Ubuntu Server Guide
Contents
1. 2 2 Consistent Multipath Device Names in a Cluster When the user_friendly_names configuration option is set to yes the name of the multipath device is unique to a node but it is not guaranteed to be the same on all nodes using the multipath device Similarly if you set the alias option for a device in the multipaths section of the multipath conf configuration file the name is not automatically consistent across all nodes in the cluster This should not cause any difficulties if you use LVM to create logical devices from the multipath device but if you require that your multipath device names be consistent in every node it is recommended that you leave the user_friendly_names option set to no and that you not configure aliases for the devices By default if you do not set user_friendly_names to yes or configure an alias for a device a device name will be the WWID for the device which is always the same If you want the system defined user friendly names to be consistent across all nodes in the cluster however you can follow this procedure 55 DM Multipath 1 Set up all of the multipath devices on one machine 2 Disable all of your multipath devices on your other machines by running the following commands service multipath tools stop multipath F 3 Copy the etc multipath bindings file from the first machine to all the other machines in the cluster 4 Re enable the multipathd daemon on all the other machines2. e etc openvpn ca crt e etc openvpn easy rsa keys clientl crt e etc openvpn easy rsa keys clientl key As the client certificates and keys are only required on the client machine you should remove them from the server 1 3 Simple Server Configuration Along with your OpenVPN installation you got these sample config files and many more if if you check root server ls l usr share doc openvpn examples sample config files total 68 rw r r 1 root root 3427 2011 07 04 15 09 client conf rw r r 1 root root 4141 2011 07 04 15 09 server conf gz Start with copying and unpacking server conf gz to etc openvpn server conf sudo cp usr share doc openvpn examples sample config files server conf gz etc openvpn sudo gzip d etc openvpn server conf gz Edit etc openvpn server conf to make sure the following lines are pointing to the certificates and keys you created in the section above ca ca crt cert myservername crt key myservername key dh dh1024 pem That is the minimum you have to configure to get a working OpenVPN server You can use all the default settings in the sample server conf file Now start the server You will find logging and error messages in your syslog root server etc openvpn etc init d openvpn start Starting virtual private network daemon s x Autostarting VPN server OK Now check if OpenVPN created a tun0 interface root server etc openvpn if
3. bin sh Prints the local weather information for the MOTD Replace KINT with your local weather station Local stations can be found here http www weather gov tg siteloc shtml echo weather i KINT echo l http www weather gov tg siteloc shtml 379 Other Useful Applications e Make the script executable sudo chmod 755 usr local bin local weather e Next create a symlink to etc update motd d 98 local weather sudo ln s usr local bin local weather etc update motd d 98 local weather e Finally exit the server and re login to view the new MOTD You should now be greeted with some useful information and some information about the local weather that may not be quite so useful Hopefully the local weather example demonstrates the flexibility of pam_motd 380 Other Useful Applications 2 etckeeper etckeeper allows the contents of etc be easily stored in Version Control System VCS repository It hooks into apt to automatically commit changes to etc when packages are installed or upgraded Placing etc under version control is considered an industry best practice and the goal of etckeeper is to make this process as painless as possible Install etckeeper by entering the following in a terminal sudo apt get install etckeeper The main configuration file etc etckeeper etckeeper conf is fairly simple The main option is which VCS to use By default etckeeper is configured to use bzr f
4. sudo smbldap groupadd a groupname As for smbldap useradd the a adds the Samba attributes To make an existing user a member of a group sudo smbldap groupmod m username groupname The m option can add more than one user at a time by listing them in comma separated format e To remove a user from a group 121 Network Authentication sudo smbldap groupmod x username groupname To add a Samba machine account sudo smbldap useradd t 0 w username Replace username with the name of the workstation The t 0 option creates the machine account without a delay while the w option specifies the user as a machine account Also note the add machine script parameter in etc samba smb conf was changed to use smbldap useradd There are utilities in the smbldap tools package that were not covered here Here is a complete list smbldap groupa da smbldap gro upde 138 smbldap gro upmod smbldap gro upshow smbldap passwd smbldap populate smbldap useradd smbl dap userdel smbldap userinfo smbldap userlist smbldap usermod smbl dap usershow 2 4 Resources e For more information on installing and configuring Samba see Chapter 18 Windows Networking p 276 of this Ubuntu Server Guide e There are multiple places where LDAP and Samba is documented in the upstream Samba HOWTO Collection e Regarding the above see specifically the passdb section e Although dated
5. 5 8 1 Exploitable system calls It is a core container feature that containers share a kernel with the host Therefore if the kernel contains any exploitable system calls the container can exploit these as well Once the container controls the kernel it can fully control any resource known to the host of http wiki ubuntu com LxcSecurity 359 Virtualization 5 9 Resources The DeveloperWorks article LXC Linux container tools was an early introduction to the use of containers The Secure Containers Cookbook demonstrated the use of security modules to make containers more secure Manual pages referenced above can be found at capabiliti es ixc cont The upstream LXC project is hosted at Sourceforge LXC security issues are listed and discussed at the LXC Security wiki page For more on namespaces in Linux see S Bhattiprolu E W Biederman S E Hallyn and D Lezcano Virtual Servers and Check point Restart in Mainstream Linux SIGOPS Op erating Systems Review 42 5 2008 38 https www ibm com developerworks linux library l Ixc containers ag http www ibm com developerworks linux library l Ixc security index html a0 http manpages ubuntu com manpages en man7 capabilities 7 html ah http manpages ubuntu com manpages en man5 lxc conf 5 html 2 http Ixc sf net a http wiki ubuntu com LxcSecurity 360 Chapter 21 Clustering 361 Clustering 1 DRBD Distribu
6. For your virtual machine to be able to handle restart and shutdown events it is being sent it is a good idea to install the acpid package as well To do this we just add the following option addpkg acpid 2 6 Final Command Here is the command with all the options discussed above sudo vmbuilder kvm ubuntu suite precise flavour virtual arch i386 o 9 https wiki ubuntu com PackagingGuide 19 http www debian administration org articles 286 7 http www pathname com fhs 320 Virtualization libvirt qemu system ip 192 168 0 100 hostname myvm part vmbuilder partition user user name user pass default addpkg addpkg addpkg addpkg addpkg addpkg mirror 2 7 Resources apache2 addpkg apache2 mpm prefork addpkg apache2 utils apache2 2 common addpkg dbconfig common libapache2 mod php5 addpkg mysql client addpkg php5 cli php5 gd addpkg php5 ldap addpkg php5 mysql wwwconfig common addpkg mysql server unattended upgrades addpkg acpid ppa nijaba http mirroraddress 9999 ubuntu If you are interested in learning more have questions or suggestions please contact the Ubuntu Server Team at IRC ubuntu server on freenode e Mailing list ubuntu server at lists ubuntu com e Also see the J OSVMBuilder Ubuntu Wiki page 12 https lists ubuntu com mailman listinfo ubuntu server 13 https help ubuntu com community J
7. You must enter above the instance_id ami and public_ip_address shown above by euca describe instances and euca allocate address commands Now you should be able to SSH to the instance ssh i userl priv ubuntu ipaddress To terminate instances euca terminate instances instance_id 4 7 Install the Storage Infrastructure Swift Swift is a highly available distributed eventually consistent object blob store It is used by the OpenStack Infrastructure to provide S3 like cloud storage services It is also S3 api compatible with amazon 337 Virtualization Organizations use Swift to store lots of data efficiently safely and cheaply where applications use an special api to interface between the applications and objects stored in Swift Although you can install Swift on a single server a multiple server installation is required for production environments If you want to install OpenStack Object Storage Swift on a single node for development or testing purposes use the Swift All In One instructions on Ubuntu For more information see http swift openstack org development_saio html 4 8 Support and Troubleshooting Community Support e OpenStack Mailing list The OpenStack Wiki search e Launchpad bugs area e Join the IRC channel openstack on freenode 4 9 Resources e Cloud Computing Service models OpenStack Compute OpenStack Image Service e OpenStack Obj
8. cn module 0 1ldif Cn schema cn 0 core ldif cn l cosine ldif cn 2 nis ldif cn 3 inetorgperson ldif cn schema ldif olcBackend 0 hdb 1ldif OlcDatabase 0 config ldif olcDatabase 1 frontend ldif OlcDatabase 1 hdb ldif cn config 1ldif fy Do not edit the slapd config database directly Make changes via the LDAP protocol utilities e This is what the slapd config DIT looks like via the LDAP protocol sudo ldapsearch Q LLL Y EXTERNAL H ldapi b cn config dn dn cn config dn cn module 0 cn config dn cn schema cn config dn cn 0 core cn schema cn config dn cn l cosine cn schema cn config dn cn 2 nis cn schema cn config dn cn 3 inetorgperson cn schema cn config dn olcBackend 0 hdb cn config dn olcDatabase 1 frontend cn config 93 Network Authentication dn olcDatabase 0 config cn config dn olcDatabase 1 hdb cn config Explanation of entries e cn config global settings e cn module 0 cn config a dynamically loaded module e cn schema cn config contains hard coded system level schema e cn 0 core cn schema cn config the hard coded core schema e cn 1 cosine cn schema cn config the cosine schema e cn 2 nis cn schema cn config the nis schema e cn 3 inetorgperson cn schema cn config the inetorgperson schema e olcBackend 0 hdb cn config the hdb backend storage type e olcDatabase 1 fr
9. dc example dc com Create a file call it uid_index 1dif with the following contents dn olcDatabase 1 hdb cn config add olcDbIndex olcDbIndex uid eq pres sub Then issue the command sudo ldapmodify Q Y EXTERNAL H ldapi f uid_index 1ldif modifying entry olcDatabase 1 hdb cn config You can confirm the change in this way sudo ldapsearch Q LLL Y EXTERNAL H ldapi b cn config olcDatabase 1 hdb olcDbIndex dn olcDatabase 1 hdb cn config olcDbIndex objectClass eq olcDbIndex uid eq pres sub e Let s add a schema It will first need to be converted to LDIF format You can find unconverted schemas in addition to converted ones in the etc 1ldap schema directory fy e It is not trivial to remove a schema from the slapd config database Practice adding schemas on a test system e Before adding any schema you should check which schemas are already installed shown is a default out of the box output 96 Network Authentication sudo ldapsearch Q LLL Y EXTERNAL H ldapi b cn schema cn config dn dn cn schema cn config dn cn 0 core cn schema cn config dn cn 1 cosine cn schema cn config dn cn 2 nis cn schema cn config dn cn 3 inetorgperson cn schema cn config In the following example we ll add the CORBA schema 1 Create the conversion configuration file schema_convert conf containing the following lines include etc ldap sche
10. sudo cp etc bind db local etc bind db example com Edit the new zone file etc bind db example com change localhost to the FQDN of your server leaving the additional at the end Change 27 0 0 to the nameserver s IP Address and root localhost to a valid email address but with a instead of the usual symbol again leaving the at the end Change the comment to indicate the domain that this file is for Create an A record for the base domain example com Also create an A record for ns example com the name server in this example i BIND data file for example com i TTL 604800 IN SOA example com root example com 2 Serial 604800 Refresh 86400 Retry 2419200 Expire 604800 Negative Cache TTL IN A 192 168 1 10 IN NS ns example com IN A 192 168 1 10 IN AAAA Seal ns IN A 192 168 1 10 142 Domain Name Service DNS You must increment the Serial Number every time you make changes to the zone file If you make multiple changes before restarting BIND9 simply increment the Serial once Now you can add DNS records to the bottom of the zone file See Section 4 1 Common Record Types p 151 for details J Many admins like to use the last date edited as the serial of a zone such as 2012010100 which is yyyymmddss where ss is the Serial Number Once you have made changes to the zone file BIND9 needs to be restarted for the changes to take effect sudo service bind9 r
11. 2 3 4 Access via custom protocol svn Once the Subversion repository is created you can configure the access control You can edit the path to repos project conf svnserve conf file to configure the access control For example to set up authentication you can uncomment the following lines in the configuration file general password db passwd After uncommenting the above lines you can maintain the user list in the passwd file So edit the file passwd in the same directory and add the new user The syntax is as follows username password For more details please refer to the file Now to access Subversion via the svn custom protocol either from the same machine or a different machine you can run svnserver using svnserve command The syntax is as follows svnserve d foreground r path to repos d daemon mode foreground run in foreground useful for debugging r root of directory to serve For more usage details please refer to svnserve help Once you run this command Subversion starts listening on default port 3690 To access the project repository you must run the following command from a terminal prompt svn co svn hostname project project username user_name Based on server configuration it prompts for password Once you are authenticated it checks out the code from Subversion repository To synchronize the project repository with the local copy you ca
12. ServerAdmin bjoy somebigco com e Listen By default on Ubuntu the CUPS server installation listens only on the loopback interface at IP address 727 0 0 1 In order to instruct the CUPS server to listen on an actual network adapter s IP address you must specify either a hostname the IP address or optionally an IP address port pairing via the addition of a Listen directive For example if your CUPS server resides on a local network at the IP address 92 68 10 250 and you d like to make it accessible to the other systems on this subnetwork you would edit the etc cups cupsd conf and add a Listen directive as such Listen 127 0 0 1 631 existing loopback Listen Listen var run cups cups sock existing socket Listen Listen 192 168 10 250 631 Listen on the LAN interface Port 631 IPP In the example above you may comment out or remove the reference to the Loopback address 127 0 0 1 if you do not wish cupsd to listen on that interface but would rather have it only listen on the Ethernet interfaces of the Local Area Network LAN To enable listening for all network interfaces for which a certain hostname is bound including the Loopback you could create a Listen entry for the hostname socrates as such Listen socrates 631 Listen on all interfaces for the hostname socrates or by omitting the Listen directive and using Port instead as in Port 631 Listen on port 631 on all interfaces For more examples of configuration dir
13. That s it Now you have your Server ready for your Ruby on Rails applications 4 3 References See the Ruby on Rails website for more information e Also Agile Development with Rails is a great resource e Another place for more information is the Ruby on Rails Ubuntu Wiki page I http rubyonrails org 18 http pragprog com titles rails3 agile web development with rails third edition 19 https help ubuntu com community RubyOnRails 200 Web Servers 5 Apache Tomcat Apache Tomcat is a web container that allows you to serve Java Servlets and JSP Java Server Pages web applications The Tomcat 6 0 packages in Ubuntu support two different ways of running Tomcat You can install them as a classic unique system wide instance that will be started at boot time will run as the tomcat6 unprivileged user But you can also deploy private instances that will run with your own user rights and that you should start and stop by yourself This second way is particularly useful in a development server context where multiple users need to test on their own private Tomcat instances 5 1 System wide installation To install the Tomcat server you can enter the following command in the terminal prompt sudo apt get install tomcat6 This will install a Tomcat server with just a default ROOT webapp that displays a minimal It works page by default 5 2 Configuration Tomcat configuration files can be found i
14. based on demand The default virtualization technology supported in Ubuntu is KVM a technology that takes advantage of virtualization extensions built into Intel and AMD hardware For hardware without virtualization extensions Xen and Qemu are popular solutions 307 Virtualization 1 libvirt The libvirt library is used to interface with different virtualization technologies Before getting started with libvirt it is best to make sure your hardware supports the necessary virtualization extensions for KVM Enter the following from a terminal prompt kvm ok A message will be printed informing you if your CPU does or does not support hardware virtualization fe On most computer whose processor supports virtualization it is necessary to activate an option in the BIOS to enable it 1 1 Virtual Networking There are a few different ways to allow a virtual machine access to the external network The default virtual network configuration is usermode networking which uses the SLIRP protocol and traffic is NATed through the host interface to the outside network To enable external hosts to directly access services on virtual machines a bridge needs to be configured This allows the virtual interfaces to connect to the outside network through the physical interface making them appear as normal hosts to the rest of the network For information on setting up a bridge see Section 1 4 Bridging p 39 1 2 Installa
15. container is started When a container is created the release updates archive is added to the container s sources list and its package archive will be updated If the container release is older than 12 04 LTS then the Ixcguest package will be automatically installed Alternatively if the trim option is specified then the Ixcguest package will not be installed and many services will be removed from the container This will result in a faster booting but less upgrade able container 5 3 1 3 Ubuntu cloud template The ubuntu cloud template creates Ubuntu containers by downloading and extracting the published Ubuntu cloud images It accepts some of the same options as the ubuntu template namely r release S sshkey pub a arch and F to flush the cached image It also accepts a few extra options The C option will create a cloud container configured for use with a metadata service The u option accepts a cloud init user data file to configure the container on start If L is passed then no locales will be installed The 7 option can be used to choose a tarball location to extract in place of the published cloud image tarball Finally the i option sets a host id for cloud init which by default is set to a random string 5 3 1 4 Other templates The ubuntu and ubuntu cloud templates are well supported Other templates are available however The debian template creates a Debian based container using debootstrap much as the ubuntu te
16. e The ErrorDocument directive allows you to specify a file for Apache2 to use for specific error events For example if a user requests a resource that does not exist a 404 error will occur By default Apache2 will simply return a HTTP 404 Return code Read etc apache2 conf d localized error pages for detailed instructions for using ErrorDocument including locations of example files e By default the server writes the transfer log to the file var log apache2 access log You can change this on a per site basis in your virtual host configuration files with the CustomLog directive or omit it to accept the default specified in etc apache2 conf d other vhosts access log You may also specify the file to which errors are logged via the ErrorLog directive whose default is var log apache2 error 1log These are kept separate from the transfer logs to aid in troubleshooting problems with your Apache2 server You may also specify the LogLevel the default value is warn and the LogFormat see etc apache2 apache2 conf for the default value e Some options are specified on a per directory basis rather than per server Options is one of these directives A Directory stanza is enclosed in XML like tags like so lt Directory var www mynewsite gt lt Directory gt 190 Web Servers The Options directive within a Directory stanza accepts one or more of the following values among others separated by spaces e ExecCGI Allo
17. enter 20 btyp www pathname com ths pub fhs 2 3 html SRVDATAFORSER VICESPROVIDEDBY SYSTEM 289 Windows Networking sudo net groupmap add ntgroup Domain Admins unixgroup sysadmin rid 512 type d Change sysadmin to whichever group you prefer Also the user used to join the domain needs to be a member of the sysadmin group as well as a member of the system admin group The admin group allows sudo use If the user does not have Samba credentials yet you can add them with the smbpasswd utility change the sysadmin username appropriately sudo smbpasswd a sysadmin Also rights need to be explicitly provided to the Domain Admins group to allow the add machine script and other admin functions to work This is achieved by executing net rpc rights grant U sysadmin EXAMPLE Domain Admins SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege 9 You should now be able to join Windows clients to the Domain in the same manner as joining them to an NT4 domain running on a Windows server 5 2 Backup Domain Controller With a Primary Domain Controller PDC on the network it is best to have a Backup Domain Controller BDC as well This will allow clients to authenticate in case the PDC becomes unavailable When configuring Samba as a BDC you need a way to sync account information with the PDC There are multiple ways of accomplishing this scp
18. example ubuntu ro sync no_root_squash home rw Sync no_root_squash You can replace with one of the hostname formats Make the hostname declaration as specific as possible so unwanted systems cannot access the NFS mount To start the NFS server you can run the following command at a terminal prompt sudo etc init d nfs kernel server start 2 3 NFS Client Configuration Use the mount command to mount a shared NFS directory from another machine by typing a command line similar to the following at a terminal prompt sudo mount example hostname com ubuntu local ubuntu The mount point directory 1ocal ubuntu must exist There should be no files or subdirectories in the local ubuntu directory 226 File Servers An alternate way to mount an NFS share from another machine is to add a line to the etc fstab file The line must state the hostname of the NFS server the directory on the server being exported and the directory on the local machine where the NFS share is to be mounted The general syntax for the line in etc fstab file is as follows example hostname com ubuntu local ubuntu nfs rsize 8192 wsize 8192 timeo 14 intr If you have trouble mounting an NFS share make sure the nfs common package is installed on your client To install nfs common enter the following command at the terminal prompt sudo apt get install nfs common 2 4 References Linux NFS faq Ubuntu Wiki N
19. fs01 example com share k c ls e To copy a file from the share enter smbclient fs01 example com share k c get file txt This will copy the file txt into the current directory e And to copy a file to the share smbclient fs01 example com share k c put etc hosts hosts This will copy the etc hosts to fs01 example com share hosts e The c option used above allows you to execute the smbclient command all at once This is useful for scripting and minor file operations To enter the smb gt prompt a FTP like prompt where you can execute normal file and directory commands simply execute smbclient fs01 example com share k bA Replace all instances of fs01 example com share 192 168 0 5 share username steve password secret and file txt with your server s IP hostname share name file name and an actual username and password with rights to the share 6 3 Resources For more smbclient options see the man page man smbclient also available online The mount cifs man page is also useful for more detailed information The Ubuntu Wiki Samba page 28 http manpages ubuntu com manpages precise en man 1 smbclient 1 html a http manpages ubuntu com manpages precise en man8 mount cifs 8 html 30 https help ubuntu com community Samba 293 Chapter 19 Backups There are many ways to backup an Ubuntu installation The most important thing about backups is to develop a backup plan
20. ldap_kerberos_container_dn dc example dc com dbmodules openldap_ldapconf db_library kldap ldap_kdc_dn cn admin dc example dc com this object needs to have read rights on the realm container principal container and realm sub trees ldap_kadmind_dn cn admin dc example dc com this object needs to have read and write rights on the realm container principal container and realm sub trees ldap_service_password_file etc krb5kdc service keyfil ldap_servers ldaps ldap01l example com ldaps ldap02 example com ldap_conns_per_server 5 Create the stash for the LDAP bind password sudo kdb5_ldap_util D cn admin dc example dc com stashsrvpw f etc krb5kdc service keyfile cn admin dc example dc com Now on the Primary KDC copy the etc krb5kdc k5 EXAMPLE COM Master Key stash to the Secondary KDC Be sure to copy the file over an encrypted connection such as scp or on physical media sudo scp etc krb5kdc k5 EXAMPLE COM steve kdc02 example com sudo mv k5 EXAMPLE COM etc krb5kdc Again replace EXAMPLE COM with your actual realm Back on the Secondary KDC re start the Idap server only sudo service slapd restart Finally start the krb5 kdc daemon sudo etc init d krb5 kdc start Verify the two ldap servers and kerberos by extension are in sync You now have redundant KDCs on your network and with redundant LDAP servers you should be able to continue
21. mailman join var lib mailman mail mailman join mailman mailman leave var lib mailman mail mailman leave mailman mailman owner var lib mailman mail mailman owner mailman mailman request var lib mailman mail mailman request mailman mailman subscribe var lib mailman mail mailman subscribe mailman mailman unsubscribe var lib mailman mail mailman unsubscribe mailman Hit enter to notify mailman owner We have configured either Postfix or Exim4 to recognize all emails from mailman So it is not mandatory to make any new entries in etc aliases If you have made any changes to the configuration files please ensure that you restart those services before continuing to next section 251 Email Services fe The Exim4 does not use the above aliases to forward mails to Mailman as it uses a discover approach To suppress the aliases while creating the list you can add MTA None line in Mailman configuration file etc mailman mm_cfg py 4 3 Administration We assume you have a default installation The mailman cgi scripts are still in the usr lib cgi bin mailman directory Mailman provides a web based administration facility To access this page point your browser to the following url http hostname cgi bin mailman admin The default mailing list mailman will appear in this screen If you click the mailing list name it will ask for your authentication password If you enter the correct password yo
22. multipathd k gt multipath conf live fy To work around a quirk in multipathd when an etc multipath conf doesn t exist the previous command will return nothing as it is the result of a merge between the etc multipath conf and the database in memory To remedy this either define an empty etc multipath conf by using touch or create one that redefines a default value like defaults user_friendly_names no and restart multipathd service multipath tools restart Now the show config command will return the live database 3 2 Installing with Multipath Support To enable multipath support during installation use install disk detect multipath enable true at the installer prompt If multipath devices are found these will show up as dev mapper mpath lt X gt during installation l http wiki debian org DebianInstaller MultipathSupport 58 DM Multipath 3 3 Ignoring Local Disks When Generating Multipath Devices Some machines have local SCSI cards for their internal disks DM Multipath is not recommended for these devices The following procedure shows how to modify the multipath configuration file to ignore the local disks when configuring multipath 1 Determine which disks are the internal disks and mark them as the ones to blacklist In this example dev sda is the internal disk Note that as originally configured in the default multipath configuration file executing the multipath v2 shows the
23. 148 Domain Name Service DNS If no logging option is configured the default option is logging category default default_syslog default_debug category unmatched null he This section covers configuring BIND9 to send debug messages related to DNS queries to a separate file e First we need to configure a channel to specify which file to send the messages to Edit etc bind named conf local and add the following logging channel query log file var log query log severity debug 3 e Next configure a category to send all DNS queries to the query file logging channel query log file var log query log severity debug 3 category queries query log bJ Note the debug option can be set from 1 to 3 If a level isn t specified level 1 is the default e Since the named daemon runs as the bind user the var log query 1log file must be created and the ownership changed sudo touch var log query log sudo chown bind var log query log e Before named daemon can write to the new log file the AppArmor profile must be updated First edit etc apparmor d usr sbin named and add var log query log w Next reload the profile cat etc apparmor d usr sbin named sudo apparmor_parser r For more information on AppArmor see Section 4 AppArmor p 167 149 Domain Name Service DNS e Now restart BIND9 for the changes to take effect sudo service bind9
24. In the 11 04 Natty and 11 10 Oneiric releases of Ubuntu a package was introduced called lxcguest An unmodified root image could not be safely booted inside a container but an image with the Ixcguest package installed could be booted as a container on bare hardware or in a Xen kvm or VMware virtual machine As of the 12 04 LTS release the work previously done by the Ixcguest package was pushed into the core packages and the lxcguest package was removed As a result an unmodified 12 04 LTS image can be booted as a container on bare hardware or in a Xen kvm or VMware virtual machine To use an older release the lxcguest package should still be used 5 8 Security A namespace maps ids to resources By not providing a container any id with which to reference a resource the resource can be protected This is the basis of some of the security afforded to container users For instance IPC namespaces are completely isolated Other namespaces however have various leaks which allow privilege to be inappropriately exerted from a container into another container or to the host By default LXC containers are started under a Apparmor policy to restrict some actions However while stronger security is a goal for future releases in 12 04 LTS the goal of the Apparmor policy is not to stop malicious actions but rather to stop accidental harm of the host by the guest See the LXC security wiki page for more uptodate information
25. Ixc start is intended to be used for system containers while Ixc execute is intended for application containers see this article for more You can stop a container several ways You can use shutdown poweroff and reboot while logged into the container To cleanly shut down a container externally i e from the host you can issue the sudo Ixc shutdown n CN command This takes an optional timeout value If not specified 36 https www ibm com developerworks linux library l lxc containers 348 Virtualization the command issues a SIGPWR signal to the container and immediately returns If the option is used as in sudo Ixc shutdown n CN t 10 then the command will wait the specified number of seconds for the container to cleanly shut down Then if the container is still running it will kill it and any running applications You can also immediately kill the container without any chance for applications to cleanly shut down using sudo Ixc stop n CN Finally Ixe kill can be used more generally to send any signal number to the container s init While the container is shutting down you can expect to see some harmless error messages as follows sudo poweroff sudo password for ubuntu Broadcast message from ubuntu cnl dev lxc console at 18 17 The system is going down for power off NOW Asking all remaining processes to terminat esa done All processes ended within 1 seconds done
26. The LockFile directive sets the path to the lockfile used when the server is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or USE_FLOCK_SERIALIZED_ACCEPT It must be stored on the local disk It should be left to the default value unless the logs directory is located on an NFS share If this is the case the default value should be changed to a location on the local disk and to a directory that is readable only by root PidFile The PidFile directive sets the file in which the server records its process ID pid This file should only be readable by root In most cases it should be left to the default value User The User directive sets the userid used by the server to answer requests This setting determines the server s access Any files inaccessible to this user will also be inaccessible to your website s visitors The default value for User is www data i https help ubuntu com community ServerSideIncludes 5 http httpd apache org docs 2 2 mod mod_negotiation html multiviews 191 Web Servers Unless you know exactly what you are doing do not set the User directive to root Using root as the User will create large security holes for your Web server Group The Group directive is similar to the User directive Group sets the group under which the server will answer requests The default group is also www data 1 2 4 Apache2 Modules Apache is a modular server This implies that only the most basic fu
27. are also frequently used instead of PHP While Nginx Cherokee and Lighttpd can replace Apache The fastest way to get started is to install LAMP using tasksel Tasksel is a Debian Ubuntu tool that installs multiple related packages as a co ordinated task onto your system To install a LAMP server e Ata terminal prompt enter the following command sudo tasksel install lamp server After installing it you ll be able to install most LAMP applications in this way e Download an archive containing the application source files e Unpack the archive usually in a directory accessible to a web server e Depending on where the source was extracted configure a web server to serve the files e Configure the application to connect to the database e Runa script or browse to a page of the application to install the database needed by the application e Once the steps above or similar steps are completed you are ready to begin using the application A disadvantage of using this approach is that the application files are not placed in the file system in a standard way which can cause confusion as to where the application is installed Another larger disadvantage is updating the application When a new version is released the same process used to install the application is needed to apply updates Fortunately a number of LAMP applications are already packaged for Ubuntu and are available for installation in the same way as non LAMP ap
28. e all bA Replace mail example com with the domain for which you ll accept email 192 168 0 0 24 with the actual network and class range of your mail server and steve with the appropriate username Now is a good time to decide which mailbox format you want to use By default Postfix will use mbox for the mailbox format Rather than editing the configuration file directly you can use the postconf command to configure all postfix parameters The configuration parameters will be stored in 235 Email Services etc postfix main c file Later if you wish to re configure a particular parameter you can either run the command or change it manually in the file To configure the mailbox format for Maildir sudo postconf e home_mailbox Maildir ft This will place new mail in home username Maildir so you will need to configure your Mail Delivery Agent MDA to use the same path 1 3 SMTP Authentication SMTP AUTH allows a client to identify itself through an authentication mechanism SASL Transport Layer Security TLS should be used to encrypt the authentication process Once authenticated the SMTP server will allow the client to relay mail 1 Configure Postfix for SMTP AUTH using SASL Dovecot SASL sudo postconf e smtpd_sasl_type dovecot sudo postconf e smtpd_sasl_path private auth client sudo postconf e smtpd_sasl_local_domain sudo postconf e smtpd_sasl_security_options noanonymous sudo
29. grep mysql When you run this command you should see the following line or something similar tcp 0 0 localhost mysql Eek LISTEN 2556 mysqld If the server is not running correctly you can type the following command to start it sudo service mysql restart 1 2 Configuration You can edit the etc mysql my cn file to configure the basic settings log file port number etc For example to configure MySQL to listen for connections from network hosts change the bind address directive to the server s IP address bind address 192 168 0 5 fy Replace 192 168 0 5 with the appropriate address After making a change to etc mysql my cnf the MySQL daemon will need to be restarted 206 Databases sudo service mysql restart If you would like to change the MySQL root password in a terminal enter sudo dpkg reconfigure mysql server 5 5 The MySQL daemon will be stopped and you will be prompted to enter a new password 1 3 Database Engines Whilst the default configuration of MySQL provided by the Ubuntu packages is perfectly functional and performs well there are things you may wish to consider before you proceed MySQL is designed to allow data to be stored in different ways These methods are referred to as either database or storage engines There are two main engines that you ll be interested in InnoDB and MyISAM Storage engines are transparent to the end user MySQL will handle things differently under
30. partition type etc During installation there is an option to encrypt the home partition This will automatically configure everything needed to encrypt and mount the partition As an example this section will cover configuring srv to be encrypted using eCryptfs 6 1 Using eCryptfs First install the necessary packages From a terminal prompt enter sudo apt get install ecryptfs utils Now mount the partition to be encrypted sudo mount t ecryptfs srv srv You will then be prompted for some details on how ecryptfs should encrypt the data To test that files placed in srv are indeed encrypted copy the etc default folder to srv sudo cp r etc default srv Now unmount srv and try to view a file sudo umount srv cat srv default cron Remounting srv using ecryptfs will make the data viewable once again 6 2 Automatically Mounting Encrypted Partitions There are a couple of ways to automatically mount an ecryptfs encrypted filesystem at boot This example will use a root ecryptfsrc file containing mount options along with a passphrase file residing on a USB key First create root ecryptfsre containing key passphrase passphrase_passwd_file mnt usb passwd_file txt ecryptfs_sig 5826dd62cf81c615 ecryptfs_cipher aes ecryptfs_key_bytes 16 176 Security ecryptfs_passthrough n ecryptfs_enable_filename_crypto n fy Adjust the ecryptfs_sig to the signature in root ecryptfs si
31. root client etc openvpn ifconfig tun0 tun0 Link encap UNSPEC HWaddr 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 inet addr Tro 80G Pat Pit0 8 20 5 Maski255 25572255 3255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU 1500 Metric 1 Check if you can ping the OpenVPN server root client etc openvpn ping 10 8 0 1 PING 10 8 0 1 10 8 0 1 56 84 bytes of data 64 bytes from 10 8 0 1 icmp_req 1 tt1l 64 time 0 920 ms 369 VPN fe The OpenVPN server always uses the first usable IP address in the client network and only that IP is pingable E g if you configured a 24 for the client network mask the 1 address will be used The P t P address you see in the ifconfig output above is usually not answering ping requests Check out your routes root client etc openvpn netstat rn Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 10 8 0 5 0 0 0 0 255 255 255 255 UH 0 0 0 tun0d 10 8 0 1 10 8 0 5 255729972997499 UGH 0 0 0 tun0 192 168 42 0 0 0 0 0 29572092050 U 0 0 0 eth0 0 0 0 0 192 168 42 1 0 0 0 0 UG 0 0 0 etho 1 5 First trouble shooting If the above didn t work for you check this e Check your syslog e g grep i vpn var log syslog e Can the client connect to the server machine Maybe a firewall is blocking access Check syslog on server e Client and server must use same protocol and port e g UDP port 1194 see port and proto config option e Client and server must
32. sudo apt get install apticron Once the package is installed edit etc apticron apticron conf to set the email address and other options EMATL root example com 28 Package Management 6 Configuration Configuration of the Advanced Packaging Tool APT system repositories is stored in the etc apt sources list file and the etc apt sources list d directory An example of this file is referenced here along with information on adding or removing repository references from the file Here is a simple example of a typical etc apt sources list file You may edit the file to enable repositories or disable them For example to disable the requirement of inserting the Ubuntu CD ROM whenever package operations occur simply comment out the appropriate line for the CD ROM which appears at the top of the file no more prompting for CD ROM please deb cdrom Ubuntu 12 04 _Precise Pangolin_ Release i386 20111013 1 precise main restricted 6 1 Extra Repositories In addition to the officially supported package repositories available for Ubuntu there exist additional community maintained repositories which add thousands more packages for potential installation Two of the most popular are the Universe and Multiverse repositories These repositories are not officially supported by Ubuntu but because they are maintained by the community they generally provide packages which are safe for use with your Ubuntu com
33. var lib exim4 config autogenerated At any time you should not edit the master configuration file var 1lib exim4 QD config autogenerated manually It is updated automatically every time you run update exim4 conf You can run the following command to start Exim4 daemon sudo etc init d exim4 start 2 3 SMTP Authentication This section covers configuring Exim4 to use SMTP AUTH with TLS and SASL 242 Email Services The first step is to create a certificate for use with TLS Enter the following into a terminal prompt sudo usr share doc exim4 base examples exim gencert Now Exim4 needs to be configured for TLS by editing etc exim4 conf d main 03_exim4 config_tlsoptions add the following MAIN_TLS_ENABLE yes Next you need to configure Exim4 to use the saslauthd for authentication Edit etc exim4 conf d auth 30_exim4 config_examples and uncomment the plain_saslauthd_server and login_saslauthd_server sections plain_saslauthd_server driver plaintext public_name PLAIN server _condition S if saslauthd Sauth2 Sauth3 1 0 server_set_id Sauth2 server_prompts ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS server_advertise_condition if eq S tls_cipher endif login_saslauthd_server driver plaintext public_name LOGIN server_prompts Username Password don t send system passwords over unencrypted connections server _condition S
34. 53 connected using 192 168 1 11 37531 zone 1 168 192 in addr arpa IN transferred serial 5 transfer of 100 18 172 in addr arpa IN from 192 168 1 10 53 Transfer completed 1 messages 6 records 212 bytes 0 002 secs 106000 bytes sec zone 1 168 192 in addr arpa IN sending notifies serial 5 client 192 168 1 10 20329 received notify for zone example com zone example com IN Transfer started transfer of example com IN from 192 168 1 10 53 connected using 192 168 1 11 38577 zone example com IN transferred serial 5 transfer of example com IN from 192 168 1 10 53 Transfer completed 1 messages 8 records 225 bytes 0 002 secs 112500 bytes sec fe Note A zone is only transferred if the Serial Number on the Primary is larger than the one on the Secondary If you want to have your Primary Master DNS notifying Secondary DNS Servers of zone changes you can add also notify ipaddress in to etc pind named conf 1local as shown in the example below zone example com type master file etc bind db example com allow transfer 192 168 1 11 also notify 192 168 1 11 zone 1 168 192 in addr arpa type master file etc bind db 192 145 Domain Name Service DNS allow transfer 192 168 1 11 also notify 192 168 1 11 The default directory for non authoritative zone files is var cache bind This directory is also configured in AppArmor to allow the name
35. Advanced Message Queuing Protocol AMQP 334 Virtualization sudo apt get install rabbitmq server Edit etc nova nova conf and add the following Nova config FlatDHCPManager sql_connection mysql novauser novapassword localhost nova flat_injected true network_manager nova network manager FlatDHCPManager fixed_range 10 0 0 0 24 floating_range 10 153 107 72 29 flat_network_dhcp_start 10 0 0 2 flat_network_bridge br100 flat_interface ethl public_interface eth0 Restart OpenStack services for i in nova api nova network nova objectstore nova scheduler nova volume nova compute do sudo stop i sleep 2 done for i in nova api nova network nova objectstore nova scheduler nova volume nova compute do sudo start i sleep 2 done Migrate Nova database from sqlite db to MySQL db It may take a while sudo nova manage db sync Define a specific private network where all your Instances will run This will be used in the network of fixed Ips set inside nova conf sudo nova manage network create fixed_range_v4 10 0 0 0 24 label private bridge_interface br100 Define a specific public network and allocate 6 usable Floating Public IP addresses for use with the instances starting from 10 153 107 72 sudo nova manage floating create ip_range 10 153 107 72 29 Create a user user1 a project project1 download credentials and source its configuration file cd mkdir n
36. Another common use of Samba is to configure it to share printers installed either locally or over the network on an Ubuntu server Similar to Section 2 Samba File Server p 278 this section will configure Samba to allow any client on the local network to use the installed printers without prompting for a username and password For a more secure configuration see Section 4 Securing a Samba File and Print Server p 283 3 1 Installation Before installing and configuring Samba it is best to already have a working CUPS installation See Section 4 CUPS Print Server p 231 for details To install the samba package from a terminal enter sudo apt get install samba 3 2 Configuration After installing samba edit etc samba smb conf Change the workgroup attribute to what is appropriate for your network and change security to user workgroup EXAMPLE security user In the printers section change the guest ok option to yes browsable yes guest ok yes After editing smb conf restart Samba sudo restart smbd sudo restart nmbd The default Samba configuration will automatically share any printers installed Simply install the printer locally on your Windows clients 3 3 Resources e For in depth Samba configurations see the Samba HOWTO Collection 8 http samba org samba docs man Samba HOWTO Collection 281 Windows Networking e The guide is also available in print
37. ApacheMySQLPHP 196 Web Servers 3 Squid Proxy Server Squid is a full featured web proxy cache server application which provides proxy and cache services for Hyper Text Transport Protocol HTTP File Transfer Protocol FTP and other popular network protocols Squid can implement caching and proxying of Secure Sockets Layer SSL requests and caching of Domain Name Server DNS lookups and perform transparent caching Squid also supports a wide variety of caching protocols such as Internet Cache Protocol ICP the Hyper Text Caching Protocol HTCP the Cache Array Routing Protocol CARP and the Web Cache Coordination Protocol WCCP The Squid proxy cache server is an excellent solution to a variety of proxy and caching server needs and scales from the branch office to enterprise level networks while providing extensive granular access control mechanisms and monitoring of critical parameters via the Simple Network Management Protocol SNMP When selecting a computer system for use as a dedicated Squid proxy or caching servers ensure your system is configured with a large amount of physical memory as Squid maintains an in memory cache for increased performance 3 1 Installation At a terminal prompt enter the following command to install the Squid server sudo apt get install squid 3 2 Configuration Squid is configured by editing the directives contained within the etc squid squid conf configuration
38. In all likelihood taking the NFS server to another location would not be practical Depending upon connection speeds it may be an option to copy the archive file over a WAN link to a server in another location Another option is to copy the archive file to an external hard drive which can then be taken off site Since the price of external hard drives continue to decrease it may be cost effective to use two drives for each archive level This would allow you to have one external drive attached to the backup server and one in another location 2 2 Tape Drives A tape drive attached to the server can be used instead of an NFS share Using a tape drive simplifies archive rotation and makes taking the media off site easier as well 300 Backups When using a tape drive the filename portions of the script aren t needed because the data is sent directly to the tape device Some commands to manipulate the tape are needed This is accomplished using mt a magnetic tape control utility part of the cpio package Here is the shell script modified to use a tape drive bin bash Hat at aE AE at aE aE a aE aE HE aE HE aE E AE E aE E HE aE aE HE aE a EE aE EE E Backup to tape drive script PRET EE HEHE EEE HEHE EEE HEHE EEE HEHE EEE What to backup backup_files home var spool mail etc root boot opt Where to backup to dest dev st0 Print start status message echo Backing up Sbackup_files to S dest
39. Installation To install openvpn in a terminal enter sudo apt get install openvpn 1 2 Public Key Infrastructure Setup The first step in building an OpenVPN configuration is to establish a PKI public key infrastructure The PKI consists of e a separate certificate also known as a public key and private key for the server and each client and e a master Certificate Authority CA certificate and key which is used to sign each of the server and client certificates OpenVPN supports bidirectional authentication based on certificates meaning that the client must authenticate the server certificate and the server must authenticate the client certificate before mutual trust is established Both server and client will authenticate the other by first verifying that the presented certificate was signed by the master certificate authority CA and then by testing information in the now authenticated certificate header such as the certificate common name or certificate type client or server 1 2 1 Certificate Authority Setup To setup your own Certificate Authority CA and generating certificates and keys for an OpenVPN server and multiple clients first copy the easy rsa directory to etc openvpn This will ensure that any changes to the scripts will not be lost when the package is updated From a terminal change to user root and mkdir etc openvpn easy rsa cp r usr share doc openvpn examples easy rsa 2 0
40. MUA or email client to send the message through one or more Mail Transfer Agents MTA the last of which will hand it off to a Mail Delivery Agent MDA for delivery to the recipient s mailbox from which it will be retrieved by the recipient s email client usually via a POP3 or IMAP server 234 Email Services 1 Postfix Postfix is the default Mail Transfer Agent MTA in Ubuntu It attempts to be fast and easy to administer and secure It is compatible with the MTA sendmail This section explains how to install and configure postfix It also explains how to set it up as an SMTP server using a secure connection for sending emails securely fe This guide does not cover setting up Postfix Virtual Domains for information on Virtual Domains and other advanced configurations see Section 1 7 3 References p 240 1 1 Installation To install postfix run the following command sudo apt get install postfix Simply press return when the installation process asks questions the configuration will be done in greater detail in the next stage 1 2 Basic Configuration To configure postfix run the following command sudo dpkg reconfigure postfix The user interface will be displayed On each screen select the following values e Internet Site e mail example com e steve e mail example com localhost localdomain localhost e No e 127 0 0 0 8 ffff 127 0 0 0 104 1 128 192 168 0 0 24 0 e
41. S Send report 1 7 KiB V View report K Keep report file for sending later or copying to somewhere else C Cancel Please choose S V K C The options available are e Send Report Selecting Send Report submits the collected information to Launchpad as part of the the process of filing a bug report You will be given the opportunity to describe the situation that led up to the occurrence of the bug xxx Uploading problem information The collected information is being sent to the bug tracking system This might take a few minutes 91 xxx To continue you must visit the following URL https bugs launchpad net ubuntu source postgresql 8 4 filebug kc6eSnTLnLxF 8u0t 3e5 6EukFeqJ You can launch a browser now or copy this URL into a browser on another computer Choices 1 Launch a browser now C Cancel Please choose 1 C If you choose to start a browser by default the text based web browser w3m will be used to finish filing the bug report Alternately you can copy the given URL to a currently running web browser e View Report Selecting View Report causes the collected information to be displayed to the terminal for review Package postgresql 8 4 2 2 PackageArchitecture all Tags lucid ProblemType Bug ProcEnviron LANG en_US UTF 8 SHELL bin bash Uname Linux 2 6 32 16 server x86_64 Dependencies 388 Appendix adduser 3 112ubuntul base files 5 0 0ubuntul0 base passwd 3 5 22 coreu
42. The C option to tar redirects the extracted files to the specified directory The above example will extract the etc hosts file to tmp etc hosts tar recreates the directory structure that it contains Also notice the leading is left off the path of the file to restore e To restore all files in the archive enter the following cd sudo tar xzvf mnt backup host Monday tgz bJ This will overwrite the files currently on the file system 1 4 References For more information on shell scripting see the Advanced Bash Scripting Guide e The book Teach Yourself Shell Programming in 24 Hours is available online and a great resource for shell scripting e The CronHowto Wiki Page contains details on advanced cron options e See the GNU tar Manual for more tar options e The Wikipedia Backup Rotation Scheme article contains information on other backup rotation schemes e The shell script uses tar to create the archive but there many other command line utilities that can be used For example e cpio used to copy files to and from archives e dd part of the coreutils package A low level utility that can copy data from one format to another e rsnapshot a file system snapshot utility used to create copies of an entire file system e rsync a flexible utility used to create incremental copies of files 1 htep tldp org LDP abs html 2 http safari samspublishing com 0672323583 2 https help
43. a group they share in common The following example grants shared write permission to var www to the group webmasters sudo chgrp R webmasters var www sudo find var www type d exec chmod g rwxs sudo find var www type f exec chmod g rws fe If access must be granted to more than one group per directory enable Access Control Lists ACLs 1 5 References e Apache2 Documentation contains in depth information on Apache2 configuration directives Also see the apache2 doc package for the official Apache2 docs See the Mod SSL Documentation site for more SSL related information 5 http httpd apache org docs 2 2 T http www modssl org docs 193 Web Servers O Reilly s Apache Cookbook is a good resource for accomplishing specific Apache2 configurations For Ubuntu specific Apache2 questions ask in the ubuntu server IRC channel on freenode net Usually integrated with PHP and MySQL the Apache MySQL PHP Ubuntu Wiki page is a good resource 8 http oreilly com catalog 9780596001919 7 http freenode net 19 https help ubuntu com community ApacheMySQLPHP 194 Web Servers 2 PHPS Scripting Language PHP is a general purpose scripting language suited for Web development The PHP script can be embedded into HTML This section explains how to install and configure PHP5 in Ubuntu System with Apache2 and MySQL This section assumes you have installed and conf
44. a mail is delivered to a list Associate the domain lists example com to the Mailman transport with the transport map Edit the file etc postfix transport lists example com mailman Now have Postfix build the transport map by entering the following from a terminal prompt sudo postmap v etc postfix transport Then restart Postfix to enable the new configurations sudo etc init d postfix restart 4 2 3 Exim4 Once Exim4 is installed you can start the Exim server using the following command from a terminal prompt sudo etc init d exim4 start In order to make mailman work with Exim4 you need to configure Exim4 As mentioned earlier by default Exim4 uses multiple configuration files of different types For details please refer to the Exim web site To run mailman we should add new a configuration file to the following configuration types e Main e Transport e Router Exim creates a master configuration file by sorting all these mini configuration files So the order of these configuration files is very important 4 2 4 Main All the configuration files belonging to the main type are stored in the etc exim4 conf d main directory You can add the following content to a new file named 04_exim4 config_mailman start Home dir for your Mailman installation aka Mailman s prefix directory On Ubuntu this should be var lib mailman 18 http www exim org 249 Email Services This i
45. addresses sometimes also called a range or scope for a period of time or lease that is configured on the server or until the client informs the server that it doesn t need the address anymore This way the clients will be receiving their configuration properties dynamically and on a first come first served basis When a DHCP client is no longer on the network for a specified period the configuration is expired and released back to the address pool for use by other DHCP Clients This way an address cand be leased or used for a period of time After this period the client has to renegociate the lease with the server to maintain use of the address Automatic allocation Using this method the DHCP automatically assigns an IP address permanently to a device selecting it from a pool of available addresses Usually DHCP is used to assign a temporary address to a client but a DHCP server can allow an infinite lease time 46 Networking The last two methods can be considered automatic because in each case the DHCP server assigns an address with no extra intervention needed The only difference between them is in how long the IP address is leased in other words whether a client s address varies over time Ubuntu is shipped with both DHCP server and client The server is dhcpd dynamic host configuration protocol daemon The client provided with Ubuntu is dhclient and should be installed on all computers required to be automatically con
46. addresses that have a valid signature from example com This is usually used for discussion groups that sign their messages A domain can also have multiple Whitelist configurations After editing the file restart amavisd new sudo etc init d amavis restart fy In this context once a domain has been added to the Whitelist the message will not receive any anti virus or spam filtering This may or may not be the intended behavior you wish for a domain 5 2 4 Postfix For Postfix integration enter the following from a terminal prompt sudo postconf e content_filter smtp amavis 127 0 0 1 10024 Next edit etc post fix master cf and add the following to the end of the file smtp amavis unix 2 smtp o smtp_data_done_timeout 1200 o smtp_send_xforward_command yes o disable_dns_lookups yes o max_use 20 127 0 0 1 10025 inet n smtpd 0o content_filter 0o local_recipient_maps o relay_recipient_maps 0o smtpd_restriction_classes 0o smtpd_delay_reject no 0o smtpd_client_restrictions permit_mynetworks reject 256 Email Services o smtpd_helo_restrictions 0o smtpd_sender_restrictions 0o smtpd_recipient_restrictions permit_mynetworks reject o smtpd_data_restrictions reject_unauth_pipelining 0o smtpd_end_of_data_restrictions 0o mynetworks 127 0 0 0 8 o smtpd_error_sleep_time 0 o smtpd_soft_error_limit 1001 o smtpd_hard_error_limit 1000 o smtpd_client_connection_coun
47. adduser username groupname 1 3 User Profile Security When a new user is created the adduser utility creates a brand new home directory named home username respectively The default profile is modeled after the contents found in the directory of etc skel which includes all profile basics 154 Security If your server will be home to multiple users you should pay close attention to the user home directory permissions to ensure confidentiality By default user home directories in Ubuntu are created with world read execute permissions This means that all users can browse and access the contents of other users home directories This may not be suitable for your environment e To verify your current users home directory permissions use the following syntax ls ld home username The following output shows that the directory home username has world readable permissions drwxr xr x 2 username usernam 4096 2007 10 02 20 03 username e You can remove the world readable permissions using the following syntax sudo chmod 0750 home username Some people tend to use the recursive option R indiscriminately which modifies all child folders and files but this is not necessary and may yield other undesirable results The parent directory alone is sufficient for preventing unauthorized access to anything below the parent A much more efficient approach to the matter would be to modify the adduser global default perm
48. amp objectClass auditWriteObject reqResult 0 schemachecking on type refreshAndPersist retry 60 syncdata accesslog starttls critical tls_reqcert demand The extra options specify respectively that the consumer must use StartTLS and that the CA certificate is required to verify the Provider s identity Also note the LDIF syntax for changing the values of an attribute replace Implement these changes sudo ldapmodify Y EXTERNAL H ldapi f consumer_sync_tls 1ldif 109 Network Authentication And restart slapd sudo service slapd restart 4 On the Provider Check to see that a TLS session has been established In var log syslog providing you have conns level logging set up you should see messages similar to slapd 3620 slapd 3620 slapd 3620 slapd 3620 slapd 3620 slapd 3620 slapd 3620 slapd 3620 conn 104 conn 104 conn 104 conn 104 conn 104 conn 104 conn 104 conn 104 Gon EES ES E E ES S S Oo 0 0 Hh O0 E d 20 ACCEPT from IP 10 153 107 229 57922 p 0 EXT oid 1 3 6 1 4 1 1466 20037 p 0 STARTTLS p 0 RESULT oid err 0 text d 20 TLS established tls_ssf 128 ssf 128 IP 0 0 0 0 389 method 128 p 1 BIND dn cn admin dc example dc com mech SIMPL E ssf 0 p 1 BIND dn cn admin dc example dc com p 1 RESULT tag 97 err 0 text 1 10 LDAP Authentication Once you have a working LDAP server you will nee
49. an ephemeral one time container lxc stop lxc unfreeze Immediately stop a running container Unfreeze a frozen container lxc unshare lxc version Testing tool to manually unshare namespaces Print the version of the LXC tools lxc wait Wait for a container to reach a particular state 5 4 Configuration File LXC containers are very flexible The Ubuntu Ixc package sets defaults to make creation of Ubuntu system containers as simple as possible If you need more flexibility this chapter will show how to fine tune your containers as you need Detailed information is available in the Ixc conf 5 man page Note that the default configurations created by the ubuntu templates are reasonable for a system container and usually do not need customization 5 4 1 Choosing configuration files and options The container setup is controlled by the LXC configuration options Options can be specified at several points e During container creation a configuration file can be specified However creation templates often insert their own configuration options so we usually specify only network configuration options at 353 Virtualization this point For other configuration it is usually better to edit the configuration file after container creation e The file var lib 1lxc CN config is used at container startup by default e Ixc start accepts an alternate configuration file with the f fil
50. as a python script with a few new design goals 313 Virtualization e Develop it so that it can be reused by other distributions e Use a plugin mechanisms for all virtualization interactions so that others can easily add logic for other virtualization environments e Provide an easy to maintain web interface as an option to the command line interface But the general principles and commands remain the same 2 2 Initial Setup It is assumed that you have installed and configured libvirt and KVM locally on the machine you are using For details on how to perform this please refer to e Section 1 libvirt p 308 e The KVM Wiki page We also assume that you know how to use a text based text editor such as nano or vi If you have not used any of them before you can get an overview of the various text editors available by reading the PowerUsersTextEditors page This tutorial has been done on KVM but the general principle should remain on other virtualization technologies 2 2 1 Install vmbuilder The name of the package that we need to install is python vm builder In a terminal prompt enter sudo apt get install python vm builder fy If you are running Hardy you can still perform most of this using the older version of the package named ubuntu vm builder there are only a few changes to the syntax of the tool 2 3 Defining Your Virtual Machine Defining a virtual machine with Ubuntu s v
51. basic steps to install Ubuntu Server Edition from CD are the same as those for installing any operating system from CD Unlike the Desktop Edition the Server Edition does not include a graphical installation program The Server Edition uses a console menu based process instead First download and burn the appropriate ISO file from the Ubuntu web site Boot the system from the CD ROM drive At the boot prompt you will be asked to select a language From the main boot menu there are some additional options to install Ubuntu Server Edition You can install a basic Ubuntu Server check the CD ROM for defects check the system s RAM boot from first hard disk or rescue a broken system The rest of this section will cover the basic Ubuntu Server install The installer asks for which language it should use Afterwards you are asked to select your location Next the installation process begins by asking for your keyboard layout You can ask the installer to attempt auto detecting it or you can select it manually from a list The installer then discovers your hardware configuration and configures the network settings using DHCP If you do not wish to use DHCP at the next screen choose Go Back and you have the option to Configure the network manually Next the installer asks for the system s hostname and Time Zone You can then choose from several options to configure the hard drive layout Afterwards you are asked for which disk to in
52. be configured to share files with any client on the network without prompting for a password If your environment requires stricter Access Controls see Section 4 Securing a Samba File and Print Server p 283 2 1 Installation The first step is to install the samba package From a terminal prompt enter sudo apt get install samba That s all there is to it you are now ready to configure Samba to share files 2 2 Configuration The main Samba configuration file is located in etc samba smb conf The default configuration file has a significant amount of comments in order to document various configuration directives ba Not all the available options are included in the default configuration file See the smb conf man page or the Samba HOWTO Collection for more details 1 First edit the following key value pairs in the global section of etc samba smb conf workgroup EXAMPLE security user The security parameter is farther down in the global section and is commented by default Also change EXAMPLE to better match your environment 2 Create a new section at the bottom of the file or uncomment one of the examples for the directory to be shared share comment Ubuntu File Server Share path srv samba share browsable yes guest ok yes read only no create mask 0755 2 http samba org samba docs man Samba HOWTO Collection 278 Windows Networking e comment a s
53. by default install into a chroot environment for security reasons This can add greater complexity when troubleshooting problems To turn off the chroot operation locate for the following line in the etc post fix master cf configuration file smtp inet n smtpd and modify it as follows smtp inet n n smtpd You will then need to restart Postfix to use the new configuration From a terminal prompt enter sudo etc init d postfix restart 239 Email Services 1 7 2 Log Files Postfix sends all log messages to var log mail 1log However error and warning messages can sometimes get lost in the normal log output so they are also logged to var log mail err and var log mail warn respectively To see messages entered into the logs in real time you can use the tail f command tail f var log mail err The amount of detail that is recorded in the logs can be increased Below are some configuration options for increasing the log level for some of the areas covered above e To increase TLS activity logging set the smtpd_tls_loglevel option to a value from 1 to 4 sudo postconf e smtpd_tls_loglevel 4 e If you are having trouble sending or receiving mail from a specific domain you can add the domain to the debug_peer_list parameter sudo postconf e debug_peer_list problem domain e You can increase the verbosity of any Postfix daemon process by editing the etc post fix master cf and adding a
54. command line tool apt get has numerous advantages over other package management tools available in Ubuntu for server administrators Some of these advantages include ease of use over simple terminal connections SSH and the ability to be used in system administration scripts which can in turn be automated by the cron scheduling utility Some examples of popular uses for the apt get utility e Install a Package Installation of packages using the apt get tool is quite simple For example to install the network scanner nmap type the following sudo apt get install nmap e Remove a Package Removal of a package or packages is also straightforward To remove the package installed in the previous example type the following sudo apt get remove nmap Multiple Packages You may specify multiple packages to be installed or removed separated by spaces Also adding the purge option to apt get remove will remove the package configuration files as well This may or may not be the desired effect so use with caution e Update the Package Index The APT package index is essentially a database of available packages from the repositories defined in the etc apt sources 1list file and in the etc apt sources list d directory To update the local package index with the latest changes made in the repositories type the following sudo apt get update e Upgrade Packages Over time updated versions of packages currently installe
55. configure Samba to share Also any errors will be logged to var log syslog 4 5 Resources e For in depth Samba configurations see the Samba HOWTO Collection e The guide is also available in printed format e O Reilly s Using Samba is also a good reference e Chapter 18 of the Samba HOWTO Collection is devoted to security as http samba org samba docs man Samba HOWTO Collection 7 http www amazon com exec obidos tg detail 013 1882228 16 ittp www oreilly com catalog 9780596007690 hy http samba org samba docs man Samba HOWTO Collection securing samba html 286 Windows Networking e For more information on Samba and ACLs see the Samba ACLs page e The Ubuntu Wiki Samba page 18 http samba org samba docs man Samba HOWTO Collection AccessControls html id397568 19 https help ubuntu com community Samba 287 Windows Networking 5 Samba as a Domain Controller Although it cannot act as an Active Directory Primary Domain Controller PDC a Samba server can be configured to appear as a Windows NT4 style domain controller A major advantage of this configuration is the ability to centralize user and machine credentials Samba can also use multiple backends to store the user information 5 1 Primary Domain Controller This section covers configuring Samba as a Primary Domain Controller PDC using the default smbpasswd backend 1 First install Samba and libpam smbpass to sync
56. connecting client and to use that information as a basis for authenticating the client To use this authentication method first add the auth user pass directive to the client configuration It will direct the OpenVPN client to query the user for a username password passing it on to the server over the secure TLS channel client config auth user pass This will tell the OpenVPN server to validate the username password entered by clients using the login PAM module Useful if you have centralized authentication with e g Kerberos plugin usr lib openvpn openvpn auth pam so login fe Please read the OpenVPN hardening security guide for further security advice 1 6 2 Advanced bridged VPN configuration on server OpenVPN can be setup for either a routed or a bridged VPN mode Sometimes this is also referred to as OSI layer 2 versus layer 3 VPN In a bridged VPN all layer 2 frames e g all ethernet frames are sent to the VPN partners and in a routed VPN only layer 3 packets are sent to VPN partners In bridged mode all traffic including traffic which was traditionally LAN local like local network broadcasts DHCP requests ARP requests etc are sent to VPN partners whereas in routed mode this would be filtered 1 6 2 1 Prepare interface config for bridging on server Make sure you have the bridge utils package installed sudo apt get install bridge utils Before you setup OpenVPN in bridged mode you need to change your in
57. consisting of what to backup where to back it up to and how to restore it The following sections discuss various ways of accomplishing these tasks 294 Backups 1 Shell Scripts One of the simplest ways to backup a system is using a shell script For example a script can be used to configure which directories to backup and pass those directories as arguments to the tar utility which creates an archive file The archive file can then be moved or copied to another location The archive can also be created on a remote file system such as an NFS mount The tar utility creates one archive file out of many files or directories tar can also filter the files through compression utilities thus reducing the size of the archive file 1 1 Simple Shell Script The following shell script uses tar to create an archive file on a remotely mounted NFS file system The archive filename is determined using additional command line utilities bin sh HHPFHEREERE EERE EEPE EERE EEE EH HH Backup to NFS mount script FE AE E AE FE HEHE EEE AE AE HEE EH HEHE EE AE AE FE FE E E H What to backup backup_files home var spool mail etc root boot opt Where to backup to dest mnt backup Create archive filename day date A hostname S hostname s archive_file Shostname Sday tgz Print start status message echo Backing up Sbackup_files to S dest Sarchive_file date echo Backup t
58. correction and guaranteed delivery of data via what is known as flow control Flow control determines when the flow of a data stream needs to be stopped and previously sent data packets should to be re sent due to problems such as collisions for example thus ensuring complete and accurate delivery of the data TCP is typically used in the exchange of important information such as database transactions The User Datagram Protocol UDP on the other hand is a connectionless protocol which seldom deals with the transmission of important data because it lacks flow control or any other method to ensure reliable delivery of the data UDP is commonly used in such applications as audio and video streaming where it is considerably faster than TCP due to the lack of error correction and flow control and where the loss of a few packets is not generally catastrophic 44 Networking 2 5 ICMP The Internet Control Messaging Protocol ICMP is an extension to the Internet Protocol IP as defined in the Request For Comments RFC 792 and supports network packets containing control error and informational messages ICMP is used by such network applications as the ping utility which can determine the availability of a network host or device Examples of some error messages returned by ICMP which are useful to both network hosts and devices such as routers include Destination Unreachable and Time Exceeded 2 6 Daemons Daemons are speci
59. date echo Make sure the tape is rewound mt f Sdest rewind Backup the files using tar tar czf Sdest Sbackup_files Rewind and eject the tape mt f Sdest rewoffl Print end status message echo echo Backup finished date fe The default device name for a SCSI tape drive is dev st0 Use the appropriate device path for your system Restoring from a tape drive is basically the same as restoring from a file Simply rewind the tape and use the device path instead of a file path For example to restore the etc hosts file to tmp etc hosts mt f dev st0O rewind tar xzf dev st0 C tmp etc hosts 301 Backups 3 Bacula Bacula is a backup program enabling you to backup restore and verify data across your network There are Bacula clients for Linux Windows and Mac OS X making it a cross platform network wide solution 3 1 Overview Bacula is made up of several components and services used to manage which files to backup and backup locations e Bacula Director a service that controls all backup restore verify and archive operations e Bacula Console an application allowing communication with the Director There are three versions of the Console e Text based command line version e Gnome based GTK Graphical User Interface GUI interface e wxWidgets GUI interface e Bacula File also known as the Bacula Client program This application is installed on machines to b
60. device maps fy The default verbosity level of multipath is 2 and can be globally modified by defining the verbosity attribute in the defaults section of multipath conf The following example shows the output of a multipath 1 command multipath 1 3600d0230000000000e13955cc3757800 dm 1 WINSYS SF2372 size 269G features 0 hwhandler 0 wp rw policy round robin 0 prio 1 status active 6 0 0 0 sdb 8 16 active ready running policy round robin 0 prio 1 status enabled 7 0 0 0 sdf 8 80 active ready running The following example shows the output of a multipath ll command multipath 11 3600d0230000000000e13955cc3757801 dm 10 WINSYS SF2372 size 269G features 0 hwhandler 0 wp rw policy round robin 0 prio 1 status enabled 19 0 0 1 sdc 8 32 active ready running 76 DM Multipath policy round robin 0 prio 1 status enabled 18 0 0 1 sdh 8 112 active ready running 3600d0230000000000e13955cc3757803 dm 2 WINSYS SF2372 size 125G features 0 hwhandler 0 wp rw policy round robin 0 prio 1 status active 19 0 0 3 sde 8 64 active ready running 18 0 0 3 sdj 8 144 active ready running 5 8 Multipath Command Options Table Useful multipath Command Options p 77 describes some options of the multipath command that you might find useful Table 5 6 Useful multipath Command Options Option Description l Display
61. e Byobu currently does not launch at login toggle on The key bindings determine such things as the escape sequence new window change window etc There are two key binding sets to choose from f keys and screen escape keys If you wish to use the original key bindings choose the none set byobu provides a menu which displays the Ubuntu release processor information memory information and the time and date The effect is similar to a desktop menu Using the Byobu currently does not launch at login toggle on option will cause byobu to be executed any time a terminal is opened Changes made to byobu are on a per user basis and will not affect other users on the system One difference when using byobu is the scrollback mode Press the F7 key to enter scrollback mode Scrollback mode allows you to navigate past output using vi like commands Here is a quick list of movement commands e h Move the cursor left by one character e j Move the cursor down by one line e k Move the cursor up by one line e Move the cursor right by one character e 0 Move to the beginning of the current line e Move to the end of the current line e G Moves to the specified line defaults to the end of the buffer e Search forward 383 Other Useful Applications e Search backward e n Moves to the next match either forward or backword 384 Other Useful Applications 4 References e See the update motd man
62. etc openvpn up sh br0 ethi j server 10 8 0 0 255 255 255 0 server bridge 10 0 0 4 255 255 255 0 10 0 0 128 10 0 0 254 Next create a helper script to add the tap interface to the bridge and to ensure that eth1 is promiscuous mode Create etc openvpn up sh bin sh BR 1 ETHDEV 2 TAPDEV 3 sbin ip link set TAPDEV up 373 VPN sbin ip link set SETHDEV promisc on sbin brctl addif BR S TAPDEV Then make it executable sudo chmod 755 etc openvpn up sh After configuring the server restart openvpn by entering sudo etc init d openvpn restart 1 6 2 3 Client Configuration First install openvpn on the client sudo apt get install openvpn Then with the server configured and the client certificates copied to the etc openvpn directory create a client configuration file by copying the example In a terminal on the client machine enter sudo cp usr share doc openvpn examples sample config files client conf etc openvpn Now edit etc openvpn client conf changing the following options dev tap 7 dev tun Finally restart openvpn sudo etc init d openvpn restart You should now be able to connect to the remote LAN through the VPN 1 7 Client software implementations 1 7 1 Linux Network Manager GUI for OpenVPN Many Linux distributions including Ubuntu desktop variants come with Network Manager a nice GUI to configure your network settings It also can manage your VPN connections
63. file and insert the appropriate device information For example to add information about the HP Open V series the entry looks like this where n is the device name devices device vendor HP product OPEN V getuid_callout lib udev scsi_id whitelisted device dev n For more information on the devices section of the configuration file see Section Configuration File Devices p 70 61 DM Multipath 4 The DM Multipath Configuration File By default DM Multipath provides configuration values for the most common uses of multipathing In addition DM Multipath includes support for the most common storage arrays that support DM Multipath The default configuration values and the supported devices can be found in the multipath conf defaults file You can override the default configuration values for DM Multipath by editing the etc multipath conf configuration file If necessary you can also add a storage array that is not supported by default to the configuration file This chapter provides information on parsing and modifying the multipath conf file It contains sections on the following topics e Configuration File Overview p 62 e Configuration File Blacklist p 63 e Configuration File Defaults p 65 e Configuration File Multipath Attributes p 69 e Configuration File Devices p 70 In the multipath configuration file you need to specify only the sections that you need for your configu
64. filesystem create and symlink two directories sudo mkdir srv 1xclib srv 1xccache sudo rm rf var lib 1lxc var cache 1xc sudo ln s srv 1xclib var lib 1xc sudo ln s srv lxccache var cache 1lxc or using bind mounts sudo mkdir srv 1xclib srv 1lxccache sudo sed i Sa srv 1xclib var lib 1lxc none defaults bind 0 0 srv lxccache var cache lxc none defaults bind 0 0 etc fstab sudo mount a 5 2 4 Containers backed by lvm It is possible to use LVM partitions as the backing stores for containers Advantages of this include flexibility in storage management and fast container cloning The tools default to using a VG volume group named xc but another VG can be used through command line options When a LV is used as a container backing store the container s configuration file is still var 1ib 1xc CN config but the root fs entry in that file xc rootfs will point to the 1V block device name i e dev 1xc CN Containers with directory tree and LVM backing stores can co exist 5 2 5 Btrfs If your host has a btrfs var the LXC administration tools will detect this and automatically exploit it by cloning containers using btrfs snapshots 5 2 6 Apparmor LXC ships with an Apparmor profile intended to protect the host from accidental misuses of privilege inside the container For instance the container will not be able to write to proc sysrgq trigger or to most sys files The usr bin 1xc start
65. following command sudo apt get install vsftpd 1 2 Anonymous FTP Configuration By default vsftpd is not configured to allow anonymous download If you wish to enable anonymous download edit etc vsftpd conf by changing anonymous_enable Yes During installation a ftp user is created with a home directory of srv ftp This is the default FTP directory If you wish to change this location to srv files ftp for example simply create a directory in another location and change the ftp user s home directory 222 File Servers sudo mkdir srv files ftp sudo usermod d srv files ftp ftp After making the change restart vsftpd sudo restart vsftpd Finally copy any files and directories you would like to make available through anonymous FTP to srv files ftp Or srv ftp if you wish to use the default 1 3 User Authenticated FTP Configuration By default vsftpd is configured to authenticate system users and allow them to download files If you want users to be able to upload files edit etc vsftpd conf write_enable YES Now restart vsftpd sudo restart vsftpd Now when system users login to FTP they will start in their home directories where they can download upload create directories etc Similarly by default anonymous users are not allowed to upload files to FTP server To change this setting you should uncomment the following line and restart vsftpd anon_upload_enable YES Enabling anon
66. http_access section of your etc squid squid conf file http_access allow fortytwo_network e Using the excellent access control features of Squid you may configure use of Internet services proxied by Squid to be available only during normal business hours For example we ll illustrate access by employees of a business which is operating between 9 00AM and 5 00PM Monday through Friday and which uses the 10 1 42 0 42 subnetwork Add the following to the bottom of the ACL section of your etc squid squid conf file acl biz network src 10 1 42 0 24 acl biz_hours time M T W T F 9 00 17 00 Then add the following to the top of the http_access section of your etc squid squid conf file http_access allow biz_network biz_hours a After making changes to the etc squid squid conf file save the file and restart the squid server application to effect the changes using the following command entered at a terminal prompt sudo etc init d squid restart 3 3 References Squid Website Ubuntu Wiki Squid page 5 http www squid cache org 16 https help ubuntu com community Squid 198 Web Servers 4 Ruby on Rails Ruby on Rails is an open source web framework for developing database backed web applications It is optimized for sustainable productivity of the programmer since it lets the programmer to write code by favouring convention over configuration 4 1 Installation Before installing Rails you should
67. in etc apparmor d disable Then load the profile using the a option sudo rm etc apparmor d disable profile name cat etc apparmor d profile name sudo apparmor_parser a e AppArmor can be disabled and the kernel module unloaded by entering the following sudo etc init d apparmor stop sudo update re d f apparmor remove e To re enable AppArmor enter sudo etc init d apparmor start sudo update re d apparmor defaults bJ Replace profile name with the name of the profile you want to manipulate Also replace path to bin with the actual executable file path For example for the ping command use bin ping 4 2 Profiles AppArmor profiles are simple text files located in etc apparmor d The files are named after the full path to the executable they profile replacing the with For example etc apparmor d bin ping is the AppArmor profile for the bin ping command There are two main type of rules used in profiles e Path entries which detail which files an application can access in the file system 168 Security e Capability entries determine what privileges a confined process is allowed to use As an example take a look at etc apparmor d bin ping include lt tunables global gt bin ping flags complain include lt abstractions base gt include lt abstractions consoles gt include lt abstractions nameservice gt capability net_raw capability setuid network inet raw bin p
68. in etc resolv conf which is now a symlink etc resolv conf gt run resolvconf resolv conf To configure the resolver add the IP addresses of the nameservers that are appropriate for your network in the file etc network interfaces You can also add an optional DNS suffix search lists to match your network domain names For each other valid resolv conf configuration option you can include in the stanza one line beginning with that option name with a dns prefix The resulting file might look like the following iface ethO inet static address 192 168 3 3 netmask 255 255 255 0 gateway 192 168 3 1 dns search example com dns nameservers 192 168 3 45 192 168 8 10 The search option can also be used with multiple domain names so that DNS queries will be appended in the order in which they are entered For example your network may have multiple sub domains to search a parent domain of example com and two sub domains sales example com and dev example com If you have multiple domains you wish to search your configuration might look like the following iface ethO inet static address 192 168 3 3 netmask 255 255 255 0 gateway 192 168 3 1 dns search example com sales example com dev example com dns nameservers 192 168 3 45 192 168 8 10 If you try to ping a host with the name of server your system will automatically query DNS for its Fully Qualified Domain Name FQDN in the following order 1 serverl example com 2 ser
69. in the cluster by running the following command service multipath tools start If you add a new device you will need to repeat this process Similarly if you configure an alias for a device that you would like to be consistent across the nodes in the cluster you should ensure that the etc multipath conf file is the same for each node in the cluster by following the same procedure 1 Configure the aliases for the multipath devices in the in the multipath conf file on one machine 2 Disable all of your multipath devices on your other machines by running the following commands service multipath tools stop multipath F 3 Copy the multipath conf file from the first machine to all the other machines in the cluster 4 Re enable the multipathd daemon on all the other machines in the cluster by running the following command service multipath tools start When you add a new device you will need to repeat this process 2 3 Multipath Device attributes In addition to the user_friendly_names and alias options a multipath device has numerous attributes You can modify these attributes for a specific multipath device by creating an entry for that device in the multipaths section of the multipath configuration file For information on the multipaths section of the multipath configuration file see Section Configuration File Multipath Attributes 2 4 Multipath Devices in Logical Volumes After creating multipat
70. install Apache and MySQL To install the Apache package please refer to Section 1 HTTPD Apache2 Web Server p 187 For instructions on installing MySQL refer to Section 1 MySQL p 206 Once you have Apache and MySQL packages installed you are ready to install Ruby on Rails package To install the Ruby base packages and Ruby on Rails you can enter the following command in the terminal prompt sudo apt get install rails 4 2 Configuration Modify the etc apache2 sites available default configuration file to setup your domains The first thing to change is the DocumentRoot directive DocumentRoot path to rails application public Next change the lt Directory path to rails application public gt directive lt Directory path to rails application public gt Options Indexes FollowSymLinks MultiViews ExecCGI AllowOverride All Order allow deny allow from all AddHandler cgi script cgi lt Directory gt You should also enable the mod_rewrite module for Apache To enable mod_rewrite module please enter the following command in a terminal prompt sudo a2enmod rewrite Finally you will need to change the ownership of the path to rails application public and path to rails application tmp directories to the user used to run the Apache process 199 Web Servers sudo chown R www data www data path to rails application public sudo chown R www data www data path to rails application tmp
71. is called the Directory Information Tree DIT e An entry consists of a set of attributes e An attribute has a type a name description and one or more values e Every attribute must be defined in at least one objectClass e Attributes and objectclasses are defined in schemas an objectclass is actually considered as a special kind of attribute e Each entry has a unique identifier it s Distinguished Name DN or dn This consists of it s Relative Distinguished Name RDN followed by the parent entry s DN e The entry s DN is not an attribute It is not considered part of the entry itself fe The terms object container and node have certain connotations but they all essentially mean the same thing as entry the technically correct term For example below we have a single entry consisting of 11 attributes It s DN is cn John Doe dc example dc com it s RDN is cn John Doe and it s parent DN is dc example dc com dn cn John Doe dc example dc com cn John Doe givenName John sn Doe telephoneNumber 1 888 555 6789 telephoneNumber 1 888 555 1232 mail john example com manager cn Larry Smith dc example dc com objectClass inetOrgPerson objectClass organizationalPerson objectClass person objectClass top The above entry is in LDIF format LDAP Data Interchange Format Any information that you feed into your DIT must also be in such a format It is defined in RFC2849 Although this guide w
72. is provided in its own package but the multipath tools package depends on it 53 DM Multipath 1 5 DM Multipath Setup Overview DM Multipath includes compiled in default settings that are suitable for common multipath configurations Setting up DM multipath is often a simple procedure The basic procedure for configuring your system with DM Multipath is as follows 1 Install the multipath tools and multipath tools boot packages 2 Create an empty config file etc multipath conf that re defines the following 3 If necessary edit the multipath conf configuration file to modify default values and save the updated file 4 Start the multipath daemon 5 Update initial ramdisk For detailed setup instructions for multipath configuration see Section Setting Up DM Multipath 54 DM Multipath 2 Multipath Devices Without DM Multipath each path from a server node to a storage controller is treated by the system as a separate device even when the I O path connects the same server node to the same storage controller DM Multipath provides a way of organizing the I O paths logically by creating a single multipath device on top of the underlying devices 2 1 Multipath Device Identifiers Each multipath device has a World Wide Identifier WWID which is guaranteed to be globally unique and unchanging By default the name of a multipath device is set to its WWID Alternately you can set the user_frie
73. local disk dev sda in the multipath map For further information on the multipath command output see Section Multipath Command Output multipath v2 create SIBM ESXSST336732LC F3ETOEBPOQ000072428BX1 undef WINSYS SF2372 size 33 GB features 0 hwhandler 0 wp undef policy round robin 0 prio 1 status undef l 0 0 0 0 sda 8 0 device mapper ioctl cmd 9 failed Invalid argument device mapper ioctl cmd 14 failed No such device or address create 3600a0b80001327d80000006d43621677 undef WINSYS SF2372 size 12G features 0 hwhandler 0 wp undef policy round robin 0 prio 1 status undef 2 0 0 0 sdb 8 16 undef ready running 3 0 0 0 sdf 8 80 undef ready running create 3600a0b80001327510000009a436215ec undef WINSYS SF2372 size 12G features 0 hwhandler 0 wp undef policy round robin 0 prio 1 status undef 2 0 0 1 sdc 8 32 undef ready running 3 0 0 1 sdg 8 96 undef ready running create 3600a0b80001327d800000070436216b3 undef WINSYS SF2372 size 12G features 0 hwhandler 0 wp undef policy round robin 0 prio 1 status undef 2 0 0 2 sdd 8 48 undef ready running 3 0 0 2 sdg 8 112 undef ready running create 3600a0b80001327510000009b4362163e undef WINSYS SF2372 size 12G features 0 hwhandler 0 wp undef policy round robin 0 prio 1 status undef 2 0 0 3 sdd 8 64 undef ready running 3 0 0 3 sdg 8 128 undef ready runn
74. manage your firewall if you re familiar with it but many frontends are available to simplify the task 3 2 ufw Uncomplicated Firewall The default firewall configuration tool for Ubuntu is ufw Developed to ease iptables firewall configuration ufw provides a user friendly way to create an IPv4 or IPv6 host based firewall ufw by default is initially disabled From the ufw man page ufw is not intended to provide complete firewall functionality via its command interface but instead provides an easy way to add or remove simple rules It is currently mainly used for host based firewalls The following are some examples of how to use ufw e First ufw needs to be enabled From a terminal prompt enter sudo ufw enable e To open a port ssh in this example sudo ufw allow 22 e Rules can also be added using a numbered format sudo ufw insert 1 allow 80 e Similarly to close an opened port sudo ufw deny 22 e To remove a rule use delete followed by the rule sudo ufw delete deny 22 e Itis also possible to allow access from specific hosts or networks to a port The following example allows ssh access from host 192 168 0 2 to any ip address on this host 160 Security sudo ufw allow proto tcp from 192 168 0 2 to any port 22 Replace 192 168 0 2 with 192 168 0 0 24 to allow ssh access from the entire subnet Adding the dry run option to a ufw command will output the resulting rules but not app
75. necessary for all my cnf changes Most of the variables you may wish to change to improve performance are adjustable even whilst the server is running As with anything make sure to have a good backup copy of config files and data before making changes 1 4 2 MySQL Tuner MySQL Tuner is a useful tool that will connect to a running MySQL instance and offer suggestions for how it can be best configured for your workload The longer the server has been running for the better the advice mysqltuner can provide In a production environment consider waiting for at least 24 hours before running the tool You can get install mysqltuner from the Ubuntu repositories sudo apt get install mysqltuner Then once its been installed run it mysqltuner and wait for its final report The top section provides general information about the database server and the bottom section provides tuning suggestions to alter in your my cnf Most of these can be altered live on the server without restarting look through the official MySQL documentation link in Resources section for the relevant variables to change in production The following is part of an example report from a production database which shows there may be some benefit from increasing the amount of query cache Sona Recommendations 555 5 5 5 General recommendations Run OPTIMIZE TABLE to defragment tables for better performance Increase ta
76. need to run it as an administrator You have to right click on it and you will see that option You will have to write your OpenVPN config in a textfile and place it in C Program Files OpenVPN config client ovpn along with the CA certificate You could put the user certificate in the user s home directory like in the follwing example C Program Files OpenVPN config client ovpn client remote server example com port 1194 proto udp dev tun dev type tun ns cert type server reneg sec 86400 auth user pass auth retry interact comp lzo yes verb 3 ca ca crt cert C Users username My Documents openvpn client crt key C Users username My Documents openvpn client key management 127 0 0 1 1194 management hold management query passwords auth retry interact 1 7 4 Open VPN for OpenWRT OpenWRT is described as a Linux distribution for embedded devices like WLAN router There are certain types of WLAN routers who can be flashed to run OpenWRT Depending on the available memory on your OpenWRT router you can run software like OpenVPN and you could for example build a small inexpensive branch office router with VPN connectivity to the central office More info on OpenVPN on OpenWRT is here And here is the OpenWRT project s homepage http openwrt org 2 http www openvpn net index php open source downloads html gt http wiki openwrt org doc howto vpn overview 376 VPN Log
77. nodes returned 0 euca_conf register walrus returned 0 Calling cluster clusterl 10 1 1 71 euca_conf register cluster returned 0 Calling storage clusterl storage 10 1 1 71 euca_conf register sc returned 0 The output on your machine will vary from the example above After installing and booting the Cloud Controller users of the cloud will need to retrieve their credentials This can be done either through a web browser or at the command line 3 6 1 From a Web Browser 1 From your web browser either remotely or on your Ubuntu server access the following URL https lt cloud controller ip address gt 8443 You must use a secure connection so make sure you use https not http in your URL You will get a security certificate warning You will have to add an exception to view the page If you do not accept it you will not be able to view the Eucalyptus configuration page 2 Use username admin and password admin for the first time login you will be prompted to change your password 3 Then follow the on screen instructions to update the admin password and email address 326 Virtualization 4 Once the first time configuration process is completed click the credentials tab located in the top left portion of the screen 5 Click the Download Credentials button to get your certificates 6 Save them to euca 7 Unzip the downloaded zip file into a safe locati
78. out to obtain a unique path identifier An absolute path is required The default value is lib udev scsi_id whitelisted device dev n prio Specifies the default function to call to obtain a path priority value For example the ALUA bits in SPC 3 provide an exploitable prio value Possible values include e const Set a priority of 1 to all paths e emc Generate the path priority for EMC arrays e alua Generate the path priority based on the SCSI 3 ALUA settings e netapp Generate the path priority for NetApp arrays e rdac Generate the path priority for LSI Engenio RDAC controller e hp_sw Generate the path priority for Compaq HP controller in active standby mode e hds Generate the path priority for Hitachi HDS Modular storage arrays The default value is const prio_args The arguments string passed to the prio function Most prio functions do not need arguments The datacore prioritizer need one Example timeout 1000 preferredsds foo The default value is null features The extra features of multipath devices The only existing feature is queue_if_no_path which is the same as setting no_path_retry to queue For information on issues that may arise when using this feature see Section Issues with queue_if_no_path feature path_checker Specifies the default method used to determine the state of the paths Possible values include e readsector0 Read the first sec
79. private server key sudo postconf e smtpd_tls_cert_file etc ssl certs server crt sudo postconf e smtpd_tls_loglevel 1 sudo postconf e smtpd_tls_received_header yes sudo postconf e myhostname mail example com 4 If you are using your own Certificate Authority to sign the certificate enter sudo postconf e smtpd_tls_CAfile etc ssl certs cacert pem Again for more details about certificates see Section 5 Certificates p 171 J After running all the commands Postfix is configured for SMTP AUTH and a self signed certificate has been created for TLS encryption Now the file etc postfix main cf should look like this The postfix initial configuration is complete Run the following command to restart the postfix daemon sudo etc init d postfix restart Postfix supports SMTP AUTH as defined in RFC2554 It is based on SASL However it is still necessary to set up SASL authentication before you can use SMTP AUTH 1 4 Configuring SASL Postfix supports two SASL implementations Cyrus SASL and Dovecot SASL To enable Dovecot SASL the dovecot common package will need to be installed From a terminal prompt enter the following sudo apt get install dovecot common Next you will need to edit etc dovecot dovecot conf In the auth default section uncomment the socket listen option and change the following socket listen master Master socket provides access to userdb informat
80. restart You should see the file var log query 1log fill with query information This is a simple example of the BIND9 logging options For coverage of advanced options see Section 4 2 More Information p 151 150 Domain Name Service DNS 4 References 4 1 Common Record Types This section covers some of the most common DNS record types A record This record maps an IP Address to a hostname www IN A 192 168 1 12 CNAME record Used to create an alias to an existing A record You cannot create a CNAME record pointing to another CNAME record web IN CNAME www MX record Used to define where email should be sent to Must point to an A record not a CNAME IN MX 1 mail example com mail IN A 192 068 1013 NS record Used to define which servers serve copies of a zone It must point to an A record not a CNAME This is where Primary and Secondary servers are defined IN NS ns example com IN NS ns2 example com ns IN A 192 168 1 10 ns2 IN A 192 168 1 11 4 2 More Information The DNS HOWTO explains more advanced options for configuring BIND9 For in depth coverage of DNS and BIND9 see Bind9 ner DNS and BIND is a popular book now in it s fifth edition A great place to ask for BIND9 assistance and get involved with the Ubuntu Server community is the ubuntu server IRC channel on freenode Also see the BIND9 Server HOWTO in the Ubuntu Wiki 1 http www tldp org HOWTO DNS
81. that slapd knows about the Samba attributes we can set up some indices based on them Indexing entries is a way to improve performance when a client performs a filtered search on the DIT Create the file samba_indices 1dif with the following contents dn olcDatabase 1 hdb cn config changetype modify add olcDbIndex olcDbIndex uidNumber eq olcDbIndex gidNumber eq olcDbIndex loginShell eq olcDbIndex uid eq pres sub olcDbIndex memberUid eq pres sub olcDbIndex uniqueMember eq pres olcDbIndex sambaSID eq olcDbIndex sambaPrimaryGroupSID eq olcDbIndex sambaGroupType eq olcDbIndex sambaSIDList eq olcDbIndex sambaDomainName eq olcDbIndex default sub Using the ldapmodify utility load the new indices sudo ldapmodify Q Y EXTERNAL H ldapi f samba_indices 1ldif If all went well you should see the new indices using ldapsearch sudo ldapsearch Q LLL Y EXTERNAL H ldapi b cn config olcDatabase 1 hdb olcDbIndex 2 2 3 Adding Samba LDAP objects Next configure the smbldap tools package to match your environment The package comes with a configuration script that will ask questions about the needed options To run the script enter sudo gzip d usr share doc smbldap tools configure pl gz sudo perl usr share doc smbldap tools configure pl 119 Network Authentication You may need to comment out the strict pragma in the configure p file Once you have answered the questions
82. the Bacula Console prompt enter label You will then be prompted for the Storage resource Automatically selected Catalog MyCatalog Using Catalog MyCatalog The defined Storage resources ar 1 File 2 TapeDrive Select Storage resource 1 2 2 305 Backups Enter the new Volume name Enter new Volume name Sunday Defined Pools 1 Default 2 Scratch Replace Sunday with the desired label e Now select the Pool Select the Pool 1 2 1 Connecting to Storage daemon TapeDrive at backupserver 9103 Sending label command for Volume Sunday Slot 0 Congratulations you have now configured Bacula to backup the localhost to an attached tape drive 3 5 Resources e For more Bacula configuration options refer to the Bacula User s Manual e The Bacula Home Page contains the latest Bacula news and developments e Also see the Bacula Ubuntu Wiki page 19 http www bacula org en rel manual index html Il http www bacula org Me https help ubuntu com community Bacula 306 Chapter 20 Virtualization Virtualization is being adopted in many different environments and situations If you are a developer virtualization can provide you with a contained environment where you can safely do almost any sort of development safe from messing up your main working environment If you are a systems administrator you can use virtualization to more easily separate your services and move them around
83. the basic unit of networking information The IP Datagram consists of a header followed by a message The Transmission Control Protocol is the TCP of TCP IP and enables network hosts to establish connections which may be used to exchange data streams TCP also guarantees that the data between connections is delivered and that it arrives at one network host in the same order as sent from another network host 2 2 TCP IP Configuration The TCP IP protocol configuration consists of several elements which must be set by editing the appropriate configuration files or deploying solutions such as the Dynamic Host Configuration Protocol DHCP server which in turn can be configured to provide the proper TCP IP configuration settings to network clients automatically These configuration values must be set correctly in order to facilitate the proper network operation of your Ubuntu system The common configuration elements of TCP IP and their purposes are as follows e IP address The IP address is a unique identifying string expressed as four decimal numbers ranging from zero 0 to two hundred and fifty five 255 separated by periods with each of the four numbers representing eight 8 bits of the address for a total length of thirty two 32 bits for the whole address This format is called dotted quad notation e Netmask The Subnet Mask or simply netmask is a local bit mask or set of flags which separate the portions of an IP address s
84. the files etc smbldap tools smbldap conf and etc smbldap tools smbldap_bind conf should be generated If you made any mistakes while executing the script you can always edit the files afterwards The smbldap populate script will add the LDAP objects required for Samba It is a good idea to first make a backup of your entire directory using slapcat sudo slapcat 1 backup 1ldif Once you have a backup proceed to populate your directory sudo smbldap populate You can create a LDIF file containing the new Samba objects by executing sudo smbldap populate e samba ldif This allows you to look over the changes making sure everything is correct If it is rerun the script without the e switch Alternatively you can take the LDIF file and import it s data per usual Your LDAP directory now has the necessary information to authenticate Samba users 2 3 Samba Configuration There are multiple ways to configure Samba For details on some common configurations see Chapter 18 Windows Networking p 276 To configure Samba to use LDAP edit it s configuration file etc samba smb conf commenting out the default passdb backend parameter and adding some Idap related ones passdb backend tdbsam LDAP Settings passdb backend ldapsam ldap hostname ldap suffix dc example dc com ldap user suffix ou People ldap group suffix ou Groups ldap machine suffix ou Computers ldap idmap suffix ou Idmap ldap admin d
85. the key By default the public key is saved in the file ssh id_dsa pub while ssh id_dsa is the private key Now copy the id_dsa pub file to the remote host and append it to ssh authorized_keys by entering ssh copy id username remotehost Finally double check the permissions on the authorized_keys file only the authenticated user should have read and write permissions If the permissions are not correct change them by chmod 600 ssh authorized_keys You should now be able to SSH to the host without being prompted for a password 1 5 References e Ubuntu Wiki SSH page OpenSSH Website e Advanced OpenSSH Wiki Page i https help ubuntu com community SSH 2 http www openssh org 2 https wiki ubuntu com AdvancedOpenSSH 82 Remote Administration 2 Puppet Puppet is a cross platform framework enabling system administrators to perform common tasks using code The code can do a variety of tasks from installing new software to checking file permissions or updating user accounts Puppet is great not only during the initial installation of a system but also throughout the system s entire life cycle In most circumstances puppet will be used in a client server configuration This section will cover installing and configuring Puppet in a client server configuration This simple example will demonstrate how to install Apache using Puppet 2 1 Installation To install Puppet in a terminal on the se
86. the most common storage arrays that support DM Multipath The supported devices can be found in the multipath conf defaults file If your storage array supports DM Multipath and is not configured by default in this file you may need to add them to the DM Multipath configuration file multipath conf For information on the DM Multipath configuration file see Section The DM Multipath Configuration File Some storage arrays require special handling of I O errors and path switching These require separate hardware handler kernel modules 1 4 DM Multipath components Table DM Multipath Components describes the components of the DM Multipath package Table 5 2 DM Multipath Components Component Description dm_multipath kernel Reroutes I O and supports failover for paths and path groups module multipath command Lists and configures multipath devices Normally started up with etc rc sysinit it can also be started up by a udev program whenever a block device is added or it can be run by the initramfs file system multipathd daemon Monitors paths as paths fail and come back it may initiate path group switches Provides for interactive changes to multipath devices This daemon must be restarted for any changes to the etc multipath conf file to take effect kpartx command Creates device mapper devices for the partitions on a device It is necessary to use this command for DOS based partitions with DM Multipath The kpartx
87. the network configuration and administration and allows to save time Zentyal is open source released under the GNU General Public License GPL and runs on top of Ubuntu GNU Linux Zentyal consists of a serie of packages usually one for each module that provide a web interface to configure the different servers or services The configuration is stored on a key value Redis database but users groups and domains related configuration is on OpenLDAP When you configure any of the available parameters through the web interface final configuration files are overwritten using the configuration templates provided by the modules The main advantages of using Zentyal are unified graphical user interface to configure all network services and high out of the box integration between them 3 1 Installation Zentyal 2 3 is available on Ubuntu 12 04 Universe repository The modules available are e zentyal core amp zentyal common the core of the Zentyal interface and the common libraries of the framework Also include the logs and events modules that give the administrator an interface to view the logs and generate events from them e zentyal network manages the configuration of the network From the interfaces supporting static IP DHCP VLAN bridges or PPPoE to multiple gateways when having more than one Internet connection load balancing and advanced routing static routes or dynamic DNS e zentyal objects amp zentyal services
88. the surface but regardless of which storage engine is in use you will interact with the database in the same way Each engine has its own advantages and disadvantages While it is possible and may be advantageous to mix and match database engines on a table level doing so reduces the effectiveness of the performance tuning you can do as you ll be splitting the resources between two engines instead of dedicating them to one e MyISAM is the older of the two It can be faster than InnoDB under certain circumstances and favours a read only workload Some web applications have been tuned around MyISAM though that s not to imply that they will slow under InnoDB MyISAM also supports the FULLTEXT data type which allows very fast searches of large quantities of text data However MyISAM is only capable of locking an entire table for writing This means only one process can update a table at a time As any application that uses the table scales this may prove to be a hindrance It also lacks journaling which makes it harder for data to be recovered after a crash The following link provides some points for consideration about using MyISAM on a production database e InnoDB is a more modern database engine designed to be ACID compliant which guarantees database transactions are processed reliably Write locking can occur on a row level basis within a table That means multiple updates can occur on a single table simultaneously Data caching
89. the user accounts by entering the following in a terminal prompt sudo apt get install samba libpam smbpass 2 Next configure Samba by editing etc samba smb conf The security mode should be set to user and the workgroup should relate to your organization workgroup EXAMPLE security user 3 In the commented Domains section add or uncomment the following the last line has been split to fit the format of this document domain logons yes logon path N U profile logon drive H logon home N U logon script logon cmd add machine script sudo usr sbin useradd N g machines c Machine d var lib samba s bin false u If you wish to not use Roaming Profiles leave the logon home and logon path options commented e domain logons provides the netlogon service causing Samba to act as a domain controller e logon path places the user s Windows profile into their home directory It is also possible to configure a profiles share placing all profiles under a single directory e logon drive specifies the home directory local path e logon home specifies the home directory location e logon script determines the script to be run locally once a user has logged in The script needs to be placed in the netlogon share 288 Windows Networking e add machine script a script that will automatically create the Machine Trust Account needed for a workstation to join the do
90. this group and he can then add and manage projects in the CVS repository 274 Version Control System 4 References Bazaar Home Page Launchpad Subversion Home Page Subversion Book CVS Manual Easy Bazaar Ubuntu Wiki page Ubuntu Wiki Subversion page 4 http bazaar canonical com en 2 https launchpad net 6 http subversion tigris org T http svnbook red bean com 8 http ximbiot com cvs manual cvs 1 11 21 cvs_toc html 7 https help ubuntu com community Easy Bazaar 19 https help ubuntu com community Subversion 275 Chapter 18 Windows Networking Computer networks are often comprised of diverse systems and while operating a network made up entirely of Ubuntu desktop and server computers would certainly be fun some network environments must consist of both Ubuntu and Microsoft Windows systems working together in harmony This section of the Ubuntu Server Guide introduces principles and tools used in configuring your Ubuntu Server for sharing network resources with Windows computers 276 Windows Networking 1 Introduction Successfully networking your Ubuntu system with Windows clients involves providing and integrating with services common to Windows environments Such services assist the sharing of data and information about the computers and users involved in the network and may be classified under three major categories of functionality e File and Printer Sh
91. to a portion of the contents of volatile memory RAM that is copied to disk whenever the execution of the kernel is disrupted The following events can cause a kernel disruption e Kernel Panic e Non Maskable Interrupts NMI e Machine Check Exceptions MCE e Hardware failure e Manual intervention For some of those events panic NMI the kernel will react automatically and trigger the crash dump mechanism through kexec In other situations a manual intervention is required in order to capture the memory Whenever one of the above events occurs it is important to find out the root cause in order to prevent it from happening again The cause can be determined by inspecting the copied memory contents 5 2 Kernel Crash Dump Mechanism When a kernel panic occurs the kernel relies on the kexec mechanism to quickly reboot a new instance of the kernel in a pre reserved section of memory that had been allocated when the system booted see below This permits the existing memory area to remain untouched in order to safely copy its contents to storage 5 3 Installation The kernel crash dump utility is installed with the following command sudo apt get install linux crashdump A reboot is then needed 5 4 Configuration No further configuration is required in order to have the kernel dump mechanism enabled 5 5 Verification To confirm that the kernel dump mechanism is enabled there are a few things to verify F
92. to authenticate users if one LDAP server one Kerberos server or one LDAP and one Kerberos server become unavailable 137 Network Authentication 4 4 Resources e The Kerberos Admin Guide has some additional details e For more information on kdb5_Idap_util see Section 5 6 and the kdb5_Idap_util man page 2 e Another useful link is the krb5 conf man page e Also see the Kerberos and LDAP Ubuntu wiki page af http web mit edu Kerberos krb5 1 6 krb5 1 6 3 doc krb5 admin html Configuring Kerberos with OpenLDAP back_002dend 58 http web mit edu Kerberos krb5 1 6 krb5 1 6 3 doc krb5 admin html Global Operations on the Kerberos LDAP Database 33 http manpages ubuntu com manpages precise en man8 kdb5_ldap_util 8 html oo http manpages ubuntu com manpages precise en man5 krbS conf 5 html 61 https help ubuntu com community Kerberos kerberos ldap 138 Chapter 8 Domain Name Service DNS Domain Name Service DNS is an Internet service that maps IP addresses and fully qualified domain names FQDN to one another In this way DNS alleviates the need to remember IP addresses Computers that run DNS are called name servers Ubuntu ships with BIND Berkley Internet Naming Daemon the most common program used for maintaining a name server on Linux 139 Domain Name Service DNS 1 Installation At a terminal prompt enter the following command to install dns sudo apt get install bind9 A very
93. to be restored later The following will save the virtual machine state into a file named according to the date virsh c gemu system save web_devel web_devel 022708 state Once saved the virtual machine will no longer be running e A saved virtual machine can be restored using 310 Virtualization virsh c gemu system restore web_devel 022708 state To shutdown a virtual machine do virsh c gemu system shutdown web_devel e A CDROM device can be mounted in a virtual machine by entering virsh c gemu system attach disk web_devel dev cdrom media cdrom ba In the above examples replace web_devel with the appropriate virtual machine name and web_devel 022708 state with a descriptive file name 1 5 2 Virtual Machine Manager The virt manager package contains a graphical utility to manage local and remote virtual machines To install virt manager enter sudo apt get install virt manager Since virt manager requires a Graphical User Interface GUI environment it is recommended to be installed on a workstation or test machine instead of a production server To connect to the local libvirt service enter virt manager c qemu system You can connect to the libvirt service running on another host by entering the following in a terminal prompt virt manager c qemu ssh virtnodel mydomain com system fy The above example assumes that SSH connectivity between the management system and virtnodel
94. to be the Fully Qualified Domain Name FQDN of the server Change backupserver to the actual host name Also make sure the Password directive matches the password string in etc bacula bacula sd conf Create a new FileSet which will determine what directories to backup by adding LocalhostBacup FileSet FileSet Name LocalhostFiles Include Options signature MD5 compression GZIP File etc File home 304 Backups This FileSet will backup the etc and home directories The Options resource directives configure the FileSet to create an MDS signature for each file backed up and to compress the files using GZIP Next create a new Schedule for the backup job LocalhostBackup Schedule Daily Schedule Name LocalhostDaily Run Full daily at 00 01 The job will run every day at 00 01 or 12 01 am There are many other scheduling options available Finally create the Job Localhost backup Job Name LocalhostBackup JobDefs DefaultJob Enabled yes Level Full FileSet LocalhostFiles Schedule LocalhostDaily Storage TapeDrive Write Bootstrap var lib bacula LocalhostBackup bsr The job will do a Full backup every day to the tape drive Each tape used will need to have a Label If the current tape does not have a label Bacula will send an email letting you know To label a tape using the Console enter the following from a terminal bconsole At
95. to connect using FTPS The Iftp command line FTP client has the ability to use FTPS as well 1 5 References e See the vsftpd website for more information e For detailed etc vsftpd conf options see the vsftpd conf man page http vsftpd beasts org vsftpd_conf html 2 http manpages ubuntu com manpages precise en manS5 vsftpd conf 5 html 225 File Servers 2 Network File System NFS NFS allows a system to share directories and files with others over a network By using NFS users and programs can access files on remote systems almost as if they were local files Some of the most notable benefits that NFS can provide are e Local workstations use less disk space because commonly used data can be stored on a single machine and still remain accessible to others over the network e There is no need for users to have separate home directories on every network machine Home directories could be set up on the NFS server and made available throughout the network e Storage devices such as floppy disks CDROM drives and USB Thumb drives can be used by other machines on the network This may reduce the number of removable media drives throughout the network 2 1 Installation At a terminal prompt enter the following command to install the NFS Server sudo apt get install nfs kernel server 2 2 Configuration You can configure the directories to be exported by adding them to the etc exports file For
96. to the private IP address that made the request which is impossible over the Internet Linux uses Connection Tracking conntrack to keep track of which connections belong to which machines and reroute each return packet accordingly Traffic leaving your private network is thus masqueraded as having originated from your Ubuntu gateway machine This process is referred to in Microsoft documentation as Internet Connection Sharing 162 Security 3 3 1 ufw Masquerading IP Masquerading can be achieved using custom ufw rules This is possible because the current back end for ufw is iptables restore with the rules files located in etc ufw rules These files are a great place to add legacy iptables rules used without ufw and rules that are more network gateway or bridge related The rules are split into two different files rules that should be executed before ufw command line rules and rules that are executed after ufw command line rules e First packet forwarding needs to be enabled in ufw Two configuration files will need to be adjusted in etc default ufw change the DEFAULT_FORWARD_POLICY to ACCEPT DEFAULT_FORWARD_POLICY ACCEPT Then edit etc ufw sysctl conf and uncomment net ipv4 ip_forward 1 Similarly for IPv6 forwarding uncomment net ipv6 conf default forwarding 1 e Now we will add rules to the etc ufw before rules file The default rules only configure the filter table and to enable masqueradin
97. try to establish your VPN 1 7 2 OpenVPN with GUI for Mac OS X Tunnelblick Tunnelblick is an excellent free open source implementation of a GUI for OpenVPN for OS X The project s homepage is at http code google com p tunnelblick Download the latest OS X installer from there and install it Then put your client ovpn config file together with the certificates and keys in Users username Library Application Support Tunnelblick Configurations and lauch Tunnelblick from your Application folder sample client ovpn for Tunnelblick client remote blue example com port 1194 proto udp dev tun dev type tun WS Ceri type server reneg sec 86400 auth user pass auth nocache auth retry interact comp lzo yes verb 3 Cau C CPE cert client crt key client key 375 VPN 1 7 3 OpenVPN with GUI for Win 7 First download and install the latest OpenVPN Windows Installer OpenVPN 2 2 1 was the latest when this was written Additionally download an alternative Open VPN Windows GUI The OpenVPN MI GUI from http openvpn mi gui inside security de seems to be a nice one for Windows 7 Download the latest version 20110624 was the latest version when this was written You need to start the OpenVPN service Goto Start gt Computer gt Manage gt Services and Applications gt Services Find the OpenVPN service and start it Set it s startup type to automatic When you start the OpenVPN MI GUI the first time you
98. ubuntu com community The most common protocol used to transfer Web pages is the Hyper Text Transfer Protocol HTTP Protocols such as Hyper Text Transfer Protocol over Secure Sockets Layer HTTPS and File Transfer Protocol FTP a protocol for uploading and downloading files are also supported Apache Web Servers are often used in combination with the MySQL database engine the HyperText Preprocessor PHP scripting language and other popular scripting languages such as Python and Perl This configuration is termed LAMP Linux Apache MySQL and Perl Python PHP and forms a powerful and robust platform for the development and deployment of Web based applications 1 1 Installation The Apache2 web server is available in Ubuntu Linux To install Apache2 e Ata terminal prompt enter the following command sudo apt get install apache2 1 2 Configuration Apache is configured by placing directives in plain text configuration files These directives are separated between the following files and directories e apache2 conf the main Apache configuration file Contains settings that are global to Apache 2 e conf d contains configuration files which apply globally to Apache2 Other packages that use Apache2 to serve content may add files or symlinks to this directory e envvars file where Apache2 environment variables are set http www ubuntu com 2 http www ubuntu com community 187 Web Servers e h
99. use such as the Level3 Verizon servers with IP addresses from 4 2 2 1 to 4 2 2 6 The IP address Netmask Network Address Broadcast Address and Gateway Address are typically specified via the appropriate directives in the file etc network interfaces The Nameserver Addresses are typically specified via nameserver directives in the file etc resolv conf For more information view the system manual page for interfaces OF resolv conf respectively with the following commands typed at a terminal prompt Access the system manual page for interfaces with the following command man interfaces Access the system manual page for resolv conf with the following command man resolv conf 43 Networking 2 3 IP Routing IP routing is a means of specifying and discovering paths in a TCP IP network along which network data may be sent Routing uses a set of routing tables to direct the forwarding of network data packets from their source to the destination often via many intermediary network nodes known as routers There are two primary forms of IP routing Static Routing and Dynamic Routing Static routing involves manually adding IP routes to the system s routing table and this is usually done by manipulating the routing table with the route command Static routing enjoys many advantages over dynamic routing such as simplicity of implementation on smaller networks predictability the routing table is always computed in adva
100. v after the entry For example edit the smtp entry smtp unix smtp v bA It is important to note that after making one of the logging changes above the Postfix process will need to be reloaded in order to recognize the new configuration sudo etc init d postfix reload e To increase the amount of information logged when troubleshooting SASL issues you can set the following options in etc dovecot dovecot conf auth_debug yes auth_debug_passwords yes Just like Postfix if you change a Dovecot configuration the process will need to be reloaded sudo etc init d dovecot reload bJ Some of the options above can drastically increase the amount of information sent to the log files Remember to return the log level back to normal after you have corrected the problem Then reload the appropriate daemon for the new configuration to take affect 1 7 3 References Administering a Postfix server can be a very complicated task At some point you may need to turn to the Ubuntu community for more experienced help 240 Email Services A great place to ask for Postfix assistance and get involved with the Ubuntu Server community is the ubuntu server IRC channel on freenode You can also post a message to one of the Web Forums For in depth Postfix information Ubuntu developers highly recommend The Book of Postfix Finally the Postfix website also has great documentation on all the different configuration op
101. you might sudo lxc create t sshd n sshl ssh keygen f id sudo mkdir var lib 1xc ssh1 rootfs root ssh sudo cp id pub var 1lib 1xc ssh1 rootfs root ssh authorized_keys sudo lxc start n sshl d ssh i id root sshl 5 3 1 5 Backing Stores By default Ixc create places the container s root filesystem as a directory tree at var lib 1xc CN rootfs Another option is to use LVM logical volumes If a volume group named xc exists you can create an lvm backed container called CN using sudo lxc create t ubuntu n CN B lvm If you want to use a volume group named schroots with a 5G xfs filesystem then you would use sudo lxc create t ubuntu n CN B lvm vgname schroots fssize 5G fstype xfs 5 3 2 Cloning For rapid provisioning you may wish to customize a canonical container according to your needs and then make multiple copies of it This can be done with the Ixc clone program Given an existing container called C1 a new container called C2 can be created using sudo lxc clone o C1 n C2 347 Virtualization If var lib 1xc is a btrfs filesystem then Ixc clone will create C2 s filesystem as a snapshot of C1 s If the container s root filesystem is lvm backed then you can specify the s option to create the new rootfs as alvm snapshot of the original as follows sudo lxc clone s o Cl n C2 Both lvm and btrfs snapshots will provide fast cloning with very small initial disk usage 5 3 3 Starting
102. 0 Email Services require_files MM_HOME lists local_part config pck local_part_suffix_optional local_part_suffix bounces bouncest confirm join leave owner request admin transport mailman_transport The order of main and transport configuration files can be in any order But the order of router configuration files must be the same This particular file must appear before the 200_exim4 config_primary file These two configuration files contain same type of information The first file takes the precedence For more details please refer to the references section 4 2 7 Mailman Once mailman is installed you can run it using the following command sudo etc init d mailman start Once mailman is installed you should create the default mailing list Run the following command to create the mailing list sudo usr sbin newlist mailman Enter the email address of the person running the list bhuvan at ubuntu com Initial mailman password To finish creating your mailing list you must edit your etc aliases or equivalent file by adding the following lines and possibly running the newaliases program mailman mailing list mailman var lib mailman mail mailman post mailman mailman admin var lib mailman mail mailman admin mailman mailman bounces var lib mailman mail mailman bounces mailman mailman confirm var lib mailman mail mailman confirm mailman
103. 0 Monitoring 178 Monitoring 1 Overview The monitoring of essential servers and services is an important part of system administration Most network services are monitored for performance availability or both This section will cover installation and configuration of Nagios for availability monitoring and Munin for performance monitoring The examples in this section will use two servers with hostnames server0 and server02 Server01 will be configured with Nagios to monitor services on itself and server02 Server01 will also be setup with the munin package to gather information from the network Using the munin node package server02 will be configured to send information to server0 Hopefully these simple examples will allow you to monitor additional servers and services on your network 179 Monitoring 2 Nagios 2 1 Installation First on serverO install the nagios package In a terminal enter sudo apt get install nagios3 nagios nrpe plugin You will be asked to enter a password for the nagiosadmin user The user s credentials are stored in etc nagios3 htpasswd users To change the nagiosadmin password or add additional users to the Nagios CGI scripts use the htpasswd that is part of the apache2 utils package For example to change the password for the nagiosadmin user enter sudo htpasswd etc nagios3 htpasswd users nagiosadmin To add a user sudo htpasswd etc nagios3 htpasswd user
104. 0 0 etho 0 0 0 0 10 0 0 1 0 0 0 0 UG 0 0 0 etho If you require DNS for your temporary network configuration you can add DNS server IP addresses in the file etc resolv conf The example below shows how to enter two DNS servers to etc 35 Networking resolv conf which should be changed to servers appropriate for your network A more lengthy description of DNS client configuration is in a following section nameserver 8 8 8 8 nameserver 8 8 4 4 If you no longer need this configuration and wish to purge all IP configuration from an interface you can use the ip command with the flush option as shown below ip addr flush eth0 fy Flushing the IP configuration using the ip command does not clear the contents of etc resolv conf You must remove or modify those entries manually 1 2 2 Dynamic IP Address Assignment DHCP Client To configure your server to use DHCP for dynamic address assignment add the dhcp method to the inet address family statement for the appropriate interface in the file etc network interfaces The example below assumes you are configuring your first Ethernet interface identified as eth0 auto eth0 iface ethO inet dhcp By adding an interface configuration as shown above you can manually enable the interface through the ifup command which initiates the DHCP process via dhclient sudo ifup eth0 To manually disable the interface you can use the ifdown command which in turn will initiate the D
105. 0 000 000000 modifiersName cn config modifyTimestamp 201108291654352 Your attribute values will vary Finally use Idapadd to add the new schema to the slapd config DIT sudo ldapadd Q Y EXTERNAL H ldapi f cn corba 1ldif adding new entry cn corba cn schema cn config Confirm currently loaded schemas sudo ldapsearch Q LLL Y EXTERNAL H ldapi b cn schema cn config dn dn cn schema cn config dn cn 0 core cn schema cn config dn cn 1 cosine cn schema cn config dn cn 2 nis cn schema cn config dn cn 3 inetorgperson cn schema cn config dn cn 4 corba cn schema cn config For external applications and clients to authenticate using LDAP they will each need to be specifically configured to do so Refer to the appropriate client side documentation for details 98 Network Authentication 1 5 Logging Activity logging for slapd is indispensible when implementing an OpenLDAP based solution yet it must be manually enabled after software installation Otherwise only rudimentary messages will appear in the logs Logging like any other slapd configuration is enabled via the slapd config database OpenLDAP comes with multiple logging subsystems levels with each one containing the lower one additive A good level to try is stats The slapd config man page has more to say on the different subsystems Create the file logging 1dif with the following contents dn cn
106. 0 2 7788 362 Clustering meta disk internal fy There are many other options in etc drbd conf but for this example their default values are fine e Now copy etc drbd conf to the second host scp etc drbd conf drbd02 e And on drbd02 move the file to etc sudo mv drbd conf etc e Now using the drbdadm utility initialize the meta data storage On each server execute sudo drbdadm create md r0 e Next on both hosts start the drbd daemon sudo etc init d drbd start e On the drbd01 or whichever host you wish to be the primary enter the following sudo drbdadm overwrite data of peer primary all e After executing the above command the data will start syncing with the secondary host To watch the progress on drbd02 enter the following watch n1 cat proc drbd To stop watching the output press Ctrl c e Finally add a filesystem to dev drbdo and mount it sudo mkfs ext3 dev drbd0 sudo mount dev drbd0 srv 1 2 Testing To test that the data is actually syncing between the hosts copy some files on the drbd01 the primary to srv sudo cp r etc default srv Next unmount srv sudo umount srv 363 Clustering Demote the primary server to the secondary role sudo drbdadm secondary r0 Now on the secondary server promote it to the primary role sudo drbdadm primary r0 Lastly mount the partition sudo mount dev drbd0 srv Using Js you should see srv
107. 168 1 254 as the default gateway and 192 168 1 1 and 192 168 1 2 as its DNS servers After changing the config file you have to restart the dhcpd 47 Networking sudo etc init d isc dhcp server restart 3 3 References The dhcp3 server Ubuntu Wiki page has more information e For more etc dhcp dhcpd conf options see the dhcpd conf man page e ISC dhcp server 13 https help ubuntu com community dhcp3 server 14 http manpages ubuntu com manpages precise en man5 dhcpd conf 5 html 13 http www isc org software dhcp 48 Networking 4 Time Synchronisation with NTP NTP is a TCP IP protocol for synchronising time over a network Basically a client requests the current time from a server and uses it to set its own clock Behind this simple description there is a lot of complexity there are tiers of NTP servers with the tier one NTP servers connected to atomic clocks and tier two and three servers spreading the load of actually handling requests across the Internet Also the client software is a lot more complex than you might think it has to factor out communication delays and adjust the time in a way that does not upset all the other processes that run on the server But luckily all that complexity is hidden from you Ubuntu uses ntpdate and ntpd 4 1 ntpdate Ubuntu comes with ntpdate as standard and will run it once at boot time to set up your time according to Ubuntu s NTP server
108. 1xc CN config To make that container auto start use the command sudo ln s var lib 1xc CN config etc 1xc auto CN conf 5 3 Container Administration 5 3 1 Creating Containers The easiest way to create containers is using Ixc create This script uses distribution specific templates under usr 1lib 1xc templates to set up container friendly chroots under var lib lxc CN root fs and initialize the configuration in var lib 1xc CN fstab and var lib 1xc CN config where CN is the container name The simplest container creation command would look like sudo lxc create t ubuntu n CN This tells lxc create to use the ubuntu template t ubuntu and to call the container CN n CN Since no configuration file was specified which would have been done with f file it will use the default configuration file under etc 1xc 1xc conf This gives the container a single veth network interface attached to the lxcbr0 bridge 344 Virtualization The container creation templates can also accept arguments These can be listed after For instance sudo lxc create t ubuntu n oneiricl r oneiric passes the arguments r oneiricl to the ubuntu template 5 3 1 1 Help Help on the lxc create command can be seen by using Ixc create h However the templates also take their own options If you do sudo lxc create t ubuntu h then the general Ixc create help will be followed by help output specific to the ubuntu t
109. 2 2 UU unused devices lt none gt The following command is great for watching the status of a syncing drive watch n1 cat proc mdstat Press Ctrl c to stop the watch command If you do need to replace a faulty drive after the drive has been replaced and synced grub will need to be installed To install grub on the new drive enter the following sudo grub install dev md0 Replace dev mdo with the appropriate array device name 4 1 6 Resources The topic of RAID arrays is a complex one due to the plethora of ways RAID can be configured Please see the following links for more information Ubuntu Wiki Articles on RAIDE 6 https help ubuntu com community Installation raid 13 Installation e Software RAID HOWTO e Managing RAID on Linux 4 2 Logical Volume Manager LVM Logical Volume Manger or LVM allows administrators to create logical volumes out of one or multiple physical hard disks LVM volumes can be created on both software RAID partitions and standard partitions residing on a single disk Volumes can also be extended giving greater flexibility to systems as requirements change 4 2 1 Overview A side effect of LVM s power and flexibility is a greater degree of complication Before diving into the LVM installation process it is best to get familiar with some terms e Physical Volume PV physical hard disk disk partition or software RAID partition formatted as LVM PV e Vo
110. 2 Web Server p 187 First on serverO install munin In a terminal enter sudo apt get install munin Now on server02 install the munin node package sudo apt get install munin node 3 2 Configuration On server0 1 edit the etc munin munin conf adding the IP address for server02 First our normal host server02 address 172 18 100 101 fy Replace server02 and 172 18 100 101 with the actual hostname and IP address for your server Next configure munin node on server02 Edit etc munin munin node conf to allow access by serverOl allow 172 18 100 100 fe Replace 72 18 00 100 with IP address for your munin server Now restart munin node on server02 for the changes to take effect sudo etc init d munin node restart Finally in a browser go to http server01 munin and you should see links to nice graphs displaying information from the standard munin plugins for disk network processes and system bJ Since this is a new install it may take some time for the graphs to display anything useful 184 Monitoring 3 3 Additional Plugins The munin plugins extra package contains performance checks additional services such as DNS DHCP Samba etc To install the package from a terminal enter sudo apt get install munin plugins extra Be sure to install the package on both the server and node machines 3 4 References e See the Munin website for more details e Spe
111. 2007 the Linux Samba OpenLDAP HOWTO contains valuable notes of http manpages ubuntu com manpages en man8 smbldap groupadd 8 html 38 http manpages ubuntu com manpages en man8 smbldap groupdel 8 html 32 http manpages ubuntu com manpages en man8 smbldap groupmod 8 html 49 http manpages ubuntu com manpages en man8 smbldap groupshow 8 html al http manpages ubuntu com manpages en man8 smbldap passwd 8 html Me http manpages ubuntu com manpages en man8 smbldap populate 8 html 3 http manpages ubuntu com manpages en man8 smbldap useradd 8 html a http manpages ubuntu com manpages en man8 smbldap userdel 8 html B http manpages ubuntu com manpages en man8 smbldap userinfo 8 html 40 http manpages ubuntu com manpages en man8 smbldap userlist 8 html oil http manpages ubuntu com manpages en man8 smbldap usermod 8 html a8 http manpages ubuntu com manpages en man8 smbldap usershow 8 html ao http samba org samba docs man Samba HOWTO Collection 3 http samba org samba docs man Samba HOWTO Collection passdb html gt http download gna org smbldap tools docs samba Idap howto 122 Network Authentication e The main page of the Samba Ubuntu community documentation has a plethora of links to articles that may prove useful 32 https help ubuntu com community Samba samba ldap 123 Network Authentication 3 Kerberos Kerberos is a network authentication system based on the principal of a trusted third party T
112. 24 outfile etc ssl private ldap01_slapd_key pem ba Replace dapO in the filename with your server s hostname Naming the certificate and key for the host and service that will be using them will help keep things clear Create the etc ss1 1dap01 info info file containing organization Example Company cn ldap01l example com tls_www_server encryption_key signing_key expiration_days 3650 The above certificate is good for 10 years Adjust accordingly Create the server s certificate sudo certtool generate certificate load privkey etc ssl private ldap01_slapd_key pem load ca certificate etc ssl certs cacert pem load ca privkey etc ssl private cakey pem template etc ssl ldap01 info outfile etc ssl certs ldap01_slapd_cert pem Create the file certinfo 1dif with the following contents adjust accordingly our example assumes we created certs using https www cacert org cn config olcTLSCACertificateFile 106 Network Authentication olcTLSCACertificateFile etc ssl certs cacert pem add olcTLSCertificateFile olcTLSCertificateFile etc ssl certs ldap01_slapd_cert pem add olcTLSCertificateKeyFile olcTLSCertificateKeyFile etc ssl private ldap0l_slapd_key pem Use the ldapmodify command to tell slapd about our TLS work via the slapd config database sudo ldapmodify Y EXTERNAL H ldapi f etc ssl certinfo 1ldif Contratry to popular belief you do not need daps
113. 4 Networking Networks consist of two or more devices such as computer systems printers and related equipment which are connected by either physical cabling or wireless links for the purpose of sharing and distributing information among the connected devices This section provides general and specific information pertaining to networking including an overview of network concepts and detailed discussion of popular network protocols 32 Networking 1 Network Configuration Ubuntu ships with a number of graphical utilities to configure your network devices This document is geared toward server administrators and will focus on managing your network on the command line 1 1 Ethernet Interfaces Ethernet interfaces are identified by the system using the naming convention of ethX where X represents a numeric value The first Ethernet interface is typically identified as eth0 the second as eth and all others should move up in numerical order 1 1 1 Identify Ethernet Interfaces To quickly identify all available Ethernet interfaces you can use the ifconfig command as shown below ifconfig a grep eth etho Link encap Ethernet HWaddr 00 15 c5 4a 16 5a Another application that can help identify all network interfaces available to your system is the lshw command In the example below Ishw shows a single Ethernet interface with the logical name of eth0 along with bus information driver details and all support
114. 5 Network Authentication daemon If you need to reconfigure Kerberos from scratch perhaps to change the realm name you can do so by typing sudo dpkg reconfigure krb5 kdc 1 Once the KDC is properly running an admin user the admin principal is needed It is recommended to use a different username from your everyday username Using the kadmin local utility in a terminal prompt enter sudo kadmin local Authenticating as principal root admin EXAMPLE COM with password kadmin local addprinc steve admin WARNING no policy specified for steve admin EXAMPLE COM defaulting to no policy Enter password for principal steve admin EXAMPLE COM Re enter password for principal steve admin EXAMPLE COM Principal steve admin EXAMPLE COM created kadmin local quit In the above example steve is the Principal admin is an Instance and EXAMPLE COM signifies the realm The every day Principal a k a the user principal would be steve EXAMPLE COM and should have only normal user rights Replace EXAMPLE COM and steve with your Realm and admin username 2 Next the new admin user needs to have the appropriate Access Control List ACL permissions The permissions are configured in the etc krb5kdc kadm5 acl file steve admin EXAMPLE COM This entry grants steve admin the ability to perform any operation on all principals in the realm You can configure principals w
115. 8 Network Authentication sudo apt get install ssl cert sudo adduser openldap ssl cert sudo cp ldap02_slapd_cert pem cacert pem etc ssl certs sudo cp ldap02_slapd_key pem etc ssl private sudo chgrp ssl cert etc ssl private ldap02_slapd_key pem sudo chmod gtr etc ssl private ldap02_slapd_key pem sudo chmod o r etc ssl private ldap02_slapd_key pem Create the file etc ssl certinfo 1ldif with the following contents adjust accordingly dn cn config add olcTLSCACertificateFile olcTLSCACertificateFile etc ssl certs cacert pem add olcTLSCertificateFile olcTLSCertificateFile etc ssl certs ldap02_slapd_cert pem add olcTLSCertificateKeyFile olcTLSCertificateKeyFile etc ssl private ldap02_slapd_key pem Configure the slapd config database sudo ldapmodify Y EXTERNAL H ldapi f certinfo ldif Configure etc default slapd as on the Provider SLAPD_SERVICES On the Consumer Configure TLS for Consumer side replication Modify the existing olcSyncrepl attribute by tacking on some TLS options In so doing we will see for the first time how to change an attribute s value s Create the file consumer_sync_tls 1dif with the following contents dn olcDatabase 1 hdb cn config replace olcSyncRepl olcSyncRepl rid 0 provider ldap ldap0l example com bindmethod simple binddn cn admin dc example dc com credentials secret searchbase dc example dc com logbase cn accesslog logfilter
116. Config olcOverlay syncprov olcSpNoPresent TRUE accesslog overlay definitions for primary db dn olcOverlay accesslog olcDatabase 1 hdb cn config objectClass olcOverlayConfig objectClass olcAccessLogConfig olcOverlay accesslog olcAccessLogDB cn accesslog olcAccessLogOps writes olcAccessLogSuccess TRUE scan the accesslog DB every day and purg ntries older than 7 days olcAccessLogPurge 07 00 00 01 00 00 Change the rootDN in the LDIF file to match the one you have for your directory 2 The apparmor profile for slapd will need to be adjusted for the accesslog database location Edit etc apparmor d local usr sbin slapd by adding the following var lib ldap accesslog r var lib ldap accesslog rwk Create a directory set up a databse config file and reload the apparmor profile sudo u openldap mkdir var lib ldap accesslog sudo u openldap cp var lib ldap DB_CONFIG var lib ldap accesslog sudo service apparmor reload 3 Add the new content and due to the apparmor change restart the daemon sudo ldapadd Q Y EXTERNAL H ldapi f provider_sync 1ldif sudo service slapd restart The Provider is now configured 1 6 2 Consumer Configuration And now configure the Consumer 1 Install the software by going through Section 1 1 Installation p 92 Make sure the slapd config databse is identical to the Provider s In particular make sure schemas and the databse suff
117. Deconfiguring network interfaces done Deactivating swap jes fait umount run lock not mounted umount dev shm not mounted mount is busy Will now halt A container can be frozen with sudo Ixc freeze n CN This will block all its processes until the container is later unfrozen using sudo Ixc unfreeze n CN 5 3 4 Monitoring container status Two commands are available to monitor container state changes Ixc monitor monitors one or more containers for any state changes It takes a container name as usual with the n option but in this case the container name can be a posix regular expression to allow monitoring desirable sets of containers Ixc monitor continues running as it prints container changes lxc wait waits for a specific state change and then exits For instance sudo lxc monitor n cont 0 5 would print all state changes to any containers matching the listed regular expression whereas 349 Virtualization sudo lxc wait n cont1 s STOPPED FROZEN will wait until container cont enters state STOPPED or state FROZEN and then exit 5 3 5 Consoles Containers have a configurable number of consoles One always exists on the container s dev console This is shown on the terminal from which you ran Ixe start unless the d option is specified The output on dev console can be redirected to a file using the c console file option to Ixc start The number of extra consoles is specified by the I
118. FS Howto 3 http nfs sourceforge net j https help ubuntu com community NFSv4Howto 227 File Servers 3 iSCSI Initiator iSCSI Internet Small Computer System Interface is a protocol that allows SCSI commands to be transmitted over a network Typically iSCSI is implemented in a SAN Storage Area Network to allow servers to access a large store of hard drive space The iSCSI protocol refers to clients as initiators and iSCSI servers as targets Ubuntu Server can be configured as both an iSCSI iniator and a target This guide provides commands and configuration options to setup an iSCSI initiator It is assumed that you already have an iSCSI target on your local network and have the appropriate rights to connect to it The instructions for setting up a target vary greatly between hardware providers so consult your vendor documentation to configure your specific iSCSI target 3 1 iSCSI Initiator Install To configure Ubuntu Server as an iSCSI initiator install the open iscsi package In a terminal enter sudo apt get install open iscsi 3 2 iSCSI Initiator Configuration Once the open iscsi package is installed edit etc iscsi iscsid conf changing the following node startup automatic You can check which targets are available by using the iscsiadm utility Enter the following in a terminal sudo iscsiadm m discovery t st p 192 168 0 10 m determines the mode that iscsiadm executes in e t sp
119. HCP release process and shut down the interface sudo ifdown eth0 1 2 3 Static IP Address Assignment To configure your system to use a static IP address assignment add the static method to the inet address family statement for the appropriate interface in the file etc network interfaces The example below assumes you are configuring your first Ethernet interface identified as ethO Change the address netmask and gateway values to meet the requirements of your network auto eth0 iface ethO inet static address 10 0 0 100 netmask 255 255 255 0 gateway 10 0 0 1 36 Networking By adding an interface configuration as shown above you can manually enable the interface through the ifup command sudo ifup eth0 To manually disable the interface you can use the ifdown command sudo ifdown eth0 1 2 4 Loopback Interface The loopback interface is identified by the system as o and has a default IP address of 127 0 0 1 It can be viewed using the ifconfig command ifconfig lo lo Link encap Local Loopback inet addr 127 0 0 1 Mask 255 0 0 0 inet6 addr 1 128 Scope Host UP LOOPBACK RUNNING MTU 16436 Metric 1 RX packets 2718 errors 0 dropped 0 overruns 0 frame 0 TX packets 2718 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 0 RX bytes 183308 183 3 KB TX bytes 183308 183 3 KB By default there should be two lines in etc network interfaces responsible for automatically configuring your loopbac
120. HOWTO html 2 http www bind9 net 3 http www oreilly com catalog dns5 index html a http freenode net 3 https help ubuntu com community BIND9ServerHowto 151 Chapter 9 Security Security should always be considered when installing deploying and using any type of computer system Although a fresh installation of Ubuntu is relatively safe for immediate use on the Internet it is important to have a balanced understanding of your systems security posture based on how it will be used after deployment This chapter provides an overview of security related topics as they pertain to Ubuntu 12 04 LTS Server Edition and outlines simple measures you may use to protect your server and network from any number of potential security threats 152 Security 1 User Management User management is a critical part of maintaining a secure system Ineffective user and privilege management often lead many systems into being compromised Therefore it is important that you understand how you can protect your server through simple and effective user account management techniques 1 1 Where is root Ubuntu developers made a conscientious decision to disable the administrative root account by default in all Ubuntu installations This does not mean that the root account has been deleted or that it may not be accessed It merely has been given a password which matches no possible encrypted value therefore may not log in directl
121. HTTP protocol over SSL This allows a way to encrypt traffic using a protocol that does not itself provide encryption A Certificate is a method used to distribute a public key and other information about a server and the organization who is responsible for it Certificates can be digitally signed by a Certification Authority or CA A CA is a trusted third party that has confirmed that the information contained in the certificate is accurate 5 1 Types of Certificates To set up a secure server using public key cryptography in most cases you send your certificate request including your public key proof of your company s identity and payment to a CA The CA verifies the certificate request and your identity and then sends back a certificate for your secure server Alternatively you can create your own self signed certificate fy Note that self signed certificates should not be used in most production environments Continuing the HTTPS example a CA signed certificate provides two important capabilities that a self signed certificate does not e Browsers usually automatically recognize the certificate and allow a secure connection to be made without prompting the user e When a CA issues a signed certificate it is guaranteeing the identity of the organization that is providing the web pages to the browser Most Web browsers and computers that support SSL have a list of CAs whose certificates they automatically acce
122. IF files mkdir tmp ldif_output Now use slapcat to convert the schema files slapcat f schema_convert conf F tmp ldif_output n0 s cn 12 kerberos cn schema cn config gt tmp cn kerberos 1ldif Change the above file and path names to match your own if they are different Edit the generated tmp cn kerberos 1dif file changing the following attributes dn cn kerberos cn schema cn config cn kerberos And remove the following lines from the end of the file structuralObjectClass olcSchemaConfig entryUUID 18ccd010 746b 102d 9fbe 3760cca765dc creatorsName cn config createTimestamp 200901112035152 entryCSN 20090111203515 326445Z2 000000 000 000000 modifiersName cn config modifyTimestamp 200901112035152 The attribute values will vary just be sure the attributes are removed Load the new schema with Idapadd ldapadd x D cn admin cn config W f tmp cn kerberos 1ldif Add an index for the krbSprincipalname attribute ldapmodify x D cn admin cn config W Enter LDAP Password dn olcDatabase 1 hdb cn config add olcDbIndex olcDbIndex krbPrincipalName eq pres sub 133 Network Authentication modifying entry olcDatabase 1 hdb cn config 7 Finally update the Access Control Lists ACL ldapmodify x D cn admin cn config W Enter LDAP Password dn olcDatabase 1 hdb cn config replace olcAccess olcAccess to attrs userPassword shadowLastChange krbPrincipalK
123. LAMP server a DNS server as well simply insert the installation CD and from a terminal sudo tasksel install dns server Installation 3 Upgrading There are several ways to upgrade from one Ubuntu release to another This section gives an overview of the recommended upgrade method 3 1 do release upgrade The recommended way to upgrade a Server Edition installation is to use the do release upgrade utility Part of the update manager core package it does not have any graphical dependencies and is installed by default Debian based systems can also be upgraded by using apt get dist upgrade However using do release upgrade is recommended because it has the ability to handle system configuration changes sometimes needed between releases To upgrade to a newer release from a terminal prompt enter do release upgrade It is also possible to use do release upgrade to upgrade to a development version of Ubuntu To accomplish this use the d switch do release upgrade d Upgrading to a development release is not recommended for production environments Installation 4 Advanced Installation 4 1 Software RAID Redundant Array of Independent Disks RAID is a method of using multiple disks to provide different balances of increasing data reliability and or increasing input output performance depending on the RAID level being used RAID is implemented in either software where the operating system kn
124. LTS Server Edition CD and assumes a basic network topology with a single system serving as the all in one cloud infrastructure Due to the tutorial s simplicity the instructions as is are not intended to set up production servers although it allows you to have a POC proof of concept of the Ubuntu Cloud using OpenStack 4 2 Prerequisites To deploy a minimal Ubuntu Cloud infrastructure you ll need at least e One dedicated system e Two network address ranges private network and public network e Make sure the host in question supports VT Virtualization Technology since we will be using KVM as the virtualization technology Other hypervisors are also supported such as QEMU UML Vmware ESX ESXi and XEN LXC Linux Containers is also supported through libvirt Check if your system supports kvm issuing sudo kvm ok in a linux terminal The Minimum Topology recommended for production use is using three nodes One master server running nova services except compute and two servers running nova compute This setup is not redundant and the master server is a SPoF Single Point of Failure 4 3 Preconfiguring the network Before we start installing OpenStack we need to make sure we have bridging support installed a MySQL database and a central time server ntp This will assure that we have instantiated machines and hosts in sync In this example the private network will be in the 10 0 0 0 24 range on eth1 Al
125. LUE IP net address default X X X 0 e bcast VALUE IP broadcast default X X X 255 315 Virtualization e gw ADDRESS Gateway address default X X X 1 e dns ADDRESS Name server address default X X X 1 We assume for now that default values are good enough so the resulting invocation becomes sudo vmbuilder kvm ubuntu suite precise flavour virtual arch i386 o libvirt qemu system ip 192 168 0 100 hostname myvm 2 3 2 1 2 Bridging Because our appliance will be likely to need to be accessed by remote hosts we need to configure libvirt so that the appliance uses bridge networking To do this add the bridge option to the command sudo vmbuilder kvm ubuntu suite precise flavour virtual arch i386 o libvirt qemu system ip 192 168 0 100 hostname myvm bridge br0 bJ You will need to have previously setup a bridge interface see Section 1 4 Bridging p 39 for more information Also if the interface name is different change brO to the actual bridge interface 2 3 2 2 Partitioning Partitioning of the virtual appliance will have to take into consideration what you are planning to do with is Because most appliances want to have a separate storage for data having a separate var would make sense In order to do this vmbuilder provides us with part part PATH Allows you to specify a partition table in a partition file located at PATH Each line of the partition fi
126. LUN that is for which all the paths are unavailable For example if you want to change the policy on the multipath device mpathc from queue_if_no_path to fail_if_no_path execute the following command dmsetup message mpathc 0 fail_if_no_path J You must specify the mpathn alias rather than the path 5 6 Multipath Command Output When you create modify or list a multipath device you get a printout of the current device setup The format is as follows For each multipath device action_if_any alias wwid_if_different_from_alias dm_device_name_if_known vendor product size size features features hwhandler hardware_handler wp write_permission_if_known For each path group policy scheduling_policy prio prio_if_known status path_group_status_if_known For each path host channel id lun devnode major minor dm_status_if_known path_status online_status For example the output of a multipath command might appear as follows 3600d0230000000000e13955cc3757800 dm 1 WINSYS SF2372 size 269G features 0 hwhandler 0 wp rw policy round robin 0 prio 1 status active 6 0 0 0 sdb 8 16 active ready running policy round robin 0 prio 1 status enabled 75 DM Multipath 7 0 0 0 sdf 8 80 active ready running If the path is up and ready for I O the status of the path is ready or ghost If the path is down the status is faulty or shaky The path stat
127. Locate the line listen_addresses localhost and change it to listen_addresses localhost fy To allow other computers to connect to your PostgreSQL server replace localhost with the IP Address of your server or alternatively to 0 0 0 0 to bind to all interfaces You may also edit all other parameters if you know what you are doing For details refer to the configuration file or to the PostgreSQL documentation Now that we can connect to our PostgreSQL server the next step is to set a password for the postgres user Run the following command at a terminal prompt to connect to the default PostgreSQL template database 8 http www postgresql org docs 8 4 static admin html 211 Databases sudo u postgres psql templatel The above command connects to PostgreSQL database template as user postgres Once you connect to the PostgreSQL server you will be at a SQL prompt You can run the following SQL command at the psql prompt to configure the password for the user postgres ALTER USER postgres with encrypted password your_password After configuring the password edit the file etc postgresql 8 4 main pg_hba conf to use MD5 authentication with the postgres user local all postgres md5 Finally you should restart the PostgreSQL service to initialize the new configuration From a terminal prompt enter the following to restart PostgreSQL sudo etc init d postgresql 8 4 restart The above configuration i
128. Logical partition Then change Use as to physical volume for LVM then Done setting up the partition i http www faqs org docs Linux HOWTO Software RAID HOWTO html 8 http oreilly com catalog 978 1565927308 14 Installation 6 Now select Configure the Logical Volume Manager at the top and choose Yes to write the changes to disk 7 For the LVM configuration action on the next screen choose Create volume group Enter a name for the VG such as vg0 or something more descriptive After entering a name select the partition configured for LVM and choose Continue 8 Back at the LVM configuration action screen select Create logical volume Select the newly created volume group and enter a name for the new LV for example srv since that is the intended mount point Then choose a size which may be the full partition because it can always be extended later Choose Finish and you should be back at the main Partition Disks screen 9 Now add a filesystem to the new LVM Select the partition under LVM VG vg01 LV srv or whatever name you have chosen the choose Use as Setup a file system as normal selecting srv as the mount point Once done select Done setting up the partition 10 Finally select Finish partitioning and write changes to disk Then confirm the changes and continue with the rest of the installation There are some useful utilities to view information about LVM e pvdisplay s
129. Make sure you have package network manager openvpn installed Here you see that the installation installs all other required packages as well root client apt get install network manager openvpn Reading package lists Done Building dependency tr Reading state information Done 374 VPN The following extra packages will be installed liblzo2 2 libpkcsll helperl network manager openvpn gnome openvpn Suggested packages resolvconf The following NEW packages will be installed liblzo2 2 libpkcsll helperl network manager openvpn network manager openvpn gnome openvpn 0 upgraded 5 newly installed 0 to remove and 631 not upgraded Need to get 700 kB of archives After this operation 3 031 kB of additional disk space will be used Do you want to continue Y n To inform network manager about the new installed packages you will have to restart it root client restart network manager network manager start running process 3078 Open the Network Manager GUI select the VPN tab and then the Add button Select OpenVPN as the VPN type in the opening requester and press Create In the next window add the OpenVPN s server name as the Gateway set Type to Certificates TLS point User Certificate to your user certificate CA Certificate to your CA certificate and Private Key to your private key file Use the advanced button to enable compression or other special settings you set on the server Now
130. T SUPPORTED Run a command in a running container Ixc backup Back up the root filesystems for all lvm backed containers lxc cgroup View and set container control group settings Ixc checkconfig Verify host support for containers lxc checkpoint NOT SUPPORTED Checkpoint a running container lxc clone Clone a new container from an existing one lxc console Open a console in a running container lxc create Create a new container Ixc destroy Destroy an existing container lxc execute Run a command in a not running application container 352 Virtualization Command Synopsis Ixc freeze Freeze a running container lxc info Print information on the state of a container Ixc kill Send a signal to a container s init Ixc list List all containers Ixc ls List all containers with shorter output than Ixc list lxc monitor lxc netstat Monitor state changes of one or more containers Execute netstat in a running container lxc ps lxc restart View process info in a running container NOT SUPPORTED Restart a checkpointed container lxc restore Ixc setcap Restore containers from backups made by Ixc backup NOT RECOMMENDED Set file capabilities on LXC tools lxc setuid lxc shutdown NOT RECOMMENDED Set or remove setuid bits on LXC tools Safely shut down a container lxc start lxc start ephemeral Start a stopped container Start
131. TLS p 105 for details bJ cn admin cn config is a user we created with rights to edit the Idap database Many times it is the RootDN Change its value to reflect your setup e To load the schema into LDAP on the LDAP server install the krb5 kdc ldap package From a terminal enter sudo apt get install krb5 kdc ldap e Next extract the kerberos schema gz file sudo gzip d usr share doc krb5 kdc ldap kerberos schema gz sudo cp usr share doc krb5 kdc ldap kerberos schema etc ldap schema e The kerberos schema needs to be added to the cn config tree The procedure to add a new schema to slapd is also detailed in Section 1 4 Modifying the slapd Configuration Database p 96 1 First create a configuration file named schema_convert conf or a similar descriptive name containing the following lines include etc ldap schema core schema include etc ldap schema collective schema include etc ldap schema corba schema include etc ldap schema cosine schema 132 Network Authentication include etc ldap schema duaconf schema include etc ldap schema dyngroup schema include etc ldap schema inetorgperson schema include etc ldap schema java schema include etc ldap schema misc schema include etc ldap schema nis schema include etc ldap schema openldap schema include etc ldap schema ppolicy schema include etc ldap schema kerberos schema Create a temporary directory to hold the LD
132. TP protocol you must install and configure a web server Apache2 is proven to work with Subversion Please refer to the HTTP subsection in the Apache section to install and configure Apache2 To access the Subversion repository using the HTTPS protocol you must install and configure a digital certificate in your Apache 2 web server Please refer to the HTTPS subsection in the Apache section to install and configure the digital certificate To install Subversion run the following command from a terminal prompt sudo apt get install subversion libapache2 svn 2 2 Server Configuration This step assumes you have installed above mentioned packages on your system This section explains how to create a Subversion repository and access the project 2 2 1 Create Subversion Repository The Subversion repository can be created using the following command from a terminal prompt svnadmin create path to repos project 2 2 2 Importing Files Once you create the repository you can import files into the repository To import a directory enter the following from a terminal prompt svn import path to import directory file path to repos project 2 3 Access Methods Subversion repositories can be accessed checked out through many different methods on local disk or through various network protocols A repository location however is always a URL The table describes how different URL schemes map to the available acces
133. Ubuntu Server Guide Ubuntu Server Guide Copyright 2012 Contributors to the document Abstract Welcome to the Ubuntu Server Guide It contains information on how to install and configure various server applications on your Ubuntu system to fit your needs It is a step by step task oriented guide for configuring and customizing your system Credits and License This document is maintained by the Ubuntu documentation team https wiki ubuntu com DocumentationTeam A list of contributors is below This document is made available under the Creative Commons ShareAlike 3 0 License CC BY SA You are free to modify extend and improve the Ubuntu documentation source code under the terms of this license All derivative works must be released under this license This documentation is distributed in the hope that it will be useful but WITHOUT ANY WARRANTY without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE AS DESCRIBED IN THE DISCLAIMER A copy of the license is available here Creative Commons ShareAlike License Contributors to this document are e Members of the Ubuntu Documentation Project e Members of the Ubuntu Server Team e Contributors to the Ubuntu Documentation Wiki e Other contributors can be found in the revision history of the serverguide gt and ubuntu docs bzr branches available on Launchpad l http creativecommons org licenses by sa 3 0 7 https launchpad net u
134. a aE 187 2 PHPS Senpting Langage anei ea a a a e a a eaa aa iate 195 3 Squid Proxy Servet ee ie i iea E E a EEE 197 4 Ruby on Rails ei e a ie e E E ta these tet E EE R E a aa i 199 53 Apache Tomeat roerien oe Eie Ea e REER EA R EE E ER AEE EE RE 201 12 Databases enn enen ee ee E E RAEE E coz EEE e AEE ES eee iE EIES 205 ED OL PEE E E E E EE 206 2 Aoa eO EE E A E E A ET 211 13 LAMP A ppl Cations ssssceiccccsvesdobsesadeseesodedeusdenidee ce vhs oubdecelesusesdedeusdonbedusevascueseselesussededeesteebies 213 LON ETVIEW aa a T E AE astiots Maeda wot ww Suse tains ae il ween ae 214 2 Moim Moin sae eee raae e ugaaece cas AE E raS E Rea OaE EEE EEEE a EAE E 215 3 SM edi a W AT SERE E E E E EA 217 4 phpMyAdmin 3 pie onnon den elses e a E Ea E aead abepegscasueavedaebauasacneessant 219 14 File Servers oianean rioei artia e ia dete aes done e e ata eae bela adie dees loge e a a e danas 221 1 PPP Seriyi rne na a R a a code A EA ieaS 222 2 NetWork Fil System NFS cecccec ceeciseereseceds tes wide een a E KEE E Eea 226 SAO CSL Initiator he cd ese eae E EE E sane E E E a e E E EEEE 228 4 CUPS Print Serv r eret ira ar a a aa aaa ar a aa e aatia 231 15x Email ServicESsniene osn etira bs enai Oe Sinkan ees bugessvabovudesebusiessgedeues rara S iHe 234 Te POStEIR cas cosvortesceetadens E E EEA eal stot E E sbanecs an Sednces MN needs ey 235 2s EXIM ETE EE ie ea ie ait ee a eee Ae de ne ee cece ee eee 242 3 Dovecot Serve srenti a seta a el ed
135. a aae anaa a a E a aee a i aAa 117 De KOTDELOS i aare eia a ae a E a e cee E E eed E 124 4 Kerberosand LDAP diirit aaa a a a ea aa E AE NE 132 8 Domain Name Service DNS Jorne rnia TE EE E Ta A ENS 139 Dy Aristallation aeneae aa n EEE S E E EE N E EEEE EA 140 2 Confid ration yraa a n ees a E REE ed Tee ia a ea a eae 141 3 TrOuBleShOO tn T srn nenen sane eddies Gade onteameteceadecd cnnnvdeneDervdee cates yelesa a e tees 147 iii Ubuntu Server Guide A References se vxcceessee cee EE E E E NEER E NEEE A N EE T EE 151 Oo SCCULILY ani esha etiam MA ae Aes ern Ria AA ee ees T 152 1 User Management 250 vie Ji eei a e Wie een tate E aea aea 153 2 CONSOLE SECULILY ces satseadsnadorane sheep anal a r a a a a a a a a a a e 159 3s Firewall aieea dirae unease ea De ieee rera Oaa aa SEa Pana i Ta raD raia 160 aN o oA Su na LO KEN E a Sasa eee Ge FeSO NE Suan Se cdee uel Aad a eeaee ub eae ede 167 5 Certificates osue sees voted tad tae iets ane east EE dees aa Eaa aed E ae EEEE area eee 171 6 COCKY Pts orons ii Merely eA AA ee te ee le 176 10 MONtri 326 set sdetscelelowsinidele eee E EARE EE AE E EEEE O EE ERE 178 EE OAE RIA TA ER E A E E E E E sl Maes Leelee beatae halal te 179 De Na QlOS cospetto iiid or AEE EEEE ETE EEE EEEE aabeedueat 180 Be MUU ga feiss See st A EEE AAA E N BREE AAA AE A E A E EEA AR ERA 184 TVs WED Servers onei nare i e e E ET E E E E EE AE EE EEEE eae AaS 186 1 HIIPD Apache2 Web Servel deorienn aa n a a pa
136. a shared web host However it is possible to restrict such accounts to only SFTP and disable shell interaction See the section on OpenSSH Server for more To configure FTPS edit etc vsftpd conf and at the bottom add ssl_enable Yes Also notice the certificate and key related options rsa_cert_file etc ssl certs ssl cert snakeoil pem rsa_private_key_file etc ssl private ssl cert snakeoil key By default these options are set to the certificate and key provided by the ssl cert package In a production environment these should be replaced with a certificate and key generated for the specific host For more information on certificates see Section 5 Certificates p 171 Now restart vsftpd and non anonymous users will be forced to use FTPS sudo restart vsftpd To allow users with a shell of usr sbin nologin access to FTP but have no shell access edit etc shells adding the nologin shell etc shells valid login shells bin csh bin sh usr bin es asr bin ksh bin ksh usr bin re 224 File Servers usr bin tcsh bin tcsh usr bin esh bin dash bin bash bin rbash usr bin screen usr sbin nologin This is necessary because by default vsftpd uses PAM for authentication and the etc pam d vsftpd configuration file contains auth required pam_shells so The shells PAM module restricts access to shells listed in the etc she11s file Most popular FTP clients can be configured
137. a terminal prompt enter the following command to install bzr sudo apt get install bzr 1 2 Configuration To introduce yourself to bzr use the whoami command like this bzr whoami Joe Doe lt joe doe gmail com gt 1 3 Learning Bazaar Bazaar comes with bundled documentation installed into usr share doc bzr html by default The tutorial is a good place to start The bzr command also comes with built in help bzr help To learn more about the foo command bzr help foo 1 4 Launchpad Integration While highly useful as a stand alone system Bazaar has good optional integration with Launchpad the collaborative development system used by Canonical and the broader open source community to manage and extend Ubuntu itself For information on how Bazaar can be used with Launchpad to collaborate on open source projects see http bazaar vcs org LaunchpadIntegration https launchpad net 2 http bazaar vcs org LaunchpadIntegration 267 Version Control System 2 Subversion Subversion is an open source version control system Using Subversion you can record the history of source files and documents It manages files and directories over time A tree of files is placed into a central repository The repository is much like an ordinary file server except that it remembers every change ever made to files and directories 2 1 Installation To access Subversion repository using the HT
138. ackage contains Tomcat 6 0 documentation packaged as a webapp that you can access by default at http yourserver 8080 docs You can install it by entering the following command in the terminal prompt sudo apt get install tomcat6 docs 5 3 2 Tomcat administration webapps The tomcat6 admin package contains two webapps that can be used to administer the Tomcat server using a web interface You can install them by entering the following command in the terminal prompt sudo apt get install tomcat6 admin The first one is the manager webapp which you can access by default at http yourserver 8080 manager html It is primarily used to get server status and restart webapps ft Access to the manager application is protected by default you need to define a user with the role manager in etc tomcat 6 tomcat users xml before you can access it The second one is the host manager webapp which you can access by default at http yourserver 8080 host manager html It can be used to create virtual hosts dynamically fy Access to the host manager application is also protected by default you need to define a user with the role admin in etc tomcat 6 tomcat users xml before you can access it For security reasons the tomcat6 user cannot write to the etc tomcat directory by default Some features in these admin webapps application deployment virtual host creation need write access to that directory If you want to use these f
139. ages The bottom pane contains information related to the packages and package categories Using Aptitude for package management is relatively straightforward and the user interface makes common tasks simple to perform The following are examples of common package management functions as performed in Aptitude e Install Packages To install a package locate the package via the Not Installed Packages package category by using the keyboard arrow keys and the ENTER key Highlight the desired package then press the key The package entry should turn green indicating that it has been marked for installation Now press g to be presented with a summary of package actions Press g again and you will be prompted to become root to complete the installation Press ENTER which will result in a Password prompt Enter your user password to become root Finally press g once more and you ll be prompted to download the package Press ENTER on the Continue prompt and downloading and installation of the package will commence e Remove Packages To remove a package locate the package via the Installed Packages package category by using the keyboard arrow keys and the ENTER key Highlight the desired package you wish to remove then press the key The package entry should turn pink indicating it has been marked for removal Now press g to be presented with a summary of package actions Press g again and you will be prompted to become root to complete
140. ages are sent to the log files The program aa logprof can be used to scan log files for AppArmor audit messages review them and update the profiles From a terminal sudo aa logprof 4 3 References e See the AppArmor Administration Guide for advanced configuration options e For details using AppArmor with other Ubuntu releases see the AppArmor Community Wiki page e The OpenSUSE AppArmor page is another introduction to AppArmor e A great place to ask for AppArmor assistance and get involved with the Ubuntu Server community is the ubuntu server IRC channel on freenode https bugs launchpad net ubuntu source apparmor filebug 8 http www novell com documentation apparmor apparmor201_sp10_admin index html page documentation apparmor apparmor201_sp10_admin data book_apparmor_admin html 7 https help ubuntu com community AppArmor 19 http en opensuse org SDB AppArmor_geeks 7 http freenode net 170 Security 5 Certificates One of the most common forms of cryptography today is public key cryptography Public key cryptography utilizes a public key and a private key The system works by encrypting information using the public key The information can then only be decrypted using the private key A common use for public key cryptography is encrypting application traffic using a Secure Socket Layer SSL or Transport Layer Security TLS connection For example configuring Apache to provide HTTPS the
141. ainer configuration file e var lib 1xc is where containers and their configuration information are stored e var cache 1xc is where caches of distribution data are stored to speed up multiple container creations 5 2 2 Ixcbr0 When USE_LXC_BRIDGE is set to true in etc default lxc as it is by default a bridge called Ixcbr0 is created at startup This bridge is given the private address 10 0 3 1 and containers using this bridge will have a 10 0 3 0 24 address A dnsmasgq instance is run listening on that bridge so if another dnsmasq has bound all interfaces before the lxc net upstart job runs Ixc net will fail to start and lxcbr0 will not exist If you have another bridge libvirt s default virbr0 or a brO bridge for your default NIC you can use that bridge in place of Ixcbr0 for your containers 5 2 3 Using a separate filesystem for the container store LXC stores container information and with the default backing store root filesystems under var lib 1xc Container creation templates also tend to store cached distribution information under var cache 1xc 341 Virtualization If you wish to use another filesystem than var you can mount a filesystem which has more space into those locations If you have a disk dedicated for this you can simply mount it at var lib 1xc If you d like to use another location like srv you can bind mount it or use a symbolic link For instance if srv is a large mounted
142. al system applications which typically execute continuously in the background and await requests for the functions they provide from other applications Many daemons are network centric that is a large number of daemons executing in the background on an Ubuntu system may provide network related functionality Some examples of such network daemons include the Hyper Text Transport Protocol Daemon httpd which provides web server functionality the Secure SHell Daemon sshd which provides secure remote login shell and file transfer capabilities and the Internet Message Access Protocol Daemon imapd which provides E Mail services 2 7 Resources e There are man pages for TCP and IP that contain more useful information e Also see the TCP IP Tutorial and Technical Overview IBM Redbook e Another resource is O Reilly s TCP IP Network Administration 9 http manpages ubuntu com manpages precise en man7 tcp 7 html 19 http manpages ubuntu com manpages precise man7 ip 7 html ul http www redbooks ibm com abstracts gg243376 html 12 bttp oreilly com catalog 9780596002978 45 Networking 3 Dynamic Host Configuration Protocol DHCP The Dynamic Host Configuration Protocol DHCP is a network service that enables host computers to be automatically assigned settings from a server as opposed to manually configuring each network host Computers configured to be DHCP clients have no control over the settings they receiv
143. allows the LV to be extended using PE The L option allows the LV to be extended using Meg Gig Tera etc bytes 4 Even though you are supposed to be able to expand an ext3 or ext4 filesystem without unmounting it first it may be a good practice to unmount it anyway and check the filesystem so that you don t mess up the day you want to reduce a logical volume in that case unmounting first is compulsory The following commands are for an EXT3 or EXT4 filesystem If you are using another filesystem there may be other utilities available sudo umount srv sudo e2fsck f dev vg01 srv The f option of e2fsck forces checking even if the system seems clean 5 Finally resize the filesystem sudo resize2fs dev vg01 srv 6 Now mount the partition and check its size mount dev vg01 srv srv amp amp df h srv 4 2 4 Resources See the Ubuntu Wiki LVM Articles See the LVM HOWTO for more information e Another good article is Managing Disk Space with LVM on O Reilly s linuxdevcenter com site e For more information on fdisk see the fdisk man page 9 https help ubuntu com community Installation lvm 10 ttp tldp org HOWTO LVM HOWTO index html I http www linuxdevcenter com pub a linux 2006 04 27 managing disk space with Ilvm html 12 http manpages ubuntu com manpages precise en man8 fdisk 8 html 16 Installation 5 Kernel Crash Dump 5 1 Introduction A Kernel Crash Dump refers
144. also check email validity by passing it through external content filters These filters can sometimes determine if a message is spam without needing to process it with more resource intensive applications Two common filters are opendkim and python policyd spf e Amavisd new is a wrapper program that can call any number of content filtering programs for spam detection antivirus etc e Spamassassin uses a variety of mechanisms to filter email based on the message content e ClamAV is an open source antivirus application e opendkim implements a Sendmail Mail Filter Milter for the DomainKeys Identified Mail DKIM standard e python policyd spf enables Sender Policy Framework SPF checking with Postfix This is how the pieces fit together e An email message is accepted by Postfix e The message is passed through any external filters opendkim and python policyd spf in this case e Amavisd new then processes the message e ClamAV is used to scan the message If the message contains a virus Postfix will reject the message e Clean messages will then be analyzed by Spamassassin to find out if the message is spam Spamassassin will then add X Header lines allowing Amavisd new to further manipulate the message For example if a message has a Spam score of over fifty the message could be automatically dropped from the queue without the recipient ever having to be bothered Another way to handle flagged messages is to deliver them
145. and stopping To start a container use Ixe start n CN By default Ixc start will execute sbin init in the container You can provide a different program to execute plus arguments as further arguments to Ixc start sudo lxc start n container sbin init loglevel debug If you do not specify the d daemon option then you will see a console on the container s dev console see Section 5 3 5 Consoles p 350 for more information on the terminal If you specify the d option you will not see that console and lxc start will immediately exit success even if a later part of container startup has failed You can use Ixe wait or lxc monitor see Section 5 3 4 Monitoring container status p 349 to check on the success or failure of the container startup To obtain LXC debugging information use o filename l debuglevel for instance sudo lxc start o lxc debug 1 DEBUG n container Finally you can specify configuration parameters inline using s However it is generally recommended to place them in the container s configuration file instead Likewise an entirely alternate config file can be specified with the f option but this is not generally recommended While Ixc start runs the container s sbin init lxe execute uses a minimal init program called Ixe init which attempts to mount proc dev mqueue and dev shm executes the programs specified on the command line and waits for those to finish executing
146. another file mountall upgrades which insist on replacing that file can fail 356 Virtualization e The over mounting of console devices with ptys from the host can cause trouble with udev upgrades e Apparmor policy and devices cgroup restrictions can prevent package upgrades from performing certain actions e Capabilities dropped by use of Ixc cap drop can likewise stop package upgrades from performing certain actions 5 6 Libvirt LXC Libvirt is a powerful hypervisor management solution with which you can administer Qemu Xen and LXC virtual machines both locally and remote The libvirt LXC driver is a separate implementation from what we normally call LXC A few differences include e Configuration is stored in xml format e There no tools to facilitate container creation e By default there is no console on dev console e There is no support yet for container reboot or full shutdown 5 6 1 Converting a LXC container to libvirt lxc Section 5 3 1 Creating Containers p 344 showed how to create LXC containers If you ve created a valid LXC container in this way you can manage it with libvirt Fetch a sample xml file from wget http people canonical com serge ol1 xml Edit this file to replace the container name and root filesystem locations Then you can define the container with virsh c lxc define o1 xml 5 6 2 Creating a container from cloud image If you prefer to create a p
147. aring Services Using the Server Message Block SMB protocol to facilitate the sharing of files folders volumes and the sharing of printers throughout the network e Directory Services Sharing vital information about the computers and users of the network with such technologies as the Lightweight Directory Access Protocol LDAP and Microsoft Active Directory e Authentication and Access Establishing the identity of a computer or user of the network and determining the information the computer or user is authorized to access using such principles and technologies as file permissions group policies and the Kerberos authentication service Fortunately your Ubuntu system may provide all such facilities to Windows clients and share network resources among them One of the principal pieces of software your Ubuntu system includes for Windows networking is the Samba suite of SMB server applications and tools This section of the Ubuntu Server Guide will introduce some of the common Samba use cases and how to install and configure the necessary packages Additional detailed documentation and information on Samba can be found on the Samba website l http www samba org 277 Windows Networking 2 Samba File Server One of the most common ways to network Ubuntu and Windows computers is to configure Samba as a File Server This section covers setting up a Samba server to share files with Windows clients The server will
148. ast address is 192 168 1 255 Broadcast messages are typically produced by network protocols such as the Address Resolution Protocol ARP and the Routing Information Protocol RIP e Gateway Address A Gateway Address is the IP address through which a particular network or host on a network may be reached If one network host wishes to communicate with another network host and that host is not located on the same network then a gateway must be used In many cases the Gateway Address will be that of a router on the same network which will in turn pass traffic on to other networks or hosts such as Internet hosts The value of the Gateway Address setting must be correct or your system will not be able to reach any hosts beyond those on the same network e Nameserver Address Nameserver Addresses represent the IP addresses of Domain Name Service DNS systems which resolve network hostnames into IP addresses There are three levels of Nameserver Addresses which may be specified in order of precedence The Primary Nameserver the Secondary Nameserver and the Tertiary Nameserver In order for your system to be able to resolve network hostnames into their corresponding IP addresses you must specify valid Nameserver Addresses which you are authorized to use in your system s TCP IP configuration In many cases these addresses can and will be provided by your network service provider but many free and publicly accessible nameservers are available for
149. at phpMyAdmin is installed on or on a host accessible over the network For more information see Section 1 MySQL p 206 From a terminal prompt enter sudo apt get install phpmyadmin At the prompt choose which web server to be configured for phpMyAdmin The rest of this section will use Apache2 for the web server In a browser go to http servername phpmyadmin replacing serveranme with the server s actual hostname At the login page enter root for the username or another MySQL user if you any setup and enter the MySQL user s password Once logged in you can reset the root password if needed create users create destroy databases and tables etc 4 2 Configuration The configuration files for phpMyAdmin are located in etc phpmyadmin The main configuration file is etc phpmyadmin config inc php This file contains configuration options that apply globally to phpMyAdmin To use phpMyAdmin to administer a MySQL database hosted on another server adjust the following in etc phpmyadmin config inc php Scfg Servers i host db_server bA Replace db_server with the actual remote database server name or IP address Also be sure that the phpMyAdmin host has permissions to access the remote database Once configured log out of phpMyAdmin and back in and you should be accessing the new server The config header inc php and config footer inc php files are used to add a HTML header and footer to phpMyAd
150. at6 instance create my instance This will create a new my instance directory with all the necessary subdirectories and scripts You can for example install your common libraries in the 1ib subdirectory and deploy your webapps in the webapps subdirectory No webapps are deployed by default 5 4 3 Configuring your private instance You will find the classic Tomcat configuration files for your private instance in the conf subdirectory You should for example certainly edit the conf server xml file to change the default ports used by your private Tomcat instance to avoid conflict with other instances that might be running 203 Web Servers 5 4 4 Starting stopping your private instance You can start your private instance by entering the following command in the terminal prompt supposing your instance is located in the my instance directory my instance bin startup sh a You should check the 1ogs subdirectory for any error If you have a java net BindException Address already in use lt null gt 8080 error it means that the port you re using is already taken and that you should change it You can stop your instance by entering the following command in the terminal prompt supposing your instance is located in the my instance directory my instance bin shutdown sh 5 5 References See the Apache Tomcat website for more information e Tomcat The Definitive Guide is a good resource for building we
151. ate A hostname hostname s Find which week of the month 1 4 it is day_num date d if day_num lt 7 then week_file hostname week1 tgz elif day_num gt 7 amp amp day_num lt 14 then week_file hostname week2 tgz elif day_num gt 14 amp amp day_num lt 21 then week_file hostname week3 tgz elif day_num gt 21 amp amp day_num lt 32 then week_file hostname week4 tgz 299 Backups Find if the Month is odd or even month_num S date m month S expr S month_num 2 if month eq 0 then month_file Shostname month2 tgz else month_file Shostname monthl tgz fi Create archive filename if S day_num then archive_file month_file elif Sday Saturday then archive_file Shostname Sday tgz else archive_file week_fil fi Print start status message echo Backing up Sbackup_files to S dest Sarchive_file date echo Backup the files using tar tar czf Sdest Sarchive_file Sbackup_files Print end status message echo echo Backup finished date Long listing of files in dest to check file sizes ls 1h Sdest The script can be executed using the same methods as in Section 1 2 Executing the Script p 296 It is good practice to take backup media off site in case of a disaster In the shell script example the backup media is another server providing an NFS share
152. ay be easier to use the above commands to configure Postfix for SMTP AUTH To install the package from a terminal prompt enter sudo apt get install mail stack delivery You should now have a working mail server but there are a few options that you may wish to further customize For example the package uses the certificate and key from the ssl cert package and in a production environment you should use a certificate and key generated for the host See Section 5 Certificates p 171 for more details Once you have a customized certificate and key for the host change the following options in etc postfix main cf 238 Email Services smtpd_tls_cert_file etc ssl certs ssl mail pem smtpd_tls_key_file etc ssl private ssl mail key Then restart Postfix sudo etc init d postfix restart 1 6 Testing SMTP AUTH configuration is complete Now it is time to test the setup To see if SMTP AUTH and TLS work properly run the following command telnet mail example com 25 After you have established the connection to the postfix mail server type ehlo mail example com If you see the following lines among others then everything is working perfectly Type quit to exit 250 STARTTLS 250 AUTH LOGIN PLAIN 250 AUTH LOGIN PLAIN 250 8BITMIME 1 7 Troubleshooting This section introduces some common ways to determine the cause if problems arise 1 7 1 Escaping chroot The Ubuntu postfix package will
153. b applications with Tomcat e For additional books see the Tomcat Books list page e Also see theUbuntu Wiki Apache Tomcat page al http tomcat apache org 22 http oreilly com catalog 9780596003180 23 http wiki apache org tomcat Tomcat Books at https help ubuntu com community ApacheTomcat5 204 Chapter 12 Databases Ubuntu provides two popular database servers They are e MySQL e PostgreSQL They are available in the main repository This section explains how to install and configure these database servers 205 Databases 1 MySQL MySQL is a fast multi threaded multi user and robust SQL database server It is intended for mission critical heavy load production systems as well as for embedding into mass deployed software 1 1 Installation To install MySQL run the following command from a terminal prompt sudo apt get install mysql server bJ As of Ubuntu 12 04 MySQL 5 5 is installed by default Whilst this is 100 compatible with MySQL 5 1 should you need to install 5 1 for example to be a slave to other MySQL 5 1 servers you can install the mysql server 5 1 package instead During the installation process you will be prompted to enter a password for the MySQL root user Once the installation is complete the MySQL server should be started automatically You can run the following command from a terminal prompt to check whether the MySQL server is running sudo netstat tap
154. b trees ldap_service_password_file etc krb5kdc service keyfil ldap_servers ldaps ldap01l example com ldaps ldap02 example com ldap_conns_per_server 5 Change example com dc example dc com cn admin dc example dc com and IdapO1 example com to the appropriate domain LDAP object and LDAP server for your network e Next use the kdb5_Idap_util utility to create the realm sudo kdb5_ldap_util D cn admin dc example dc com create subtrees dc example dc com r EXAMPLE COM s H ldap ldap01 example com e Create a stash of the password used to bind to the LDAP server This password is used by the Idap_kdc_dn and Idap_kadmin_dn options in etc krb5 conf sudo kdb5_ldap_util D cn admin dc example dc com stashsrvpw f etc krb5kdc service keyfile cn admin dc example dc com e Copy the CA certificate from the LDAP server scp ldap01 etc ssl certs cacert pem sudo cp cacert pem etc ssl certs And edit etc ldap ldap conf to use the certificate TLS_CACERT etc ssl certs cacert pem The certificate will also need to be copied to the Secondary KDC to allow the connection to the LDAP servers using LDAPS 135 Network Authentication You can now add Kerberos principals to the LDAP database and they will be copied to any other LDAP servers configured for replication To add a principal using the kadmin local utility enter sudo kadmin local Authenticating as principal root admin EXAMPLE COM with
155. ble e Another resource is the Exim4 Ubuntu Wiki page 9 http www exim org 19 http www uit co uk content exim smtp mail server 7 https help ubuntu com community Exim4 244 Email Services 3 Dovecot Server Dovecot is a Mail Delivery Agent written with security primarily in mind It supports the major mailbox formats mbox or Maildir This section explain how to set it up as an imap or pop3 server 3 1 Installation To install dovecot run the following command in the command prompt sudo apt get install dovecot imapd dovecot pop3d 3 2 Configuration To configure dovecot you can edit the file etc dovecot dovecot conf You can choose the protocol you use It could be pop3 pop3s pop3 secure imap and imaps imap secure A description of these protocols is beyond the scope of this guide For further information refer to the Wikipedia articles on POP3 and IMAP IMAPS and POP3S are more secure that the simple IMAP and POP3 because they use SSL encryption to connect Once you have chosen the protocol amend the following line in the file etc dovecot dovecot conf protocols pop3 pop3s imap imaps Next choose the mailbox you would like to use Dovecot supports maildir and mbox formats These are the most commonly used mailbox formats They both have their own benefits and are discussed on the Dovecot web site Once you have chosen your mailbox type edit the file etc dovecot d
156. ble_cache gradually to avoid file descriptor limits Variables to adjust key_buffer_siz gt 1 4G query_cache_size gt 32M table_cache gt 64 innodb_buffer_pool_size gt 22G One final comment on tuning databases Whilst we can broadly say that certain settings are the best performance can vary from application to application For example what works best for Wordpress might not be the best for Drupal Joomla or proprietary applications Performance is dependent on the types of queries use of indexes how efficient the database design is and so on You may find it useful to spend some time searching for database tuning tips based on what applications you re using it for Once you get past a certain point any adjustments you make will only result in minor improvements and you ll be better off either improving the application or looking at scaling up your database environment through either using more powerful hardware or by adding slave servers 209 Databases 1 5 Resources e See the MySQL Home Page for more information e Full documentation is available in both online and offline formats from the MySQL Developers 5 portal e For general SQL information see Using SQL Special Edition by Rafe Colburn e The Apache MySQL PHP Ubuntu Wiki page also has useful information A http www mysql com gt http dev mysql com doc 6 http www informit com store product aspx isbn 0768664128 7 https help u
157. buntu com community ApacheMySQLPHP 210 Databases 2 PostgreSQL PostgreSQL is an object relational database system that has the features of traditional commercial database systems with enhancements to be found in next generation DBMS systems 2 1 Installation To install PostgreSQL run the following command in the command prompt sudo apt get install postgresql Once the installation is complete you should configure the PostgreSQL server based on your needs although the default configuration is viable 2 2 Configuration By default connection via TCP IP is disabled PostgreSQL supports multiple client authentication methods IDENT authentication method is used for postgres and local users unless otherwise configured Please refer the PostgreSQL Administrator s Guide if you would like to configure alternatives like Kerberos The following discussion assumes that you wish to enable TCP IP connections and use the MD5 method for client authentication PostgreSQL configuration files are stored in the etc postgresql lt version gt main directory For example if you install PostgreSQL 8 4 the configuration files are stored in the etc postgresql 8 4 main directory To configure ident authentication add entries to the etc postgresql 8 4 main pg_ident conf file There are detailed comments in the file to guide you To enable TCP IP connections edit the file etc postgresql 8 4 main postgresql conf
158. buntu core doc 2 https launchpad net ubuntu server A https help ubuntu com community gt https code launchpad net serverguide 6 https code launchpad net ubuntu docs Table of Contents Te Introduction isien eroeethe sec chee E nE a Speen sve duce E E EE A A E ces duce AE ER AEEA 1 Ty SUpPOrti eects ied EET aA EE A ea ee S 2 De Am Stall ata Omics siesta ses voreapea ea tae ae Aia esis TE A EE A A E syedeeueds sb sata be cusucusven O a 3 1 Preparmey to Installa cidescisepediesdscdccctssves Sauthdescattvedsesdsteeccteveds cSaethdescasapedeesdetcgectenyes aeni 4 2 Installing from CD reprhnert aten E esheets acaba ane ye Lees ake acd be delete 6 3s Upgrading e i ae bs eects a ra Ae sevepegess cocgessUcsuig eps ou cies E a nian i ittota 9 4 Advanced Installation sesoonse aiana r aea a ae Resid aie 10 9 Kernel Crash D MPi siainen iaaa ee E E e e E a ES 17 3 Packa e Management esie onsi esas tear eaaa ees Eta AEE E OARE EEE Ae EE A EAE ENEE E E 20 1s Introduction rerin enee a E EE e E E E E E A e E E EA 21 PRI E E A E E sa gees dhlacs 22 JAP Get wie aeaea A A e aa aa RE es es a iA ahs 23 Ae Aptitude i abe aeoe i o E east louse baat eden ede e cave EEN E E teed east vdeseuaeaves 25 5 Automate Updates irais A cvecadacceds nna E aN Eanna EENES FELA SE EnA daduonad da EEKAN EErEE n TEE EENE 27 OCOD SUTAUON S cieee a ai sais aea hee N R eE alls E E E ERE E A EE 29 E O E ETE E T 31 A Networking veteen antee nai een ee ed en e
159. by editing etc sysctl conf and uncomment the following line net ipv4 ip_forward 1 If you wish to enable IPv6 forwarding also uncomment net ipv6 conf default forwarding 1 e Next execute the sysctl command to enable the new settings in the configuration file sudo sysctl p e IP Masquerading can now be accomplished with a single iptables rule which may differ slightly based on your network configuration sudo iptables t nat A POSTROUTING s 192 168 0 0 16 0o ppp0 j MASQUERADE The above command assumes that your private address space is 192 168 0 0 16 and that your Internet facing device is ppp0 The syntax is broken down as follows e t nat the rule is to go into the nat table e A POSTROUTING the rule is to be appended A to the POSTROUTING chain e s 192 168 0 0 16 the rule applies to traffic originating from the specified address space e o pppo the rule applies to traffic scheduled to be routed through the specified network device e j MASQUERADE traffic matching this rule is to jump j to the MASQUERADE target to be manipulated as described above e Also each chain in the filter table the default table and where most or all packet filtering occurs has a default policy of ACCEPT but if you are creating a firewall in addition to a gateway device you may have set the policies to DROP or REJECT in which case your masqueraded traffic needs to be allowed through the FORWARD chain for the above rul
160. c mediawiki LocalSettings php in order to set the memory limit disabled by default ini_set memory_limit 64M 3 3 Extensions The extensions add new features and enhancements for the MediaWiki application The extensions give wiki administrators and end users the ability to customize MediaWiki to their requirements 217 LAMP Applications You can download MediaWiki extensions as an archive file or checkout from the Subversion repository You should copy it to var lib mediawiki extensions directory You should also add the following line at the end of file etc mediawiki LocalSettings php require_once SIP extensions ExtentionName ExtentionName php 3 4 References e For more details please refer to the MediaWiki web site e The MediaWiki Administrators Tutorial Guide contains a wealth of information for new MediaWiki administrators e Also the Ubuntu Wiki MediaWiki page is a good resource i http www mediawiki org gt http www packtpub com Mediawiki book 6 https help ubuntu com community MediaWiki 218 LAMP Applications 4 phpMyAdmin phpMyAdmin is a LAMP application specifically written for administering MySQL servers Written in PHP and accessed through a web browser phpMyAdmin provides a graphical interface for database administration tasks 4 1 Installation Before installing phpMyAdmin you will need access to a MySQL database either on the same host as th
161. c rootfs var lib 1xc CN rootfs 1lxc mount entry proc var lib 1xc CN rootfs proc proc nodev noexec nosuid 0 0 lxc mount var lib 1xc CN fstab The first line says that the container s root filesystem is already mounted at var lib 1xc CN rootfs If the filesystem is a block device such as an LVM logical volume then the path to the block device must be given instead Each Ixc mount entry line should contain an item to mount in valid fstab format The target directory should be prefixed by var 1lib 1xc CN root fs even if Ixc rootfs points to a block device Finally Ixc mount points to a file in fstab format containing further items to mount Note that all of these entries will be mounted by the host before the container init is started In this way it is possible to bind mount various directories from the host into the container 5 4 5 Other configuration options e Ixc cap drop can be used to prevent the container from having or ever obtaining the listed capabilities For instance including lxc cap drop sys_admin will prevent the container from mounting filesystems as well as all other actions which require cap_sys_admin See the capabilities 7 manual page for a list of capabilities and their meanings e lxc aa_profile lxc CN profile specifies a custom Apparmor profile in which to start the container See Section 5 2 6 Apparmor p 342 for more information e lxc console path to consolefile will caus
162. cDatabase 1 frontend olcAccess 103 Network Authentication dn olcDatabase 1 frontend cn config olcAccess 0 to by dn exact gidNumber 0 uidNumber 0 cn peercred cn external cn auth manage by break olcAccess l to dn exact by read olcAccess 2 to dn base cn Subschema by read The very first ACL is crucial olcAccess 0 to attrs userPassword shadowLastChange by self write by anonymous auth by dn cn admin dc example dc com write by none This can be represented differently for easier digestion to attrs userPassword by self write by anonymous auth by dn cn admin dc example dc com write by none to attrs shadowLastChange by self write by anonymous auth by dn cn admin dc example dc com write by none This compound ACL there are 2 enforces the following e Anonymous auth access is provided to the userPassword attribute for the initial connection to occur Perhaps counter intuitively by anonymous auth is needed even when anonymous access to the DIT is unwanted Once the remote end is connected howerver authentication can occur see next point e Authentication can happen because all users have read due to by self write access to the userPassword attribute The userPassword attribute is otherwise unaccessible by all other users with the exception of the rootDN who has complete access to it e In order for users to change their own password u
163. cifically the Munin Documentation page includes information on additional plugins writing plugins etc e Also there is a book in German by Open Source Press Munin Graphisches Netzwerk und System Monitoring e Another resource is the Munin Ubuntu Wiki page 2 http munin projects linpro no http munin projects linpro no wiki Documentation i https www opensourcepress de index php 26 amp backPID 178 amp tt_products 152 8 https help ubuntu com community Munin 185 Chapter 11 Web Servers A Web server is a software responsible for accepting HTTP requests from clients which are known as Web browsers and serving them HTTP responses along with optional data contents which usually are Web pages such as HTML documents and linked objects images etc 186 Web Servers 1 HTTPD Apache2 Web Server Apache is the most commonly used Web Server on Linux systems Web Servers are used to serve Web Pages requested by client computers Clients typically request and view Web Pages using Web Browser applications such as Firefox Opera Chromium or Mozilla Users enter a Uniform Resource Locator URL to point to a Web server by means of its Fully Qualified Domain Name FQDN and a path to the required resource For example to view the home page of the Ubuntu Web site a user will enter only the FQDN www ubuntu com To view the community sub page a user will enter the FQDN followed by a path www
164. ckage configuration remains on system e p Purged from system e v Virtual package e B Broken package e u Unpacked files but package not yet configured e C Half configured Configuration failed and requires fix e H Half installed Removal failed and requires fix To exit Aptitude simply press the q key and confirm you wish to exit Many other functions are available from the Aptitude menu by pressing the F10 key 4 1 Command Line Aptitude You can also use Aptitude as a command line tool similar to apt get To install the nmap package with all necessary dependencies as in the apt get example you would use the following command sudo aptitude install nmap To remove the same package you would use the command sudo aptitude remove nmap Consult the man pages for more details of command line options for Aptitude 26 Package Management 5 Automatic Updates The unattended upgrades package can be used to automatically install updated packages and can be configured to update all packages or just install security updates First install the package by entering the following in a terminal sudo apt get install unattended upgrades To configure unattended upgrades edit etc apt apt conf d 50unattended upgrades and adjust the following to fit your needs Unattended Upgrade Allowed Origins Ubuntu precise security Ubuntu precise updates Certain packages can also be blacklisted and ther
165. col you must configure your Apache 2 web server Add the following snippet between the lt VirtualHost gt and lt VirtualHost gt elements in etc apache2 sites available default or another VirtualHost file lt Location svn gt DAV svn SVNPath home svn AuthType Basic AuthName Your repository name 3 http svnbook red bean com 269 Version Control System AuthUserFile etc subversion passwd Require valid user lt Location gt bA The above configuration snippet assumes that Subversion repositories are created under home svn directory using svnadmin command They can be accessible using http hostname svn repos_name url To import or commit files to your Subversion repository over HTTP the repository should be owned by the HTTP user In Ubuntu systems normally the HTTP user is www data To change the ownership of the repository files enter the following command from terminal prompt sudo chown R www data www data path to repos By changing the ownership of repository as www data you will not be able to import or commit files into the repository by running svn import file command as any user other than www data Next you must create the etc subversion passwd file that will contain user authentication details To create a file issue the following command at a command prompt which will create the file and add the first user sudo htpasswd c etc subversion passwd user_name To add additio
166. comes with Mailman and is placed in etc mailman apache conf In order for Apache to use the config file it needs to be copied to etc apache2 sites available sudo cp etc mailman apache conf etc apache2 sites available mailman conf This will setup a new Apache VirtualHost for the Mailman administration site Now enable the new configuration and restart Apache sudo a2ensite mailman conf sudo service apache2 restart Mailman uses apache2 to render its CGI scripts The mailman CGI scripts are installed in the usr lib cgi bin mailman directory So the mailman url will be http hostname cgi bin mailman You can make changes to the etc apache2 sites available mailman conf file if you wish to change this behavior 4 2 2 Postfix For Postfix integration we will associate the domain lists example com with the mailing lists Please replace lists example com with the domain of your choosing You can use the postconf command to add the necessary configuration to etc postfix main cf sudo postconf e relay domains lists example com sudo postconf e transport_maps hash etc postfix transport sudo postconf e mailman_destination_recipient_limit 1 In etc post fix master cf double check that you have the following transport mailman unix n n z z pipe flags FR user list argv usr lib mailman bin postfix to mailman py 248 Email Services S nexthop user It calls the postfix to mailman py script when
167. config changetype modify add olcLogLevel olcLogLevel stats Implement the change sudo ldapmodify Q Y EXTERNAL H ldapi f logging 1ldif This will produce a significant amount of logging and you will want to throttle back to a less verbose level once your system is in production While in this verbose mode your host s syslog engine rsyslog may have a hard time keeping up and may drop messages rsyslogd 2177 imuxsock lost 228 messages from pid 2547 due to rate limiting You may consider a change to rsyslog s configuration In etc rsyslog conf put Disable rate limiting default is 200 messages in 5 seconds below we make the 5 become 0 SSystemLogRateLimitInterval 0 And then restart the rsyslog daemon sudo service rsyslog restart 1 6 Replication The LDAP service becomes increasingly important as more networked systems begin to depend on it In such an environment it is standard practice to build redundancy high availability into LDAP to prevent havoc should the LDAP server become unresponsive This is done through LDAP replication 3 http manpages ubuntu com manpages en man5 slapd config 5 html 99 Network Authentication Replication is achieved via the Syncrepl engine This allows changes to be synchronized using a Consumer Provider model The specific kind of replication we will implement in this guide is a combination of the following modes refreshAndPersist and delta syncrepl This
168. config tun0 tun0 Link encap UNSPEC HWaddr 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 inet address P t P 0802 Mask 259 255 255 255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU 1500 Metric 1 368 VPN 1 4 Simple Client Configuration There are various different OpenVPN client implementations with and without GUIs You can read more about clients in a later section For now we use the OpenVPN client for Ubuntu which is the same executable as the server So you have to install the openvpn package again on the client machine sudo apt get install openvpn This time copy the client conf sample config file to etc openvpn sudo cp usr share doc openvpn examples sample config files client conf etc openvpn Copy the client keys and the certificate of the CA you created in the section above to e g etc openvpn and edit etc openvpn client conf to make sure the following lines are pointing to those files If you have the files in etc openvpn you can omit the path ca ca crt cert clientl crt key clientl key And you have to at least specify the OpenVPN server name or address Make sure the keyword client is in the config That s what enables client mode client remote vpnserver example com 1194 Now start the OpenVPN client root client etc openvpn etc init d openvpn start Starting virtual private network daemon s x Autostarting VPN client OK Check if it created a tun0O interface
169. configuration file that would blacklist all SCSI devices since it blacklists all sd devices blacklist devnode sd a z 63 DM Multipath You can use a devnode entry in the blacklist section of the configuration file to specify individual devices to blacklist rather than all devices of a specific type This is not recommended however since unless it is statically mapped by udev rules there is no guarantee that a specific device will have the same name on reboot For example a device name could change from dev sda to dev sdb on reboot By default the following devnode entries are compiled in the default blacklist the devices that these entries blacklist do not generally support DM Multipath To enable multipathing on any of these devices you would need to specify them in the blacklist_exceptions section of the configuration file as described in Blacklist Exceptions p 64 blacklist devnode ram raw loop fd md dm sr scd st 0 9 devnode hd a z 4 2 3 Blacklisting By Device Type You can specify specific device types in the blacklist section of the configuration file with a device section The following example blacklists all IBM DS4200 and HP devices blacklist device vendor IBM product 3S42 DS4200 Product 10 device vendor HP product 4 2 4 Blacklist Exceptions You can use the blacklist_exceptions section of the configuration file to enable multipathing on
170. cripts from your command prompt 195 Web Servers By default the Apache 2 Web server is configured to run PHP5S scripts In other words the PHP5 module is enabled in Apache2 Web server automatically when you install the module Please verify if the files etc apache2 mods enabled php5 conf and etc apache2 mods enabled php5 load exist If they do not exists you can enable the module using a2enmod command Once you install PHP5 related packages and enabled PHP5 Apache 2 module you should restart Apache2 Web server to run PHP5 scripts You can run the following command at a terminal prompt to restart your web server sudo service apache2 restart 2 3 Testing To verify your installation you can run following PHPS5 phpinfo script lt php phpinfo 2 gt You can save the content in a file phpinfo php and place it under DocumentRoot directory of Apache2 Web server When point your browser to http hostname phpinfo php it would display values of various PHP5 configuration parameters 2 4 References e For more in depth information see php net documentation e There are a plethora of books on PHP Two good books from O Reilly are Learning PHP 5 and the PHP Cook Book e Also see the Apache MySQL PHP Ubuntu Wiki page for more information t http www php net docs php 12 http oreilly com catalog 9780596005603 13 http oreilly com catalog 9781565926813 14 https help ubuntu com community
171. ctives involved are called access control lists or ACL When we installed the slapd package various ACL were set up automatically We will look at a few important consequences of those defaults and in so doing we ll get an idea of how ACLs work and how they re configured To get the effective ACL for an LDAP query we need to look at the ACL entries of the database being queried as well as those of the special frontend database instance The ACLs belonging to the latter act as defaults in case those of the former do not match The frontend database is the second to be consulted and the ACL to be applied is the first to match first match wins among these 2 ACL sources The following commands will give respectively the ACLs of the hdb database dc example dc com and those of the frontend database sudo ldapsearch Q LLL Y EXTERNAL H ldapi b cn config olcDatabase 1 hdb olcAccess dn olcDatabase 1 hdb cn config olcAccess 0 to attrs userPassword shadowLastChange by self write by anonymous auth by dn cn admin dc example dc com write by none olcAccess l to dn base by read olcAccess 2 to by self write by dn cn admin dc example dc com write by read fe The rootDN always has full rights to it s database Including it in an ACL does provide an explicit configuration but it also causes slapd to incur a performance penalty sudo ldapsearch Q LLL Y EXTERNAL H ldapi b cn config ol
172. ctory domain enter the following command in the terminal prompt sudo apt get install samba smbfs smbclient Next edit etc samba smb conf changing workgroup EXAMPLE security ads realm EXAMPLE COM idmap backend lwopen idmap uid 50 9999999999 idmap gid 50 9999999999 Restart samba for the new settings to take effect sudo restart smbd sudo restart nmbd You should now be able to access any Samba shares from a Windows client However be sure to give the appropriate AD users or groups access to the share directory See Section 4 Securing a Samba File and Print Server p 283 for more details 6 2 Accessing a Windows Share Now that the Samba server is part of the Active Directory domain you can access any Windows server shares e To mount a Windows file share enter the following in a terminal prompt mount cifs fs01 example com share mount_point It is also possible to access shares on computers not part of an AD domain but a username and password will need to be provided 2h http www likewise com resources documentation_library manuals open likewise open guide html 292 Windows Networking e To mount the share during boot place an entry in etc fstab for example 192 168 0 5 share mnt windows cifs auto username steve password secret rw 0 e Another way to copy files from a Windows server is to use the smbclient utility To list the files in a Windows share smbclient
173. d command the command to execute To add or change entries in a crontab file the crontab e command should be used Also the contents of a crontab file can be viewed using the crontab 1 command To execute the backup sh script listed above using cron Enter the following from a terminal prompt sudo crontab e fe Using sudo with the crontab e command edits the root user s crontab This is necessary if you are backing up directories only the root user has access to Add the following entry to the crontab file m h dom mon dow command 0 0 bash usr local bin backup sh The backup sh script will now be executed every day at 12 00 am bJ The backup sh script will need to be copied to the usr local bin directory in order for this entry to execute properly The script can reside anywhere on the file system simply change the script path appropriately For more in depth crontab options see Section 1 4 References p 298 1 3 Restoring from the Archive Once an archive has been created it is important to test the archive The archive can be tested by listing the files it contains but the best test is to restore a file from the archive e To see a listing of the archive contents From a terminal prompt type tar tzvf mnt backup host Monday tgz e To restore a file from the archive to a different directory enter tar xzvf mnt backup host Monday tgz C tmp etc hosts 297 Backups
174. d and is not described here A few other networking options exist e lxc network flags can only be set to up and ensures that the network interface is up e Ixc network hwaddr specifies a mac address to assign the the nic inside the container e Ixc network ipv4 and lxc network ipv6 set the respective IP addresses if those should be static e Ixc network name specifies a name to assign inside the container If this is not specified a good default i e ethO for the first nic is chosen e lxc network lxcscript up specifies a script to be called after the host side of the networking has been set up See the Ixc conf 5 manual page for details 5 4 3 Control group configuration Cgroup options can be specified using lxc cgroup entries Ixc cgroup subsystem item value instructs LXC to set cgroup subsystem s item to value It is perhaps simpler to realize that this will simply write value to the file item for the container s control group for subsystem subsystem For instance to set the memory limit to 320M you could add 354 Virtualization 1lxc cgroup memory limit_in_bytes 320000000 which will cause 320000000 to be written to the file sys s cgroup memory 1xc CN limit_in_bytes 5 4 4 Rootfs mounts and fstab An important part of container setup is the mounting of various filesystems into place The following is an example configuration file excerpt demonstrating the commonly used configuration options lx
175. d are easily intercepted So if you are here looking for a way to upload and download files securely see the section on OpenSSH in Chapter 6 Remote Administration p 79 instead FTP works on a client server model The server component is called an FTP daemon It continuously listens for FTP requests from remote clients When a request is received it manages the login and sets up the connection For the duration of the session it executes any of commands sent by the FTP client Access to an FTP server can be managed in two ways e Anonymous e Authenticated In the Anonymous mode remote clients can access the FTP server by using the default user account called anonymous or ftp and sending an email address as the password In the Authenticated mode a user must have an account and a password This latter choice is very insecure and should not be used except in special circumstances If you are looking to transfer files securely see SFTP in the section on OpenSSH Server User access to the FTP server directories and files is dependent on the permissions defined for the account used at login As a general rule the FTP daemon will hide the root directory of the FTP server and change it to the FTP Home directory This hides the rest of the file system from remote sessions 1 1 vsftpd FTP Server Installation vsftpd is an FTP daemon available in Ubuntu It is easy to install set up and maintain To install vsftpd you can run the
176. d check_nrpe_larg check_all_disks 172 18 100 101 182 Monitoring 2 Now on server02 edit etc nagios nrpe cfg changing allowed_hosts 172 18 100 100 And below in the command definition area add command check_all_disks usr lib nagios plugins check_disk w 20 c 10 e 3 Finally restart nagios nrpe server sudo etc init d nagios nrpe server restart 4 Also on serverO restart nagios sudo etc init d nagios3 restart You should now be able to see the host and service checks in the Nagios CGI files To access them point a browser to http server01 nagios3 You will then be prompted for the nagiosadmin username and password 2 4 References This section has just scratched the surface of Nagios features The nagios plugins extra and nagios snmp plugins contain many more service checks e For more information see Nagios website e Specifically the Online Documentation site e There is also a list of books related to Nagios and network monitoring e The Nagios Ubuntu Wiki page also has more details 1 http www nagios org 7 http nagios sourceforge net docs 3_0 3 http www nagios org propaganda books F https help ubuntu com community Nagios 183 Monitoring 3 Munin 3 1 Installation Before installing Munin on server0 apache2 will need to be installed The default configuration is fine for running a munin server For more information see Section 1 HTTPD Apache
177. d daemon to write to it For more information on AppArmor see Section 4 AppArmor p 167 146 Domain Name Service DNS 3 Troubleshooting This section covers ways to help determine the cause when problems happen with DNS and BIND9 3 1 Testing 3 1 1 resolv conf The first step in testing BIND9 is to add the nameserver s IP Address to a hosts resolver The Primary nameserver should be configured as well as another host to double check things Simply edit etc resolv conf and add the following nameserver 192 168 1 10 nameserver 192 168 1 11 ba You should also add the IP Address of the Secondary nameserver in case the Primary becomes unavailable 3 1 2 dig If you installed the dnsutils package you can test your setup using the DNS lookup utility dig e After installing BIND9 use dig against the loopback interface to make sure it is listening on port 53 From a terminal prompt dig x 127 0 0 1 You should see lines similar to the following in the command output 7 Query time 1 msec 7 SERVER 192 168 1 10 53 192 168 1 10 e If you have configured BIND9 as a Caching nameserver dig an outside domain to check the query time dig ubuntu com Note the query time toward the end of the command output 7 Query time 49 msec After a second dig there should be improvement 77 Query time 1 msec 147 Domain Name Service DNS 3 1 3 ping Now to demonstrate how appl
178. d on your computer may become available from the package repositories for example security updates To upgrade your system first update your package index as outlined above and then type sudo apt get upgrade For information on upgrading to a new Ubuntu release see Section 3 Upgrading p 9 Actions of the apt get command such as installation and removal of packages are logged in the var log dpkg log log file 23 Package Management For further information about the use of APT read the comprehensive Debian APT User Manual or type apt get help f http www debian org doc user manuals apt howto 24 Package Management 4 Aptitude Launching Aptitude with no command line options will give you a menu driven text based front end to the Advanced Packaging Tool APT system Many of the common package management functions such as installation removal and upgrade can be performed in Aptitude with single key commands which are typically lowercase letters Aptitude is best suited for use in a non graphical terminal environment to ensure proper functioning of the command keys You may start the menu driven interface of Aptitude as a normal user by typing the following command at a terminal prompt sudo aptitude When Aptitude starts you will see a menu bar at the top of the screen and two panes below the menu bar The top pane contains package categories such as New Packages and Not Installed Pack
179. d or restarted The server also reads a file containing mime document types the filename is set by the TypesConfig directive typically via etc apache2 mods available mime conf which might also include additions and overrides and is etc mime types by default 1 2 1 Basic Settings This section explains Apache2 server essential configuration parameters Refer to the Apache2 Documentation for more details e Apache2 ships with a virtual host friendly default configuration That is it is configured with a single default virtual host using the VirtualHost directive which can modified or used as is if you have a single site or used as a template for additional virtual hosts if you have multiple sites If left alone the default virtual host will serve as your default site or the site users will see if the URL they enter does not match the ServerName directive of any of your custom sites To modify the default virtual host edit the file etc apache2 sites available default fe The directives set for a virtual host only apply to that particular virtual host If a directive is set server wide and not defined within the virtual host settings the default setting is used For example you can define a Webmaster email address and not define individual email addresses for each virtual host If you wish to configure a new virtual host or site copy that file into the same directory with a name you choose For example 2 http htt
180. d there where the filter matters the most during boot Perform update initramfs u k all fy Every time either etc lvm conf or etc multipath conf is updated the initrd should be rebuilt to reflect these changes This is imperative when blacklists and filters are necessary to maintain a stable storage configuration 57 DM Multipath 3 Setting up DM Multipath Overview This section provides step by step example procedures for configuring DM Multipath It includes the following procedures e Basic DM Multipath setup e Ignoring local disks e Adding more devices to the configuration file 3 1 Setting Up DM Multipath Before setting up DM Multipath on your system ensure that your system has been updated and includes the multipath tools package If boot from SAN is desired then the multipath tools boot package is also required A basic etc multipath conf need not even exist when multpath is run without an accompanying etc multipath conf it draws from it s internal database to find a suitable configuration it also draws from it s internal blacklist If after running multipath ll without a config file no multipaths are discovered One must proceed to increase the verbosity to discover why a multipath was not created Consider referencing the SAN vendor s documentation the multipath example config files found in usr share doc mult ipath tools examples and the live multipathd database echo show config
181. d to install libraries on the client that will know how and when to contact it On Ubuntu this has been traditionally accomplishd by installing the libnss Idap package This package will bring in other tools that will assist you in the configuration step Install this package now sudo apt get install libnss ldap You will be prompted for details of your LDAP server If you make a mistake you can try again using sudo dpkg reconfigure ldap auth config The results of the dialog can be seen in etc 1dap conf If your server requires options not covered in the menu edit this file accordingly Now configure the LDAP profile for NSS sudo auth client config t nss p lac_ldap Configure the system to use LDAP for authentication sudo pam auth update From the menu choose LDAP and any other authentication mechanisms you need You should now be able to log in using LDAP based credentials 110 Network Authentication LDAP clients will need to refer to multiple servers if replication is in use In etc ldap conf you would have something like uri ldap ldap01l example com ldap ldap02 example com The request will time out and the Consumer ldap02 will attempt to be reached if the Provider ldap01 becomes unresponsive If you are going to use LDAP to store Samba users you will need to configure the Samba server to authenticate using LDAP See Section 2 Samba and LDAP p 117 for details ba An alternat
182. dactedusstebeubieielavssteteabadactedes 386 1 Reporting Bugs in Ubuntu Server Edition ceeeeeeseeeeeesnsseeeneseeesseeeeseeeeeneneeaees 387 List of Tables 2 1 Recommended Minimum Requirement 20 0 0 eeeeeeeeeeeeeeeeeeeeeeeeeeeeseeseeeeeseeeseseeeeeeeeeeeeeees 4 521 Priority Checker Conversion nicio Sasa hii Ga ee ane ee eed 52 5 2 DM Multip th Components isseire i ee Ae eee ie hee eke 53 5 3 Multipath Configuration Defaults 0 0 0 eee ee eeeeeeeeeeeeeeeeeeeeeseeeeeeeseseeeeeneeeeeeeeeeeeeeeeee 66 5 4 Multipath Attributes neirinnen reei are e LEENE Er TEENA EEE EET t 69 5 5 Device Att DUTES cusoon iiiaae i iara iii iiia iiaa ei aa E 71 5 6 Useful multipath Command Options eee eere ereere ee eeereseseseseseresesteeseseseseseseeeeesesesests 77 Tif eAccess Methods seis iene ie es eS Ba i A a E a a 269 20 1 UEC Front End Requirements eien eener otea e aie bidet ake 323 20 2 UBC Node Requirement 0 civsvsladt ene eto naan aly havea eee 323 20 3 Container commands isi2 cccfatas eecacencecdantde eehenee decd shegececdusnenetuncseesucneidectalegececdeeneuctaneseneans 352 vi Chapter 1 Introduction Welcome to the Ubuntu Server Guide Here you can find information on how to install and configure various server applications It is a step by step task oriented guide for configuring and customizing your system This guide assumes you have a basic understanding of your Ubuntu system Some installation detail
183. data corruption by default Ubuntu Server Edition will boot to initramfs after thirty seconds Once the initramfs has booted there is a fifteen second prompt giving you the option to go ahead and boot the system or attempt manual recover Booting to the initramfs prompt may or may not be the desired behavior especially if the machine is in a remote location Booting to a degraded array can be configured several ways e The dpkg reconfigure utility can be used to configure the default behavior and during the process you will be queried about additional settings related to the array Such as monitoring email alerts etc To reconfigure mdadm enter the following sudo dpkg reconfigure mdadm The dpkg reconfigure mdadm process will change the etc initramfs tools conf d mdadm configuration file The file has the advantage of being able to pre configure the system s behavior and can also be manually edited BOOT_DEGRADED t rue a The configuration file can be overridden by using a Kernel argument e Using a Kernel argument will allow the system to boot to a degraded array as well e When the server is booting press Shift to open the Grub menu e Press e to edit your kernel command options e Press the down arrow to highlight the kernel line e Add bootdegraded true without the quotes to the end of the line e Press Ctrl x to boot the system Once the system has booted you can either repair the array see Section 4 1 5 RAID Ma
184. dc dump kdc02 example com There should be a SUCCEEDED message if the propagation worked If there is an error message check var log syslog on the secondary KDC for more information You may also want to create a cron job to periodically update the database on the Secondary KDC For example the following will push the database every hour note the long line has been split to fit the format of this document mh dom mon dow command O0 usr sbin kdb5_util dump var lib krb5kdc dump amp amp usr sbin kprop r EXAMPLE COM f var lib krb5kdc dump kdc02 example com 11 Back on the Secondary KDC create a stash file to hold the Kerberos master key sudo kdb5_util stash 12 Finally start the krb5 kdc daemon on the Secondary KDC sudo etc init d krb5 kdc start The Secondary KDC should now be able to issue tickets for the Realm You can test this by stopping the krb5 kdc daemon on the Primary KDC then by using kinit to request a ticket If all goes well you should receive a ticket from the Secondary KDC Otherwise check var log syslog and var log auth log in the Secondary KDC 3 4 Kerberos Linux Client This section covers configuring a Linux system as a Kerberos client This will allow access to any kerberized services once a user has successfully logged into the system 3 4 1 Installation In order to authenticate to a Kerberos Realm the krb5 user and libpam krb5 packages are needed along wi
185. default copied from the former primary host drbd01 1 3 References For more information on DRBD see the DRBD web site The drbd conf man page contains details on the options not covered in this guide e Also see the drbdadm man page The DRBD Ubuntu Wiki page also has more information l http www drbd org 7 http manpages ubuntu com manpages precise en manS drbd conf 5 html 3 http manpages ubuntu com manpages precise en man8 drbdadm 8 html F https help ubuntu com community DRBD 364 Chapter 22 VPN OpenVPN is a Virtual Private Networking VPN solution provided in the Ubuntu Repositories It is flexible reliable and secure It belongs to the family of SSL TLS VPN stacks different from IPSec VPNs This chapter will cover installing and configuring OpenVPN to create a VPN 365 VPN 1 OpenVPN If you want more than just pre shared keys OpenVPN makes it easy to setup and use a Public Key Infrastructure PKI to use SSL TLS certificates for authentication and key exchange between the VPN server and clients OpenVPN can be used in a routed or bridged VPN mode and can be configured to use either UDP or TCP The port number can be configured as well but port 1194 is the official one And it is only using that single port for all communication VPN client implementations are available for almost anything including all Linux distributions OS X Windows and OpenWRT based WLAN routers 1 1 Server
186. deletegroup ldapmodifygroup ldapdeletemachine ldaprenamegroup ldapaddma chine ldapmodi fymachine ldapsetprimarygro up ldapdeleteuser 1 12 Backup and Restore Now we have ldap running just the way we want it is time to ensure we can save all of our work and restore it as needed What we need is a way to backup the ldap database s specifically the backend cn config and frontend dc example dc com If we are going to backup those databases into say export backup we could use slapcat as shown in the following script called usr local bin 1dapbackup bin bash 7 http manpages ubuntu com manpages en man ldapadduser html y http manpages ubuntu com manpages en man 1 ldapdeleteuserfromgroup 1 html http manpages ubuntu com manpages en man1 ldapfinger 1 html 2 http manpages ubuntu com manpages en man1 ldapid 1 html 10 http manpages ubuntu com manpages en man1 ldapgid 1 html 1 http manpages ubuntu com manpages en man 1 ldapmodifyuser 1 html 12 http manpages ubuntu com manpages en man1 ldaprenameuser 1 html 13 http manpages ubuntu com manpages en man I Isldap 1 html 14 http manpages ubuntu com manpages en man 1 ldapaddusertogroup 1 html 5 http manpages ubuntu com manpages en man ldapsetpasswd 1 html 16 http manpages ubuntu com manpages en man 1 ldapinit 1 htm Me http manpages ubuntu com manpages en man ldapaddgroup 1 html 18 http manpages ubunt
187. devices by product hardware_handler Specifies a module that will be used to perform hardware specific actions when switching path groups or handling I O errors Possible values include 71 DM Multipath Attribute Description e 1 emc hardware handler for EMC storage arrays e 1 alua hardware handler for SCSI 3 ALUA arrays e 1 hp_sw hardware handler for Compaq HP controllers e 1 rdac hardware handler for the LSI Engenio RDAC controllers In addition the following parameters may be overridden in this device section e path_grouping_policy e getuid_ callout e path_selector e path_ checker features e failback prio e prio args e no_path_retry e rr min_io e rr weight e fast_io_fail_tmo e dev_loss_tmo e flush_on_last_del a Whenever a hardware_handler is specified it is your responsibility to ensure that the appropriate kernel module is loaded to support the specified interface These modules can be found in lib modules uname r kernel drivers scsi device handler The requisite module should be integrated into the initrd to ensure the necessary discovery and failover failback capacity is available during boot time Example cat scsi_dh_alua gt gt etc initramfs tools modules update initramfs u k all The following example shows a device entry in the multipath configuration file devices device vendor COMPAQ product MSA1000 path_checker t
188. devices that have been blacklisted by default For example if you have a large number of devices and want to multipath only one of them with the WWID of 3600d0230000000000e13955cc3757803 instead of individually blacklisting each of the devices except the one you want you could instead blacklist all of them and then allow only the one you want by adding the following lines to the etc multipath conf file blacklist wwid gt 64 DM Multipath blacklist_exceptions wwid 3600d0230000000000e13955cc3757803 When specifying devices in the blacklist_exceptions section of the configuration file you must specify the exceptions in the same way they were specified in the blacklist For example a WWID exception will not apply to devices specified by a devnode blacklist entry even if the blacklisted device is associated with that WWID Similarly devnode exceptions apply only to devnode entries and device exceptions apply only to device entries 4 3 Configuration File Defaults The etc multipath conf configuration file includes a defaults section that sets the user_friendly_names parameter to yes as follows defaults user_friendly_names yes This overwrites the default value of the user_friendly_names parameter The configuration file includes a template of configuration defaults This section is commented out as follows defaults udev_dir dev polling_interval 5 selector round robin 0 path_groupi
189. duser username bacula bJ Replace username with the actual username Also if you are adding the current user to the group you should log out and back in for the new permissions to take effect 3 4 Localhost Backup This section describes how to backup specified directories on a single host to a local tape drive e First the Storage device needs to be configured Edit etc bacula bacula sd conf add Device Name Tape Drive Device Type tap 303 Backups Media Type DDS 4 Archive Device dev st0 Hardware end of medium No AutomaticMount yes when device opened read it AlwaysOpen Yes RemovableMedia yes RandomAccess no Alert Command sh c tapeinfo f c grep TapeAlert The example is for a DDS 4 tape drive Adjust the Media Type and Archive Device to match your hardware You could also uncomment one of the other examples in the file After editing etc bacula bacula sd conf the Storage daemon will need to be restarted sudo etc init d bacula sd restart Now add a Storage resource in etc bacula bacula dir conf to use the new Device Definition of Tape Drive storage device Storage Name TapeDrive Do not use localhost here Address backupserver N B Use a fully qualified name here SDPort 9103 Password Cv70F6pfl1lt 6pBopT4vQOnigDrROv3LT3Cgkiyjc Device Tape Drive Media Type tape The Address directive needs
190. dyngroup schema include etc ldap schema inetorgperson schema include etc ldap schema java schema include etc ldap schema misc schema include etc ldap schema nis schema include etc ldap schema openldap schema include etc ldap schema ppolicy schema include etc ldap schema ldapns schema include etc ldap schema pmi schema include etc ldap schema samba schema Have the directory 1dif_output hold output Determine the index of the schema slapcat f schema_convert conf F ldif_output n 0 grep samba cn schema dn cn 14 samba cn schema cn config Convert the schema to LDIF format slapcat f schema_convert conf F ldif_output n0 H ldap cn 14 samba cn schema cn config 1 cn samba 1ldif Edit the generated cn samba 1dif file by removing index information to arrive at dn cn samba cn schema cn config cn samba Remove the bottom lines structuralObjectClass olcSchemaConfig entryUUID b53b75ca 083f 102d 9fff 2f64fd123c95 creatorsName cn config createTimestamp 200808270452342Z entryCSN 20080827045234 341425Z2 000000 000 000000 modifiersName cn config modifyTimestamp 200808270452342Z Your attribute values will vary 118 Network Authentication 7 Add the new schema sudo ldapadd Q Y EXTERNAL H ldapi f cn samba ldif To query and view this new schema sudo ldapsearch Q LLL Y EXTERNAL H ldapi b cn schema cn config cn samba 2 2 2 Samba indices Now
191. e e Installed the build essential and pastebinit packages e Printed a similar message to the script above The Apache Edgers PPA in the above example contains the latest version of Apache from gt upstream source repositories Package versions in the PPA are unsupported and depending on your situation this may or may not be desirable See the Ubuntu Server Edgers web page for more details The runcmd commands are run at the same point in boot that the script would run in the previous example It is present to allow you to get the full power of a scripting language if you need it without abandoning cloud config For more information on what kinds of things can be done with cloud config see doc examples in the source 3 9 More Information How to use the Storage Controller Controlling eucalyptus services e sudo service eucalyptus startlstoplrestart on the CLC CC SC Walrus side e sudo service eucalyptus nc startlstoplrestart on the Node side Locations of some important files e Log files e var log eucalyptus e Configuration files e etc eucalyptus Database 19 i ttps launchpad net ubuntu server edgers 20 http bazaar launchpad net cloud init dev cloud init trunk files head doc examples al https help ubuntu com community UEC StorageController 331 Virtualization e var lib eucalyptus db e Keys e var lib eucalyptus e var lib eucalyptus ssh ft Don t forg
192. e However as root in a container cannot yet be reliably 343 Virtualization contained this is not worthwhile It is therefore recommended to not use 1xc setup and to provide the LXC administrators the needed sudo privilege The user namespace which is expected to be available in the next Long Term Support LTS release will allow containment of the container root user as well as reduce the amount of privilege required for creating and administering containers 5 2 9 LXC Upstart Jobs As listed above the lxc package includes two upstart jobs The first 1xc net is always started when the other 1xc is about to begin and stops when it stops If the USE_LXC_BRIDGE variable is set to false in etc defaults 1xc then it will immediately exit If it is true and an error occurs bringing up the LXC bridge then the 1xc job will not start 1xc net will bring down the LXC bridge when stopped unless a container is running which is using that bridge The 1xc job starts on runlevel 2 5 If the LXC_AUTO variable is set to true then it will look under etc 1xc for containers which should be started automatically When the 1xc job is stopped either manually or by entering runlevel 0 1 or 6 it will stop those containers To register a container to start automatically create a symbolic link etc default 1xc name conf pointing to the container s config file For instance the configuration file for a container CN is var lib
193. e Provider we will require the same on the Consumer In addition to this however we want to encrypt replication traffic What remains to be done is to 107 Network Authentication create a key and certificate for the Consumer and then configure accordingly We will generate the key certificate on the Provider to avoid having to create another CA certificate and then transfer the necessary material over to the Consumer 1 On the Provider Create a holding directory which will be used for the eventual transfer and then the Consumer s private key mkdir ldap02 ssl cd ldap02 ssl sudo certtool generate privkey bits 1024 outfile ldap02_slapd_key pem Create an info file 1dap02 info for the Consumer server adjusting it s values accordingly organization Example Company cn ldap02 example com tls_www_server encryption_key signing_key expiration_days 3650 Create the Consumer s certificate sudo certtool generate certificate load privkey ldap02_slapd_key pem load ca certificate etc ssl certs cacert pem load ca privkey etc ssl private cakey pem template ldap02 info outfile ldap02_slapd_cert pem Get a copy of the CA certificate cp etc ssl certs cacert pem We re done Now transfer the 1dap02 ss1 directory to the Consumer Here we use scp adjust accordingly cd scp r ldap02 ssl user consumer 2 On the Consumer Configure TLS authentication 10
194. e backed up and is responsible for the data requested by the Director e Bacula Storage the programs that perform the storage and recovery of data to the physical media e Bacula Catalog is responsible for maintaining the file indexes and volume databases for all files backed up enabling quick location and restoration of archived files The Catalog supports three different databases MySQL PostgreSQL and SQLite e Bacula Monitor allows the monitoring of the Director File daemons and Storage daemons Currently the Monitor is only available as a GTK GUI application These services and applications can be run on multiple servers and clients or they can be installed on one machine if backing up a single disk or volume 3 2 Installation ft If using MySQL or PostgreSQL as your database you should already have the services available Bacula will not install them for you There are multiple packages containing the different Bacula components To install Bacula from a terminal prompt enter sudo apt get install bacula By default installing the bacula package will use a MySQL database for the Catalog If you want to use SQLite or PostgreSQL for the Catalog install bacula director sqlite3 or bacula director pgsql respectively 302 Backups During the install process you will be asked to supply credentials for the database administrator and the bacula database owner The database administrator will need to have the appr
195. e console messages to be written to the specified file e Ixc arch specifies the architecture for the container for instance x86 or x86_64 e Ixc tty 5 specifies that 5 consoles in addition to dev console should be created That is consoles will be available on dev tty1 through dev tty5 The ubuntu templates set this value to 4 355 Virtualization e Ixc pts 1024 specifies that the container should have a private Unix98 devpts filesystem mount If this is not specified then the container will share dev pts with the host which is rarely desired The number 1024 means that 1024 ptys should be allowed in the container however this number is currently ignored Before starting the container init LXC will do essentially a sudo mount t devpts o newinstance devpts dev pts inside the container It is important to realize that the container should not mount devpts filesystems of its own It may safely do bind or move mounts of its mounted dev pts But if it does sudo mount t devpts devpts dev pts it will remount the host s devpts instance If it adds the newinstance mount option then it will mount a new private empty instance In neither case will it remount the instance which was set up by LXC For this reason and to prevent the container from using the host s ptys the default Apparmor policy will not allow containers to mount devpts filesystems after the container s init has been started e lxc devttydir specif
196. e contains command line utilities that you can use to change the AppArmor execution mode find the status of a profile create new profiles etc e apparmor_status is used to view the current status of AppArmor profiles sudo apparmor_status e aa complain places a profile into complain mode sudo aa complain path to bin ile i enforce e aa enforce places a profile into mode sudo aa enforce path to bin e The etc apparmor d directory is where the AppArmor profiles are located It can be used to manipulate the mode of all profiles Enter the following to place all profiles into complain mode sudo aa complain etc apparmor d To place all profiles in enforce mode sudo aa enforce etc apparmor d 167 Security e apparmor_parser is used to load a profile into the kernel It can also be used to reload a currently loaded profile using the r option To load a profile cat etc apparmor d profile name sudo apparmor_parser a To reload a profile cat etc apparmor d profile name sudo apparmor_parser r e etc init d apparmor can be used to reload all profiles sudo etc init d apparmor reload e The etc apparmor d disable directory can be used along with the apparmor_parser R option to disable a profile sudo ln s etc apparmor d profile name etc apparmor d disable sudo apparmor_parser R etc apparmor d profile name To re enable a disabled profile remove the symbolic link to the profile
197. e eh ea ane hod ath ae a eh edn 2 ah a 245 Ae Matlman riocchevevosdstercoestisetecesturdoctaseecasesdebcocsdtetecdsiaraosedetecaeesterenccteuetecd shardeetasaevaseatetees 247 S Mail Filtering s 2 c c 3 e3 c c pees uieia nei eee Bead Baie eae 253 16 Chat Applications ssis iiie a E E coesdsndecdtensvesdcenededauarseccase 260 TEE DAE WATEA AEE REEE EEE E TE A ESE EEEE TEA 261 2 ARC Serye einnar ne e a a n eer areata tna ae 262 3 Jabber Instant Messaging Server eee ee ceeeeeeeceeececeeeeececeeeceeececeeeceeeceeeseeeeeseeeeeees 264 172Version Control Systemae aroti eiia sw hE A ue ea R bai aa ae REE RR aus 266 iv Ubuntu Server Guide 18 19 20 21 22 23 A l Baz dates o vissccse severest essescude vivo cued ETER be TRAETERA Ea ERE dees eee nani a E evel ides 267 2 SUDVETSION 23 548 isis Mas aie EA E A A has Aaa ee 268 SCV SO SELVER reeset ae ek ede ia Awan aaa a ee ae 273 A RELETENCES 92 sesh cSscetcoschsevedscnteecocctsbecssdhetbdecchsspensenditdecchsteescdaettcoachstvedsentencocctsbeesed nettees 275 Windows Networking ss s ccess c cescsse be deen iisen oea eiee e a iakoe iiien irai eana 276 T Tr ducts on eeinetan eiin Ea ta Soca veda ce Sacha EN oe Sacha cls EE SATA E n Ea 277 2 Samba File Server srecetina orae oaea ah ieee r AE OaE aAa EEEE RE SE 278 3 Samba Print Server piration adi a cok e e eh a a tied ete a 281 4 Securing a Samba File and Print Server cece cece cecccececececececeeeeeeee
198. e from the DHCP server and the configuration is transparent to the computer s user The most common settings provided by a DHCP server to DHCP clients include e IP address and netmask e IP address of the default gateway to use e IP adresses of the DNS servers to use However a DHCP server can also supply configuration properties such as e Host Name Domain Name Time Server e Print Server The advantage of using DHCP is that changes to the network for example a change in the address of the DNS server need only be changed at the DHCP server and all network hosts will be reconfigured the next time their DHCP clients poll the DHCP server As an added advantage it is also easier to integrate new computers into the network as there is no need to check for the availability of an IP address Conflicts in IP address allocation are also reduced A DHCP server can provide configuration settings using the following methods Manual allocation MAC address This method entails using DHCP to identify the unique hardware address of each network card connected to the network and then continually supplying a constant configuration each time the DHCP client makes a request to the DHCP server using that network device This ensures that a particular address is assigned automatically to that network card based on it s MAC address Dynamic allocation address pool In this method the DHCP server will assign an IP address from a pool of
199. e or more IP addresses e For the Walrus Controller Registration e Define the shell variable WALRUS_IP_ADDR in etc eucalyptus eucalyptus ipaddr conf as a single IP address On the Cluster Controller e For Storage Controller Registration e Define the shell variable CC_NAME in etc eucalyptus eucalyptus cc conf e Define the shell variable SC_IP_ADDR in etc eucalyptus eucalyptus ipaddr conf as a space separated list of one or more IP addresses Publish Now start the publication services Walrus Controller sudo start eucalyptus walrus publication Cluster Controller 325 Virtualization sudo start eucalyptus cc publication e Storage Controller sudo start eucalyptus sc publication e Node Controller sudo start eucalyptus nc publication 5 Start the Listener On the Cloud Controller and the Cluster Controller s run sudo start uec component listener 6 Verify Registration cat var log eucalyptus registration 2010 04 08 15 46 36 05 00 24243 gt 2010 04 08 15 46 36 05 00 24243 gt 2010 04 08 15 48 47 05 00 25858 gt 2010 04 08 15 48 51 05 00 25858 gt 2010 04 08 15 49 04 05 00 26237 F 2010 04 08 15 49 08 05 00 26237 gt 2010 04 08 15 49 17 05 00 26644 gt 2010 04 08 15 49 18 05 00 26644 gt fe 3 6 Obtain Credentials log Calling node clusterl node 10 1 1 75 euca_conf Calling walrus Walrus 10 1 1 71 register
200. e to work 164 Security sudo iptables A FORWARD s 192 168 0 0 16 o ppp0 j ACCEPT sudo iptables A FORWARD d 192 168 0 0 16 m state state ESTABLISHED RELATED i ppp0 j ACCEPT The above commands will allow all connections from your local network to the Internet and all traffic related to those connections to return to the machine that initiated them e Ifyou want masquerading to be enabled on reboot which you probably do edit etc rc local and add any commands used above For example add the first command with no filtering iptables t nat A POSTROUTING s 192 168 0 0 16 o ppp0 j MASQUERADE 3 4 Logs Firewall logs are essential for recognizing attacks troubleshooting your firewall rules and noticing unusual activity on your network You must include logging rules in your firewall for them to be generated though and logging rules must come before any applicable terminating rule a rule with a target that decides the fate of the packet such as ACCEPT DROP or REJECT If you are using ufw you can turn on logging by entering the following in a terminal sudo ufw logging on To turn logging off in ufw simply replace on with off in the above command If using iptables instead of ufw enter sudo iptables A INPUT m state state NEW p tcp dport 80 j LOG log prefix NEW_HTTP_CONN A request on port 80 from the local machine then would generate a log in dmesg that looks like this single
201. eOS VMBuilder 321 Virtualization 3 UEC 3 1 Overview O UEC Ubuntu Enterprise Cloud is now depracated in favour of UC Ubuntu Cloud The Q former is based on Eucalyptus and the latter is based on Openstack This section of the guide yp p g will be removed in future iterations This tutorial covers UEC installation from the Ubuntu 12 04 LTS Server Edition CD and assumes a basic network topology with a single system serving as the all in one controller and one or more nodes attached From this Tutorial you will learn how to install configure register and perform several operations on a basic UEC setup that results in a cloud with a one controller front end and one or several node s for running Virtual Machine VM instances You will also use examples to help get you started using your own private compute cloud 3 2 Prerequisites To deploy a minimal cloud infrastructure you ll need at least two dedicated systems e A front end e One or more node s The following are recommendations rather than fixed requirements However our experience in developing this documentation indicated the following suggestions 3 2 1 Front End Requirements Use the following table for a system that will run one or more of e Cloud Controller CLC e Cluster Controller CC e Walrus the S3 like storage service e Storage Controller SC 322 Virtualization Table 20 1 UEC Front End Requireme
202. eatures execute the following to give users in the tomcat6 group the necessary rights 202 Web Servers sudo chgrp R tomcat6 etc tomcat 6 sudo chmod R gtw etc tomcat6 5 3 3 Tomcat examples webapps The tomcat6 examples package contains two webapps that can be used to test or demonstrate Servlets and JSP features which you can access them by default at http yourserver 8080 examples You can install them by entering the following command in the terminal prompt sudo apt get install tomcat6 examples 5 4 Using private instances Tomcat is heavily used in development and testing scenarios where using a single system wide instance doesn t meet the requirements of multiple users on a single system The Tomcat 6 0 packages in Ubuntu come with tools to help deploy your own user oriented instances allowing every user on a system to run without root rights separate private instances while still using the system installed libraries fy It is possible to run the system wide instance and the private instances in parallel as long as they do not use the same TCP ports 5 4 1 Installing private instance support You can install everything necessary to run private instances by entering the following command in the terminal prompt sudo apt get install tomcat6 user 5 4 2 Creating a private instance You can create a private instance directory by entering the following command in the terminal prompt tomc
203. eb http us archive ubuntu com ubuntu precise multiverse deb src http us archive ubuntu com ubuntu precise multiverse deb http us archive ubuntu com ubuntu precise updates multiverse deb src http us archive ubuntu com ubuntu precise updates multiverse deb http security ubuntu com ubuntu precise security universe deb src http security ubuntu com ubuntu precise security universe deb http security ubuntu com ubuntu precise security multiverse deb src http security ubuntu com ubuntu precise security multiverse 30 Package Management 7 References Most of the material covered in this chapter is available in man pages many of which are available online e The InstallingSoftware Ubuntu wiki page has more information e For more dpkg details see the dpkg man page e The APT HOWTO and apt get man page contain useful information regarding apt get usage e See the aptitude man page for more aptitude options e The Adding Repositories HOWTO Ubuntu Wiki page contains more details on adding repositories 2 https help ubuntu com community InstallingSoftware 4 http manpages ubuntu com manpages precise en man 1 dpkg 1 html 3 http www debian org doc manuals apt howto 6 http manpages ubuntu com manpages precise en man8 apt get 8 html i http manpages ubuntu com manpages precise man8 aptitude 8 html 8 https help ubuntu com community Repositories Ubuntu 31 Chapter
204. ecifies the type of discovery e p option indicates the target IP address bJ Change example 792 168 0 10 to the target IP address on your network If the target is available you should see output similar to the following 192 168 0 10 3260 1 iqn 1992 05 com emc s17b92030000520000 2 The iqn number and IP address above will vary depending on your hardware 228 File Servers You should now be able to connect to the iSCSI target and depending on your target setup you may have to enter user credentials Login to the iSCSI node sudo iscsiadm m node login Check to make sure that the new disk has been detected using dmesg dmesg grep sd 4 322384 sd 2 0 0 0 Attached scsi generic sgl type 0 4 322797 sd 2 0 0 0 sda 41943040 512 byte logical blocks 21 4 GB 20 0 GiB 4 322843 sd 2 0 0 0 sda Write Protect is off 4 322846 sd 2 0 0 0 sda Mode Sense 03 00 00 00 4 322896 sd 2 0 0 0 sda Cache data unavailable 4 322899 sd 2 0 0 0 sda Assuming drive cache write through 4 323230 sd 2 0 0 0 sda Cache data unavailable 4 323233 sd 2 0 0 0 sda Assuming drive cache write through 4 325312 sda sdal sda2 lt sda5 gt 4 325729 sd 2 0 0 0 sda Cache data unavailable 4 325732 sd 2 0 0 0 sda Assuming drive cache write through 4 325735 sd 2 0 0 0 sda Attached SCSI disk 2486 941805 sd 4 0 0 3 Attached scsi generic sg3 type 0 2486 952093 sd 4 0 0 3 sdb 1126400000 512 byte logica
205. ect Storage Administration Guide e Installing OpenStack Object Storage on Ubuntu http cloudglossary com 4 10 Glossary The Ubuntu Cloud documentation uses terminology that might be unfamiliar to some readers This page is intended to provide a glossary of such terms and acronyms e Cloud A federated set of physical machines that offer computing resources through virtual machines provisioned and recollected dynamically e laaS Infrastructure as a Service Cloud infrastructure services whereby a virtualized environment is delivered as a service over the Internet by the provider The infrastructure can include servers network equipment and software 28 http swift openstack org development_saio html 23 https launchpad net openstack 3 http wiki openstack org al https bugs launchpad net nova 32 http en wikipedia org wiki Cloud_computing Service_Models 33 docs openstack org trunk openstack compute ot http docs openstack org diablo openstack compute starter content GlanceMS d2s21 html http docs openstack org trunk openstack object storage admin content installing openstack object storage on ubuntu html 338 Virtualization EBS Elastic Block Storage EC2 Elastic Compute Cloud Amazon s pay by the hour pay by the gigabyte public cloud computing offering Node A node is a physical machine that s capable of running virtual machines running a node controller Within Ubuntu this
206. ectives in the CUPS server configuration file view the associated system manual page by entering the following command at a terminal prompt man cupsd conf fy Whenever you make changes to the etc cups cupsd conf configuration file you ll need to restart the CUPS server by typing the following command at a terminal prompt sudo etc init d cups restart 232 File Servers 4 3 Web Interface CUPS can be configured and monitored using a web interface which by default is available at http Nocalhost 63 1 admin The web interface can be used to perform all printer management tasks In order to perform administrative tasks via the web interface you must either have the root account enabled on your server or authenticate as a user in the Jpadmin group For security reasons CUPS won t authenticate a user that doesn t have a password To add a user to the Jpadmin group run at the terminal prompt sudo usermod aG lpadmin username Further documentation is available in the Documentation Help tab of the web interface 4 4 References CUPS Website Debian Open iSCSI page T http www cups org 8 http wiki debian org SAN iSCSI open iscsi 233 Chapter 15 Email Services The process of getting an email from one person to another over a network or the Internet involves many systems working together Each of these systems must be correctly configured for the process to work The sender uses a Mail User Agent
207. ecurity mode must not be set to security share Now that Samba has been configured to limit which groups have access to the shared directory the filesystem permissions need to be updated Traditional Linux file permissions do not map well to Windows NT Access Control Lists ACLs Fortunately POSIX ACLs are available on Ubuntu servers providing more fine grained control For example to enable ACLs on srv an EXT3 filesystem edit etc fstab adding the acl option UUID 66bcdd2e 8861 4fb0 b7e4 e61c569fe17d srv ext3 noatime relatime acl 0 1 Then remount the partition sudo mount v o remount srv fy The above example assumes srv on a separate partition If srv or wherever you have configured your share path is part of the partition a reboot may be required To match the Samba configuration above the sysadmin group will be given read write and execute permissions to srv samba share the ga group will be given read and execute permissions and the files will be owned by the username melissa Enter the following in a terminal sudo chown R melissa srv samba share sudo chgrp R sysadmin srv samba share sudo setfacl R m g qa rx srv samba share a The setfacl command above gives execute permissions to all files in the srv samba share directory which you may or may not want 285 Windows Networking Now from a Windows client you should notice the new file permissions are implemented See the acl and
208. ed capabilities sudo lshw class network network description Ethernet interfac product BCM4401 B0 100Base TX vendor Broadcom Corporation physical id 0 bus info pci 0000 03 00 0 logical name eth0O version 02 serial 00 15 c5 4a 16 5a size 10MB s capacity 100MB s width 32 bits clock 33MHz capabilities snipped for brevity configuration snipped for brevity resources irg 17 memory ef9fe000 ef9fffff 1 1 2 Ethernet Interface Logical Names Interface logical names are configured in the file etc udev rules d 70 persistent net rules If you would like control which interface receives a particular logical name find the line matching the interfaces physical MAC address and modify the value of NAME ethxX to the desired logical name Reboot the system to commit your changes 33 Networking 1 1 3 Ethernet Interface Settings ethtool is a program that displays and changes Ethernet card settings such as auto negotiation port speed duplex mode and Wake on LAN It is not installed by default but is available for installation in the repositories sudo apt get install ethtool The following is an example of how to view supported features and configured settings of an Ethernet interface sudo ethtool eth0 Settings for eth0 Supported ports TP Supported link modes 10baseT Half 10baseT Full 100baseT Half 100baseT Full 1000baseT Half 1000baseT Full Supports auto negotiati
209. ed format O Reilly s Using Samba is another good reference e Also see the CUPS Website for more information on configuring CUPS e The Ubuntu Wiki Samba page 9 http www amazon com exec obidos tg detail 013 1882228 10 ittp Avww oreilly com catalog 9780596007690 ul http www cups org 12 https help ubuntu com community Samba 282 Windows Networking 4 Securing a Samba File and Print Server 4 1 Samba Security Modes There are two security levels available to the Common Internet Filesystem CIFS network protocol user level and share level Samba s security mode implementation allows more flexibility providing four ways of implementing user level security and one way to implement share level e security user requires clients to supply a username and password to connect to shares Samba user accounts are separate from system accounts but the libpam smbpass package will sync system users and passwords with the Samba user database e security domain this mode allows the Samba server to appear to Windows clients as a Primary Domain Controller PDC Backup Domain Controller BDC or a Domain Member Server DMS See Section 5 Samba as a Domain Controller p 288 for further information e security ADS allows the Samba server to join an Active Directory domain as a native member See Section 6 Samba Active Directory Integration p 292 for details e security server this
210. ed post fix postfix script added postfix sasl added ppp ip down d added ppp ip down d postfix added ppp ip up d postfix added rc0 d K20post fix added rcl d K20post fix added rc2 d S20post fix added rc3 d S20postfix added rc4 d S20post fix added rc5 d S20post fix added rc6 d K20post fix added resolvconf update libc d added resolvconf update libc d postfix added rsyslog d postfix conf added ufw applications d postfix Committed revision 2 For an example of how etckeeper tracks manual changes add new a host to etc hosts Using bzr you can see which files have been modified sudo bzr status etc modified hosts Now commit the changes sudo etckeeper commit new host For more information on bzr see Section 1 Bazaar p 267 382 Other Useful Applications 3 Byobu One of the most useful applications for any system administrator is screen It allows the execution of multiple shells in one terminal To make some of the advanced screen features more user friendly and provide some useful information about the system the byobu package was created When executing byobu pressing the F9 key will bring up the Configuration menu This menu will allow you to e View the Help menu e Change Byobu s background color e Change Byobu s foreground color e Toggle status notifications e Change the key binding set e Change the escape sequence e Create new windows e Manage the default windows
211. ed previously 156 Security sudo chage 1 username The output below shows the new policies that have been established for the account Last password change Jan 20 2008 Password expires Apr 19 2008 Password inactive May 19 2008 Account expires Jan 31 2008 Minimum number of days between password change st Maximum number of days between password change 90 Number of days of warning before password expires 14 1 5 Other Security Considerations Many applications use alternate authentication mechanisms that can be easily overlooked by even experienced system administrators Therefore it is important to understand and control how users authenticate and gain access to services and applications on your server 1 5 1 SSH Access by Disabled Users Simply disabling locking a user account will not prevent a user from logging into your server remotely if they have previously set up RSA public key authentication They will still be able to gain shell access to the server without the need for any password Remember to check the users home directory for files that will allow for this type of authenticated SSH access e g home username ssh authorized_keys Remove or rename the directory ssh in the user s home folder to prevent further SSH authentication capabilities Be sure to check for any established SSH connections by the disabled user as it is possible they may have existing inbound or outbound connect
212. ee ee 32 1s Network Configuration erennere oirin eie EEE dee besten etna eben RE EE tebe renege teed 33 De TRIP veces e ccecs netarctets a 2 cot ots e ana dete acdecresaceaetevs taearctonscargh ana ddcecaceteceestdearets 42 3 Dynamic Host Configuration Protocol DHCP 0000 0 cece ceeeceeececeaeeaeeeeeeceeeeeaeaaeeeeeneeeees 46 4 Time Synchronisation with NTP oo cceeeeecececececececececececeeeeeeececeeeaeeeaeaeeeaeeeaeeeaeaeaeas 49 5 DM Mu ltipath isc ssoscis ve eiennenn eden A te ee ha nde ee eee 51 1 Device Mapper Multipathin t ssar sinsin ania ete ew R RE ees es 52 2 Multipath DEVICES rar scsesces te dein EE ER EAE E EEE sb E EEEE E EE R E eee 55 3 Setting up DM Multipath Overview 20 0 0 ccc cceecececececeaaeeeeeeceeeeeaeuauaeeeeeececeaeaaneeeneeeees 58 4 The DM Multipath Configuration File 00 0 ee eeeeeeeeeeeeeeeeeneeeeeeeeeeeseneeeseeeeeeeeeeeneneees 62 5 DM Multipath Administration and Troubleshooting 20 0 0 eseeeseeeeeeeeeneeeneneneneneneneeees 74 6 Remote Administration ia oe eE case E EE E ee i E A E R ANE ETEA 79 l OpenSSH Serye ar E a EEE ER debe peed ace E ET EE EES ERS OEKD due seuae seuss 80 2 P ppet etare e a a e eee anv E E ied aoe E a dees 83 Se LOntyal EE E T EE E EES 86 7 Network Authentication 0 ccccccccccceseeseeeececececeaeeaesencecececeaaaaeseneeeeeeceaaaauseneneeeeeeaeaauaaneeeeees 90 1 OpenLDAP Servei neran reia T ETE E VREE E R E IEE E tana wx 91 2 Samba and EDAP arree ateetara aea a
213. eeeeeeeeeeeenees 283 5 Samba asa Domain Controller oreesa iii E Ree Aa KE AE E aN aE 288 6 Samba Active Directory Integration esesesessseseerrtrrrtrerrrerererererrrererrrrrererererererereeeeees 292 Backups ie aaan ie Aina an eee ae een aaa ee 294 Te Shelli Scripts ots occexeccvs tists sears vetoes tbseh ave e anise Lets eee a aaa e a e Ea eaa eaei 295 2 cArchive Rofan rerit Case annie Abed anien an a a Ghani Aerie ts 299 3 Baculae stars si xodti EA E T A E chats 302 M Ut Al ZAtLOM r wh ened E nt sachet scale cada ah Sean saad Ws oa ES gael sede EEAS 307 Ve LONA E n SE E E E A E ESE E E ei Sdeaesi EE E E T E ateesseeddetsnts Messtedcaces 308 2 JeOS and Vimburl der aneirin e E EE AEE ERE EER AA E AR E E 313 3 MOB OEE T T T 322 4 Ubuntu Cloude E Ea E E R E EE E RTE AEE 333 ST C O E E E E 340 Cl sterin g oeri e reent ei eE EEN EAREN E E EEEN rs fused EEEE EE SEEEN EATE T EEEE EiS 361 T DRB Dive sr are a E E IE E EAEE EAR EA EE E E E E E E AN 362 M PWN R E ca E EEEE E S EEE E EE E EE S ET 365 LeOpe nV PIN Ae ian eaa e aige aaa a ea a a e a A ea a a aie aa a aN E eA 366 Other Useful Applications oaren eo S beet E EE E E ATE ETE EEES 378 l pa MOtd sissioni riin iode S Er o ar SESE o er TEADS io Darsdan as 379 2yetekeepeT aain a aa a a E a E RA 381 3 Byobu ee e neee e e e a aA O EaI ed cua E E EA aeea ENER 383 A Referenc eSenior a e a aa as 385 PAAPPENGIX 3 ss teecstovsasutaseevossatopussegtetagsstedeabadarecuuteteepesisaterausctoabuba
214. efore will not be automatically updated To blacklist a package add it to the list Unattended Upgrade Package Blacklist vim libc6 Li libc6 dev libc6 i686 bJ The double serve as comments so whatever follows will not be evaluated To enable automatic updates edit etc apt apt conf d 10periodic and set the appropriate apt configuration options APT Periodic Update Package Lists 1 APT Periodic Download Upgradeable Packages 1 APT Periodic AutocleanInterval 7 APT Periodic Unattended Upgrade 1 The above configuration updates the package list downloads and installs available upgrades every day The local download archive is cleaned every week fy You can read more about apt Periodic configuration options in the etc cron daily apt script header The results of unattended upgrades will be logged to var log unattended upgrades 27 Package Management 5 1 Notifications Configuring Unattended Upgrade Mail in etc apt apt conf d 50unattended upgrades will enable unattended upgrades to email an administrator detailing any packages that need upgrading or have problems Another useful package is apticron apticron will configure a cron job to email an administrator information about any packages on the system that have updates available as well as a summary of changes in each package To install the apticron package in a terminal enter
215. emplate If no template is specified then only help for lxc create itself will be shown 5 3 1 2 Ubuntu template The ubuntu template can be used to create Ubuntu system containers with any release at least as new as 10 04 LTS It uses debootstrap to create a cached container filesystem which gets copied into place each time a container is created The cached image is saved and only re generated when you create a container using the F flush option to the template i e sudo lxc create t ubuntu n CN F The Ubuntu release installed by the template will be the same as that on the host unless otherwise specified with the r option i e sudo lxc create t ubuntu n CN r lucid If you want to create a 32 bit container on a 64 bit host pass a i386 to the container If you have the qemu user static package installed then you can create a container using any architecture supported by qemu user static The container will have a user named ubuntu whose password is ubuntu and who is a member of the sudo group If you wish to inject a public ssh key for the ubuntu user you can do so with S sshkey pub You can also bind user jdoe from the host into the container using the b jdoe option This will copy jdoe s password and shadow entries into the container make sure his default group and shell are 345 Virtualization available add him to the sudo group and bind mount his home directory into the container when the
216. ename option e Specific configuration variables can be overridden at Ixc start using s key value It is generally better to edit the container configuration file 5 4 2 Network Configuration Container networking in LXC is very flexible It is triggered by the Ixc network type configuration file entries If no such entries exist then the container will share the host s networking stack Services and connections started in the container will be using the host s IP address If at least one Ixc network type entry is present then the container will have a private layer 2 network stack It will have its own network interfaces and firewall rules There are several options for Ixc network type e Ixc network type empty The container will have no network interfaces other than loopback e Ixc network type veth This is the default when using the ubuntu or ubuntu cloud templates and creates a veth network tunnel One end of this tunnel becomes the network interface inside the container The other end is attached to a bridged on the host Any number of such tunnels can be created by adding more lxc network type veth entries in the container configuration file The bridge to which the host end of the tunnel will be attached is specified with Ixc network link Ixcbr0 e Ixc network type phys A physical network interface i e eth2 is passed into the container Two other options are to use vlan or macvlan however their use is more complicate
217. er s password sudo ldapsetpasswd george Changing password for user uid george ou People dc example dc com New Password New Password verify e Delete a user sudo ldapdeleteuser george e Add a group sudo ldapaddgroup qa e Delete a group sudo ldapdeletegroup qa e Add a user to a group sudo ldapaddusertogroup george qa You should now see a memberUid attribute for the ga group with a value of george e Remove a user from a group sudo ldapdeleteuserfromgroup george qa The memberUid attribute should now be removed from the ga group e The ldapmodifyuser script allows you to add remove or replace a user s attributes The script uses the same syntax as the ldapmodify utility For example sudo ldapmodifyuser george About to modify the following entry dn uid george ou People dc example dc com objectClass account objectClass posixAccount cn george uid george uidNumber 1001 gidNumber 1001 homeDirectory home george 112 Network Authentication loginShell bin bash gecos george description User account userPassword elNTSEF9eXFsTFcyWlhwWkF leGUybVdFWHZKRZIVMjJETSG9IVCHk Enter your modifications here end with CTRL D dn uid george ou People dc example dc com replace gecos gecos George Carlin The user s gecos should now be George Carlin e A nice feature of ldapscripts is the template system Templates allow you to customize the attrib
218. er to be added Default Ubuntu e pass PASSWORD Sets the password for the user Default ubuntu Our resulting command line becomes sudo vmbuilder kvm ubuntu suite precise flavour virtual arch i386 o libvirt qemu system ip 192 168 0 100 hostname myvm part vmbuilder partition user user name user pass default 2 3 3 Installing Required Packages In this example we will be installing a package Limesurvey that accesses a MySQL database and has a web interface We will therefore require our OS to provide us with e Apache e PHP e MySQL OpenSSH Server e Limesurvey as an example application that we have packaged This is done using vmbuilder by specifying the addpkg option multiple times 317 Virtualization addpkg PKG Install PKG into the guest can be specfied multiple times However due to the way vmbuilder operates packages that have to ask questions to the user during the post install phase are not supported and should instead be installed while interactivity can occur This is the case of Limesurvey which we will have to install later once the user logs in Other packages that ask simple debconf question such as mysql server asking to set a password the package can be installed immediately but we will have to reconfigure it the first time the user logs in If some packages that we need to install are not in main we need to enable the additional repositories usin
219. erberos users with uid gt 5000 Kerberos should only be applied to ldap kerberos users not local ones for i in common auth common session common account common password do sudo sed i r e s pam_krb5 so minimum_uid 1000 pam_krb5 so minimum_uid 5000 etc pam d i done This will avoid being asked for the non existent Kerberos password of a locally authenticated user when changing its password using passwd You can test the configuration by requesting a ticket using the kinit utility For example kinit steve EXAMPLE COM Password for steve EXAMPLE COM When a ticket has been granted the details can be viewed using klist 130 Network Authentication klist Ticket cache FILE tmp krb5cc_1000 Default principal steve EXAMPLE COM Valid starting Expires Service principal 07 24 08 05 18 56 07 24 08 15 18 56 krbtgt EXAMPLE COM EXAMPLE COM renew until 07 25 08 05 18 57 Kerberos 4 ticket cache tmp tkt1000 klist You have no tickets cached Next use the auth client config to configure the libpam krb5 module to request a ticket during login sudo auth client config a p kerberos_example You will should now receive a ticket upon successful login authentication 3 5 Resources For more information on MIT s version of Kerberos see the MIT Kerberos site e The Ubuntu Wiki Kerberos page has more details e O Reilly s Kerberos The Definitive Guide is a great reference when setting up Kerbe
220. ers at that level Ssa_kill_level_deflt 21 0 triggers spam evasive actions Ssa_dsn_cutoff_level 4 spam level beyond which a DSN is not sent If the server s hostname is different from the domain s MX record you may need to manually set the myhostname option Also if the server receives mail for multiple domains the local_domains_acl option will need to be customized Edit the etc amavis conf d 50 user file Smyhostname mail example com local_domains_acl example com example org If you want to cover multiple domains you can use the following in the etc amavis conf d 50 user local_domains_acl qw After configuration Amavisd new needs to be restarted 255 Email Services sudo etc init d amavis restart 5 2 3 1 DKIM Whitelist Amavisd new can be configured to automatically Whitelist addresses from domains with valid Domain Keys There are some pre configured domains in the etc amavis conf d 40 policy_banks There are multiple ways to configure the Whitelist for a domain e example com gt WHITELIST will whitelist any address from the example com domain e example com gt WHITELIST will whitelist any address from any subdomains of example com that have a valid signature e example com example com gt WHITELIST will whitelist subdomains of example com that use the signature of example com the parent domain e example com gt WHITELIST adds
221. es SEMI k mykey t ml small user data file ud txt Wait now for the system to come up and console to be available To see the result of the data file commands enter euca get console output SEMI grep after context 1 Hello Hello World Mon Mar 29 18 05 05 UTC 2010 I have been up for 28 26 sec fq Your output may vary The simple approach shown above gives a great deal of power The user data can contain a script in any language where an interpreter already exists in the image bin sh usr bin python usr bin perl usr bin awk For many cases the user may not be interested in writing a program For this case cloud init provides cloud config a configuration based approach towards customization To utilize the cloud config syntax the supplied user data must start with a cloud config For example create a text file named cloud config txt containing cloud config apt_upgrade true apt_sources source ppa ubuntu server edgers server edgers apache packages build essential pastebinit 330 Virtualization runcmd echo Hello World echo I have been up for cut d f 1 lt proc uptime sec Create a new instance euca run instances EMI k mykey t ml small user data file cloud config txt Now when the above system is booted it will have e Added the Apache Edgers PPA e Run an upgrade to get all updates availabl
222. eshooting configuration problems with multiple VirtualHosts sudo a2dissite mynewsite sudo service apache2 restart 1 2 2 Default Settings This section explains configuration of the Apache2 server default settings For example if you add a virtual host the settings you configure for the virtual host take precedence for that virtual host For a directive not defined within the virtual host settings the default value is used e The DirectoryIndex is the default page served by the server when a user requests an index of a directory by specifying a forward slash at the end of the directory name For example when a user requests the page http www example com this_directory he or she will get either the DirectoryIndex page if it exists a server generated directory list if it does not and the Indexes option is specified or a Permission Denied page if neither is true The server will try to find one of the files listed in the DirectoryIndex directive and will return the first one it finds If it does not find any of these files and if Options Indexes is set for that directory the server will generate and return a list in HTML format of the subdirectories and files in the directory The default value found in etc apache2 mods available dir conf is index html index cgi index pl index php index xhtml index htm Thus if Apache2 finds a file in a requested directory matching any of these names the first will be displayed
223. estart 2 3 2 Reverse Zone File Now that the zone is setup and resolving names to IP Adresses a Reverse zone is also required A Reverse zone allows DNS to resolve an address to a name Edit etc bind named conf local and add the following zone 1 168 192 in addr arpa type master file etc bind db 192 he fy Replace 7 168 192 with the first three octets of whatever network you are using Also name the zone file etc bind db 192 appropriately It should match the first octet of your network Now create the etc bind db 192 file sudo cp etc bind db 127 etc bind db 192 Next edit etc bind db 192 changing the basically the same options as etc bind db example com BIND reverse data file for local 192 168 1 XXX net STTL 604800 IN SOA ns example com root example com 2 Serial 604800 Refresh 86400 Retry 2419200 Expire 604800 Negative Cache TTL 143 Domain Name Service DNS IN NS ns 10 IN PTR ns example com The Serial Number in the Reverse zone needs to be incremented on each change as well For each A record you configure in etc bind db example com that is for a different address you need to create a PTR record in etc bind db 192 After creating the reverse zone file restart BIND9 sudo service bind9 restart 2 4 Secondary Master Once a Primary Master has been configured a Secondary Master is needed in order to maintain the availability of the domain should
224. et server is to restart the daemon sudo etc init d puppetmaster restart Now everything is configured on the Puppet server it is time to configure the client First configure the Puppetagent daemon to start Edit etc default puppet changing START to yes START yes Then start the service sudo etc init d puppet start Back on the Puppet server sign the client certificate by entering sudo puppetca sign meercat02 example com Check var log syslog for any errors with the configuration If all goes well the apache2 package and it s dependencies will be installed on the Puppet client fy This example is very simple and does not highlight many of Puppet s features and benefits For more information see Section 2 3 Resources p 84 2 3 Resources e See the Official Puppet Documentation web site 4 http docs puppetlabs com 84 Remote Administration e Also see Pro Puppet e Another source of additional information is the Ubuntu Wiki Puppet Page gt http www apress com 978 1430230571 6 https help ubuntu com community Puppet 85 Remote Administration 3 Zentyal Zentyal is a Linux small business server that can be configured as a Gateway Infrastructure Manager Unified Threat Manager Office Server Unified Communication Server or a combination of them All network services managed by Zentyal are tightly integrated automating most tasks This helps to avoid errors in
225. et to source your euca eucarc before running the client tools 3 10 References e For information on loading instances see the Eucalyptus Wiki page e Eucalyptus Project Site forums documentation downloads e Eucalyptus on Launchpad bugs code Eucalyptus Troubleshooting 1 5 Register your cloud with RightScale e You can also find help in the ubuntu virt eucalyptus and ubuntu server IRC channels on Freenode Aa https help ubuntu com community Eucalyptus 23 http open eucalyptus com 24 https launchpad net eucalyptus ce http open eucalyptus com wiki EucalyptusTroubleshooting_v1 5 26 http support rightscale com 2 _References 02 Cloud_Infrastructures Eucalyptus 03 Administration_Guide Register_with_RightScale 2 http freenode net 332 Virtualization 4 Ubuntu Cloud Cloud computing is a computing model that allows vast pools of resources to be allocated on demand These resources such as storage computing power network and software are abstracted and delivered as a service over the Internet anywhere anytime These services are billed per time consumed similar to the ones used by public services such as electricity water and telephony Ubuntu Cloud Infrastructure uses OpenStack open source software to help build highly scalable cloud computing for both public and private clouds 4 1 Overview This tutorial covers the OpenStack installation from the Ubuntu 12 04
226. etc openvpn easy rsa 366 VPN Next edit etc openvpn easy rsa vars adjusting the following to your environment export KEY_COUNTRY US export KEY_PROVINCE NC export KEY_CITY Winston Salem export KEY_ORG Example Company export KEY_EMATIL steve example com Enter the following to generate the master Certificate Authority CA certificate and key cd etc openvpn easy rsa source vars clean all build ca 1 2 2 Server Certificates Next we will generate a certificate and private key for the server build key server myservername As in the previous step most parameters can be defaulted Two other queries require positive responses Sign the certificate y n and 1 out of 1 certificate requests certified commit y n Diffie Hellman parameters must be generated for the OpenVPN server build dh All certificates and keys have been generated in the subdirectory keys Common practice is to copy them to etc openvpn cd keys cp myservername crt myservername key ca crt dh1024 pem etc openvpn 1 2 3 Client Certificates The VPN client will also need a certificate to authenticate itself to the server Usually you create a different certificate for each client To create the certificate enter the following in a terminal while being user root cd etc openvpn easy rsa source vars build key client1 Copy the following files to the client using a secure method 367 VPN
227. ey by dn cn admin dc example dc com write by anonymous auth by self write by none add olcAccess olcAccess to dn base by read add olcAccess olcAccess to by dn cn admin dc example dc com write by read modifying entry olcDatabase 1 hdb cn config That s it your LDAP directory is now ready to serve as a Kerberos principal database 4 2 Primary KDC Configuration With OpenLDAP configured it is time to configure the KDC e First install the necessary packages from a terminal enter sudo apt get install krb5 kdc krb5 admin server krb5 kdc ldap e Now edit etc krb5 conf adding the following options to under the appropriate sections libdefaults default_realm EXAMPLE COM realms EXAMPLE COM kdc kdc admin_server kdc01 example com kdc01 example com kdc02 example com admin_server kdc02 example com default_domain example com database_module openldap_ldapconf domain_realm example com EXAMPLE COM 134 Network Authentication dbdefaults ldap_kerberos_container_dn dc example dc com dbmodules openldap_ldapconf db_library kldap ldap_kdc_dn cn admin dc example dc com this object needs to have read rights on the realm container principal container and realm sub trees ldap_kadmind_dn cn admin dc example dc com this object needs to have read and write rights on the realm container principal container and realm su
228. f the 174 Security server where the certificate will be installed For example mail example com crt is a nice descriptive name Subsequent certificates will be named 02 pem 03 pen etc ba Replace mail example com crt with your own descriptive name 8 Finally copy the new certificate to the host that needs it and configure the appropriate applications to use it The default location to install certificates is etc ssl certs This enables multiple services to use the same certificate without overly complicated file permissions For applications that can be configured to use a CA certificate you should also copy the etc ssl certs cacert pen file to the etc ssl certs directory on each server 5 6 References e For more detailed instructions on using cryptography see the SSL Certificates HOWTO by tlpd org e The Wikipedia HTTPS page has more information regarding HTTPS e For more information on OpenSSL see the OpenSSL Home Page e Also O Reilly s Network Security with OpenSSL is a good in depth reference 12 http tldp org HOWTO SSL Certificates HOWTO index html 13 http en wikipedia org wiki Https Id http www openssl org 15 http oreilly com catalog 9780596002701 175 Security 6 eCryptfs eCryptfs is a POSIX compliant enterprise class stacked cryptographic filesystem for Linux Layering on top of the filesystem layer eCryptfs protects files no matter the underlying filesystem
229. ffic between two network segments Another scenario is using bridge on a system with one interface to allow virtual machines direct access to the outside network The following example covers the latter scenario Before configuring a bridge you will need to install the bridge utils package To install the package in a terminal enter sudo apt get install bridge utils Next configure the bridge by editing etc network interfaces auto lo iface lo inet loopback auto bro iface brO inet static address 192 168 0 10 network 192 168 0 0 netmask 255 255 255 0 broadcast 192 168 0 255 gateway 192 168 0 1 bridge_ports eth0 bridge_fd 9 bridge_hello 2 bridge_maxage 12 bridge_stp off fy Enter the appropriate values for your physical interface and network Now restart networking to enable the bridge interface sudo etc init d networking restart The new bridge interface should now be up and running The brctl provides useful information about the state of the bridge controls which interfaces are part of the bridge etc See man bretl for more information 1 5 Resources e The Ubuntu Wiki Network page has links to articles covering more advanced network configuration e The resolvconf man page has more information on resolvconf i https help ubuntu com community Network 2 http manpages ubuntu com manpages man8 resolvconf 8 html 40 Networking e The interfaces man page has details on more optio
230. figured Both programs are easy to install and configure and will be automatically started at system boot 3 1 Installation At a terminal prompt enter the following command to install dhcpd sudo apt get install isc dhcp server You will probably need to change the default configuration by editing etc dhcp dhcpd conf to suit your needs and particular configuration You also may need to edit etc default isc dhcp server to specify the interfaces dhcpd should listen to NOTE dhcpd s messages are being sent to syslog Look there for diagnostics messages 3 2 Configuration The error message the installation ends with might be a little confusing but the following steps will help you configure the service Most commonly what you want to do is assign an IP address randomly This can be done with settings as follows minimal sample etc dhcp dhcpd conf default lease time 600 max lease time 7200 subnet 192 168 1 0 netmask 255 255 255 0 range 192 168 1 150 192 168 1 200 option routers 192 168 1 254 option domain name servers 192 168 1 1 192 168 1 2 option domain name mydomain example This will result in the DHCP server giving clients an IP address from the range 192 168 1 150 192 168 1 200 It will lease an IP address for 600 seconds if the client doesn t ask for a specific time frame Otherwise the maximum allowed lease will be 7200 seconds The server will also advise the client to use 192
231. file The following examples illustrate some of the directives which may be modified to affect the behavior of the Squid server For more in depth configuration of Squid see the References section Prior to editing the configuration file you should make a copy of the original file and protect it from writing so you will have the original settings as a reference and to re use as necessary Copy the etc squid squid conf file and protect it from writing with the following commands entered at a terminal prompt sudo cp etc squid squid conf etc squid squid conf original sudo chmod a w etc squid squid conf original To set your Squid server to listen on TCP port 8888 instead of the default TCP port 3128 change the http_port directive as such http_port 8888 197 Web Servers e Change the visible_hostname directive in order to give the Squid server a specific hostname This hostname does not necessarily need to be the computer s hostname In this example it is set to weezie visible_hostname weezie e Using Squid s access control you may configure use of Internet services proxied by Squid to be available only users with certain Internet Protocol IP addresses For example we will illustrate access by users of the 192 168 42 0 24 subnetwork only Add the following to the bottom of the ACL section of your etc squid squid conf file acl fortytwo_network src 192 168 42 0 24 Then add the following to the top of the
232. file etc apparmor d 1xc containers Finally to make container cn use this new 1xc CcN profile add the following line to its configuration file lxc aa_profile lxc CN profile Ixc execute does not enter an Apparmor profile but the container it spawns will be confined 5 2 7 Control Groups Control groups cgroups are a kernel feature providing hierarchical task grouping and per cgroup resource accounting and limits They are used in containers to limit block and character device access and to freeze suspend containers They can be further used to limit memory use and block i o guarantee minimum cpu shares and to lock containers to specific cpus By default LXC depends on the cgroup lite package to be installed which provides the proper cgroup initialization at boot The cgroup lite package mounts each cgroup subsystem separately under sys fs cgroup ss where SS is the subsystem name For instance the freezer subsystem is mounted under sys fs cgroup freezer LXC cgroup are kept under sys fs cgroup SS INIT 1xc where INIT is the init task s cgroup This is by default so in the end the freezer cgroup for container CN would be sys fs cgroup freezer 1xc CN 5 2 8 Privilege The container administration tools must be run with root user privilege A utility called 1xc setup was written with the intention of providing the tools with the needed file capabilities to allow non root users to run the tools with sufficient privileg
233. following command 273 Version Control System sudo netstat tap grep cvs When you run this command you should see the following line or something similar tcp 0 0 cvspserver LISTEN From here you can continue to add users add new projects and manage the CVS server CVS allows the user to add users independently of the underlying OS installation Probably the easiest way is to use the Linux Users for CVS although it has potential security issues Please refer to the CVS manual for details 3 3 Add Projects This section explains how to add new project to the CVS repository Create the directory and add necessary document and source files to the directory Now run the following command to add this project to CVS repository cd your project cvs d pserver username hostname com srv cvs import m Importing my project to CVS repository new_project start You can use the CVSROOT environment variable to store the CVS root directory Once you export the CVSROOT environment variable you can avoid using d option in the above cvs command The string new_project is a vendor tag and start is a release tag They serve no purpose in this context but since CVS requires them they must be present When you add a new project the CVS user you use must have write access to the CVS Q repository srv cvs By default the src group has write access to the CVS repository So you can add the user to
234. g comp and ppa components COMP1 COMP2 COMPN A comma separated list of distro components to include e g main universe This defaults to main ppa PPA Add ppa belonging to PPA to the vm s sources list Limesurvey not being part of the archive at the moment we ll specify it s PPA personal package archive address so that it is added to the VM etc apt source list so we add the following options to the command line addpkg apache2 addpkg apache2 mpm prefork addpkg apache2 utils addpkg apache2 2 common addpkg dbconfig common addpkg libapache2 mod php5 addpkg mysql client addpkg php5 cli addpkg php5 gd addpkg php5 ldap addpkg php5 mysql addpkg wwwconfig common addpkg mysql server ppa niJjaba 2 3 4 Speed Considerations 2 3 4 1 Package Caching When vmbuilder creates builds your system it has to go fetch each one of the packages that composes it over the network to one of the official repositories which depending on your internet connection speed and the load of the mirror can have a big impact on the actual build time In order to reduce this it is recommended to either have a local repository which can be created using apt mirror or using a caching proxy such as apt proxy The later option being much simpler to implement and requiring less disk space it is the one we will pick in this tutorial To install it simply type sudo apt get install apt proxy Once this is comp
235. g cache txt Next create the mnt usb passwd_file txt passphrase file passphrase_passwd secrets Now add the necessary lines to etc fstab dev sdbl mnt usb ext3 ro 0 0 srv srv ecryptfs defaults 0 0 Make sure the USB drive is mounted before the encrypted partition Finally reboot and the srv should be mounted using eCryptfs 6 3 Other Utilities The ecryptfs utils package includes several other useful utilities e ecryptfs setup private creates a Private directory to contain encrypted information This utility can be run by unprivileged users to keep data private from other users on the system e ecryptfs mount private and ecryptfs umount private will mount and unmount respectively a users Private directory e ecryptfs add passphrase adds a new passphrase to the kernel keyring e ecryptfs manager manages eCryptfs objects such as keys e ecryptfs stat allows you to view the ecryptfs meta information for a file 6 4 References e For more information on eCryptfs see the Launchpad project page e There is also a Linux Journal article covering eCryptfs e Also for more ecryptfs options see the ecryptfs man page e The eCryptfs Ubuntu Wiki page also has more details 16 https launchpad net ecryptfs hy http www linuxjournal com article 9400 18 http manpages ubuntu com manpages precise en man7 ecryptfs 7 html 13 https help ubuntu com community eCryptfs 177 Chapter 1
236. g instructions will help defend your server against issues that could otherwise yield very serious consequences 2 1 Disable Ctrl Alt Delete First and foremost anyone that has physical access to the keyboard can simply use the Ctrl Alt Delete key combination to reboot the server without having to log on Sure someone could simply unplug the power source but you should still prevent the use of this key combination on a production server This forces an attacker to take more drastic measures to reboot the server and will prevent accidental reboots at the same time e To disable the reboot action taken by pressing the Ctrl Alt Delete key combination comment out the following line in the file etc init control alt delete conf exec shutdown r now Control Alt Delete pressed 159 Security 3 Firewall 3 1 Introduction The Linux kernel includes the Netfilter subsystem which is used to manipulate or decide the fate of network traffic headed into or through your server All modern Linux firewall solutions use this system for packet filtering The kernel s packet filtering system would be of little use to administrators without a userspace interface to manage it This is the purpose of iptables When a packet reaches your server it will be handed off to the Netfilter subsystem for acceptance manipulation or rejection based on the rules supplied to it from userspace via iptables Thus iptables is all you need to
237. g the nat table will need to be configured Add the following to the top of the file just after the header comments nat Table rules nat POSTROUTING ACCEPT 0 0 Forward traffic from ethl through eth0 A POSTROUTING s 192 168 0 0 24 o ethO j MASQUERADE don t delete the COMMIT line or these nat table rules won t be processed COMMIT The comments are not strictly necessary but it is considered good practice to document your configuration Also when modifying any of the rules files in etc ufw make sure these lines are the last line for each table modified don t delete the COMMIT line or these rules won t be processed COMMIT For each Table a corresponding COMMIT statement is required In these examples only the nat and filter tables are shown but you can also add rules for the raw and mangle tables 163 Security bJ In the above example replace eth0 eth1 and 192 168 0 0 24 with the appropriate interfaces and IP range for your network e Finally disable and re enable ufw to apply the changes sudo ufw disable amp amp sudo ufw enable IP Masquerading should now be enabled You can also add any additional FORWARD rules to the etc ufw before rules It is recommended that these additional rules be added to the ufw before forward chain 3 3 2 iptables Masquerading iptables can also be used to enable Masquerading e Similar to ufw the first step is to enable IPv4 packet forwarding
238. ge in this case the ufw package enter dpkg L ufw e If you are not sure which package installed a file dpkg S may be able to tell you For example dpkg S etc host conf base files etc host conf The output shows that the etc host conf belongs to the base files package fy Many files are automatically generated during the package install process and even though they are on the filesystem dpkg S may not know which package they belong to e You can install a local deb file by entering sudo dpkg i zip_3 0 4_1386 deb Change zip_3 0 4_i386 deb to the actual file name of the local deb file you wish to install e Uninstalling a package can be accomplished by sudo dpkg r zip Q Uninstalling packages using dpkg in most cases is NOT recommended It is better to use a package manager that handles dependencies to ensure that the system is in a consistent state For example using dpkg r zip will remove the zip package but any packages that depend on it will still be installed and may no longer function correctly For more dpkg options see the man page man dpkg 22 Package Management 3 Apt Get The apt get command is a powerful command line tool which works with Ubuntu s Advanced Packaging Tool APT performing such functions as installation of new software packages upgrade of existing software packages updating of the package list index and even upgrading the entire Ubuntu system Being a simple
239. ged e To view which applications have installed a profile enter the following in a terminal sudo ufw app list e Similar to allowing traffic to a port using an application profile is accomplished by entering sudo ufw allow Samba e An extended syntax is available as well ufw allow from 192 168 0 0 24 to any app Samba Replace Samba and 192 168 0 0 24 with the application profile you are using and the IP range for your network fe There is no need to specify the protocol for the application because that information is detailed in the profile Also note that the app name replaces the port number e To view details about which ports protocols etc are defined for an application enter sudo ufw app info Samba Not all applications that require opening a network port come with ufw profiles but if you have profiled an application and want the file to be included with the package please file a bug against the package in Launchpad ubuntu bug nameofpackage 3 3 IP Masquerading The purpose of IP Masquerading is to allow machines with private non routable IP addresses on your network to access the Internet through the machine doing the masquerading Traffic from your private network destined for the Internet must be manipulated for replies to be routable back to the machine that made the request To do this the kernel must modify the source IP address of each packet so that replies will be routed back to it rather than
240. generally means that the CPU has VT extensions and can run the KVM hypervisor S3 Simple Storage Service Amazon s pay by the gigabyte persistent storage solution for EC2 Ubuntu Cloud Ubuntu Cloud Ubuntu s cloud computing solution based on OpenStack VM Virtual Machine VT Virtualization Technology An optional feature of some modern CPUs allowing for accelerated virtual machine hosting 339 Virtualization 5 LXC Containers are a lightweight virtualization technology They are more akin to an enhanced chroot than to full virtualization like Qemu or VMware both because they do not emulate hardware and because containers share the same operating system as the host Therefore containers are better compared to Solaris zones or BSD jails Linux vserver and OpenVZ are two pre existing independently developed implementations of containers like functionality for Linux In fact containers came about as a result of the work to upstream the vserver and OpenVZ functionality Some vserver and OpenVZ functionality is still missing in containers however containers can boot many Linux distributions and have the advantage that they can be used with an un modified upstream kernel There are two user space implementations of containers each exploiting the same kernel features Libvirt allows the use of containers through the LXC driver by connecting to Ixc This can be very convenient as it supports the same usage as its other dri
241. h z1 LLLOY EXTERNAL H ldapi s base contextCSN dn dc example dc com contextCSN 20120201193408 178454Z 000000 000 000000 on both the provider and the consumer Once the output 20120201193408 1784542 000000 000 000000 in the above example for both machines match you have replication Every time a change is done in the provider this value will change and so should the one in the consumer s 102 Network Authentication If your connection is slow and or your ldap database large it might take a while for the consumer s contextCSN match the provider s But you will know it is progressing since the consumer s contextCSN will be steadly increasing If the consumer s contextCSN is missing or does not match the provider you should stop and figure out the issue before continuing Try checking the slapd syslog and the auth log files in the provider to see if the consumer s authentication requests were successful or its requests to retrieve data they look like a lot of ldapsearch statements return no errors To test if it worked simply query on the Consumer the DNs in the database sudo ldapsearch Q LLL Y EXTERNAL H ldapi b dc example dc com dn You should see the user john and the group miners as well as the nodes People and Groups 1 7 Access Control The management of what type of access read write etc users should be granted to resources is known as access control The configuration dire
242. h devices you can use the multipath device names just as you would use a physical device name when creating an LVM physical volume For example if dev mapper mpatha is the name of a multipath device the following command will mark dev mapper mpatha as a physical volume pvcreate dev mapper mpatha 56 DM Multipath You can use the resulting LVM physical device when you create an LVM volume group just as you would use any other LVM physical device fe If you attempt to create an LVM physical volume on a whole device on which you have configured partitions the pvcreate command will fail When you create an LVM logical volume that uses active passive multipath arrays as the underlying physical devices you should include filters in the lvm conf to exclude the disks that underlie the multipath devices This is because if the array automatically changes the active path to the passive path when it receives I O multipath will failover and failback whenever LVM scans the passive path if these devices are not filtered For active passive arrays that require a command to make the passive path active LVM prints a warning message when this occurs To filter all SCSI devices in the LVM configuration file lvm conf include the following filter in the devices section of the file Filter r block t disk L sd 4 Tafer After updating etc 1vm conf it s necessary to update the initrd so that this file will be copie
243. has the Provider push changed entries to the Consumer as soon as they re made but in addition only actual changes will be sent not entire entries 1 6 1 Provider Configuration Begin by configuring the Provider 1 Create an LDIF file with the following contents and name it provider_sync 1dif Add indexes to the frontend db dn olcDatabase 1 hdb cn config changetype modify add olcDbIndex olcDbIndex entryCSN eq add olcDbIndex olcDbIndex entryUUID eq Load the syncprov and accesslog modules dn cn module 0 cn config changetype modify add olcModuleLoad olcModuleLoad syncprov add olcModuleLoad olcModuleLoad accesslog Accesslog database definitions dn olcDatabase 2 hdb cn config objectClass olcDatabaseConfig objectClass olcHdbConfig olcDatabase 2 hdb olcDbDirectory var lib ldap accesslog olcSuffix cn accesslog olcRootDN cn admin dc example dc com olcDbIndex default eq olcDbIndex entryCSN objectClass reqEnd reqResult reqStart Accesslog db syncprov dn olcOverlay syncprov olcDatabase 2 hdb cn config changetype add objectClass olcOverlayConfig objectClass olcSyncProvConfig olcOverlay syncprov olcSpNoPresent TRUE olcSpReloadHint TRU Gl 100 Network Authentication syncrepl Provider for primary db dn olcOverlay syncprov olcDatabase 1 hdb cn config changetype add objectClass olcOverlayConfig objectClass olcSyncProv
244. hat requires good knowledge of the linux kernel You can find more information on the topic here e Kdump kernel documentation The crash tool e Analyzing Linux Kernel Crash Based on Fedora it still gives a good walkthrough of kernel dump analysis 13 http www kernel org doc Documentation kdump kdump txt I http people redhat com anderson 7 http www dedoimedo com computers crash analyze html 19 Chapter 3 Package Management Ubuntu features a comprehensive package management system for installing upgrading configuring and removing software In addition to providing access to an organized base of over 35 000 software packages for your Ubuntu computer the package management facilities also feature dependency resolution capabilities and software update checking Several tools are available for interacting with Ubuntu s package management system from simple command line utilities which may be easily automated by system administrators to a simple graphical interface which is easy to use by those new to Ubuntu 20 Package Management 1 Introduction Ubuntu s package management system is derived from the same system used by the Debian GNU Linux distribution The package files contain all of the necessary files meta data and instructions to implement a particular functionality or software application on your Ubuntu computer Debian package files typically have the extension deb and
245. have some lines have been split to fit the format of this document deb http archive ubuntu com ubuntu precise main restricted universe multiverse deb i386 http archive ubuntu com ubuntu precise main restricted universe multiverse deb http archive ubuntu com ubuntu precise updates main restricted universe multiverse deb i386 http archive ubuntu com ubuntu precise updates main restricted universe multiverse deb http archive ubuntu com ubuntu precise backports main restricted universe multiverse deb i386 http archive ubuntu com ubuntu precise backports main restricted universe multiverse deb http security ubuntu com ubuntu precise security main restricted universe multiverse deb i386 http security ubuntu com ubuntu precise security main restricted universe multiverse deb http archive ubuntu com ubuntu precise main debian installer restricted debian installer universe debian installer multiverse debian installer deb i386 http archive ubuntu com ubuntu precise main debian installer restricted debian installer universe debian installer multiverse debian installer Notice that the source packages are not mirrored as they are seldom used compared to the binaries and they do take a lot more space but they can be easily added to the list Once the mirror has finished replicating and this can be quite long you need to configure Apache so that your mirror files in var spoo
246. he CA_default change dir etc ssl Where everything is kept database Sdir CA index txt database index file certificate Sdir certs cacert pem The CA certificate serial Sdir CA serial The current serial number Sdir private cakey pem The private key private_key 4 Next create the self singed root certificate openssl req new x509 extensions v3_ca keyout cakey pem out cacert pem days 3650 You will then be asked to enter the details about the certificate 5 Now install the root certificate and key sudo mv cakey pem etc ssl private sudo mv cacert pem etc ssl certs 6 You are now ready to start signing certificates The first item needed is a Certificate Signing Request CSR see Section 5 2 Generating a Certificate Signing Request CSR p 172 for details Once you have a CSR enter the following to generate a certificate signed by the CA sudo openssl ca in server csr config etc ssl openssl cnf After entering the password for the CA key you will be prompted to sign the certificate and again to commit the new certificate You should then see a somewhat large amount of output related to the certificate creation 7 There should now be a new file etc ssl newcerts 01 pem containing the same output Copy and paste everything beginning with the line BEGIN CERTIFICATE and continuing through the line END CERTIFICATE lines to a file named after the hostname o
247. he etc samba smb conf you would do so by entering the group name as sysadmin 4 3 2 File Permissions File Permissions define the explicit rights a computer or user has to a particular directory file or set of files Such permissions may be defined by editing the etc samba smb conf file and specifying the explicit permissions of a defined file share For example if you have defined a Samba share called share and wish to give read only permissions to the group of users known as qa but wanted to allow writing to the share by the group called sysadmin and the user named vincent then you could edit the etc samba smb conf file and add the following entries under the share entry 284 Windows Networking read list ga write list sysadmin vincent Another possible Samba permission is to declare administrative permissions to a particular shared resource Users having administrative permissions may read write or modify any information contained in the resource the user has been given explicit administrative permissions to For example if you wanted to give the user melissa administrative permissions to the share example you would edit the etc samba smb conf file and add the following line under the share entry admin users melissa After editing etc samba smb conf restart Samba for the changes to take effect sudo restart smbd sudo restart nmbd bJ For the read list and write list to work the Samba s
248. he Image Store on the UEC web interface 1 Access the web interface at the following URL Make sure you specify https https lt cloud controller ip address gt 8443 Enter your login and password if requested as you may still be logged in from earlier Click on the Store tab Browse available images vA PF YN Click on install for the image you want Once the image has been downloaded and installed you can click on How to run that will be displayed below the image button to view the command to execute to instantiate start this image The image will also appear on the list given on the Zmage tab 3 8 Run an Image There are multiple ways to instantiate an image in UEC e Use the command line e Use one of the UEC compatible management tools such as Landscape e Use the ElasticFox extension to Firefox Here we will describe the process from the command line 1 Before running an instance of your image you should first create a keypair ssh key that you can use to log into your instance as root once it boots The key is stored so you will only have to do this once Run the following command if e euca mykey priv then mkdir p m 700 euca touch euca mykey priv chmod 0600 euca mykey priv euca add keypair mykey gt euca mykey priv fi You can call your key whatever you like in this example the key is called mykey but remember what it is called If you forget you ca
249. he files using tar tar czf Sdest Sarchive_file Sbackup_files Print end status message echo echo Backup finished date Long listing of files in dest to check file sizes ls 1h Sdest 295 Backups e backup_files a variable listing which directories you would like to backup The list should be customized to fit your needs e day a variable holding the day of the week Monday Tuesday Wednesday etc This is used to create an archive file for each day of the week giving a backup history of seven days There are other ways to accomplish this including using the date utility e hostname variable containing the short hostname of the system Using the hostname in the archive filename gives you the option of placing daily archive files from multiple systems in the same directory e Sarchive_file the full archive filename e dest destination of the archive file The directory needs to be created and in this case mounted before executing the backup script See Section 2 Network File System NFS p 226 for details of using NFS e status messages optional messages printed to the console using the echo utility tar czf dest archive_file backup_files the tar command used to create the archive file e c creates an archive e z filter the archive through the gzip utility compressing the archive e f output to an archive file Otherwise the tar output will be sent to STDOUT e ls lh dest optio
250. he other two parties being the user and the service the user wishes to authenticate to Not all services and applications can use Kerberos but for those that can it brings the network environment one step closer to being Single Sign On SSO This section covers installation and configuration of a Kerberos server and some example client configurations 3 1 Overview If you are new to Kerberos there are a few terms that are good to understand before setting up a Kerberos server Most of the terms will relate to things you may be familiar with in other environments e Principal any users computers and services provided by servers need to be defined as Kerberos Principals e Instances are used for service principals and special administrative principals e Realms the unique realm of control provided by the Kerberos installation Think of it as the domain or group your hosts and users belong to Convention dictates the realm should be in uppercase By default ubuntu will use the DNS domain converted to uppercase EXAMPLE COM as the realm e Key Distribution Center KDC consist of three parts a database of all principals the authentication server and the ticket granting server For each realm there must be at least one KDC e Ticket Granting Ticket issued by the Authentication Server AS the Ticket Granting Ticket TGT is encrypted in the user s password which is known only to the user and the KDC e Ticket Gra
251. hine the o tells vmbuilder to overwrite the previous version of the VM and the ibvirt tells to inform the local virtualization environment to add the resulting VM to the list of available machines Notes e Because of the nature of operations performed by vmbuilder it needs to have root privilege hence the use of sudo e If your virtual machine needs to use more than 3Gb of ram you should build a 64 bit machine arch amd64 e Until Ubuntu 8 10 the virtual kernel was only built for 32 bit architecture so if you want to define an amd64 machine on Hardy you should use flavour server instead 2 3 2 JeOS Installation Parameters 2 3 2 1 JeOS Networking 2 3 2 1 1 Assigning a fixed IP address As a virtual appliance that may be deployed on various very different networks it is very difficult to know what the actual network will look like In order to simplify configuration it is a good idea to take an approach similar to what network hardware vendors usually do namely assigning an initial fixed IP address to the appliance in a private class network that you will provide in your documentation An address in the range 192 168 0 0 255 is usually a good choice To do this we ll use the following parameters e ip ADDRESS IP address in dotted form defaults to dhcp if not specified e hostname NAME Set NAME as the hostname of the guest e mask VALUE IP mask in dotted form default 255 255 255 0 e net VA
252. hine s console e v creates a fully virtualized guest After launching virt install you can connect to the virtual machine s console either locally using a GUI or with the virt viewer utility f https help ubuntu com 12 04 installation guide 309 Virtualization 1 4 virt clone The virt clone application can be used to copy one virtual machine to another For example sudo virt clone o web_devel n database_devel f path to database_devel img connect qemu system e o original virtual machine e n name of the new virtual machine e f path to the file logical volume or partition to be used by the new virtual machine e connect specifies which hypervisor to connect to Also use d or debug option to help troubleshoot problems with virt clone bJ Replace web_devel and database_devel with appropriate virtual machine names 1 5 Virtual Machine Management 1 5 1 virsh There are several utilities available to manage virtual machines and libvirt The virsh utility can be used from the command line Some examples e To list running virtual machines virsh c qemu system list To start a virtual machine virsh c gemu system start web_devel e Similarly to start a virtual machine at boot virsh c qemu system autostart web_devel e Reboot a virtual machine with virsh c gemu system reboot web_devel e The state of virtual machines can be saved to a file in order
253. hort description of the share Adjust to fit your needs e path the path to the directory to share This example uses srv samba sharename because according to the Filesystem Hierarchy Standard FHS srv is where site specific data should be served Technically Samba shares can be placed anywhere on the filesystem as long as the permissions are correct but adhering to standards is recommended e browsable enables Windows clients to browse the shared directory using Windows Explorer e guest ok allows clients to connect to the share without supplying a password e read only determines if the share is read only or if write privileges are granted Write privileges are allowed only when the value is no as is seen in this example If the value is yes then access to the share is read only e create mask determines the permissions new files will have when created 3 Now that Samba is configured the directory needs to be created and the permissions changed From a terminal enter sudo mkdir p srv samba share sudo chown nobody nogroup srv samba share ba The p switch tells mkdir to create the entire directory tree if it doesn t exist 4 Finally restart the samba services to enable the new configuration sudo restart smbd sudo restart nmbd Once again the above configuration gives all access to any client on the local network For Q a more secure configuration see Section 4 Securing a Samba File and Print Server
254. hould be set to the maximum number of paths plus 32 if that number is greater than 1024 checker_timer The timeout to use for path checkers that issue SCSI commands with an explicit timeout in seconds The default value is taken from sys block sdx device timeout which is 30 seconds as of 12 04 LTS fast_io_fail_tmo The number of seconds the SCSI layer will wait after a problem has been detected on an FC remote port before failing I O to devices on that remote port This value should be smaller than the value of dev_loss_tmo Setting this to off will disable the timeout The default value is determined by the OS dev_loss_tmo The number of seconds the SCSI layer will wait after a problem has been detected on an FC remote port before removing it from the system Setting this to infinity will set this to 2147483647 seconds or 68 years The default value is determined by the OS 4 4 Configuration File Multipath Attributes Table Multipath Attributes p 69 shows the attributes that you can set in the multipaths section of the mult ipath conf configuration file for each specific multipath device These attributes apply only to the one specified multipath These defaults are used by DM Multipath and override attributes set in the defaults and devices sections of the multipath conf file Table 5 4 Multipath Attributes Attribute Description wwid Specifies the WWID of the multipath device t
255. hows information about Physical Volumes e vgdisplay shows information about Volume Groups e lvdisplay shows information about Logical Volumes 4 2 3 Extending Volume Groups Continuing with srv as an LVM volume example this section covers adding a second hard disk creating a Physical Volume PV adding it to the volume group VG extending the logical volume srv and finally extending the filesystem This example assumes a second hard disk has been added to the system In this example this hard disk will be named dev sdb and we will use the entire disk as a physical volume you could choose to create partitions and use them as different physical volumes Make sure you don t already have an existing dev sdb before issuing the commands below You could lose some data if you issue those commands on a non empty disk 1 First create the physical volume in a terminal execute sudo pvcreate dev sdb 2 Now extend the Volume Group VG sudo vgextend vg01 dev sdb 3 Use vgdisplay to find out the free physical extents Free PE size the size you can allocate We will assume a free size of 511 PE equivalent to 2GB with a PE size of 4MB and we will use the whole free space available Use your own PE and or free space 15 Installation The Logical Volume LV can now be extended by different methods we will only see how to use the PE to extend the LV sudo lvextend dev vg01 srv 1 511 The option
256. i page for more information e ntp org home of the Network Time Protocol project 16 https help ubuntu com community UbuntuTime Ay http www ntp org 50 Chapter 5 DM Multipath DM Multipath 1 Device Mapper Multipathing Device mapper multipathing DM Miultipath allows you to configure multiple I O paths between server nodes and storage arrays into a single device These I O paths are physical SAN connections that can include separate cables switches and controllers Multipathing aggregates the I O paths creating a new device that consists of the aggregated paths This chapter provides a summary of the features of DM Multipath that are new for the initial release of Ubuntu Server 12 04 Following that this chapter provides a high level overview of DM Multipath and its components as well as an overview of DM Multipath setup 1 1 New and Changed Features for Ubuntu Server 12 04 Migrated from multipath 0 4 8 to multipath 0 4 9 1 1 1 Migration from 0 4 8 The priority checkers are no longer run as standalone binaries but as shared libraries The key value name for this feature has also slightly changed Copy the attribute named prio_callout to prio also modify the argument the name of the priority checker a system path is no longer necessary Example conversion device vendor NEC product DISK ARRAY prio_callout mpath_prio_alua dev n prio alua See Table Priority Checker Conversion
257. ic SSH keys have been exchanged properly b The services are configured properly c The appropriate wec component listener is running d Verify Registration p gt Steps a to e should only be required if you re using the VEC Packagelnstall method Otherwise if you are following this guide these steps should already be completed automatically moe moe for you and therefore you can skip a to e Exchange Public Keys i https help ubuntu com community UEC Topologies 7 https help ubuntu com community UEC Packagelnstall 324 Virtualization The Cloud Controller s eucalyptus user needs to have SSH access to the Walrus Controller Cluster Controller and Storage Controller as the eucalyptus user Install the Cloud Controller s eucalyptus user s public ssh key by e On the target controller temporarily set a password for the eucalyptus user sudo passwd eucalyptus e Then on the Cloud Controller sudo u eucalyptus ssh copy id i eucalyptus ssh id_rsa pub eucalyptus lt IP_OF_NODE gt e You can now remove the password of the eucalyptus account on the target controller if you wish sudo passwd d eucalyptus Configuring the Services On the Cloud Controller e For the Cluster Controller Registration e Define the shell variable CC_NAME in etc eucalyptus eucalyptus cc conf e Define the shell variable CC_IP_ADDR in etc eucalyptus eucalyptus ipaddr conf as a space separated list of on
258. ications make use of DNS to resolve a host name use the ping utility to send an ICMP echo request From a terminal prompt enter ping example com This tests if the nameserver can resolve the name ns example com to an IP Address The command output should resemble PING ns example com 192 168 1 10 56 84 bytes of data 64 bytes from 192 168 1 10 icmp_seq 1 tt1l 64 time 0 800 ms 64 bytes from 192 168 1 10 icmp_seq 2 tt1l 64 time 0 813 ms 3 1 4 named checkzone A great way to test your zone files is by using the named checkzone utility installed with the bind9 package This utility allows you to make sure the configuration is correct before restarting BIND9 and making the changes live e To test our example Forward zone file enter the following from a command prompt named checkzone example com etc bind db example com If everything is configured correctly you should see output similar to zone example com IN loaded serial 6 OK e Similarly to test the Reverse zone file enter the following named checkzone 1 168 192 in addr arpa etc bind db 192 The output should be similar to zone 1 168 192 in addr arpa IN loaded serial 3 OK fe The Serial Number of your zone file will probably be different 3 2 Logging BIND9 has a wide variety of logging configuration options available There are two main options The channel option configures where logs go and the category option determines what information to log
259. icly visible 1 3 Resources e See the Reporting Bugs Ubuntu wiki page e Also the Apport page has some useful information Though some of it pertains to using a GUI 3 https help ubuntu com community ReportingBugs j https wiki ubuntu com Apport 390
260. ies a directory under dev in which LXC will create its console devices If this option is not specified then the ptys will be bind mounted over dev console and dev ttyN However rare package updates may try to blindly rm f and then mknod those devices They will fail because the file has been bind mounted causing the package update to fail When Ixc devttydir is set to LXC for instance then LXC will bind mount the console ptys onto dev lxc console and dev 1xc ttyN and subsequently symbolically link them to dev console and dev ttyNn This allows the package updates to succeed at the risk of making future gettys on those consoles fail until the next reboot This problem will be ideally solved with device namespaces 5 5 Updates in Ubuntu containers Because of some limitations which are placed on containers package upgrades at times can fail For instance a package install or upgrade might fail if it is not allowed to create or open a block device This often blocks all future upgrades until the issue is resolved In some cases you can work around this by chrooting into the container to avoid the container restrictions and completing the upgrade in the chroot Some of the specific things known to occasionally impede package upgrades include e The container modifications performed when creating containers with the trim option e Actions performed by lxcguest For instance because 1ib init fstab is bind mounted from
261. if saslauthd Sauth1 Sauth2 1 0 server_set_id Sauthl ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS server_advertise_condition if eq Stls_cipher endif Additionally in order for outside mail client to be able to connect to new exim server new user needs to be added into exim by using the following commands sudo usr share doc exim4 examples exim adduser Users should protect the new exim password files with the following commands sudo chown root Debian exim etc exim4 passwd sudo chmod 640 etc exim4 passwd Finally update the Exim4 configuration and restart the service sudo update exim4 conf 243 Email Services sudo etc init d exim4 restart 2 4 Configuring SASL This section provides details on configuring the saslauthd to provide authentication for Exim4 The first step is to install the sas 2 bin package From a terminal prompt enter the following sudo apt get install sasl2 bin To configure saslauthd edit the etc default saslauthd configuration file and set START no to START yes Next the Debian exim user needs to be part of the sas group in order for Exim4 to use the saslauthd service sudo adduser Debian exim sasl Now start the saslauthd service sudo etc init d saslauthd start Exim4 is now configured with SMTP AUTH using TLS and SASL authentication 2 5 References e See exim org for more information e There is also an Exim4 Book availa
262. iffers very little from most other GNU Linux operating systems Ubuntu and other Debian based distributions encourage the use of the adduser package for account management e To add a user account use the following syntax and follow the prompts to give the account a password and identifiable characteristics such as a full name phone number etc sudo adduser username e To delete a user account and its primary group use the following syntax sudo deluser username Deleting an account does not remove their respective home folder It is up to you whether or not you wish to delete the folder manually or keep it according to your desired retention policies Remember any user added later on with the same UID GID as the previous owner will now have access to this folder if you have not taken the necessary precautions You may want to change these UID GID values to something more appropriate such as the root account and perhaps even relocate the folder to avoid future conflicts sudo chown R root root home username sudo mkdir home archived_users sudo mv home username home archived_users e To temporarily lock or unlock a user account use the following syntax respectively sudo passwd 1 username sudo passwd u username e To add or delete a personalized group use the following syntax respectively sudo addgroup groupname sudo delgroup groupname e To add a user to a group use the following syntax sudo
263. ignificant to the network from the bits significant to the subnetwork For example in a Class C network the standard netmask is 255 255 255 0 which masks the first three bytes of the IP address and allows the last byte of the IP address to remain available for specifying hosts on the subnetwork e Network Address The Network Address represents the bytes comprising the network portion of an IP address For example the host 12 128 1 2 in a Class A network would use 12 0 0 0 as the network address where twelve 12 represents the first byte of the IP address the network part and zeroes 0 in all of the remaining three bytes to represent the potential host values A network host using the private IP address 192 168 1 100 would in turn use a Network Address of 192 168 1 0 which specifies the first three bytes of the Class C 192 168 1 network and a zero 0 for all the possible hosts on the network 42 Networking Broadcast Address The Broadcast Address is an IP address which allows network data to be sent simultaneously to all hosts on a given subnetwork rather than specifying a particular host The standard general broadcast address for IP networks is 255 255 255 255 but this broadcast address cannot be used to send a broadcast message to every host on the Internet because routers block it A more appropriate broadcast address is set to match a specific subnetwork For example on the private Class C IP network 192 168 1 0 the broadc
264. igured Apache2 Web Server and MySQL Database Server You can refer to Apache2 section and MySQL sections in this document to install and configure Apache2 and MySQL respectively 2 1 Installation The PHP5S is available in Ubuntu Linux Unlike python and perl which are installed in the base system PHP must be added e To install PHP5 you can enter the following command in the terminal prompt sudo apt get install php5 libapache2 mod php5 You can run PHPS scripts from command line To run PHP5 scripts from command line you should install php5 cli package To install php5 cli you can enter the following command in the terminal prompt sudo apt get install php5 cli You can also execute PHP5 scripts without installing PHP5 Apache module To accomplish this you should install php5 cgi package You can run the following command in a terminal prompt to install php5 cgi package sudo apt get install php5 cgi To use MySQL with PHP5 you should install php5 mysql package To install php5 mysql you can enter the following command in the terminal prompt sudo apt get install php5 mysql Similarly to use PostgreSQL with PHP5 you should install php5 pgsql package To install php5 pgsql you can enter the following command in the terminal prompt sudo apt get install php5 pgsql 2 2 Configuration Once you install PHP5 you can run PHP5 scripts from your web browser If you have installed php5 cli package you can run PHP5 s
265. ill describe how to use it for central authentication LDAP is good for anything that involves a large number of access requests to a mostly read attribute based name value l http tools ietf org html rfc4510 2 http tools ietf org html rfc2849 91 Network Authentication backend Examples include an address book a list of email addresses and a mail server s configuration 1 1 Installation Install the OpenLDAP server daemon and the traditional LDAP management utilities These are found in packages slapd and Idap utils respectively The installation of slapd will create a working configuration In particular it will create a database instance that you can use to store your data However the suffix or base DN of this instance will be determined from the domain name of the localhost If you want something different edit etc hosts and replace the domain name with one that will give you the suffix you desire For instance if you want a suffix of dc example dc com then your file would have a line similar to this 127 Odd hostname example com hostname You can revert the change after package installation fy This guide will use a database suffix of dc example dc com Proceed with the install sudo apt get install slapd ldap utils Since Ubuntu 8 10 slapd is designed to be configured within slapd itself by dedicating a separate DIT for that purpose This allows one to dynamically configure slapd without the need to
266. in etc default slapd in order to use encryption You should have just SLAPD_SERVICES l1dap ldapi fy LDAP over TLS SSL Idaps is deprecated in favour of StartTLS The latter refers to an existing LDAP session listening on TCP port 389 becoming protected by TLS SSL whereas LDAPS like HTTPS is a distinct encrypted from the start protocol that operates over TCP port 636 Tighten up ownership and permissions sudo adduser openldap ssl cert sudo chgrp ssl cert etc ssl private ldap01_slapd_key pem sudo chmod gtr etc ssl private ldap01_slapd_key pem sudo chmod o r etc ssl private ldap01_slapd_key pem Restart OpenLDAP sudo service slapd restart Check your host s logs var log syslog to see if the server has started properly 1 9 Replication and TLS If you have set up replication between servers it is common practice to encrypt StartTLS the replication traffic to prevent evesdropping This is distinct from using encryption with authentication as we did above In this section we will build on that TLS authentication work The assumption here is that you have set up replication between Provider and Consumer according to Section 1 6 Replication p 99 and have configured TLS for authentication on the Provider by following Section 1 8 TLS p 105 As previously stated the objective for us with replication is high availablity for the LDAP service Since we have TLS for authentication on th
267. ined below password success 2 default ignore pam_unix so obscure sha512 min 8 fe Basic password entropy checks and minimum length rules do not apply to the administrator using sudo level commands to setup a new user 1 4 2 Password Expiration When creating user accounts you should make it a policy to have a minimum and maximum password age forcing users to change their passwords when they expire e To easily view the current status of a user account use the following syntax sudo chage 1 username The output below shows interesting facts about the user account namely that there are no policies applied Last password change Jan 20 2008 Password expires never Password inactive never Account expires never Minimum number of days between password change sO Maximum number of days between password change 99999 Number of days of warning before password expires cae e To set any of these values simply use the following syntax and follow the interactive prompts sudo chage username The following is also an example of how you can manually change the explicit expiration date E to 01 31 2008 minimum password age m of 5 days maximum password age M of 90 days inactivity period I of 5 days after password expiration and a warning time period W of 14 days before password expiration sudo chage E 01 31 2011 m 5 M 90 I 30 W 14 username e To verify changes use the same syntax as mention
268. ing 2 In order to prevent the device mapper from mapping dev sda in its multipath maps edit the blacklist section of the etc multipath conf file to include this device Although you could blacklist the sda device using a devnode type that would not be safe procedure since dev sda is not guaranteed to be the same on reboot To blacklist individual devices you can blacklist using the WWID of that device Note that in the output to the multipath v2 command the WWID of 59 DM Multipath the dev sda device is SIBM ESXSST336732LC F3ETOEP0Q000072428BX1 To blacklist this device include the following in the etc multipath conf file blacklist wwid SIBM ESXSST336732LC F3ETOEP0Q000072428BX1 After you have updated the etc multipath conf file you must manually tell the multipathd daemon to reload the file The following command reloads the updated etc multipath conf file service multipath tools reload Run the following command to remove the multipath device multipath f SIBM ESXSST336732LC F3ETOEP0Q000072428BX1 To check whether the device removal worked you can run the multipath lIl command to display the current multipath configuration For information on the multipath lIl command see Section Multipath Queries with multipath Command To check that the blacklisted device was not added back you can run the multipath command as in the following example The multipath command defaults to a verbosity leve
269. ing mixr etc modules conf r e include lt tunables global gt include statements from other files This allows statements pertaining to multiple applications to be placed in a common file e bin ping flags complain path to the profiled program also setting the mode to complain e capability net_raw allows the application access to the CAP_NET_RAW Posix le capability e bin ping mixr allows the application read and execute access to the file bJ After editing a profile file the profile must be reloaded See Section 4 1 Using AppArmor p 167 for details 4 2 1 Creating a Profile e Design a test plan Try to think about how the application should be exercised The test plan should be divided into small test cases Each test case should have a small description and list the steps to follow Some standard test cases are e Starting the program e Stopping the program e Reloading the program e Testing all the commands supported by the init script e Generate the new profile Use aa genprof to generate a new profile From a terminal sudo aa genprof executable For example sudo aa genprof slapd 169 Security e To get your new profile included in the apparmor profiles package file a bug in Launchpad against the AppArmor package e Include your test plan and test cases e Attach your new profile to the bug 4 2 2 Updating Profiles When the program is misbehaving audit mess
270. instances grep SEMI grep running tail n1 awk print 2 euca terminate instances SINSTANCEID 3 8 1 First Boot The cloud init package provides first boot functionality for the Ubuntu UEC images It is in charge of taking the generic filesystem image that is booting and customizing it for this particular instance That includes things like e Setting the hostname e Putting the provided ssh public keys into ubuntu ssh authorized_keys e Running a user provided script or otherwise modifying the image Setting hostname and configuring a system so the person who launched it can actually log into it are not terribly interesting The interesting things that can be done with cloud init are made possible by data provided at launch time called user data 18 http developer amazonwebservices com connect entry jspa externalID 1085 329 Virtualization First install the cloud init package sudo apt get install cloud init If the user data starts with then it will be stored and executed as root late in the boot process of the instance s first boot similar to a traditional rc local script Output from the script is directed to the console For example create a file named ud txt containing bin sh cho Hello World S date echo I have been up for cut d f 1 lt proc uptime sec Now start an instance with the user data file option euca run instanc
271. intenance p 12 for details or copy important data to another machine due to major hardware failure 4 1 5 RAID Maintenance The mdadm utility can be used to view the status of an array add disks to an array remove disks etc e To view the status of an array from a terminal prompt enter sudo mdadm D dev md0 The D tells mdadm to display detailed information about the dev mao device Replace dev mdo with the appropriate RAID device e To view the status of a disk in an array sudo mdadm E dev sdal 12 Installation The output if very similar to the mdadm D command adjust dev sda1 for each disk e Ifa disk fails and needs to be removed from an array enter sudo mdadm remove dev mdO dev sdal Change dev ma0 and dev sda1 to the appropriate RAID device and disk e Similarly to add a new disk sudo mdadm add dev md0 dev sdal Sometimes a disk can change to a faulty state even though there is nothing physically wrong with the drive It is usually worthwhile to remove the drive from the array then re add it This will cause the drive to re sync with the array If the drive will not sync with the array it is a good indication of hardware failure The proc mdstat file also contains useful information about the system s RAID devices cat proc mdstat Personalities linear multipath raidO raidl raid6 raid5 raid4 raid10 md0 active raidl sdal 0 sdb1 1 10016384 blocks
272. into your OpenWRT router and install OpenVPN opkg update opkg install openvpn Check out etc config openvpn and put you client config in there Copy certificated and keys to etc openvpn config openvpn clientl option enable 1 option client 1 option dev tap option dev tun option proto udp option ca etc openvpn ca crt option cert etc openvpn client crt option key etc openvpn client key option comp_lzo 1 Restart OpenVPN etc init d openvpn restart You will have to see if you need to adjust your router s routing and firewall rules 1 8 References e See the OpenVPN website for additional information OpenVPN hardening security guide e Also Pakt s OpenVPN Building and Integrating Virtual Private Networks is a good resource i http openvpn net gt http openvpn net index php open source documentation howto html security http www packtpub com openvpn book 377 Chapter 23 Other Useful Applications There are many very useful applications developed by the Ubuntu Server Team and others that are well integrated with Ubuntu Server Edition that might not be well known This chapter will showcase some useful applications that can make administering an Ubuntu server or many Ubuntu servers that much easier 378 Other Useful Applications 1 pam_motd When logging into an Ubuntu server you may have noticed the informative Message Of The Day MOTD This information
273. ion It s typically used to give Dovecot s local delivery agent access to userdb so it can find mailbox locations path var run dovecot auth master mode 0600 Default user group is the one who started dovecot auth root f sample postfix_configuration 2 http www ietf org rfc rfc2554 txt 3 http www ietf org rfc rfc2222 txt 237 Email Services fuser group client The client socket is generally safe to export to everyone Typical use is to export it to your SMTP server so it can do SMTP AUTH lookups using it path var spool postfix private auth client mode 0660 user postfix group postfix In order to let Outlook clients use SMTP AUTH in the auth default section of etc dovecot dovecot conf add login mechanisms plain login Once you have Dovecot configured restart it with sudo etc init d dovecot restart 1 5 Mail Stack Delivery Another option for configuring Postfix for SMTP AUTH is using the mail stack delivery package previously packaged as dovecot postfix This package will install Dovecot and configure Postfix to use it for both SASL authentication and as a Mail Delivery Agent MDA The package also configures Dovecot for IMAP IMAPS POP3 and POP3S fy You may or may not want to run IMAP IMAPS POP3 or POP3S on your mail server For example if you are configuring your server to be a mail gateway spam Virus filter etc If this is the case it m
274. ion of the Secure Shell SSH protocol family of tools for remotely controlling or transferring files between computers Traditional tools used to accomplish these functions such as telnet or rcp are insecure and transmit the user s password in cleartext when used OpenSSH provides a server daemon and client tools to facilitate secure encrypted remote control and file transfer operations effectively replacing the legacy tools The OpenSSH server component sshd listens continuously for client connections from any of the client tools When a connection request occurs sshd sets up the correct connection depending on the type of client tool connecting For example if the remote computer is connecting with the ssh client application the OpenSSH server sets up a remote control session after authentication If a remote user connects to an OpenSSH server with scp the OpenSSH server daemon initiates a secure copy of files between the server and client after authentication OpenSSH can use many authentication methods including plain password public key and Kerberos tickets 1 2 Installation Installation of the OpenSSH client and server applications is simple To install the OpenSSH client applications on your Ubuntu system use this command at a terminal prompt sudo apt get install openssh client To install the OpenSSH server application and related support files use this command at a terminal prompt sudo apt get install openssh
275. ions Kill any that are found Restrict SSH access to only user accounts that should have it For example you may create a group called sshlogin and add the group name as the value associated with the AllowGroups variable located in the file etc ssh sshd_config AllowGroups sshlogin Then add your permitted SSH users to the group sshlogin and restart the SSH service sudo adduser username sshlogin sudo service ssh restart 1 5 2 External User Database Authentication Most enterprise networks require centralized authentication and access controls for all system resources If you have configured your server to authenticate users against external databases be 157 Security sure to disable the user accounts both externally and locally this way you ensure that local fallback authentication is not possible 158 Security 2 Console Security As with any other security barrier you put in place to protect your server it is pretty tough to defend against untold damage caused by someone with physical access to your environment for example theft of hard drives power or service disruption and so on Therefore console security should be addressed merely as one component of your overall physical security strategy A locked screen door may deter a casual criminal or at the very least slow down a determined one so it is still advisable to perform basic precautions with regard to console security The followin
276. ir verbosity The directory where the dynamic shared objects are stored The default value is system dependent commonly 1ib multipath The default verbosity Higher values increase the verbosity level Valid levels are between 0 and 6 The default value is 2 path_selector Specifies the default algorithm to use in determining what path to use for the next I O operation Possible values include e round robin 0 Loop through every path in the path group sending the same amount of I O to each e queue length 0 Send the next bunch of I O down the path with the least number of outstanding I O requests e service time 0 Send the next bunch of I O down the path with the shortest estimated service time which is determined by dividing the total size of the outstanding I O to each path by its relative throughput The default value is round robin 0 path_grouping_policy Specifies the default path grouping policy to apply to unspecified multipaths Possible values include e failover 1 path per priority group e multibus all valid paths in 1 priority group e group_by_serial 1 priority group per detected serial number e group_by_prio 1 priority group per path priority value e group_by_node_name 1 priority group per target node name The default value is failover 66 DM Multipath Attribute getuid_callout Description Specifies the default program and arguments to call
277. irst confirm that the crashkernel boot parameter is present note The following line has been split into two to fit the format of this document 17 Installation cat proc cmdline BOOT_IMAGE vmlinuz 3 2 0 17 server root dev mapper PreciseS root ro crashkernel 384M 2G 64M 2G 128M The crashkernel parameter has the following syntax crashkernel lt rangel gt lt sizel gt lt range2 gt lt size2 gt offset range start end start is inclusive and end is exclusive So for the crashkernel parameter found in proc cmdline we would have crashkernel 384M 2G 64M 2G 128M The above value means e if the RAM is smaller than 384M then don t reserve anything this is the rescue case e if the RAM size is between 386M and 2G exclusive then reserve 64M e if the RAM size is larger than 2G then reserve 128M Second verify that the kernel has reserved the requested memory area for the kdump kernel by doing dmesg grep i crash 0 000000 Reserving 64MB of memory at 800MB for crashkernel System RAM 1023MB 5 6 Testing the Crash Dump Mechanism Testing the Crash Dump Mechanism will cause a system reboot In certain situations this 3 can cause data loss if the system is under heavy load If you want to test the mechanism make sure that the system is idle or under very light load Verify that the SysRQ mechanism is enabled by looking at the value of the proc sys kernel sysrq ker
278. is also handled in memory within the database engine allowing caching on a more efficient row level basis rather than file block To meet ACID compliance all transactions are journaled independently of the main tables This allows for much more reliable data recovery as data consistency can be checked As of MySQL 5 5 InnoDB is the default engine and is highly recommended over MyISAM unless you have specific need for features unique to the engine l http www mysqlperformanceblog com 2006 06 17 using myisam in production 2 http en wikipedia org wiki ACID 207 Databases 1 4 Advanced configuration 1 4 1 Creating a tuned my cnf file There are a number of parameters that can be adjusted within MySQL s configuration file that will allow you to improve the performance of the server over time For initial set up you may find Percona s my cnf generating tool useful This tool will help generate a my cnf file that will be much more optimised for your specific server capabilities and your requirements Do not replace your existing my cnf file with Percona s one if you have already loaded data into the database Some of the changes that will be in the file will be incompatible as they alter how data is stored on the hard disk and you ll be unable to start MySQL If you do wish to use it and you have existing data you will need to carry out a mysqldump and reload mysqldump all databases all routines u root p gt f
279. is obtained and displayed using a couple of packages e landscape common provides the core libraries of landscape client which can be used to manage systems using the web based Landscape application The package includes the usr bin landscape sysinfo utility which is used to gather the information displayed in the MOTD e update notifier common is used to automatically update the MOTD via pam_motd module pam_motd executes the scripts in etc update motd d in order based on the number prepended to the script The output of the scripts is written to var run motd keeping the numerical order then concatenated with etc motd tail You can add your own dynamic information to the MOTD For example to add local weather information e First install the weather util package sudo apt get install weather util e The weather utility uses METAR data from the National Oceanic and Atmospheric Administration and forecasts from the National Weather Service In order to find local information you will need the 4 character ICAO location indicator This can be determined by browsing to the National Weather Service site Although the National Weather Service is a United States government agency there are weather stations available world wide However local weather information for all locations outside the U S may not be available e Create usr local bin local weather a simple shell script to use weather with your local ICAO indicator
280. issions when creating user home folders Simply edit the file etc adduser conf and modify the DIR_MODE variable to something appropriate so that all new home directories will receive the correct permissions DIR_MODE 0750 e After correcting the directory permissions using any of the previously mentioned techniques verify the results using the following syntax ls ld home username The results below show that world readable permissions have been removed drwxr x 2 username usernam 4096 2007 10 02 20 03 username 1 4 Password Policy A strong password policy is one of the most important aspects of your security posture Many successful security breaches involve simple brute force and dictionary attacks against weak passwords If you intend to offer any form of remote access involving your local password system make sure you adequately address minimum password complexity requirements maximum password lifetimes and frequent audits of your authentication systems 155 Security 1 4 1 Minimum Password Length By default Ubuntu requires a minimum password length of 6 characters as well as some basic entropy checks These values are controlled in the file etc pam d common password which is outlined below password success 2 default ignore pam_unix so obscure sha512 If you would like to adjust the minimum length to 8 characters change the appropriate variable to min 8 The modification is outl
281. ists you should copy usr share moin config wikifarm mywiki py file to etc moin mywiki py file and do the above mentioned change fy If you have named your Wiki as my_wiki_name you should insert a line my_wiki_name r in etc moin farmconfig py file after the line C mywiki ae 215 LAMP Applications Once you have configured MoinMoin to find your first Wiki application mywiki you should configure apache2 and make it ready for your Wiki application You should add the following lines in etc apache2 sites available default file inside the lt VirtualHost gt tag moin ScriptAlias mywiki usr share moin mywiki moin cgi alias moin_staticl193 usr share moin htdocs lt Directory usr share moin htdocs gt Order allow deny allow from all lt Directory gt end moin Once you configure the apache2 web server and make it ready for your Wiki application you should restart it You can run the following command to restart the apache2 web server sudo service apache2 restart 2 3 Verification You can verify the Wiki application and see if it works by pointing your web browser to the following URL http localhost mywiki For more details please refer to the MoinMoin web site 2 4 References R 5 Py 7 2 For more information see the moinmoin Wiki e Also see the Ubuntu Wiki MoinMoin page f http moinmo in 2 http moinmo in 2 https hel
282. ith more restrictive privileges which is convenient if you need an admin principal that junior staff can use in Kerberos clients Please see the kadm5 acl man page for details 3 Now restart the krb5 admin server for the new ACL to take affect sudo etc init d krb5 admin server restart 4 The new user principal can be tested using the kinit utility kinit steve admin steve admin EXAMPLE COM s Password After entering the password use the klist utility to view information about the Ticket Granting Ticket TGT 126 Network Authentication klist Credentials cache FILE tmp krb5cc_1000 Principal steve admin EXAMPLE COM Issued Expires Principal Jul 13 17 53 34 Jul 14 03 53 34 krbtgt EXAMPLE COM EXAMPLE COM Where the cache filename krb5cc_1000 is composed of the prefix krb5cc_ and the user id uid which in this case is 1000 You may need to add an entry into the etc hosts for the KDC so the client can find the KDC For example 192 168 0 1 kdc0O1 example com kdc01 Replacing 792 168 0 1 with the IP address of your KDC This usually happens when you have a Kerberos realm encompassing different networks separated by routers The best way to allow clients to automatically determine the KDC for the Realm is using DNS SRV records Add the following to etc named db example com _kerberos _udp EXAMPLE COM IN SRV 1 0 88 kdc0O1l example com _kerbero
283. ithout a passphrase and shuffle the key names 172 Security openssl rsa in server key out server key insecure mv server key server key secure mv server key insecure server key The insecure key is now named server key and you can use this file to generate the CSR without passphrase To create the CSR run the following command at a terminal prompt openssl req new key server key out server csr It will prompt you enter the passphrase If you enter the correct passphrase it will prompt you to enter Company Name Site Name Email Id etc Once you enter all these details your CSR will be created and it will be stored in the server csr file You can now submit this CSR file to a CA for processing The CA will use this CSR file and issue the certificate On the other hand you can create self signed certificate using this CSR 5 3 Creating a Self Signed Certificate To create the self signed certificate run the following command at a terminal prompt openssl x509 req days 365 in server csr signkey server key out server crt The above command will prompt you to enter the passphrase Once you enter the correct passphrase your certificate will be created and it will be stored in the server crt file O If your secure server is to be used in a production environment you probably need a CA Q signed certificate It is not recommended to use self signed certificate 5 4 Installing the Certificate Yo
284. ive to the libnss ldap package is the libnss ldapd package This however will bring in the nscd package which is problably not wanted Simply remove it afterwards 1 11 User and Group Management The Idap utils package comes with enough utilities to manage the directory but the long string of options needed can make them a burden to use The Idapscripts package contains wrapper scripts to these utilities that some people find easier to use Install the package sudo apt get install ldapscripts Then edit the file etc ldapscripts ldapscripts conf to arrive at something similar to the following SERVER localhost BINDDN cn admin dc example dc com BINDPWDFILE etc ldapscripts ldapscripts passwd SUFFIX dc example dc com GSUFFIX ou Groups USUFFIX ou People SUFFIX ou Computers GIDSTART 10000 UIDSTART 10000 IDSTART 10000 Now create the 1dapscripts passwd file to allow rootDN access to the directory sudo sh c echo n secret gt etc ldapscripts ldapscripts passwd sudo chmod 400 etc ldapscripts ldapscripts passwd fy Replace secret with the actual password for your database s rootDN user The scripts are now ready to help manage your directory Here are some examples of how to use them 111 Network Authentication e Create a new user sudo ldapadduser george example This will create a user with uid george and set the user s primary group gid to example e Change a us
285. ix are the same 2 Create an LDIF file with the following contents and name it consumer_sync 1dif 101 Network Authentication dn cn module 0 cn config changetype modify add olcModuleLoad olcModuleLoad syncprov dn olcDatabase 1 hdb cn config changetype modify add olcDbIndex olcDbIndex entryUUID eq add olcSyncRepl olcSyncRepl rid 0 provider ldap ldap0l example com bindmethod simple binddn cn admin dc exa credentials secret searchbase dc example dc com logbase cn accesslog logfilter amp objectClass auditWriteObject reqResult 0 schemachecking on type refreshAndPersist retry 60 syncdata accesslog add olcUpdateRef olcUpdateRef ldap ldap01 example com Ensure the following attributes have the correct values e provider Provider server s hostname ldap01 example com in this example or IP address e binddn the admin DN you re using e credentials the admin DN password you re using e searchbase the database suffix you re using e olcUpdateRef Provider server s hostname or IP address e rid Replica ID an unique 3 digit that identifies the replica Each consumer should have at least one rid 3 Add the new content sudo ldapadd Q Y EXTERNAL H ldapi f consumer_sync 1ldif You re done The two databases suffix dc example dc com should now be synchronizing 1 6 3 Testing Once replication starts you can monitor it by running ldapsearc
286. k interface It is recommended that you keep the default settings unless you have a specific purpose for changing them An example of the two default lines are shown below auto lo iface lo inet loopback 1 3 Name Resolution Name resolution as it relates to IP networking is the process of mapping IP addresses to hostnames making it easier to identify resources on a network The following section will explain how to properly configure your system for name resolution using DNS and static hostname records 1 3 1 DNS Client Configuration Traditionally the file etc resolv conf was a Static configuration file that rarely needed to be changed or automatically changed via DCHP client hooks Nowadays a computer can switch from one network to another quite often and the resolvconf framework is now being used to track these changes and update the resolver s configuration automatically It acts as an intermediary between programs that supply nameserver information and applications that need nameserver information Resolvconf gets populated with information by a set of hook scripts related to network interface configuration The most notable difference for the user is that any change manually done to etc resolv conf will be lost as it gets overwritten each time something triggers resolvconf Instead 37 Networking resolvconf uses DHCP client hooks and etc network interfaces to generate a list of nameservers and domains to put
287. ks the multipath settings then the per devices settings then the multipath system defaults 4 2 Configuration File Blacklist The blacklist section of the multipath configuration file specifies the devices that will not be used when the system configures multipath devices Devices that are blacklisted will not be grouped into a multipath device e If you do need to blacklist devices you can do so according to the following criteria e By WWID as described Blacklisting By WWID p 63 e By device name as described in Blacklisting By Device Name p 63 e By device type as described in Blacklisting By Device Type p 64 By default a variety of device types are blacklisted even after you comment out the initial blacklist section of the configuration file For information see Blacklisting By Device Name p 63 4 2 1 Blacklisting By WWID You can specify individual devices to blacklist by their World Wide IDentification with a wwid entry in the blacklist section of the configuration file The following example shows the lines in the configuration file that would blacklist a device with a WWID of 26353900f02796769 blacklist wwid 26353900f02796769 4 2 2 Blacklisting By Device Name You can blacklist device types by device name so that they will not be grouped into a multipath device by specifying a devnode entry in the blacklist section of the configuration file The following example shows the lines in the
288. l apt mirror if you did not change the default are published 319 Virtualization by your Apache server For more information on Apache see Section 1 HTTPD Apache2 Web Server p 187 2 4 Package the Application Two option are available to us e The recommended method to do so is to make a Debian package Since this is outside of the scope of this tutorial we will not perform this here and invite the reader to read the documentation on how to do this in the Ubuntu Packaging Guide In this case it is also a good idea to setup a repository for your package so that updates can be conveniently pulled from it See the Debian Administration article for a tutorial on this e Manually install the application under opt as recommended by the FHS guidelines In our case we ll use Limesurvey as example web application for which we wish to provide a virtual appliance As noted before we ve made a version of the package available in a PPA Personal Package Archive 2 5 Useful Additions 2 5 1 Configuring Automatic Updates To have your system be configured to update itself on a regular basis we will just install unattended upgrades so we add the following option to our command line addpkg unattended upgrades As we have put our application package in a PPA the process will update not only the system but also the application each time we update the version in the PPA 2 5 2 ACPI Event Handling
289. l blocks 576 GB 537 GiB 2486 954195 sd 4 0 0 3 sdb Write Protect is off 2486 954200 sd 4 0 0 3 sdb Mode Sense 8f 00 00 08 2486 954692 sd 4 0 0 3 sdb Write cache disabled read cache enabled doesn t support DPO or FUA 2486 960577 sdb sdbl 2486 964862 sd 4 0 0 3 sdb Attached SCSI disk In the output above sdb is the new iSCSI disk Remember this is just an example the output you see on your screen will vary Next create a partition format the file system and mount the new iSCSI disk In a terminal enter sudo fdisk dev sdb n P enter The above commands are from inside the fdisk utility see man fdisk for more detailed instructions Also the cfdisk utility is sometimes more user friendly Now format the file system and mount it to srv as an example sudo mkfs ext4 dev sdb1 sudo mount dev sdb1 srv 229 File Servers Finally add an entry to etc fstab to mount the iSCSI drive during boot dev sdb1 srv ext4 defaults auto _netdev 0 0 It is a good idea to make sure everything is working as expected by rebooting the server 3 3 References Open iSCSI Website Debian Open iSCSI page 3 http www open iscsi org 6 http wiki debian org SAN iSCSI open iscsi 230 File Servers 4 CUPS Print Server The primary mechanism for Ubuntu printing and print services is the Common UNIX Printing System CUPS This printing system is a freely available portab
290. l of v2 if you do not specify a v option multipath create 3600a0b80001327d80000006d43621677 undef WINSYS SF2372 size 12G features 0 hwhandler 0 wp undef policy round robin 0 prio 1 status undef 2 0 0 0 sdb 8 16 undef ready running 3 0 0 0 sdf 8 80 undef ready running create 3600a0b80001327510000009a436215ec undef WINSYS SF2372 size 12G features 0 hwhandler 0 wp undef policy round robin 0 prio 1 status undef 2 0 0 1 sdc 8 32 undef ready running 3 0 0 1 sdg 8 96 undef ready running create 3600a0b80001327d800000070436216b3 undef WINSYS SF2372 size 12G features 0 hwhandler 0 wp undef policy round robin 0 prio 1 status undef 2 0 0 2 sdd 8 48 undef ready running 3 0 0 2 sdg 8 112 undef ready running create 3600a0b80001327510000009b4362163e undef WINSYS SF2372 size 12G features 0 hwhandler 0 wp undef policy round robin 0 prio 1 status undef 2 0 0 3 sdd 8 64 undef ready running 3 0 0 3 sdg 8 128 undef ready running 60 DM Multipath 3 4 Configuring Storage Devices By default DM Multipath includes support for the most common storage arrays that support DM Multipath The default configuration values including supported devices can be found in the multipath conf defaults file If you need to add a storage device that is not supported by default as a known multipath device edit the etc multipath conf
291. l the internal communication between instances will happen there while the public network will be in the 10 153 107 0 29 range on eth0 4 3 1 Install bridging support 333 Virtualization sudo apt get install bridge utils 4 3 2 Install and configure NTP sudo apt get install ntp Add these two lines at the end of the etc ntp conf file server 127 127 1 0 fudge 127 127 1 0 stratum 10 Restart ntp service sudo service ntp restart 4 3 3 Install and configure MySQL sudo apt get install mysql server Create a database and mysql user for OpenStack sudo mysql uroot ppassword e CREATE DATABASE nova sudo mysql uroot ppassword e GRANT ALL ON nova TO novauser localhost IDENTIFIED BY novapassword The line continuation character implies that you must include the subsequent line as part of the current command 4 4 Install OpenStack Compute Nova OpenStack Compute Nova is a cloud computing fabric controller the main part of an IaaS system It is written in Python using the Eventlet and Twisted frameworks and relies on the standard AMQP messaging protocol and SQLAIchemy for data store access Install OpenStack Nova components sudo apt get install nova api nova network nova volume nova objectstore nova scheduler nova compute euca2ools unzip Restart libvirt bin just to make sure libvirtd is aware of ebtables sudo service libvirt bin restart Install RabbitMQ
292. lable in apache2 common package Execute the following command from a terminal prompt to enable the mod_ssl module sudo a2enmod ssl 192 Web Servers There is a default HTTPS configuration file in etc apache2 sites available default ss1 In order for Apache2 to provide HTTPS a certificate and key file are also needed The default HTTPS configuration will use a certificate and key generated by the ssl cert package They are good for testing but the auto generated certificate and key should be replaced by a certificate specific to the site or server For information on generating a key and obtaining a certificate see Section 5 Certificates p 171 To configure Apache2 for HTTPS enter the following sudo a2ensite default ssl bJ The directories etc ssl certs and etc ssl private are the default locations If you install the certificate and key in another directory make sure to change SSLCertificate File and SSLCertificateKeyFile appropriately With Apache2 now configured for HTTPS restart the service to enable the new settings sudo service apache2 restart fy Depending on how you obtained your certificate you may need to enter a passphrase when Apache starts You can access the secure server pages by typing https your_hostname url in your browser address bar 1 4 Sharing Write Permission For more than one user to be able to write to the same directory it will be necessary to grant write permission to
293. le printing layer which has become the new standard for printing in most Linux distributions CUPS manages print jobs and queues and provides network printing using the standard Internet Printing Protocol IPP while offering support for a very large range of printers from dot matrix to laser and many in between CUPS also supports PostScript Printer Description PPD and auto detection of network printers and features a simple web based configuration and administration tool 4 1 Installation To install CUPS on your Ubuntu computer simply use sudo with the apt get command and give the packages to install as the first parameter A complete CUPS install has many package dependencies but they may all be specified on the same command line Enter the following at a terminal prompt to install CUPS sudo apt get install cups Upon authenticating with your user password the packages should be downloaded and installed without error Upon the conclusion of installation the CUPS server will be started automatically For troubleshooting purposes you can access CUPS server errors via the error log file at var log cups error_log If the error log does not show enough information to troubleshoot any problems you encounter the verbosity of the CUPS log can be increased by changing the LogLevel directive in the configuration file discussed below to debug or even debug2 which logs everything from the default of info If you make thi
294. le should specify root first mountpoint size where size is in megabytes You can have up to 4 virtual disks a new disk starts on a line with ie root 1000 opt 1000 swap 256 var 2000 log 1500 In our case we will define a text file name vmbuilder partition which will contain the following root 8000 swap 4000 316 Virtualization var 20000 fy Note that as we are using virtual disk images the actual sizes that we put here are maximum sizes for these volumes Our command line now looks like sudo vmbuilder kvm ubuntu suite precise flavour virtual arch i386 o libvirt qemu system ip 192 168 0 100 hostname myvm part vmbuilder partition bA Using a in a command will allow long command strings to wrap to the next line 2 3 2 3 User and Password Again setting up a virtual appliance you will need to provide a default user and password that is generic so that you can include it in your documentation We will see later on in this tutorial how we will provide some security by defining a script that will be run the first time a user actually logs in the appliance that will among other things ask him to change his password In this example I will use user as my user name and default as the password To do this we use the following optional parameters e user USERNAME Sets the name of the user to be added Default ubuntu e name FULLNAME Sets the full name of the us
295. lete your empty proxy is ready for use on http mirroraddress 9999 and will find ubuntu repository under ubuntu For vmbuilder to use it we ll have to use the mirror option mirror URL Use Ubuntu mirror at URL instead of the default which is http archive ubuntu com ubuntu for official 318 Virtualization arches and http ports ubuntu com ubuntu ports otherwise So we add to the command line mirror http mirroraddress 9999 ubuntu fe The mirror address specified here will also be used in the etc apt sources 1list of the newly created guest so it is useful to specify here an address that can be resolved by the guest or to plan on reseting this address later on 2 3 4 2 Install a Local Mirror If we are in a larger environment it may make sense to setup a local mirror of the Ubuntu repositories The package apt mirror provides you with a script that will handle the mirroring for you You should plan on having about 20 gigabyte of free space per supported release and architecture By default apt mirror uses the configuration file in etc apt mirror list As it is set up it will replicate only the architecture of the local machine If you would like to support other architectures on your mirror simply duplicate the lines starting with deb replacing the deb keyword by deb arch where arch can be 1386 amd64 etc For example on an amd64 machine to have the 1386 archives as well you will
296. lients rarely complain about self signed certificates Please refer to Section 5 Certificates p 171 for details about how to create self signed SSL certificate Once you create the certificate you will have a key file and a certificate file Please copy them to the location pointed in the etc dovecot dovecot conf configuration file 3 4 Firewall Configuration for an Email Server To access your mail server from another computer you must configure your firewall to allow connections to the server on the necessary ports e IMAP 143 e IMAPS 993 e POP3 110 e POP3S 995 3 5 References 15 See the Dovecot website for more information e Also the Dovecot Ubuntu Wiki page has more details 15 http www dovecot org 16 https help ubuntu com community Dovecot 246 Email Services 4 Mailman Mailman is an open source program for managing electronic mail discussions and e newsletter lists Many open source mailing lists including all the Ubuntu mailing lists use Mailman as their mailing list software It is powerful and easy to install and maintain 4 1 Installation Mailman provides a web interface for the administrators and users using an external mail server to send and receive emails It works perfectly with the following mail servers e Postfix e Exim e Sendmail e Qmail We will see how to install and configure Mailman with the Apache web server and eithe
297. line split into 3 to fit this document 4304885 870000 NEW_HTTP_CONN IN lo OUT MAC 00 00 00 00 00 00 00 00 00 00 00 00 08 00 SRC 127 0 0 1 DST 127 0 0 1 LEN 60 TOS 0x00 PREC 0x00 TTL 64 ID 58288 DF PROTO TCP SPT 53981 DPT 80 WINDOW 32767 RES 0x00 SYN URGP 0 The above log will also appear in var log messages var log syslog and var log kern 1log This behavior can be modified by editing etc syslog conf appropriately or by installing and configuring ulogd and using the ULOG target instead of LOG The ulogd daemon is a userspace server that listens for logging instructions from the kernel specifically for firewalls and can log to any file you like or even to a PostgreSQL or MySQL database Making sense of your firewall logs can be simplified by using a log analyzing tool such as logwatch fwanalog fwlogwatch or lire 165 Security 3 5 Other Tools There are many tools available to help you construct a complete firewall without intimate knowledge of iptables For the GUI inclined e fwbuilder is very powerful and will look familiar to an administrator who has used a commercial firewall utility such as Checkpoint FireWall 1 If you prefer a command line tool with plain text configuration files e Shorewall is a very powerful solution to help you configure an advanced firewall for any network 3 6 References e The Ubuntu Firewall wiki page contains information on the development of ufw Also the ufw man
298. ltipath Device 5 4 The Multipath Daemon If you find you have trouble implementing a multipath configuration you should ensure the multipath daemon is running as described in Setting up DM Multipath The multipathd daemon must be running in order to use multipathd devices Also see section Troubleshooting with the multipathd interactive console concerning interacting with multipathd as a debugging aid 74 DM Multipath 5 5 Issues with queue_if no path If features 1 queue_if_no_path is specified in the etc multipath conf file then any process that uses I O will hang until one or more paths are restored To avoid this set the no_path_retry N parameter in the etc multipath conf When you set the no_path_retry parameter remove the features 1 queue_if_no_path option from the etc multipath conf file as well If however you are using a multipathed device for which the features 1 queue_if_no_path option is set as a compiled in default as it is for many SAN devices you must add features 0 to override this default You can do this by copying the existing devices section and just that section not the entire file from usr share doc multipath tools examples multipath conf annotated gz into etc multipath conf and editing to suit your needs If you need to use the features 1 queue_if_no_path option and you experience the issue noted here use the dmsetup command to edit the policy at runtime for a particular
299. lume Group VG is made from one or more physical volumes A VG can can be extended by adding more PVs A VG is like a virtual disk drive from which one or more logical volumes are carved e Logical Volume LV is similar to a partition in a non LVM system A LV is formatted with the desired file system EXT3 XFS JFS etc it is then available for mounting and data storage 4 2 2 Installation As an example this section covers installing Ubuntu Server Edition with srv mounted on a LVM volume During the initial install only one Physical Volume PV will be part of the Volume Group VG Another PV will be added after install to demonstrate how a VG can be extended There are several installation options for LVM Guided use the entire disk and setup LVM which will also allow you to assign a portion of the available space to LVM Guided use entire and setup encrypted LVM or Manually setup the partitions and configure LVM At this time the only way to configure a system with both LVM and standard partitions during installation is to use the Manual approach 1 Follow the installation steps until you get to the Partition disks step then 2 Atthe Partition Disks screen choose Manual 3 Select the hard disk and on the next screen choose yes to Create a new empty partition table on this device 4 Next create standard boot swap and partitions with whichever filesystem you prefer For the LVM sry create a new
300. ly them For example the following is what would be applied if opening the HTTP port sudo ufw dry run allow http filter ufw user input 0 0 ufw user output 0 0 ufw user forward 0 0 ufw user limit 0 0 ufw user limit accept 0 0 RULES tuple allow tcp 80 0 0 0 0 0 any 0 0 0 0 0 A ufw user input p tcp dport 80 j ACCEPT END RULES A ufw user input j RETURN A ufw user output j RETURN A ufw user forward j RETURN A ufw user limit m limit limit 3 minut j LOG log prefix UFW LIMIT A ufw user limit j REJECT A ufw user limit accept j ACCEPT COMMIT Rules updated ufw can be disabled by sudo ufw disable To see the firewall status enter sudo ufw status And for more verbose status information use sudo ufw status verbose To view the numbered format sudo ufw status numbered If the port you want to open or close is defined in etc services you can use the port name instead of the number In the above examples replace 22 with ssh 161 Security This is a quick introduction to using ufw Please refer to the ufw man page for more information 3 2 1 ufw Application Integration Applications that open ports can include an ufw profile which details the ports needed for the application to function properly The profiles are kept in etc ufw applications d and can be edited if the default ports have been chan
301. ma core schema include etc ldap schema collective schema include etc ldap schema corba schema include etc ldap schema cosine schema include etc ldap schema duaconf schema include etc ldap schema dyngroup schema include etc ldap schema inetorgperson schema include etc ldap schema java schema include etc ldap schema misc schema include etc ldap schema nis schema include etc ldap schema openldap schema include etc ldap schema ppolicy schema include etc ldap schema ldapns schema include etc ldap schema pmi schema 2 Create the output directory 1dif_output 3 Determine the index of the schema slapcat f schema_convert conf F ldif_output n 0 grep corba cn schema cn 1l corba cn schema cn config fe When slapd injests objects with the same parent DN it will create an index for that object An index is contained within braces X 4 Use slapcat to perform the conversion slapcat f schema_convert conf F ldif_output n0 H ldap cn 1 corba cn schema cn config 1 cn corba 1ldif The converted schema is now in cn corba ldif 97 Network Authentication i Edit cn corba 1dif to arrive at the following attributes dn cn corba cn schema cn config cn corba Also remove the following lines from the bottom structuralObjectClass olcSchemaConfig entryUUID 52109a02 66ab 1030 8be2 bbf166230478 creatorsName cn config createTimestamp 201108291654352 entryCSN 20110829165435 935248Z 00000
302. machine or your central firewall may need to NAT the TUN TAP interface to the internet in order for this to work properly push redirect gateway defl bypass dhcp Configure server mode and supply a VPN subnet for OpenVPN to draw client addresses from The server will take 10 8 0 1 for itself the rest will be made available to clients Each client will be able to reach the server on 10 8 0 1 Comment this line out if you are ethernet bridging server 10 8 0 0 255 255 255 0 Maintain a record of client to virtual IP address associations in this file If OpenVPN goes down or is restarted reconnecting clients can be assigned the same virtual IP address from the pool that was previously assigned ifconfig pool persist ipp txt Push DNS servers to the client push dhcp option DNS 10 0 0 2 push dhcp option DNS 10 1 0 2 Allow client to client communication client to client Enable compression on the VPN link comp 1zo The keepalive directive causes ping like messages to be sent back and forth over the link so that each side knows when the other side has gone down Ping every 1 second assume that remote peer is down if no ping received during a 3 second time period keepalive 1 3 It s a good idea to reduce the OpenVPN daemon s privileges after initialization user nobody group nogroup 371 VPN OpenVPN 2 0 includes a feature that allows the OpenVPN server to securely obtain a username and password from a
303. main In this example the machines group will need to be created using the addgroup utility see Section 1 2 Adding and Deleting Users p 154 for details 4 Uncomment the homes share to allow the logon home to be mapped homes comment Home Directories browseable no read only no create mask 0700 directory mask 0700 valid users S 5 When configured as a domain controller a netlogon share needs to be configured To enable the share uncomment netlogon comment Network Logon Service path srv samba netlogon guest ok yes read only yes share modes no The original netlogon share path is home samba net logon but according to the Filesystem Hierarchy Standard FHS srv is the correct location for site specific data provided by the system 6 Now create the netlogon directory and an empty for now logon cmd script file sudo mkdir p srv samba netlogon sudo touch srv samba netlogon logon cmd You can enter any normal Windows logon script commands in logon cma to customize the client s environment 7 Restart Samba to enable the new domain controller sudo restart smbd sudo restart nmbd 8 Lastly there are a few additional commands needed to setup the appropriate rights With root being disabled by default in order to join a workstation to the domain a system group needs to be mapped to the Windows Domain Admins group Using the net utility from a terminal
304. match 2 The EXTERNAL mechanism works via ZPC UNIX domain sockets This means you must use the Idapi URI format A succinct way to get all the ACLs is like this sudo ldapsearch Q LLL Y EXTERNAL H ldapi b cn config olcAccess olcAccess olcSuffix There is much to say on the topic of access control See the man page for slapd access 1 8 TLS When authenticating to an OpenLDAP server it is best to do so using an encrypted session This can be accomplished using Transport Layer Security TLS Here we will be our own Certificate Authority and then create and sign our LDAP server certificate as that CA Since slapd is compiled using the gnutls library we will use the certtool utility to complete these tasks 1 Install the gnutls bin and ssl cert packages sudo apt get install gnutls bin ssl cert 2 Create a private key for the Certificate Authority i http manpages ubuntu com manpages en man5 slapd access 5 html 105 Network Authentication sudo sh c certtool generate privkey gt etc ssl private cakey pem Create the template file etc ss1 ca info to define the CA cn Example Company ca cert_signing_key Create the self signed CA certificate sudo certtool generate self signed load privkey etc ssl private cakey pem template etc ssl ca info outfile etc ssl certs cacert pem Make a private key for the server sudo certtool generate privkey bits 10
305. mbuilder is quite simple but here are a few thing to consider e If you plan on shipping a virtual appliance do not assume that the end user will know how to extend disk size to fit their need so either plan for a large virtual disk to allow for your appliance to grow or explain fairly well in your documentation how to allocate more space It might actually be a good idea to store data on some separate external storage e Given that RAM is much easier to allocate in a VM RAM size should be set to whatever you think is a safe minimum for your appliance The vmbuilder command has 2 main parameters the virtualization technology hypervisor and the targeted distribution Optional parameters are quite numerous and can be found using the following command 7 https help ubuntu com community KVM 8 https help ubuntu com community PowerUsersTextEditors 314 Virtualization vmbuilder kvm ubuntu help 2 3 1 Base Parameters As this example is based on KVM and Ubuntu 12 04 LTS Precise Pangolin and we are likely to rebuild the same virtual machine multiple time we ll invoke vmbuilder with the following first parameters sudo vmbuilder kvm ubuntu suite precise flavour virtual arch i386 o libvirt qemu system The suite defines the Ubuntu release the flavour specifies that we want to use the virtual kernel that s the one used to build a JeOS image the arch tells that we want to use a 32 bit mac
306. me in this file by editing the following line M irc localhost Debian ircd default configuration 000A Please make sure you add DNS aliases for the IRC host name For instance if you set irc livecipher com as IRC host name please make sure irc livecipher com is resolvable in your Domain Name Server The IRC host name should not be same as the host name The IRC admin details can be configured by editing the following line A Organization IRC dept Daemon lt ircd example irc org gt Client Server IRCnet You should add specific lines to configure the list of IRC ports to listen on to configure Operator credentials to configure client authentication etc For details please refer to the example configuration file usr share doc ircd irc2 ircd conf example gz The IRC banner to be displayed in the IRC client when the user connects to the server can be set in etc ircd ircd motd file After making necessary changes to the configuration file you can restart the IRC server using following command sudo etc init d ircd irc2 restart 2 3 References You may also be interested to take a look at other IRC servers available in Ubuntu Repository It includes ircd ircu and ircd hybrid 262 Chat Applications e Refer to IRCD FAQ for more details about the IRC Server l http www irc org tech_docs ircnet faq html 263 Chat Applications 3 Jabber Instant Messaging Server Jabber a popular instant me
307. min Another important configuration file is etc phpmyadmin apache conf this file is symlinked to etc apache2 conf d phpmyadmin conf and is used to configure Apache2 to serve the phpMyAdmin 219 LAMP Applications site The file contains directives for loading PHP directory permissions etc For more information on configuring Apache2 see Section 1 HTTPD Apache2 Web Server p 187 4 3 References e The phpMyAdmin documentation comes installed with the package and can be accessed from the phpMyAdmin Documentation link a question mark with a box around it under the phpMyAdmin logo The official docs can also be access on the phpMyAdmin site e Also Mastering phpMyAdmin is a great resource e A third resource is the phpMyAdmin Ubuntu Wiki page i http www phpmyadmin net home_page docs php 8 http www packtpub com phpmyadmin 3rd edition book 7 https help ubuntu com community phpMy Admin 220 Chapter 14 File Servers If you have more than one computer on a single network At some point you will probably need to share files between them In this section we cover installing and configuring FTP NFS and CUPS 221 File Servers 1 FTP Server File Transfer Protocol FTP is a TCP protocol for downloading files between computers In the past it has also been used for uploading but as that method does not use encryption user credentials as well as data transferred in the clear an
308. mode is left over from before Samba could become a member server and due to some security issues should not be used See the Server Security section of the Samba guide for more details e security share allows clients to connect to shares without supplying a username and password The security mode you choose will depend on your environment and what you need the Samba server to accomplish 4 2 Security User This section will reconfigure the Samba file and print server from Section 2 Samba File Server p 278 and Section 3 Samba Print Server p 281 to require authentication First install the libpam smbpass package which will sync the system users to the Samba user database sudo apt get install libpam smbpass fy If you chose the Samba Server task during installation libpam smbpass is already installed Edit etc samba smb conf and in the share section change guest ok no Finally restart Samba for the new settings to take effect 13 http samba org samba docs man Samba HOWTO Collection ServerType html id349531 283 Windows Networking sudo restart smbd sudo restart nmbd Now when connecting to the shared directories or printers you should be prompted for a username and password fy If you choose to map a network drive to the share you can check the Reconnect at Logon check box which will require you to only enter the username and password once at least until the pass
309. mplate does By default it installs a debian squeeze image An alternate release can be chosen by setting the SUITE environment variable i e sudo SUITE sid lxc create t debian n dl Since debian cannot be safely booted inside a container debian containers will be trimmed as with the trim option to the ubuntu template To purge the container image cache call the template directly and pass it the clean option sudo SUITE sid usr 1lib 1xc templates 1lxc debian clean A fedora template exists which creates containers based on fedora releases lt 14 Fedora release 15 and higher are based on systemd which the template is not yet able to convert into a container bootable setup Before the fedora template is able to run you ll need to make sure that yum and curl are installed A fedora 12 container can be created with 346 Virtualization sudo lxc create t fedora n fedoral2 R 12 A OpenSuSE template exists but it requires the zypper program which is not yet packaged The OpenSuSE template is therefore not supported Two more templates exist mainly for experimental purposes The busybox template creates a very small system container based entirely on busybox The sshd template creates an application container running sshd in a private network namespace The host s library and binary directories are bind mounted into the container though not its home or root To create start and ssh into an ssh container
310. mydomain com has already been configured and uses SSH keys for authentication SSH keys are needed because libvirt sends the password prompt to another process For details on configuring SSH see Section I OpenSSH Server p 80 1 6 Virtual Machine Viewer The virt viewer application allows you to connect to a virtual machine s console virt viewer does require a Graphical User Interface GUD to interface with the virtual machine To install virt viewer from a terminal enter sudo apt get install virt viewer 311 Virtualization Once a virtual machine is installed and running you can connect to the virtual machine s console by using virt viewer c qemu system web_devel Similar to virt manager virt viewer can connect to a remote host using SSH with key authentication as well virt viewer c qemutssh virtnodel mydomain com system web_devel Be sure to replace web_devel with the appropriate virtual machine name If configured to use a bridged network interface you can also setup SSH access to the virtual machine See Section I OpenSSH Server p 80 and Section 1 4 Bridging p 39 for more details 1 7 Resources See the KVM home page for more details e For more information on libvirt see the libvirt home page e The Virtual Machine Manager site has more information on virt manager development e Also stop by the ubuntu virt IRC channel on freenode to discuss virtualization
311. n cn admin dc example dc com ldap ssl start tls ldap passwd sync yes add machine script sudo usr sbin smbldap useradd t 0 w Su Change the values to match your environment Restart samba to enable the new settings 120 Network Authentication sudo restart smbd sudo restart nmbd Now inform Samba about the rootDN user s password the one set during the installation of the slapd package sudo smbpasswd w password If you have existing LDAP users that you want to include in your new LDAP backed Samba they will of course also need to be given some of the extra attributes The smbpasswd utility can do this as well your host will need to be able to see enumerate those users via NSS install and configure either libnss Idapd or libnss ldap sudo smbpasswd a username You will prompted to enter a password It will be considered as the new password for that user Making it the same as before is reasonable To manage user group and machine accounts use the utilities provided by the smbldap tools package Here are some examples To add a new user sudo smbldap useradd a P username The a option adds the Samba attributes and the P option calls the smbldap passwd utility after the user is created allowing you to enter a password for the user e To remove a user sudo smbldap userdel username In the above command use the r option to remove the user s home directory e To add a group
312. n etc tomcat 6 Only a few common configuration tweaks will be described here please see Tomcat 6 0 documentation for more 5 2 1 Changing default ports By default Tomcat 6 0 runs a HTTP connector on port 8080 and an AJP connector on port 8009 You might want to change those default ports to avoid conflict with another server on the system This is done by changing the following lines in etc tomcat6 server xml lt Connector port 8080 protocol HTTP 1 1 connectionTimeout 20000 redirectPort 8443 gt lt Connector port 8009 protocol AJP 1 3 redirectPort 8443 gt 5 2 2 Changing JVM used By default Tomcat will run preferably with OpenJDK 6 then try Sun s JVM then try some other JVMs If you have various JVMs installed you can set which should be used by setting JAVA_HOME in etc default tomcat JAVA_HOME usr lib jvm java 6 sun 20 http tomcat apache org tomcat 6 0 doc index html 201 Web Servers 5 2 3 Declaring users and roles Usernames passwords and roles groups can be defined centrally in a Servlet container In Tomcat 6 0 this is done in the etc tomcat 6 tomcat users xml file lt role rolename admin gt lt user username tomcat password s3cret roles admin gt 5 3 Using Tomcat standard webapps Tomcat is shipped with webapps that you can install for documentation administration or demo purposes 5 3 1 Tomcat documentation The tomcat6 docs p
313. n always run euca describe keypairs to get a list of created keys stored in the system 2 You must also allow access to port 22 in your instances hy https help ubuntu com community UEC ElasticFox 328 Virtualization euca authorize default P tcp p 22 s 0 0 0 0 0 Next you can create instances of your registered image euca run instances SEMI k mykey t ml small fe If you receive an error regarding image_id you may find it by viewing Images page or click How to Run on the Store page to see the sample command The first time you run an instance the system will be setting up caches for the image from which it will be created This can often take some time the first time an instance is run given that VM images are usually quite large To monitor the state of your instance run watch n5 euca describe instances In the output you should see information about the instance including its state While first time caching is being performed the instance s state will be pending When the instance is fully started the above state will become running Look at the IP address assigned to your instance in the output then connect to it IPADDR euca describe instances grep EMI grep running tail n1 awk print 4 ssh i euca mykey priv ubuntu S IPADDR And when you are done with this instance exit your SSH connection then terminate your instance INSTANCEID euca describe
314. n bash homeDirectory home john fe It s important that uid and gid values in your directory do not collide with local values Use high number ranges such as starting at 5000 By setting the uid and gid values in Idap high you also allow for easier control of what can be done with a local user vs a ldap one More on that later Add the content ldapadd x D cn admin dc example dc com W f add_content 1ldif Enter LDAP Password x xx adding new entry ou People dc example dc com adding new entry ou Groups dc example dc com adding new entry cn miners ou Groups dc example dc com adding new entry uid john ou People dc example dc com We can check that the information has been correctly added with the ldapsearch utility ldapsearch x LLL b dc example dc com uid john cn gidNumber 95 Network Authentication dn uid john ou People dc example dc com cn John Doe gidNumber 5000 Explanation of switches e x simple binding will not use the default SASL method e LLL disable printing extraneous information e uid john a filter to find the john user e cn gidNumber requests certain attributes to be displayed the default is to show all attributes 1 4 Modifying the slapd Configuration Database The slapd config DIT can also be queried and modified Here are a few examples e Use ldapmodify to add an Index DbIndex attribute to your 1 hdb cn config database
315. n of notes e O Reilly s LDAP System Administration textbook 2003 e Packt s Mastering OpenLDAP textbook 2007 30 http manpages ubuntu com manpages en man5 slapo syncprov 5 html al http manpages ubuntu com manpages en man8 auth client config 8 html 32 http manpages ubuntu com manpages en man8 pam auth update 8 html 33 http www zytrax com books ldap oA https help ubuntu com community OpenLDAPServer 39 http www oreilly com catalog ldapsa 36 http www packtpub com OpenLDAP Developers Server Open Source Linux book 116 Network Authentication 2 Samba and LDAP This section covers the integration of Samba with LDAP The Samba server s role will be that of a standalone server and the LDAP directory will provide the authentication layer in addition to containing the user group and machine account information that Samba requires in order to function in any of it s 3 possible roles The pre requisite is an OpenLDAP server configured with a directory that can accept authentication requests See Section 1 OpenLDAP Server p 91 for details on fulfilling this requirement Once this section is completed you will need to decide what specifically you want Samba to do for you and then configure it accordingly 2 1 Software Installation There are three packages needed when integrating Samba with LDAP samba samba doc and smbldap tools packages Strictly speaking the smbldap tools package isn
316. n run the update sub command The syntax of the command entered at a terminal prompt is as follows cd project_dir svn update For more details about using each Subversion sub command you can refer to the manual For example to learn more about the co checkout command please run the following command from a terminal prompt svn co help 271 Version Control System 2 3 5 Access via custom protocol with SSL encryption svn ssh The configuration and server process is same as in the svn method For details please refer to the above section This step assumes you have followed the above step and started the Subversion server using svnserve command It is also assumed that the ssh server is running on that machine and that it is allowing incoming connections To confirm please try to login to that machine using ssh If you can login everything is perfect If you cannot login please address it before continuing further The svn ssh protocol is used to access the Subversion repository using SSL encryption The data transfer is encrypted using this method To access the project repository for example with a checkout you must use the following command syntax svn co svnt ssh hostname var svn repos project fy You must use the full path path to repos project to access the Subversion repository using this access method Based on server configuration it prompts for password You must enter the pas
317. nal statement prints a l long listing in h human readable format of the destination directory This is useful for a quick file size check of the archive file This check should not replace testing the archive file This is a simple example of a backup shell script however there are many options that can be included in such a script See Section 1 4 References p 298 for links to resources providing more in depth shell scripting information 1 2 Executing the Script 1 2 1 Executing from a Terminal The simplest way of executing the above backup script is to copy and paste the contents into a file backup sh for example Then from a terminal prompt sudo bash backup sh This is a great way to test the script to make sure everything works as expected 1 2 2 Executing with cron The cron utility can be used to automate the script execution The cron daemon allows the execution of scripts or commands at a specified time and date cron is configured through entries in a crontab file crontab files are separated into fields 296 Backups m h dom mon dow command e m minute the command executes on between 0 and 59 h hour the command executes on between 0 and 23 dom day of month the command executes on mon the month the command executes on between 1 and 12 dow the day of the week the command executes on between 0 and 7 Sunday may be specified by using 0 or 7 both values are vali
318. nal users omit the c option as this option replaces the old file Instead use this form sudo htpasswd etc subversion passwd user_name This command will prompt you to enter the password Once you enter the password the user is added Now to access the repository you can run the following command svn co http servername svn The password is transmitted as plain text If you are worried about password snooping you are advised to use SSL encryption For details please refer next section 2 3 3 Access via WebDAV protocol with SSL encryption https Accessing Subversion repository via WebDAV protocol with SSL encryption https is similar to http except that you must install and configure the digital certificate in your Apache2 web server To use SSL with Subversion add the above Apache2 configuration to etc apache2 sites available default ssl For more information on setting up Apache2 with SSL see Section 1 3 HTTPS Configuration p 192 You can install a digital certificate issued by a signing authority Alternatively you can install your own self signed certificate 270 Version Control System This step assumes you have installed and configured a digital certificate in your Apache 2 web server Now to access the Subversion repository please refer to the above section The access methods are exactly the same except the protocol You must use https to access the Subversion repository
319. nce and thus the route is precisely the same each time it is used and low overhead on other routers and network links due to the lack of a dynamic routing protocol However static routing does present some disadvantages as well For example static routing is limited to small networks and does not scale well Static routing also fails completely to adapt to network outages and failures along the route due to the fixed nature of the route Dynamic routing depends on large networks with multiple possible IP routes from a source to a destination and makes use of special routing protocols such as the Router Information Protocol RIP which handle the automatic adjustments in routing tables that make dynamic routing possible Dynamic routing has several advantages over static routing such as superior scalability and the ability to adapt to failures and outages along network routes Additionally there is less manual configuration of the routing tables since routers learn from one another about their existence and available routes This trait also eliminates the possibility of introducing mistakes in the routing tables via human error Dynamic routing is not perfect however and presents disadvantages such as heightened complexity and additional network overhead from router communications which does not immediately benefit the end users but still consumes network bandwidth 2 4 TCP and UDP TCP is a connection based protocol offering error
320. nctionality is included in the core server Extended features are available through modules which can be loaded into Apache2 By default a base set of modules is included in the server at compile time If the server is compiled to use dynamically loaded modules then modules can be compiled separately and added at any time using the LoadModule directive Otherwise Apache2 must be recompiled to add or remove modules Ubuntu compiles Apache2 to allow the dynamic loading of modules Configuration directives may be conditionally included on the presence of a particular module by enclosing them in an lt fModule gt block You can install additional Apache2 modules and use them with your Web server For example run the following command from a terminal prompt to install the MySQL Authentication module sudo apt get install libapache2 mod auth mysql See the etc apache2 mods available directory for additional modules Use the a2enmod utility to enable a module sudo a2enmod auth_mysql sudo service apache2 restart Similarly a2dismod will disable a module sudo a2dismod auth_mysql sudo service apache2 restart 1 3 HTTPS Configuration The mod_ssl module adds an important feature to the Apache2 server the ability to encrypt communications Thus when your browser is communicating using SSL the https prefix is used at the beginning of the Uniform Resource Locator URL in the browser navigation bar The mod_ssl module is avai
321. ndly_names option in the multipath configuration file which causes DM Multipath to use a node unique alias of the form mpathn as the name For example a node with two HBAs attached to a storage controller with two ports via a single unzoned FC switch sees four devices dev sda dev sdb dev sdc and dev sdd DM Multipath creates a single device with a unique WWID that reroutes I O to those four underlying devices according to the multipath configuration When the user_friendly_names configuration option is set to yes the name of the multipath device is set to mpathn When new devices are brought under the control of DM Multipath the new devices may be seen in two different places under the dev directory dev mapper mpathn and dev dm n e The devices in dev mapper are created early in the boot process Use these devices to access the multipathed devices for example when creating logical volumes e Any devices of the form dev dm n are for internal use only and should never be used For information on the multipath configuration defaults including the user_friendly_names configuration option see Section Configuration File Defaults You can also set the name of a multipath device to a name of your choosing by using the alias option in the multipaths section of the multipath configuration file For information on the multipaths section of the multipath configuration file see Section Multipaths Device Configuration Attributes
322. ndwidth throttling and improve latency e zentyal usercorner allows users to edit their own LDAP attributes using a web browser e zentyal virt simple interface to create and manage virtual machines based on libvirt e zentyal webmail allows to access your mail using the popular Roundcube webmail e zentyal webserver configures Apache webserver to host different sites on your machine e zentyal zarafa integrates Zarafa groupware suite with Zentyal mail stack and LDAP 3 2 First steps Any system account belonging to the sudo group is allowed to log into Zentyal web interface If you are using the user created during the installation this should be in the sudo group by default If you need to add another user to the sudo group just execute sudo adduser username sudo To access Zentyal web interface browse into https localhost or the IP of your remote server As Zentyal creates its own self signed SSL certificate you will have to accept a security exception on your browser Once logged in you will see the dashboard with an overview of your server To configure any of the features of your installed modules go to the different sections on the left menu When you make any changes on the upper right corner appears a red Save changes button that you must click to save all configuration changes To apply these configuration changes in your server the module needs to be enabled first you can do so from the Module Status en
323. nel parameter cat proc sys kernel sysrq If a value of 0 is returned the feature is disabled Enable it with the following command sudo sysctl w kernel sysrq 1 Once this is done you must become root as just using sudo will not be sufficient As the root user you will have to issue the command echo c gt proc sysrq trigger If you are using a network 18 Installation connection you will lose contact with the system This is why it is better to do the test while being connected to the system console This has the advantage of making the kernel dump process visible A typical test output should look like the following sudo s sudo password for ubuntu echo c gt proc sysrq trigger 1 659002 SysRq Trigger a crash 1 659749 BUG unable to handle kernel NULL pointer dereference at null 1 662668 IP lt ffffffff8139f166 gt sysrq_handle_crash 0x16 0x20 1 662668 PGD 3bfb9067 PUD 368a7067 PMD 0 1 662668 Oops 0002 1 SMP l 662668 CPU 1 WWW WwW WwW WwW The rest of the output is truncated but you should see the system rebooting and somewhere in the log you will see the following line Begin Saving vmcore from kernel crash Once completed the system will reboot to its normal operational mode You will then find Kernel Crash Dump file in the var crash directory ls var crash linux image 3 0 0 12 server 0 crash 5 7 Resources Kernel Crash Dump is a vast topic t
324. ng_policy failover getuid_callout lib dev scsi_id whitelisted device dev n prio const path_checker directio rr_min_io 1000 rr_weight uniform failback manual no_path_retry fail user_friendly_names no To overwrite the default value for any of the configuration parameters you can copy the relevant line from this template into the defaults section and uncomment it For example to overwrite the path_grouping_policy parameter so that it is multibus rather than the default value of failover copy the appropriate line from the template to the initial defaults section of the configuration file and uncomment it as follows defaults user_friendly_names yes 65 DM Multipath path_grouping_policy multibus Table Multipath Configuration Defaults p 66 describes the attributes that are set in the defaults section of the multipath conf configuration file These values are used by DM Multipath unless they are overwritten by the attributes specified in the devices and multipaths sections of the multipath conf file Table 5 3 Multipath Configuration Defaults Attribute Description polling_interval Specifies the interval between two path checks in seconds For properly functioning paths the interval between checks will gradually increase to 4 polling_interval The default value is 5 udev_dir The directory where udev device nodes are created The default value is dev multipath_d
325. ns for etc network interfaces e The dhclient man page has details on more options for configuring DHCP client settings e For more information on DNS client configuration see the resolver man page Also Chapter 6 of O Reilly s Linux Network Administrator s Guide is a good source of resolver and name service configuration information e For more information on bridging see the brctl man page and the Linux Foundation s Net Bridge page 3 http manpages ubuntu com manpages man5 interfaces 5 html 4 http manpages ubuntu com manpages man8 dhclient 8 html 2 http manpages ubuntu com manpages man5S resolver 5 html 6 http oreilly com catalog linag2 book ch06 html i http manpages ubuntu com manpages man8 bretl 8 html 8 http www linuxfoundation org en Net Bridge 41 Networking 2 TCP IP The Transmission Control Protocol and Internet Protocol TCP IP is a standard set of protocols developed in the late 1970s by the Defense Advanced Research Projects Agency DARPA as a means of communication between different types of computers and computer networks TCP IP is the driving force of the Internet and thus it is the most popular set of network protocols on Earth 2 1 TCP IP Introduction The two protocol components of TCP IP deal with different aspects of computer networking Internet Protocol the IP of TCP IP is a connectionless protocol which deals only with network packet routing using the ZP Datagram as
326. nting Server TGS issues service tickets to clients upon request e Tickets confirm the identity of the two principals One principal being a user and the other a service requested by the user Tickets establish an encryption key used for secure communication during the authenticated session e Keytab Files are files extracted from the KDC principal database and contain the encryption key for a service or host To put the pieces together a Realm has at least one KDC preferably more for redundancy which contains a database of Principals When a user principal logs into a workstation that is configured for Kerberos authentication the KDC issues a Ticket Granting Ticket TGT If the user supplied credentials match the user is authenticated and can then request tickets for Kerberized services from the Ticket Granting Server TGS The service tickets allow the user to authenticate to the service without entering another username and password 124 Network Authentication 3 2 Kerberos Server 3 2 1 Installation For this discussion we will create a MIT Kerberos domain with the following features edit them to fit your needs e Realm EXAMPLE COM e Primary KDC kdc01 example com 192 168 0 1 e Secondary KDC kdc02 example com 192 168 0 2 e User principal steve e Admin principal steve admin bJ It is strongly recommended that your network authenticated users have their uid in a different range say star
327. ntpdate s ntp ubuntu com 4 2 ntpd The ntp daemon ntpd calculates the drift of your system clock and continuously adjusts it so there are no large corrections that could lead to inconsistent logs for instance The cost is a little processing power and memory but for a modern server this is negligible 4 3 Installation To install ntpd from a terminal prompt enter sudo apt get install ntp 4 4 Configuration Edit etc ntp conf to add remove server lines By default these servers are configured Use servers from the NIP Pool Project Approved by Ubuntu Technical Board on 2011 02 08 LP 104525 See http www pool ntp org join html for more information server O ubuntu pool ntp org server 1l ubuntu pool ntp org server 2 ubuntu pool ntp org server 3 ubuntu pool ntp org After changing the config file you have to reload the ntpd 49 Networking sudo etc init d ntp reload 4 5 View status Use ntpq to see to see more info sudo ntpq p remote refid st t when poll reach delay offset jitter t stratum2 2 NTP 129 70 130 70 tntp2 m online n 212 18 1 106 145 253 66 170 DCFa t stratum2 3 NTP 129 70 130 70 teuropium canoni 193 79 237 14 5 64 377 68 461 44 274 110 334 5 64 377 54 629 27 318 78 882 10 64 377 83 607 30 159 68 343 5 64 357 68 795 68 168 104 612 63 64 337 81 5347 675968 92 792 DM NM FP NY NH coc GG Gob 4 6 References e See the Ubuntu Time wik
328. nts Hardware Minimum Suggested Notes CPU 1 GHz 2x2GHz_ For an all in one front end it helps to have at least a dual core processor Memory 2 GB 4 GB The Java web front end benefits from lots of available memory Disk 5400 RPM 7200RPM_ Slower disks will work but will yield much longer instance IDE SATA startup times Disk Space 40 GB 200 GB 40GB is only enough space for only a single image cache etc Eucalyptus does not like to run out of disk space Networking 100 Mbps 1000 Mbps Machine images are hundreds of MB and need to be copied over the network to nodes 3 2 2 Node Requirements The other system s are nodes which will run e the Node Controller NC Table 20 2 UEC Node Requirements Hardware Minimum Suggested Notes CPU VT VT 64 bit 64 bit can run both 1386 and amd64 instances by Extensions Multicore default Eucalyptus will only run 1 VM per CPU core on a Node Memory 1 GB 4 GB Additional memory means more and larger guests Disk 5400 RPM 7200 RPM Eucalyptus nodes are disk intensive I O wait will likely IDE SATA or SCSI be the performance bottleneck Disk Space 40 GB 100 GB Images will be cached locally Eucalyptus does not like to run out of disk space Networking 100 Mbps 1000 Mbps Machine images are hundreds of MB and need to be copied over the network to nodes 3 3 Installing the Cloud Cluster Storage Walrus Front End Serve
329. o which the multipath attributes apply This parameter is mandatory for this section of the multipath conf file alias Specifies the symbolic name for the multipath device to which the multipath attributes apply If you are using user_friendly_names do not set this value to mpathn this may conflict with an automatically assigned user friendly name and give you incorrect device node names 69 DM Multipath In addition the following parameters may be overridden in this multipath section e path_grouping_policy e path_selector e failback e prio e prio args e no_path_retry e rr min_io e rr weight e flush_on_last_del The following example shows multipath attributes specified in the configuration file for two specific multipath devices The first device has a WWID of 3600508b4000156d70001200000b0000 and a symbolic name of yellow The second multipath device in the example has a WWID of 1DEC 321816758474 and a symbolic name of red In this example the rr_weight attributes is set to priorities multipaths multipath wwid 3600508b4000156d70001200000b0000 alias yellow path_grouping_policy multibus path_selector round robin 0 failback manual rr_weight priorities no_path_retry 5 multipath wwid 1DEC 321816758474 alias red rr_weight priorities 4 5 Configuration File Devices Table Device Attributes p 71 shows the attributes that you can set for each individual storage de
330. of resolving hostnames to IP addresses is controlled by the Name Service Switch NSS configuration file etc nsswitch conf As mentioned in the previous section typically static hostnames defined in the systems etc hosts file have precedence over names resolved from DNS The following is an example of the line responsible for this order of hostname lookups in the file etc nsswitch conf hosts files mdns4_minimal NOTFOUND return dns mdns4 e files first tries to resolve static hostnames located in etc hosts e mdns4_minimal attempts to resolve the name using Multicast DNS e NOTFOUND return means that any response of notfound by the preceding mdns4_minimal process should be treated as authoritative and that the system should not try to continue hunting for an answer e dns represents a legacy unicast DNS query e mdns4 represents a Multicast DNS query To modify the order of the above mentioned name resolution methods you can simply change the hosts string to the value of your choosing For example if you prefer to use legacy Unicast DNS versus Multicast DNS you can change the string in etc nsswitch conf as shown below hosts files dns NOTFOUND return mdns4_minimal mdns4 1 4 Bridging Bridging multiple interfaces is a more advanced configuration but is very useful in multiple scenarios One scenario is setting up a bridge with multiple network interfaces then using a firewall 39 Networking to filter tra
331. of times the system should attempt to use a failed path before disabling queueing A value of fail indicates immediate failure without queueing A value of queue indicates that queueing should not stop until the path is fixed The default value is 0 user_friendly_names If set to yes specifies that the system should use the etc multipath bindings file to assign a persistent and unique alias to the multipath in the form of mpathn If set to no specifies that the system should use the WWID as the alias for the multipath In either case what is specified here will be overridden by any device specific aliases you specify in the multipaths section of the configuration file The default value is no queue_without_daemon If set to no the multipathd daemon will disable queueing for all devices when it is shut down The default value is yes flush_on_last_del If set to yes then multipath will disable queueing when the last path to a device has been deleted 68 DM Multipath Attribute Description The default value is no max_fds Sets the maximum number of open file descriptors that can be opened by multipath and the multipathd daemon This is equivalent to the ulimit ncommand A value of max will set this to the system limit from proc sys fs nr_open If this is not set the maximum number of open file descriptors is taken from the calling process it is usually 1024 To be safe this s
332. ommands such as ip ifconfig and route which are also found on most other GNU Linux operating systems These commands allow you to configure settings which take effect immediately however they are not persistent and will be lost after a reboot To temporarily configure an IP address you can use the ifconfig command in the following manner Just modify the IP address and subnet mask to match your network requirements sudo ifconfig ethO 10 0 0 100 netmask 255 255 255 0 To verify the IP address configuration of ethO you can use the ifconfig command in the following Manner ifconfig eth0 etho Link encap Ethernet HWaddr 00 15 c5 4a 16 5a inet addr 10 0 0 100 Bcast 10 0 0 255 Mask 255 255 255 0 inet6 addr fe80 215 c5ff fe4a 165a 64 Scope Link UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packets 466475604 errors 0 dropped 0 overruns 0 frame 0 TX packets 403172654 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 1000 RX bytes 2574778386 2 5 GB TX bytes 1618367329 1 6 GB Interrupt 16 To configure a default gateway you can use the route command in the following manner Modify the default gateway address to match your network requirements sudo route add default gw 10 0 0 1 eth0O To verify your default gateway configuration you can use the route command in the following Manner route n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10 0 0 0 0 0 0 0 255425529540 U 1
333. on euca unzip d euca mycreds zip 3 6 2 From a Command Line e Alternatively if you are on the command line of the Cloud Controller you can run mkdir p euca chmod 700 euca cd euca sudo euca_conf get credentials mycreds zip unzip mycreds zip ln s euca eucarc eucarc cd 3 6 3 Extracting and Using Your Credentials Now you will need to setup EC2 API and AMI tools on your server using X 509 certificates 1 Install the required cloud user tools sudo apt get install euca2ools 2 To validate that everything is working correctly get the local cluster availability details euca eucarc euca describe availability zones verbose AVAILABILITYZONE myowncloud 192 168 1 1 AVAILABILITYZONE vm types free max cpu ram disk AVAILABILITYZONE ml small 0004 0004 1 128 2 AVAILABILITYZONE cl medium 0004 0004 a 256 5 AVAILABILITYZONE ml large 0002 0002 2 512 10 AVAILABILITYZONE ml xlarge 0002 0002 2 1024 20 AVAILABILITYZONE cl xlarge 0001 0001 4 2048 20 Your output from the above command will vary 3 7 Install an Image from the Store The following is by far the simplest way to install an image However advanced users may be interested in learning how to Bundle their own image 16 https help ubuntu com community UEC BundlingImages 327 Virtualization The simplest way to add an image to UEC is to install it from t
334. on Yes Advertised link modes 10baseT Half 10baseT Full 100baseT Half 100baseT Full 1000baseT Half 1000baseT Full Advertised auto negotiation Yes Speed 1000Mb s Duplex Full Port Twisted Pair PHYAD 1 Transceiver internal Auto negotiation on Supports Wake on g Wake on d Current message level Ox000000ff 255 Link detected yes Changes made with the ethtool command are temporary and will be lost after a reboot If you would like to retain settings simply add the desired ethtool command to a pre up statement in the interface configuration file etc network interfaces The following is an example of how the interface identified as ethO could be permanently configured with a port speed of 1000Mb s running in full duplex mode auto eth0 iface ethO inet static pre up sbin ethtool s ethO speed 1000 duplex full Although the example above shows the interface configured to use the static method it actually works with other methods as well such as DHCP The example is meant to demonstrate only proper placement of the pre up statement in relation to the rest of the interface configuration 34 Networking 1 2 IP Addressing The following section describes the process of configuring your systems IP address and default gateway needed for communicating on a local area network and the Internet 1 2 1 Temporary IP Address Assignment For temporary network configurations you can use standard c
335. on guide Installation 1 Preparing to Install This section explains various aspects to consider before starting the installation 1 1 System Requirements Ubuntu 12 04 LTS Server Edition supports three 3 major architectures Intel x86 AMD64 and ARM The table below lists recommended hardware specifications Depending on your needs you might manage with less than this However most users risk being frustrated if they ignore these suggestions Table 2 1 Recommended Minimum Requirements Hard Drive Space Install Type CPU RAM Base System All Tasks Installed Server 300 megahertz 128 megabytes 500 megabytes 1 gigabyte The Server Edition provides a common base for all sorts of server applications It is a minimalist design providing a platform for the desired services such as file print services web hosting email hosting etc The requirements for UEC are slightly different for Front End requirements see Section 3 2 1 Front End Requirements p 322 and for UEC Node requirements see Section 3 2 2 Node Requirements p 323 1 2 Server and Desktop Differences There are a few differences between the Ubuntu Server Edition and the Ubuntu Desktop Edition It should be noted that both editions use the same apt repositories making it just as easy to install a server application on the Desktop Edition as it is on the Server Edition The differences between the two editi
336. ons are the lack of an X window environment in the Server Edition the installation process and different Kernel options 1 2 1 Kernel Differences Ubuntu version 10 10 and prior actually had different kernels for the server and desktop editions Ubuntu no longer has separate server and generic kernel flavors These have been merged into a single generic kernel flavor to help reduce the maintenance burden over the life of the release fy When running a 64 bit version of Ubuntu on 64 bit processors you are not limited by memory addressing space Installation To see all kernel configuration options you can look through poot config 3 2 0 server Also Linux Kernel in a Nutshell is a great resource on the options available 1 3 Backing Up e Before installing Ubuntu Server Edition you should make sure all data on the system is backed up See Chapter 19 Backups p 294 for backup options If this is not the first time an operating system has been installed on your computer it is likely you will need to re partition your disk to make room for Ubuntu Any time you partition your disk you should be prepared to lose everything on the disk should you make a mistake or something goes wrong during partitioning The programs used in installation are quite reliable most have seen years of use but they also perform destructive actions http Awww kroah com Ikn Installation 2 Installing from CD The
337. ontend cn config frontend database default settings for other databases e olcDatabase 0 config cn config slapd configuration database cn config e olcDatabase 1 hdb cn config your database instance dc examle dc com e This is what the dc example dc com DIT looks like ldapsearch x LLL H ldap b dc example dc com dn dn dc example dc com dn cn admin dc example dc com Explanation of entries e dc example dc com base of the DIT e cn admin dc example dc com administrator rootDN for this DIT set up during package install 1 3 Modifying Populating your Database Let s introduce some content to our database We will add the following e anode called People to store users e anode called Groups to store groups e a group called miners e auser called john Create the following LDIF file and call it add_content 1dif dn ou People dc example dc com 94 Network Authentication objectClass organizationalUnit ou People dn ou Groups dc example dc com objectClass organizationalUnit ou Groups dn cn miners ou Groups dc example dc com objectClass posixGroup cn miners gidNumber 5000 dn uid john ou People dc example dc com objectClass inetOrgPerson objectClass posixAccount objectClass shadowAccount uid john sn Doe givenName John cn John Doe displayName John Doe uidNumber 10000 gidNumber 5000 userPassword johnldap gecos John Doe loginShell bi
338. opriate rights to create a database see Section 1 MySQL p 206 for more information 3 3 Configuration Bacula configuration files are formatted based on resources comprising of directives surrounded by P braces Each Bacula component has an individual file in the etc bacula directory The various Bacula components must authorize themselves to each other This is accomplished using the password directive For example the Storage resource password in the etc bacula bacula dir conf file must match the Director resource password in etc bacula bacula sd conf By default the backup job named Client is configured to archive the Bacula Catalog If you plan on using the server to backup more than one client you should change the name of this job to something more descriptive To change the name edit etc bacula bacula dir conf Define the main nightly save backup job By default this job will back up to disk in Job Name BackupServer JobDefs DefaultJob Write Bootstrap var lib bacula Clientl bsr fy The example above changes the job name to BackupServer matching the machine s host name Replace BackupServer with your appropriate hostname or other descriptive name The Console can be used to query the Director about jobs but to use the Console with a non root user the user needs to be in the bacula group To add a user to the bacula group enter the following from a terminal sudo ad
339. or version control The repository is automatically initialized and committed for the first time during package installation It is possible to undo this by entering the following command sudo etckeeper uninit By default etckeeper will commit uncommitted changes made to etc daily This can be disabled using the AVOID_DAILY_AUTOCOMMITS configuration option It will also automatically commit changes before and after package installation For a more precise tracking of changes it is recommended to commit your changes manually together with a commit message using sudo etckeeper commit Reason for configuration change Using the VCS commands you can view log information about files in etc sudo bzr log etc passwd To demonstrate the integration with the package management system install postfix sudo apt get install postfix When the installation is finished all the postfix configuration files should be committed to the repository Committing to etc added aliases db modified group modified group modified gshadow modified gshadow modified passwd modified passwd added postfix 381 Other Useful Applications added resolvconf added rsyslog d modified shadow modified shadow added init d postfix added network if down d postfix added network if up d postfix added postfix dynamicmaps cf added postfix main cf added postfix master cf added postfix post install added postfix postfix files add
340. ore information see Section 4 Aptitude p 25 e Finally the last step before rebooting is to set the clock to UTC ft If at any point during installation you are not satisfied by the default setting use the Go Back function at any prompt to be brought to a detailed installation menu that will allow you to modify the default settings At some point during the installation process you may want to read the help screen provided by the installation system To do this press F1 Once again for detailed instructions see the Ubuntu Installation Guide 2 1 Package Tasks During the Server Edition installation you have the option of installing additional packages from the CD The packages are grouped by the type of service they provide e DNS server Selects the BIND DNS server and its documentation e LAMP server Selects a ready made Linux Apache MySQL PHP server e Mail server This task selects a variety of packages useful for a general purpose mail server system e OpenSSH server Selects packages needed for an OpenSSH server e PostgreSQL database This task selects client and server packages for the PostgreSQL database e Print server This task sets up your system to be a print server e Samba File server This task sets up your system to be a Samba file server which is especially suitable in networks with both Windows and Linux systems e Tomcat Java server Installs Apache Tomcat and needed dependencies e Vi
341. ormation about the system useful to developers in diagnosing the reported problem that will then be included in the bug report filed on Launchpad Bug reports in Ubuntu need to be filed against a specific software package thus the name of the package that the bug occurs in needs to be given to ubuntu bug ubuntu bug PACKAGENAME For example to file a bug against the openssh server package you would do ubuntu bug openssh server You can specify either a binary package or the source package for ubuntu bug Again using openssh server as an example you could also generate the report against the source package for openssh server openssh ubuntu bug openssh bJ See Chapter 3 Package Management p 20 for more information about packages in Ubuntu The ubuntu bug command will gather information about the system in question possibly including information specific to the specified package and then ask you what you would like to do with collected information ubuntu bug postgresql Collecting problem information The collected information can be sent to the developers to improve the application This might take a few minutes i https launchpad net 2 https help launchpad net Y ourAccount NewAccount 387 Appendix x Send problem report to the developers After the problem report has been sent please fill out the form in the automatically opened web browser What would you like to do Your options are
342. ory on the PDC and the PDC becomes unavailable access to the user s Home drive will also be unavailable For this reason it is best to configure the logon home to reside on a separate file server from the PDC and BDC 5 3 Resources e For in depth Samba configurations see the Samba HOWTO Collection e The guide is also available in printed format e O Reilly s Using Samba is also a good reference e Chapter 4 of the Samba HOWTO Collection explains setting up a Primary Domain Controller e Chapter 5 of the Samba HOWTO Collection explains setting up a Backup Domain Controller e The Ubuntu Wiki Samba page al http samba org samba docs man Samba HOWTO Collection 22 http www amazon com exec obidos tg detail 0131882228 23 http www oreilly com catalog 9780596007690 at http samba org samba docs man Samba HOWTO Collection samba pdc html 23 http us3 samba org samba docs man Samba HOWTO Collection samba bdc html 26 https help ubuntu com community Samba 291 Windows Networking 6 Samba Active Directory Integration 6 1 Accessing a Samba Share Another use for Samba is to integrate into an existing Windows network Once part of an Active Directory domain Samba can provide file and print services to AD users The simplest way to join an AD domain is to use Likewise open For detailed instructions see the Likewise Open Installation and Administration Guide Once part of the Active Dire
343. ostfix Dovecot etc a key without a passphrase is often appropriate Not having a passphrase allows the services to start without manual intervention usually the preferred way to start a daemon This section will cover generating a key with a passphrase and one without The non passphrase key will then be used to generate a certificate that can be used with various service daemons Running your secure service without a passphrase is convenient because you will not need 5 to enter the passphrase every time you start your secure service But it is insecure and a compromise of the key means a compromise of the server as well To generate the keys for the Certificate Signing Request CSR run the following command from a terminal prompt openssl genrsa des3 out server key 2048 Generating RSA private key 2048 bit long modulus Sisley Sister E ster E E Sicie eater Sitar sinter Side sister i i a EEEE PETET e is 65537 0x10001 Enter pass phrase for server key You can now enter your passphrase For best security it should at least contain eight characters The minimum length when specifying des3 is four characters It should include numbers and or punctuation and not be a word in a dictionary Also remember that your passphrase is case sensitive Re type the passphrase to verify Once you have re typed it correctly the server key is generated and stored in the server key file Now create the insecure key the one w
344. ot match a ServerName directive in another virtual host If you have just acquired the domain name ubunturocks com and wish to host it on your Ubuntu server the value of the ServerName directive in your virtual host configuration file should be ubunturocks com Add this directive to the new virtual host file you created earlier etc apache2 sites available mynewsite You may also want your site to respond to www ubunturocks com since many users will assume the www prefix is appropriate Use the ServerAlias directive for this You may also use wildcards in the ServerAlias directive For example the following configuration will cause your site to respond to any domain request ending in ubunturocks com ServerAlias ubunturocks com The DocumentRoot directive specifies where Apache2 should look for the files that make up the site The default value is var www as specified in etc apache2 sites available default If desired change this value in your site s virtual host file and remember to create that directory if necessary Enable the new VirtualHost using the a2ensite utility and restart Apache 2 sudo a2ensite mynewsite sudo service apache2 restart ba Be sure to replace mynewsite with a more descriptive name for the VirtualHost One method is to name the file after the ServerName directive of the VirtualHost 189 Web Servers Similarly use the a2dissite utility to disable sites This is can be useful when troubl
345. ova cd nova sudo nova manage user admin userl sudo nova manage project create projectl1 userl sudo nova manage project zipfile projectl userl unzip nova zip source novarc Verify the OpenStack Compute installation by typing 335 Virtualization sudo nova manage service list sudo nova manage version list If nova services don t show up correctly restart OpenStack services as described previously For more information please refer to the troubleshooting section on this guide 4 5 Install Imaging Service Glance Nova uses Glance service to manage Operating System images that it needs for bringing up instances Glance can use several types of storage backends such as filestore s3 etc Glance has two components glance api and glance registry These can be controlled using the concerned upstart service jobs For this specific case we will be using mysql as a storage backend Install Glance sudo apt get install glance Create a database and user for glance sudo mysql uroot ppassword e CREATE DATABASE glance sudo mysql uroot ppassword e GRANT ALL ON glance TO glanceuser localhost IDENTIFIED BY glancepassword Edit the file etc glance glance registry conf and edit the line which contains the option sql_connection to this sql_connection mysql glanceuser glancepassword localhost glance Remove the sqlite database rm rf var lib glance glance sqlite Restart glance registry afte
346. ovecot conf and change the following line mail_location maildir Maildir for maildir or mail_location mbox mail INBOX var spool mail Su for mbox w You should configure your Mail Transport Agent MTA to transfer the incoming mail to this type of mailbox if it is different from the one you have configured Once you have configured dovecot restart the dovecot daemon in order to test your setup sudo etc init d dovecot restart 12 bttp en wikipedia org wiki POP3 13 http en wikipedia org wiki Internet_Message_Access_Protocol Ia http wiki dovecot org MailboxFormat 245 Email Services If you have enabled imap or pop3 you can also try to log in with the commands telnet localhost pop3 or telnet localhost imap2 If you see something like the following the installation has been successful bhuvan rainbow telnet localhost pop3 Trying 127 0 0 1 Connected to localhost localdomain Escape character is OK Dovecot ready 3 3 Dovecot SSL Configuration To configure dovecot to use SSL you can edit the file etc dovecot dovecot conf and amend following lines ssl_cert_file etc ssl certs ssl cert snakeoil pem ssl_key_file etc ssl private ssl cert snakeoil key ssl_disable no disable_plaintext_auth no You can get the SSL certificate from a Certificate Issuing Authority or you can create self signed SSL certificate The latter is a good option for email because SMTP c
347. ows about both drives and actively maintains both of them or hardware where a special controller makes the OS think there s only one drive and maintains the drives invisibly The RAID software included with current versions of Linux and Ubuntu is based on the mdadm driver and works very well better even than many so called hardware RAID controllers This section will guide you through installing Ubuntu Server Edition using two RAID1 partitions on two physical hard drives one for and another for swap 4 1 1 Partitioning Follow the installation steps until you get to the Partition disks step then 1 Select Manual as the partition method 2 Select the first hard drive and agree to Create a new empty partition table on this device Repeat this step for each drive you wish to be part of the RAID array 3 Select the FREE SPACE on the first drive then select Create a new partition 4 Next select the Size of the partition This partition will be the swap partition and a general rule for swap size is twice that of RAM Enter the partition size then choose Primary then Beginning ba A swap partition size of twice the available RAM capacity may not always be desirable especially on systems with large amounts of RAM Calculating the swap partition size for servers is highly dependent on how the system is going to be used 5 Select the Use as line at the top By default this is Ext4 journaling file
348. p 283 From a Windows client you should now be able to browse to the Ubuntu file server and see the shared directory If your client doesn t show your share automatically try to access your server by its IP address e g 192 168 1 1 in a Windows Explorer window To check that everything is working try creating a directory from Windows To create additional shares simply create new dir sections in etc samba smb conf and restart Samba Just make sure that the directory you want to share actually exists and the permissions are correct fe The file share named share and the path srv samba share are just examples Adjust the share and path names to fit your environment It is a good idea to name a share after a 3 http www pathname com fhs pub fhs 2 3 html SRVDATAFORSERVICESPROVIDEDBYSYSTEM 279 Windows Networking directory on the file system Another example would be a share name of qa with a path of srv samba qa 2 3 Resources e For in depth Samba configurations see the Samba HOWTO Collection e The guide is also available in printed format e O Reilly s Using Samba is another good reference e The Ubuntu Wiki Samba page 4 http samba org samba docs man Samba HOWTO Collection gt http www amazon com exec obidos tg detail 013 1882228 5 http www oreilly com catalog 9780596007690 7 https help ubuntu com community Samba 280 Windows Networking 3 Samba Print Server
349. p 20 for more information about managing packages in Ubuntu Once you have ensured that gdb is installed open the file etc default apport in your text editor and change the enabled setting to be 1 like so set this to 0 to disable apport or to 1 to enable it you can temporarily override this with sudo service apport start force_start 1 389 Appendix enabled 1 set maximum core dump file size default 209715200 bytes 200 MB maxsize 209715200 Once you have completed editing etc default apport start the apport service sudo start apport After an application crashes use the apport cli command to search for the existing saved crash report information apport cli dash closed unexpectedly on 2010 03 11 at 21 40 59 If you were not doing anything confidential entering passwords or other private information you can help to improve the application by reporting the problem What would you like to do Your options are R Report Problem I Cancel and ignore future crashes of this program version C Cancel Please choose R I C Selecting Report Problem will walk you through similar steps as when using ubuntu bug One important difference is that a crash report will be marked as private when filed on Launchpad meaning that it will be visible to only a limited set of bug triagers These triagers will review the gathered data for private information before making the bug report publ
350. p 52 for a complete listing Table 5 1 Priority Checker Conversion v0 4 8 v0 4 9 prio_callout mpath_prio_emc dev n prio emc prio_callout mpath_prio_alua dev n prio alua prio_callout mpath_prio_netapp dev n prio netapp prio_callout mpath_prio_rdac dev n prio rdac prio_callout mpath_prio_hp_sw dev n prio hp_sw prio_callout mpath_prio_hds_modular b prio hds Since the multipath config file parser essentially parses all key value pairs it finds and then makes use of them it is safe for both prio_callout and prio to coexist and is recommended that the prio attribute be inserted before beginning migration After which you can safely delete the legacy prio_calliout attribute without interrupting service 52 DM Multipath 1 2 Overview DM Multipath can be used to provide e Redundancy DM Multipath can provide failover in an active passive configuration In an active passive configuration only half the paths are used at any time for I O If any element of an I O path the cable switch or controller fails DM Multipath switches to an alternate path e Improved Performance Performance DM Multipath can be configured in active active mode where I O is spread over the paths in a round robin fashion In some configurations DM Multipath can detect loading on the I O paths and dynamically re balance the load 1 3 Storage Array Overview By default DM Multipath includes support for
351. p ubuntu com community MoinMoin 216 LAMP Applications 3 MediaWiki MediaWiki is an web based Wiki software written in the PHP language It can either use MySQL or PostgreSQL Database Management System 3 1 Installation Before installing MediaWiki you should also install Apache2 the PHPS5 scripting language and Database a Management System MySQL or PostgreSQL are the most common choose one depending on your need Please refer to those sections in this manual for installation instructions To install MediaWiki run the following command in the command prompt sudo apt get install mediawiki php5 gd For additional MediaWiki functionality see the mediawiki extensions package 3 2 Configuration The Apache configuration file mediawiki conf for MediaWiki is installed in etc apache2 conf d directory You should uncomment the following line in this file to access MediaWiki application Alias mediawiki var lib mediawiki After you uncomment the above line restart Apache server and access MediaWiki using the following url http localhost mediawiki config index php Please read the Checking environment section in this page You should be able to fix many issues by carefully reading this section Once the configuration is complete you should copy the LocalSettings php file to etc mediawiki directory sudo mv var lib mediawiki config LocalSettings php etc mediawiki You may also want to edit et
352. page for more options available to update motd e The Debian Package of the Day weather article has more details about using the weatherutility e See the etckeeper site for more details on using etckeeper e The etckeeper Ubuntu Wiki page e For the latest news and information about bzr see the bzr web site e For more information on screen see the screen web site e And the Ubuntu Wiki screen page e Also see the byobu project page for more information 7 http manpages ubuntu com manpages precise en man 1 update motd 1 html 2 http debaday debian net 2007 10 04 weather check weather conditions and forecasts on the command line A http kitenet net joey code etckeeper 2 https help ubuntu com community etckeeper 6 http bazaar vcs org 1 http www gnu org software screen 8 https help ubuntu com community Screen a https launchpad net byobu 385 Appendix A Appendix 386 Appendix 1 Reporting Bugs in Ubuntu Server Edition While the Ubuntu Project attempts to release software with as few bugs as possible they do occur You can help fix these bugs by reporting ones that you find to the project The Ubuntu Project uses Launchpad to track its bug reports In order to file a bug about Ubuntu Server on Launchpad you will need to create an account 1 1 Reporting Bugs With ubuntu bug The preferred way to report a bug is with the ubuntu bug command The ubuntu bug tool gathers inf
353. password kadmin local addprinc x dn uid steve ou people dc example dc com steve WARNING no policy specified for steve EXAMPLE COM defaulting to no policy Enter password for principal steve EXAMPLE COM Re enter password for principal steve EXAMPLE COM Principal steve EXAMPLE COM created There should now be krbPrincipalName krbPrincipalKey krbLastPwdChange and krbExtraData attributes added to the uid steve ou people dc example dc com user object Use the kinit and klist utilities to test that the user is indeed issued a ticket fy If the user object is already created the x dn option is needed to add the Kerberos attributes Otherwise a new principal object will be created in the realm subtree 4 3 Secondary KDC Configuration Configuring a Secondary KDC using the LDAP backend is similar to configuring one using the normal Kerberos database 1 First install the necessary packages In a terminal enter sudo apt get install krb5 kdc krb5 admin server krb5 kdc ldap 2 Next edit etc krb5 conf to use the LDAP backend libdefaults default_realm EXAMPLE COM realms EXAMPLE COM kdc kdc kdc02 example com kdc01 example com admin_server kdc01 example com admin_server kdc02 example com default_domain example com database_module openldap_ldapconf domain_realm example com EXAMPLE COM 136 Network Authentication dbdefaults
354. path device use the following procedure 1 Resize your physical device This is storage platform specific 2 Use the following command to find the paths to the LUN multipath 1 3 Resize your paths For SCSI devices writing 1 to the rescan file for the device causes the SCSI driver to rescan as in the following command echo 1 gt sys block device_name device rescan 4 Resize your multipath device by running the multipathd resize command multipathd k resize map mpatha 5 Resize the file system assuming no LVM or DOS partitions are used resize2fs dev mapper mpatha 5 2 Moving root File Systems from a Single Path Device to a Multipath Device This is dramatically simplified by the use of UUIDs to identify devices as an intrinsic label Simply install multipath tools boot and reboot This will rebuild the initial ramdisk and afford multipath the opportunity to build it s paths before the root file system is mounted by UUID ft Whenever multipath conf is updated so should the initrd by executing update initramfs u k all The reason being is mult ipath conf is copied to the ramdisk and is integral to determining the available devices for grouping via it s blacklist and device sections 5 3 Moving swap File Systems from a Single Path Device to a Multipath Device The procedure is exactly the same as illustrated in the previous section called Moving root File Systems from a Single Path to a Mu
355. pd apache org docs 2 2 188 Web Servers sudo cp etc apache2 sites available default etc apache2 sites available mynewsite Edit the new file to configure the new site using some of the directives described below The ServerAdmin directive specifies the email address to be advertised for the server s administrator The default value is webmaster localhost This should be changed to an email address that is delivered to you if you are the server s administrator If your website has a problem Apache2 will display an error message containing this email address to report the problem to Find this directive in your site s configuration file in etc apache2 sites available The Listen directive specifies the port and optionally the IP address Apache2 should listen on If the IP address is not specified Apache2 will listen on all IP addresses assigned to the machine it runs on The default value for the Listen directive is 80 Change this to 127 0 0 1 80 to cause Apache to listen only on your loopback interface so that it will not be available to the Internet to for example 81 to change the port that it listens on or leave it as is for normal operation This directive can be found and changed in its own file etc apache2 ports conf The ServerName directive is optional and specifies what FQDN your site should answer to The default virtual host has no ServerName directive specified so it will respond to all requests that do n
356. plications Depending on the application some extra configuration and setup steps may be needed however This section covers how to install some LAMP applications 214 LAMP Applications 2 Moin Moin MoinMoin is a Wiki engine implemented in Python based on the PikiPiki Wiki engine and licensed under the GNU GPL 2 1 Installation To install MoinMoin run the following command in the command prompt sudo apt get install python moinmoin You should also install apache2 web server For installing apache2 web server please refer to Section 1 1 Installation p 187 sub section in Section 1 HTTPD Apache2 Web Server p 187 section 2 2 Configuration For configuring your first Wiki application please run the following set of commands Let us assume that you are creating a Wiki named mywiki cd usr share moin sudo mkdir mywiki sudo cp R data mywiki sudo cp R underlay mywiki sudo cp server moin cgi mywiki sudo chown R www data www data mywiki sudo chmod R ug trwX mywiki sudo chmod R o rwx mywiki Now you should configure MoinMoin to find your new Wiki mywiki To configure MoinMoin open etc moin mywiki py file and change the following line data_dir org mywiki data to data_dir usr share moin mywiki data Also below the data_dir option add the data_underlay_dir data_underlay_dir usr share moin mywiki underlay bJ If the etc moin mywiki py file does not ex
357. postconf e broken_sasl_auth_clients yes sudo postconf e smtpd_sasl_auth_enable yes sudo postconf e smtpd_recipient_restrictions permit_sasl_authenticated permit_mynetworks reject_unauth_destination The smtpd_sasl_path configuration is a path relative to the Postfix queue directory 2 Next generate or obtain a digital certificate for TLS See Section 5 Certificates p 171 for details This example also uses a Certificate Authority CA For information on generating a CA certificate see Section 5 5 Certification Authority p 173 MUAs connecting to your mail server via TLS will need to recognize the certificate used for TLS This can either be done using a certificate from a commercial CA or with a self signed certificate that users manually install accept For MTA to MTA TLS certficates are never validated without advance agreement from the affected organizations For MTA to MTA TLS unless local policy requires it there is no reason not to use a self signed certificate Refer to Section 5 3 Creating a Self Signed Certificate p 173 for more details 3 Once you have a certificate configure Postfix to provide TLS encryption for both incoming and outgoing mail sudo postconf e smtp_tls_security_level may sudo postconf e smtpd_tls_security_level may 236 Email Services sudo postconf e smtp_tls_note_starttls_offer yes sudo postconf e smtpd_tls_key_file etc ssl
358. profile is entered by running lIxc start This profile mainly prevents Ixc start from mounting new filesystems outside of the container s root filesystem Before executing the container s init LXC requests a switch to the container s profile By default this profile is the 1xc container default policy which is defined in etc apparmor d 1lxc 1xc default This profile prevents the container from accessing many dangerous paths and from mounting most filesystems 342 Virtualization If you find that Ixc start is failing due to a legitimate access which is being denied by its Apparmor policy you can disable the lxc start profile by doing sudo apparmor_parser R etc apparmor d usr bin 1lxc start sudo ln s etc apparmor d usr bin 1lxc start etc apparmor d disabled This will make Ixc start run unconfined but continue to confine the container itself If you also wish to disable confinement of the container then in addition to disabling the usr bin 1xc start profile you must add lxc aa_profile unconfined to the container s configuration file If you wish to run a container in a custom profile you can create anew profile under etc apparmor d 1xc Its name must start with 1xc in order for lxe start to be allowed to transition to that profile After creating the policy load it using sudo apparmor_parser r etc apparmor d 1lxc containers The profile will automatically be loaded after a reboot because it is sourced by the
359. provide an abstration level for network addresses e g LAN instead of 192 168 1 0 24 and ports named as services e g HTTP instead of 80 TCP e zentyal firewall configures the iptables rules to block forbiden connections NAT and port redirections e zentyal ntp installs the NTP daemon to keep server on time and allow network clients to synchronize their clocks against the server e zentyal dhcp configures ISC DHCP server supporting network ranges static leases and other advanced options like NTP WINS dynamic DNS updates and network boot with PXE e zentyal dns brings ISC Bind9 DNS server into your server for caching local queries as a forwarder or as an authoritative server for the configured domains Allows to configure A CNAME MX NS TXT and SRV records e zentyal ca integrates the management of a Certification Authority within Zentyal so users can use certificates to authenticate against the services like with OpenVPN e zentyal openvpn allows to configure multiple VPN servers and clients using OpenVPN with dynamic routing configuration using Quagga 86 Remote Administration e zentyal users provides an interface to configure and manage users and groups on OpenLDAP Other services on Zentyal are authenticated against LDAP having a centralized users and groups management It is also possible to synchronize users passwords and groups from a Microsoft Active Directory domain e zentyal squid configu
360. pt If a browser encounters a certificate whose authorizing CA is not in the list the browser asks the user to either accept or decline the connection Also other applications may generate an error message when using a self singed certificate The process of getting a certificate from a CA is fairly easy A quick overview is as follows 1 Create a private and public encryption key pair 2 Create a certificate request based on the public key The certificate request contains information about your server and the company hosting it 171 Security 3 Send the certificate request along with documents proving your identity to a CA We cannot tell you which certificate authority to choose Your decision may be based on your past experiences or on the experiences of your friends or colleagues or purely on monetary factors Once you have decided upon a CA you need to follow the instructions they provide on how to obtain a certificate from them 4 When the CA is satisfied that you are indeed who you claim to be they send you a digital certificate 5 Install this certificate on your secure server and configure the appropriate applications to use the certificate 5 2 Generating a Certificate Signing Request CSR Whether you are getting a certificate from a CA or generating your own self signed certificate the first step is to generate a key If the certificate will be used by service daemons such as Apache P
361. puter fe Packages in the Multiverse repository often have licensing issues that prevent them from being distributed with a free operating system and they may be illegal in your locality Be advised that neither the Universe or Multiverse repositories contain officially supported Q packages In particular there may not be security updates for these packages Many other package sources are available sometimes even offering only one package as in the case of package sources provided by the developer of a single application You should always be very careful and cautious when using non standard package sources however Research the source and packages carefully before performing any installation as some package sources and their packages could render your system unstable or non functional in some respects By default the Universe and Multiverse repositories are enabled but if you would like to disable them edit etc apt sources list and comment the following lines deb http archive ubuntu com ubuntu precise universe multiverse deb src http archive ubuntu com ubuntu precise universe multiverse deb http us archive ubuntu com ubuntu precise univers deb src http us archive ubuntu com ubuntu precise univers 2 sample sources list 29 Package Management deb http us archive ubuntu com ubuntu precise updates univers deb src http us archive ubuntu com ubuntu precise updates univers d
362. r 1 Download the Ubuntu 12 04 LTS Server ISO file and burn it to a CD 2 When you boot select Install Ubuntu Enterprise Cloud The installer will detect if any other Eucalyptus components are present 323 Virtualization You can then choose which components to install based on your chosen topology When asked whether you want a Cluster or a Node install select Cluster It will ask two other cloud specific questions during the course of the install e Name of your cluster e e g cluster e A range of public IP addresses on the LAN that the cloud can allocate to instances e e g 192 168 1 200 192 168 1 249 3 4 Installing the Node Controller s The node controller install is even simpler Just make sure that you are connected to the network on which the cloud cluster controller is already running OY OB 00 oS Boot from the same ISO on the node s When you boot select Install Ubuntu Enterprise Cloud Select Install Ubuntu Enterprise Cloud It should detect the Cluster and preselect Node install for you Confirm the partitioning scheme The rest of the installation should proceed uninterrupted complete the installation and reboot the node 3 5 Register the Node s 1 2 Nodes are the physical systems within UEC that actually run the virtual machine instances of the cloud All component registration should be automatic assuming a Publ
363. r making changes to etc glance glance registry conf The MySQL database will be automatically populated sudo restart glance registry If you find issues take a look at the log file in var log glance api log and var log glance registry log 4 6 Running Instances Before you can instantiate images you first need to setup user credentials Once this first step is achieved you also need to upload images that you want to run in the cloud Once you have these images uploaded to the cloud you will be able to run and connect to them Here are the steps you should follow to get OpenStack Nova running instances 336 Virtualization Download register and publish an Ubuntu cloud image distro lucid wget http cloud images ubuntu com S distro current S distro server cloudimg amd64 tar gz cloud publish tarball S distro server cloudimg amd64 tar gz S distro _amd64 Create a key pair and start an instance cd nova source novarc euca add keypair userl gt userl priv chmod 0600 userl priv Allow icmp ping and ssh access to instances euca authorize default P tcp p 22 s 0 0 0 0 0 euca authorize P icmp t 1 1 default Run an instance ami euca describe images awk print 2 grep m1 ami euca run instances ami k userl t ml tiny euca describe instances Assign public address to the instance euca allocate address euca associate address i instance_id public_ip address euca describe instances
364. r the Postfix or Exim mail server If you wish to install Mailman with a different mail server please refer to the references section J You only need to install one mail server and Postfix is the default Ubuntu Mail Transfer Agent 4 1 1 Apache2 To install apache2 you refer to Section 1 1 Installation p 187 for details 4 1 2 Postfix For instructions on installing and configuring Postfix refer to Section 1 Postfix p 235 4 1 3 Exim4 To install Exim4 refer to Section 2 Exim4 p 242 Once exim4 is installed the configuration files are stored in the etc exim4 directory In Ubuntu by default the exim4 configuration files are split across different files You can change this behavior by changing the following variable in the etc exim4 update exim4 conf file dc_use_split_config true 4 1 4 Mailman To install Mailman run following command at a terminal prompt hy http lists ubuntu com 247 Email Services sudo apt get install mailman It copies the installation files in var lib mailman directory It installs the CGI scripts in usr lib cgi bin mailman directory It creates list linux user It creates the list linux group The mailman process will be owned by this user 4 2 Configuration This section assumes you have successfully installed mailman apache2 and postfix or exim4 Now you just need to configure them 4 2 1 Apache2 An example Apache configuration file
365. ractive console can be used to troubleshoot problems you may be having with your system For example the following command sequence displays the multipath configuration including the defaults before exiting the console See the IBM article Tricks with Multipathd for more examples multipathd k gt gt show config gt gt CTRL D The following command sequence ensures that multipath has picked up any changes to the multipath conf multipathd k gt gt reconfigure gt gt CTRL D Use the following command sequence to ensure that the path checker is working properly multipathd k gt gt show paths gt gt CTRL D Commands can also be streamed into multipathd using stdin like so echo show config multipathd k http www 01 ibm com support docview wss uid isg3T 1011985 78 Chapter 6 Remote Administration There are many ways to remotely administer a Linux server This chapter will cover two of the most popular applications OpenSSH and Puppet 719 Remote Administration 1 OpenSSH Server 1 1 Introduction This section of the Ubuntu Server Guide introduces a powerful collection of tools for the remote control of and transfer of data between networked computers called OpenSSH You will also learn about some of the configuration settings possible with the OpenSSH server application and how to change them on your Ubuntu system OpenSSH is a freely available vers
366. rameters to specify depend on your specific device If the device is active active you will usually not need to set additional parameters You may want to set path_grouping_policy to multibus Other parameters you may need to set are no_path_retry and rr_min_io as described in Table Multipath Attributes p 69 If the device is active passive but it automatically switches paths with I O to the passive path you need to change the checker function to one that does not send I O to the path to test if it is working otherwise your device will keep failing over This almost always means that you set the path_checker to tur this works for all SCSI devices that support the Test Unit Ready command which most do If the device needs a special command to switch paths then configuring this device for multipath requires a hardware handler kernel module The current available hardware handler is emc If this is not sufficient for your device you may not be able to configure the device for multipath Table 5 5 Device Attributes Attribute Description vendor Specifies the vendor name of the storage device to which the device attributes apply for example COMPAQ product Specifies the product name of the storage device to which the device attributes apply for example HSV110 C COMPAQ revision Specifies the product revision identifier of the storage device product_blacklist Specifies a regular expression used to blacklist
367. randkey k keytab kdc02 host kdc02 example com There should now be a keytab kdc02 in the current directory move the file to etc krb5 keytab sudo mv keytab kdc02 etc krb5 keytab fey If the path to the keytab kdc02 file is different adjust accordingly Also you can list the principals in a Keytab file which can be useful when troubleshooting using the klist utility sudo klist k etc krb5 keytab The k option indicates the file is a keytab file Next there needs to be a kpropd ac1 file on each KDC that lists all KDCs for the Realm For example on both primary and secondary KDC create etc krb5kdc kpropd acl host kdc01 example com EXAMPLE COM host kdc02 example com EXAMPLE COM Create an empty database on the Secondary KDC sudo kdb5_util s create Now start the kpropd daemon which listens for connections from the kprop utility kprop is used to transfer dump files sudo kpropd S From a terminal on the Primary KDC create a dump file of the principal database sudo kdb5_util dump var lib krb5kdc dump Extract the Primary KDC s keytab file and copy it to etc krb5 keytab kadmin q ktadd k keytab kdc01 host kdc01 example com sudo mv keytab kdc01 etc krb5 keytab 128 Network Authentication Make sure there is a host for kdcOl example com before extracting the Keytab 10 Using the kprop utility push the database to the Secondary KDC sudo kprop r EXAMPLE COM f var lib krb5k
368. ration or that you wish to change from the default values specified in the multipath conf defaults file If there are sections of the file that are not relevant to your environment or for which you do not need to override the default values you can leave them commented out as they are in the initial file The configuration file allows regular expression description syntax An annotated version of the configuration file can be found in usr share doc multipath tools examples multipath conf annotated gz 4 1 Configuration File Overview The multipath configuration file is divided into the following sections blacklist Listing of specific devices that will not be considered for multipath blacklist_exceptions Listing of multipath candidates that would otherwise be blacklisted according to the parameters of the blacklist section defaults General default settings for DM Multipath multipath Settings for the characteristics of individual multipath devices These values overwrite what is specified in the defaults and devices sections of the configuration file 62 DM Multipath devices Settings for the individual storage controllers These values overwrite what is specified in the defaults section of the configuration file If you are using a storage array that is not supported by default you may need to create a devices subsection for your array When the system determines the attributes of a multipath device first it chec
369. ration easier e Host a server workstation network device etc that is being monitored e Host Group a group of similar hosts For example you could group all web servers file server etc e Service the service being monitored on the host Such as HTTP DNS NFS etc e Service Group allows you to group multiple services together This is useful for grouping multiple HTTP for example e Contact person to be notified when an event takes place Nagios can be configured to send emails SMS messages etc By default Nagios is configured to check HTTP disk space SSH current users processes and load on the localhost Nagios will also ping check the gateway Large Nagios installations can be quite complex to configure It is usually best to start small one or two hosts get things configured the way you like then expand 2 3 Configuration e 1 First create a host configuration file for server02 Unless otherwise specified run all these commands on serverO In a terminal enter sudo cp etc nagios3 conf d localhost_nagios2 cfg etc nagios3 conf d server02 cfg In the above and following command examples replace server01 server02 172 18 100 100 and 172 18 100 101 with the host names and IP addresses of your servers 2 Next edit etc nagios3 conf d server02 cfg define host use generic host Name of host template to us host_name server02 alias Server 02 address 172 18 100 101 check DNS
370. rects containers to use the LXC bridge created by the Ixc net upstart job If no configuration file is specified when creating a container then this one will be used e Examples of other container creation configuration files are found under usr share doc 1lxc examples These show how to create containers without a private network or using macvlan vlan or other network layouts e The various container administration tools are found under usr bin e usr lib 1lxc lxc init is a very minimal and lightweight init binary which is used by Ixc execute Rather than booting a full container it manually mounts a few filesystems especially proc and executes its arguments You are not likely to need to manually refer to this file e usr lib 1lxc templates contains the templates which can be used to create new containers of various distributions and flavors Not all templates are currently supported e etc apparmor d 1xc lxc default contains the default Apparmor MAC policy which works to protect the host from containers Please see the Section 5 2 6 Apparmor p 342 for more information e etc apparmor d usr bin 1lxc start contains a profile to protect the host from Ixc start while it is setting up the container e etc apparmor d lxc containers causes all the profiles defined under etc apparmor d 1xc to be loaded at boot e There are various man pages for the LXC administration tools as well as the 1xc conf cont
371. res Squid and Dansguardian for speeding up browsing thanks to the caching capabilities and content filtering e zentyal samba allows Samba configuration and integration with existing LDAP From the same interface you can define password policies create shared resources and assign permissions e zentyal printers integrates CUPS with Samba and allows not only to configure the printers but also give them permissions based on LDAP users and groups To install Zentyal in a terminal on the server enter where lt zentyal module gt is any of the modules from the previous list sudo apt get install lt zentyal module gt i Zentyal publishes one major stable release once a year in September based on latest Ubuntu LTS release Stable releases always have even minor numbers e g 2 2 3 0 and beta releases have odd minor numbers e g 2 1 2 3 Ubuntu 12 04 comes with Zentyal 2 3 packages If you want to upgrade to a new stable release published after the release of Ubuntu 12 04 you can use Zentyal Team PPA Upgrading to newer stable releases can provide you minor bugfixes not backported to 2 3 in Precise and newer features If you need more information on how to add packages from a PPA see Add a Personal Package Archive PPA Not present on Ubuntu Universe repositories but on Zentyal Team PPA you will find these other modules e zentyal antivirus integrates ClamAV antivirus with other modules like the proxy file
372. restart the service This configuration database consists of a collection of text based LDIF files located under etc ldap slapd d This way of working is known by several names the slapd config method the RTC method Real Time Configuration or the cn config method You can still use the traditional flat file method slapd conf but it s not recommended the functionality will be eventually phased out fy Ubuntu now uses the slapd config method for slapd configuration and this guide reflects that During the install you were prompted to define administrative credentials These are LDAP based credentials for the rootDN of your database instance By default this user s DN is cn admin dc example dc com Also by default there is no administrative account created for the slapd config database and you will therefore need to authenticate externally to LDAP in order to access it We will see how to do this later on Some classical schemas cosine nis inetorgperson come built in with slapd nowadays There is also an included core schema a pre requisite for any schema to work 92 Network Authentication 1 2 Post install Inspection The installation process set up 2 DITs One for slapd config and one for your own data dc example dc com Let s take a look e This is what the slapd config database DIT looks like Recall that this database is LDIF based and lives under etc ldap slapd d etc ldap slapd d cn config
373. ripts etc For details see Section 2 JeOS and vmbuilder p 313 1 3 virt install virt install is part of the virtinst package To install it from a terminal prompt enter sudo apt get install virtinst There are several options available when using virt install For example sudo virt install n web_devel r 256 disk path var lib libvirt images web_devel img bus virtio size 4 c jeos iso accelerate network network default model virtio connect qemu system vnc noautoconsole v e n web_devel the name of the new virtual machine will be web_devel in this example e r 256 specifies the amount of memory the virtual machine will use in megabytes e disk path Wvar lib ibvirt images web_devel img size 4 indicates the path to the virtual disk which can be a file partition or logical volume In this example a file named web_devel img in the var lib libvirt images directory with a size of 4 gigabytes and using virtio for the disk bus e c jeos iso file to be used as a virtual CDROM The file can be either an ISO file or the path to the host s CDROM device e accelerate enables the kernel s acceleration technologies e network provides details related to the VM s network interface Here the default network is used and the interface model is configured for virtio e ync exports the guest s virtual console using VNC e noautoconsole will not automatically connect to the virtual mac
374. ristine new container just for LXC you can download an ubuntu cloud image extract it and point a libvirt LXC xml file to it For instance find the url for a root tarball for the latest daily Ubuntu 12 04 LTS cloud image using url1l ubuntu cloudimg query precise daily arch format url n url echo urll sed e s tar gz root 0 357 Virtualization wget url filename basename Surl Extract the downloaded tarball for instance mkdir HOME c1 cd SHOME c1 sudo tar zxf filename Download the xml template wget http people canonical com serge ol xml In the xml template replace the name o1 with cl and the source directory var lib 1xc ol rootfs with HomE c1 Then define the container using virsh define ol xml 5 6 3 Interacting with libvirt containers As we ve seen you can create a libvirt lxc container using virsh c lxc define container xml To start a container called container use virsh c lxc start container To stop a running container use virsh c lxc destroy container Note that whereas the Ixc destroy command deletes the container the virsh destroy command stops a running container To delete the container definition use 358 Virtualization virsh c lxc undefine container To get a console to a running container use virsh c lxc console container Exit the console by simultaneously pressing control and 5 7 The Ixcguest package
375. ros e Also feel free to stop by the ubuntu server and kerberos IRC channels on Freenode if you have Kerberos questions 33 http web mit edu Kerberos ot https help ubuntu com community Kerberos 55 htup oreilly com catalog 9780596004033 56 http freenode net 131 Network Authentication 4 Kerberos and LDAP Most people will not use Kerberos by itself once an user is authenticated Kerberos we need to figure out what this user can do authorization And that would be the job of programs such as LDAP Replicating a Kerberos principal database between two servers can be complicated and adds an additional user database to your network Fortunately MIT Kerberos can be configured to use an LDAP directory as a principal database This section covers configuring a primary and secondary kerberos server to use OpenLDAP for the principal database J The examples presented here assume MIT Kerberos and OpenLDAP 4 1 Configuring OpenLDAP First the necessary schema needs to be loaded on an OpenLDAP server that has network connectivity to the Primary and Secondary KDCs The rest of this section assumes that you also have LDAP replication configured between at least two servers For information on setting up OpenLDAP see Section 1 OpenLDAP Server p 91 It is also required to configure OpenLDAP for TLS and SSL connections so that traffic between the KDC and LDAP server is encrypted See Section 1 8
376. rsync or by using LDAP as the passdb backend Using LDAP is the most robust way to sync account information because both domain controllers can use the same information in real time However setting up a LDAP server may be overly complicated for a small number of user and computer accounts See Section 2 Samba and LDAP p 117 for details 1 First install samba and libpam smbpass From a terminal enter sudo apt get install samba libpam smbpass 2 Now edit etc samba smb conf and uncomment the following in the global workgroup EXAMPLE security user 3 Inthe commented Domains uncomment or add 290 Windows Networking domain logons yes domain master no 4 Make sure a user has rights to read the files in var lib samba For example to allow users in the admin group to scp the files enter sudo chgrp R admin var 1lib samba 5 Next sync the user accounts using scp to copy the var 1ib samba directory from the PDC sudo scp r username pdc var lib samba var lib fy Replace username with a valid username and pdc with the hostname or IP Address of your actual PDC 6 Finally restart samba sudo restart smbd sudo restart nmbd You can test that your Backup Domain controller is working by stopping the Samba daemon on the PDC then trying to login to a Windows client joined to the domain Another thing to keep in mind is if you have configured the logon home option as a direct
377. rtual Machine host Includes packages needed to run KVM virtual machines e Manually select packages Executes aptitude allowing you to individually select packages Installing the package groups is accomplished using the tasksel utility One of the important differences between Ubuntu or Debian and other GNU Linux distribution is that when installed a package is also configured to reasonable defaults eventually prompting you for additional required information Likewise when installing a task the packages are not only installed but also configured to provided a fully integrated service Once the installation process has finished you can view a list of available tasks by entering the following from a terminal prompt tasksel list tasks https help ubuntu com 12 04 installation guide Installation fy The output will list tasks from other Ubuntu based distributions such as Kubuntu and Edubuntu Note that you can also invoke the tasksel command by itself which will bring up a menu of the different tasks available You can view a list of which packages are installed with each task using the task packages option For example to list the packages installed with the DNS Server task enter the following tasksel task packages dns server The output of the command should list bind9 doc bind9utils bind9 If you did not install one of the tasks during the installation process but for example you decide to make your new
378. rver enter sudo apt get install puppetmaster On the client machine or machines enter sudo apt get install puppet 2 2 Configuration Prior to configuring puppet you may want to add a DNS CNAME record for puppet example com where example com is your domain By default Puppet clients check DNS for puppet example com as the puppet server name or Puppet Master See Chapter 8 Domain Name Service DNS p 139 for more DNS details If you do not wish to use DNS you can add entries to the server and client etc hosts file For example in the Puppet server s etc hosts file add 127 0 0 1 localhost localdomain localhost puppet 192 168 1 17 meercat02 example com meercat02 On each Puppet client add an entry for the server 192 168 1 16 meercat example com meercat puppet bJ Replace the example IP addresses and domain names above with your actual server and client addresses and domain names Now setup some resources for apache2 Create a file etc puppet manifests site pp containing the following package 83 Remote Administration apache2 ensure gt installed service apache2 nsure gt true nable gt true require gt Package apache2 Next create a node file etc puppet manifests nodes pp with node meercat02 example com include apache2 bJ Replace meercat02 example com with your actual Puppet client s host name The final step for this simple Pupp
379. s are covered in Chapter 2 Installation p 3 but if you need detailed instructions installing Ubuntu please refer to the Ubuntu Installation Guide A HTML version of the manual is available online at the Ubuntu Documentation website https help ubuntu com 12 04 installation guide 2 https help ubuntu com Introduction 1 Support There are a couple of different ways that Ubuntu Server Edition is supported commercial support and community support The main commercial support and development funding is available from Canonical Ltd They supply reasonably priced support contracts on a per desktop or per server basis 3 For more information see the Canonical Services page Community support is also provided by dedicated individuals and companies that wish to make Ubuntu the best distribution possible Support is provided through multiple mailing lists IRC channels forums blogs wikis etc The large amount of information available can be overwhelming but a good search engine query can usually provide an answer to your questions See the Ubuntu Support page for more information 3 http www canonical com services support j http www ubuntu com support Chapter 2 Installation This chapter provides a quick overview of installing Ubuntu 12 04 LTS Server Edition For more detailed instructions please refer to the Ubuntu Installation Guide l https help ubuntu com 12 04 installati
380. s n plain ef Ixc info provides the state of a container and the pid of its init process Ixe cgroup can be used to query or set the values of a container s control group limits and information This can be more convenient than interacting with the cgroup filesystem For instance to query the list of devices which a running container is allowed to access you could use 350 Virtualization sudo lxc cgroup n CN devices list or to add mknod read and write access to dev sda sudo lxc cgroup n CN devices allow b 8 rwm and to limit it to 300M of RAM 1lxc cgroup n CN memory limit_in bytes 300000000 Ixc netstat executes netstat in the running container giving you a glimpse of its network state Ixc backup will create backups of the root filesystems of all existing containers except lvm based ones using rsync to back the contents up under var lib 1xc CN rootfs backup 1 These backups can be restored using Ixc restore However Ixc backup and Ixc restore are fragile with respect to customizations and therefore their use is not recommended 5 3 7 Destroying containers Use Ixc destroy to destroy an existing container sudo lxc destroy n CN If the container is running Ixc destroy will exit with a message informing you that you can force stopping and destroying the container with sudo lxc destroy n CN f 5 3 8 Advanced namespace usage One of the Linux kernel features used by LXC to create con
381. s _tcp EXAMPLE COM IN SRV 1 0 88 kdc0Ol example com _kerberos _udp EXAMPLE COM IN SRV 10 0 88 kdc02 example com _kerberos _tcp EXAMPLE COM IN SRV 10 0 88 kdc02 example com _kerberos adm _tcp EXAMPLE COM IN SRV 1 0 749 kdc0Ol example com _kpasswd _udp EXAMPLE COM IN SRV 1 0 464 kdcOl example com Replace EXAMPLE COM kdc01 and kdc02 with your domain name primary KDC and secondary KDC See Chapter 8 Domain Name Service DNS p 139 for detailed instructions on setting up DNS Your new Kerberos Realm is now ready to authenticate clients 3 3 Secondary KDC Once you have one Key Distribution Center KDC on your network it is good practice to have a Secondary KDC in case the primary becomes unavailable Also if you have Kerberos clients that are in different networks possibly separated by routers using NAT it is wise to place a secondary KDC in each of those networks 1 First install the packages and when asked for the Kerberos and Admin server names enter the name of the Primary KDC sudo apt get install krb5 kdc krb5 admin server Once you have the packages installed create the Secondary KDC s host principal From a terminal prompt enter 127 Network Authentication kadmin q addprinc randkey host kdc02 example com After issuing any kadmin commands you will be prompted for your username admin EXAMPLE COM principal password Extract the keytab file kadmin q ktadd no
382. s change remember to change it back once you ve solved your problem to prevent the log file from becoming overly large 4 2 Configuration The Common UNIX Printing System server s behavior is configured through the directives contained in the file etc cups cupsd conf The CUPS configuration file follows the same syntax as the primary configuration file for the Apache HTTP server so users familiar with editing Apache s configuration file should feel at ease when editing the CUPS configuration file Some examples of settings you may wish to change initially will be presented here Prior to editing the configuration file you should make a copy of the original file and protect it from writing so you will have the original settings as a reference and to reuse as necessary Copy the etc cups cupsd conf file and protect it from writing with the following commands issued at a terminal prompt 231 File Servers sudo cp etc cups cupsd conf etc cups cupsd conf original sudo chmod a w etc cups cupsd conf original e ServerAdmin To configure the email address of the designated administrator of the CUPS server simply edit the etc cups cupsd conf configuration file with your preferred text editor and add or modify the ServerAdmin line accordingly For example if you are the Administrator for the CUPS server and your e mail address is bjoy somebigco com then you would modify the ServerAdmin line to appear as such
383. s methods 268 Version Control System Table 17 1 Access Methods Schema Access Method file direct repository access on local disk http Access via WebDAV protocol to Subversion aware Apache2 web server https Same as http but with SSL encryption svn Access via custom protocol to an svnserve server svn ssh Same as svn but through an SSH tunnel In this section we will see how to configure Subversion for all these access methods Here we cover the basics For more advanced usage details refer to the svn book 2 3 1 Direct repository access file This is the simplest of all access methods It does not require any Subversion server process to be running This access method is used to access Subversion from the same machine The syntax of the command entered at a terminal prompt is as follows svn co file path to repos project or svn co file localhost path to repos project fe If you do not specify the hostname there are three forward slashes two for the protocol file in this case plus the leading slash in the path If you specify the hostname you must use two forward slashes The repository permissions depend on filesystem permissions If the user has read write permission he can checkout from and commit to the repository 2 3 2 Access via WebDAV protocol http To access the Subversion repository via WebDAV proto
384. s normally the same as mailman MM_HOME var lib mailman User and group for Mailman should match your with mail gid switch to Mailman s configure script Value is normally mailman MM_UID list MM_GID list Domains that your lists are in colon separated list you may wish to add these into local_domains as well domainlist mm_domains hostname com These values are derived from the ones above and should not need editing unless you have munged your mailman installation The path of the Mailman mail wrapper script MM_WRAP MM_HOME mail mailman The path of the list config file used as a required file when verifying list addresses MM_LISTCHK MM_HOME lists lc Slocal_part config pck end 4 2 5 Transport All the configuration files belonging to transport type are stored in the etc exim4 conf d transport directory You can add the following content to a new file named 40_exim4 config_mailman mailman_transport driver pipe command MM_WRAP if def local_part_suffix sg local_part_suffix wt 1 post Slocal_part current_directory MM_HOME home_directory MM_HOME user MM_UID group MM_GID 4 2 6 Router All the configuration files belonging to router type are stored in the etc exim4 conf d router directory You can add the following content in to a new file named 101_exim4 config_mailman mailman_router driver accept 25
385. s not complete by any means Please refer the PostgreSQL Administrator s Guide to configure more parameters 2 3 Resources e As mentioned above the Administrator s Guide is an excellent resource The guide is also available in the postgresql doc 8 4 package Execute the following in a terminal to install the package sudo apt get install postgresql doc 8 4 To view the guide enter file usr share doc postgresql doc 8 4 html index html into the address bar of your browser e For general SQL information see Using SQL Special Edition by Rafe Colburn e Also see the PostgreSQL Ubuntu Wiki page for more information 2 http www postgresql org docs 8 4 static admin html 19 http www postgresql org docs 8 4 static admin html ul http www informit com store product aspx isbn 0768664 128 12 https help ubuntu com community PostgreSQL 212 Chapter 13 LAMP Applications 213 LAMP Applications 1 Overview LAMP installations Linux Apache MySQL PHP Perl Python are a popular setup for Ubuntu servers There is a plethora of Open Source applications written using the LAMP application stack Some popular LAMP applications are Wiki s Content Management Systems and Management Software such as phpMyAdmin One advantage of LAMP is the substantial flexibility for different database web server and scripting languages Popular substitutes for MySQL include PostgreSQL and SQLite Python Perl and Ruby
386. s required If you need more control over user accounts and credentials another authentication method is recommended 3 3 References e The Jabberd2 Web Site contains more details on configuring Jabberd2 e For more authentication options see the Jabberd2 Install Guide e Also the Setting Up Jabber Server Ubuntu Wiki page has more information 2 http codex xiaoka com wiki jabberd2 start 3 http www jabberdoc org 4 https help ubuntu com community SettingUpJabberServer 265 Chapter 17 Version Control System Version control is the art of managing changes to information It has long been a critical tool for programmers who typically spend their time making small changes to software and then undoing those changes the next day But the usefulness of version control software extends far beyond the bounds of the software development world Anywhere you can find people using computers to manage information that changes often there is room for version control 266 Version Control System 1 Bazaar Bazaar is a new version control system sponsored by Canonical the commercial company behind Ubuntu Unlike Subversion and CVS that only support a central repository model Bazaar also supports distributed version control giving people the ability to collaborate more efficiently In particular Bazaar is designed to maximize the level of community participation in open source projects 1 1 Installation At
387. s steve Next on server02 install the nagios nrpe server package From a terminal on server02 enter sudo apt get install nagios nrpe server fy NRPE allows you to execute local checks on remote hosts There are other ways of accomplishing this through other Nagios plugins as well as other checks 2 2 Configuration Overview There are a couple of directories containing Nagios configuration and check files e etc nagios3 contains configuration files for the operation of the nagios daemon CGI files hosts etc e etc nagios plugins houses configuration files for the service checks e etc nagios on the remote host contains the nagios nrpe server configuration files e usr lib nagios plugins where the check binaries are stored To see the options of a check use the h option For example usr lib nagios plugins check_dhcp h There are a plethora of checks Nagios can be configured to execute for any given host For this example Nagios will be configured to check disk space DNS and a MySQL hostgroup The DNS check will be on server02 and the MySQL hostgroup will include both server0 and server02 180 Monitoring fe See Section 1 HTTPD Apache2 Web Server p 187 for details on setting up Apache Chapter 8 Domain Name Service DNS p 139 for DNS and Section 1 MySQL p 206 for MySQL Additionally there are some terms that once explained will hopefully make understanding Nagios configu
388. server The openssh server package can also be selected to install during the Server Edition installation process 1 3 Configuration You may configure the default behavior of the OpenSSH server application sshd by editing the file etc ssh sshd_config For information about the configuration directives used in this file you may view the appropriate manual page with the following command issued at a terminal prompt man sshd_config 80 Remote Administration There are many directives in the sshd configuration file controlling such things as communication settings and authentication modes The following are examples of configuration directives that can be changed by editing the etc ssh sshd_config file Prior to editing the configuration file you should make a copy of the original file and protect it from writing so you will have the original settings as a reference and to reuse as necessary Copy the etc ssh sshd_config file and protect it from writing with the following commands issued at a terminal prompt sudo cp etc ssh sshd_config etc ssh sshd_config original sudo chmod a w etc ssh sshd_config original The following are examples of configuration directives you may change e To set your OpenSSH to listen on TCP port 2222 instead of the default TCP port 22 change the Port directive as such Port 2222 e To have sshd allow public key based login credentials simply add or modify the line Pubke
389. service define service use generic service host_name server02 service_description DNS 181 Monitoring check_command check_dns 172 18 100 101 Restart the nagios daemon to enable the new configuration sudo etc init d nagios3 restart Now add a service definition for the MySQL check by adding the following to etc nagios3 conf d services_nagios2 cfg check MySQL servers define service hostgroup_name mysql servers service_description MySQL check_command check_mysql_cmdlinecred nagios secret SHOSTADDRE use generic service notification_interval 0 set gt 0 if you want to be renotified A mysql servers hostgroup now needs to be defined Edit etc nagios3 conf d host groups_nagios2 cfg adding MySQL hostgroup define hostgroup hostgroup_name mysql servers alias MySQL servers members localhost server02 The Nagios check needs to authenticate to MySQL To add a nagios user to MySQL enter mysql u root p e create user nagios identified by secret J The nagios user will need to be added all hosts in the mysql servers hostgroup Restart nagios to start checking the MySQL servers sudo etc init d nagios3 restart Lastly configure NRPE to check the disk space on server02 On server0 add the service check to etc nagios3 conf d server02 cfg NRPE disk check define service use generic service host_name server02 service_description nrpe disk check_comman
390. service ready In the Header of messages that go through the content filter you should see X Spam Level X Virus Scanned Debian amavisd new at example com X Spam Status No hits 2 3 tagged_above 1000 0 required 5 0 tests AWL BAYES_00 X Spam Level Your output will vary but the important thing is that there are X Virus Scanned and X Spam Status entries 5 4 Troubleshooting The best way to figure out why something is going wrong is to check the log files e For instructions on Postfix logging see the Section 1 7 Troubleshooting p 239 section e Amavisd new uses Syslog to send messages to var log mail log The amount of detail can be increased by adding the og_level option to etc amavis conf d 50 user and setting the value from 1 to 5 Slog_level 2 fe When the Amavisd new log output is increased Spamassassin log output is also increased e The ClamAV log level can be increased by editing etc clamav clamd conf and setting the following option LogVerbose true By default ClamAV will send log messages to var log clamav clamav log J After changing an applications log settings remember to restart the service for the new settings to take affect Also once the issue you are troubleshooting is resolved it is a good idea to change the log settings back to normal 5 5 References For more information on filtering mail see the following links Amavisd new Documentation e ClamAV Documenta
391. setfacl man pages for more information on POSIX ACLs 4 4 Samba AppArmor Profile Ubuntu comes with the AppArmor security module which provides mandatory access controls The default AppArmor profile for Samba will need to be adapted to your configuration For more details on using AppArmor see Section 4 AppArmor p 167 There are default AppArmor profiles for usr sbin smbd and usr sbin nmbd the Samba daemon binaries as part of the apparmor profiles packages To install the package from a terminal prompt enter sudo apt get install apparmor profiles apparmor utils fy This package contains profiles for several other binaries By default the profiles for smbd and nmbd are in complain mode allowing Samba to work without modifying the profile and only logging errors To place the smbd profile into enforce mode and have Samba work as expected the profile will need to be modified to reflect any directories that are shared Edit etc apparmor d usr sbin smbd adding information for share from the file server example srv samba share r srv samba share rwkix Now place the profile into enforce and reload it sudo aa enforce usr sbin smbd cat etc apparmor d usr sbin smbd sudo apparmor_parser r You should now be able to read write and execute files in the shared directory as normal and the smbd binary will have access to only the configured files and directories Be sure to add entries for each directory you
392. sharing or mailfilter e zentyal asterisk configures Asterisk to provide a simple PBX with LDAP based authentication e zentyal bwmonitor allows to monitor bandwith usage of your LAN clients e zentyal captiveportal integrates a captive portal with the firewall and LDAP users and groups e zentyal ebackup allows to make scheduled backups of your server using the popular duplicity backup tool e zentyal ftp configures a FTP server with LDAP based authentication T https launchpad net zentyal 8 https help ubuntu com 12 04 ubuntu help addremove ppa html 7 https launchpad net zentyal 87 Remote Administration e zentyal ids integrates a network intrusion detection system e zentyal ipsec allows to configure IPsec tunnels using OpenSwan e zentyal jabber integrates ejabberd XMPP server with LDAP users and groups e zentyal thinclients a LTSP based thin clients solution e zentyal mail a full mail stack including Postfix and Dovecot with LDAP backend e zentyal mailfilter configures amavisd with mail stack to filter spam and attached virus e zentyal monitor integrates collectd to monitor server performance and running services e zentyal pptp configures a PPTP VPN server e zentyal radius integrates FreeRADIUS with LDAP users and groups e zentyal software simple interface to manage installed Zentyal modules and system updates e zentyal trafficshaping configures traffic limiting rules to do ba
393. sing passwd or other utilities the shadowLastChange attribute needs to be accessible once a user has authenticated This DIT can be searched anonymously because of by read in this ACL EOS by self write by dn cn admin dc example dc com write by read If this is unwanted then you need to change the ACLs To force authentication during a bind request you can alternatively or in combination with the modified ACL use the olcRequire authc directive 104 Network Authentication As previously mentioned there is no administrative account created for the slapd config database There is however a SASL identity that is granted full access to it It represents the localhost s superuser root sudo Here it is dn exact gidNumber 0 uidNumber 0 cn peercred cn external cn auth The following command will display the ACLs of the slapd config database sudo ldapsearch Q LLL Y EXTERNAL H ldapi b cn config olcDatabase 0 config olcAccess dn olcDatabase 0 config cn config olcAccess 0 to by dn exact gidNumber 0 uidNumber 0 cn peercred cn external cn auth manage by break Since this is a SASL identity we need to use a SASL mechanism when invoking the LDAP utility in question and and we have seen it plenty of times in this guide It is the EXTERNAL mechanism See the previous command for an example Note that 1 You must use sudo to become the root identity in order for the ACL to
394. ssage protocol is based on XMPP an open standard for instant messaging and used by many popular applications This section covers setting up a Jabberd 2 server on a local LAN This configuration can also be adapted to providing messaging services to users over the Internet 3 1 Installation To install jabberd2 in a terminal enter sudo apt get install jabberd2 3 2 Configuration A couple of XML configuration files will be used to configure jabberd2 for Berkeley DB user authentication This is a very simple form of authentication However jabberd2 can be configured to use LDAP MySQL PostgreSQL etc for for user authentication First edit etc jabberd2 sm xml changing lt id gt jabber example com lt id gt bJ Replace jabber example com with the hostname or other id of your server Now in the lt storage gt section change the lt driver gt to lt driver gt db lt driver gt Next edit etc jabberd2 c2s xm1 in the lt ocal gt section change lt id gt jabber example com lt id gt And in the lt authreg gt section adjust the lt module gt section to lt module gt db lt module gt Finally restart jabberd2 to enable the new settings sudo etc init d jabberd2 restart You should now be able to connect to the server using a Jabber client like Pidgin for example 264 Chat Applications fy The advantage of using Berkeley DB for user data is that after being configured no additional maintenance i
395. stall to You may get confirmation prompts before rewriting the partition table or setting up LVM depending on disk layout If you choose LVM you will be asked for the size of the root logical volume For advanced disk options see Section 4 Advanced Installation p 10 The Ubuntu base system is then installed A new user is set up this user will have root access through the sudo utility After the user settings have been completed you will be asked to encrypt your home directory The next step in the installation process is to decide how you want to update the system There are three options No automatic updates this requires an administrator to log into the machine and manually install updates e Install security updates automatically this will install the unattended upgrades package which will install security updates without the intervention of an administrator For more details see Section 5 Automatic Updates p 27 e Manage the system with Landscape Landscape is a paid service provided by Canonical to help manage your Ubuntu machines See the Landscape site for details 3 http www ubuntu com download server download j http www canonical com projects landscape Installation e You now have the option to install or not install several package tasks See Section 2 1 Package Tasks p 7 for details Also there is an option to launch aptitude to choose specific packages to install For m
396. swap partition choose sdal and sdb1 Select Continue to go to the next step Repeat steps three through seven for the partition choosing sda2 and sdb2 Once done select Finish 4 1 3 Formatting There should now be a list of hard drives and RAID devices The next step is to format and set the mount point for the RAID devices Treat the RAID device as a local hard drive format and mount accordingly 1 Select under the RAIDI device 0 partition 2 Choose Use as Then select swap area then Done setting up partition 3 Next select under the RAID device 1 partition 4 Choose Use as Then select Ext4 journaling file system 5 Then select the Mount point and choose the root file system Change any of the other options as appropriate then select Done setting up partition 6 Finally select Finish partitioning and write changes to disk If you choose to place the root partition on a RAID array the installer will then ask if you would like to boot in a degraded state See Section 4 1 4 Degraded RAID p 11 for further details The installation process will then continue normally 4 1 4 Degraded RAID At some point in the life of the computer a disk failure event may occur When this happens using Software RAID the operating system will place the array into what is known as a degraded state 11 Installation If the array has become degraded due to the chance of
397. sword you use to login via ssh Once you are authenticated it checks out the code from the Subversion repository 272 Version Control System 3 CVS Server CVS is a version control system You can use it to record the history of source files 3 1 Installation To install CVS run the following command from a terminal prompt sudo apt get install cvs After you install cvs you should install xinetd to start stop the cvs server At the prompt enter the following command to install xinetd sudo apt get install xinetd 3 2 Configuration Once you install cvs the repository will be automatically initialized By default the repository resides under the srv cvs directory You can change this path by running following command cvs d your new cvs repo init Once the initial repository is set up you can configure xinetd to start the CVS server You can copy the following lines to the etc xinetd d cvspserver file service cvspserver port 2401 socket_type stream protocol tcp user root wait no type UNLISTED server usr bin cvs server_args f allow root srv cvs pserver disable no ft Be sure to edit the repository if you have changed the default repository srv cvs directory Once you have configured xinetd you can start the cvs server by running following command sudo etc init d xinetd restart You can confirm that the CVS server is running by issuing the
398. system change that to physical volume for RAID then Done setting up partition 6 For the partition once again select Free Space on the first drive then Create a new partition 7 Use the rest of the free space on the drive and choose Continue then Primary 8 As with the swap partition select the Use as line at the top changing it to physical volume for RAID Also select the Bootable flag line to change the value to on Then choose Done setting up partition 9 Repeat steps three through eight for the other disk and partitions 4 1 2 RAID Configuration With the partitions setup the arrays are ready to be configured 10 Installation oS Back in the main Partition Disks page select Configure Software RAID at the top Select yes to write the changes to disk Choose Create MD device For this example select RAID1 but if you are using a different setup choose the appropriate type RAIDO RAID1 RAIDS In order to use RAIDS you need at least three drives Using RAIDO or RAID1 only two drives are required Enter the number of active devices 2 or the amount of hard drives you have for the array Then select Continue Next enter the number of spare devices 0 by default then choose Continue Choose which partitions to use Generally they will be sdal sdb1 sdcl etc The numbers will usually match and the different letters correspond to different hard drives For the
399. t is stored in a file mentioned in the file option It is possible to configure the same server to be a caching name server primary master and secondary master A server can be the Start of Authority SOA for one zone while providing secondary service for another zone All the while providing caching services for hosts on the local LAN 2 2 Caching Nameserver The default configuration is setup to act as a caching server All that is required is simply adding the IP Addresses of your ISP s DNS servers Simply uncomment and edit the following in etc bind named conf options forwarders E e T 5 6 7 8 bA Replace 7 2 3 4 and 5 6 7 8 with the IP Adresses of actual nameservers Now restart the DNS server to enable the new configuration From a terminal prompt 141 Domain Name Service DNS sudo service bind9 restart See Section 3 1 2 dig p 147 for information on testing a caching DNS server 2 3 Primary Master In this section BIND9 will be configured as the Primary Master for the domain example com Simply replace example com with your FQDN Fully Qualified Domain Name 2 3 1 Forward Zone File To add a DNS zone to BIND9 turning BIND9 into a Primary Master server the first step is to edit etc bind named conf local zone example com type master file etc bind db example com Now use an existing zone file as a template to create the etc bind db example con file
400. t needed but unless you have some other way to manage the various Samaba entities users groups computers in an LDAP context then you should install it Install these packages now sudo apt get install samba samba doc smbldap tools 2 2 LDAP Configuration We will now configure the LDAP server so that it can accomodate Samba data We will perform three tasks in this section 1 Import a schema 2 Index some entries 3 Add objects 2 2 1 Samba schema In order for OpenLDAP to be used as a backend for Samba logically the DIT will need to use attributes that can properly describe Samba data Such attributes can be obtained by introducing a Samba LDAP schema Let s do this now bJ For more information on schemas and their installation see Section 1 4 Modifying the slapd Configuration Database p 96 1 The schema is found in the now installed samba doc package It needs to be unzipped and copied to the etc ldap schema directory 117 Network Authentication sudo cp usr share doc samba doc examples LDAP samba schema gz etc ldap schema sudo gzip d etc ldap schema samba schema gz Have the configuration file schema_convert conf that contains the following lines include etc ldap schema core schema include etc ldap schema collective schema include etc ldap schema corba schema include etc ldap schema cosine schema include etc ldap schema duaconf schema include etc ldap schema
401. t_limit 0 0o smtpd_client_connection_rate_limit 0 o receive_override_options no_header_body_checks no_unknown_recipient_checks Also add the following two lines immediately below the pickup transport service 0o content_filter o receive_override_options no_header_body_checks This will prevent messages that are generated to report on spam from being classified as spam Now restart Postfix sudo etc init d postfix restart Content filtering with spam and virus detection is now enabled 5 2 5 Amavisd new and Spamassassin When integrating Amavisd new with Spamassassin if you choose to disable the bayes filtering by editing etc spamassassin local cf and use cron to update the nightly rules the result can cause a situation where a large amount of error messages are sent to the amavis user via the amavisd new cron job There are several ways to handle this situation e Configure your MDA to filter messages you do not wish to see e Change usr sbin amavisd new cron job to check for use_bayes 0 For example edit usr sbin amavisd new cron job and add the following to the top before the fest statements egrep q t use_bayes t 0 etc spamassassin local cf amp amp exit 0 5 3 Testing First test that the Amavisd new SMTP is listening telnet localhost 10024 Trying 127 0 0 1 Connected to localhost Escape character is 257 Email Services 220 127 0 0 1 ESMTP amavisd new
402. tainers is private namespaces Namespaces allow a set of tasks to have private mappings of names to resources for things like pathnames and process IDs See Section 5 9 Resources p 360 for a link to more information Unlike control groups and other mount features which are also used to create containers namespaces cannot be manipulated using a filesystem interface Therefore LXC ships with the Ixc unshare program which is mainly for testing It provides the ability to create new tasks in private namespaces For instance 351 Virtualization sudo lxc unshare s MOUNT PID bin bash creates a bash shell with private pid and mount namespaces In this shell you can do root ubuntu mount t proc proc proc root ubuntu ps ef UID PID root 1 root 110 C STIME TTY TIME CMD 6 10 20 pts 9 00 00 00 bin bash 0 10 20 pts 9 00 00 00 ps ef so that ps shows only the tasks in your new namespace 5 3 9 Ephemeral containers Ephemeral containers are one time containers Given an existing container CN you can run a command in an ephemeral container created based on CN with the host s jdoe user bound into the container using 1lxc start ephemeral b jdoe o CN home jdoe run_my_ job When the job is finished the container will be discarded 5 3 10 Container Commands Following is a table of all container commands Table 20 3 Container commands Command Synopsis lxc attach NO
403. technology in Ubuntu e Another good resource is the Ubuntu Wiki KVM page 2 http kvm qumranet com kvmwiki 3 http libvirt org A http virt manager et redhat com gt http freenode net https help ubuntu com community KVM 312 Virtualization 2 JeOS and vmbuilder 2 1 Introduction 2 1 1 What is JeOS Ubuntu JeOS pronounced Juice is an efficient variant of the Ubuntu Server operating system configured specifically for virtual appliances No longer available as a CD ROM ISO for download but only as an option either e While installing from the Server Edition ISO pressing F4 on the first screen will allow you to pick Minimal installation which is the package selection equivalent to JeOS e Or to be built using Ubuntu s vmbuilder which is described here JeOS is a specialized installation of Ubuntu Server Edition with a tuned kernel that only contains the base elements needed to run within a virtualized environment Ubuntu JeOS has been tuned to take advantage of key performance technologies in the latest virtualization products from VMware This combination of reduced size and optimized performance ensures that Ubuntu JeOS Edition delivers a highly efficient use of server resources in large virtual deployments Without unnecessary drivers and only the minimal required packages ISVs can configure their supporting OS exactly as they require They have the peace of mind that upda
404. ted Replicated Block Device DRBD mirrors block devices between multiple hosts The replication is transparent to other applications on the host systems Any block device hard disks partitions RAID devices logical volumes etc can be mirrored To get started using drbd first install the necessary packages From a terminal enter sudo apt get install drbd8 utils bJ If you are using the virtual kernel as part of a virtual machine you will need to manually compile the drbd module It may be easier to install the linux server package inside the virtual machine This section covers setting up a drbd to replicate a separate srv partition with an ext3 filesystem between two hosts The partition size is not particularly relevant but both partitions need to be the same size 1 1 Configuration The two hosts in this example will be called drbd01 and drbd02 They will need to have name resolution configured either through DNS or the etc hosts file See Chapter 8 Domain Name Service DNS p 139 for details e To configure drbd on the first host edit etc drbd conf global usage count no common syncer rate 100M resource r0 protocol C startup wfc timeout 15 degr wfc timeout 60 net cram hmac alg shal shared secret secret on drbd0l device dev drbd0 disk dev sdb1 address 192 168 0 1 7788 meta disk internal on drbd02 device dev drbd0 disk dev sdbl address 192 168
405. terface configuration Let s assume your server has an interface ethO connected to the internet and an interface eth connected to the LAN you want to bridge Your etc network interfaces would like this auto eth0 iface ethO inet static address 1 2 3 4 netmask 255 255 255 248 default 1 2 3 1 auto ethl iface ethl inet static http openvpn net index php open source documentation howto html security 372 VPN address 10 0 0 4 netmask 255 255 255 0 This straight forward interface config needs to be changed into a bridged mode like where the config of interface eth moves to the new brO interface Plus we configure that brO should bridge interface ethl We also need to make sure that interface eth is always in promiscuous mode this tells the interface to forward all ethernet frames to the IP stack auto eth0 iface ethO inet static address 1 2 3 4 netmask 255 255 255 248 default 1 2 3 1 auto ethl iface ethl inet manual up ip link set SIFACE up promisc on auto br0 iface br0 inet static address 10 0 0 4 netmask 255 255 255 0 bridge_ports ethl At this point you need to restart networking Be prepared that this might not work as expected and that you will lose remote connectivity Make sure you can solve problems having local access sudo etc init d network restart 1 6 2 2 Prepare server config for bridging Edit etc openvpn server conf changing the following options to 7 dev tun dev tap up
406. tes whether for security or enhancement reasons will be limited to the bare minimum of what is required in their specific environment In turn users deploying virtual appliances built on top of JeOS will have to go through fewer updates and therefore less maintenance than they would have had to with a standard full installation of a server 2 1 2 What is vmbuilder With vmbuilder there is no need to download a JeOS ISO anymore vmbuilder will fetch the various package and build a virtual machine tailored for your needs in about a minute vmbuilder is a script that automates the process of creating a ready to use Linux based VM The currently supported hypervisors are KVM and Xen You can pass command line options to add extra packages remove packages choose which version of Ubuntu which mirror etc On recent hardware with plenty of RAM tmpdir in dev shm or using a tmpfs and a local mirror you can bootstrap a VM in less than a minute First introduced as a shell script in Ubuntu 8 04 LTS ubuntu vm builder started with little emphasis as a hack to help developers test their new code in a virtual machine without having to restart from scratch each time As a few Ubuntu administrators started to notice this script a few of them went on improving it and adapting it for so many use case that Soren Hansen the author of the script and Ubuntu virtualization specialist not the golf player decided to rewrite it from scratch for Intrepid
407. th a few others that are not strictly necessary but make life easier To install the packages enter the following in a terminal prompt sudo apt get install krb5 user libpam krb5 libpam ccreds auth client config The auth client config package allows simple configuration of PAM for authentication from multiple sources and the libpam ccreds will cache authentication credentials allowing you to login in case 129 Network Authentication the Key Distribution Center KDC is unavailable This package is also useful for laptops that may authenticate using Kerberos while on the corporate network but will need to be accessed off the network as well 3 4 2 Configuration To configure the client in a terminal enter sudo dpkg reconfigure krb5 config You will then be prompted to enter the name of the Kerberos Realm Also if you don t have DNS configured with Kerberos SRV records the menu will prompt you for the hostname of the Key Distribution Center KDC and Realm Administration server The dpkg reconfigure adds entries to the etc krb5 conf file for your Realm You should have entries similar to the following libdefaults default_realm EXAMPLE COM realms EXAMPLE COM kdc 192 168 0 1 admin_server 192 168 0 1 a If you set the uid of each of your network authenticated users to start at 5000 as suggested in Section 3 2 1 Installation p 125 you can then tell pam to only try to authenticate using K
408. the Primary become unavailable First on the Primary Master server the zone transfer needs to be allowed Add the allow transfer option to the example Forward and Reverse zone definitions in etc bind named conf local zone example com type master file etc bind db example com allow transfer 192 168 1 11 zone 1 168 192 in addr arpa type master file etc bind db 192 allow transfer 192 168 1 11 bJ Replace 792 168 1 11 with the IP Address of your Secondary nameserver Restart BIND9 on the Primary Master sudo service bind9 restart Next on the Secondary Master install the bind9 package the same way as on the Primary Then edit the etc bind named conf 1local and add the following declarations for the Forward and Reverse zones zone example com type slave file db example com masters 192 168 1 10 144 Domain Name Service DNS zone 1 168 192 in addr arpa type slave file db 192 masters 192 168 1 10 ba Replace 92 68 1 10 with the IP Address of your Primary nameserver Restart BIND9 on the Secondary Master sudo service bind9 restart In var log syslog you should see something similar to some lines have been split to fit the format of this document client 192 168 1 10 39448 received notify for zone 1 168 192 in addr arpa zone 1 168 192 in addr arpa IN Transfer started transfer of 100 18 172 in addr arpa IN from 192 168 1 10
409. the current multipath configuration gathered from sysfs and the device mapper ll Display the current multipath configuration gathered from sysfs the device mapper and all other available components on the system f device Remove the named multipath device F Remove all unused multipath devices 5 9 Determining Device Mapper Entries with dmsetup Command You can use the dmsetup command to find out which device mapper entries match the multipathed devices The following command displays all the device mapper devices and their major and minor numbers The minor numbers determine the name of the dm device For example a minor number of 3 corresponds to the multipathed device dev dm 3 dmsetup ls mpathd 253 4 mpathepl 253 mpathfpl 253 mpathb 253 3 mpathgpl 253 mpathhp1l 253 mpatha 253 2 mpathh 253 9 mpathg 253 8 VolGroup00 LogVol01 mpathf 253 7 VolGroup00 LogVol100 mpathe 253 6 12 11 14 13 253 1 253 0 77 DM Multipath mpathbpl 253 10 mpathd 253 5 5 10 Troubleshooting with the multipathd interactive console The multipathd k command is an interactive interface to the multipathd daemon Entering this command brings up an interactive multipath console After entering this command you can enter help to get a list of available commands you can enter a interactive command or you can enter CTRL D to quit The multipathd inte
410. the removal Press ENTER which will result in a Password prompt Enter your user password to become root Finally press g once more then press ENTER on the Continue prompt and removal of the package will commence e Update Package Index To update the package index simply press the u key and you will be prompted to become root to complete the update Press ENTER which will result in a Password prompt Enter your user password to become root Updating of the package index will commence Press ENTER on the OK prompt when the download dialog is presented to complete the process e Upgrade Packages To upgrade packages perform the update of the package index as detailed above and then press the U key to mark all packages with updates Now press g whereby you ll be presented with a summary of package actions Press g again and you will be prompted to 25 Package Management become root to complete the installation Press ENTER which will result in a Password prompt Enter your user password to become root Finally press g once more and you ll be prompted to download the packages Press ENTER on the Continue prompt and upgrade of the packages will commence The first column of information displayed in the package list in the top pane when actually viewing packages lists the current state of the package and uses the following key to describe the state of the package e i Installed package e c Package not installed but pa
411. tils 7 4 2ubuntu2 After viewing the report you will be brought back to the same menu asking what you would like to do with the report e Keep Report File Selecting Keep Report File causes the gathered information to be written to a file This file can then be used to later file a bug report or transferred to a different Ubuntu system for reporting To submit the report file simply give it as an argument to the ubuntu bug command What would you like to do Your options are S Send report 1 7 KiB V View report K Keep report file for sending later or copying to somewhere else C Cancel Please choose S V K C k Problem report file tmp apport postgresql v4MQas apport ubuntu bug tmp apport postgresql v4MQas apport xxx Send problem report to the developers e Cancel Selecting Cancel causes the collected information to be discarded 1 2 Reporting Application Crashes The software package that provides the ubuntu bug utility apport can be configured to trigger when applications crash This is disabled by default as capturing a crash can be resource intensive depending on how much memory the application that crashed was using as apport captures and processes the core dump Configuring apport to capture information about crashing applications requires a couple of steps First gdb needs to be installed it is not installed by default in Ubuntu Server Edition sudo apt get install gdb See Chapter 3 Package Management
412. ting at 5000 than that of your local users Before installing the Kerberos server a properly configured DNS server is needed for your domain Since the Kerberos Realm by convention matches the domain name this section uses the EXAMPLE COM domain configured in Section 2 3 Primary Master p 142 of the DNS documentation Also Kerberos is a time sensitive protocol So if the local system time between a client machine and the server differs by more than five minutes by default the workstation will not be able to authenticate To correct the problem all hosts should have their time synchronized using the same Network Time Protocol NTP server For details on setting up NTP see Section 4 Time Synchronisation with NTP p 49 The first step in creating a Kerberos Realm is to install the krb5 kdc and krb5 admin server packages From a terminal enter sudo apt get install krb5 kdc krb5 admin server You will be asked at the end of the install to supply the hostname for the Kerberos and Admin servers which may or may not be the same server for the realm fy By default the realm is created from the KDC s domain name Next create the new realm with the kdb5_newrealm utility sudo krb5_newrealm 3 2 2 Configuration The questions asked during installation are used to configure the etc krb5 conf file If you need to adjust the Key Distribution Center KDC settings simply edit the file and restart the krb5 kdc 12
413. tion To install the necessary packages from a terminal prompt enter sudo apt get install kvm libvirt bin After installing libvirt bin the user used to manage virtual machines will need to be added to the libvirtd group Doing so will grant the user access to the advanced networking options In a terminal enter sudo adduser SUSER libvirtd fe If the user chosen is the current user you will need to log out and back in for the new group membership to take effect You are now ready to install a Guest operating system Installing a virtual machine follows the same process as installing the operating system directly on the hardware You either need a way to automate the installation or a keyboard and monitor will need to be attached to the physical machine 308 Virtualization In the case of virtual machines a Graphical User Interface GUD is analogous to using a physical keyboard and mouse Instead of installing a GUI the virt viewer application can be used to connect to a virtual machine s console using VNC See Section 1 6 Virtual Machine Viewer p 311 for more information There are several ways to automate the Ubuntu installation process for example using preseeds kickstart etc Refer to the Ubuntu Installation Guide for details Yet another way to install an Ubuntu virtual machine is to use ubuntu vm builder ubuntu vm builder allows you to setup advanced partitions execute custom post install sc
414. tion and ClamAV Wiki 22 http www ijs si software amavisd amavisd new docs html 23 http www clamav net doc latest html 2a http wiki clamav net Main WebHome 258 Email Services e Spamassassin Wiki e Pyzor Homepage Razor Homepage DKIM org Postfix Amavis New Also feel free to ask questions in the ubuntu server IRC channel on freenode 23 http wiki apache org spamassassin 26 http sourceforge net apps trac pyzor af http razor sourceforge net 28 http dkim org 23 https help ubuntu com community PostfixAmavisNew 3 http freenode net 259 Chapter 16 Chat Applications 260 Chat Applications 1 Overview In this section we will discuss how to install and configure a IRC server ircd irc2 We will also discuss how to install and configure Jabber an instance messaging server 261 Chat Applications 2 IRC Server The Ubuntu repository has many Internet Relay Chat servers This section explains how to install and configure the original IRC server ircd irc2 2 1 Installation To install ircd irc2 run the following command in the command prompt sudo apt get install ircd irc2 The configuration files are stored in etc ircd directory The documents are available in usr share doc ircd irce2 directory 2 2 Configuration The IRC settings can be done in the configuration file etc ircd ircd conf You can set the IRC host na
415. tions available Also the Ubuntu Wiki Postifx page has more information 4 http freenode net 2 http www ubuntu com support community webforums 6 http www postfix book com i http www postfix org documentation html 8 https help ubuntu com community Postfix 241 Email Services 2 Exim4 Exim4 is another Message Transfer Agent MTA developed at the University of Cambridge for use on Unix systems connected to the Internet Exim can be installed in place of sendmail although the configuration of exim is quite different to that of sendmail 2 1 Installation To install exim4 run the following command sudo apt get install exim4 2 2 Configuration To configure Exim4 run the following command sudo dpkg reconfigure exim4 config The user interface will be displayed The user interface lets you configure many parameters For example In Exim4 the configuration files are split among multiple files If you wish to have them in one file you can configure accordingly in this user interface All the parameters you configure in the user interface are stored in etc exim4 update exim4 conf file If you wish to re configure either you re run the configuration wizard or manually edit this file using your favorite editor Once you configure you can run the following command to generate the master configuration file sudo update exim4 conf The master configuration file is generated and it is stored in
416. to the Mail User Agent MUA allowing the user to deal with the message as they see fit 5 1 Installation See Section 1 Postfix p 235 for instructions on installing and configuring Postfix To install the rest of the applications enter the following from a terminal prompt sudo apt get install amavisd new spamassassin clamav daemon sudo apt get install opendkim postfix policyd spf python There are some optional packages that integrate with Spamassassin for better spam detection 253 Email Services sudo apt get install pyzor razor Along with the main filtering applications compression utilities are needed to process some email attachments sudo apt get install arj cabextract cpio lha nomarch pax rar unrar unzip zip fy If some packages are not found check that the multiverse repository is enabled in etc apt sources list If you make changes to the file be sure to run sudo apt get update before trying to install again 5 2 Configuration Now configure everything to work together and filter email 5 2 1 ClamAV The default behaviour of ClamAV will fit our needs For more ClamAV configuration options check the configuration files in etc clamav Add the clamav user to the amavis group in order for Amavisd new to have the appropriate access to scan files sudo adduser clamav amavis sudo adduser amavis clamav 5 2 2 Spamassassin Spamassassin automatically detects optional componen
417. tor of the device tur Issue a TEST UNIT READY to the device e emc_clariion Query the EMC Clariion specific EVPD page 0xCO0 to determine the path e hp_sw Check the path state for HP storage arrays with Active Standby firmware e rdac Check the path stat for LSI Engenio RDAC storage controller directio Read the first sector with direct I O The default value is directio 67 DM Multipath Attribute failback Description Manages path group failback e A value of immediate specifies immediate failback to the highest priority path group that contains active paths e A value of manual specifies that there should not be immediate failback but that failback can happen only with operator intervention e A numeric value greater than zero specifies deferred failback expressed in seconds The default value is manual rr_min_io Specifies the number of I O requests to route to a path before switching to the next path in the current path group The default value is 1000 rr_weight If set to priorities then instead of sending rr_min_io requests to a path before calling path_selector to choose the next path the number of requests to send is determined by rr_min_io times the path s priority as determined by the prio function If set to uniform all path weights are equal The default value is uniform no_path_retry A numeric value for this attribute specifies the number
418. try on the left menu Every time you enable a module a pop up will appear asking for a confirmation to perform the necessary actions and changes on your server and configuration files 88 Remote Administration fe If you need to customize any configuration file or run certain actions scripts or commands to configure features not available on Zentyal place the custom configuration file templates on etc zentyal stubs lt module gt and the hooks on etc zentyal hooks lt module gt lt action gt 3 3 References Zentyal Official Documentation page See also Zentyal Community Documentation page And don t forget to visit the forum for community support feedback feature requests etc 19 http doc zentyal org ul http trac zentyal org wiki Documentation 12 http forum zentyal org 89 Chapter 7 Network Authentication This section applies LDAP to network authentication and authorization 90 Network Authentication 1 OpenLDAP Server The Lightweight Directory Access Protocol or LDAP is a protocol for querying and modifying a X 500 based directory service running over TCP IP The current LDAP version is LDAPv3 as defined in RFC4510 and the LDAP implementation used in Ubuntu is OpenLDAP currently at version 2 4 25 Oneiric So this protocol accesses LDAP directories Here are some key concepts and terms e A LDAP directory is a tree of data entries that is hierarchical in nature and
419. ts and will use them if they are present This means that there is no need to configure pyzor and razor Edit etc default spamassassin to activate the Spamassassin daemon Change ENABLED 0 to ENABLED 1 Now start the daemon sudo etc init d spamassassin start 5 2 3 Amavisd new First activate spam and antivirus detection in Amavisd new by editing etc amavis conf d 15 content_filter_mode 254 Email Services use strict You can modify this file to re enable SPAM checking through spamassassin and to re enable antivirus checking Default antivirus checking mode Uncomment the two lines below to enable it bypass_virus_checks_maps Sbypass_virus_checks bypass_virus_checks_acl Sbypass_virus_checks_re Default SPAM checking mode Uncomment the two lines below to enable it bypass_spam_checks_maps Sbypass_spam_checks bypass_spam_checks_acl Sbypass_spam_checks_re 1 insure a defined return Bouncing spam can be a bad idea as the return address is often faked Consider editing etc amavis conf d 20 debian_defaults to set final_spam_destiny to D_DISCARD rather than D_BOUNCE as follows Sfinal_spam_destiny D_DISCARD Additionally you may want to adjust the following options to flag more messages as spam Ssa_tag_level_deflt 999 add spam info headers if at or above that level Ssa_tag2_level_deflt 6 0 add spam detected head
420. ttpd conf historically the main Apache2 configuration file named after the httpd daemon Now the file is typically empty as most configuration options have been moved to the below referenced directories The file can be used for user specific configuration options that globally effect Apache2 e mods available this directory contains configuration files to both load modules and configure them Not all modules will have specific configuration files however e mods enabled holds symlinks to the files in etc apache2 mods available When a module configuration file is symlinked it will be enabled the next time apache2 is restarted e ports conf houses the directives that determine which TCP ports Apache2 is listening on e sites available this directory has configuration files for Apache2 Virtual Hosts Virtual Hosts allow Apache2 to be configured for multiple sites that have separate configurations e sites enabled like mods enabled sites enabled contains symlinks to the etc apache2 sites available directory Similarly when a configuration file in sites available is symlinked the site configured by it will be active once Apache is restarted In addition other configuration files may be added using the Include directive and wildcards can be used to include many configuration files Any directive may be placed in any of these configuration files Changes to the main configuration files are only recognized by Apache2 when it is starte
421. u can install the key file server key and certificate file server crt or the certificate file issued by your CA by running following commands at a terminal prompt sudo cp server crt etc ssl certs sudo cp server key etc ssl private Now simply configure any applications with the ability to use public key cryptography to use the certificate and key files For example Apache can provide HTTPS Dovecot can provide IMAPS and POP3S etc 5 5 Certification Authority If the services on your network require more than a few self signed certificates it may be worth the additional effort to setup your own internal Certification Authority CA Using certificates signed 173 Security by your own CA allows the various services using the certificates to easily trust other services using certificates issued from the same CA 1 First create the directories to hold the CA certificate and related files sudo mkdir etc ssl1 CA sudo mkdir etc ssl newcerts 2 The CA needs a few additional files to operate one to keep track of the last serial number used by the CA each certificate must have a unique serial number and another file to record which certificates have been issued sudo sh c echo 01 gt etc ss1 CA serial sudo touch etc ss1 CA index txt 3 The third file is a CA configuration file Though not strictly necessary it is very convenient when issuing multiple certificates Edit etc ssl openssl cnf and in t
422. u com manpages en man1 ldapdeletegroup 1 html 19 http manpages ubuntu com manpages en man ldapmodify group 1 html 20 http manpages ubuntu com manpages en man1 ldapdeletemachine 1 html a http manpages ubuntu com manpages en man 1 ldaprenamegroup 1 html A http manpages ubuntu com manpages en man1 ldapaddmachine 1 html 23 http manpages ubuntu com manpages en man1 ldapmodifymachine 1 html at http manpages ubuntu com manpages en man ldapsetprimary group html a http manpages ubuntu com manpages en man I ldapdeleteuser 1 html 114 Network Authentication BACKUP_PATH export backup SLAPCAT usr sbin slapcat nice SLAPCAT n 0 gt BACKUP_PATH config ldif nice SLAPCAT n 1 gt BACKUP_PATH example com ldif nice SLAPCAT n 2 gt S BACKUP_PATH access ldif chmod 640 S BACKUP_PATH ldif fy These files are uncompressed text files containing everything in your ldap databases including the tree layout usernames and every password So you might want to consider making export backup an encrypted partition and even having the script encrypt those files as it creates them Ideally you should do both but that depends on your security requirements Then it is just a matter of having a cron script to run this program as often as we feel comfortable with For many once a day suffices For others more often is required Here is an example of a cron script called etc cron d ldapbackup that is run e
423. u will be able to change administrative settings of this mailing list You can create a new mailing list using the command line utility usr sbin newlist Alternatively you can create a new mailing list using the web interface 4 4 Users Mailman provides a web based interface for users To access this page point your browser to the following url http hostname cgi bin mailman listinfo The default mailing list mailman will appear in this screen If you click the mailing list name it will display the subscription form You can enter your email address name optional and password to subscribe An email invitation will be sent to you You can follow the instructions in the email to subscribe 4 5 References GNU Mailman Installation Manual HOWTO Using Exim 4 and Mailman 2 1 together Also see the Mailman Ubuntu Wiki page 19 http www list org mailman install index html 20 http www exim org howto mailman21 html al https help ubuntu com community Mailman 252 Email Services 5 Mail Filtering One of the largest issues with email today is the problem of Unsolicited Bulk Email UBE Also known as SPAM such messages may also carry viruses and other forms of malware According to some reports these messages make up the bulk of all email traffic on the Internet This section will cover integrating Amavisd new Spamassassin and ClamAV with the Postfix Mail Transport Agent MTA Postfix can
424. ual page contains some very useful information man ufw See the packet filtering HOWTO for more information on using iptables The nat HOWTO contains further details on masquerading The IPTables HowTo in the Ubuntu wiki is a great resource l http www fwbuilder org 2 http www shorewall net 3 https wiki ubuntu com UncomplicatedFirewall A http www netfilter org documentation HOWTO packet filtering HOWTO html gt http www netfilter org documentation HOWTO NAT HOWTO html 6 https help ubuntu com community IptablesHowTo 166 Security 4 AppArmor AppArmor is a Linux Security Module implementation of name based mandatory access controls AppArmor confines individual programs to a set of listed files and posix 1003 1e draft capabilities AppArmor is installed and loaded by default It uses profiles of an application to determine what files and permissions the application requires Some packages will install their own profiles and additional profiles can be found in the apparmor profiles package To install the apparmor profiles package from a terminal prompt sudo apt get install apparmor profiles AppArmor profiles have two modes of execution e Complaining Learning profile violations are permitted and logged Useful for testing and developing new profiles e Enforced Confined enforces profile policy as well as logging the violation 4 1 Using AppArmor The apparmor utils packag
425. ubuntu com community CronHowto 4 http www gnu org software tar manual index html 3 http en wikipedia org wiki Backup_rotation_scheme 5 http www gnu org software cpio 1 http www gnu org software coreutils 8 http www rsnapshot org A http www samba org ftp rsync rsync html 298 Backups 2 Archive Rotation The shell script in Section 1 Shell Scripts p 295 only allows for seven different archives For a server whose data doesn t change often this may be enough If the server has a large amount of data a more complex rotation scheme should be used 2 1 Rotating NFS Archives In this section the shell script will be slightly modified to implement a grandfather father son rotation scheme monthly weekly daily e The rotation will do a daily backup Sunday through Friday e On Saturday a weekly backup is done giving you four weekly backups a month e The monthly backup is done on the first of the month rotating two monthly backups based on if the month is odd or even Here is the new script bin bash PHT FE FE AE AE AE FE FE AE AE HEHE AE AE AE HEHE EE HEHE EEE Backup to NFS mount script with grandfather father son rotation FE HE AE AE FE AE HEHE FE FE AE AE AE FE FE EE FE FE FE AE AE FE FE TE HE HEE EH What to backup backup_files home var spool mail etc root boot opt Where to backup to dest mnt backup Setup variables for the archive filename day d
426. ulldump sql This will then prompt you for the root password before creating a copy of the data It is advisable to make sure there are no other users or processes using the database whilst this takes place Depending on how much data you ve got in your database this may take a while You won t see anything on the screen during this process Once the dump has been completed shut down MySQL sudo service mysql stop Now backup the original my cnf file and replace with the new one sudo cp etc my cnf etc my cnf backup sudo cp path to new my cnf etc my cnf Then delete and re initialise the database space and make sure ownership is correct before restarting MySQL sudo rm rf var 1ib mysql sudo mysql_install_db sudo chown R mysql var lib mysql sudo service start mysql Finally all that s left is to re import your data To give us an idea of how far the import process has got you may find the Pipe Viewer utility pv useful The following shows how to install and use pv for this case but if you d rather not use it just replace pv with cat in the following command Ignore any ETA times produced by pv they re based on the average time taken to handle each row of the file but the speed of inserting can vary wildly from row to row with mysqldumps 2 http tools percona com members wizard 208 Databases sudo apt get install pv pv fulldump sql mysql Once that is complete all is good to go fe This is not
427. ur path_grouping_policy multibus rr_weight priorities 72 append module to file DM Multipath The spacing reserved in the vendor product and revision fields are significant as multipath is performing a direct match against these attributes whose format is defined by the SCSI specification specifically the Standard INQUIRY command When quotes are used the vendor product and revision fields will be interpreted strictly according to the spec Regular expressions may be integrated into the quoted strings Should a field be defined without the requisite spacing multipath will copy the string into the properly sized buffer and pad with the appropriate number of spaces The specification expects the entire field to be populated by printable characters or spaces as seen in the example above e vendor 8 characters e product 16 characters e revision 4 characters To create a more robust configuration file regular expressions can also be used Operators include Examples of functional regular expressions can be found by examining the live multipath database and multipath conf example files found in usr share doc multipath tools examples echo show config multipathd k 2 http en wikipedia org wiki SCSI_Inquiry_Command 73 DM Multipath 5 DM Multipath Administration and Troubleshooting 5 1 Resizing an Online Multipath Device If you need to resize an online multi
428. us is updated periodically by the multipathd daemon based on the polling interval defined in the etc multipath conf file The dm status is similar to the path status but from the kernel s point of view The dm status has two states failed which is analogous to faulty and active which covers all other path states Occasionally the path state and the dm state of a device will temporarily not agree The possible values for online_status are running and offline A status of offline means that the SCSI device has been disabled fe When a multipath device is being created or modified the path group status the dm device name the write permissions and the dm status are not known Also the features are not always correct 5 7 Multipath Queries with multipath Command You can use the l and ll options of the multipath command to display the current multipath configuration The l option displays multipath topology gathered from information in sysfs and the device mapper The ll option displays the information the l displays in addition to all other available components of the system When displaying the multipath configuration there are three verbosity levels you can specify with the v option of the multipath command Specifying v0 yields no output Specifying v1 outputs the created or updated multipath names only which you can then feed to other tools such as kpartx Specifying v2 prints all detected paths multipaths and
429. use same config regarding compression see comp lzo config option e Client and server must use same config regarding bridged vs routed mode see server vs server bridge config option 1 6 Advanved configuration 1 6 1 Advanced routed VPN configuration on server The above is a very simple working VPN The client can access services on the VPN server machine through an encrypted tunnel If you want to reach more servers or anything in other networks push some routes to the clients E g if your company s network can be summarized to the network 192 168 0 0 16 you could push this route to the clients But you will also have to change the routing for the way back your servers need to know a route to the VPN client network Or you might push a default gateway to all the clients to send all their internet traffic to the VPN gateway first and from there via the company firewall into the internet This section shows you some possible options Push routes to the client to allow it to reach other private subnets behind the server Remember that these private subnets will also need to know to route the OpenVPN client address pool 10 8 0 0 24 back to the OpenVPN server 370 VPN push route 10 0 0 0 255 0 0 0 If enabled this directive will configure all clients to redirect their default network gateway through the VPN causing all IP traffic such as web browsing and and DNS lookups to go through the VPN the OpenVPN server
430. useful package for testing and troubleshooting DNS issues is the dnsutils package Very often these tools will be installed already but to check and or install dnsutils enter the following sudo apt get install dnsutils 140 Domain Name Service DNS 2 Configuration There are many ways to configure BIND9 Some of the most common configurations are a caching nameserver primary master and as a secondary master e When configured as a caching nameserver BIND9 will find the answer to name queries and remember the answer when the domain is queried again e As a primary master server BIND9 reads the data for a zone from a file on it s host and is authoritative for that zone e Ina secondary master configuration BIND9 gets the zone data from another nameserver authoritative for the zone 2 1 Overview The DNS configuration files are stored in the etc bind directory The primary configuration file is etc bind named conf The include line specifies the filename which contains the DNS options The directory line in the etc bind named conf options file tells DNS where to look for files All files BIND uses will be relative to this directory The file named etc bind db root describes the root nameservers in the world The servers change over time so the etc bind db root file must be maintained now and then This is usually done as updates to the bind9 package The zone section defines a master server and i
431. usually exist in repositories which are collections of packages found on various media such as CD ROM discs or online Packages are normally in a pre compiled binary format thus installation is quick and requires no compiling of software Many complex packages use the concept of dependencies Dependencies are additional packages required by the principal package in order to function properly For example the speech synthesis package festival depends upon the package libasound 2 which is a package supplying the ALSA sound library needed for audio playback In order for festival to function it and all of its dependencies must be installed The software management tools in Ubuntu will do this automatically 21 Package Management 2 dpkg dpkg is a package manager for Debian based systems It can install remove and build packages but unlike other package management systems it cannot automatically download and install packages or their dependencies This section covers using dpkg to manage locally installed packages e To list all packages installed on the system from a terminal prompt type dpkg 1 e Depending on the amount of packages on your system this can generate a large amount of output Pipe the output through grep to see if a specific package is installed dpkg 1 grep apache2 Replace apache2 with any package name part of a package name or other regular expression e To list the files installed by a packa
432. utes of user group and machine objectes For example to enable the user template edit etc ldapscripts ldapscripts conf changing UTEMPLATE etc ldapscripts ldapadduser template There are sample templates in the etc ldapscripts directory Copy or rename the ldapadduser template sample file to etc ldapscripts ldapadduser template sudo cp usr share doc ldapscripts examples ldapadduser template sample etc ldapscripts ldapadduser template Edit the new template to add the desired attributes The following will create new users with an objectClass of inetOrgPerson dn uid lt user gt lt usuffix gt lt suffix gt objectClass inetOrgPerson objectClass posixAccount cn lt user gt sn lt ask gt uid lt user gt uidNumber lt uid gt gidNumber lt gid gt homeDirectory lt home gt loginShell lt shell gt gecos lt user gt description User account title Employee Notice the lt ask gt option used for the sn attribute This will make ldapadduser prompt you for it s value There are utilities in the package that were not covered here Here is a complete list ldaprenamemachine 2 http manpages ubuntu com manpages en man I ldaprenamemachine 1 html 113 Network Authentication ldapadduser ldapdeleteuserfromgro up 1 dapfinger ldapi a ldapgi a ldapmodifyuser L daprenameuser lsldap 3 ldapaddusertogroup ldapsetpasswd gt ldapinit ldapaddgroup ldap
433. ver sales example com 3 serverl dev example com If no matches are found the DNS server will provide a result of notfound and the DNS query will fail 1 3 2 Static Hostnames Static hostnames are locally defined hostname to IP mappings located in the file etc hosts Entries in the hosts file will have precedence over DNS by default This means that if your system tries to resolve a hostname and it matches an entry in etc hosts it will not attempt to look up the record in DNS In some configurations especially when Internet access is not required servers that 38 Networking communicate with a limited number of resources can be conveniently set to use static hostnames instead of DNS The following is an example of a hosts file where a number of local servers have been identified by simple hostnames aliases and their equivalent Fully Qualified Domain Names FQDN s 127 0 0 1 localhost 127 0 1 1 ubuntu server 10 0 0 11 serverl vpn serverl example com 10 0 0 12 server2 mail server2 example com 10 0 0 13 server3 www server3 example com 10 0 0 14 server4 file server4 example com bJ In the above example notice that each of the servers have been given aliases in addition to their proper names and FQDN s Server has been mapped to the name vpn server2 is referred to as mail server3 as www and server4 as file 1 3 3 Name Service Switch Configuration The order in which your system selects a method
434. vers The other implementation called simply LXC is not compatible with libvirt but is more flexible with more userspace tools It is possible to switch between the two though there are peculiarities which can cause confusion In this document we will mainly describe the Ixc package Toward the end we will describe how to use the libvirt LXC driver In this document a container name will be shown as CN Cl or C2 5 1 Installation The lxc package can be installed using sudo apt get install lxc This will pull in the required and recommended dependencies including cgroup lite lvm2 and debootstrap To use libvirt Ixc install libvirt bin LXC and libvirt lxc can be installed and used at the same time 5 2 Host Setup 5 2 1 Basic layout of LXC files Following is a description of the files and directories which are installed and used by LXC e There are two upstart jobs e etc init 1lxc net conf is an optional job which only runs if etc default 1xc specifies USE_LXC_BRIDGE true by default It sets up a NATed bridge for containers to use e etc init lxc conf runs if LXC_AUTO true by default is set to true in etc default 1xc It looks for entries under etc 1xc auto which are symbolic links to configuration files for the containers which should be started at boot 340 Virtualization e etc 1lxc lxc conf There is a default container creation configuration file etc 1xc lxc conf which di
435. very night at 22 45h MATILTO backup emails domain com 45 22 root usr local bin ldapbackup Now the files are created they should be copied to a backup server Assuming we did a fresh reinstall of ldap the restore process could be something like this sudo service slapd stop sudo mkdir var lib ldap accesslog sudo slapadd F etc ldap slapd d n 0 1 export backup config 1ldif sudo slapadd F etc ldap slapd d n 1 1 export backup domain com 1ldif sudo slapadd F etc ldap slapd d n 2 1 export backup access 1ldif sudo chown R openldap openldap etc ldap slapd d sudo chown R openldap openldap var 1lib ldap sudo service slapd start 1 13 Resources e The primary resource is the upstream documentation www openldap org e There are many man pages that come with the slapd package Here are some important ones especially considering the material presented in this guide slapd slapd config slapd access 26 http www openldap org of http manpages ubuntu com manpages en man8 slapd 8 html 28 http manpages ubuntu com manpages en man5 slapd config 5 html 23 http manpages ubuntu com manpages en manS slapd access 5 html 115 Network Authentication slapo syncprov e Other man pages auth client config pam auth update e Zytrax s LDAP for Rocket Scientists a less pedantic but comprehensive treatment of LDAP e A Ubuntu community OpenLDAP wiki page has a collectio
436. vice in the devices section of the multipath conf configuration file These attributes are used by DM Multipath unless they are overwritten by the attributes specified in the multipaths section of the multipath conf file for paths that contain the device These attributes override the attributes set in the defaults section of the multipath conf file Many devices that support multipathing are included by default in a multipath configuration The values for the devices that are supported by default are listed in the multipath conf defaults file 70 DM Multipath You probably will not need to modify the values for these devices but if you do you can overwrite the default values by including an entry in the configuration file for the device that overwrites those values You can copy the device configuration defaults from the multipath conf annotated gz or if you wish to have a brief config file muitipath conf synthetic file for the device and override the values that you want to change To add a device to this section of the configuration file that is not configured automatically by default you must set the vendor and product parameters You can find these values by looking at sys block device_name device vendor and sys block device_name device model where device_name is the device to be multipathed as in the following example cat sys block sda device vendor WINSYS cat sys block sda device model SF2372 The additional pa
437. w execution of CGI scripts CGI scripts are not executed if this option is not chosen Most files should not be executed as CGI scripts This would be very dangerous CGI scripts should kept in a directory separate from and outside your DocumentRoot and only this directory should have the ExecCGI option set This is the default and the default location for CGI scripts is usr lib cgi bin e Includes Allow server side includes Server side includes allow an HTML file to include other files See Apache SSI documentation Ubuntu community for more information IncludesNOEXEC Allow server side includes but disable the exec and include commands in CGI scripts e Indexes Display a formatted list of the directory s contents if no DirectoryIndex such as index html exists in the requested directory Q For security reasons this should usually not be set and certainly should not be set on your DocumentRoot directory Enable this option carefully on a per directory basis only if you are certain you want users to see the entire contents of the directory e Multiview Support content negotiated multiviews this option is disabled by default for security reasons See the Apache2 documentation on this option e SymLinksIfOwnerMatch Only follow symbolic links if the target file or directory has the same owner as the link 1 2 3 httpd Settings This section explains some basic httpd daemon configuration settings LockFile
438. word changes 4 3 Share Security There are several options available to increase the security for each individual shared directory Using the share example this section will cover some common options 4 3 1 Groups Groups define a collection of computers or users which have a common level of access to particular network resources and offer a level of granularity in controlling access to such resources For example if a group qa is defined and contains the users freda danika and rob and a second group support is defined and consists of users danika jeremy and vincent then certain network resources configured to allow access by the ga group will subsequently enable access by freda danika and rob but not jeremy or vincent Since the user danika belongs to both the ga and support groups she will be able to access resources configured for access by both groups whereas all other users will have only access to resources explicitly allowing the group they are part of By default Samba looks for the local system groups defined in etc group to determine which users belong to which groups For more information on adding and removing users from groups see Section 1 2 Adding and Deleting Users p 154 When defining groups in the Samba configuration file etc samba smb conf the recognized syntax is to preface the group name with an symbol For example if you wished to define a group named sysadmin in a certain section of t
439. xe tty variable and is usually set to 4 Those consoles are shown on dev ttyn for 1 lt N lt 4 To log into console 3 from the host use sudo lxc console n container t 3 or if the t N option is not specified an unused console will be automatically chosen To exit the console use the escape sequence Ctrl a q Note that the escape sequence does not work in the console resulting from Ixc start without the d option Each container console is actually a Unix98 pty in the host s not the guest s pty mount bind mounted over the guest s dev ttyN and dev console Therefore if the guest unmounts those or otherwise tries to access the actual character device 4 N it will not be serving getty to the LXC consoles With the default settings the container will not be able to access that character device and getty will therefore fail This can easily happen when a boot script blindly mounts a new dev 5 3 6 Container Inspection Several commands are available to gather information on existing containers Ixc Is will report all existing containers in its first line of output and all running containers in the second line Ixc list provides the same information in a more verbose format listing running containers first and stopped containers next Ixe ps will provide lists of processes in containers To provide ps arguments to Ixc ps prepend them with For instance for listing of all processes in container plain sudo lxc p
440. y Authentication yes If the line is already present then ensure it is not commented out e To make your OpenSSH server display the contents of the etc issue net file as a pre login banner simply add or modify the line Banner etc issue net In the etc ssh sshd_config file After making changes to the etc ssh sshd_config file save the file and restart the sshd server application to effect the changes using the following command at a terminal prompt sudo etc init d ssh restart 1s Many other configuration directives for sshd are available to change the server application s behavior to fit your needs Be advised however if your only method of access to a server is ssh and you make a mistake in configuring sshd via the etc ssh sshd_config file you may find you are locked out of the server upon restarting it Additionally if an incorrect configuration directive is supplied the sshd server may refuse to start so be extra careful when editing this file on a remote server 1 4 SSH Keys SSH keys allow authentication between two hosts without the need of a password SSH key authentication uses two keys a private key and a public key 81 Remote Administration To generate the keys from a terminal prompt enter ssh keygen t dsa This will generate the keys using the Digital Signature Algorithm DSA method During the process you will be prompted for a password Simply hit Enter when prompted to create
441. y by itself Instead users are encouraged to make use of a tool by the name of sudo to carry out system administrative duties Sudo allows an authorized user to temporarily elevate their privileges using their own password instead of having to know the password belonging to the root account This simple yet effective methodology provides accountability for all user actions and gives the administrator granular control over which actions a user can perform with said privileges e If for some reason you wish to enable the root account simply give it a password sudo passwd Sudo will prompt you for your password and then ask you to supply a new password for root as shown below sudo password for username enter your own password Enter new UNIX password enter a new password for root Retype new UNIX password repeat new password for root passwd password updated successfully e To disable the root account use the following passwd syntax sudo passwd 1 root e You should read more on Sudo by checking out it s man page man sudo By default the initial user created by the Ubuntu installer is a member of the group admin which is added to the file etc sudoers as an authorized sudo user If you wish to give any other account full root access through sudo simply add them to the admin group 153 Security 1 2 Adding and Deleting Users The process for managing local users and groups is straight forward and d
442. ymous FTP upload can be an extreme security risk It is best to not enable anonymous upload on servers accessed directly from the Internet The configuration file consists of many configuration parameters The information about each parameter is available in the configuration file Alternatively you can refer to the man page man 5 vsftpd conf for details of each parameter 1 4 Securing FTP There are options in etc vsftpd conf to help make vsftpd more secure For example users can be limited to their home directories by uncommenting chroot_local_user YES You can also limit a specific list of users to just their home directories 223 File Servers chroot_list_enable YES chroot_list_file etc vsftpd chroot_list After uncommenting the above options create a etc vsftpd chroot_list containing a list of users one per line Then restart vsftpd sudo restart vsftpd Also the etc ftpusers file is a list of users that are disallowed FTP access The default list includes root daemon nobody etc To disable FTP access for additional users simply add them to the list FTP can also be encrypted using FTPS Different from SFTP FTPS is FTP over Secure Socket Layer SSL SFTP is a FTP like session over an encrypted SSH connection A major difference is that users of SFTP need to have a shell account on the system instead of a nologin shell Providing all users with a shell may not be ideal for some environments such as
Download Pdf Manuals
Related Search