2
Some recommended references
Unix System Administration Handbook by Evi Nemeth, Garth Snyder, Scott Seebass, published by Prentice Hall
Unix in a Nutshell by Daniel Gilly & O'Reilly staff, published by O'Reilly & Associates, Inc.
System Administration Online http://www.samag.com/
3
Essential System Administration
Startup & Shutdown
User Accounts
Security
Backup & Restore
Printers & the Spooling Subsystem
4
Sys Admin Duties
...just a partial list
add/change/remove users & groups
backups & restores
answer user questions
monitor system activity (audits & logs)
system security
install programs and OS updates
free up disk space
5
Sys Admin Duties
handle system crashes
resolve network problems
install/modify/remove systems (& furniture)
write scripts to automate as much as possible
go to meetings....
6
Basic Strategies
plan it before you do it
make it reversible
make changes incrementally
test, test, test!! ...before going to production
know how things REALLY work
never modify the original file, i.e. always work with a copy!
7
Becoming the Superuser
su: become the "root user" in the current directory without reading root's startup scripts; it will ask for the root password before giving you superuser power
su -: just like logging in as root
sudo: a program that allows specified users to run specific commands as root without knowing the root password
8
Common special file names
Special File Form                Example                      Device/Use
/dev/[r]fdn                      /dev/fd0                     floppy disk
/dev/rmtn, /dev/rmt/n            /dev/rmt/1, /dev/rmt/0       generic tape devices
/dev/rstn                        /dev/rst0                    SCSI tape devices
                                 /dev/nrmt0, /dev/rmt/0n      non-rewinding tape devices
/dev/cdn, /dev/cdrom             /dev/cd0, /dev/cdrom         CD-ROM devices
/dev/ttyn                        /dev/tty01                   serial device
/dev/term/n                      /dev/term/01                 V.4 serial line
/dev/tty[p-s]n, /dev/pts/n       /dev/ttyp1, /dev/pts/2       slave virtual terminals
/dev/console                     /dev/console                 console device
/dev/null                        /dev/null                    null device - output is discarded, input returns nothing
9
Startup & Shutdown
the boot program is responsible for loading the UNIX kernel into memory and passing control of the system to it
typically called:
  unix on System V based systems
  vmunix on BSD based systems
process 0 is often the scheduler; it is really part of the kernel
process 1 is the init process
10
Startup & Shutdown
once called, init takes care of preparing the system for use
multi-user mode
  a fully functional normal system
  prompts for login by all users
single-user mode
  non-networked
  usually considered to be a maintenance mode
  should prompt for login by root only
11
Startup & Shutdown
System V run levels (Solaris)
  0 - power down state
  1 - system administration state
  S/s - single user mode
  2 - multi user mode (networked or not)
  3 - remote file sharing state (networked only)
  4 - user defined
  6 - shutdown and reboot state
12
Startup & Shutdown
who -r displays the current run level and its init time
ex.
  $ who -r
  .       run level 3  Mar 14 11:14     3    0  S
                                                 ^ previous run level
see the man page for field definitions
13
Startup & Shutdown
to start a SunOS or Solaris system from the prom prompt:
  boot     will typically go to run level 3
  boot -s  will go to single user mode
other systems will be different...
14
Startup & Shutdown
BSD initialization files (typically)
init calls /etc/rc which calls /etc/rc.local
/etc/rc.local is primarily concerned with network initialization
/etc/rc takes care of everything else
15
Startup & Shutdown
System V initialization files (typically)
init looks at the configuration file /etc/inittab
inittab implicitly defines a process to be run at one or more run levels
commands to execute at the start of each run level are stored in an initialization file called rcn, where n is the run level number
stored under /etc in V.3 and /sbin in V.4
the rcn script runs the scripts in directory /etc/rcn.d
16
Startup & Shutdown
for example: booting to run level 3
init reads /etc/inittab which says to execute /etc/rc3
/etc/rc3 will execute the scripts in directory /etc/rc3.d
you can use the telinit command to change the current system run level
telinit 6 - would cause the system to shutdown & reboot
you can also use the init command directly
telinit is only a link to init in any case...
17
Example /etc/inittab file
poincare: more inittab
(fields are id:runlevels:action:process)
s0:0:wait:/sbin/rc0 >/dev/console 2<>/dev/console </dev/console
s1:1:wait:/usr/sbin/shutdown -y -iS -g0 >/dev/console 2<>/dev/console </dev/console
s2:23:wait:/sbin/rc2 >/dev/console 2<>/dev/console </dev/console
s3:3:wait:/sbin/rc3 >/dev/console 2<>/dev/console </dev/console
s5:5:wait:/sbin/rc5 >/dev/console 2<>/dev/console </dev/console
s6:6:wait:/sbin/rc6 >/dev/console 2<>/dev/console </dev/console
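The inittab listing above, as an added example that is not part of the original slides: a small parser for the id:runlevels:action:process format that reports what init runs when telinit moves the system to a given run level. The sample mirrors the poincare listing, plus a constructed initdefault line (assumed, not from the slides) so the default run level lookup can be shown.

```python
# Added example, not from the original slides: parse /etc/inittab entries in the
# id:runlevels:action:process format and list what init runs when telinit moves
# the system to a given run level.  The sample mirrors the poincare listing above,
# plus a constructed initdefault line to show the default run level lookup.

INITTAB_SAMPLE = """\
is:3:initdefault:
s0:0:wait:/sbin/rc0 >/dev/console 2<>/dev/console </dev/console
s1:1:wait:/usr/sbin/shutdown -y -iS -g0 >/dev/console 2<>/dev/console </dev/console
s2:23:wait:/sbin/rc2 >/dev/console 2<>/dev/console </dev/console
s3:3:wait:/sbin/rc3 >/dev/console 2<>/dev/console </dev/console
s5:5:wait:/sbin/rc5 >/dev/console 2<>/dev/console </dev/console
s6:6:wait:/sbin/rc6 >/dev/console 2<>/dev/console </dev/console
"""

def parse_inittab(text):
    """Return a list of (id, runlevels, action, process) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # the process field may itself contain ':' so split at most three times
        ident, levels, action, process = line.split(":", 3)
        entries.append((ident, levels, action, process))
    return entries

def default_runlevel(text):
    """Run level named by the initdefault entry, or None if there is none."""
    for _, levels, action, _ in parse_inittab(text):
        if action == "initdefault":
            return levels
    return None

def processes_for_level(text, level):
    """Processes init starts on entering `level` (a digit or 'S'), in file order.

    An empty runlevels field means the entry applies to every run level.
    """
    procs = []
    for _, levels, action, process in parse_inittab(text):
        if action == "initdefault":
            continue                      # initdefault runs nothing
        if levels == "" or str(level) in levels:
            procs.append(process)
    return procs
```

Note that the s2 entry lists run levels 2 and 3, so entering level 3 runs both /sbin/rc2 and /sbin/rc3.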
19
Startup & Shutdown
BSD style shutdown...
shutdown [options] time message
time
  • +m - in m minutes
  • h:m - at specified time (24 hour clock)
  • now - immediately
message
  • is displayed immediately
  • and repeated at increasingly more frequent intervals until the shutdown actually occurs
20
Startup & Shutdown
System V shutdown...
shutdown -g n [ -i level ] [ -y ]
n - number of seconds to wait (default is 60)
level
  • 0 - power off
  • S/s - single user mode (default)
  • 5 - firmware state (prom prompt)
  • 6 - reboot to initdefault state in /etc/inittab
-y - answer yes without a prompt to the confirmation request (default is to prompt for confirmation)
21
The Superblock
Index into the filesystem
Stored in memory and in multiple copies on disk
Contains:
  list of inodes
  freelist - set of pointers to free space on disk
  various internal parameters, like filesystem size
Maintained in memory, written to disk about every 30 seconds
22
Startup & Shutdown
sync command is used to finish all disk transactions and write out an up-to-date superblock, guaranteeing that the system can be turned off without corrupting the files
run as root and usually executed twice (or more) times in a row
sync schedules but does not necessarily immediately perform the writes
23
Startup & Shutdown
fsck command is used to check the filesystem for correctness.
checks for agreement between the superblock info and the actual filesystem
usually run automatically when booting to multi user modes
can be run manually but should only be done in single user mode
can fix problems that are found or just display them
24
User Accounts
a user is an entity that can execute programs or own files
some users exist only to own files - these are sometimes called pseudo users
every user has a unique username
every user has a unique user id (UID)
every user belongs to one or more groups
each group has a unique group id (GID)
25
Account Creation Strategy
Standard login names
Home directory/folder location
Password requirements
Startup files/profiles
Email accounts
26
Creating UNIX User Accts
The /etc/passwd file is the same for all flavors of UNIX
All flavors also have an /etc/group file
The passwd file defines a set of attributes that define a user
All user accounts are created equal. The permissions associated with them are what makes each user unique
27
User Accounts
Adding a new user
  assign a username and user id
  assign a primary group and secondary groups (if any)
  edit /etc/passwd and /etc/group
  assign a password to the new account
  create a home directory and put default initialization files there
  chown & chgrp the home dir & files as needed
28
Passwd file & Group file
mike:x:1003:10:Mike John:/export/home/dbittrol:/sbin/sh
  username: mike
  encrypted password: x (kept in the shadow file)
  uid: 1003
  group (gid): 10
  User Name (GCOS): Mike John
  default directory: /export/home/dbittrol
  default shell: /sbin/sh

it340-A::150:
  groupname: it340-A
  group id number: 150
  (no members listed)

adm::4:root,adm,daemon,vwaldo,dbittrol,pmchugh
  groupname: adm
  grpid: 4
  members of the group: root, adm, daemon, vwaldo, dbittrol, pmchugh
29
User Accounts
always make a copy of the passwd file before editing it, or use the command vipw
format of /etc/passwd
  username:passwd:UID:GID:GCOS:homedir:shell
  stevel:xxxx:101:43:Comments:/home/stevel:/bin/csh
format of /etc/group
  groupname:*:GID:additional usernames
  group1:*:43:stevel,student1,student2,student3
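The two record formats above, as an added example that is not part of the original slides: a parser for both files plus the sanity checks an administrator runs after editing them by hand (empty password field, a second UID 0 account, a shared UID, a primary group that is not in /etc/group). The sample records are constructed for this example; only the stevel and group1 lines come from the slide.

```python
# Added example, not from the original slides: parse the /etc/passwd and
# /etc/group formats shown above and flag the account problems an
# administrator checks for after editing the files.  Sample records are
# constructed for this example.

PASSWD_SAMPLE = """\
root:x:0:0:Super-User:/:/sbin/sh
stevel:xxxx:101:43:Comments:/home/stevel:/bin/csh
backup::1004:10:Backup Acct:/export/home/backup:/sbin/sh
toor:x:0:10:Second root:/:/sbin/sh
"""
GROUP_SAMPLE = """\
root::0:
group1:*:43:stevel,student1,student2,student3
"""

def parse_passwd(text):
    """username:passwd:UID:GID:GCOS:homedir:shell -> list of dicts."""
    keys = ("username", "passwd", "uid", "gid", "gcos", "homedir", "shell")
    records = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        rec = dict(zip(keys, fields))
        rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
        records.append(rec)
    return records

def parse_group(text):
    """groupname:passwd:GID:members -> {groupname: (gid, [members])}."""
    groups = {}
    for line in text.splitlines():
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups

def audit_accounts(passwd_text, group_text):
    """Return (username, problem) pairs; an empty list means no findings."""
    gids = {gid for gid, _ in parse_group(group_text).values()}
    problems, owner_of_uid = [], {}
    for u in parse_passwd(passwd_text):
        if u["passwd"] == "":             # anyone can log in with no password
            problems.append((u["username"], "empty password field"))
        if u["uid"] == 0 and u["username"] != "root":   # UID 0 is root, whatever the name
            problems.append((u["username"], "extra UID 0 account"))
        if u["uid"] in owner_of_uid:      # two names for one kernel identity
            problems.append((u["username"], "UID shared with " + owner_of_uid[u["uid"]]))
        owner_of_uid.setdefault(u["uid"], u["username"])
        if u["gid"] not in gids:          # primary group missing from /etc/group
            problems.append((u["username"], "primary GID %d not in group file" % u["gid"]))
    return problems
```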
30
User Accounts standard users
root - user 0 - the superuser (only login acct in this list)
daemon - used to execute system server processes
bin - owns executables for most user commands
sys - owns system files
adm - owns the accounting files
uucp - UNIX-to-UNIX copy subsystem account
cron, mail, news, usenet, lp, lpd - own subsystem accounts
auth, auditor or audit - own system auditing facility
nobody - used by NFS
31
User Accounts
standard groups
system or root or wheel or sys (GID 0) - members of this group are allowed to su to root
daemon - owner of spooling directories
kmem, mem - owns various system files (GID 2 on BSD)
sys - owns various system files (System V)
tty or terminal - owns all files connected to terminals
cron, mail, uucp, news - associated with subsystems
user, users, other, staff - default group for users (GID 20)
32
Adding users
Use admintool
Edit files such as /etc/passwd (not recommended)
Command line prompt, i.e.:
  /usr/sbin/useradd -m -d /home/username -g 100 -s /usr/local/bin/bash -c "First Lastname" userid
set up the first password in the passwd file: passwd userid
the encrypted password is stored in /etc/shadow
33
Adding Groups
To find out what groups you are in type id -a userid, i.e.: id -a dbittrol
uid=1003(dbittrol) gid=10(staff) groups=0(root),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon)
34
User Accounts
use the passwd command to assign an initial password to a new user
as root: passwd newuser
passwords should be easy to remember but hard to figure out, guess or crack!
there should be no unprotected accounts
specify a minimum password length
change passwords when necessary
35
User Accounts
shadow password file
is protected from all access by non-root users
stores the encrypted passwords
if you see an x in the password field of the /etc/passwd file then you are using a shadow file
usually found in the same directory as passwd
36
User Accounts
Password restrictions
most UNIX systems provide the ability to modify certain aspects of the password
password aging
  • maximum lifetime
  • minimum lifetime
warning time before you must change your password
automatically disable the account a certain number of days after a password expires
fixed date when the account is automatically disabled
37
User Startup Files
Startup files are found in the user's home directory and are usually preceded by a . (dot)
Startup files control environment variables, command aliases, command search paths, and shell variables
Bourne   .profile
Korn     .profile, .kshrc (#ENV=.kshrc)
C-shell  .login, .cshrc, .logout
38
Managing Users
Managing one system is not difficult, but when you manage multiple systems your tasks increase
Use tools such as NIS/NIS+
When deleting users make sure that there is no important info stored in that account prior to deleting (check w/supervisor)
Avoid recycling UIDs
39
User Accounts
login initialization files
  sh   .profile
  csh  .login and .cshrc
  ksh  .profile and .kshrc
.login and .profile are executed at login
.cshrc and .kshrc are executed every time a new shell is spawned
40
User Accounts
On Solaris some standard utilities are provided for managing user accounts: useradd, userdel, usermod
These are located in the /usr/sbin directory
Check the man pages for options and syntax
41
User Accounts
other things to consider when adding a new user
  any enhanced security facilities
  assigning disk quotas
  defining a mail alias
  setting print queue access
  adding to secondary groups
  access to third party applications
42
User Accounts
testing the new account
use the su or sudo command, i.e.: # su - newuser
also handy for testing existing accounts!
43
User Accounts
the entire process of adding and removing a user can be (and often already is) automated
expect command line and GUI interfaces
depending on how your system is set up it may be best to use only the automated tools for administrative functions
they tend to make sure you don't forget the little (but always horribly important) details...
44
User Accounts
the ability to disable and restrict user accounts is also a feature of most systems
when removing a user there are a number of things to keep an eye out for....
  change system access passwords (as needed)
  terminate running processes owned by the user
  remove from secondary groups
  remove the user's mail file
45
User Accounts
  remove from the mail alias file (if needed)
  check for cron or at jobs by the user
  check for pending print jobs
  backup & delete (archive) the home directory
  and any other site specific tasks....
46
Performance Monitoring
Performance Monitoring and tuning are essential parts of system administration
Multiple tools are available, providing real-time and remote logging of statistics
47
Key Components
Processor - will a faster processor fix a slow machine?
Memory - are page and swap files in use? is more RAM a fix?
Disk - will faster disks make a difference?
Network Interface - is it important to have a fast and reliable connection to the internet?
48
UNIX Performance Tools
vmstat - Provides statistics on processes, virtual memory, disk, interrupts, and CPU activity
Will summarize activity every five seconds until the program is terminated
First line of info is on the system since last booted (ignore first line)
r column (run queue) is a good processor evaluation
49
UNIX Performance Tools
b - blocked for resources, is an indicator of a slow disk subsystem
memory - shows free swap space, to see if you are using the swap space allocated
page - only worry about 4 of 7 columns:
  re  page reclaims
  pi  kilobytes paged in
  po  kilobytes paged out
  sr  pages scanned by the clock algorithm
50
UNIX Performance Tools
iostat - provides statistics on disk, terminal, and CPU activity
summarizes activity 10 times at 5 second intervals
reports on kilobytes transferred per second, seeks per second, milliseconds per average seek
51
UNIX Performance Tools
netstat - provides information on network counters and parameters
switch -i for interfaces; netstat -i 5 would report at 5 second intervals
shows the number of packets passed and the errors and collisions that occur
collisions of more than 1% indicate a network problem
netstat for Linux provides cumulative counters every second for all interfaces
52
UNIX Performance Tools
ps - provides a snapshot of processes currently running on UNIX systems (pmon is the Win 2000 equivalent)
Use with -e for every process on the system
-l for a long listing: ps -el | more
53
UNIX Performance Tools
sar is a utility that provides performance statistics
Has stats on: disk activity, queue length, CPU utilization, system swapping
54
UNIX Performance Tools
free - available on Red Hat Linux or Debian displays amount of memory in a system with a breakdown of total, used, and free memory
top - on HP-UX or Debian systems to display processes consuming large percentages of processor time
55
UNIX Performance Tuning
nice and renice allow the system administrator to alter the priority of processes/jobs
numbers from -20 to 20 or 0 to 39 - the lower the number the higher the priority
use nice to start and renice to change after started
56
Scheduling Jobs
There are two built-in utilities: at and cron
More sophisticated schedulers are available as add-on packages
Unless blocked, all users can use "at" and "cron"
Recommended that you log an entry for success or failure for all scheduled jobs in a standard location.
57
at
Allows you to specify a job to run once in the future
To repeat the job, you can set up a loop whereby the last instruction in the script is another "at" command that runs the same script again in 24 hours
Reads from standard input, writes to standard output... but you can script anything you want.
58
at (cont.)
Sends mail to the person who initiated the at job with the stdout and stderr of the job.
If no output is generated, mail is still sent whether there is an error or not.
To control access to "at":
  create a /etc/cron.d/at.deny file and list users
  create a /etc/cron.d/at.allow file and list users
  create neither file and only root can use it
  create an empty at.deny to allow all to use it
59
at (cont.)
Syntax: at [-f scriptname] [-m] time [date] [+increment]
-f runs the script named
-m sends mail (won't duplicate mail sent automatically with stdout and stderr)
time - time to run the job
date - defaults to today, can specify other days
+increment - alternative way of specifying when to run
60
at (cont.)
Examples:
1. $ at 2pm next week
2. $ at -m 0730 tomorrow
   sort < file > outfile
   <EOT>
3. $ at now + 1 hour <<!
   diff file1 file2 2>&1 >outfile | mailx mygroup
   !
61
at (cont.)
NOTES:
A. Time can be entered in many ways:
   at 0815am Jan 24
   at 8:15am jan24
   at now "+ 1day" (NOTE: "at now" on its own won't work)
   at 5 pm FRIday
B. now, noon, midnight, today, tomorrow, next are all reserved words in "at"
C. The daemon that runs "at" jobs is run every minute, so "at" jobs may not run exactly when you think.
62
at (cont.)
Uses your environment when running, an advantage over cron
A file is created in /var/spool/cron/atjobs/user
Other options:
  at -l      list the at jobs scheduled
  at -r job  remove the job specified from the queue
other options may exist, check the man page
63
Cron - clock daemon
Similar to “at” but lets you schedule recurring jobs.
As with “at” all users can use cron if it hasn’t been “denied”.
Jobs are submitted via a crontab file
The crontab file is stored in /var/spool/cron/crontabs/user
64
Format of Crontab Entries
Six fields on each line:
  minute (0-59)
  hour (0-23)
  day of the month (1-31)
  month of the year (1-12)
  day of the week (0-6 with 0=Sunday)
  script or command to run
Each time value may be:
  a number            5
  a list of numbers   10,20,30
  an asterisk *       (meaning "all")
65
Cron: Examples
05 23 * * 1-5 who >> /export/home/dbittrol/onlog
  This will run at 11:05pm on Mon-Fri
05 01 1,15 * * /msrc/apps/bin/perl /msrc/share/CcmBackup
  This will run at 1:05am on the 1st and 15th of each month
0,15,30,45 6-18 * * 1-5 /opt/eopstest/eops,test/eops/bin/eops_training_cron.csh
  This will run at 0, 15, 30 and 45 minutes past each hour from 6am to 6pm Mon-Fri
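The crontab format and the three entries above, as an added example that is not part of the original slides: a parser for the five time fields (number, comma list, range, or *) with range checking, and a function that reports which entries fire at a given time so the schedule can be verified before the job is installed. The times checked in the test are constructed; the entries are the slide's own.

```python
# Added example, not from the original slides: parse the five time fields of a
# crontab entry (number, comma list, range, or *) and check whether an entry
# fires at a given time.  The entries are the three examples above; the times
# checked are constructed for this example.
from datetime import datetime

CRON_SAMPLE = """\
05 23 * * 1-5 who >> /export/home/dbittrol/onlog
05 01 1,15 * * /msrc/apps/bin/perl /msrc/share/CcmBackup
0,15,30,45 6-18 * * 1-5 /opt/eopstest/eops,test/eops/bin/eops_training_cron.csh
"""
FIELD_RANGES = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 6))  # minute hour mday month wday

def expand_field(spec, lo, hi):
    """'*', '5', '10,20,30' or '6-18' -> set of matching integers in [lo, hi]."""
    values = set()
    for part in spec.split(","):
        if part == "*":
            values.update(range(lo, hi + 1))
        elif "-" in part:
            a, b = (int(x) for x in part.split("-", 1))
            values.update(range(a, b + 1))
        else:
            values.add(int(part))
    bad = [v for v in values if v < lo or v > hi]
    if bad:
        raise ValueError("%d outside %d-%d in field %r" % (bad[0], lo, hi, spec))
    return values

def parse_crontab(text):
    """Return [(minutes, hours, mdays, months, wdays, command), ...], one per entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(None, 5)           # sixth field is the whole command
        if len(fields) != 6:
            raise ValueError("expected six fields: %r" % line)
        sets = tuple(expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES))
        entries.append(sets + (fields[5],))
    return entries

def commands_due(text, when):
    """Commands whose entry matches the datetime `when`; cron weekday 0 = Sunday.
    Simplification: all five fields must match; real cron fires when either day
    field matches if both day-of-month and day-of-week are restricted."""
    wday = (when.weekday() + 1) % 7            # Python Monday=0 -> cron Sunday=0
    now = (when.minute, when.hour, when.day, when.month, wday)
    return [entry[5] for entry in parse_crontab(text)
            if all(v in allowed for v, allowed in zip(now, entry[:5]))]

def due_at(text, year, month, day, hour, minute):
    """Convenience wrapper taking the calendar time as integers."""
    return commands_due(text, datetime(year, month, day, hour, minute))
```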
66
Cron (cont.)
Each system has a clock daemon
For large projects it is useful to have a shared crontab utility:
  Create a file named "proj_cron.csh" in network space where all systems can see the file
  Load a cron job on each system to execute this file every 10 minutes.
  Whenever you want all systems to carry out a command, put it in the "proj_cron.csh" file.
67
Cron (cont.)
Cron options:
  crontab cronfilename  loads a crontab file into cron
  crontab -l            to view the crontab without edit capability (this is lowercase L)
  crontab -r            to remove a crontab file
Check the system time using the date command, as system clocks don't always match real time
68
Cron (cont.)
To control access to "cron":
  create a /etc/cron.d/cron.deny file and list users
  create a /etc/cron.d/cron.allow file and list users
  create neither file and only root can use it
  create an empty cron.deny to allow all to use it
allow or deny files have one user name per line
Remember: your environment is not being used. You must set your path or use absolute paths, for example.
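The allow/deny decision described on the at and cron slides, as an added example that is not part of the original slides: one function that applies the four rules (allow file present, deny file only, neither file, empty deny file) so an administrator can check who can submit jobs. File contents are passed in as text with None meaning the file does not exist; the sample lists are constructed.

```python
# Added example, not from the original slides: the at.allow/at.deny and
# cron.allow/cron.deny decision described on the at and cron slides, as one
# function.  File contents are passed in as text (one username per line), with
# None meaning the file does not exist; the sample lists are constructed.

def scheduler_allowed(user, allow_text, deny_text):
    """True if `user` may submit at/cron jobs under the rules on the slides."""
    def names(text):
        return {line.strip() for line in text.splitlines() if line.strip()}

    if allow_text is not None:               # allow file present: only listed users
        return user in names(allow_text)
    if deny_text is not None:                # deny file only: everyone not listed,
        return user not in names(deny_text)  # so an empty deny file allows all
    return user == "root"                    # neither file: root only

def access_report(users, allow_text, deny_text):
    """Map each username to its decision, for a quick audit listing."""
    return {u: scheduler_allowed(u, allow_text, deny_text) for u in users}

ALLOW_SAMPLE = "dbittrol\noperator\n"
DENY_SAMPLE = "guest\n"
```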