Tryag File Manager

//proc/self/root/usr/share/doc/Deployment_Guide-en-US-5.8/index.html

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Deployment Guide</title><link rel="stylesheet" type="text/css" href="Common_Content/css/default.css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.8" /><meta name="package" content="Red_Hat_Enterprise_Linux-Deployment_Guide-5-en-US-8-0" /><meta name="description" content="The Deployment Guide documents relevant information regarding the deployment, configuration and administration of Red Hat Enterprise Linux 5." /></head><body class="desktop "><p id="title"><a class="left" href="http://www.redhat.com"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.redhat.com"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><div xml:lang="en-US" class="book" id="index" lang="en-US"><div class="titlepage"><div><div class="producttitle"><span class="productname">Red Hat Enterprise Linux</span> <span class="productnumber">5</span></div><div><h1 class="title">Deployment Guide</h1></div><div><h2 class="subtitle">Deployment, configuration and administration of Red Hat Enterprise Linux 5</h2></div><p class="edition">Edition 8</p><div><h3 class="corpauthor">
		<span class="inlinemediaobject"><object data="Common_Content/images/title_logo.svg" type="image/svg+xml"> Logo</object></span>

</h3></div><hr /><div><div id="id837133" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1><div class="para">
		Copyright <span class="trademark"></span>© 2007, 2008, 2009, 2010, 2011 Red Hat, Inc.
	</div><div class="para">
		The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at <a href="http://creativecommons.org/licenses/by-sa/3.0/">http://creativecommons.org/licenses/by-sa/3.0/</a>. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
	</div><div class="para">
		Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
	</div><div class="para">
		Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
	</div><div class="para">
		<span class="trademark">Linux</span>® is the registered trademark of Linus Torvalds in the United States and other countries.
	</div><div class="para">
		<span class="trademark">Java</span>® is a registered trademark of Oracle and/or its affiliates.
	</div><div class="para">
		<span class="trademark">XFS</span>® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
	</div><div class="para">
		<span class="trademark">MySQL</span>® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
	</div><div class="para">
		All other trademarks are the property of their respective owners.
	</div><div class="para">
		
<div class="address"><p><br />
			<span class="street">1801 Varsity Drive</span><br />
			 <span class="city">Raleigh</span>, <span class="state">NC</span> <span class="postcode">27606-2072</span> <span class="country">USA</span><br />
			 <span class="phone">Phone: +1 919 754 3700</span><br />
			 <span class="phone">Phone: 888 733 4281</span><br />
			 <span class="fax">Fax: +1 919 754 3701</span><br />
<br />
</p></div>

</div></div></div><div><div class="abstract"><h6>Abstract</h6><div class="para">
			The Deployment Guide documents relevant information regarding the deployment, configuration and administration of Red Hat Enterprise Linux 5.
		</div></div></div></div><hr /></div><div class="toc"><dl><dt><span class="preface"><a href="#ch-intro">Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-intro-conventions">1. Document Conventions</a></span></dt><dt><span class="section"><a href="#s2-intro-feedback">2. Send in Your Feedback</a></span></dt></dl></dd><dt><span class="part"><a href="#pt-filesystems">I. File Systems</a></span></dt><dd><dl><dt><span class="chapter"><a href="#ch-filesystem">1. File System Structure</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-filesystem-why">1.1. Why Share a Common Structure?</a></span></dt><dt><span class="section"><a href="#s1-filesystem-fhs">1.2. Overview of File System Hierarchy Standard (FHS)</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-filesystem-fsstnd">1.2.1. FHS Organization</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-filesystem-special-file">1.3. Special File Locations Under Red Hat Enterprise Linux</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Using_the_mount_Command">2. Using the <code class="command">mount</code> Command</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Using_the_mount_Command-Listing">2.1. Listing Currently Mounted File Systems</a></span></dt><dt><span class="section"><a href="#sect-Using_the_mount_Command-Mounting">2.2. Mounting a File System</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Using_the_mount_Command-Mounting-Type">2.2.1. Specifying the File System Type</a></span></dt><dt><span class="section"><a href="#sect-Using_the_mount_Command-Mounting-Options">2.2.2. Specifying the Mount Options</a></span></dt><dt><span class="section"><a href="#sect-Using_the_mount_Command-Mounting-Bind">2.2.3. Sharing Mounts</a></span></dt><dt><span class="section"><a href="#sect-Using_the_mount_Command-Mounting-Moving">2.2.4. Moving a Mount Point</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Using_the_mount_Command-Unmounting">2.3. Unmounting a File System</a></span></dt><dt><span class="section"><a href="#sect-Using_the_mount_Command-Additional_Resources">2.4. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Using_the_mount_Command-Installed_Documentation">2.4.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#sect-Using_the_mount_Command-Useful_Websites">2.4.2. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-ext3">3. The ext3 File System</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-filesystem-ext3">3.1. Features of ext3</a></span></dt><dt><span class="section"><a href="#s1-filesystem-ext3-create">3.2. Creating an ext3 File System</a></span></dt><dt><span class="section"><a href="#s1-filesystem-ext3-convert">3.3. Converting to an ext3 File System</a></span></dt><dt><span class="section"><a href="#s1-filesystem-ext2-revert">3.4. Reverting to an ext2 File System</a></span></dt></dl></dd><dt><span class="chapter"><a href="#ch-proc">4. The <code class="filename">proc</code> File System</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-proc-virtual">4.1. A Virtual File System</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-proc-viewing">4.1.1. Viewing Virtual Files</a></span></dt><dt><span class="section"><a href="#s2-proc-change">4.1.2. Changing Virtual Files</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-proc-topfiles">4.2. Top-level Files within the <code class="filename">proc</code> File System</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-proc-apm">4.2.1.  <code class="filename">/proc/apm</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-buddyinfo">4.2.2.  <code class="filename">/proc/buddyinfo</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-cmdline">4.2.3.  <code class="filename">/proc/cmdline</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-cpuinfo">4.2.4.  <code class="filename">/proc/cpuinfo</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-crypto">4.2.5.  <code class="filename">/proc/crypto</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-devices">4.2.6.  <code class="filename">/proc/devices</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dma">4.2.7.  <code class="filename">/proc/dma</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-execdomains">4.2.8.  <code class="filename">/proc/execdomains</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-fb">4.2.9.  <code class="filename">/proc/fb</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-filesystems">4.2.10.  <code class="filename">/proc/filesystems</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-interrupts">4.2.11.  <code class="filename">/proc/interrupts</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-iomem">4.2.12.  <code class="filename">/proc/iomem</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-ioports">4.2.13.  <code class="filename">/proc/ioports</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-kcore">4.2.14.  <code class="filename">/proc/kcore</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-kmsg">4.2.15.  <code class="filename">/proc/kmsg</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-loadavg">4.2.16.  <code class="filename">/proc/loadavg</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-locks">4.2.17.  <code class="filename">/proc/locks</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-mdstat">4.2.18.  <code class="filename">/proc/mdstat</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-meminfo">4.2.19.  <code class="filename">/proc/meminfo</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-misc">4.2.20.  <code class="filename">/proc/misc</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-modules">4.2.21.  <code class="filename">/proc/modules</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-mounts">4.2.22.  <code class="filename">/proc/mounts</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-mtrr">4.2.23.  <code class="filename">/proc/mtrr</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-partitions">4.2.24.  <code class="filename">/proc/partitions</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-pci">4.2.25.  <code class="filename">/proc/pci</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-slabinfo">4.2.26.  <code class="filename">/proc/slabinfo</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-stat">4.2.27.  <code class="filename">/proc/stat</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-swaps">4.2.28.  <code class="filename">/proc/swaps</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-sysrq-trigger">4.2.29.  <code class="filename">/proc/sysrq-trigger</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-uptime">4.2.30.  <code class="filename">/proc/uptime</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-version">4.2.31.  <code class="filename">/proc/version</code> </a></span></dt></dl></dd><dt><span class="section"><a href="#s1-proc-directories">4.3. Directories within <code class="filename">/proc/</code> </a></span></dt><dd><dl><dt><span class="section"><a href="#s2-proc-processdirs">4.3.1. Process Directories</a></span></dt><dt><span class="section"><a href="#s2-proc-dir-bus">4.3.2.  <code class="filename">/proc/bus/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-driver">4.3.3.  <code class="filename">/proc/driver/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-fs">4.3.4.  <code class="filename">/proc/fs</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-ide">4.3.5.  <code class="filename">/proc/ide/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-irq">4.3.6.  <code class="filename">/proc/irq/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-net">4.3.7.  <code class="filename">/proc/net/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-scsi">4.3.8.  <code class="filename">/proc/scsi/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-sys">4.3.9.  <code class="filename">/proc/sys/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-sysvipc">4.3.10.  <code class="filename">/proc/sysvipc/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-tty">4.3.11.  <code class="filename">/proc/tty/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-pid">4.3.12.  <code class="filename">/proc/&lt;PID&gt;/</code> </a></span></dt></dl></dd><dt><span class="section"><a href="#s1-proc-sysctl">4.4. Using the <code class="command">sysctl</code> Command</a></span></dt><dt><span class="section"><a href="#s1-proc-additional-resources">4.5. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-proc-installed-documentation">4.5.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-proc-useful-websites">4.5.2. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-raid">5. Redundant Array of Independent Disks (RAID)</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-raid-what-is">5.1. What is RAID?</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-raid-why-use">5.1.1. Who Should Use RAID?</a></span></dt><dt><span class="section"><a href="#s2-raid-approaches">5.1.2. Hardware RAID versus Software RAID</a></span></dt><dt><span class="section"><a href="#s2-raid-levels">5.1.3. RAID Levels and Linear Support</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-raid-config">5.2. Configuring Software RAID</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-raid-diskdruid-manual-part">5.2.1. Creating the RAID Partitions</a></span></dt><dt><span class="section"><a href="#s1-raid-diskdruid-manual-devmnt">5.2.2. Creating the RAID Devices and Mount Points</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-raid-manage">5.3. Managing Software RAID</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-raid-manage-reviewing">5.3.1. Reviewing RAID Configuration</a></span></dt><dt><span class="section"><a href="#s2-raid-manage-creating">5.3.2. Creating a New RAID Device</a></span></dt><dt><span class="section"><a href="#s2-raid-manage-replacing">5.3.3. Replacing a Faulty Device</a></span></dt><dt><span class="section"><a href="#s2-raid-manage-extending">5.3.4. Extending a RAID Device</a></span></dt><dt><span class="section"><a href="#s2-raid-manage-removing">5.3.5. Removing a RAID Device</a></span></dt><dt><span class="section"><a href="#s2-raid-manage-preserving">5.3.6. Preserving the Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-raid-resources">5.4. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-raid-resources-installed">5.4.1. Installed Documentation</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-swapspace">6. Swap Space</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-swap-what-is">6.1. What is Swap Space?</a></span></dt><dt><span class="section"><a href="#s1-swap-adding">6.2. Adding Swap Space</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-swap-extending-lvm2">6.2.1. Extending Swap on an LVM2 Logical Volume</a></span></dt><dt><span class="section"><a href="#s2-swap-creating-lvm2">6.2.2. Creating an LVM2 Logical Volume for Swap</a></span></dt><dt><span class="section"><a href="#s2-swap-creating-file">6.2.3. Creating a Swap File</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-swap-removing">6.3. Removing Swap Space</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-swap-reducing-lvm2">6.3.1. Reducing Swap on an LVM2 Logical Volume</a></span></dt><dt><span class="section"><a href="#s2-swap-removing-lvm2">6.3.2. Removing an LVM2 Logical Volume for Swap</a></span></dt><dt><span class="section"><a href="#s2-swap-removing-file">6.3.3. Removing a Swap File</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-swap-moving">6.4. Moving Swap Space</a></span></dt></dl></dd><dt><span class="chapter"><a href="#ch-disk-storage">7. Managing Disk Storage</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-disk-storage-parted">7.1. Standard Partitions using <code class="command">parted</code></a></span></dt><dd><dl><dt><span class="section"><a href="#s2-disk-storage-parted-view-part-table">7.1.1. Viewing the Partition Table</a></span></dt><dt><span class="section"><a href="#s2-disk-storage-parted-create-part">7.1.2. Creating a Partition</a></span></dt><dt><span class="section"><a href="#s2-disk-storage-parted-remove-part">7.1.3. Removing a Partition</a></span></dt><dt><span class="section"><a href="#s2-disk-storage-parted-resize-part">7.1.4. Resizing a Partition</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-disk-storage-lvm">7.2. LVM Partition Management</a></span></dt></dl></dd><dt><span class="chapter"><a href="#ch-disk-quotas">8. Implementing Disk Quotas</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-disk-quotas-configuring">8.1. Configuring Disk Quotas</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-disk-quotas-enabling">8.1.1. Enabling Quotas</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-remounting">8.1.2. Remounting the File Systems</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-create-files">8.1.3. Creating the Quota Database Files</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-assigning-user">8.1.4. Assigning Quotas per User</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-assigning-group">8.1.5. Assigning Quotas per Group</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-assigning-file-system">8.1.6. Setting the Grace Period for Soft Limits</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-disk-quotas-managing">8.2. Managing Disk Quotas</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-disk-quota-enabling">8.2.1. Enabling and Disabling</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-managing-rpt">8.2.2. Reporting on Disk Quotas</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-managing-accurate">8.2.3. Keeping Quotas Accurate</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-disk-quotas-additional-resources">8.3. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-disk-quotas-install-docs">8.3.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-related-book">8.3.2. Related Books</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-acls">9. Access Control Lists</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-acls-mounting">9.1. Mounting File Systems</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-acls-mounting-nfs">9.1.1. NFS</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-acls-setting">9.2. Setting Access ACLs</a></span></dt><dt><span class="section"><a href="#s1-acls-setting-default">9.3. Setting Default ACLs</a></span></dt><dt><span class="section"><a href="#s1-acls-retrieving">9.4. Retrieving ACLs</a></span></dt><dt><span class="section"><a href="#s1-acls-archiving">9.5. Archiving File Systems With ACLs</a></span></dt><dt><span class="section"><a href="#s1-acls-compat-older">9.6. Compatibility with Older Systems</a></span></dt><dt><span class="section"><a href="#s1-acls-additional-resources">9.7. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-acls-installed-docs">9.7.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-acls-useful-websites">9.7.2. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-lvm">10. LVM (Logical Volume Manager)</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-lvm-intro-whatis">10.1. What is LVM?</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-lvm2-intro-whatis">10.1.1. What is LVM2?</a></span></dt></dl></dd><dt><span class="section"><a href="#s-lvm-config">10.2. LVM Configuration</a></span></dt><dt><span class="section"><a href="#s1-lvm-diskdruid-auto">10.3. Automatic Partitioning</a></span></dt><dt><span class="section"><a href="#s1-lvm-diskdruid-manual">10.4. Manual LVM Partitioning</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-lvm-diskdruid-manual-boot">10.4.1. Creating the <code class="command">/boot</code> Partition</a></span></dt><dt><span class="section"><a href="#s2-lvm-diskdruid-manual-pv">10.4.2. Creating the LVM Physical Volumes</a></span></dt><dt><span class="section"><a href="#s2-lvm-diskdruid-manual-vg">10.4.3. Creating the LVM Volume Groups</a></span></dt><dt><span class="section"><a href="#s2-lvm-diskdruid-manual-lv">10.4.4. Creating the LVM Logical Volumes</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-system-config-lvm">10.5. Using the LVM utility <code class="filename">system-config-lvm</code></a></span></dt><dd><dl><dt><span class="section"><a href="#s1-system-config-lvm-uninitialized">10.5.1. Utilizing uninitialized entities</a></span></dt><dt><span class="section"><a href="#s1-system-config-lvm-add-unallocated">10.5.2. Adding Unallocated Volumes to a volume group</a></span></dt><dt><span class="section"><a href="#s1-system-config-lvm-migrate-extents">10.5.3. Migrating extents</a></span></dt><dt><span class="section"><a href="#s1-system-config-lvm-new-hdd">10.5.4. Adding a new hard disk using LVM</a></span></dt><dt><span class="section"><a href="#s1-system-config-lvm-new-volumegrp">10.5.5. Adding a new volume group</a></span></dt><dt><span class="section"><a href="#s1-system-config-lvm-ext-volumegrp">10.5.6. Extending a volume group</a></span></dt><dt><span class="section"><a href="#s1-system-config-lvm-editing-lv">10.5.7. Editing a Logical Volume</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-lvm-additional-resources">10.6. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-lvm-installed-docs">10.6.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-lvm-useful-websites">10.6.2. Useful Websites</a></span></dt></dl></dd></dl></dd></dl></dd><dt><span class="part"><a href="#pt-pkg-management">II. Package Management</a></span></dt><dd><dl><dt><span class="chapter"><a href="#ch-rpm">11. Package Management with RPM</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-rpm-design">11.1. RPM Design Goals</a></span></dt><dt><span class="section"><a href="#s1-rpm-using">11.2. Using RPM</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-rpm-finding">11.2.1. Finding RPM Packages</a></span></dt><dt><span class="section"><a href="#s2-rpm-installing">11.2.2. Installing</a></span></dt><dt><span class="section"><a href="#s2-rpm-uninstalling">11.2.3. Uninstalling</a></span></dt><dt><span class="section"><a href="#s2-rpm-upgrading">11.2.4. Upgrading</a></span></dt><dt><span class="section"><a href="#s2-rpm-freshening">11.2.5. Freshening</a></span></dt><dt><span class="section"><a href="#s2-rpm-querying">11.2.6. Querying</a></span></dt><dt><span class="section"><a href="#s2-rpm-verifying">11.2.7. Verifying</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-check-rpm-sig">11.3. Checking a Package's Signature</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-keys-importing">11.3.1. Importing Keys</a></span></dt><dt><span class="section"><a href="#s2-keys-checking">11.3.2. Verifying Signature of Packages</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-rpm-impressing">11.4. Practical and Common Examples of RPM Usage</a></span></dt><dt><span class="section"><a href="#s1-rpm-additional-resources">11.5. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-rpm-installed-docs">11.5.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-rpm-useful-websites">11.5.2. Useful Websites</a></span></dt><dt><span class="section"><a href="#s2-rpm-related-books">11.5.3. Related Books</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-graphical-rpm">12. <span class="application"><strong>Package Management Tool</strong></span></a></span></dt><dd><dl><dt><span class="section"><a href="#s1-graphical-rpm-analyzing">12.1. Listing and Analyzing Packages</a></span></dt><dt><span class="section"><a href="#s1-graphical-rpm-installing">12.2. Installing and Removing Packages</a></span></dt></dl></dd><dt><span class="chapter"><a href="#c1-yum">13. YUM (Yellowdog Updater Modified)</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-yum-repo-setup">13.1. Setting Up a <span class="application"><strong>Yum</strong></span> Repository</a></span></dt><dt><span class="section"><a href="#s1-yum-useful-commands">13.2.  <code class="command">yum</code> Commands</a></span></dt><dt><span class="section"><a href="#s1-yum-common-options">13.3.  <code class="command">yum</code> Options</a></span></dt><dt><span class="section"><a href="#s1-yum-yumconf">13.4. Configuring <code class="command">yum</code> </a></span></dt><dd><dl><dt><span class="section"><a href="#s1-yum-yumconf-main">13.4.1.  <code class="command">[main]</code> Options</a></span></dt><dt><span class="section"><a href="#s1-yum-yumconf-repository">13.4.2.  <code class="command">[<em class="replaceable"><code>repository</code></em>]</code> Options</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-yum-useful-variables">13.5. Useful <code class="command">yum</code> Variables</a></span></dt></dl></dd><dt><span class="chapter"><a href="#entitlements">14. Product Subscriptions and Entitlements</a></span></dt><dd><dl><dt><span class="section"><a href="#overview-of-entitlements">14.1. An Overview of Managing Subscriptions and Content</a></span></dt><dd><dl><dt><span class="section"><a href="#the-purpose-of-subscriptions">14.1.1. The Purpose of Subscription Management</a></span></dt><dt><span class="section"><a href="#defining-entitlements">14.1.2. Defining Subscriptions, Entitlements, and Products</a></span></dt><dt><span class="section"><a href="#rhsm-tools">14.1.3. Subscription Management Tools</a></span></dt><dt><span class="section"><a href="#entitlement-arch">14.1.4. Subscription and Content Architecture</a></span></dt><dt><span class="section"><a href="#enhanced-content">14.1.5. Advanced Content Management: Extended Update Support</a></span></dt><dt><span class="section"><a href="#classic-v-rhn">14.1.6. RHN Classic v. Certificate-based Red Hat Network</a></span></dt></dl></dd><dt><span class="section"><a href="#launching-ents-tools">14.2. Using Red Hat Subscription Manager Tools</a></span></dt><dd><dl><dt><span class="section"><a href="#launching-rhsm">14.2.1. Launching Red Hat Subscription Manager</a></span></dt><dt><span class="section"><a href="#about-ents-cli-script">14.2.2. About subscription-manager</a></span></dt><dt><span class="section"><a href="#about-rhsm-web">14.2.3. Looking at RHN Subscription Management</a></span></dt><dt><span class="section"><a href="#about-sam">14.2.4. Looking at Subscription Asset Manager</a></span></dt></dl></dd><dt><span class="section"><a href="#ents-special-types">14.3. Managing Special Deployment Scenarios</a></span></dt><dd><dl><dt><span class="section"><a href="#ents-multi-tenant">14.3.1. Local Subscription Services, Local Content Providers, and Multi-Tenant Organizations</a></span></dt><dt><span class="section"><a href="#ents-virtual">14.3.2. Virtual Guests and Hosts</a></span></dt><dt><span class="section"><a href="#ents-domains">14.3.3. Domains</a></span></dt></dl></dd><dt><span class="section"><a href="#registering-machine-ui">14.4. Registering, Unregistering, and Reregistering a System</a></span></dt><dd><dl><dt><span class="section"><a href="#registering-ui">14.4.1. Registering Consumers in the Hosted Environment</a></span></dt><dt><span class="section"><a href="#registering-multiorg">14.4.2. Registering Consumers to a Local Organization</a></span></dt><dt><span class="section"><a href="#registering-oflfine">14.4.3. Registering an Offline Consumer</a></span></dt><dt><span class="section"><a href="#registering-cmd">14.4.4. Registering from the Command Line</a></span></dt><dt><span class="section"><a href="#un-registering">14.4.5. Unregistering</a></span></dt><dt><span class="section"><a href="#reregistering">14.4.6. Restoring a Registration</a></span></dt></dl></dd><dt><span class="section"><a href="#rhn-migration">14.5. Migrating Systems from RHN Classic to Certificate-based Red Hat Network</a></span></dt><dd><dl><dt><span class="section"><a href="#install-migration-tools">14.5.1. Installing the Migration Tools</a></span></dt><dt><span class="section"><a href="#rhn-migrate-classic">14.5.2. Migrating from RHN Classic to Certificate-based Red Hat Network</a></span></dt><dt><span class="section"><a href="#rhn-migrate-unregister-only">14.5.3. Unregistering from RHN Classic Only</a></span></dt><dt><span class="section"><a href="#rhn-install-num">14.5.4. Migrating a Disconnected System</a></span></dt><dt><span class="section"><a href="#rhn-channel-mappings">14.5.5. Looking at Channel and Certificate Mappings</a></span></dt></dl></dd><dt><span class="section"><a href="#subscribing-ents">14.6. Handling Subscriptions</a></span></dt><dd><dl><dt><span class="section"><a href="#sub-ui">14.6.1. Subscribing and Unsubscribing through the Red Hat Subscription Manager GUI</a></span></dt><dt><span class="section"><a href="#sub-cli">14.6.2. Handling Subscriptions through the Command Line</a></span></dt><dt><span class="section"><a href="#stacking">14.6.3. Stacking Subscriptions</a></span></dt><dt><span class="section"><a href="#ADDING-SUB">14.6.4. Manually Adding a New Subscription</a></span></dt></dl></dd><dt><span class="section"><a href="#activating-machine">14.7. Redeeming Subscriptions on a Machine</a></span></dt><dd><dl><dt><span class="section"><a href="#activating-gui">14.7.1. Redeeming Subscriptions through the GUI</a></span></dt><dt><span class="section"><a href="#activating-register">14.7.2. Redeeming Subscriptions on a Machine through the Command Line</a></span></dt></dl></dd><dt><span class="section"><a href="#viewing-ents">14.8. Viewing Available and Used Subscriptions</a></span></dt><dd><dl><dt><span class="section"><a href="#viewing-ents-ui">14.8.1. Viewing Subscriptions in the GUI</a></span></dt><dt><span class="section"><a href="#viewing-ents-cmd">14.8.2. Listing Subscriptions with the Command Line</a></span></dt><dt><span class="section"><a href="#viewing-available-sub">14.8.3. Viewing Subscriptions Used in Both RHN Classic and Certificate-based Red Hat Network</a></span></dt></dl></dd><dt><span class="section"><a href="#entitlements-and-yum">14.9. Working with Subscription yum Repos</a></span></dt><dt><span class="section"><a href="#responding-to-nags-ui">14.10. Responding to Subscription Notifications</a></span></dt><dt><span class="section"><a href="#sub-healing">14.11. Healing Subscriptions</a></span></dt><dd><dl><dt><span class="section"><a href="#healing-disable">14.11.1. Enabling Healing</a></span></dt><dt><span class="section"><a href="#healing-freq">14.11.2. Changing the Healing Check Frequency</a></span></dt></dl></dd><dt><span class="section"><a href="#sam">14.12. Working with Subscription Asset Manager</a></span></dt><dd><dl><dt><span class="section"><a href="#configuring-rhsm-sam">14.12.1. Configuring Subscription Manager to Work with Subscription Asset Manager</a></span></dt><dt><span class="section"><a href="#viewing-multi-org-info">14.12.2. Viewing Organization Information</a></span></dt></dl></dd><dt><span class="section"><a href="#uploading-new-certs">14.13. Updating Entitlements Certificates</a></span></dt><dd><dl><dt><span class="section"><a href="#updating-ent-certs">14.13.1. Updating Entitlement Certificates</a></span></dt><dt><span class="section"><a href="#refreshing-ent-info">14.13.2. Updating Subscription Information</a></span></dt></dl></dd><dt><span class="section"><a href="#rhsm-config">14.14. Configuring the Subscription Service</a></span></dt><dd><dl><dt><span class="section"><a href="#rhsm-files">14.14.1. Red Hat Subscription Manager Configuration Files</a></span></dt><dt><span class="section"><a href="#rhsm-config-cmd">14.14.2. Using the config Command</a></span></dt><dt><span class="section"><a href="#rhsm-http-proxy">14.14.3. Using an HTTP Proxy</a></span></dt><dt><span class="section"><a href="#changing-ents-server">14.14.4. Changing the Subscription Server</a></span></dt><dt><span class="section"><a href="#setting-up-rhsm-mirror">14.14.5. Configuring Red Hat Subscription Manager to Use a Local Content Provider</a></span></dt><dt><span class="section"><a href="#secure-cxn-ents-server">14.14.6. Managing Secure Connections to the Subscription Server</a></span></dt><dt><span class="section"><a href="#starting-rhsm">14.14.7. Starting and Stopping the Subscription Service</a></span></dt><dt><span class="section"><a href="#checking-rhsm-logs">14.14.8. Checking Logs</a></span></dt><dt><span class="section"><a href="#showing-incompatible-subsc">14.14.9. Showing and Hiding Incompatible Subscriptions</a></span></dt><dt><span class="section"><a href="#rhsm-facts">14.14.10. Checking and Adding System Facts</a></span></dt><dt><span class="section"><a href="#regen-certs-cli">14.14.11. Regenerating Identity Certificates</a></span></dt><dt><span class="section"><a href="#getting-system-uuid">14.14.12. Getting the System UUID</a></span></dt><dt><span class="section"><a href="#rhsm-package-profiles">14.14.13. Viewing Package Profiles</a></span></dt><dt><span class="section"><a href="#consumerid">14.14.14. Retrieving the Consumer ID, Registration Tokens, and Other Information</a></span></dt></dl></dd><dt><span class="section"><a href="#entitlement-certificates">14.15. About Certificates and Managing Entitlements</a></span></dt><dd><dl><dt><span class="section"><a href="#structure-of-identity-certs">14.15.1. The Structure of Identity Certificates</a></span></dt><dt><span class="section"><a href="#structure-of-ent-certificates">14.15.2. The Structure of Entitlement Certificates</a></span></dt><dt><span class="section"><a href="#structure-of-product-certificates">14.15.3. The Structure of Product Certificates</a></span></dt><dt><span class="section"><a href="#sat-certs">14.15.4. Anatomy of Satellite Certificates</a></span></dt></dl></dd></dl></dd></dl></dd><dt><span class="part"><a href="#pt-network-related-config">III. Network-Related Configuration</a></span></dt><dd><dl><dt><span class="chapter"><a href="#ch-networkscripts">15. Network Interfaces</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-networkscripts-files">15.1. Network Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-networkscripts-interfaces">15.2. Interface Configuration Files</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-networkscripts-interfaces-eth0">15.2.1. Ethernet Interfaces</a></span></dt><dt><span class="section"><a href="#s2-networkscripts-interfaces-ipsec">15.2.2. IPsec Interfaces</a></span></dt><dt><span class="section"><a href="#s2-networkscripts-interfaces-chan">15.2.3. Channel Bonding Interfaces</a></span></dt><dt><span class="section"><a href="#s2-networkscripts-interfaces-alias">15.2.4. Alias and Clone Files</a></span></dt><dt><span class="section"><a href="#s2-networkscripts-interfaces-ppp0">15.2.5. Dialup Interfaces</a></span></dt><dt><span class="section"><a href="#s2-networkscripts-interfaces-other">15.2.6. Other Interfaces</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-networkscripts-control">15.3. Interface Control Scripts</a></span></dt><dt><span class="section"><a href="#s1-networkscripts-static-routes">15.4. Configuring Static Routes</a></span></dt><dt><span class="section"><a href="#s1-networkscripts-functions">15.5. Network Function Files</a></span></dt><dt><span class="section"><a href="#s1-networkscripts-resources">15.6. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-networkscripts-docs-inst">15.6.1. Installed Documentation</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-network-config">16. Network Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-network-config-overview">16.1. Overview</a></span></dt><dt><span class="section"><a href="#s1-network-config-ethernet">16.2. Establishing an Ethernet Connection</a></span></dt><dt><span class="section"><a href="#s1-network-config-isdn">16.3. Establishing an ISDN Connection</a></span></dt><dt><span class="section"><a href="#s1-network-config-modem">16.4. Establishing a Modem Connection</a></span></dt><dt><span class="section"><a href="#s1-network-config-xdsl">16.5. Establishing an xDSL Connection</a></span></dt><dt><span class="section"><a href="#s1-network-config-tokenring">16.6. Establishing a Token Ring Connection</a></span></dt><dt><span class="section"><a href="#s1-network-config-wireless">16.7. Establishing a Wireless Connection</a></span></dt><dt><span class="section"><a href="#s1-network-config-dns">16.8. Managing DNS Settings</a></span></dt><dt><span class="section"><a href="#s1-network-config-hosts">16.9. Managing Hosts</a></span></dt><dt><span class="section"><a href="#s1-network-profiles">16.10. Working with Profiles</a></span></dt><dt><span class="section"><a href="#s1-network-aliases">16.11. Device Aliases</a></span></dt><dt><span class="section"><a href="#s1-network-save-config">16.12. Saving and Restoring the Network Configuration</a></span></dt></dl></dd><dt><span class="chapter"><a href="#ch-services">17. Controlling Access to Services</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-services-runlevels">17.1. Runlevels</a></span></dt><dt><span class="section"><a href="#s1-services-tcp-wrappers">17.2. TCP Wrappers</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-services-xinetd">17.2.1. <code class="command">xinetd</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-services-serviceconf">17.3. <span class="application"><strong>Services Configuration Tool</strong></span></a></span></dt><dt><span class="section"><a href="#s1-services-ntsysv">17.4. <span class="application"><strong>ntsysv</strong></span></a></span></dt><dt><span class="section"><a href="#s1-services-chkconfig">17.5. <code class="command">chkconfig</code></a></span></dt><dt><span class="section"><a href="#s1-services-additional-resources">17.6. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#services-installed-docs">17.6.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#services-useful-websites">17.6.2. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-bind">18. Berkeley Internet Name Domain (BIND)</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-bind-introduction">18.1. Introduction to DNS</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-bind-introduction-zones">18.1.1. Nameserver Zones</a></span></dt><dt><span class="section"><a href="#s2-bind-introduction-nameservers">18.1.2. Nameserver Types</a></span></dt><dt><span class="section"><a href="#s2-bind-introduction-bind">18.1.3. BIND as a Nameserver</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-bind-namedconf">18.2.  <code class="filename">/etc/named.conf</code> </a></span></dt><dd><dl><dt><span class="section"><a href="#s2-bind-namedconf-state">18.2.1. Common Statement Types</a></span></dt><dt><span class="section"><a href="#s2-bind-namedconf-state-other">18.2.2. Other Statement Types</a></span></dt><dt><span class="section"><a href="#s2-bind-namedconf-comm">18.2.3. Comment Tags</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-bind-zone">18.3. Zone Files</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-bind-zone-directives">18.3.1. Zone File Directives</a></span></dt><dt><span class="section"><a href="#s3-bind-zone-rr">18.3.2. Zone File Resource Records</a></span></dt><dt><span class="section"><a href="#s2-bind-zone-examples">18.3.3. Example Zone File</a></span></dt><dt><span class="section"><a href="#s2-bind-configuration-zone-reverse">18.3.4. Reverse Name Resolution Zone Files</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-bind-rndc">18.4. Using <code class="command">rndc</code> </a></span></dt><dd><dl><dt><span class="section"><a href="#s2-bind-rndc-configuration-namedconf">18.4.1. Configuring <code class="filename">/etc/named.conf</code> </a></span></dt><dt><span class="section"><a href="#s2-bind-rndc-configuration-rndcconf">18.4.2. Configuring <code class="filename">/etc/rndc.conf</code> </a></span></dt><dt><span class="section"><a href="#s2-bind-rndc-options">18.4.3. Command Line Options</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-bind-features">18.5. Advanced Features of BIND</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-bind-features-protocol">18.5.1. DNS Protocol Enhancements</a></span></dt><dt><span class="section"><a href="#s2-bind-features-views">18.5.2. Multiple Views</a></span></dt><dt><span class="section"><a href="#s2-bind-features-security">18.5.3. Security</a></span></dt><dt><span class="section"><a href="#s2-bind-features-ipv6">18.5.4. IP version 6</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-bind-mistakes">18.6. Common Mistakes to Avoid</a></span></dt><dt><span class="section"><a href="#s1-bind-additional-resources">18.7. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-bind-installed-docs">18.7.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-bind-useful-websites">18.7.2. Useful Websites</a></span></dt><dt><span class="section"><a href="#s2-bind-related-books">18.7.3. Related Books</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-openssh">19. OpenSSH</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-ssh-intro">19.1. Features of SSH</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ssh-intro-why">19.1.1. Why Use SSH?</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ssh-version">19.2. SSH Protocol Versions</a></span></dt><dt><span class="section"><a href="#s1-ssh-conn">19.3. Event Sequence of an SSH Connection</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ssh-protocol-conn-transport">19.3.1. Transport Layer</a></span></dt><dt><span class="section"><a href="#s2-ssh-protocol-authentication">19.3.2. Authentication</a></span></dt><dt><span class="section"><a href="#s2-ssh-protocol-connection">19.3.3. Channels</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-openssh-server-config">19.4. Configuring an OpenSSH Server</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ssh-requiring">19.4.1. Requiring SSH for Remote Connections</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ssh-configfiles">19.5. OpenSSH Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-openssh-client-config">19.6. Configuring an OpenSSH Client</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-openssh-using-ssh">19.6.1. Using the <code class="command">ssh</code> Command</a></span></dt><dt><span class="section"><a href="#s2-openssh-using-scp">19.6.2. Using the <code class="command">scp</code> Command</a></span></dt><dt><span class="section"><a href="#s2-openssh-using-sftp">19.6.3. Using the <code class="command">sftp</code> Command</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ssh-beyondshell">19.7. More Than a Secure Shell</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ssh-beyondshell-x11">19.7.1. X11 Forwarding</a></span></dt><dt><span class="section"><a href="#s2-ssh-beyondshell-tcpip">19.7.2. Port Forwarding</a></span></dt><dt><span class="section"><a href="#s2-openssh-generate-keypairs">19.7.3. Generating Key Pairs</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-openssh-additional-resources">19.8. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-openssh-installed-docs">19.8.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-openssh-useful-websites">19.8.2. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-nfs">20. Network File System (NFS)</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-nfs-how">20.1. How It Works</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-nfs-how-daemons">20.1.1. Required Services</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-nfs-client-config">20.2. NFS Client Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-nfs-fstab">20.2.1. Mounting NFS File Systems using <code class="filename">/etc/fstab</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-nfs-client-config-autofs">20.3. <code class="command">autofs</code></a></span></dt><dd><dl><dt><span class="section"><a href="#s2-nfs-config-autofs-new">20.3.1. What's new in <code class="command">autofs</code> version 5?</a></span></dt><dt><span class="section"><a href="#s2-nfs-config-autofs">20.3.2. <code class="command">autofs</code> Configuration</a></span></dt><dt><span class="section"><a href="#s2-nfs-config-autofs-commontasks">20.3.3. <code class="command">autofs</code> Common Tasks</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-nfs-client-config-options">20.4. Common NFS Mount Options</a></span></dt><dt><span class="section"><a href="#s1-nfs-start">20.5. Starting and Stopping NFS</a></span></dt><dt><span class="section"><a href="#s1-nfs-server-export">20.6. NFS Server Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-nfs-export">20.6.1. Exporting or Sharing NFS File Systems</a></span></dt><dt><span class="section"><a href="#s2-nfs-command-line">20.6.2. Command Line Configuration</a></span></dt><dt><span class="section"><a href="#s2-nfs-nfs-firewall-config">20.6.3. Running NFS Behind a Firewall</a></span></dt><dt><span class="section"><a href="#s2-nfs-hostname-formats">20.6.4. Hostname Formats</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-nfs-server-config-exports">20.7. The <code class="filename">/etc/exports</code> Configuration File</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-nfs-server-config-exportfs">20.7.1. The <code class="command">exportfs</code> Command</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-nfs-security">20.8. Securing NFS</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-nfs-security-hosts">20.8.1. Host Access</a></span></dt><dt><span class="section"><a href="#s2-nfs-security-files">20.8.2. File Permissions</a></span></dt></dl></dd><dt><span class="section"><a href="#s2-nfs-methodology-portmap">20.9. NFS and <code class="command">portmap</code></a></span></dt><dd><dl><dt><span class="section"><a href="#s3-nfs-methodology-portmap-rpcinfo">20.9.1. Troubleshooting NFS and <code class="command">portmap</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-nfs-tcp">20.10. Using NFS over TCP</a></span></dt><dt><span class="section"><a href="#s1-nfs-additional-resources">20.11. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-nfs-installed-documentation">20.11.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-nfs-useful-websites">20.11.2. Useful Websites</a></span></dt><dt><span class="section"><a href="#s2-nfs-related-books">20.11.3. Related Books</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-samba">21. Samba</a></span></dt><dd><dl><dt><span class="section"><a href="#samba-rgs-overview">21.1. Introduction to Samba</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-abilities">21.1.1. Samba Features</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-daemons">21.2. Samba Daemons and Related Services</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-services">21.2.1. Samba Daemons</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-connect-share">21.3. Connecting to a Samba Share</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-connect-share-cmdline">21.3.1. Command Line</a></span></dt><dt><span class="section"><a href="#s1-samba-mounting">21.3.2. Mounting the Share</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-configuring">21.4. Configuring a Samba Server</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-configuring-gui">21.4.1. Graphical Configuration</a></span></dt><dt><span class="section"><a href="#s2-samba-configuring-cmdline">21.4.2. Command Line Configuration</a></span></dt><dt><span class="section"><a href="#s2-samba-encrypted-passwords">21.4.3. Encrypted Passwords</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-startstop">21.5. Starting and Stopping Samba</a></span></dt><dt><span class="section"><a href="#s1-samba-servers">21.6. Samba Server Types and the <code class="command">smb.conf</code> File</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-standalone">21.6.1. Stand-alone Server</a></span></dt><dt><span class="section"><a href="#s2-samba-domain-member">21.6.2. Domain Member Server</a></span></dt><dt><span class="section"><a href="#s2-samba-domain-controller">21.6.3. Domain Controller</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-security-modes">21.7. Samba Security Modes</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-user-level">21.7.1. User-Level Security</a></span></dt><dt><span class="section"><a href="#s2-samba-share-level">21.7.2. Share-Level Security</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-account-info-dbs">21.8. Samba Account Information Databases</a></span></dt><dt><span class="section"><a href="#s1-samba-network-browsing">21.9. Samba Network Browsing</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-domain-browsing">21.9.1. Domain Browsing</a></span></dt><dt><span class="section"><a href="#s2-samba-wins">21.9.2. WINS (Windows Internetworking Name Server)</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-cups">21.10. Samba with CUPS Printing Support</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-cups-smb.conf">21.10.1. Simple <code class="filename">smb.conf</code> Settings</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-programs">21.11. Samba Distribution Programs</a></span></dt><dt><span class="section"><a href="#s1-samba-resources">21.12. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-resources-installed">21.12.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-samba-resources-published">21.12.2. Related Books</a></span></dt><dt><span class="section"><a href="#s2-samba-resources-community">21.12.3. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-dhcp">22. Dynamic Host Configuration Protocol (DHCP)</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-dhcp-why">22.1. Why Use DHCP?</a></span></dt><dt><span class="section"><a href="#s1-dhcp-configuring-server">22.2. Configuring a DHCP Server</a></span></dt><dd><dl><dt><span class="section"><a href="#config-file">22.2.1. Configuration File</a></span></dt><dt><span class="section"><a href="#lease-database">22.2.2. Lease Database</a></span></dt><dt><span class="section"><a href="#id1071897">22.2.3. Starting and Stopping the Server</a></span></dt><dt><span class="section"><a href="#dhcp-relay-agent">22.2.4. DHCP Relay Agent</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-dhcp-configuring-client">22.3. Configuring a DHCP Client</a></span></dt><dt><span class="section"><a href="#sect-Configuring_a_Multihomed_DHCP_Server">22.4. Configuring a Multihomed DHCP Server</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-dns_Host_Configuration">22.4.1. Host Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-dhcp-additional-resources">22.5. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-dhcp-installed-docs">22.5.1. Installed Documentation</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-httpd">23. Apache HTTP Server</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-httpd-v2">23.1. Apache HTTP Server 2.2</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-httpd-v2-features">23.1.1. Features of Apache HTTP Server 2.2</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-httpd-mig">23.2. Migrating Apache HTTP Server Configuration Files</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-httpd-v22-mig">23.2.1. Migrating Apache HTTP Server 2.0 Configuration Files</a></span></dt><dt><span class="section"><a href="#s3-httpd-v2-mig">23.2.2. Migrating Apache HTTP Server 1.3 Configuration Files to 2.0</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-apache-startstop">23.3. Starting and Stopping <code class="command">httpd</code></a></span></dt><dt><span class="section"><a href="#s1-apache-config-ui">23.4. Apache HTTP Server Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-httpd-basic-settings">23.4.1. Basic Settings</a></span></dt><dt><span class="section"><a href="#s2-httpd-default-settings">23.4.2. Default Settings</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-apache-config">23.5. Configuration Directives in <code class="filename">httpd.conf</code></a></span></dt><dd><dl><dt><span class="section"><a href="#s2-apache-tips">23.5.1. General Configuration Tips</a></span></dt><dt><span class="section"><a href="#s2-apache-sslcommands">23.5.2. Configuration Directives for SSL</a></span></dt><dt><span class="section"><a href="#s2-apache-mpm-containers">23.5.3. MPM Specific Server-Pool Directives</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-apache-addmods">23.6. Adding Modules</a></span></dt><dt><span class="section"><a href="#s1-apache-virtualhosts">23.7. Virtual Hosts</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-apache-settingupvhosts">23.7.1. Setting Up Virtual Hosts</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-httpd-secure-server">23.8. Apache HTTP Secure Server Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-secureserver-optionalpackages">23.8.1. An Overview of Security-Related Packages</a></span></dt><dt><span class="section"><a href="#s2-secureserver-overview-certs">23.8.2. An Overview of Certificates and Security</a></span></dt><dt><span class="section"><a href="#s1-secureserver-oldcert">23.8.3. Using Pre-Existing Keys and Certificates</a></span></dt><dt><span class="section"><a href="#s2-secureserver-certs">23.8.4. Types of Certificates</a></span></dt><dt><span class="section"><a href="#s2-secureserver-generatingkey">23.8.5. Generating a Key</a></span></dt><dt><span class="section"><a href="#s1-use-new-key">23.8.6. How to configure the server to use the new key</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-apache-additional-resources">23.9. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-apache-additional-resources-web">23.9.1. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-ftp">24. FTP</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-ftp-protocol">24.1. The File Transfer Protocol</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ftp-protocol-multiport">24.1.1. Multiple Ports, Multiple Modes</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ftp-servers">24.2. FTP Servers</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ftp-servers-vsftpd">24.2.1. <code class="command">vsftpd</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s2-ftp-vsftpd-conf">24.3. Files Installed with <code class="command">vsftpd</code></a></span></dt><dt><span class="section"><a href="#s1-ftp-vsftpd-start">24.4. Starting and Stopping <code class="command">vsftpd</code></a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ftp-vsftpd-start-multi">24.4.1. Starting Multiple Copies of <code class="command">vsftpd</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ftp-vsftpd-conf">24.5. <code class="command">vsftpd</code> Configuration Options</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-daemon">24.5.1. Daemon Options</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-login">24.5.2. Log In Options and Access Controls</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-anon">24.5.3. Anonymous User Options</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-usr">24.5.4. Local User Options</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-dir">24.5.5. Directory Options</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-file">24.5.6. File Transfer Options</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-log">24.5.7. Logging Options</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-net">24.5.8. Network Options</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ftp-resources">24.6. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ftp-installed-documentation">24.6.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-ftp-useful-websites">24.6.2. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-email">25. Email</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-email-protocols">25.1. Email Protocols</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-email-protocols-send">25.1.1. Mail Transport Protocols</a></span></dt><dt><span class="section"><a href="#s2-email-protocols-client">25.1.2. Mail Access Protocols</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-email-types">25.2. Email Program Classifications</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-email-types-mta">25.2.1. Mail Transport Agent</a></span></dt><dt><span class="section"><a href="#s2-email-types-mda">25.2.2. Mail Delivery Agent</a></span></dt><dt><span class="section"><a href="#s2-email-types-mua">25.2.3. Mail User Agent</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-email-mta">25.3. Mail Transport Agents</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-email-mta-sendmail">25.3.1. Sendmail</a></span></dt><dt><span class="section"><a href="#s2-email-mta-postfix">25.3.2. Postfix</a></span></dt><dt><span class="section"><a href="#s2-email-mta-fetchmail">25.3.3. Fetchmail</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-email-switchmail">25.4. Mail Transport Agent (MTA) Configuration</a></span></dt><dt><span class="section"><a href="#s1-email-mda">25.5. Mail Delivery Agents</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-email-procmail-configuration">25.5.1. Procmail Configuration</a></span></dt><dt><span class="section"><a href="#s2-email-procmail-recipes">25.5.2. Procmail Recipes</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-email-mua">25.6. Mail User Agents</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-email-security">25.6.1. Securing Communication</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-email-additional-resources">25.7. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-email-installed-docs">25.7.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-email-useful-websites">25.7.2. Useful Websites</a></span></dt><dt><span class="section"><a href="#s2-email-related-books">25.7.3. Related Books</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-ldap">26. Lightweight Directory Access Protocol (LDAP)</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-ldap-adv">26.1. Why Use LDAP?</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-ldap-v3">26.1.1. OpenLDAP Features</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ldap-terminology">26.2. LDAP Terminology</a></span></dt><dt><span class="section"><a href="#s1-ldap-daemonsutils">26.3. OpenLDAP Daemons and Utilities</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ldap-pam-nss">26.3.1. NSS, PAM, and LDAP</a></span></dt><dt><span class="section"><a href="#s2-ldap-other-apps">26.3.2. PHP4, LDAP, and the Apache HTTP Server</a></span></dt><dt><span class="section"><a href="#s2-ldap-applications">26.3.3. LDAP Client Applications</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ldap-files">26.4. OpenLDAP Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-ldap-files-schemas">26.5. The <code class="filename">/etc/openldap/schema/</code> Directory</a></span></dt><dt><span class="section"><a href="#s1-ldap-quickstart">26.6. OpenLDAP Setup Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ldap-files-slapd-conf">26.6.1. Editing <code class="filename">/etc/openldap/slapd.conf</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ldap-pam">26.7. Configuring a System to Authenticate Using OpenLDAP</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ldap-pamd">26.7.1. PAM and LDAP</a></span></dt><dt><span class="section"><a href="#s2-ldap-migrate">26.7.2. Migrating Old Authentication Information to LDAP Format</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ldap-migrate">26.8. Migrating Directories from Earlier Releases</a></span></dt><dt><span class="section"><a href="#s1-ldap-additional-resources">26.9. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ldap-installed-docs">26.9.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-ldap-additional-resources-web">26.9.2. Useful Websites</a></span></dt><dt><span class="section"><a href="#s2-ldap-related-books">26.9.3. Related Books</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-authconfig">27. Authentication Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-authconfig-user-info">27.1. User Information</a></span></dt><dt><span class="section"><a href="#s1-authconfig-auth">27.2. Authentication</a></span></dt><dt><span class="section"><a href="#authconfig-options">27.3. Options</a></span></dt><dt><span class="section"><a href="#s1-authconfig-command-line">27.4. Command Line Version</a></span></dt></dl></dd><dt><span class="chapter"><a href="#SSSD">28. Using and Caching Credentials with SSSD</a></span></dt><dd><dl><dt><span class="section"><a href="#about-sssd">28.1. About the sssd.conf File</a></span></dt><dt><span class="section"><a href="#Installing_SSSD-Starting_and_Stopping_SSSD">28.2. Starting and Stopping SSSD</a></span></dt><dt><span class="section"><a href="#Configuring_Services">28.3. Configuring Services</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuration_Options-NSS_Configuration_Options">28.3.1. Configuring the NSS Service</a></span></dt><dt><span class="section"><a href="#Configuration_Options-PAM_Configuration_Options">28.3.2. Configuring the PAM Service</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_Domains">28.4. Creating Domains</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_Domains-Domain_Configuration_Options">28.4.1. General Rules and Options for Configuring a Domain</a></span></dt><dt><span class="section"><a href="#Configuring_Domains-Configuring_a_Native_LDAP_Domain">28.4.2. Configuring an LDAP Domain</a></span></dt><dt><span class="section"><a href="#Configuring_Domains-Setting_up_Kerberos_Authentication">28.4.3. Configuring Kerberos Authentication with a Domain</a></span></dt><dt><span class="section"><a href="#Domain_Configuration_Options-Configuring_a_Proxy_Domain">28.4.4. Configuring a Proxy Domain</a></span></dt></dl></dd><dt><span class="section"><a href="#config-sssd-domain-access">28.5. Configuring Access Control for SSSD Domains</a></span></dt><dd><dl><dt><span class="section"><a href="#id973609">28.5.1. Using the Simple Access Provider</a></span></dt><dt><span class="section"><a href="#id973729">28.5.2. Using the LDAP Access Filter</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_Failover">28.6. Configuring Domain Failover</a></span></dt><dd><dl><dt><span class="section"><a href="#config-failover">28.6.1. Configuring Failover</a></span></dt><dt><span class="section"><a href="#Using_SRV_Records_with_Failover">28.6.2. Using SRV Records with Failover</a></span></dt></dl></dd><dt><span class="section"><a href="#sssd-cache">28.7. Deleting Domain Cache Files</a></span></dt><dt><span class="section"><a href="#usingnscd-sssd">28.8. Using NSCD with SSSD</a></span></dt><dt><span class="section"><a href="#SSSD-Troubleshooting">28.9. Troubleshooting SSSD</a></span></dt><dd><dl><dt><span class="section"><a href="#Troubleshooting-Using_SSSD_Log_Files">28.9.1. Using SSSD Log Files</a></span></dt><dt><span class="section"><a href="#Troubleshooting-Problems_with_SSSD_Configuration">28.9.2. Problems with SSSD Configuration</a></span></dt></dl></dd></dl></dd></dl></dd><dt><span class="part"><a href="#pt-sysconfig">IV. System Configuration</a></span></dt><dd><dl><dt><span class="chapter"><a href="#ch-console-access">29. Console Access</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-access-console-ctrlaltdel">29.1. Disabling Shutdown Via <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>Del</strong></span></a></span></dt><dt><span class="section"><a href="#s1-access-console-program">29.2. Disabling Console Program Access</a></span></dt><dt><span class="section"><a href="#s1-access-console-define">29.3. Defining the Console</a></span></dt><dt><span class="section"><a href="#s1-access-console-files">29.4. Making Files Accessible From the Console</a></span></dt><dt><span class="section"><a href="#s1-access-console-enable">29.5. Enabling Console Access for Other Applications</a></span></dt><dt><span class="section"><a href="#s1-access-floppy">29.6. The <code class="filename">floppy</code> Group</a></span></dt></dl></dd><dt><span class="chapter"><a href="#ch-sysconfig">30. The <code class="filename">sysconfig</code> Directory</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-sysconfig-files">30.1. Files in the <code class="filename">/etc/sysconfig/</code> Directory</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-sysconfig-files-amd">30.1.1. <code class="filename">/etc/sysconfig/amd</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-apmd">30.1.2. <code class="filename">/etc/sysconfig/apmd</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-arpwatch">30.1.3. <code class="filename">/etc/sysconfig/arpwatch</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-authconfig">30.1.4. <code class="filename">/etc/sysconfig/authconfig</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-autofs">30.1.5. <code class="filename">/etc/sysconfig/autofs</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-clock">30.1.6. <code class="filename">/etc/sysconfig/clock</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-desktop">30.1.7. <code class="filename">/etc/sysconfig/desktop</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-dhcpd">30.1.8. <code class="filename">/etc/sysconfig/dhcpd</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-exim">30.1.9. <code class="filename">/etc/sysconfig/exim</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-firewall">30.1.10. <code class="filename">/etc/sysconfig/firstboot</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-gpm">30.1.11. <code class="filename">/etc/sysconfig/gpm</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-hwconf">30.1.12. <code class="filename">/etc/sysconfig/hwconf</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-i18n">30.1.13. <code class="filename">/etc/sysconfig/i18n</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-init">30.1.14. <code class="filename">/etc/sysconfig/init</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-ip6tables">30.1.15. <code class="filename">/etc/sysconfig/ip6tables-config</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-iptables">30.1.16. <code class="filename">/etc/sysconfig/iptables-config</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-irda">30.1.17. <code class="filename">/etc/sysconfig/irda</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-kybd">30.1.18. <code class="filename">/etc/sysconfig/keyboard</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-kudzu">30.1.19. <code class="filename">/etc/sysconfig/kudzu</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-named">30.1.20. <code class="filename">/etc/sysconfig/named</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-network">30.1.21. <code class="filename">/etc/sysconfig/network</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-nfs">30.1.22. <code class="filename">/etc/sysconfig/nfs</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-ntpd">30.1.23. <code class="filename">/etc/sysconfig/ntpd</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-radvd">30.1.24. <code class="filename">/etc/sysconfig/radvd</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-samba">30.1.25. <code class="filename">/etc/sysconfig/samba</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-selinux">30.1.26. <code class="filename">/etc/sysconfig/selinux</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-sendmail">30.1.27. <code class="filename">/etc/sysconfig/sendmail</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-spamd">30.1.28. <code class="filename">/etc/sysconfig/spamassassin</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-squid">30.1.29. <code class="filename">/etc/sysconfig/squid</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-sec-level">30.1.30. <code class="filename">/etc/sysconfig/system-config-securitylevel</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-selinuxtool">30.1.31. <code class="filename">/etc/sysconfig/system-config-selinux</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-rcu">30.1.32. <code class="filename">/etc/sysconfig/system-config-users</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-rlv">30.1.33. <code class="filename">/etc/sysconfig/system-logviewer</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-tux">30.1.34. <code class="filename">/etc/sysconfig/tux</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-vncservers">30.1.35. <code class="filename">/etc/sysconfig/vncservers</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-xinetd">30.1.36. <code class="filename">/etc/sysconfig/xinetd</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-sysconfig-etcsysconf-dir">30.2. Directories in the <code class="filename">/etc/sysconfig/</code> Directory</a></span></dt><dt><span class="section"><a href="#s1-sysconfig-additional-resources">30.3. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-sysconfig-installed-documentation">30.3.1. Installed Documentation</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-dateconfig">31. Date and Time Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-dateconfig-time-date">31.1. Time and Date Properties</a></span></dt><dt><span class="section"><a href="#s1-dateconfig-ntp">31.2. Network Time Protocol (NTP) Properties</a></span></dt><dt><span class="section"><a href="#s1-dateconfig-time-zone">31.3. Time Zone Configuration</a></span></dt></dl></dd><dt><span class="chapter"><a href="#ch-keyboardconfig">32. Keyboard Configuration</a></span></dt><dt><span class="chapter"><a href="#ch-x">33. The X Window System</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-x-server">33.1. The X11R7.1 Release</a></span></dt><dt><span class="section"><a href="#s1-x-clients">33.2. Desktop Environments and Window Managers</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-x-clients-desktop">33.2.1. Desktop Environments</a></span></dt><dt><span class="section"><a href="#s2-x-clients-winmanagers">33.2.2. Window Managers</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-x-server-configuration">33.3. X Server Configuration Files</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-x-server-config-xorg.conf">33.3.1. <code class="filename">xorg.conf</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-x-fonts">33.4. Fonts</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-x-fonts-fontconfig">33.4.1. Fontconfig</a></span></dt><dt><span class="section"><a href="#s2-x-fonts-core">33.4.2. Core X Font System</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-x-runlevels">33.5. Runlevels and X</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-x-runlevels-3">33.5.1. Runlevel 3</a></span></dt><dt><span class="section"><a href="#s2-x-runlevels-5">33.5.2. Runlevel 5</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-x-additional-resources">33.6. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-x-installed-documentation">33.6.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-x-useful-websites">33.6.2. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-xconfig">34. X Window System Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-xconfig-display">34.1. Display Settings</a></span></dt><dt><span class="section"><a href="#s1-xconfig-advanced">34.2. Display Hardware Settings</a></span></dt><dt><span class="section"><a href="#s1-xconfig-dualhead">34.3. Dual Head Display Settings</a></span></dt></dl></dd><dt><span class="chapter"><a href="#ch-users-groups">35. Users and Groups</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-users-configui">35.1. User and Group Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-redhat-config-users-user-new">35.1.1. Adding a New User</a></span></dt><dt><span class="section"><a href="#s2-redhat-config-users-user-properties">35.1.2. Modifying User Properties</a></span></dt><dt><span class="section"><a href="#s2-redhat-config-users-group-new">35.1.3. Adding a New Group</a></span></dt><dt><span class="section"><a href="#s2-redhat-config-users-group-properties">35.1.4. Modifying Group Properties</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-users-tools">35.2. User and Group Management Tools</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-users-cmd-line">35.2.1. Command Line Configuration</a></span></dt><dt><span class="section"><a href="#s2-users-add">35.2.2. Adding a User</a></span></dt><dt><span class="section"><a href="#s2-groups-add">35.2.3. Adding a Group</a></span></dt><dt><span class="section"><a href="#s2-redhat-config-users-passwd-aging">35.2.4. Password Aging</a></span></dt><dt><span class="section"><a href="#s2-redhat-config-users-process">35.2.5. Explaining the Process</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-users-groups-standard-users">35.3. Standard Users</a></span></dt><dt><span class="section"><a href="#s1-users-groups-standard-groups">35.4. Standard Groups</a></span></dt><dt><span class="section"><a href="#s1-users-groups-private-groups">35.5. User Private Groups</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-users-groups-rationale">35.5.1. Group Directories</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-users-groups-shadow-utilities">35.6. Shadow Passwords</a></span></dt><dt><span class="section"><a href="#s1-users-groups-additional-resources">35.7. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-users-groups-documentation">35.7.1. Installed Documentation</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-printing">36. Printer Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-printing-local-printer">36.1. Adding a Local Printer</a></span></dt><dt><span class="section"><a href="#s1-printing-ipp-printer">36.2. Adding an IPP Printer</a></span></dt><dt><span class="section"><a href="#s1-printing-smb-printer">36.3. Adding a Samba (SMB) Printer</a></span></dt><dt><span class="section"><a href="#s1-printing-jetdirect-printer">36.4. Adding a JetDirect Printer</a></span></dt><dt><span class="section"><a href="#s1-printing-select-model">36.5. Selecting the Printer Model and Finishing</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-printing-confirm">36.5.1. Confirming Printer Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-printing-test-page">36.6. Printing a Test Page</a></span></dt><dt><span class="section"><a href="#s1-printing-edit">36.7. Modifying Existing Printers</a></span></dt><dd><dl><dt><span class="section"><a href="#id1051845">36.7.1. The <span class="guilabel"><strong>Settings</strong></span> Tab</a></span></dt><dt><span class="section"><a href="#id1051913">36.7.2. The <span class="guilabel"><strong>Policies</strong></span> Tab</a></span></dt><dt><span class="section"><a href="#id1052010">36.7.3. The <span class="guilabel"><strong>Access Control</strong></span> Tab</a></span></dt><dt><span class="section"><a href="#id1052078">36.7.4. The <span class="guilabel"><strong>Printer</strong></span> and <span class="guilabel"><strong>Job Options</strong></span>Tab</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-printing-managing">36.8. Managing Print Jobs</a></span></dt><dt><span class="section"><a href="#s1-printing-additional-resources">36.9. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-printing-installed-docs">36.9.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-printing-useful-websites">36.9.2. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-autotasks">37. Automated Tasks</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-autotasks-cron">37.1. Cron</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-autotasks-cron-configuring">37.1.1. Configuring Cron Tasks</a></span></dt><dt><span class="section"><a href="#s2-autotasks-cron-access">37.1.2. Controlling Access to Cron</a></span></dt><dt><span class="section"><a href="#s2-autotasks-cron-service">37.1.3. Starting and Stopping the Service</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-autotasks-at-batch">37.2. At and Batch</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-autotasks-at-configuring">37.2.1. Configuring At Jobs</a></span></dt><dt><span class="section"><a href="#s2-autotasks-batch-configuring">37.2.2. Configuring Batch Jobs</a></span></dt><dt><span class="section"><a href="#s2-autotasks-at-batch-viewing">37.2.3. Viewing Pending Jobs</a></span></dt><dt><span class="section"><a href="#s2-autotasks-commandline-options">37.2.4. Additional Command Line Options</a></span></dt><dt><span class="section"><a href="#s2-autotasks-at-batch-controlling-access">37.2.5. Controlling Access to At and Batch</a></span></dt><dt><span class="section"><a href="#s2-autotasks-at-batch-service">37.2.6. Starting and Stopping the Service</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-autotasks-additional-resources">37.3. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-autotasks-installed-docs">37.3.1. Installed Documentation</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-logfiles">38. Log Files</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-logfiles-locating">38.1. Locating Log Files</a></span></dt><dt><span class="section"><a href="#s1-logfiles-viewing">38.2. Viewing Log Files</a></span></dt><dt><span class="section"><a href="#s1-logfiles-adding">38.3. Adding a Log File</a></span></dt><dt><span class="section"><a href="#s1-logfiles-examining">38.4. Monitoring Log Files</a></span></dt></dl></dd></dl></dd><dt><span class="part"><a href="#pt-system-monitoring">V. System Monitoring</a></span></dt><dd><dl><dt><span class="chapter"><a href="#ch-systemtap">39. SystemTap</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-systemtap-intro">39.1. Introduction</a></span></dt><dt><span class="section"><a href="#s2-systemtap-implementation">39.2. Implementation</a></span></dt><dt><span class="section"><a href="#s3-systemtap-usingsystemtap">39.3. Using SystemTap</a></span></dt><dd><dl><dt><span class="section"><a href="#s3.1-systemtap-tracing">39.3.1.  Tracing </a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-sysinfo">40. Gathering System Information</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-sysinfo-system-processes">40.1. System Processes</a></span></dt><dt><span class="section"><a href="#s1-sysinfo-memory-usage">40.2. Memory Usage</a></span></dt><dt><span class="section"><a href="#s1-sysinfo-filesystems">40.3. File Systems</a></span></dt><dt><span class="section"><a href="#s1-sysinfo-hardware">40.4. Hardware</a></span></dt><dt><span class="section"><a href="#s1-sysinfo-additional-resources">40.5. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-sysinfo-installed-docs">40.5.1. Installed Documentation</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-oprofile">41. OProfile</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-oprofile-overview-tools">41.1. Overview of Tools</a></span></dt><dt><span class="section"><a href="#s1-oprofile-configuring">41.2. Configuring OProfile</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-oprofile-kernel">41.2.1. Specifying the Kernel</a></span></dt><dt><span class="section"><a href="#s2-oprofile-events">41.2.2. Setting Events to Monitor</a></span></dt><dt><span class="section"><a href="#s2-oprofile-starting-separate">41.2.3. Separating Kernel and User-space Profiles</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-oprofile-starting">41.3. Starting and Stopping OProfile</a></span></dt><dt><span class="section"><a href="#s1-oprofile-saving-data">41.4. Saving Data</a></span></dt><dt><span class="section"><a href="#s1-oprofile-analyzing-data">41.5. Analyzing the Data</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-oprofile-reading-opreport">41.5.1. Using <code class="command">opreport</code></a></span></dt><dt><span class="section"><a href="#s2-oprofile-reading-opreport-single">41.5.2. Using <code class="command">opreport</code> on a Single Executable</a></span></dt><dt><span class="section"><a href="#s2-oprofile-module-output">41.5.3. Getting more detailed output on the modules</a></span></dt><dt><span class="section"><a href="#s2-oprofile-reading-opannotate">41.5.4. Using <code class="command">opannotate</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-oprofile-dev-oprofile">41.6. Understanding <code class="filename">/dev/oprofile/</code></a></span></dt><dt><span class="section"><a href="#s1-oprofile-example-usage">41.7. Example Usage</a></span></dt><dt><span class="section"><a href="#s1-oprofile-gui">41.8. Graphical Interface</a></span></dt><dt><span class="section"><a href="#s1-oprofile-additional-resources">41.9. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-oprofile-installed-docs">41.9.1. Installed Docs</a></span></dt><dt><span class="section"><a href="#s2-oprofile-useful-websites">41.9.2. Useful Websites</a></span></dt></dl></dd></dl></dd></dl></dd><dt><span class="part"><a href="#pt-kernel-configuration">VI. Kernel and Driver Configuration</a></span></dt><dd><dl><dt><span class="chapter"><a href="#ch-kernel">42. Manually Upgrading the Kernel</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-kernel-packages">42.1. Overview of Kernel Packages</a></span></dt><dt><span class="section"><a href="#s1-kernel-preparing">42.2. Preparing to Upgrade</a></span></dt><dt><span class="section"><a href="#s1-kernel-download">42.3. Downloading the Upgraded Kernel</a></span></dt><dt><span class="section"><a href="#s1-kernel-perform-upgrade">42.4. Performing the Upgrade</a></span></dt><dt><span class="section"><a href="#s1-kernel-initrd">42.5. Verifying the Initial RAM Disk Image</a></span></dt><dt><span class="section"><a href="#s1-kernel-boot-loader">42.6. Verifying the Boot Loader</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-kernel-boot-loader-x86">42.6.1. x86 Systems</a></span></dt><dt><span class="section"><a href="#s2-kernel-boot-loader-itanium">42.6.2. Itanium Systems</a></span></dt><dt><span class="section"><a href="#s2-kernel-boot-loader-s390">42.6.3. IBM S/390 and IBM System z Systems</a></span></dt><dt><span class="section"><a href="#s2-kernel-boot-loader-iseries">42.6.4. IBM eServer iSeries Systems</a></span></dt><dt><span class="section"><a href="#s2-kernel-boot-loader-pseries">42.6.5. IBM eServer pSeries Systems</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-modules">43. General Parameters and Modules</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-kernel-module-utils">43.1. Kernel Module Utilities</a></span></dt><dt><span class="section"><a href="#s1-kernel-modules-persistant">43.2. Persistent Module Loading</a></span></dt><dt><span class="section"><a href="#s1-modules-parameters-specifying">43.3. Specifying Module Parameters</a></span></dt><dt><span class="section"><a href="#s1-modules-scsi">43.4. Storage parameters</a></span></dt><dt><span class="section"><a href="#s1-modules-ethernet">43.5. Ethernet Parameters</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-modules-multiple-eth">43.5.1. Using Multiple Ethernet Cards</a></span></dt><dt><span class="section"><a href="#s2-modules-bonding">43.5.2. The Channel Bonding Module</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-kernel-modules-additional-resources">43.6. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-kernel-modules-installed-docs">43.6.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-kernel-modules-useful-websites">43.6.2. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-kdump">44. The kdump Crash Recovery Service</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-kdump-configuration">44.1. Configuring the <code class="systemitem">kdump</code> Service</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-kdump-configuration-firstboot">44.1.1. Configuring the kdump at First Boot</a></span></dt><dt><span class="section"><a href="#s2-kdump-configuration-gui">44.1.2. Using the Kernel Dump Configuration Utility</a></span></dt><dt><span class="section"><a href="#s2-kdump-configuration-cli">44.1.3. Configuring <code class="systemitem">kdump</code> on the Command Line</a></span></dt><dt><span class="section"><a href="#s2-kdump-configuration-testing">44.1.4. Testing the Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-kdump-crash">44.2. Analyzing the Core Dump</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-kdump-crash-log">44.2.1. Displaying the Message Buffer</a></span></dt><dt><span class="section"><a href="#s2-kdump-crash-backtrace">44.2.2. Displaying a Backtrace</a></span></dt><dt><span class="section"><a href="#s2-kdump-crash-processes">44.2.3. Displaying a Process Status</a></span></dt><dt><span class="section"><a href="#s2-kdump-crash-memory">44.2.4. Displaying Virtual Memory Information</a></span></dt><dt><span class="section"><a href="#s2-kdump-crash-files">44.2.5. Displaying Open Files</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-kdump-resources">44.3. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-kdump-resources-installed">44.3.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-kdump-resources-online">44.3.2. Useful Websites</a></span></dt></dl></dd></dl></dd></dl></dd><dt><span class="part"><a href="#pt-security">VII. Security And Authentication</a></span></dt><dd><dl><dt><span class="chapter"><a href="#ch-sgs-ov">45. Security Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#ch-sgs-intro">45.1. Introduction to Security</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-sgs-ov-cs">45.1.1. What is Computer Security?</a></span></dt><dt><span class="section"><a href="#s1-sgs-ov-controls">45.1.2. Security Controls</a></span></dt><dt><span class="section"><a href="#s1-sgs-ov-concl">45.1.3. Conclusion</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-sec-access">45.2. Vulnerability Assessment</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-vuln-think">45.2.1. Thinking Like the Enemy</a></span></dt><dt><span class="section"><a href="#s1-vuln-defn">45.2.2. Defining Assessment and Testing</a></span></dt><dt><span class="section"><a href="#s1-vuln-tools">45.2.3. Evaluating the Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-risk">45.3. Attackers and Vulnerabilities</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-risk-hackcrack">45.3.1. A Quick History of Hackers</a></span></dt><dt><span class="section"><a href="#s1-risk-net">45.3.2. Threats to Network Security</a></span></dt><dt><span class="section"><a href="#s1-risk-serv">45.3.3. Threats to Server Security</a></span></dt><dt><span class="section"><a href="#s1-risk-wspc">45.3.4. Threats to Workstation and Home PC Security</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-exploits">45.4. Common Exploits and Attacks</a></span></dt><dt><span class="section"><a href="#ch-security-updates">45.5. Security Updates</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-security-updates">45.5.1. Updating Packages</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-sec-network">46. Securing Your Network</a></span></dt><dd><dl><dt><span class="section"><a href="#ch-wstation">46.1. Workstation Security</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-wstation-eval">46.1.1. Evaluating Workstation Security</a></span></dt><dt><span class="section"><a href="#s1-wstation-boot-sec">46.1.2. BIOS and Boot Loader Security</a></span></dt><dt><span class="section"><a href="#s1-wstation-pass">46.1.3. Password Security</a></span></dt><dt><span class="section"><a href="#s1-wstation-privileges">46.1.4. Administrative Controls</a></span></dt><dt><span class="section"><a href="#s1-wstation-service">46.1.5. Available Network Services</a></span></dt><dt><span class="section"><a href="#s1-wstation-firewall">46.1.6. Personal Firewalls</a></span></dt><dt><span class="section"><a href="#s1-wstation-sec-tools">46.1.7. Security Enhanced Communication Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-server">46.2. Server Security</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-server-tcpw-xinetd">46.2.1. Securing Services With TCP Wrappers and xinetd</a></span></dt><dt><span class="section"><a href="#s1-server-port">46.2.2. Securing Portmap</a></span></dt><dt><span class="section"><a href="#s1-server-nis">46.2.3. Securing NIS</a></span></dt><dt><span class="section"><a href="#s1-server-nfs">46.2.4. Securing NFS</a></span></dt><dt><span class="section"><a href="#s1-server-http">46.2.5. Securing the Apache HTTP Server</a></span></dt><dt><span class="section"><a href="#s1-server-ftp">46.2.6. Securing FTP</a></span></dt><dt><span class="section"><a href="#s1-server-mail">46.2.7. Securing Sendmail</a></span></dt><dt><span class="section"><a href="#s1-server-ports">46.2.8. Verifying Which Ports Are Listening</a></span></dt></dl></dd><dt><span class="section"><a href="#sso-ov">46.3. Single Sign-on (SSO)</a></span></dt><dd><dl><dt><span class="section"><a href="#sso-intro">46.3.1. Introduction</a></span></dt><dt><span class="section"><a href="#sso-sc-config">46.3.2. Getting Started with your new Smart Card</a></span></dt><dt><span class="section"><a href="#sso-sc-enrol-concept">46.3.3. How Smart Card Enrollment Works</a></span></dt><dt><span class="section"><a href="#sso-sc-login-concept">46.3.4. How Smart Card Login Works</a></span></dt><dt><span class="section"><a href="#sso-config-firefox">46.3.5. Configuring Firefox to use Kerberos for SSO</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-pam">46.4. Pluggable Authentication Modules (PAM)</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-pam-advantages">46.4.1. Advantages of PAM</a></span></dt><dt><span class="section"><a href="#s1-pam-config-files">46.4.2. PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-pam-format">46.4.3. PAM Configuration File Format</a></span></dt><dt><span class="section"><a href="#s1-pam-sample-simple">46.4.4. Sample PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-pam-modules-add">46.4.5. Creating PAM Modules</a></span></dt><dt><span class="section"><a href="#s1-pam-timestamp">46.4.6. PAM and Administrative Credential Caching</a></span></dt><dt><span class="section"><a href="#s1-pam-console">46.4.7. PAM and Device Ownership</a></span></dt><dt><span class="section"><a href="#s1-pam-additional-resources">46.4.8. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-tcpwrappers">46.5. TCP Wrappers and xinetd</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-tcpwrappers-purpose">46.5.1. TCP Wrappers</a></span></dt><dt><span class="section"><a href="#s1-tcpwrappers-access">46.5.2. TCP Wrappers Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-tcpwrappers-xinetd">46.5.3. xinetd</a></span></dt><dt><span class="section"><a href="#s1-tcpwrappers-xinetd-config">46.5.4. xinetd Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-tcpwrappers-additional-resources">46.5.5. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-kerberos">46.6. Kerberos</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-kerberos-definition">46.6.1. What is Kerberos?</a></span></dt><dt><span class="section"><a href="#s1-kerberos-terminology">46.6.2. Kerberos Terminology</a></span></dt><dt><span class="section"><a href="#s1-kerberos-works">46.6.3. How Kerberos Works</a></span></dt><dt><span class="section"><a href="#s1-kerberos-pam">46.6.4. Kerberos and PAM</a></span></dt><dt><span class="section"><a href="#s1-kerberos-server">46.6.5. Configuring a Kerberos 5 Server</a></span></dt><dt><span class="section"><a href="#s1-kerberos-clients">46.6.6. Configuring a Kerberos 5 Client</a></span></dt><dt><span class="section"><a href="#sec-kerberos-client2">46.6.7. Domain-to-Realm Mapping</a></span></dt><dt><span class="section"><a href="#sec-kerberos-server2">46.6.8. Setting Up Secondary KDCs</a></span></dt><dt><span class="section"><a href="#sec-kerberos-crossrealm">46.6.9. Setting Up Cross Realm Authentication</a></span></dt><dt><span class="section"><a href="#sec-kerberos-additional-resources">46.6.10. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-vpn">46.7. Virtual Private Networks (VPNs)</a></span></dt><dd><dl><dt><span class="section"><a href="#vpn-how-it-works">46.7.1. How Does a VPN Work?</a></span></dt><dt><span class="section"><a href="#s1-vpn-rhl">46.7.2. VPNs and Red Hat Enterprise Linux</a></span></dt><dt><span class="section"><a href="#s1-vpn-ipsec">46.7.3. IPsec</a></span></dt><dt><span class="section"><a href="#vpn-create-ipsec-connection">46.7.4. Creating an <abbr class="abbrev">IPsec</abbr> Connection</a></span></dt><dt><span class="section"><a href="#s1-ipsec-generalconf">46.7.5. IPsec Installation</a></span></dt><dt><span class="section"><a href="#s1-ipsec-host2host">46.7.6. IPsec Host-to-Host Configuration</a></span></dt><dt><span class="section"><a href="#s1-ipsec-net2net">46.7.7. IPsec Network-to-Network Configuration</a></span></dt><dt><span class="section"><a href="#s1-network-config-ipsec-start">46.7.8. Starting and Stopping an <abbr class="abbrev">IPsec</abbr> Connection</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-fw">46.8. Firewalls</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-firewall-ipt">46.8.1. Netfilter and IPTables</a></span></dt><dt><span class="section"><a href="#s1-basic-firewall">46.8.2. Basic Firewall Configuration</a></span></dt><dt><span class="section"><a href="#s1-fireall-ipt-act">46.8.3. Using IPTables</a></span></dt><dt><span class="section"><a href="#s1-firewall-ipt-basic">46.8.4. Common IPTables Filtering</a></span></dt><dt><span class="section"><a href="#s1-firewall-ipt-fwd">46.8.5. <code class="computeroutput">FORWARD</code> and <acronym class="acronym">NAT</acronym> Rules</a></span></dt><dt><span class="section"><a href="#s1-firewall-ipt-rule">46.8.6. Malicious Software and Spoofed IP Addresses</a></span></dt><dt><span class="section"><a href="#s1-firewall-state">46.8.7. IPTables and Connection Tracking</a></span></dt><dt><span class="section"><a href="#s1-firewall-ip6t">46.8.8. IPv6</a></span></dt><dt><span class="section"><a href="#s1-firewall-moreinfo">46.8.9. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-iptables">46.9. IPTables</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-iptables-packetfiltering">46.9.1. Packet Filtering</a></span></dt><dt><span class="section"><a href="#s1-iptables-differences">46.9.2. Differences Between IPTables and IPChains</a></span></dt><dt><span class="section"><a href="#s1-iptables-options">46.9.3. Command Options for IPTables</a></span></dt><dt><span class="section"><a href="#s1-iptables-saving">46.9.4. Saving IPTables Rules</a></span></dt><dt><span class="section"><a href="#s1-iptables-init">46.9.5. IPTables Control Scripts</a></span></dt><dt><span class="section"><a href="#s1-ip6tables">46.9.6. IPTables and IPv6</a></span></dt><dt><span class="section"><a href="#s1-iptables-additional-resources">46.9.7. Additional Resources</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#selg-overview">47. Security and SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-acm-ov">47.1. Access Control Mechanisms (ACMs)</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-dac-intro1">47.1.1. Discretionary Access Control (DAC)</a></span></dt><dt><span class="section"><a href="#sec-acl-intro1">47.1.2. Access Control Lists (ACLs)</a></span></dt><dt><span class="section"><a href="#sec-mac-intro1">47.1.3. Mandatory Access Control (MAC)</a></span></dt><dt><span class="section"><a href="#sec-rbac-intro1">47.1.4. Role-based Access Control (RBAC)</a></span></dt><dt><span class="section"><a href="#sec-mls-intro1">47.1.5. Multi-Level Security (MLS)</a></span></dt><dt><span class="section"><a href="#sec-mcs-intro1">47.1.6. Multi-Category Security (MCS)</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-selinux">47.2. Introduction to SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-SELinux-overview">47.2.1. SELinux Overview</a></span></dt><dt><span class="section"><a href="#s1-SELinux-files">47.2.2. Files Related to SELinux</a></span></dt><dt><span class="section"><a href="#s1-SELinux-resources">47.2.3. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#rhlcommon-appendix-0005">47.3. Brief Background and History of SELinux</a></span></dt><dt><span class="section"><a href="#sec-mcs-ov">47.4. Multi-Category Security (MCS)</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-mcs-intro">47.4.1. Introduction</a></span></dt><dt><span class="section"><a href="#sec-mcs-apps">47.4.2. Applications for Multi-Category Security</a></span></dt><dt><span class="section"><a href="#sec-selinux-security-contexts">47.4.3. SELinux Security Contexts</a></span></dt></dl></dd><dt><span class="section"><a href="#sec-mcs-getstarted">47.5. Getting Started with Multi-Category Security (MCS)</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-mcs-getstarted-intro">47.5.1. Introduction</a></span></dt><dt><span class="section"><a href="#sec-mcs-comp-userid">47.5.2. Comparing SELinux and Standard Linux User Identities</a></span></dt><dt><span class="section"><a href="#sec-mcs-config-categories">47.5.3. Configuring Categories</a></span></dt><dt><span class="section"><a href="#sec-mcs-assign-cat2users">47.5.4. Assigning Categories to Users</a></span></dt><dt><span class="section"><a href="#sec-mcs-assign-cat2files">47.5.5. Assigning Categories to Files</a></span></dt></dl></dd><dt><span class="section"><a href="#sec-mls-ov">47.6. Multi-Level Security (MLS)</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-mls-multilevel">47.6.1. Why Multi-Level?</a></span></dt><dt><span class="section"><a href="#sec-mls-seclevels">47.6.2. Security Levels, Objects and Subjects</a></span></dt><dt><span class="section"><a href="#sec-mls-policy">47.6.3. MLS Policy</a></span></dt><dt><span class="section"><a href="#sec-mls-lspp-cert">47.6.4. LSPP Certification</a></span></dt></dl></dd><dt><span class="section"><a href="#rhlcommon-chapter-0001">47.7. SELinux Policy Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#rhlcommon-section-0056">47.7.1. What is the SELinux Policy?</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0091">47.7.2. Where is the Policy?</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0016">47.7.3. The Role of Policy in the Boot Process</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0049">47.7.4. Object Classes and Permissions</a></span></dt></dl></dd><dt><span class="section"><a href="#sec-sel-policy-targeted-oview">47.8. Targeted Policy Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#rhlcommon-section-0003">47.8.1. What is the Targeted Policy?</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0010">47.8.2. Files and Directories of the Targeted Policy</a></span></dt><dt><span class="section"><a href="#sec-selinux-policy-targeted-rolesandusers">47.8.3. Understanding the Users and Roles in the Targeted Policy</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#rhlcommon-chapter-0017">48. Working With SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-sel-usercontrol">48.1. End User Control of SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-selinux-files-moving">48.1.1. Moving and Copying Files</a></span></dt><dt><span class="section"><a href="#sec-sel-context-checking-processanduser">48.1.2. Checking the Security Context of a Process, User, or File Object</a></span></dt><dt><span class="section"><a href="#sec-sel-file-relabel">48.1.3. Relabeling a File or Directory</a></span></dt><dt><span class="section"><a href="#sec-sel-backup-maintain-context">48.1.4. Creating Archives That Retain Security Contexts</a></span></dt></dl></dd><dt><span class="section"><a href="#sec-sel-admincontrol">48.2. Administrator Control of SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-selinux-status-viewing">48.2.1. Viewing the Status of SELinux</a></span></dt><dt><span class="section"><a href="#sec-sel-fsrelabel">48.2.2. Relabeling a File System</a></span></dt><dt><span class="section"><a href="#id1104143">48.2.3. Managing NFS Home Directories</a></span></dt><dt><span class="section"><a href="#sec-sel-grant-dir-access">48.2.4. Granting Access to a Directory or a Tree</a></span></dt><dt><span class="section"><a href="#sec-sel-backup-restore-system">48.2.5. Backing Up and Restoring the System</a></span></dt><dt><span class="section"><a href="#sec-sel-enable-disable-enforcement">48.2.6. Enabling or Disabling Enforcement</a></span></dt><dt><span class="section"><a href="#sec-sel-enable-disable">48.2.7. Enable or Disable SELinux</a></span></dt><dt><span class="section"><a href="#sec-sel-policy-changing">48.2.8. Changing the Policy</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0097">48.2.9. Specifying the Security Context of Entire File Systems</a></span></dt><dt><span class="section"><a href="#sec-sel-category-changing">48.2.10. Changing the Security Category of a File or User</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0085">48.2.11. Running a Command in a Specific Security Context</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0086">48.2.12. Useful Commands for Scripts</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0087">48.2.13. Changing to a Different Role</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0088">48.2.14. When to Reboot</a></span></dt></dl></dd><dt><span class="section"><a href="#sec-sel-analystcontrol">48.3. Analyst Control of SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#rhlcommon-section-0081">48.3.1. Enabling Kernel Auditing</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0092">48.3.2. Dumping and Viewing Logs</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#sec-sel-policy-customizing">49. Customizing SELinux Policy</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-sel-policy-customizing-intro">49.1. Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-sel-policy-customizing-modpolicy">49.1.1. Modular Policy</a></span></dt></dl></dd><dt><span class="section"><a href="#sec-sel-building-policy-module">49.2. Building a Local Policy Module</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-sel-use-audit2allow">49.2.1. Using audit2allow to Build a Local Policy Module</a></span></dt><dt><span class="section"><a href="#sec-sel-analyze-te">49.2.2. Analyzing the Type Enforcement (TE) File</a></span></dt><dt><span class="section"><a href="#sec-sel-load-policy-package">49.2.3. Loading the Policy Package</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#selg-chapter-0054">50. References</a></span></dt></dl></dd><dt><span class="part"><a href="#pt-gls">VIII. Red Hat Training And Certification</a></span></dt><dd><dl><dt><span class="chapter"><a href="#id787954">51. Red Hat Training and Certification </a></span></dt><dd><dl><dt><span class="section"><a href="#id829426">51.1. Three Ways to Train</a></span></dt><dt><span class="section"><a href="#id816702">51.2. Microsoft Certified Professional Resource Center</a></span></dt></dl></dd><dt><span class="chapter"><a href="#id1067658">52. Certification Tracks</a></span></dt><dd><dl><dt><span class="section"><a href="#id852515">52.1. Free Pre-assessment tests</a></span></dt></dl></dd><dt><span class="chapter"><a href="#id873232">53. RH033: Red Hat Linux Essentials</a></span></dt><dd><dl><dt><span class="section"><a href="#id894216">53.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id1066595">53.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id916642">53.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id782363">53.1.3. Audience</a></span></dt><dt><span class="section"><a href="#id873716">53.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id968261">53.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id966775">54. RH035: Red Hat Linux Essentials for Windows Professionals</a></span></dt><dd><dl><dt><span class="section"><a href="#id853968">54.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id830873">54.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id916407">54.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id829991">54.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id1044349">54.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id841235">54.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id836058">55. RH133: Red Hat Linux System Administration and Red Hat Certified Technician (RHCT) Certification</a></span></dt><dd><dl><dt><span class="section"><a href="#id1064663">55.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id811050">55.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id955399">55.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id873123">55.1.3. Audience</a></span></dt><dt><span class="section"><a href="#id1067874">55.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id961892">55.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id841891">56. RH202 RHCT EXAM - The fastest growing credential in all of Linux.</a></span></dt><dd><dl><dt><span class="section"><a href="#id965127">56.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id869970">56.1.1. Prerequisites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id915595">57. RH253 Red Hat Linux Networking and Security Administration</a></span></dt><dd><dl><dt><span class="section"><a href="#id856575">57.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id1064675">57.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id859622">57.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id1058119">57.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id790844">57.1.4. Course Objectives </a></span></dt><dt><span class="section"><a href="#id857548">57.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id1067872">58. RH300: RHCE Rapid track course (and RHCE exam)</a></span></dt><dd><dl><dt><span class="section"><a href="#id687329">58.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id780615">58.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id833974">58.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id870452">58.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id919739">58.1.4. Course Objectives </a></span></dt><dt><span class="section"><a href="#id830416">58.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id1034514">59. RH302 RHCE EXAM</a></span></dt><dd><dl><dt><span class="section"><a href="#id1066495">59.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id1087875">59.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id924044">59.1.2. Content</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id1067544">60. RHS333: RED HAT enterprise security: network services</a></span></dt><dd><dl><dt><span class="section"><a href="#id995562">60.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id873332">60.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id830926">60.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id996965">60.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id836336">60.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id924669">60.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id833533">61. RH401: Red Hat Enterprise Deployment and systems management</a></span></dt><dd><dl><dt><span class="section"><a href="#id855602">61.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id1065422">61.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id836477">61.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id818644">61.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id833516">61.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id1045390">61.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id1071718">62. RH423: Red Hat Enterprise Directory services and authentication</a></span></dt><dd><dl><dt><span class="section"><a href="#id815015">62.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id1044193">62.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id687317">62.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id772131">62.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id856919">62.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id955600">62.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id916926">63. SELinux Courses</a></span></dt><dd><dl><dt><span class="section"><a href="#id1042457">63.1. RHS427: Introduction to SELinux and Red Hat Targeted Policy</a></span></dt><dd><dl><dt><span class="section"><a href="#id1067175">63.1.1. Audience</a></span></dt><dt><span class="section"><a href="#id1063752">63.1.2. Course Summary</a></span></dt></dl></dd><dt><span class="section"><a href="#id858295">63.2. RHS429: Red Hat Enterprise SELinux Policy Administration </a></span></dt></dl></dd><dt><span class="chapter"><a href="#id872701">64. RH436: Red Hat Enterprise storage management</a></span></dt><dd><dl><dt><span class="section"><a href="#id921578">64.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id858471">64.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id815123">64.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id871065">64.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id1042930">64.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id939435">64.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id774488">65. RH442: Red Hat Enterprise system monitoring and performance tuning</a></span></dt><dd><dl><dt><span class="section"><a href="#id871946">65.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id815672">65.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id1046122">65.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id784224">65.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id1041965">65.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id986688">65.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id1066813">66. Red Hat Enterprise Linux Developer Courses</a></span></dt><dd><dl><dt><span class="section"><a href="#id915816">66.1. RHD143: Red Hat Linux Programming Essentials </a></span></dt><dt><span class="section"><a href="#id920609">66.2. RHD221 Red Hat Linux Device Drivers </a></span></dt><dt><span class="section"><a href="#id1045737">66.3. RHD236 Red Hat Linux Kernel Internals </a></span></dt><dt><span class="section"><a href="#id920037">66.4. RHD256 Red Hat Linux Application Development and Porting</a></span></dt></dl></dd><dt><span class="chapter"><a href="#id1024463">67. JBoss Courses</a></span></dt><dd><dl><dt><span class="section"><a href="#id841812">67.1. RHD161 JBoss and EJB3 for Java</a></span></dt><dd><dl><dt><span class="section"><a href="#id775487">67.1.1. Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="#id836245">67.2. RHD163 JBoss for Web Developers </a></span></dt><dd><dl><dt><span class="section"><a href="#id856763">67.2.1. Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="#id1101252">67.3. RHD167: JBOSS - HIBERNATE ESSENTIALS</a></span></dt><dd><dl><dt><span class="section"><a href="#id1101267">67.3.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id833142">67.3.2. Course Summary</a></span></dt></dl></dd><dt><span class="section"><a href="#id1014256">67.4. RHD267: JBOSS - ADVANCED HIBERNATE</a></span></dt><dd><dl><dt><span class="section"><a href="#id1014280">67.4.1. Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="#id967506">67.5. RHD261:JBOSS for advanced J2EE developers</a></span></dt><dd><dl><dt><span class="section"><a href="#id887211">67.5.1. Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="#id1082436">67.6. RH336: JBOSS for Administrators</a></span></dt><dd><dl><dt><span class="section"><a href="#id1018796">67.6.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id987009">67.6.2. Course Summary</a></span></dt></dl></dd><dt><span class="section"><a href="#id1014310">67.7. RHD439: JBoss Clustering</a></span></dt><dd><dl><dt><span class="section"><a href="#id948015">67.7.1. Prerequisites </a></span></dt></dl></dd><dt><span class="section"><a href="#id1058335">67.8. RHD449: JBoss jBPM </a></span></dt><dd><dl><dt><span class="section"><a href="#id1010139">67.8.1. Description </a></span></dt><dt><span class="section"><a href="#id1079022">67.8.2. Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="#id1009430">67.9. RHD451 JBoss Rules</a></span></dt><dd><dl><dt><span class="section"><a href="#id1085588">67.9.1. Prerequisites</a></span></dt></dl></dd></dl></dd></dl></dd><dt><span class="appendix"><a href="#id870806">A. Revision History</a></span></dt><dt><span class="appendix"><a href="#colophon">B. Colophon</a></span></dt></dl></div><div xml:lang="en-US" class="preface" id="ch-intro" lang="en-US"><div class="titlepage"><div><div><h1 class="title">Introduction</h1></div></div></div><a id="id817032" class="indexterm"></a><div class="para">
		Welcome to the <em class="citetitle">Red Hat Enterprise Linux Deployment Guide</em>.
	</div><div class="para">
		The Red Hat Enterprise Linux Deployment Guide contains information on how to customize your Red Hat Enterprise Linux system to fit your needs. If you are looking for a comprehensive, task-oriented guide for configuring and customizing your system, this is the manual for you.
	</div><div class="para">
		This manual discusses many intermediate topics such as the following:
	</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
				Setting up a network interface card (NIC)
			</div></li><li class="listitem"><div class="para">
				Configuring a Virtual Private Network (VPN)
			</div></li><li class="listitem"><div class="para">
				Configuring Samba shares
			</div></li><li class="listitem"><div class="para">
				Managing your software with RPM
			</div></li><li class="listitem"><div class="para">
				Determining information about your system
			</div></li><li class="listitem"><div class="para">
				Upgrading your kernel
			</div></li></ul></div><div class="para">
		This manual is divided into the following main categories:
	</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
				File systems
			</div></li><li class="listitem"><div class="para">
				Package management
			</div></li><li class="listitem"><div class="para">
				Network-related configuration
			</div></li><li class="listitem"><div class="para">
				System configuration
			</div></li><li class="listitem"><div class="para">
				System monitoring
			</div></li><li class="listitem"><div class="para">
				Kernel and Driver Configuration
			</div></li><li class="listitem"><div class="para">
				Security and Authentication
			</div></li><li class="listitem"><div class="para">
				Red Hat Training and Certification
			</div></li></ul></div><div class="para">
		This guide assumes you have a basic understanding of your Red Hat Enterprise Linux system. If you need help installing Red Hat Enterprise Linux, refer to the <em class="citetitle">Red Hat Enterprise Linux Installation Guide</em>.
	</div><div xml:lang="en-US" class="section" id="s1-intro-conventions" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="s1-intro-conventions">1. Document Conventions</h2></div></div></div><a id="id917407" class="indexterm"></a><div class="para">
		In this manual, certain words are represented in different fonts, typefaces, sizes, and weights. This highlighting is systematic; different words are represented in the same style to indicate their inclusion in a specific category. The types of words that are represented this way include the following:
	</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"><code class="command">command</code></span></dt><dd><div class="para">
					Linux commands (and other operating system commands, when used) are represented this way. This style should indicate to you that you can type the word or phrase on the command line and press <span class="keycap"><strong>Enter</strong></span> to invoke a command. Sometimes a command contains words that would be displayed in a different style on their own (such as file names). In these cases, they are considered to be part of the command, so the entire phrase is displayed as a command. For example:
				</div><div class="para">
					Use the <code class="command">cat testfile</code> command to view the contents of a file, named <code class="filename">testfile</code>, in the current working directory.
				</div></dd><dt class="varlistentry"><span class="term"><code class="filename">file name</code></span></dt><dd><div class="para">
					File names, directory names, paths, and RPM package names are represented this way. This style indicates that a particular file or directory exists with that name on your system. Examples:
				</div><div class="para">
					The <code class="filename">.bashrc</code> file in your home directory contains bash shell definitions and aliases for your own use.
				</div><div class="para">
					The <code class="filename">/etc/fstab</code> file contains information about different system devices and file systems.
				</div><div class="para">
					Install the <code class="filename">webalizer</code> RPM if you want to use a Web server log file analysis program.
				</div></dd><dt class="varlistentry"><span class="term"><span class="application"><strong>application</strong></span></span></dt><dd><div class="para">
					This style indicates that the program is an end-user application (as opposed to system software). For example:
				</div><div class="para">
					Use <span class="application"><strong>Mozilla</strong></span> to browse the Web.
				</div></dd><dt class="varlistentry"><span class="term"><span class="keycap"><strong>key</strong></span></span></dt><dd><div class="para">
					A key on the keyboard is shown in this style. For example:
				</div><div class="para">
					To use <span class="keycap"><strong>Tab</strong></span> completion to list particular files in a directory, type <code class="command">ls</code>, then a character, and finally the <span class="keycap"><strong>Tab</strong></span> key. Your terminal displays the list of files in the working directory that begin with that character.
				</div></dd><dt class="varlistentry"><span class="term"><span class="keycap"><strong>key</strong></span>+<span class="keycap"><strong>combination</strong></span></span></dt><dd><div class="para">
					A combination of keystrokes is represented in this way. For example:
				</div><div class="para">
					The <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>Backspace</strong></span> key combination exits your graphical session and returns you to the graphical login screen or the console.
				</div></dd><dt class="varlistentry"><span class="term"><span class="guilabel"><strong>text found on a GUI interface</strong></span></span></dt><dd><div class="para">
					A title, word, or phrase found on a GUI interface screen or window is shown in this style. Text shown in this style indicates a particular GUI screen or an element on a GUI screen (such as text associated with a checkbox or field). Example:
				</div><div class="para">
					Select the <span class="guilabel"><strong>Require Password</strong></span> checkbox if you would like your screensaver to require a password before stopping.
				</div></dd><dt class="varlistentry"><span class="term"><span class="guimenu"><strong>top level of a menu on a GUI screen or window</strong></span></span></dt><dd><div class="para">
					A word in this style indicates that the word is the top level of a pulldown menu. If you click on the word on the GUI screen, the rest of the menu should appear. For example:
				</div><div class="para">
					Under <span class="guimenu"><strong>File</strong></span> on a GNOME terminal, the <span class="guimenuitem"><strong>New Tab</strong></span> option allows you to open multiple shell prompts in the same window.
				</div><div class="para">
					Instructions to type in a sequence of commands from a GUI menu look like the following example:
				</div><div class="para">
					Go to <span class="guimenu"><strong>Applications</strong></span> (the main menu on the panel) &gt; <span class="guimenu"><strong>Programming</strong></span> &gt; <span class="guimenuitem"><strong>Emacs Text Editor</strong></span> to start the <span class="application"><strong>Emacs</strong></span> text editor.
				</div></dd><dt class="varlistentry"><span class="term"><span class="guibutton"><strong>button on a GUI screen or window</strong></span></span></dt><dd><div class="para">
					This style indicates that the text can be found on a clickable button on a GUI screen. For example:
				</div><div class="para">
					Click on the <span class="guibutton"><strong>Back</strong></span> button to return to the webpage you last viewed.
				</div></dd><dt class="varlistentry"><span class="term"><code class="computeroutput">computer output</code></span></dt><dd><div class="para">
					Text in this style indicates text displayed to a shell prompt such as error messages and responses to commands. For example:
				</div><div class="para">
					The <code class="command">ls</code> command displays the contents of a directory. For example:
				</div><pre class="screen">
Desktop    about.html    logs     paulwesterberg.png
Mail    backupfiles    mail     reports
</pre><div class="para">
					The output returned in response to the command (in this case, the contents of the directory) is shown in this style.
				</div></dd><dt class="varlistentry"><span class="term"><code class="prompt">prompt</code></span></dt><dd><div class="para">
					A prompt, which is a computer's way of signifying that it is ready for you to input something, is shown in this style. Examples:
				</div><div class="para">
					<code class="prompt">$</code>
				</div><div class="para">
					<code class="prompt">#</code>
				</div><div class="para">
					<code class="prompt">[stephen@maturin stephen]$</code>
				</div><div class="para">
					<code class="prompt">leopard login:</code>
				</div></dd><dt class="varlistentry"><span class="term"><strong class="userinput"><code>user input</code></strong></span></dt><dd><div class="para">
					Text that the user types, either on the command line or into a text box on a GUI screen, is displayed in this style. In the following example, <strong class="userinput"><code>text</code></strong> is displayed in this style:
				</div><div class="para">
					To boot your system into the text based installation program, you must type in the <strong class="userinput"><code>text</code></strong> command at the <code class="prompt">boot:</code> prompt.
				</div></dd><dt class="varlistentry"><span class="term"><em class="replaceable"><code>&lt;replaceable&gt;</code></em></span></dt><dd><div class="para">
					Text used in examples that is meant to be replaced with data provided by the user is displayed in this style. In the following example, <em class="replaceable"><code>&lt;version-number&gt;</code></em> is displayed in this style:
				</div><div class="para">
					The directory for the kernel source is <code class="filename">/usr/src/kernels/<em class="replaceable"><code>&lt;version-number&gt;</code></em>/</code>, where <em class="replaceable"><code>&lt;version-number&gt;</code></em> is the version and type of kernel installed on this system.
				</div></dd></dl></div><div class="para">
		Additionally, we use several different strategies to draw your attention to certain pieces of information. In order of urgency, these items are marked as a note, tip, important, caution, or warning. For example:
	</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
			Remember that Linux is case sensitive. In other words, a rose is not a ROSE is not a rOsE.
		</div></div></div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
			The directory <code class="filename">/usr/share/doc/</code> contains additional documentation for packages installed on your system.
		</div></div></div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
			If you modify the DHCP configuration file, the changes do not take effect until you restart the DHCP daemon.
		</div></div></div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
			Do not perform routine tasks as root — use a regular user account unless you need to use the root account for system administration tasks.
		</div></div></div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
			Be careful to remove only the necessary partitions. Removing other partitions could result in data loss or a corrupted system environment.
		</div></div></div></div><div class="section" id="s2-intro-feedback"><div class="titlepage"><div><div><h2 class="title" id="s2-intro-feedback">2. Send in Your Feedback</h2></div></div></div><div class="para">
			If you find an error in the <em class="citetitle">Red Hat Enterprise Linux Deployment Guide</em>, or if you have thought of a way to make this manual better, we would like to hear from you! Submit a report in Bugzilla (<a href="http://bugzilla.redhat.com/bugzilla/"><code class="filename">http://bugzilla.redhat.com/bugzilla/</code></a>) against the component <code class="computeroutput">Deployment_Guide</code>.
		</div><div class="para">
			If you have a suggestion for improving the documentation, try to be as specific as possible. If you have found an error, include the section number and some of the surrounding text so we can find it easily.
		</div></div></div><div class="part" id="pt-filesystems"><div class="titlepage"><div><div><h1 class="title">Part I. File Systems</h1></div></div></div><div class="partintro" id="id572015"><div></div><div class="para">
				<em class="firstterm">File system</em> refers to the files and directories stored on a computer. A file system can have different formats called <em class="firstterm">file system types</em>. These formats determine how the information is stored as files and directories. Some file system types store redundant copies of the data, while some file system types make hard drive access faster. This part discusses the ext3, swap, RAID, and LVM file system types. It also discusses the <code class="command">parted</code> utility to manage partitions and access control lists (ACLs) to customize file permissions.
			</div><div class="toc"><p><strong>Table of Contents</strong></p><dl><dt><span class="chapter"><a href="#ch-filesystem">1. File System Structure</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-filesystem-why">1.1. Why Share a Common Structure?</a></span></dt><dt><span class="section"><a href="#s1-filesystem-fhs">1.2. Overview of File System Hierarchy Standard (FHS)</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-filesystem-fsstnd">1.2.1. FHS Organization</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-filesystem-special-file">1.3. Special File Locations Under Red Hat Enterprise Linux</a></span></dt></dl></dd><dt><span class="chapter"><a href="#chap-Using_the_mount_Command">2. Using the <code class="command">mount</code> Command</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Using_the_mount_Command-Listing">2.1. Listing Currently Mounted File Systems</a></span></dt><dt><span class="section"><a href="#sect-Using_the_mount_Command-Mounting">2.2. Mounting a File System</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Using_the_mount_Command-Mounting-Type">2.2.1. Specifying the File System Type</a></span></dt><dt><span class="section"><a href="#sect-Using_the_mount_Command-Mounting-Options">2.2.2. Specifying the Mount Options</a></span></dt><dt><span class="section"><a href="#sect-Using_the_mount_Command-Mounting-Bind">2.2.3. Sharing Mounts</a></span></dt><dt><span class="section"><a href="#sect-Using_the_mount_Command-Mounting-Moving">2.2.4. Moving a Mount Point</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Using_the_mount_Command-Unmounting">2.3. Unmounting a File System</a></span></dt><dt><span class="section"><a href="#sect-Using_the_mount_Command-Additional_Resources">2.4. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Using_the_mount_Command-Installed_Documentation">2.4.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#sect-Using_the_mount_Command-Useful_Websites">2.4.2. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-ext3">3. The ext3 File System</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-filesystem-ext3">3.1. Features of ext3</a></span></dt><dt><span class="section"><a href="#s1-filesystem-ext3-create">3.2. Creating an ext3 File System</a></span></dt><dt><span class="section"><a href="#s1-filesystem-ext3-convert">3.3. Converting to an ext3 File System</a></span></dt><dt><span class="section"><a href="#s1-filesystem-ext2-revert">3.4. Reverting to an ext2 File System</a></span></dt></dl></dd><dt><span class="chapter"><a href="#ch-proc">4. The <code class="filename">proc</code> File System</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-proc-virtual">4.1. A Virtual File System</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-proc-viewing">4.1.1. Viewing Virtual Files</a></span></dt><dt><span class="section"><a href="#s2-proc-change">4.1.2. Changing Virtual Files</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-proc-topfiles">4.2. Top-level Files within the <code class="filename">proc</code> File System</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-proc-apm">4.2.1.  <code class="filename">/proc/apm</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-buddyinfo">4.2.2.  <code class="filename">/proc/buddyinfo</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-cmdline">4.2.3.  <code class="filename">/proc/cmdline</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-cpuinfo">4.2.4.  <code class="filename">/proc/cpuinfo</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-crypto">4.2.5.  <code class="filename">/proc/crypto</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-devices">4.2.6.  <code class="filename">/proc/devices</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dma">4.2.7.  <code class="filename">/proc/dma</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-execdomains">4.2.8.  <code class="filename">/proc/execdomains</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-fb">4.2.9.  <code class="filename">/proc/fb</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-filesystems">4.2.10.  <code class="filename">/proc/filesystems</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-interrupts">4.2.11.  <code class="filename">/proc/interrupts</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-iomem">4.2.12.  <code class="filename">/proc/iomem</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-ioports">4.2.13.  <code class="filename">/proc/ioports</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-kcore">4.2.14.  <code class="filename">/proc/kcore</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-kmsg">4.2.15.  <code class="filename">/proc/kmsg</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-loadavg">4.2.16.  <code class="filename">/proc/loadavg</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-locks">4.2.17.  <code class="filename">/proc/locks</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-mdstat">4.2.18.  <code class="filename">/proc/mdstat</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-meminfo">4.2.19.  <code class="filename">/proc/meminfo</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-misc">4.2.20.  <code class="filename">/proc/misc</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-modules">4.2.21.  <code class="filename">/proc/modules</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-mounts">4.2.22.  <code class="filename">/proc/mounts</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-mtrr">4.2.23.  <code class="filename">/proc/mtrr</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-partitions">4.2.24.  <code class="filename">/proc/partitions</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-pci">4.2.25.  <code class="filename">/proc/pci</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-slabinfo">4.2.26.  <code class="filename">/proc/slabinfo</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-stat">4.2.27.  <code class="filename">/proc/stat</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-swaps">4.2.28.  <code class="filename">/proc/swaps</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-sysrq-trigger">4.2.29.  <code class="filename">/proc/sysrq-trigger</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-uptime">4.2.30.  <code class="filename">/proc/uptime</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-version">4.2.31.  <code class="filename">/proc/version</code> </a></span></dt></dl></dd><dt><span class="section"><a href="#s1-proc-directories">4.3. Directories within <code class="filename">/proc/</code> </a></span></dt><dd><dl><dt><span class="section"><a href="#s2-proc-processdirs">4.3.1. Process Directories</a></span></dt><dt><span class="section"><a href="#s2-proc-dir-bus">4.3.2.  <code class="filename">/proc/bus/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-driver">4.3.3.  <code class="filename">/proc/driver/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-fs">4.3.4.  <code class="filename">/proc/fs</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-ide">4.3.5.  <code class="filename">/proc/ide/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-irq">4.3.6.  <code class="filename">/proc/irq/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-net">4.3.7.  <code class="filename">/proc/net/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-scsi">4.3.8.  <code class="filename">/proc/scsi/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-sys">4.3.9.  <code class="filename">/proc/sys/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-sysvipc">4.3.10.  <code class="filename">/proc/sysvipc/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-tty">4.3.11.  <code class="filename">/proc/tty/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-pid">4.3.12.  <code class="filename">/proc/&lt;PID&gt;/</code> </a></span></dt></dl></dd><dt><span class="section"><a href="#s1-proc-sysctl">4.4. Using the <code class="command">sysctl</code> Command</a></span></dt><dt><span class="section"><a href="#s1-proc-additional-resources">4.5. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-proc-installed-documentation">4.5.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-proc-useful-websites">4.5.2. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-raid">5. Redundant Array of Independent Disks (RAID)</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-raid-what-is">5.1. What is RAID?</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-raid-why-use">5.1.1. Who Should Use RAID?</a></span></dt><dt><span class="section"><a href="#s2-raid-approaches">5.1.2. Hardware RAID versus Software RAID</a></span></dt><dt><span class="section"><a href="#s2-raid-levels">5.1.3. RAID Levels and Linear Support</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-raid-config">5.2. Configuring Software RAID</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-raid-diskdruid-manual-part">5.2.1. Creating the RAID Partitions</a></span></dt><dt><span class="section"><a href="#s1-raid-diskdruid-manual-devmnt">5.2.2. Creating the RAID Devices and Mount Points</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-raid-manage">5.3. Managing Software RAID</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-raid-manage-reviewing">5.3.1. Reviewing RAID Configuration</a></span></dt><dt><span class="section"><a href="#s2-raid-manage-creating">5.3.2. Creating a New RAID Device</a></span></dt><dt><span class="section"><a href="#s2-raid-manage-replacing">5.3.3. Replacing a Faulty Device</a></span></dt><dt><span class="section"><a href="#s2-raid-manage-extending">5.3.4. Extending a RAID Device</a></span></dt><dt><span class="section"><a href="#s2-raid-manage-removing">5.3.5. Removing a RAID Device</a></span></dt><dt><span class="section"><a href="#s2-raid-manage-preserving">5.3.6. Preserving the Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-raid-resources">5.4. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-raid-resources-installed">5.4.1. Installed Documentation</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-swapspace">6. Swap Space</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-swap-what-is">6.1. What is Swap Space?</a></span></dt><dt><span class="section"><a href="#s1-swap-adding">6.2. Adding Swap Space</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-swap-extending-lvm2">6.2.1. Extending Swap on an LVM2 Logical Volume</a></span></dt><dt><span class="section"><a href="#s2-swap-creating-lvm2">6.2.2. Creating an LVM2 Logical Volume for Swap</a></span></dt><dt><span class="section"><a href="#s2-swap-creating-file">6.2.3. Creating a Swap File</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-swap-removing">6.3. Removing Swap Space</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-swap-reducing-lvm2">6.3.1. Reducing Swap on an LVM2 Logical Volume</a></span></dt><dt><span class="section"><a href="#s2-swap-removing-lvm2">6.3.2. Removing an LVM2 Logical Volume for Swap</a></span></dt><dt><span class="section"><a href="#s2-swap-removing-file">6.3.3. Removing a Swap File</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-swap-moving">6.4. Moving Swap Space</a></span></dt></dl></dd><dt><span class="chapter"><a href="#ch-disk-storage">7. Managing Disk Storage</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-disk-storage-parted">7.1. Standard Partitions using <code class="command">parted</code></a></span></dt><dd><dl><dt><span class="section"><a href="#s2-disk-storage-parted-view-part-table">7.1.1. Viewing the Partition Table</a></span></dt><dt><span class="section"><a href="#s2-disk-storage-parted-create-part">7.1.2. Creating a Partition</a></span></dt><dt><span class="section"><a href="#s2-disk-storage-parted-remove-part">7.1.3. Removing a Partition</a></span></dt><dt><span class="section"><a href="#s2-disk-storage-parted-resize-part">7.1.4. Resizing a Partition</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-disk-storage-lvm">7.2. LVM Partition Management</a></span></dt></dl></dd><dt><span class="chapter"><a href="#ch-disk-quotas">8. Implementing Disk Quotas</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-disk-quotas-configuring">8.1. Configuring Disk Quotas</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-disk-quotas-enabling">8.1.1. Enabling Quotas</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-remounting">8.1.2. Remounting the File Systems</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-create-files">8.1.3. Creating the Quota Database Files</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-assigning-user">8.1.4. Assigning Quotas per User</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-assigning-group">8.1.5. Assigning Quotas per Group</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-assigning-file-system">8.1.6. Setting the Grace Period for Soft Limits</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-disk-quotas-managing">8.2. Managing Disk Quotas</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-disk-quota-enabling">8.2.1. Enabling and Disabling</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-managing-rpt">8.2.2. Reporting on Disk Quotas</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-managing-accurate">8.2.3. Keeping Quotas Accurate</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-disk-quotas-additional-resources">8.3. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-disk-quotas-install-docs">8.3.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-related-book">8.3.2. Related Books</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-acls">9. Access Control Lists</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-acls-mounting">9.1. Mounting File Systems</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-acls-mounting-nfs">9.1.1. NFS</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-acls-setting">9.2. Setting Access ACLs</a></span></dt><dt><span class="section"><a href="#s1-acls-setting-default">9.3. Setting Default ACLs</a></span></dt><dt><span class="section"><a href="#s1-acls-retrieving">9.4. Retrieving ACLs</a></span></dt><dt><span class="section"><a href="#s1-acls-archiving">9.5. Archiving File Systems With ACLs</a></span></dt><dt><span class="section"><a href="#s1-acls-compat-older">9.6. Compatibility with Older Systems</a></span></dt><dt><span class="section"><a href="#s1-acls-additional-resources">9.7. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-acls-installed-docs">9.7.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-acls-useful-websites">9.7.2. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-lvm">10. LVM (Logical Volume Manager)</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-lvm-intro-whatis">10.1. What is LVM?</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-lvm2-intro-whatis">10.1.1. What is LVM2?</a></span></dt></dl></dd><dt><span class="section"><a href="#s-lvm-config">10.2. LVM Configuration</a></span></dt><dt><span class="section"><a href="#s1-lvm-diskdruid-auto">10.3. Automatic Partitioning</a></span></dt><dt><span class="section"><a href="#s1-lvm-diskdruid-manual">10.4. Manual LVM Partitioning</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-lvm-diskdruid-manual-boot">10.4.1. Creating the <code class="command">/boot</code> Partition</a></span></dt><dt><span class="section"><a href="#s2-lvm-diskdruid-manual-pv">10.4.2. Creating the LVM Physical Volumes</a></span></dt><dt><span class="section"><a href="#s2-lvm-diskdruid-manual-vg">10.4.3. Creating the LVM Volume Groups</a></span></dt><dt><span class="section"><a href="#s2-lvm-diskdruid-manual-lv">10.4.4. Creating the LVM Logical Volumes</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-system-config-lvm">10.5. Using the LVM utility <code class="filename">system-config-lvm</code></a></span></dt><dd><dl><dt><span class="section"><a href="#s1-system-config-lvm-uninitialized">10.5.1. Utilizing uninitialized entities</a></span></dt><dt><span class="section"><a href="#s1-system-config-lvm-add-unallocated">10.5.2. Adding Unallocated Volumes to a volume group</a></span></dt><dt><span class="section"><a href="#s1-system-config-lvm-migrate-extents">10.5.3. Migrating extents</a></span></dt><dt><span class="section"><a href="#s1-system-config-lvm-new-hdd">10.5.4. Adding a new hard disk using LVM</a></span></dt><dt><span class="section"><a href="#s1-system-config-lvm-new-volumegrp">10.5.5. Adding a new volume group</a></span></dt><dt><span class="section"><a href="#s1-system-config-lvm-ext-volumegrp">10.5.6. Extending a volume group</a></span></dt><dt><span class="section"><a href="#s1-system-config-lvm-editing-lv">10.5.7. Editing a Logical Volume</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-lvm-additional-resources">10.6. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-lvm-installed-docs">10.6.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-lvm-useful-websites">10.6.2. Useful Websites</a></span></dt></dl></dd></dl></dd></dl></div></div><div xml:lang="en-US" class="chapter" id="ch-filesystem" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 1. File System Structure</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-filesystem-why">1.1. Why Share a Common Structure?</a></span></dt><dt><span class="section"><a href="#s1-filesystem-fhs">1.2. Overview of File System Hierarchy Standard (FHS)</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-filesystem-fsstnd">1.2.1. FHS Organization</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-filesystem-special-file">1.3. Special File Locations Under Red Hat Enterprise Linux</a></span></dt></dl></div><a id="id837570" class="indexterm"></a><div class="section" id="s1-filesystem-why"><div class="titlepage"><div><div><h2 class="title" id="s1-filesystem-why">1.1. Why Share a Common Structure?</h2></div></div></div><div class="para">
			The file system structure is the most basic level of organization in an operating system. Almost all of the ways an operating system interacts with its users, applications, and security model are dependent upon the way it organizes files on storage devices. Providing a common file system structure ensures users and programs are able to access and write files.
		</div><div class="para">
			File systems break files down into two logical categories:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					Shareable vs. unshareable files
				</div></li><li class="listitem"><div class="para">
					Variable vs. static files
				</div></li></ul></div><div class="para">
			<em class="firstterm">Shareable</em> files are those that can be accessed locally and by remote hosts; <em class="firstterm">unshareable</em> files are only available locally. <em class="firstterm">Variable</em> files, such as documents, can be changed at any time; <em class="firstterm">static</em> files, such as binaries, do not change without an action from the system administrator.
		</div><div class="para">
			The reason for looking at files in this manner is to help correlate the function of the file with the permissions assigned to the directories which hold them. The way in which the operating system and its users interact with a given file determines the directory in which it is placed, whether that directory is mounted with read-only or read/write permissions, and the level of access each user has to that file. The top level of this organization is crucial. Access to the underlying directories can be restricted or security problems could manifest themselves if, from the top level down, it does not adhere to a rigid structure.
		</div></div><div class="section" id="s1-filesystem-fhs"><div class="titlepage"><div><div><h2 class="title" id="s1-filesystem-fhs">1.2. Overview of File System Hierarchy Standard (FHS)</h2></div></div></div><a id="id925494" class="indexterm"></a><a id="id791072" class="indexterm"></a><a id="id1046964" class="indexterm"></a><div class="para">
			Red Hat Enterprise Linux uses the <em class="firstterm">Filesystem Hierarchy Standard</em> (<em class="firstterm">FHS</em>) file system structure, which defines the names, locations, and permissions for many file types and directories.
		</div><div class="para">
			The FHS document is the authoritative reference to any FHS-compliant file system, but the standard leaves many areas undefined or extensible. This section is an overview of the standard and a description of the parts of the file system not covered by the standard.
		</div><div class="para">
			Compliance with the standard means many things, but the two most important are compatibility with other compliant systems and the ability to mount a <code class="filename">/usr/</code> partition as read-only. This second point is important because the directory contains common executables and should not be changed by users. Also, since the <code class="filename">/usr/</code> directory is mounted as read-only, it can be mounted from the CD-ROM or from another machine via a read-only NFS mount.
		</div><div class="section" id="s2-filesystem-fsstnd"><div class="titlepage"><div><div><h3 class="title" id="s2-filesystem-fsstnd">1.2.1. FHS Organization</h3></div></div></div><a id="id832217" class="indexterm"></a><a id="id646498" class="indexterm"></a><a id="id646512" class="indexterm"></a><div class="para">
				The directories and files noted here are a small subset of those specified by the FHS document. Refer to the latest FHS document for the most complete information.
			</div><div class="para">
				The complete standard is available online at <a href="http://www.pathname.com/fhs">http://www.pathname.com/fhs/</a>.
			</div><div class="section" id="s3-filesystem-boot"><div class="titlepage"><div><div><h4 class="title" id="s3-filesystem-boot">1.2.1.1. The <code class="filename">/boot/</code> Directory</h4></div></div></div><a id="id646552" class="indexterm"></a><a id="id632753" class="indexterm"></a><div class="para">
					The <code class="filename">/boot/</code> directory contains static files required to boot the system, such as the Linux kernel. These files are essential for the system to boot properly.
				</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
						Do not remove the <code class="filename">/boot/</code> directory. Doing so renders the system unbootable.
					</div></div></div></div><div class="section" id="s3-filesystem-dev"><div class="titlepage"><div><div><h4 class="title" id="s3-filesystem-dev">1.2.1.2. The <code class="filename">/dev/</code> Directory</h4></div></div></div><a id="id632808" class="indexterm"></a><a id="id616118" class="indexterm"></a><div class="para">
					The <code class="filename">/dev/</code> directory contains device nodes that either represent devices that are attached to the system or virtual devices that are provided by the kernel. These device nodes are essential for the system to function properly. The <code class="command">udev</code> daemon takes care of creating and removing all these device nodes in <code class="filename">/dev/</code>.
				</div><div class="para">
					Devices in the <code class="filename">/dev</code> directory and subdirectories are either character (providing only a serial stream of input/output) or block (accessible randomly). Character devices include mouse, keyboard, modem while block devices include hard disk, floppy drive etc. If you have GNOME or KDE installed in your system, devices such as external drives or cds are automatically detected when connected (e.g via usb) or inserted (e.g via CD or DVD drive) and a popup window displaying the contents is automatically displayed. Files in the <code class="filename">/dev</code> directory are essential for the system to function properly.
				</div><div class="table"><h6>Table 1.1. Examples of common files in the <code class="filename">/dev</code></h6><div class="table-contents"><table summary="Examples of common files in the /dev" border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
									File
								</th><th>
									Description
								</th></tr></thead><tbody><tr><td>
									/dev/hda
								</td><td>
									The master device on primary IDE channel.
								</td></tr><tr><td>
									/dev/hdb
								</td><td>
									The slave device on primary IDE channel.
								</td></tr><tr><td>
									/dev/tty0
								</td><td>
									The first virtual console.
								</td></tr><tr><td>
									/dev/tty1
								</td><td>
									The second virtual console.
								</td></tr><tr><td>
									/dev/sda
								</td><td>
									The first device on primary SCSI or SATA channel.
								</td></tr><tr><td>
									/dev/lp0
								</td><td>
									The first parallel port.
								</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="s3-filesystem-etc"><div class="titlepage"><div><div><h4 class="title" id="s3-filesystem-etc">1.2.1.3. The <code class="filename">/etc/</code> Directory</h4></div></div></div><a id="id687469" class="indexterm"></a><a id="id687481" class="indexterm"></a><div class="para">
					The <code class="filename">/etc/</code> directory is reserved for configuration files that are local to the machine. No binaries are to be placed in <code class="filename">/etc/</code>. Any binaries that were once located in <code class="filename">/etc/</code> should be placed into <code class="filename">/sbin/</code> or <code class="filename">/bin/</code>.
				</div><div class="para">
					Examples of directories in <code class="filename">/etc</code> are the <code class="filename">X11/</code> and <code class="filename">skel/</code>:
				</div><pre class="screen">/etc
   |- X11/
   |- skel/</pre><div class="para">
					The <code class="filename">/etc/X11/</code> directory is for X Window System configuration files, such as <code class="filename">xorg.conf</code>. The <code class="filename">/etc/skel/</code> directory is for "skeleton" user files, which are used to populate a home directory when a user is first created. Applications also store their configuration files in this directory and may reference them when they are executed.
				</div></div><div class="section" id="s3-filesystem-lib"><div class="titlepage"><div><div><h4 class="title" id="s3-filesystem-lib">1.2.1.4. The <code class="filename">/lib/</code> Directory</h4></div></div></div><a id="id574134" class="indexterm"></a><a id="id574147" class="indexterm"></a><div class="para">
					The <code class="filename">/lib/</code> directory should contain only those libraries needed to execute the binaries in <code class="filename">/bin/</code> and <code class="filename">/sbin/</code>. These shared library images are particularly important for booting the system and executing commands within the root file system.
				</div></div><div class="section" id="s3-filesystem-media"><div class="titlepage"><div><div><h4 class="title" id="s3-filesystem-media">1.2.1.5. The <code class="filename">/media/</code> Directory</h4></div></div></div><a id="id834855" class="indexterm"></a><a id="id834868" class="indexterm"></a><div class="para">
					The <code class="filename">/media/</code> directory contains subdirectories used as mount points for removable media such as usb storage media, DVDs, CD-ROMs, and Zip disks.
				</div></div><div class="section" id="s3-filesystem-mnt"><div class="titlepage"><div><div><h4 class="title" id="s3-filesystem-mnt">1.2.1.6. The <code class="filename">/mnt/</code> Directory</h4></div></div></div><a id="id834907" class="indexterm"></a><a id="id834919" class="indexterm"></a><div class="para">
					The <code class="filename">/mnt/</code> directory is reserved for temporarily mounted file systems, such as NFS file system mounts. For all removable media, please use the <code class="filename">/media/</code> directory. Automatically detected removable media will be mounted in the <code class="filename">/media</code> directory.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						The <code class="filename">/mnt</code> directory must not be used by installation programs.
					</div></div></div></div><div class="section" id="s3-filesystem-opt"><div class="titlepage"><div><div><h4 class="title" id="s3-filesystem-opt">1.2.1.7. The <code class="filename">/opt/</code> Directory</h4></div></div></div><a id="id834983" class="indexterm"></a><a id="id834995" class="indexterm"></a><div class="para">
					The <code class="filename">/opt/</code> directory provides storage for most application software packages.
				</div><div class="para">
					A package placing files in the <code class="filename">/opt/</code> directory creates a directory bearing the same name as the package. This directory, in turn, holds files that otherwise would be scattered throughout the file system, giving the system administrator an easy way to determine the role of each file within a particular package.
				</div><div class="para">
					For example, if <code class="filename">sample</code> is the name of a particular software package located within the <code class="filename">/opt/</code> directory, then all of its files are placed in directories inside the <code class="filename">/opt/sample/</code> directory, such as <code class="filename">/opt/sample/bin/</code> for binaries and <code class="filename">/opt/sample/man/</code> for manual pages.
				</div><div class="para">
					Packages that encompass many different sub-packages, data files, extra fonts, clipart etc are also located in the <code class="filename">/opt/</code> directory, giving that large package a way to organize itself. In this way, our <code class="filename">sample</code> package may have different tools that each go in their own sub-directories, such as <code class="filename">/opt/sample/tool1/</code> and <code class="filename">/opt/sample/tool2/</code>, each of which can have their own <code class="filename">bin/</code>, <code class="filename">man/</code>, and other similar directories.
				</div></div><div class="section" id="s3-filesystem-proc"><div class="titlepage"><div><div><h4 class="title" id="s3-filesystem-proc">1.2.1.8. The <code class="filename">/proc/</code> Directory</h4></div></div></div><a id="id835096" class="indexterm"></a><a id="id835108" class="indexterm"></a><div class="para">
					The <code class="filename">/proc/</code> directory contains special files that either extract information from or send information to the kernel. Examples include system memory, cpu information, hardware configuration etc.
				</div><div class="para">
					Due to the great variety of data available within <code class="filename">/proc/</code> and the many ways this directory can be used to communicate with the kernel, an entire chapter has been devoted to the subject. For more information, refer to <a class="xref" href="#ch-proc">Chapter 4, <em>The <code class="filename">proc</code> File System</em></a>.
				</div></div><div class="section" id="s3-filesystem-sbin"><div class="titlepage"><div><div><h4 class="title" id="s3-filesystem-sbin">1.2.1.9. The <code class="filename">/sbin/</code> Directory</h4></div></div></div><a id="id835162" class="indexterm"></a><a id="id835174" class="indexterm"></a><div class="para">
					The <code class="filename">/sbin/</code> directory stores executables used by the root user. The executables in <code class="filename">/sbin/</code> are used at boot time, for system administration and to perform system recovery operations. Of this directory, the FHS says: 
					<div class="blockquote"><blockquote class="blockquote"><div class="para">
							<code class="filename">/sbin</code> contains binaries essential for booting, restoring, recovering, and/or repairing the system in addition to the binaries in <code class="filename">/bin</code>. Programs executed after <code class="filename">/usr/</code> is known to be mounted (when there are no problems) are generally placed into <code class="filename">/usr/sbin</code>. Locally-installed system administration programs should be placed into <code class="filename">/usr/local/sbin</code>.
						</div></blockquote></div>

</div><div class="para">
					At a minimum, the following programs should be in <code class="filename">/sbin/</code>:
				</div><pre class="screen"><code class="filename">arp</code>, <code class="filename">clock</code>,
<code class="filename">halt</code>, <code class="filename">init</code>,
<code class="filename">fsck.*</code>, <code class="filename">grub</code>,
<code class="filename">ifconfig</code>, <code class="filename">mingetty</code>,
<code class="filename">mkfs.*</code>, <code class="filename">mkswap</code>,
<code class="filename">reboot</code>, <code class="filename">route</code>,
<code class="filename">shutdown</code>, <code class="filename">swapoff</code>,
<code class="filename">swapon</code></pre></div><div class="section" id="s3-filesystem-srv"><div class="titlepage"><div><div><h4 class="title" id="s3-filesystem-srv">1.2.1.10. The <code class="filename">/srv/</code> Directory</h4></div></div></div><a id="id835315" class="indexterm"></a><a id="id835327" class="indexterm"></a><div class="para">
					The <code class="filename">/srv/</code> directory contains site-specific data served by your system running Red Hat Enterprise Linux. This directory gives users the location of data files for a particular service, such as FTP, WWW, or CVS. Data that only pertains to a specific user should go in the <code class="filename">/home/</code> directory.
				</div></div><div class="section" id="s3-filesystem-sys"><div class="titlepage"><div><div><h4 class="title" id="s3-filesystem-sys">1.2.1.11. The <code class="filename">/sys/</code> Directory</h4></div></div></div><a id="id835372" class="indexterm"></a><a id="id789190" class="indexterm"></a><div class="para">
					The <code class="filename">/sys/</code> directory utilizes the new <code class="filename">sysfs</code> virtual file system specific to the 2.6 kernel. With the increased support for hot plug hardware devices in the 2.6 kernel, the <code class="filename">/sys/</code> directory contains information similarly held in <code class="filename">/proc/</code>, but displays a hierarchical view of specific device information in regards to hot plug devices.
				</div></div><div class="section" id="s3-filesystem-usr"><div class="titlepage"><div><div><h4 class="title" id="s3-filesystem-usr">1.2.1.12. The <code class="filename">/usr/</code> Directory</h4></div></div></div><a id="id789240" class="indexterm"></a><a id="id789253" class="indexterm"></a><div class="para">
					The <code class="filename">/usr/</code> directory is for files that can be shared across multiple machines. The <code class="filename">/usr/</code> directory is often on its own partition and is mounted read-only. At a minimum, the following directories should be subdirectories of <code class="filename">/usr/</code>:
				</div><pre class="screen">/usr
   |- bin/
   |- etc/
   |- games/
   |- include/
   |- kerberos/
   |- lib/
   |- libexec/
   |- local/
   |- sbin/
   |- share/
   |- src/
   |- tmp -&gt; ../var/tmp/</pre><div class="para">
					Under the <code class="filename">/usr/</code> directory, the <code class="filename">bin/</code> subdirectory contains executables, <code class="filename">etc/</code> contains system-wide configuration files, <code class="filename">games</code> is for games, <code class="filename">include/</code> contains C header files, <code class="filename">kerberos/</code> contains binaries and other Kerberos-related files, and <code class="filename">lib/</code> contains object files and libraries that are not designed to be directly utilized by users or shell scripts. The <code class="filename">libexec/</code> directory contains small helper programs called by other programs, <code class="filename">sbin/</code> is for system administration binaries (those that do not belong in the <code class="filename">/sbin/</code> directory), <code class="filename">share/</code> contains files that are not architecture-specific, <code class="filename">src/</code> is for source code.
				</div></div><div class="section" id="s3-filesystem-usr-local"><div class="titlepage"><div><div><h4 class="title" id="s3-filesystem-usr-local">1.2.1.13. The <code class="filename">/usr/local/</code> Directory</h4></div></div></div><a id="id789357" class="indexterm"></a><a id="id789369" class="indexterm"></a><div class="para">
					The FHS says: 
					<div class="blockquote"><blockquote class="blockquote"><div class="para">
							The <code class="filename">/usr/local</code> hierarchy is for use by the system administrator when installing software locally. It needs to be safe from being overwritten when the system software is updated. It may be used for programs and data that are shareable among a group of hosts, but not found in <code class="filename">/usr</code>.
						</div></blockquote></div>

</div><div class="para">
					The <code class="filename">/usr/local/</code> directory is similar in structure to the <code class="filename">/usr/</code> directory. It has the following subdirectories, which are similar in purpose to those in the <code class="filename">/usr/</code> directory:
				</div><pre class="screen">/usr/local
	|- bin/
	|- etc/
	|- games/
	|- include/
	|- lib/
	|- libexec/
	|- sbin/
	|- share/
	|- src/</pre><div class="para">
					In Red Hat Enterprise Linux, the intended use for the <code class="filename">/usr/local/</code> directory is slightly different from that specified by the FHS. The FHS says that <code class="filename">/usr/local/</code> should be where software that is to remain safe from system software upgrades is stored. Since software upgrades can be performed safely with <em class="firstterm">RPM Package Manager</em> (<em class="firstterm">RPM</em>), it is not necessary to protect files by putting them in <code class="filename">/usr/local/</code>. Instead, the <code class="filename">/usr/local/</code> directory is used for software that is local to the machine.
				</div><div class="para">
					For instance, if the <code class="filename">/usr/</code> directory is mounted as a read-only NFS share from a remote host, it is still possible to install a package or program under the <code class="filename">/usr/local/</code> directory.
				</div></div><div class="section" id="s3-filesystem-var"><div class="titlepage"><div><div><h4 class="title" id="s3-filesystem-var">1.2.1.14. The <code class="filename">/var/</code> Directory</h4></div></div></div><a id="id789484" class="indexterm"></a><a id="id789497" class="indexterm"></a><div class="para">
					Since the FHS requires Linux to mount <code class="filename">/usr/</code> as read-only, any programs that write log files or need <code class="filename">spool/</code> or <code class="filename">lock/</code> directories should write them to the <code class="filename">/var/</code> directory. The FHS states <code class="filename">/var/</code> is for:
					<div class="blockquote"><blockquote class="blockquote"><div class="para">
							...variable data files. This includes spool directories and files, administrative and logging data, and transient and temporary files.
						</div></blockquote></div>

</div><div class="para">
					Below are some of the directories found within the <code class="filename">/var/</code> directory:
				</div><pre class="screen">/var
   |- account/
   |- arpwatch/
   |- cache/
   |- crash/
   |- db/
   |- empty/
   |- ftp/
   |- gdm/
   |- kerberos/
   |- lib/
   |- local/
   |- lock/
   |- log/
   |- mail -&gt; spool/mail/
   |- mailman/
   |- named/
   |- nis/
   |- opt/
   |- preserve/
   |- run/
   +- spool/
       |- at/
       |- clientmqueue/
       |- cron/
       |- cups/
       |- exim/
       |- lpd/
       |- mail/
       |- mailman/
       |- mqueue/
       |- news/
       |- postfix/
       |- repackage/
       |- rwho/
       |- samba/
       |- squid/
       |- squirrelmail/
       |- up2date/
       |- uucp
       |- uucppublic/
       |- vbox/
|- tmp/
|- tux/
|- www/
|- yp/</pre><div class="para">
					System log files, such as <code class="filename">messages</code> and <code class="filename">lastlog</code>, go in the <code class="filename">/var/log/</code> directory. The <code class="filename">/var/lib/rpm/</code> directory contains RPM system databases. Lock files go in the <code class="filename">/var/lock/</code> directory, usually in directories for the program using the file. The <code class="filename">/var/spool/</code> directory has subdirectories for programs in which data files are stored.
				</div></div></div></div><div class="section" id="s1-filesystem-special-file"><div class="titlepage"><div><div><h2 class="title" id="s1-filesystem-special-file">1.3. Special File Locations Under Red Hat Enterprise Linux</h2></div></div></div><a id="id789603" class="indexterm"></a><a id="id789619" class="indexterm"></a><a id="id789642" class="indexterm"></a><a id="id789658" class="indexterm"></a><a id="id789670" class="indexterm"></a><a id="id789683" class="indexterm"></a><div class="para">
			Red Hat Enterprise Linux extends the FHS structure slightly to accommodate special files.
		</div><div class="para">
			Most files pertaining to RPM are kept in the <code class="filename">/var/lib/rpm/</code> directory. For more information on RPM, refer to the chapter <a class="xref" href="#ch-rpm">Chapter 11, <em>Package Management with RPM</em></a>.
		</div><div class="para">
			The <code class="filename">/var/cache/yum/</code> directory contains files used by the <span class="application"><strong>Package Updater</strong></span>, including RPM header information for the system. This location may also be used to temporarily store RPMs downloaded while updating the system. For more information about <span class="application"><strong>Red Hat Network</strong></span>, refer to <a class="xref" href="#entitlements">Chapter 14, <em>Product Subscriptions and Entitlements</em></a>.
		</div><div class="para">
			Another location specific to Red Hat Enterprise Linux is the <code class="filename">/etc/sysconfig/</code> directory. This directory stores a variety of configuration information. Many scripts that run at boot time use the files in this directory. Refer to <a class="xref" href="#ch-sysconfig">Chapter 30, <em>The <code class="filename">sysconfig</code> Directory</em></a> for more information about what is within this directory and the role these files play in the boot process.
		</div></div></div><div xml:lang="en-US" class="chapter" id="chap-Using_the_mount_Command" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 2. Using the <code class="command">mount</code> Command</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Using_the_mount_Command-Listing">2.1. Listing Currently Mounted File Systems</a></span></dt><dt><span class="section"><a href="#sect-Using_the_mount_Command-Mounting">2.2. Mounting a File System</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Using_the_mount_Command-Mounting-Type">2.2.1. Specifying the File System Type</a></span></dt><dt><span class="section"><a href="#sect-Using_the_mount_Command-Mounting-Options">2.2.2. Specifying the Mount Options</a></span></dt><dt><span class="section"><a href="#sect-Using_the_mount_Command-Mounting-Bind">2.2.3. Sharing Mounts</a></span></dt><dt><span class="section"><a href="#sect-Using_the_mount_Command-Mounting-Moving">2.2.4. Moving a Mount Point</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Using_the_mount_Command-Unmounting">2.3. Unmounting a File System</a></span></dt><dt><span class="section"><a href="#sect-Using_the_mount_Command-Additional_Resources">2.4. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Using_the_mount_Command-Installed_Documentation">2.4.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#sect-Using_the_mount_Command-Useful_Websites">2.4.2. Useful Websites</a></span></dt></dl></dd></dl></div><div class="para">
		On Linux, UNIX, and similar operating systems, file systems on different partitions and removable devices like CDs, DVDs, or USB flash drives can be attached to a certain point (that is, the <em class="firstterm">mount point</em>) in the directory tree, and detached again. To attach or detach a file system, you can use the <code class="command">mount</code> or <code class="command">umount</code> command respectively. This chapter describes the basic usage of these commands, and covers some advanced topics such as moving a mount point or creating shared subtrees.
	</div><div class="section" id="sect-Using_the_mount_Command-Listing"><div class="titlepage"><div><div><h2 class="title" id="sect-Using_the_mount_Command-Listing">2.1. Listing Currently Mounted File Systems</h2></div></div></div><div class="para">
			To display all currently attached file systems, run the <code class="command">mount</code> command with no additional arguments:
		</div><pre class="screen"><code class="command">mount</code></pre><div class="para">
			This command displays the list of known mount points. Each line provides important information about the device name, the file system type, the directory in which it is mounted, and relevant mount options in the following form:
		</div><div class="blockquote"><blockquote class="blockquote"><div class="para">
				<em class="replaceable"><code>device</code></em> on <em class="replaceable"><code>directory</code></em> type <em class="replaceable"><code>type</code></em> (<em class="replaceable"><code>options</code></em>)
			</div></blockquote></div><div class="para">
			By default, the output includes various virtual file systems such as <code class="systemitem">sysfs</code>, <code class="systemitem">tmpfs</code>, and others. To display only the devices with a certain file system type, supply the <code class="option">-t</code> option on the command line:
		</div><pre class="screen"><code class="command">mount</code> <code class="option">-t</code> <em class="replaceable"><code>type</code></em></pre><div class="para">
			For a list of common file system types, refer to <a class="xref" href="#tabl-Using_the_mount_Command-Types">Table 2.1, “Common File System Types”</a>. For an example on how to use the <code class="command">mount</code> command to list the mounted file systems, see <a class="xref" href="#exam-Using_the_mount_Command-Listing">Example 2.1, “Listing Currently Mounted <code class="systemitem">ext3</code> File Systems”</a>.
		</div><div class="example" id="exam-Using_the_mount_Command-Listing"><h6>Example 2.1. Listing Currently Mounted <code class="systemitem">ext3</code> File Systems</h6><div class="example-contents"><div class="para">
				Usually, both <code class="filename">/</code> and <code class="filename">/boot</code> partitions are formatted to use <code class="systemitem">ext3</code>. To display only the mount points that use this file system, type the following at a shell prompt:
			</div><pre class="screen">~]$ <code class="command">mount -t ext3</code>
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
/dev/vda1 on /boot type ext3 (rw)</pre></div></div><br class="example-break" /></div><div class="section" id="sect-Using_the_mount_Command-Mounting"><div class="titlepage"><div><div><h2 class="title" id="sect-Using_the_mount_Command-Mounting">2.2. Mounting a File System</h2></div></div></div><div class="para">
			To attach a certain file system, use the <code class="command">mount</code> command in the following form:
		</div><pre class="screen"><code class="command">mount</code> [<span class="optional"><em class="replaceable"><code>option</code></em>…</span>] <em class="replaceable"><code>device</code></em> <em class="replaceable"><code>directory</code></em></pre><div class="para">
			When the <code class="command">mount</code> command is run, it reads the content of the <code class="filename">/etc/fstab</code> configuration file to see if the given file system is listed. This file contains a list of device names and the directory in which the selected file systems should be mounted, as well as the file system type and mount options. Because of this, when you are mounting a file system that is specified in this file, you can use one of the following variants of the command:
		</div><pre class="screen"><code class="command">mount</code> [<span class="optional"><em class="replaceable"><code>option</code></em>…</span>] <em class="replaceable"><code>directory</code></em>
<code class="command">mount</code> [<span class="optional"><em class="replaceable"><code>option</code></em>…</span>] <em class="replaceable"><code>device</code></em></pre><div class="para">
			Note that unless you are logged in as <code class="systemitem">root</code>, you must have permissions to mount the file system (see <a class="xref" href="#sect-Using_the_mount_Command-Mounting-Options">Section 2.2.2, “Specifying the Mount Options”</a>).
		</div><div class="section" id="sect-Using_the_mount_Command-Mounting-Type"><div class="titlepage"><div><div><h3 class="title" id="sect-Using_the_mount_Command-Mounting-Type">2.2.1. Specifying the File System Type</h3></div></div></div><div class="para">
				In most cases, <code class="command">mount</code> detects the file system automatically. However, there are certain file systems, such as <code class="systemitem">NFS</code> (Network File System) or <code class="systemitem">CIFS</code> (Common Internet File System), that are not recognized, and need to be specified manually. To specify the file system type, use the <code class="command">mount</code> command in the following form:
			</div><pre class="screen"><code class="command">mount</code> <code class="option">-t</code> <em class="replaceable"><code>type</code></em> <em class="replaceable"><code>device</code></em> <em class="replaceable"><code>directory</code></em></pre><div class="para">
				<a class="xref" href="#tabl-Using_the_mount_Command-Types">Table 2.1, “Common File System Types”</a> provides a list of common file system types that can be used with the <code class="command">mount</code> command. For a complete list of all available file system types, consult the relevant manual page as referred to in <a class="xref" href="#sect-Using_the_mount_Command-Installed_Documentation">Section 2.4.1, “Installed Documentation”</a>.
			</div><div class="table" id="tabl-Using_the_mount_Command-Types"><h6>Table 2.1. Common File System Types</h6><div class="table-contents"><table summary="Common File System Types" border="1"><colgroup><col width="20%" class="type" /><col width="80%" class="description" /></colgroup><thead><tr><th>
								Type
							</th><th>
								Description
							</th></tr></thead><tbody><tr><td>
								<code class="option">ext2</code>
							</td><td>
								The <code class="systemitem">ext2</code> file system.
							</td></tr><tr><td>
								<code class="option">ext3</code>
							</td><td>
								The <code class="systemitem">ext3</code> file system.
							</td></tr><tr><td>
								<code class="option">iso9660</code>
							</td><td>
								The <code class="systemitem">ISO 9660</code> file system. It is commonly used by optical media, typically CDs.
							</td></tr><tr><td>
								<code class="option">jfs</code>
							</td><td>
								The <code class="systemitem">JFS</code> file system created by IBM.
							</td></tr><tr><td>
								<code class="option">nfs</code>
							</td><td>
								The <code class="systemitem">NFS</code> file system. It is commonly used to access files over the network.
							</td></tr><tr><td>
								<code class="option">nfs4</code>
							</td><td>
								The <code class="systemitem">NFSv4</code> file system. It is commonly used to access files over the network.
							</td></tr><tr><td>
								<code class="option">ntfs</code>
							</td><td>
								The <code class="systemitem">NTFS</code> file system. It is commonly used on machines that are running the Windows operating system.
							</td></tr><tr><td>
								<code class="option">udf</code>
							</td><td>
								The <code class="systemitem">UDF</code> file system. It is commonly used by optical media, typically DVDs.
							</td></tr><tr><td>
								<code class="option">vfat</code>
							</td><td>
								The <code class="systemitem">FAT</code> file system. It is commonly used on machines that are running the Windows operating system, and on certain digital media such as USB flash drives or floppy disks.
							</td></tr></tbody></table></div></div><br class="table-break" /><div class="para">
				See <a class="xref" href="#exam-Using_the_mount_Command-Mounting-Type">Example 2.2, “Mounting a USB Flash Drive”</a> for an example usage.
			</div><div class="example" id="exam-Using_the_mount_Command-Mounting-Type"><h6>Example 2.2. Mounting a USB Flash Drive</h6><div class="example-contents"><div class="para">
					Older USB flash drives often use the FAT file system. Assuming that such drive uses the <code class="filename">/dev/sdc1</code> device and that the <code class="filename">/media/flashdisk/</code> directory exists, you can mount it to this directory by typing the following at a shell prompt as <code class="systemitem">root</code>:
				</div><pre class="screen">~]# <code class="command">mount -t vfat /dev/sdc1 /media/flashdisk</code></pre></div></div><br class="example-break" /></div><div class="section" id="sect-Using_the_mount_Command-Mounting-Options"><div class="titlepage"><div><div><h3 class="title" id="sect-Using_the_mount_Command-Mounting-Options">2.2.2. Specifying the Mount Options</h3></div></div></div><div class="para">
				To specify additional mount options, use the command in the following form:
			</div><pre class="screen"><code class="command">mount</code> <code class="option">-o</code> <em class="replaceable"><code>options</code></em></pre><div class="para">
				When supplying multiple options, do not insert a space after a comma, or <code class="command">mount</code> will incorrectly interpret the values following spaces as additional parameters.
			</div><div class="para">
				<a class="xref" href="#tabl-Using_the_mount_Command-Options">Table 2.2, “Common Mount Options”</a> provides a list of common mount options. For a complete list of all available options, consult the relevant manual page as referred to in <a class="xref" href="#sect-Using_the_mount_Command-Installed_Documentation">Section 2.4.1, “Installed Documentation”</a>.
			</div><div class="table" id="tabl-Using_the_mount_Command-Options"><h6>Table 2.2. Common Mount Options</h6><div class="table-contents"><table summary="Common Mount Options" border="1"><colgroup><col width="20%" class="option" /><col width="80%" class="description" /></colgroup><thead><tr><th>
								Option
							</th><th>
								Description
							</th></tr></thead><tbody><tr><td>
								<code class="option">async</code>
							</td><td>
								Allows the asynchronous input/output operations on the file system.
							</td></tr><tr><td>
								<code class="option">auto</code>
							</td><td>
								Allows the file system to be mounted automatically using the <code class="command">mount -a</code> command.
							</td></tr><tr><td>
								<code class="option">defaults</code>
							</td><td>
								Provides an alias for <code class="option">async,auto,dev,exec,nouser,rw,suid</code>.
							</td></tr><tr><td>
								<code class="option">exec</code>
							</td><td>
								Allows the execution of binary files on the particular file system.
							</td></tr><tr><td>
								<code class="option">loop</code>
							</td><td>
								Mounts an image as a loop device.
							</td></tr><tr><td>
								<code class="option">noauto</code>
							</td><td>
								Disallows the automatic mount of the file system using the <code class="command">mount -a</code> command.
							</td></tr><tr><td>
								<code class="option">noexec</code>
							</td><td>
								Disallows the execution of binary files on the particular file system.
							</td></tr><tr><td>
								<code class="option">nouser</code>
							</td><td>
								Disallows an ordinary user (that is, other than <code class="systemitem">root</code>) to mount and unmount the file system.
							</td></tr><tr><td>
								<code class="option">remount</code>
							</td><td>
								Remounts the file system in case it is already mounted.
							</td></tr><tr><td>
								<code class="option">ro</code>
							</td><td>
								Mounts the file system for reading only.
							</td></tr><tr><td>
								<code class="option">rw</code>
							</td><td>
								Mounts the file system for both reading and writing.
							</td></tr><tr><td>
								<code class="option">user</code>
							</td><td>
								Allows an ordinary user (that is, other than <code class="systemitem">root</code>) to mount and unmount the file system.
							</td></tr></tbody></table></div></div><br class="table-break" /><div class="para">
				See <a class="xref" href="#exam-Using_the_mount_Command-Mounting-Options">Example 2.3, “Mounting an ISO Image”</a> for an example usage.
			</div><div class="example" id="exam-Using_the_mount_Command-Mounting-Options"><h6>Example 2.3. Mounting an ISO Image</h6><div class="example-contents"><div class="para">
					An ISO image (or a disk image in general) can be mounted by using the loop device. Assuming that the ISO image of the Fedora 14 installation disc is present in the current working directory and that the <code class="filename">/media/cdrom/</code> directory exists, you can mount the image to this directory by running the following command as <code class="systemitem">root</code>:
				</div><pre class="screen">~]# <code class="command">mount -o ro,loop Fedora-14-x86_64-Live-Desktop.iso /media/cdrom</code></pre><div class="para">
					Note that ISO 9660 is by design a read-only file system.
				</div></div></div><br class="example-break" /></div><div class="section" id="sect-Using_the_mount_Command-Mounting-Bind"><div class="titlepage"><div><div><h3 class="title" id="sect-Using_the_mount_Command-Mounting-Bind">2.2.3. Sharing Mounts</h3></div></div></div><div class="para">
				Occasionally, certain system administration tasks require access to the same file system from more than one place in the directory tree (for example, when preparing a chroot environment). To address such requirements, the <code class="command">mount</code> command implements the <code class="option">--bind</code> option that provides a means for duplicating certain mounts. Its usage is as follows:
			</div><pre class="screen"><code class="command">mount</code> <code class="option">--bind</code> <em class="replaceable"><code>old_directory</code></em> <em class="replaceable"><code>new_directory</code></em></pre><div class="para">
				Although the above command allows a user to access the file system from both places, it does not apply on the file systems that are mounted within the original directory. To include these mounts as well, type:
			</div><pre class="screen"><code class="command">mount</code> <code class="option">--rbind</code> <em class="replaceable"><code>old_directory</code></em> <em class="replaceable"><code>new_directory</code></em></pre><div class="para">
				Additionally, to provide as much flexibility as possible, Red Hat Enterprise Linux 5.8 implements the functionality known as <em class="firstterm">shared subtrees</em>. This feature allows you to use the following four mount types:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">Shared Mount</span></dt><dd><div class="para">
							A shared mount allows you to create an exact replica of a given mount point. When a shared mount is created, any mount within the original mount point is reflected in it, and vice versa. To create a shared mount, type the following at a shell prompt:
						</div><pre class="screen"><code class="command">mount</code> <code class="option">--make-shared</code> <em class="replaceable"><code>mount_point</code></em></pre><div class="para">
							Alternatively, you can change the mount type for the selected mount point and all mount points under it:
						</div><pre class="screen"><code class="command">mount</code> <code class="option">--make-rshared</code> <em class="replaceable"><code>mount_point</code></em></pre><div class="para">
							See <a class="xref" href="#exam-Using_the_mount_Command-Mounting-Bind-Shared">Example 2.4, “Creating a Shared Mount Point”</a> for an example usage.
						</div><div class="example" id="exam-Using_the_mount_Command-Mounting-Bind-Shared"><h6>Example 2.4. Creating a Shared Mount Point</h6><div class="example-contents"><div class="para">
								There are two places where other file systems are commonly mounted: the <code class="filename">/media</code> directory for removable media, and the <code class="filename">/mnt</code> directory for temporarily mounted file systems. By using a shared mount, you can make these two directories share the same content. To do so, as <code class="systemitem">root</code>, mark the <code class="filename">/media</code> directory as <span class="quote">“<span class="quote">shared</span>”</span>:
							</div><pre class="screen">~]# <code class="command">mount --bind /media /media</code>
~]# <code class="command">mount --make-shared /media</code></pre><div class="para">
								Then create its duplicate in <code class="filename">/mnt</code> by using the following command:
							</div><pre class="screen">~]# <code class="command">mount --bind /media /mnt</code></pre><div class="para">
								You can now verify that a mount within <code class="filename">/media</code> also appears in <code class="filename">/mnt</code>. For example, if you have non-empty media in your CD-ROM drive and the <code class="filename">/media/cdrom/</code> directory exists, run the following commands:
							</div><pre class="screen">~]# <code class="command">mount /dev/cdrom /media/cdrom</code>
~]# <code class="command">ls /media/cdrom</code>
EFI  GPL  isolinux  LiveOS
~]# <code class="command">ls /mnt/cdrom</code>
EFI  GPL  isolinux  LiveOS</pre><div class="para">
								Similarly, you can verify that any file system mounted in the <code class="filename">/mnt</code> directory is reflected in <code class="filename">/media</code>. For instance, if you have a non-empty USB flash drive that uses the <code class="filename">/dev/sdc1</code> device plugged in and the <code class="filename">/mnt/flashdisk/</code> directory is present, type:
							</div><pre class="screen">~]# <code class="command">mount /dev/sdc1 /mnt/flashdisk</code>
~]# <code class="command">ls /media/flashdisk</code>
en-US  publican.cfg
~]# <code class="command">ls /mnt/flashdisk</code>
en-US  publican.cfg</pre></div></div><br class="example-break" /></dd><dt class="varlistentry"><span class="term">Slave Mount</span></dt><dd><div class="para">
							A slave mount allows you to create a limited duplicate of a given mount point. When a slave mount is created, any mount within the original mount point is reflected in it, but no mount within a slave mount is reflected in its original. To create a slave mount, type the following at a shell prompt:
						</div><pre class="screen"><code class="command">mount</code> <code class="option">--make-slave</code> <em class="replaceable"><code>mount_point</code></em></pre><div class="para">
							Alternatively, you can change the mount type for the selected mount point and all mount points under it:
						</div><pre class="screen"><code class="command">mount</code> <code class="option">--make-rslave</code> <em class="replaceable"><code>mount_point</code></em></pre><div class="para">
							See <a class="xref" href="#exam-Using_the_mount_Command-Mounting-Bind-Slave">Example 2.5, “Creating a Slave Mount Point”</a> for an example usage.
						</div><div class="example" id="exam-Using_the_mount_Command-Mounting-Bind-Slave"><h6>Example 2.5. Creating a Slave Mount Point</h6><div class="example-contents"><div class="para">
								Imagine you want the content of the <code class="filename">/media</code> directory to appear in <code class="filename">/mnt</code> as well, but you do not want any mounts in the <code class="filename">/mnt</code> directory to be reflected in <code class="filename">/media</code>. To do so, as <code class="systemitem">root</code>, first mark the <code class="filename">/media</code> directory as <span class="quote">“<span class="quote">shared</span>”</span>:
							</div><pre class="screen">~]# <code class="command">mount --bind /media /media</code>
~]# <code class="command">mount --make-shared /media</code></pre><div class="para">
								Then create its duplicate in <code class="filename">/mnt</code>, but mark it as <span class="quote">“<span class="quote">slave</span>”</span>:
							</div><pre class="screen">~]# <code class="command">mount --bind /media /mnt</code>
~]# <code class="command">mount --make-slave /mnt</code></pre><div class="para">
								You can now verify that a mount within <code class="filename">/media</code> also appears in <code class="filename">/mnt</code>. For example, if you have non-empty media in your CD-ROM drive and the <code class="filename">/media/cdrom/</code> directory exists, run the following commands:
							</div><pre class="screen">~]# <code class="command">mount /dev/cdrom /media/cdrom</code>
~]# <code class="command">ls /media/cdrom</code>
EFI  GPL  isolinux  LiveOS
~]# <code class="command">ls /mnt/cdrom</code>
EFI  GPL  isolinux  LiveOS</pre><div class="para">
								You can also verify that file systems mounted in the <code class="filename">/mnt</code> directory are <span class="emphasis"><em>not</em></span> reflected in <code class="filename">/media</code>. For instance, if you have a non-empty USB flash drive that uses the <code class="filename">/dev/sdc1</code> device plugged in and the <code class="filename">/mnt/flashdisk/</code> directory is present, type: :
							</div><pre class="screen">~]# <code class="command">mount /dev/sdc1 /mnt/flashdisk</code>
~]# <code class="command">ls /media/flashdisk</code>
~]# <code class="command">ls /mnt/flashdisk</code>
en-US  publican.cfg</pre></div></div><br class="example-break" /></dd><dt class="varlistentry"><span class="term">Private Mount</span></dt><dd><div class="para">
							A private mount allows you to create an ordinary mount. When a private mount is created, no subsequent mounts within the original mount point are reflected in it, and no mount within a private mount is reflected in its original. To create a private mount, type the following at a shell prompt:
						</div><pre class="screen"><code class="command">mount</code> <code class="option">--make-private</code> <em class="replaceable"><code>mount_point</code></em></pre><div class="para">
							Alternatively, you can change the mount type for the selected mount point and all mount points under it:
						</div><pre class="screen"><code class="command">mount</code> <code class="option">--make-rprivate</code> <em class="replaceable"><code>mount_point</code></em></pre><div class="para">
							See <a class="xref" href="#exam-Using_the_mount_Command-Mounting-Bind-Private">Example 2.6, “Creating a Private Mount Point”</a> for an example usage.
						</div><div class="example" id="exam-Using_the_mount_Command-Mounting-Bind-Private"><h6>Example 2.6. Creating a Private Mount Point</h6><div class="example-contents"><div class="para">
								Taking into account the scenario in <a class="xref" href="#exam-Using_the_mount_Command-Mounting-Bind-Shared">Example 2.4, “Creating a Shared Mount Point”</a>, assume that you have previously created a shared mount point by using the following commands as <code class="systemitem">root</code>:
							</div><pre class="screen">~]# <code class="command">mount --bind /media /media</code>
~]# <code class="command">mount --make-shared /media</code>
~]# <code class="command">mount --bind /media /mnt</code></pre><div class="para">
								To mark the <code class="filename">/mnt</code> directory as <span class="quote">“<span class="quote">private</span>”</span>, type:
							</div><pre class="screen">~]# <code class="command">mount --make-private /mnt</code></pre><div class="para">
								You can now verify that none of the mounts within <code class="filename">/media</code> appears in <code class="filename">/mnt</code>. For example, if you have non-empty media in your CD-ROM drive and the <code class="filename">/media/cdrom/</code> directory exists, run the following commands:
							</div><pre class="screen">~]# <code class="command">mount /dev/cdrom /media/cdrom</code>
~]# <code class="command">ls /media/cdrom</code>
EFI  GPL  isolinux  LiveOS
~]# <code class="command">ls /mnt/cdrom</code>
~]#</pre><div class="para">
								You can also verify that file systems mounted in the <code class="filename">/mnt</code> directory are not reflected in <code class="filename">/media</code>. For instance, if you have a non-empty USB flash drive that uses the <code class="filename">/dev/sdc1</code> device plugged in and the <code class="filename">/mnt/flashdisk/</code> directory is present, type:
							</div><pre class="screen">~]# <code class="command">mount /dev/sdc1 /mnt/flashdisk</code>
~]# <code class="command">ls /media/flashdisk</code>
~]# <code class="command">ls /mnt/flashdisk</code>
en-US  publican.cfg</pre></div></div><br class="example-break" /></dd><dt class="varlistentry"><span class="term">Unbindable Mount</span></dt><dd><div class="para">
							An unbindable mount allows you to prevent a given mount point from being duplicated whatsoever. To create an unbindable mount, type the following at a shell prompt:
						</div><pre class="screen"><code class="command">mount</code> <code class="option">--make-unbindable</code> <em class="replaceable"><code>mount_point</code></em></pre><div class="para">
							Alternatively, you can change the mount type for the selected mount point and all mount points under it:
						</div><pre class="screen"><code class="command">mount</code> <code class="option">--make-runbindable</code> <em class="replaceable"><code>mount_point</code></em></pre><div class="para">
							See <a class="xref" href="#exam-Using_the_mount_Command-Mounting-Bind-Unbindable">Example 2.7, “Creating an Unbindable Mount Point”</a> for an example usage.
						</div><div class="example" id="exam-Using_the_mount_Command-Mounting-Bind-Unbindable"><h6>Example 2.7. Creating an Unbindable Mount Point</h6><div class="example-contents"><div class="para">
								To prevent the <code class="filename">/media</code> directory from being shared, as <code class="systemitem">root</code>, type the following at a shell prompt:
							</div><pre class="screen">~]# <code class="command">mount --bind /media /media</code>
~]# <code class="command">mount --make-unbindable /media</code></pre><div class="para">
								This way, any subsequent attempt to make a duplicate of this mount will fail with an error:
							</div><pre class="screen">~]# <code class="command">mount --bind /media /mnt</code>
mount: wrong fs type, bad option, bad superblock on /media/,
       missing code page or other error
       In some cases useful info is found in syslog - try
       dmesg | tail  or so</pre></div></div><br class="example-break" /></dd></dl></div></div><div class="section" id="sect-Using_the_mount_Command-Mounting-Moving"><div class="titlepage"><div><div><h3 class="title" id="sect-Using_the_mount_Command-Mounting-Moving">2.2.4. Moving a Mount Point</h3></div></div></div><div class="para">
				To change the directory in which a file system is mounted, use the following command:
			</div><pre class="screen"><code class="command">mount</code> <code class="option">--move</code> <em class="replaceable"><code>old_directory</code></em> <em class="replaceable"><code>new_directory</code></em></pre><div class="para">
				See <a class="xref" href="#exam-Using_the_mount_Command-Mounting-Moving">Example 2.8, “Moving an Existing NFS Mount Point”</a> for an example usage.
			</div><div class="example" id="exam-Using_the_mount_Command-Mounting-Moving"><h6>Example 2.8. Moving an Existing NFS Mount Point</h6><div class="example-contents"><div class="para">
					Imagine that you have an NFS storage that contains user directories. Assuming that this storage is already mounted in <code class="filename">/mnt/userdirs/</code>, as <code class="systemitem">root</code>, you can move this mount point to <code class="filename">/home</code> by using the following command:
				</div><pre class="screen">~]# <code class="command">mount --move /mnt/userdirs /home</code></pre><div class="para">
					To verify the mount point has been moved, list the content of both directories:
				</div><pre class="screen">~]# <code class="command">ls /mnt/userdirs</code>
~]# <code class="command">ls /home</code>
jill  joe</pre></div></div><br class="example-break" /></div></div><div class="section" id="sect-Using_the_mount_Command-Unmounting"><div class="titlepage"><div><div><h2 class="title" id="sect-Using_the_mount_Command-Unmounting">2.3. Unmounting a File System</h2></div></div></div><div class="para">
			To detach a previously mounted file system, use either of the following variants of the <code class="command">umount</code> command:
		</div><pre class="screen"><code class="command">umount</code> <em class="replaceable"><code>directory</code></em>
<code class="command">umount</code> <em class="replaceable"><code>device</code></em></pre><div class="para">
			Note that unless you are logged in as <code class="systemitem">root</code>, you must have permissions to unmount the file system (see <a class="xref" href="#sect-Using_the_mount_Command-Mounting-Options">Section 2.2.2, “Specifying the Mount Options”</a>). See <a class="xref" href="#exam-Using_the_mount_Command-Unmounting">Example 2.9, “Unmounting a CD”</a> for an example usage.
		</div><div class="important"><div class="admonition_header"><h2>Important: Make Sure the File System Is Not in Use</h2></div><div class="admonition"><div class="para">
				When a file system is in use (for example, when a process is reading a file on this file system), running the <code class="command">umount</code> command will fail with an error. To determine which processes are accessing the file system, use the <code class="command">fuser</code> command in the following form:
			</div><pre class="screen"><code class="command">fuser</code> <code class="option">-m</code> <em class="replaceable"><code>directory</code></em></pre><div class="para">
				For example, to list the processes that are accessing a file system mounted to the <code class="filename">/media/cdrom/</code> directory, type:
			</div><pre class="screen">~]$ <code class="command">fuser -m /media/cdrom</code>
/media/cdrom:         1793  2013  2022  2435 10532c 10672c</pre></div></div><div class="example" id="exam-Using_the_mount_Command-Unmounting"><h6>Example 2.9. Unmounting a CD</h6><div class="example-contents"><div class="para">
				To unmount a CD that was previously mounted to the <code class="filename">/media/cdrom/</code> directory, type the following at a shell prompt:
			</div><pre class="screen">~]$ <code class="command">umount /media/cdrom</code></pre></div></div><br class="example-break" /></div><div class="section" id="sect-Using_the_mount_Command-Additional_Resources"><div class="titlepage"><div><div><h2 class="title" id="sect-Using_the_mount_Command-Additional_Resources">2.4. Additional Resources</h2></div></div></div><div class="para">
			The following resources provide an in-depth documentation on the subject.
		</div><div class="section" id="sect-Using_the_mount_Command-Installed_Documentation"><div class="titlepage"><div><div><h3 class="title" id="sect-Using_the_mount_Command-Installed_Documentation">2.4.1. Installed Documentation</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">man 8 mount</code> — The manual page for the <code class="command">mount</code> command that provides a full documentation on its usage.
					</div></li><li class="listitem"><div class="para">
						<code class="command">man 8 umount</code> — The manual page for the <code class="command">umount</code> command that provides a full documentation on its usage.
					</div></li><li class="listitem"><div class="para">
						<code class="command">man 5 fstab</code> — The manual page providing a thorough description of the <code class="filename">/etc/fstab</code> file format.
					</div></li></ul></div></div><div class="section" id="sect-Using_the_mount_Command-Useful_Websites"><div class="titlepage"><div><div><h3 class="title" id="sect-Using_the_mount_Command-Useful_Websites">2.4.2. Useful Websites</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://lwn.net/Articles/159077/"><em class="citetitle">Shared subtrees</em></a> — An LWN article covering the concept of shared subtrees.
					</div></li><li class="listitem"><div class="para">
						<a href="http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob_plain;f=Documentation/sharedsubtree.txt;hb=ce9e3d9953c8cb67001719b5516da2928e956be4"><em class="citetitle">sharedsubtree.txt</em></a> — Extensive documentation that is shipped with the shared subtrees patches.
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-ext3" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 3. The ext3 File System</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-filesystem-ext3">3.1. Features of ext3</a></span></dt><dt><span class="section"><a href="#s1-filesystem-ext3-create">3.2. Creating an ext3 File System</a></span></dt><dt><span class="section"><a href="#s1-filesystem-ext3-convert">3.3. Converting to an ext3 File System</a></span></dt><dt><span class="section"><a href="#s1-filesystem-ext2-revert">3.4. Reverting to an ext2 File System</a></span></dt></dl></div><a id="id840275" class="indexterm"></a><div class="para">
		The default file system is the journaling <em class="firstterm">ext3</em> file system.
	</div><div class="section" id="s1-filesystem-ext3"><div class="titlepage"><div><div><h2 class="title" id="s1-filesystem-ext3">3.1. Features of ext3</h2></div></div></div><a id="id860265" class="indexterm"></a><div class="para">
			The ext3 file system is essentially an enhanced version of the ext2 file system. These improvements provide the following advantages:
		</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">Availability</span></dt><dd><div class="para">
						After an unexpected power failure or system crash (also called an <em class="firstterm">unclean system shutdown</em>), each mounted ext2 file system on the machine must be checked for consistency by the <code class="command">e2fsck</code> program. This is a time-consuming process that can delay system boot time significantly, especially with large volumes containing a large number of files. During this time, any data on the volumes is unreachable.
					</div><div class="para">
						The journaling provided by the ext3 file system means that this sort of file system check is no longer necessary after an unclean system shutdown. The only time a consistency check occurs using ext3 is in certain rare hardware failure cases, such as hard drive failures. The time to recover an ext3 file system after an unclean system shutdown does not depend on the size of the file system or the number of files; rather, it depends on the size of the <em class="firstterm">journal</em> used to maintain consistency. The default journal size takes about a second to recover, depending on the speed of the hardware.
					</div></dd><dt class="varlistentry"><span class="term">Data Integrity</span></dt><dd><div class="para">
						The ext3 file system prevents loss of data integrity in the event that an unclean system shutdown occurs. The ext3 file system allows you to choose the type and level of protection that your data receives. By default, the ext3 volumes are configured to keep a high level of data consistency with regard to the state of the file system.
					</div></dd><dt class="varlistentry"><span class="term">Speed</span></dt><dd><div class="para">
						Despite writing some data more than once, ext3 has a higher throughput in most cases than ext2 because ext3's journaling optimizes hard drive head motion. You can choose from three journaling modes to optimize speed, but doing so means trade-offs in regards to data integrity if the system was to fail.
					</div></dd><dt class="varlistentry"><span class="term">Easy Transition</span></dt><dd><div class="para">
						It is easy to migrate from ext2 to ext3 and gain the benefits of a robust journaling file system without reformatting. Refer to <a class="xref" href="#s1-filesystem-ext3-convert">Section 3.3, “Converting to an ext3 File System”</a> for more on how to perform this task.
					</div></dd></dl></div><div class="para">
			The following sections walk you through the steps for creating and tuning ext3 partitions. For ext2 partitions, skip the partitioning and formatting sections below and go directly to <a class="xref" href="#s1-filesystem-ext3-convert">Section 3.3, “Converting to an ext3 File System”</a>.
		</div></div><div class="section" id="s1-filesystem-ext3-create"><div class="titlepage"><div><div><h2 class="title" id="s1-filesystem-ext3-create">3.2. Creating an ext3 File System</h2></div></div></div><a id="id861890" class="indexterm"></a><div class="para">
			After installation, it is sometimes necessary to create a new ext3 file system. For example, if you add a new disk drive to the system, you may want to partition the drive and use the ext3 file system.
		</div><div class="para">
			The steps for creating an ext3 file system are as follows:
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					Format the partition with the ext3 file system using <code class="command">mkfs</code>.
				</div></li><li class="listitem"><div class="para">
					Label the partition using <code class="command">e2label</code>.
				</div></li></ol></div></div><div class="section" id="s1-filesystem-ext3-convert"><div class="titlepage"><div><div><h2 class="title" id="s1-filesystem-ext3-convert">3.3. Converting to an ext3 File System</h2></div></div></div><a id="id840057" class="indexterm"></a><a id="id840073" class="indexterm"></a><div class="para">
			The <code class="command">tune2fs</code> allows you to convert an <code class="filename">ext2</code> filesystem to <code class="filename">ext3</code>.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				Always use the <code class="command">e2fsck</code> utility to check your filesystem before and after using <code class="command">tune2fs</code>. A default installation of Red Hat Enterprise Linux uses ext3 for all file systems.
			</div></div></div><div class="para">
			To convert an <code class="filename">ext2</code> filesystem to <code class="filename">ext3</code>, log in as root and type the following command in a terminal:
		</div><pre class="screen"><code class="command">tune2fs -j <em class="replaceable"><code>&lt;block_device&gt;</code></em></code></pre><div class="para">
			where <em class="replaceable"><code>&lt;block_device&gt;</code></em> contains the ext2 filesystem you wish to convert.
		</div><div class="para">
			A valid block device could be one of two types of entries:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					A mapped device — A logical volume in a volume group, for example, <code class="command">/dev/mapper/VolGroup00-LogVol02</code>.
				</div></li><li class="listitem"><div class="para">
					A static device — A traditional storage volume, for example, <code class="command">/dev/<em class="replaceable"><code>hdb</code></em><em class="replaceable"><code>X</code></em></code>, where <em class="replaceable"><code>hdb</code></em> is a storage device name and <em class="replaceable"><code>X</code></em> is the partition number.
				</div></li></ul></div><div class="para">
			Issue the <code class="command">df</code> command to display mounted file systems.
		</div><div class="para">
			For the remainder of this section, the sample commands use the following value for the block device:
		</div><pre class="screen">/dev/mapper/VolGroup00-LogVol02</pre><a id="id925544" class="indexterm"></a><div class="para">
			You must recreate the initrd image so that it will contain the ext3 kernel module. To create this, run the <code class="command">mkinitrd</code> program. For information on using the <code class="command">mkinitrd</code> command, type <code class="command">man mkinitrd</code>. Also, make sure your GRUB configuration loads the <code class="filename">initrd</code>.
		</div><div class="para">
			If you fail to make this change, the system still boots, but the file system is mounted as ext2 instead of ext3.
		</div></div><div class="section" id="s1-filesystem-ext2-revert"><div class="titlepage"><div><div><h2 class="title" id="s1-filesystem-ext2-revert">3.4. Reverting to an ext2 File System</h2></div></div></div><a id="id925590" class="indexterm"></a><a id="id925606" class="indexterm"></a><a id="id925624" class="indexterm"></a><a id="id925638" class="indexterm"></a><a id="id925650" class="indexterm"></a><div class="para">
			If you wish to revert a partition from ext3 to ext2 for any reason, you must first unmount the partition by logging in as root and typing,
		</div><pre class="screen"><code class="command">umount <em class="replaceable"><code>/dev/mapper/VolGroup00-LogVol02</code></em></code></pre><div class="para">
			Next, change the file system type to ext2 by typing the following command as root:
		</div><pre class="screen"><code class="command">tune2fs -O ^has_journal <em class="replaceable"><code>/dev/mapper/VolGroup00-LogVol02</code></em></code></pre><div class="para">
			Check the partition for errors by typing the following command as root:
		</div><pre class="screen"><code class="command">e2fsck -y <em class="replaceable"><code>/dev/mapper/VolGroup00-LogVol02</code></em></code></pre><div class="para">
			Then mount the partition again as ext2 file system by typing:
		</div><pre class="screen"><code class="command">mount -t ext2 <em class="replaceable"><code>/dev/mapper/VolGroup00-LogVol02</code></em> <em class="replaceable"><code>/mount/point</code></em></code></pre><div class="para">
			In the above command, replace <em class="replaceable"><code>/mount/point</code></em> with the mount point of the partition.
		</div><div class="para">
			Next, remove the <code class="filename">.journal</code> file at the root level of the partition by changing to the directory where it is mounted and typing:
		</div><pre class="screen"><code class="command">rm -f .journal</code></pre><div class="para">
			You now have an ext2 partition.
		</div><div class="para">
			If you want to permanently change the partition to ext2, remember to update the <code class="filename">/etc/fstab</code> file.
		</div></div></div><div xml:lang="en-US" class="chapter" id="ch-proc" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 4. The <code class="filename">proc</code> File System</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-proc-virtual">4.1. A Virtual File System</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-proc-viewing">4.1.1. Viewing Virtual Files</a></span></dt><dt><span class="section"><a href="#s2-proc-change">4.1.2. Changing Virtual Files</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-proc-topfiles">4.2. Top-level Files within the <code class="filename">proc</code> File System</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-proc-apm">4.2.1.  <code class="filename">/proc/apm</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-buddyinfo">4.2.2.  <code class="filename">/proc/buddyinfo</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-cmdline">4.2.3.  <code class="filename">/proc/cmdline</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-cpuinfo">4.2.4.  <code class="filename">/proc/cpuinfo</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-crypto">4.2.5.  <code class="filename">/proc/crypto</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-devices">4.2.6.  <code class="filename">/proc/devices</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dma">4.2.7.  <code class="filename">/proc/dma</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-execdomains">4.2.8.  <code class="filename">/proc/execdomains</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-fb">4.2.9.  <code class="filename">/proc/fb</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-filesystems">4.2.10.  <code class="filename">/proc/filesystems</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-interrupts">4.2.11.  <code class="filename">/proc/interrupts</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-iomem">4.2.12.  <code class="filename">/proc/iomem</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-ioports">4.2.13.  <code class="filename">/proc/ioports</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-kcore">4.2.14.  <code class="filename">/proc/kcore</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-kmsg">4.2.15.  <code class="filename">/proc/kmsg</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-loadavg">4.2.16.  <code class="filename">/proc/loadavg</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-locks">4.2.17.  <code class="filename">/proc/locks</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-mdstat">4.2.18.  <code class="filename">/proc/mdstat</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-meminfo">4.2.19.  <code class="filename">/proc/meminfo</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-misc">4.2.20.  <code class="filename">/proc/misc</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-modules">4.2.21.  <code class="filename">/proc/modules</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-mounts">4.2.22.  <code class="filename">/proc/mounts</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-mtrr">4.2.23.  <code class="filename">/proc/mtrr</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-partitions">4.2.24.  <code class="filename">/proc/partitions</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-pci">4.2.25.  <code class="filename">/proc/pci</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-slabinfo">4.2.26.  <code class="filename">/proc/slabinfo</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-stat">4.2.27.  <code class="filename">/proc/stat</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-swaps">4.2.28.  <code class="filename">/proc/swaps</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-sysrq-trigger">4.2.29.  <code class="filename">/proc/sysrq-trigger</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-uptime">4.2.30.  <code class="filename">/proc/uptime</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-version">4.2.31.  <code class="filename">/proc/version</code> </a></span></dt></dl></dd><dt><span class="section"><a href="#s1-proc-directories">4.3. Directories within <code class="filename">/proc/</code> </a></span></dt><dd><dl><dt><span class="section"><a href="#s2-proc-processdirs">4.3.1. Process Directories</a></span></dt><dt><span class="section"><a href="#s2-proc-dir-bus">4.3.2.  <code class="filename">/proc/bus/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-driver">4.3.3.  <code class="filename">/proc/driver/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-fs">4.3.4.  <code class="filename">/proc/fs</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-ide">4.3.5.  <code class="filename">/proc/ide/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-irq">4.3.6.  <code class="filename">/proc/irq/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-net">4.3.7.  <code class="filename">/proc/net/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-scsi">4.3.8.  <code class="filename">/proc/scsi/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-sys">4.3.9.  <code class="filename">/proc/sys/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-dir-sysvipc">4.3.10.  <code class="filename">/proc/sysvipc/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-tty">4.3.11.  <code class="filename">/proc/tty/</code> </a></span></dt><dt><span class="section"><a href="#s2-proc-pid">4.3.12.  <code class="filename">/proc/&lt;PID&gt;/</code> </a></span></dt></dl></dd><dt><span class="section"><a href="#s1-proc-sysctl">4.4. Using the <code class="command">sysctl</code> Command</a></span></dt><dt><span class="section"><a href="#s1-proc-additional-resources">4.5. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-proc-installed-documentation">4.5.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-proc-useful-websites">4.5.2. Useful Websites</a></span></dt></dl></dd></dl></div><a id="id856380" class="indexterm"></a><a id="id1068177" class="indexterm"></a><div class="para">
		The Linux kernel has two primary functions: to control access to physical devices on the computer and to schedule when and how processes interact with these devices. The <code class="filename">/proc/</code> directory — also called the <code class="filename">proc</code> file system — contains a hierarchy of special files which represent the current state of the kernel — allowing applications and users to peer into the kernel's view of the system.
	</div><div class="para">
		Within the <code class="filename">/proc/</code> directory, one can find a wealth of information detailing the system hardware and any processes currently running. In addition, some of the files within the <code class="filename">/proc/</code> directory tree can be manipulated by users and applications to communicate configuration changes to the kernel.
	</div><div class="section" id="s1-proc-virtual"><div class="titlepage"><div><div><h2 class="title" id="s1-proc-virtual">4.1. A Virtual File System</h2></div></div></div><a id="id916665" class="indexterm"></a><a id="id835835" class="indexterm"></a><a id="id1068514" class="indexterm"></a><div class="para">
			Under Linux, all data are stored as files. Most users are familiar with the two primary types of files: text and binary. But the <code class="filename">/proc/</code> directory contains another type of file called a <em class="firstterm">virtual file</em>. It is for this reason that <code class="filename">/proc/</code> is often referred to as a <em class="firstterm">virtual file system</em>.
		</div><div class="para">
			These virtual files have unique qualities. Most of them are listed as zero bytes in size and yet when one is viewed, it can contain a large amount of information. In addition, most of the time and date settings on virtual files reflect the current time and date, indicative of the fact they are constantly updated.
		</div><div class="para">
			Virtual files such as <code class="filename">/proc/interrupts</code>, <code class="filename">/proc/meminfo</code>, <code class="filename">/proc/mounts</code>, and <code class="filename">/proc/partitions</code> provide an up-to-the-moment glimpse of the system's hardware. Others, like the <code class="filename">/proc/filesystems</code> file and the <code class="filename">/proc/sys/</code> directory provide system configuration information and interfaces.
		</div><div class="para">
			For organizational purposes, files containing information on a similar topic are grouped into virtual directories and sub-directories. For instance, <code class="filename">/proc/ide/</code> contains information for all physical IDE devices. Likewise, process directories contain information about each running process on the system.
		</div><div class="section" id="s2-proc-viewing"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-viewing">4.1.1. Viewing Virtual Files</h3></div></div></div><a id="id1068423" class="indexterm"></a><a id="id1068437" class="indexterm"></a><div class="para">
				By using the <code class="command">cat</code>, <code class="command">more</code>, or <code class="command">less</code> commands on files within the <code class="filename">/proc/</code> directory, users can immediately access enormous amounts of information about the system. For example, to display the type of CPU a computer has, type <code class="command">cat /proc/cpuinfo</code> to receive output similar to the following:
			</div><pre class="screen">processor	: 0
vendor_id	: AuthenticAMD
cpu family	: 5
model		: 9
model name	: AMD-K6(tm) 3D+
Processor stepping	: 1 cpu
MHz		: 400.919
cache size	: 256 KB
fdiv_bug	: no
hlt_bug		: no
f00f_bug	: no
coma_bug	: no
fpu		: yes
fpu_exception	: yes
cpuid level	: 1
wp		: yes
flags		: fpu vme de pse tsc msr mce cx8 pge mmx syscall 3dnow k6_mtrr
bogomips	: 799.53</pre><div class="para">
				When viewing different virtual files in the <code class="filename">/proc/</code> file system, some of the information is easily understandable while some is not human-readable. This is in part why utilities exist to pull data from virtual files and display it in a useful way. Examples of these utilities include <code class="command">lspci</code>, <code class="command">apm</code>, <code class="command">free</code>, and <code class="command">top</code>.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					Some of the virtual files in the <code class="filename">/proc/</code> directory are readable only by the root user.
				</div></div></div></div><div class="section" id="s2-proc-change"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-change">4.1.2. Changing Virtual Files</h3></div></div></div><a id="id1047249" class="indexterm"></a><a id="id1047262" class="indexterm"></a><div class="para">
				As a general rule, most virtual files within the <code class="filename">/proc/</code> directory are read-only. However, some can be used to adjust settings in the kernel. This is especially true for files in the <code class="filename">/proc/sys/</code> subdirectory.
			</div><div class="para">
				To change the value of a virtual file, use the <code class="command">echo</code> command and a greater than symbol (<code class="command">&gt;</code>) to redirect the new value to the file. For example, to change the hostname on the fly, type:
			</div><pre class="screen"><code class="command">echo <em class="replaceable"><code>www.example.com</code></em> &gt; /proc/sys/kernel/hostname </code></pre><div class="para">
				Other files act as binary or Boolean switches. Typing <code class="command">cat /proc/sys/net/ipv4/ip_forward</code> returns either a <code class="computeroutput">0</code> or a <code class="computeroutput">1</code>. A <code class="computeroutput">0</code> indicates that the kernel is not forwarding network packets. Using the <code class="command">echo</code> command to change the value of the <code class="filename">ip_forward</code> file to <code class="computeroutput">1</code> immediately turns packet forwarding on.
			</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
					Another command used to alter settings in the <code class="filename">/proc/sys/</code> subdirectory is <code class="command">/sbin/sysctl</code>. For more information on this command, refer to <a class="xref" href="#s1-proc-sysctl">Section 4.4, “Using the <code class="command">sysctl</code> Command”</a>
				</div></div></div><div class="para">
				For a listing of some of the kernel configuration files available in the <code class="filename">/proc/sys/</code> subdirectory, refer to <a class="xref" href="#s2-proc-dir-sys">Section 4.3.9, “ <code class="filename">/proc/sys/</code> ”</a>.
			</div></div></div><div class="section" id="s1-proc-topfiles"><div class="titlepage"><div><div><h2 class="title" id="s1-proc-topfiles">4.2. Top-level Files within the <code class="filename">proc</code> File System</h2></div></div></div><a id="id782191" class="indexterm"></a><div class="para">
			Below is a list of some of the more useful virtual files in the top-level of the <code class="filename">/proc/</code> directory.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				In most cases, the content of the files listed in this section are not the same as those installed on your machine. This is because much of the information is specific to the hardware on which Red Hat Enterprise Linux is running for this documentation effort.
			</div></div></div><div class="section" id="s2-proc-apm"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-apm">4.2.1.  <code class="filename">/proc/apm</code> </h3></div></div></div><a id="id782244" class="indexterm"></a><div class="para">
				This file provides information about the state of the <em class="firstterm">Advanced Power Management (APM)</em> system and is used by the <code class="command">apm</code> command. If a system with no battery is connected to an AC power source, this virtual file would look similar to the following:
			</div><pre class="screen">1.16 1.2 0x07 0x01 0xff 0x80 -1% -1 ?</pre><div class="para">
				Running the <code class="command">apm -v</code> command on such a system results in output similar to the following:
			</div><pre class="screen">APM BIOS 1.2 (kernel driver 1.16ac) AC on-line, no system battery</pre><div class="para">
				For systems which do not use a battery as a power source, <code class="command">apm</code> is able do little more than put the machine in standby mode. The <code class="command">apm</code> command is much more useful on laptops. For example, the following output is from the command <code class="command">cat /proc/apm</code> on a laptop while plugged into a power outlet:
			</div><pre class="screen">1.16 1.2 0x03 0x01 0x03 0x09 100% -1 ?</pre><div class="para">
				When the same laptop is unplugged from its power source for a few minutes, the content of the <code class="filename">apm</code> file changes to something like the following:
			</div><pre class="screen">1.16 1.2 0x03 0x00 0x00 0x01 99% 1792 min</pre><div class="para">
				The <code class="command">apm -v</code> command now yields more useful data, such as the following:
			</div><pre class="screen">APM BIOS 1.2 (kernel driver 1.16) AC off-line, battery status high: 99% (1 day, 5:52)</pre></div><div class="section" id="s2-proc-buddyinfo"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-buddyinfo">4.2.2.  <code class="filename">/proc/buddyinfo</code> </h3></div></div></div><a id="id787258" class="indexterm"></a><div class="para">
				This file is used primarily for diagnosing memory fragmentation issues. Using the buddy algorithm, each column represents the number of pages of a certain order (a certain size) that are available at any given time. For example, for zone DMA (direct memory access), there are 90 of 2^(0*PAGE_SIZE) chunks of memory. Similarly, there are 6 of 2^(1*PAGE_SIZE) chunks, and 2 of 2^(2*PAGE_SIZE) chunks of memory available.
			</div><div class="para">
				The <code class="filename">DMA</code> row references the first 16 MB on a system, the <code class="filename">HighMem</code> row references all memory greater than 4 GB on a system, and the <code class="filename">Normal</code> row references all memory in between.
			</div><div class="para">
				The following is an example of the output typical of <code class="filename">/proc/buddyinfo</code>:
			</div><pre class="screen">Node 0, zone      DMA     90      6      2      1      1      ...
Node 0, zone   Normal   1650    310      5      0      0      ...
Node 0, zone  HighMem      2      0      0      1      1      ...</pre></div><div class="section" id="s2-proc-cmdline"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-cmdline">4.2.3.  <code class="filename">/proc/cmdline</code> </h3></div></div></div><a id="id787331" class="indexterm"></a><div class="para">
				This file shows the parameters passed to the kernel at the time it is started. A sample <code class="filename">/proc/cmdline</code> file looks like the following:
			</div><pre class="screen">ro root=/dev/VolGroup00/LogVol00 rhgb quiet 3</pre><div class="para">
				This output tells us the following:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">ro</span></dt><dd><div class="para">
							The root device is mounted read-only at boot time. The presence of <code class="computeroutput">ro</code> on the kernel boot line overrides any instances of <code class="computeroutput">rw</code>.
						</div></dd><dt class="varlistentry"><span class="term">root=/dev/VolGroup00/LogVol00</span></dt><dd><div class="para">
							This tells us on which disk device or, in this case, on which logical volume, the root filesystem image is located. With our sample <code class="filename">/proc/cmdline</code> output, the root filesystem image is located on the first logical volume (<code class="computeroutput">LogVol00</code>) of the first LVM volume group (<code class="computeroutput">VolGroup00</code>). On a system not using Logical Volume Management, the root file system might be located on <code class="filename">/dev/sda1</code> or <code class="filename">/dev/sda2</code>, meaning on either the first or second partition of the first SCSI or SATA disk drive, depending on whether we have a separate (preceding) boot or swap partition on that drive.
						</div><div class="para">
							For more information on LVM used in Red Hat Enterprise Linux, refer to <a href="http://www.tldp.org/HOWTO/LVM-HOWTO/index.html">http://www.tldp.org/HOWTO/LVM-HOWTO/index.html</a>.
						</div></dd><dt class="varlistentry"><span class="term">rhgb</span></dt><dd><div class="para">
							A short lowercase acronym that stands for <span class="emphasis"><em>Red Hat Graphical Boot</em></span>, providing "rhgb" on the kernel command line signals that graphical booting is supported, assuming that <code class="filename">/etc/inittab</code> shows that the default runlevel is set to 5 with a line like this:
						</div><pre class="screen">id:5:initdefault:</pre></dd><dt class="varlistentry"><span class="term">quiet</span></dt><dd><div class="para">
							Indicates that all verbose kernel messages except those which are extremely serious should be suppressed at boot time.
						</div></dd></dl></div></div><div class="section" id="s2-proc-cpuinfo"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-cpuinfo">4.2.4.  <code class="filename">/proc/cpuinfo</code> </h3></div></div></div><a id="id786870" class="indexterm"></a><div class="para">
				This virtual file identifies the type of processor used by your system. The following is an example of the output typical of <code class="filename">/proc/cpuinfo</code>:
			</div><pre class="screen">processor	: 0
vendor_id	: GenuineIntel
cpu family	: 15
model		: 2
model name	: Intel(R) Xeon(TM) CPU 2.40GHz
stepping	: 7 cpu
MHz		: 2392.371
cache size	: 512 KB
physical id	: 0
siblings	: 2
runqueue	: 0
fdiv_bug	: no
hlt_bug		: no
f00f_bug	: no
coma_bug	: no
fpu		: yes
fpu_exception	: yes
cpuid level	: 2
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca  cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm
bogomips	: 4771.02</pre><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="computeroutput">processor</code> — Provides each processor with an identifying number. On systems that have one processor, only a <code class="computeroutput">0</code> is present.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">cpu family</code> — Authoritatively identifies the type of processor in the system. For an Intel-based system, place the number in front of "86" to determine the value. This is particularly helpful for those attempting to identify the architecture of an older system such as a 586, 486, or 386. Because some RPM packages are compiled for each of these particular architectures, this value also helps users determine which packages to install.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">model name</code> — Displays the common name of the processor, including its project name.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">cpu MHz</code> — Shows the precise speed in megahertz for the processor to the thousandths decimal place.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">cache size</code> — Displays the amount of level 2 memory cache available to the processor.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">siblings</code> — Displays the number of sibling CPUs on the same physical CPU for architectures which use hyper-threading.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">flags</code> — Defines a number of different qualities about the processor, such as the presence of a floating point unit (FPU) and the ability to process MMX instructions.
					</div></li></ul></div></div><div class="section" id="s2-proc-crypto"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-crypto">4.2.5.  <code class="filename">/proc/crypto</code> </h3></div></div></div><a id="id787019" class="indexterm"></a><div class="para">
				This file lists all installed cryptographic ciphers used by the Linux kernel, including additional details for each. A sample <code class="filename">/proc/crypto</code> file looks like the following:
			</div><pre class="screen">name         : sha1
module       : kernel
type         : digest
blocksize    : 64
digestsize   : 20
name         : md5
module       : md5
type         : digest
blocksize    : 64
digestsize   : 16</pre></div><div class="section" id="s2-proc-devices"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-devices">4.2.6.  <code class="filename">/proc/devices</code> </h3></div></div></div><a id="id787069" class="indexterm"></a><a id="id787094" class="indexterm"></a><a id="id787120" class="indexterm"></a><a id="id787134" class="indexterm"></a><a id="id787151" class="indexterm"></a><a id="id787169" class="indexterm"></a><div class="para">
				This file displays the various character and block devices currently configured (not including devices whose modules are not loaded). Below is a sample output from this file:
			</div><pre class="screen">Character devices:
  1 mem
  4 /dev/vc/0
  4 tty
  4 ttyS
  5 /dev/tty
  5 /dev/console
  5 /dev/ptmx
  7 vcs
  10 misc
  13 input
  29 fb
  36 netlink
  128 ptm
  136 pts
  180 usb

Block devices:
  1 ramdisk
  3 ide0
  9 md
  22 ide1
  253 device-mapper
  254 mdp</pre><div class="para">
				The output from <code class="filename">/proc/devices</code> includes the major number and name of the device, and is broken into two major sections: <code class="computeroutput">Character devices</code> and <code class="computeroutput">Block devices</code>.
			</div><div class="para">
				<em class="firstterm">Character devices</em> are similar to <em class="firstterm">block devices</em>, except for two basic differences:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Character devices do not require buffering. Block devices have a buffer available, allowing them to order requests before addressing them. This is important for devices designed to store information — such as hard drives — because the ability to order the information before writing it to the device allows it to be placed in a more efficient order.
					</div></li><li class="listitem"><div class="para">
						Character devices send data with no preconfigured size. Block devices can send and receive information in blocks of a size configured per device.
					</div></li></ol></div><div class="para">
				For more information about devices refer to the following installed documentation:
			</div><pre class="screen">/usr/share/doc/kernel-doc-<em class="replaceable"><code>&lt;version&gt;</code></em>/Documentation/devices.txt</pre></div><div class="section" id="s2-proc-dma"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-dma">4.2.7.  <code class="filename">/proc/dma</code> </h3></div></div></div><a id="id921997" class="indexterm"></a><div class="para">
				This file contains a list of the registered ISA DMA channels in use. A sample <code class="filename">/proc/dma</code> files looks like the following:
			</div><pre class="screen">4: cascade</pre></div><div class="section" id="s2-proc-execdomains"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-execdomains">4.2.8.  <code class="filename">/proc/execdomains</code> </h3></div></div></div><a id="id922044" class="indexterm"></a><a id="id922066" class="indexterm"></a><a id="id922084" class="indexterm"></a><div class="para">
				This file lists the <em class="firstterm">execution domains</em> currently supported by the Linux kernel, along with the range of personalities they support.
			</div><pre class="screen">0-0   Linux           [kernel]</pre><div class="para">
				Think of execution domains as the "personality" for an operating system. Because other binary formats, such as Solaris, UnixWare, and FreeBSD, can be used with Linux, programmers can change the way the operating system treats system calls from these binaries by changing the personality of the task. Except for the <code class="computeroutput">PER_LINUX</code> execution domain, different personalities can be implemented as dynamically loadable modules.
			</div></div><div class="section" id="s2-proc-fb"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-fb">4.2.9.  <code class="filename">/proc/fb</code> </h3></div></div></div><a id="id922133" class="indexterm"></a><a id="id922154" class="indexterm"></a><div class="para">
				This file contains a list of frame buffer devices, with the frame buffer device number and the driver that controls it. Typical output of <code class="filename">/proc/fb</code> for systems which contain frame buffer devices looks similar to the following:
			</div><pre class="screen">0 VESA VGA</pre></div><div class="section" id="s2-proc-filesystems"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-filesystems">4.2.10.  <code class="filename">/proc/filesystems</code> </h3></div></div></div><a id="id922199" class="indexterm"></a><div class="para">
				This file displays a list of the file system types currently supported by the kernel. Sample output from a generic <code class="filename">/proc/filesystems</code> file looks similar to the following:
			</div><pre class="screen">nodev   sysfs
nodev   rootfs
nodev   bdev
nodev   proc
nodev   sockfs
nodev   binfmt_misc
nodev   usbfs
nodev   usbdevfs
nodev   futexfs
nodev   tmpfs
nodev   pipefs
nodev   eventpollfs
nodev   devpts
	ext2
nodev   ramfs
nodev   hugetlbfs
	iso9660
nodev   mqueue
	ext3
nodev   rpc_pipefs
nodev   autofs</pre><div class="para">
				The first column signifies whether the file system is mounted on a block device. Those beginning with <code class="computeroutput">nodev</code> are not mounted on a device. The second column lists the names of the file systems supported.
			</div><div class="para">
				The <code class="command">mount</code> command cycles through the file systems listed here when one is not specified as an argument.
			</div></div><div class="section" id="s2-proc-interrupts"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-interrupts">4.2.11.  <code class="filename">/proc/interrupts</code> </h3></div></div></div><a id="id922266" class="indexterm"></a><div class="para">
				This file records the number of interrupts per IRQ on the x86 architecture. A standard <code class="filename">/proc/interrupts</code> looks similar to the following:
			</div><pre class="screen">  CPU0
  0:   80448940          XT-PIC  timer
  1:     174412          XT-PIC  keyboard
  2:          0          XT-PIC  cascade
  8:          1          XT-PIC  rtc
 10:     410964          XT-PIC  eth0
 12:      60330          XT-PIC  PS/2 Mouse
 14:    1314121          XT-PIC  ide0
 15:    5195422          XT-PIC  ide1
NMI:          0
ERR:          0</pre><div class="para">
				For a multi-processor machine, this file may look slightly different:
			</div><pre class="screen">	   CPU0       CPU1
  0: 1366814704          0          XT-PIC  timer
  1:        128        340    IO-APIC-edge  keyboard
  2:          0          0          XT-PIC  cascade
  8:          0          1    IO-APIC-edge  rtc
 12:       5323       5793    IO-APIC-edge  PS/2 Mouse
 13:          1          0          XT-PIC  fpu
 16:   11184294   15940594   IO-APIC-level  Intel EtherExpress Pro 10/100 Ethernet
 20:    8450043   11120093   IO-APIC-level  megaraid
 30:      10432      10722   IO-APIC-level  aic7xxx
 31:         23         22   IO-APIC-level  aic7xxx
NMI:          0
ERR:          0</pre><div class="para">
				The first column refers to the IRQ number. Each CPU in the system has its own column and its own number of interrupts per IRQ. The next column reports the type of interrupt, and the last column contains the name of the device that is located at that IRQ.
			</div><div class="para">
				Each of the types of interrupts seen in this file, which are architecture-specific, mean something different. For x86 machines, the following values are common:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="computeroutput">XT-PIC</code> — This is the old AT computer interrupts.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">IO-APIC-edge</code> — The voltage signal on this interrupt transitions from low to high, creating an <span class="emphasis"><em>edge</em></span>, where the interrupt occurs and is only signaled once. This kind of interrupt, as well as the <code class="computeroutput">IO-APIC-level</code> interrupt, are only seen on systems with processors from the 586 family and higher.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">IO-APIC-level</code> — Generates interrupts when its voltage signal is high until the signal is low again.
					</div></li></ul></div></div><div class="section" id="s2-proc-iomem"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-iomem">4.2.12.  <code class="filename">/proc/iomem</code> </h3></div></div></div><a id="id922387" class="indexterm"></a><div class="para">
				This file shows you the current map of the system's memory for each physical device:
			</div><pre class="screen">00000000-0009fbff : System RAM
0009fc00-0009ffff : reserved
000a0000-000bffff : Video RAM area
000c0000-000c7fff : Video ROM
000f0000-000fffff : System ROM
00100000-07ffffff : System RAM
00100000-00291ba8 : Kernel code
00291ba9-002e09cb : Kernel data
e0000000-e3ffffff : VIA Technologies, Inc. VT82C597 [Apollo VP3] e4000000-e7ffffff : PCI Bus #01
e4000000-e4003fff : Matrox Graphics, Inc. MGA G200 AGP
e5000000-e57fffff : Matrox Graphics, Inc. MGA G200 AGP
e8000000-e8ffffff : PCI Bus #01
e8000000-e8ffffff : Matrox Graphics, Inc. MGA G200 AGP
ea000000-ea00007f : Digital Equipment Corporation DECchip 21140 [FasterNet]
ea000000-ea00007f : tulip ffff0000-ffffffff : reserved</pre><div class="para">
				The first column displays the memory registers used by each of the different types of memory. The second column lists the kind of memory located within those registers and displays which memory registers are used by the kernel within the system RAM or, if the network interface card has multiple Ethernet ports, the memory registers assigned for each port.
			</div></div><div class="section" id="s2-proc-ioports"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-ioports">4.2.13.  <code class="filename">/proc/ioports</code> </h3></div></div></div><a id="id922442" class="indexterm"></a><div class="para">
				The output of <code class="filename">/proc/ioports</code> provides a list of currently registered port regions used for input or output communication with a device. This file can be quite long. The following is a partial listing:
			</div><pre class="screen">0000-001f : dma1
0020-003f : pic1
0040-005f : timer
0060-006f : keyboard
0070-007f : rtc
0080-008f : dma page reg
00a0-00bf : pic2
00c0-00df : dma2
00f0-00ff : fpu
0170-0177 : ide1
01f0-01f7 : ide0
02f8-02ff : serial(auto)
0376-0376 : ide1
03c0-03df : vga+
03f6-03f6 : ide0
03f8-03ff : serial(auto)
0cf8-0cff : PCI conf1
d000-dfff : PCI Bus #01
e000-e00f : VIA Technologies, Inc. Bus Master IDE
e000-e007 : ide0
e008-e00f : ide1
e800-e87f : Digital Equipment Corporation DECchip 21140 [FasterNet]
e800-e87f : tulip</pre><div class="para">
				The first column gives the I/O port address range reserved for the device listed in the second column.
			</div></div><div class="section" id="s2-proc-kcore"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-kcore">4.2.14.  <code class="filename">/proc/kcore</code> </h3></div></div></div><a id="id922500" class="indexterm"></a><div class="para">
				This file represents the physical memory of the system and is stored in the core file format. Unlike most <code class="filename">/proc/</code> files, <code class="filename">kcore</code> displays a size. This value is given in bytes and is equal to the size of the physical memory (RAM) used plus 4 KB.
			</div><div class="para">
				The contents of this file are designed to be examined by a debugger, such as <code class="command">gdb</code>, and is not human readable.
			</div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
					Do not view the <code class="filename">/proc/kcore</code> virtual file. The contents of the file scramble text output on the terminal. If this file is accidentally viewed, press <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>C</strong></span> to stop the process and then type <code class="command">reset</code> to bring back the command line prompt.
				</div></div></div></div><div class="section" id="s2-proc-kmsg"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-kmsg">4.2.15.  <code class="filename">/proc/kmsg</code> </h3></div></div></div><a id="id922588" class="indexterm"></a><div class="para">
				This file is used to hold messages generated by the kernel. These messages are then picked up by other programs, such as <code class="command">/sbin/klogd</code> or <code class="command">/bin/dmesg</code>.
			</div></div><div class="section" id="s2-proc-loadavg"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-loadavg">4.2.16.  <code class="filename">/proc/loadavg</code> </h3></div></div></div><a id="id922639" class="indexterm"></a><div class="para">
				This file provides a look at the load average in regard to both the CPU and IO over time, as well as additional data used by <code class="command">uptime</code> and other commands. A sample <code class="filename">/proc/loadavg</code> file looks similar to the following:
			</div><pre class="screen">0.20 0.18 0.12 1/80 11206</pre><div class="para">
				The first three columns measure CPU and IO utilization of the last one, five, and 15 minute periods. The fourth column shows the number of currently running processes and the total number of processes. The last column displays the last process ID used.
			</div><div class="para">
				In addition, load average also refers to the number of processes ready to run (i.e. in the run queue, waiting for a CPU share.
			</div></div><div class="section" id="s2-proc-locks"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-locks">4.2.17.  <code class="filename">/proc/locks</code> </h3></div></div></div><a id="id922706" class="indexterm"></a><div class="para">
				This file displays the files currently locked by the kernel. The contents of this file contain internal kernel debugging data and can vary tremendously, depending on the use of the system. A sample <code class="filename">/proc/locks</code> file for a lightly loaded system looks similar to the following:
			</div><pre class="screen">1: POSIX  ADVISORY  WRITE 3568 fd:00:2531452 0 EOF
2: FLOCK  ADVISORY  WRITE 3517 fd:00:2531448 0 EOF
3: POSIX  ADVISORY  WRITE 3452 fd:00:2531442 0 EOF
4: POSIX  ADVISORY  WRITE 3443 fd:00:2531440 0 EOF
5: POSIX  ADVISORY  WRITE 3326 fd:00:2531430 0 EOF
6: POSIX  ADVISORY  WRITE 3175 fd:00:2531425 0 EOF
7: POSIX  ADVISORY  WRITE 3056 fd:00:2548663 0 EOF</pre><div class="para">
				Each lock has its own line which starts with a unique number. The second column refers to the class of lock used, with <code class="computeroutput">FLOCK</code> signifying the older-style UNIX file locks from a <code class="command">flock</code> system call and <code class="computeroutput">POSIX</code> representing the newer POSIX locks from the <code class="command">lockf</code> system call.
			</div><div class="para">
				The third column can have two values: <code class="computeroutput">ADVISORY</code> or <code class="computeroutput">MANDATORY</code>. <code class="computeroutput">ADVISORY</code> means that the lock does not prevent other people from accessing the data; it only prevents other attempts to lock it. <code class="computeroutput">MANDATORY</code> means that no other access to the data is permitted while the lock is held. The fourth column reveals whether the lock is allowing the holder <code class="computeroutput">READ</code> or <code class="computeroutput">WRITE</code> access to the file. The fifth column shows the ID of the process holding the lock. The sixth column shows the ID of the file being locked, in the format of <code class="computeroutput"><em class="replaceable"><code>MAJOR-DEVICE</code></em>:<em class="replaceable"><code>MINOR-DEVICE</code></em>:<em class="replaceable"><code>INODE-NUMBER</code></em> </code>. The seventh and eighth column shows the start and end of the file's locked region.
			</div></div><div class="section" id="s2-proc-mdstat"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-mdstat">4.2.18.  <code class="filename">/proc/mdstat</code> </h3></div></div></div><a id="id922827" class="indexterm"></a><div class="para">
				This file contains the current information for multiple-disk, RAID configurations. If the system does not contain such a configuration, then <code class="filename">/proc/mdstat</code> looks similar to the following:
			</div><pre class="screen">Personalities :  read_ahead not set unused devices: &lt;none&gt;</pre><div class="para">
				This file remains in the same state as seen above unless a software RAID or <code class="filename">md</code> device is present. In that case, view <code class="filename">/proc/mdstat</code> to find the current status of <code class="filename">md<em class="replaceable"><code>X</code></em> </code> RAID devices.
			</div><div class="para">
				The <code class="filename">/proc/mdstat</code> file below shows a system with its <code class="filename">md0</code> configured as a RAID 1 device, while it is currently re-syncing the disks:
			</div><pre class="screen">Personalities : [linear] [raid1] read_ahead 1024 sectors
md0: active raid1 sda2[1] sdb2[0] 9940 blocks [2/2] [UU] resync=1% finish=12.3min algorithm 2 [3/3] [UUU]
unused devices: &lt;none&gt;</pre></div><div class="section" id="s2-proc-meminfo"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-meminfo">4.2.19.  <code class="filename">/proc/meminfo</code> </h3></div></div></div><a id="id922914" class="indexterm"></a><div class="para">
				This is one of the more commonly used files in the <code class="filename">/proc/</code> directory, as it reports a large amount of valuable information about the systems RAM usage.
			</div><div class="para">
				The following sample <code class="filename">/proc/meminfo</code> virtual file is from a system with 256 MB of RAM and 512 MB of swap space:
			</div><pre class="screen">MemTotal:       255908 kB
MemFree:         69936 kB
Buffers:         15812 kB
Cached:         115124 kB
SwapCached:          0 kB
Active:          92700 kB
Inactive:        63792 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:       255908 kB
LowFree:         69936 kB
SwapTotal:      524280 kB
SwapFree:       524280 kB
Dirty:               4 kB
Writeback:           0 kB
Mapped:          42236 kB
Slab:            25912 kB
Committed_AS:   118680 kB
PageTables:       1236 kB
VmallocTotal:  3874808 kB
VmallocUsed:      1416 kB
VmallocChunk:  3872908 kB
HugePages_Total:     0
HugePages_Free:      0
Hugepagesize:     4096 kB</pre><div class="para">
				Much of the information here is used by the <code class="command">free</code>, <code class="command">top</code>, and <code class="command">ps</code> commands. In fact, the output of the <code class="command">free</code> command is similar in appearance to the contents and structure of <code class="filename">/proc/meminfo</code>. But by looking directly at <code class="filename">/proc/meminfo</code>, more details are revealed:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="computeroutput">MemTotal</code> — Total amount of physical RAM, in kilobytes.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">MemFree</code> — The amount of physical RAM, in kilobytes, left unused by the system.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">Buffers</code> — The amount of physical RAM, in kilobytes, used for file buffers.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">Cached</code> — The amount of physical RAM, in kilobytes, used as cache memory.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">SwapCached</code> — The amount of swap, in kilobytes, used as cache memory.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">Active</code> — The total amount of buffer or page cache memory, in kilobytes, that is in active use. This is memory that has been recently used and is usually not reclaimed for other purposes.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">Inactive</code> — The total amount of buffer or page cache memory, in kilobytes, that are free and available. This is memory that has not been recently used and can be reclaimed for other purposes.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">HighTotal</code> and <code class="computeroutput">HighFree</code> — The total and free amount of memory, in kilobytes, that is not directly mapped into kernel space. The <code class="computeroutput">HighTotal</code> value can vary based on the type of kernel used.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">LowTotal</code> and <code class="computeroutput">LowFree</code> — The total and free amount of memory, in kilobytes, that is directly mapped into kernel space. The <code class="computeroutput">LowTotal</code> value can vary based on the type of kernel used.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">SwapTotal</code> — The total amount of swap available, in kilobytes.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">SwapFree</code> — The total amount of swap free, in kilobytes.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">Dirty</code> — The total amount of memory, in kilobytes, waiting to be written back to the disk.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">Writeback</code> — The total amount of memory, in kilobytes, actively being written back to the disk.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">Mapped</code> — The total amount of memory, in kilobytes, which have been used to map devices, files, or libraries using the <code class="command">mmap</code> command.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">Slab</code> — The total amount of memory, in kilobytes, used by the kernel to cache data structures for its own use.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">Committed_AS</code> — The total amount of memory, in kilobytes, estimated to complete the workload. This value represents the worst case scenario value, and also includes swap memory.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">PageTables</code> — The total amount of memory, in kilobytes, dedicated to the lowest page table level.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">VMallocTotal</code> — The total amount of memory, in kilobytes, of total allocated virtual address space.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">VMallocUsed</code> — The total amount of memory, in kilobytes, of used virtual address space.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">VMallocChunk</code> — The largest contiguous block of memory, in kilobytes, of available virtual address space.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">HugePages_Total</code> — The total number of hugepages for the system. The number is derived by dividing <code class="computeroutput">Hugepagesize</code> by the megabytes set aside for hugepages specified in <code class="filename">/proc/sys/vm/hugetlb_pool</code>. <span class="emphasis"><em>This statistic only appears on the x86, Itanium, and AMD64 architectures.</em></span>
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">HugePages_Free</code> — The total number of hugepages available for the system. <span class="emphasis"><em>This statistic only appears on the x86, Itanium, and AMD64 architectures.</em></span>
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">Hugepagesize</code> — The size for each hugepages unit in kilobytes. By default, the value is 4096 KB on uniprocessor kernels for 32 bit architectures. For SMP, hugemem kernels, and AMD64, the default is 2048 KB. For Itanium architectures, the default is 262144 KB. <span class="emphasis"><em>This statistic only appears on the x86, Itanium, and AMD64 architectures.</em></span>
					</div></li></ul></div></div><div class="section" id="s2-proc-misc"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-misc">4.2.20.  <code class="filename">/proc/misc</code> </h3></div></div></div><a id="id923335" class="indexterm"></a><div class="para">
				This file lists miscellaneous drivers registered on the miscellaneous major device, which is device number 10:
			</div><pre class="screen">63 device-mapper 175 agpgart 135 rtc 134 apm_bios</pre><div class="para">
				The first column is the minor number of each device, while the second column shows the driver in use.
			</div></div><div class="section" id="s2-proc-modules"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-modules">4.2.21.  <code class="filename">/proc/modules</code> </h3></div></div></div><a id="id923386" class="indexterm"></a><div class="para">
				This file displays a list of all modules loaded into the kernel. Its contents vary based on the configuration and use of your system, but it should be organized in a similar manner to this sample <code class="filename">/proc/modules</code> file output:
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					This example has been reformatted into a readable format. Most of this information can also be viewed via the <code class="command">/sbin/lsmod</code> command.
				</div></div></div><pre class="screen">nfs      170109  0 -          Live 0x129b0000
lockd    51593   1 nfs,       Live 0x128b0000
nls_utf8 1729    0 -          Live 0x12830000
vfat     12097   0 -          Live 0x12823000
fat      38881   1 vfat,      Live 0x1287b000
autofs4  20293   2 -          Live 0x1284f000
sunrpc   140453  3 nfs,lockd, Live 0x12954000
3c59x    33257   0 -          Live 0x12871000
uhci_hcd 28377   0 -          Live 0x12869000
md5      3777    1 -          Live 0x1282c000
ipv6     211845 16 -          Live 0x128de000
ext3     92585   2 -          Live 0x12886000
jbd      65625   1 ext3,      Live 0x12857000
dm_mod   46677   3 -          Live 0x12833000</pre><div class="para">
				The first column contains the name of the module.
			</div><div class="para">
				The second column refers to the memory size of the module, in bytes.
			</div><div class="para">
				The third column lists how many instances of the module are currently loaded. A value of zero represents an unloaded module.
			</div><div class="para">
				The fourth column states if the module depends upon another module to be present in order to function, and lists those other modules.
			</div><div class="para">
				The fifth column lists what load state the module is in: <code class="command">Live</code>, <code class="command">Loading</code>, or <code class="command">Unloading</code> are the only possible values.
			</div><div class="para">
				The sixth column lists the current kernel memory offset for the loaded module. This information can be useful for debugging purposes, or for profiling tools such as <code class="filename">oprofile</code>.
			</div></div><div class="section" id="s2-proc-mounts"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-mounts">4.2.22.  <code class="filename">/proc/mounts</code> </h3></div></div></div><a id="id923503" class="indexterm"></a><div class="para">
				This file provides a list of all mounts in use by the system:
			</div><pre class="screen">rootfs / rootfs rw 0 0
/proc /proc proc rw,nodiratime 0 0 none
/dev ramfs rw 0 0
/dev/mapper/VolGroup00-LogVol00 / ext3 rw 0 0
none /dev ramfs rw 0 0
/proc /proc proc rw,nodiratime 0 0
/sys /sys sysfs rw 0 0
none /dev/pts devpts rw 0 0
usbdevfs /proc/bus/usb usbdevfs rw 0 0
/dev/hda1 /boot ext3 rw 0 0
none /dev/shm tmpfs rw 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw 0 0
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw 0 0</pre><div class="para">
				The output found here is similar to the contents of <code class="filename">/etc/mtab</code>, except that <code class="filename">/proc/mount</code> is more up-to-date.
			</div><div class="para">
				The first column specifies the device that is mounted, the second column reveals the mount point, and the third column tells the file system type, and the fourth column tells you if it is mounted read-only (<code class="computeroutput">ro</code>) or read-write (<code class="computeroutput">rw</code>). The fifth and sixth columns are dummy values designed to match the format used in <code class="filename">/etc/mtab</code>.
			</div></div><div class="section" id="s2-proc-mtrr"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-mtrr">4.2.23.  <code class="filename">/proc/mtrr</code> </h3></div></div></div><a id="id923582" class="indexterm"></a><div class="para">
				This file refers to the current Memory Type Range Registers (MTRRs) in use with the system. If the system architecture supports MTRRs, then the <code class="filename">/proc/mtrr</code> file may look similar to the following:
			</div><pre class="screen">reg00: base=0x00000000 (   0MB), size= 256MB: write-back, count=1
reg01: base=0xe8000000 (3712MB), size=  32MB: write-combining, count=1</pre><div class="para">
				MTRRs are used with the Intel P6 family of processors (Pentium II and higher) and control processor access to memory ranges. When using a video card on a PCI or AGP bus, a properly configured <code class="filename">/proc/mtrr</code> file can increase performance more than 150%.
			</div><div class="para">
				Most of the time, this value is properly configured by default. More information on manually configuring this file can be found locally at the following location:
			</div><pre class="screen">/usr/share/doc/kernel-doc-<em class="replaceable"><code>&lt;version&gt;</code></em>/Documentation/mtrr.txt</pre></div><div class="section" id="s2-proc-partitions"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-partitions">4.2.24.  <code class="filename">/proc/partitions</code> </h3></div></div></div><a id="id923655" class="indexterm"></a><div class="para">
				This file contains partition block allocation information. A sampling of this file from a basic system looks similar to the following:
			</div><pre class="screen">major minor  #blocks  name
  3     0   19531250 hda
  3     1     104391 hda1
  3     2   19422585 hda2
253     0   22708224 dm-0
253     1     524288 dm-1</pre><div class="para">
				Most of the information here is of little importance to the user, except for the following columns:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="computeroutput">major</code> — The major number of the device with this partition. The major number in the <code class="filename">/proc/partitions</code>, (<code class="computeroutput">3</code>), corresponds with the block device <code class="computeroutput">ide0</code>, in <code class="filename">/proc/devices</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">minor</code> — The minor number of the device with this partition. This serves to separate the partitions into different physical devices and relates to the number at the end of the name of the partition.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">#blocks</code> — Lists the number of physical disk blocks contained in a particular partition.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">name</code> — The name of the partition.
					</div></li></ul></div></div><div class="section" id="s2-proc-pci"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-pci">4.2.25.  <code class="filename">/proc/pci</code> </h3></div></div></div><a id="id1061747" class="indexterm"></a><a id="id1061777" class="indexterm"></a><div class="para">
				This file contains a full listing of every PCI device on the system. Depending on the number of PCI devices, <code class="filename">/proc/pci</code> can be rather long. A sampling of this file from a basic system looks similar to the following:
			</div><pre class="screen">Bus  0, device 0, function 0: Host bridge: Intel Corporation 440BX/ZX - 82443BX/ZX Host bridge (rev 3). Master Capable. Latency=64. Prefetchable 32 bit memory at 0xe4000000 [0xe7ffffff].
Bus  0, device 1, function 0: PCI bridge: Intel Corporation 440BX/ZX - 82443BX/ZX AGP bridge (rev 3).   Master Capable. Latency=64. Min Gnt=128.
Bus  0, device 4, function 0: ISA bridge: Intel Corporation 82371AB PIIX4 ISA (rev 2).
Bus  0, device 4, function 1: IDE interface: Intel Corporation 82371AB PIIX4 IDE (rev 1). Master Capable. Latency=32. I/O at 0xd800 [0xd80f].
Bus  0, device 4, function 2: USB Controller: Intel Corporation 82371AB PIIX4 USB (rev 1). IRQ 5. Master Capable. Latency=32. I/O at 0xd400 [0xd41f].
Bus  0, device 4, function 3: Bridge: Intel Corporation 82371AB PIIX4 ACPI (rev 2). IRQ 9.
Bus  0, device 9, function 0: Ethernet controller: Lite-On Communications Inc LNE100TX (rev 33). IRQ 5. Master Capable. Latency=32. I/O at 0xd000 [0xd0ff].
Bus  0, device 12, function  0: VGA compatible controller: S3 Inc. ViRGE/DX or /GX (rev 1). IRQ 11. Master Capable. Latency=32. Min Gnt=4.Max Lat=255.</pre><div class="para">
				This output shows a list of all PCI devices, sorted in the order of bus, device, and function. Beyond providing the name and version of the device, this list also gives detailed IRQ information so an administrator can quickly look for conflicts.
			</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
					To get a more readable version of this information, type:
				</div><pre class="screen"><code class="command">lspci -vb</code></pre></div></div></div><div class="section" id="s2-proc-slabinfo"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-slabinfo">4.2.26.  <code class="filename">/proc/slabinfo</code> </h3></div></div></div><a id="id1061853" class="indexterm"></a><a id="id1061876" class="indexterm"></a><div class="para">
				This file gives full information about memory usage on the <em class="firstterm">slab</em> level. Linux kernels greater than version 2.2 use <em class="firstterm">slab pools</em> to manage memory above the page level. Commonly used objects have their own slab pools.
			</div><div class="para">
				Instead of parsing the highly verbose <code class="filename">/proc/slabinfo</code> file manually, the <code class="filename">/usr/bin/slabtop</code> program displays kernel slab cache information in real time. This program allows for custom configurations, including column sorting and screen refreshing.
			</div><div class="para">
				A sample screen shot of <code class="filename">/usr/bin/slabtop</code> usually looks like the following example:
			</div><pre class="screen">Active / Total Objects (% used)    : 133629 / 147300 (90.7%)
Active / Total Slabs (% used)      : 11492 / 11493 (100.0%)
Active / Total Caches (% used)     : 77 / 121 (63.6%)
Active / Total Size (% used)       : 41739.83K / 44081.89K (94.7%)
Minimum / Average / Maximum Object : 0.01K / 0.30K / 128.00K
OBJS   ACTIVE USE      OBJ   SIZE     SLABS OBJ/SLAB CACHE SIZE NAME
44814  43159  96%    0.62K   7469      6     29876K ext3_inode_cache
36900  34614  93%    0.05K    492     75      1968K buffer_head
35213  33124  94%    0.16K   1531     23      6124K dentry_cache
7364   6463  87%    0.27K    526      14      2104K radix_tree_node
2585   1781  68%    0.08K     55      47       220K vm_area_struct
2263   2116  93%    0.12K     73      31       292K size-128
1904   1125  59%    0.03K     16      119        64K size-32
1666    768  46%    0.03K     14      119        56K anon_vma
1512   1482  98%    0.44K    168       9       672K inode_cache
1464   1040  71%    0.06K     24      61        96K size-64
1320    820  62%    0.19K     66      20       264K filp
678    587  86%    0.02K      3      226        12K dm_io
678    587  86%    0.02K      3      226        12K dm_tio
576    574  99%    0.47K     72        8       288K proc_inode_cache
528    514  97%    0.50K     66        8       264K size-512
492    372  75%    0.09K     12       41        48K bio
465    314  67%    0.25K     31       15       124K size-256
452    331  73%    0.02K      2      226         8K biovec-1
420    420 100%    0.19K     21       20        84K skbuff_head_cache
305    256  83%    0.06K      5       61        20K biovec-4
290      4   1%    0.01K      1      290         4K revoke_table
264    264 100%    4.00K    264        1      1056K size-4096
260    256  98%    0.19K     13       20        52K biovec-16
260    256  98%    0.75K     52        5       208K biovec-64</pre><div class="para">
				Some of the more commonly used statistics in <code class="filename">/proc/slabinfo</code> that are included into <code class="filename">/usr/bin/slabtop</code> include:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="computeroutput">OBJS</code> — The total number of objects (memory blocks), including those in use (allocated), and some spares not in use.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">ACTIVE</code> — The number of objects (memory blocks) that are in use (allocated).
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">USE</code> — Percentage of total objects that are active. ((ACTIVE/OBJS)(100))
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">OBJ SIZE</code> — The size of the objects.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">SLABS</code> — The total number of slabs.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">OBJ/SLAB</code> — The number of objects that fit into a slab.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">CACHE SIZE</code> — The cache size of the slab.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">NAME</code> — The name of the slab.
					</div></li></ul></div><div class="para">
				For more information on the <code class="filename">/usr/bin/slabtop</code> program, refer to the <code class="filename">slabtop</code> man page.
			</div></div><div class="section" id="s2-proc-stat"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-stat">4.2.27.  <code class="filename">/proc/stat</code> </h3></div></div></div><a id="id1062084" class="indexterm"></a><a id="id1062107" class="indexterm"></a><a id="id1062121" class="indexterm"></a><div class="para">
				This file keeps track of a variety of different statistics about the system since it was last restarted. The contents of <code class="filename">/proc/stat</code>, which can be quite long, usually begins like the following example:
			</div><pre class="screen">cpu  259246 7001 60190 34250993 137517 772 0
cpu0 259246 7001 60190 34250993 137517 772 0
intr 354133732 347209999 2272 0 4 4 0 0 3 1 1249247 0 0 80143 0 422626 5169433
ctxt 12547729
btime 1093631447
processes 130523
procs_running 1
procs_blocked 0
preempt 5651840
cpu  209841 1554 21720 118519346 72939 154 27168
cpu0 42536 798 4841 14790880 14778 124 3117
cpu1 24184 569 3875 14794524 30209 29 3130
cpu2 28616 11 2182 14818198 4020 1 3493
cpu3 35350 6 2942 14811519 3045 0 3659
cpu4 18209 135 2263 14820076 12465 0 3373
cpu5 20795 35 1866 14825701 4508 0 3615
cpu6 21607 0 2201 14827053 2325 0 3334
cpu7 18544 0 1550 14831395 1589 0 3447
intr 15239682 14857833 6 0 6 6 0 5 0 1 0 0 0 29 0 2 0 0 0 0 0 0 0 94982 0 286812
ctxt 4209609
btime 1078711415
processes 21905
procs_running 1
procs_blocked 0</pre><div class="para">
				Some of the more commonly used statistics include:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="computeroutput">cpu</code> — Measures the number of <em class="firstterm">jiffies</em> (1/100 of a second for x86 systems) that the system has been in user mode, user mode with low priority (nice), system mode, idle task, I/O wait, IRQ (hardirq), and softirq respectively. The IRQ (hardirq) is the direct response to a hardware event. The IRQ takes minimal work for queuing the "heavy" work up for the softirq to execute. The softirq runs at a lower priority than the IRQ and therefore may be interrupted more frequently. The total for all CPUs is given at the top, while each individual CPU is listed below with its own statistics. The following example is a 4-way Intel Pentium Xeon configuration with multi-threading enabled, therefore showing four physical processors and four virtual processors totaling eight processors.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">page</code> — The number of memory pages the system has written in and out to disk.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">swap</code> — The number of swap pages the system has brought in and out.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">intr</code> — The number of interrupts the system has experienced.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">btime</code> — The boot time, measured in the number of seconds since January 1, 1970, otherwise known as the <em class="firstterm">epoch</em>.
					</div></li></ul></div></div><div class="section" id="s2-proc-swaps"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-swaps">4.2.28.  <code class="filename">/proc/swaps</code> </h3></div></div></div><a id="id1062257" class="indexterm"></a><div class="para">
				This file measures swap space and its utilization. For a system with only one swap partition, the output of <code class="filename">/proc/swaps</code> may look similar to the following:
			</div><pre class="screen">Filename                          Type        Size     Used    Priority
/dev/mapper/VolGroup00-LogVol01   partition   524280   0       -1</pre><div class="para">
				While some of this information can be found in other files in the <code class="filename">/proc/</code> directory, <code class="filename">/proc/swaps</code> provides a snapshot of every swap file name, the type of swap space, the total size, and the amount of space in use (in kilobytes). The priority column is useful when multiple swap files are in use. The lower the priority, the more likely the swap file is to be used.
			</div></div><div class="section" id="s2-proc-sysrq-trigger"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-sysrq-trigger">4.2.29.  <code class="filename">/proc/sysrq-trigger</code> </h3></div></div></div><a id="id1062323" class="indexterm"></a><div class="para">
				Using the <code class="command">echo</code> command to write to this file, a remote root user can execute most System Request Key commands remotely as if at the local terminal. To <code class="command">echo</code> values to this file, the <code class="filename">/proc/sys/kernel/sysrq</code> must be set to a value other than <code class="computeroutput">0</code>. For more information about the System Request Key, refer to <a class="xref" href="#s3-proc-sys-kernel">Section 4.3.9.3, “ <code class="filename">/proc/sys/kernel/</code> ”</a>.
			</div><div class="para">
				Although it is possible to write to this file, it cannot be read, even by the root user.
			</div></div><div class="section" id="s2-proc-uptime"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-uptime">4.2.30.  <code class="filename">/proc/uptime</code> </h3></div></div></div><a id="id1062392" class="indexterm"></a><div class="para">
				This file contains information detailing how long the system has been on since its last restart. The output of <code class="filename">/proc/uptime</code> is quite minimal:
			</div><pre class="screen">350735.47 234388.90</pre><div class="para">
				The first number is the total number of seconds the system has been up. The second number is how much of that time the machine has spent idle, in seconds.
			</div></div><div class="section" id="s2-proc-version"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-version">4.2.31.  <code class="filename">/proc/version</code> </h3></div></div></div><a id="id1062447" class="indexterm"></a><div class="para">
				This file specifies the version of the Linux kernel and <code class="filename">gcc</code> in use, as well as the version of Red Hat Enterprise Linux installed on the system:
			</div><pre class="screen">Linux version 2.6.8-1.523 (user@foo.redhat.com) (gcc version 3.4.1 20040714 \  (Red Hat Enterprise Linux 3.4.1-7)) #1 Mon Aug 16 13:27:03 EDT 2004</pre><div class="para">
				This information is used for a variety of purposes, including the version data presented when a user logs in.
			</div></div></div><div class="section" id="s1-proc-directories"><div class="titlepage"><div><div><h2 class="title" id="s1-proc-directories">4.3. Directories within <code class="filename">/proc/</code> </h2></div></div></div><a id="id1062505" class="indexterm"></a><div class="para">
			Common groups of information concerning the kernel are grouped into directories and subdirectories within the <code class="filename">/proc/</code> directory.
		</div><div class="section" id="s2-proc-processdirs"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-processdirs">4.3.1. Process Directories</h3></div></div></div><a id="id1062542" class="indexterm"></a><div class="para">
				Every <code class="filename">/proc/</code> directory contains a number of directories with numerical names. A listing of them may be similar to the following:
			</div><pre class="screen">dr-xr-xr-x    3 root     root            0 Feb 13 01:28 1
dr-xr-xr-x    3 root     root            0 Feb 13 01:28 1010
dr-xr-xr-x    3 xfs      xfs             0 Feb 13 01:28 1087
dr-xr-xr-x    3 daemon   daemon          0 Feb 13 01:28 1123
dr-xr-xr-x    3 root     root            0 Feb 13 01:28 11307
dr-xr-xr-x    3 apache   apache          0 Feb 13 01:28 13660
dr-xr-xr-x    3 rpc      rpc             0 Feb 13 01:28 637
dr-xr-xr-x    3 rpcuser  rpcuser         0 Feb 13 01:28 666</pre><div class="para">
				These directories are called <em class="firstterm">process directories</em>, as they are named after a program's process ID and contain information specific to that process. The owner and group of each process directory is set to the user running the process. When the process is terminated, its <code class="filename">/proc/</code> process directory vanishes.
			</div><div class="para">
				Each process directory contains the following files:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="computeroutput">cmdline</code> — Contains the command issued when starting the process.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">cwd</code> — A symbolic link to the current working directory for the process.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">environ</code> — A list of the environment variables for the process. The environment variable is given in all upper-case characters, and the value is in lower-case characters.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">exe</code> — A symbolic link to the executable of this process.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">fd</code> — A directory containing all of the file descriptors for a particular process. These are given in numbered links:
					</div><pre class="screen">total 0
lrwx------    1 root     root           64 May  8 11:31 0 -&gt; /dev/null
lrwx------    1 root     root           64 May  8 11:31 1 -&gt; /dev/null
lrwx------    1 root     root           64 May  8 11:31 2 -&gt; /dev/null
lrwx------    1 root     root           64 May  8 11:31 3 -&gt; /dev/ptmx
lrwx------    1 root     root           64 May  8 11:31 4 -&gt; socket:[7774817]
lrwx------    1 root     root           64 May  8 11:31 5 -&gt; /dev/ptmx
lrwx------    1 root     root           64 May  8 11:31 6 -&gt; socket:[7774829]
lrwx------    1 root     root           64 May  8 11:31 7 -&gt; /dev/ptmx</pre></li><li class="listitem"><div class="para">
						<code class="computeroutput">maps</code> — A list of memory maps to the various executables and library files associated with this process. This file can be rather long, depending upon the complexity of the process, but sample output from the <code class="command">sshd</code> process begins like the following:
					</div><pre class="screen">08048000-08086000 r-xp 00000000 03:03 391479     /usr/sbin/sshd
08086000-08088000 rw-p 0003e000 03:03 391479	/usr/sbin/sshd
08088000-08095000 rwxp 00000000 00:00 0
40000000-40013000 r-xp 0000000 03:03 293205	/lib/ld-2.2.5.so
40013000-40014000 rw-p 00013000 03:03 293205	/lib/ld-2.2.5.so
40031000-40038000 r-xp 00000000 03:03 293282	/lib/libpam.so.0.75
40038000-40039000 rw-p 00006000 03:03 293282	/lib/libpam.so.0.75
40039000-4003a000 rw-p 00000000 00:00 0
4003a000-4003c000 r-xp 00000000 03:03 293218	/lib/libdl-2.2.5.so
4003c000-4003d000 rw-p 00001000 03:03 293218	/lib/libdl-2.2.5.so</pre></li><li class="listitem"><div class="para">
						<code class="computeroutput">mem</code> — The memory held by the process. This file cannot be read by the user.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">root</code> — A link to the root directory of the process.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">stat</code> — The status of the process.
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">statm</code> — The status of the memory in use by the process. Below is a sample <code class="filename">/proc/statm</code> file:
					</div><pre class="screen">263 210 210 5 0 205 0</pre><div class="para">
						The seven columns relate to different memory statistics for the process. From left to right, they report the following aspects of the memory used:
					</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
								Total program size, in kilobytes.
							</div></li><li class="listitem"><div class="para">
								Size of memory portions, in kilobytes.
							</div></li><li class="listitem"><div class="para">
								Number of pages that are shared.
							</div></li><li class="listitem"><div class="para">
								Number of pages that are code.
							</div></li><li class="listitem"><div class="para">
								Number of pages of data/stack.
							</div></li><li class="listitem"><div class="para">
								Number of library pages.
							</div></li><li class="listitem"><div class="para">
								Number of dirty pages.
							</div></li></ol></div></li><li class="listitem"><div class="para">
						<code class="computeroutput">status</code> — The status of the process in a more readable form than <code class="filename">stat</code> or <code class="filename">statm</code>. Sample output for <code class="command">sshd</code> looks similar to the following:
					</div><pre class="screen">Name:	sshd
State:	S (sleeping)
Tgid:	797
Pid:	797
PPid:	1
TracerPid:	0
Uid:	0	0	0	0
Gid:	0	0	0	0
FDSize:	32
Groups:
VmSize:	    3072 kB
VmLck:	       0 kB
VmRSS:	     840 kB
VmData:	     104 kB
VmStk:	      12 kB
VmExe:	     300 kB
VmLib:	    2528 kB
SigPnd:	0000000000000000
SigBlk:	0000000000000000
SigIgn:	8000000000001000
SigCgt:	0000000000014005
CapInh:	0000000000000000
CapPrm:	00000000fffffeff
CapEff:	00000000fffffeff</pre><div class="para">
						The information in this output includes the process name and ID, the state (such as <code class="computeroutput">S (sleeping)</code> or <code class="computeroutput">R (running)</code>), user/group ID running the process, and detailed data regarding memory usage.
					</div></li></ul></div><div class="section" id="s3-proc-self"><div class="titlepage"><div><div><h4 class="title" id="s3-proc-self">4.3.1.1.  <code class="filename">/proc/self/</code> </h4></div></div></div><a id="id1062878" class="indexterm"></a><div class="para">
					The <code class="filename">/proc/self/</code> directory is a link to the currently running process. This allows a process to look at itself without having to know its process ID.
				</div><div class="para">
					Within a shell environment, a listing of the <code class="filename">/proc/self/</code> directory produces the same contents as listing the process directory for that process.
				</div></div></div><div class="section" id="s2-proc-dir-bus"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-dir-bus">4.3.2.  <code class="filename">/proc/bus/</code> </h3></div></div></div><a id="id1062935" class="indexterm"></a><div class="para">
				This directory contains information specific to the various buses available on the system. For example, on a standard system containing PCI and USB buses, current data on each of these buses is available within a subdirectory within <code class="filename">/proc/bus/</code> by the same name, such as <code class="filename">/proc/bus/pci/</code>.
			</div><div class="para">
				The subdirectories and files available within <code class="filename">/proc/bus/</code> vary depending on the devices connected to the system. However, each bus type has at least one directory. Within these bus directories are normally at least one subdirectory with a numerical name, such as <code class="filename">001</code>, which contain binary files.
			</div><div class="para">
				For example, the <code class="filename">/proc/bus/usb/</code> subdirectory contains files that track the various devices on any USB buses, as well as the drivers required for them. The following is a sample listing of a <code class="filename">/proc/bus/usb/</code> directory:
			</div><pre class="screen">total 0 dr-xr-xr-x    1 root     root            0 May  3 16:25 001
-r--r--r--    1 root     root            0 May  3 16:25 devices
-r--r--r--    1 root     root            0 May  3 16:25 drivers</pre><div class="para">
				The <code class="filename">/proc/bus/usb/001/</code> directory contains all devices on the first USB bus and the <code class="filename">devices</code> file identifies the USB root hub on the motherboard.
			</div><div class="para">
				The following is a example of a <code class="filename">/proc/bus/usb/devices</code> file:
			</div><pre class="screen">T:  Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=12  MxCh= 2
B:  Alloc=  0/900 us ( 0%), #Int=  0, #Iso=  0
D:  Ver= 1.00 Cls=09(hub  ) Sub=00 Prot=00 MxPS= 8 #Cfgs=  1
P:  Vendor=0000 ProdID=0000 Rev= 0.00
S:  Product=USB UHCI Root Hub
S:  SerialNumber=d400
C:* #Ifs= 1 Cfg#= 1 Atr=40 MxPwr=  0mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub
E:  Ad=81(I) Atr=03(Int.) MxPS=   8 Ivl=255ms</pre></div><div class="section" id="s2-proc-dir-driver"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-dir-driver">4.3.3.  <code class="filename">/proc/driver/</code> </h3></div></div></div><a id="id1063046" class="indexterm"></a><div class="para">
				This directory contains information for specific drivers in use by the kernel.
			</div><div class="para">
				A common file found here is <code class="filename">rtc</code> which provides output from the driver for the system's <em class="firstterm">Real Time Clock (RTC)</em>, the device that keeps the time while the system is switched off. Sample output from <code class="filename">/proc/driver/rtc</code> looks like the following:
			</div><pre class="screen">rtc_time        : 16:21:00
rtc_date        : 2004-08-31
rtc_epoch       : 1900
alarm           : 21:16:27
DST_enable      : no
BCD             : yes
24hr            : yes
square_wave     : no
alarm_IRQ       : no
update_IRQ      : no
periodic_IRQ    : no
periodic_freq   : 1024
batt_status     : okay</pre><div class="para">
				For more information about the RTC, refer to the following installed documentation:
			</div><div class="para">
				<code class="filename">/usr/share/doc/kernel-doc-<em class="replaceable"><code>&lt;version&gt;</code></em>/Documentation/rtc.txt</code>.
			</div></div><div class="section" id="s2-proc-dir-fs"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-dir-fs">4.3.4.  <code class="filename">/proc/fs</code> </h3></div></div></div><a id="id1063125" class="indexterm"></a><div class="para">
				This directory shows which file systems are exported. If running an NFS server, typing <code class="command">cat /proc/fs/nfsd/exports</code> displays the file systems being shared and the permissions granted for those file systems. For more on file system sharing with NFS, refer to <a class="xref" href="#ch-nfs">Chapter 20, <em>Network File System (NFS)</em></a>.
			</div></div><div class="section" id="s2-proc-dir-ide"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-dir-ide">4.3.5.  <code class="filename">/proc/ide/</code> </h3></div></div></div><a id="id1063178" class="indexterm"></a><div class="para">
				This directory contains information about IDE devices on the system. Each IDE channel is represented as a separate directory, such as <code class="filename">/proc/ide/ide0</code> and <code class="filename">/proc/ide/ide1</code>. In addition, a <code class="filename">drivers</code> file is available, providing the version number of the various drivers used on the IDE channels:
			</div><pre class="screen">ide-floppy version 0.99.
newide ide-cdrom version 4.61
ide-disk version 1.18</pre><div class="para">
				Many chipsets also provide a file in this directory with additional data concerning the drives connected through the channels. For example, a generic Intel PIIX4 Ultra 33 chipset produces the <code class="filename">/proc/ide/piix</code> file which reveals whether DMA or UDMA is enabled for the devices on the IDE channels:
			</div><pre class="screen">Intel PIIX4 Ultra 33 Chipset.
------------- Primary Channel ---------------- Secondary Channel -------------
		enabled                          enabled

------------- drive0 --------- drive1 -------- drive0 ---------- drive1 ------
DMA enabled:    yes              no              yes               no
UDMA enabled:   yes              no              no                no
UDMA enabled:   2                X               X                 X
UDMA DMA PIO</pre><div class="para">
				Navigating into the directory for an IDE channel, such as <code class="filename">ide0</code>, provides additional information. The <code class="filename">channel</code> file provides the channel number, while the <code class="filename">model</code> identifies the bus type for the channel (such as <code class="computeroutput">pci</code>).
			</div><div class="section" id="s3-proc-dir-ide-device"><div class="titlepage"><div><div><h4 class="title" id="s3-proc-dir-ide-device">4.3.5.1. Device Directories</h4></div></div></div><a id="id1063269" class="indexterm"></a><div class="para">
					Within each IDE channel directory is a device directory. The name of the device directory corresponds to the drive letter in the <code class="filename">/dev/</code> directory. For instance, the first IDE drive on <code class="filename">ide0</code> would be <code class="filename">hda</code>.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						There is a symbolic link to each of these device directories in the <code class="filename">/proc/ide/</code> directory.
					</div></div></div><div class="para">
					Each device directory contains a collection of information and statistics. The contents of these directories vary according to the type of device connected. Some of the more useful files common to many devices include:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="filename">cache</code> — The device cache.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">capacity</code> — The capacity of the device, in 512 byte blocks.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">driver</code> — The driver and version used to control the device.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">geometry</code> — The physical and logical geometry of the device.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">media</code> — The type of device, such as a <code class="computeroutput">disk</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">model</code> — The model name or number of the device.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">settings</code> — A collection of current device parameters. This file usually contains quite a bit of useful, technical information. A sample <code class="filename">settings</code> file for a standard IDE hard disk looks similar to the following:
						</div><pre class="screen">name                value          min          max          mode
----                -----          ---          ---          ----
acoustic            0              0            254          rw
address             0              0            2            rw
bios_cyl            38752          0            65535        rw
bios_head           16             0            255          rw
bios_sect           63             0            63           rw
bswap               0              0            1            r
current_speed       68             0            70           rw
failures            0              0            65535        rw
init_speed          68             0            70           rw
io_32bit            0              0            3            rw
keepsettings        0              0            1            rw
lun                 0              0            7            rw
max_failures        1              0            65535        rw
multcount           16             0            16           rw
nice1               1              0            1            rw
nowerr              0              0            1            rw
number              0              0            3            rw
pio_mode            write-only     0            255          w
unmaskirq           0              0            1            rw
using_dma           1              0            1            rw
wcache              1              0            1            rw</pre></li></ul></div></div></div><div class="section" id="s2-proc-dir-irq"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-dir-irq">4.3.6.  <code class="filename">/proc/irq/</code> </h3></div></div></div><a id="id1063463" class="indexterm"></a><div class="para">
				This directory is used to set IRQ to CPU affinity, which allows the system to connect a particular IRQ to only one CPU. Alternatively, it can exclude a CPU from handling any IRQs.
			</div><div class="para">
				Each IRQ has its own directory, allowing for the individual configuration of each IRQ. The <code class="filename">/proc/irq/prof_cpu_mask</code> file is a bitmask that contains the default values for the <code class="filename">smp_affinity</code> file in the IRQ directory. The values in <code class="filename">smp_affinity</code> specify which CPUs handle that particular IRQ.
			</div><div class="para">
				For more information about the <code class="filename">/proc/irq/</code> directory, refer to the following installed documentation:
			</div><pre class="screen">/usr/share/doc/kernel-doc-<em class="replaceable"><code>&lt;version&gt;</code></em>/Documentation/filesystems/proc.txt</pre></div><div class="section" id="s2-proc-dir-net"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-dir-net">4.3.7.  <code class="filename">/proc/net/</code> </h3></div></div></div><a id="id1063538" class="indexterm"></a><div class="para">
				This directory provides a comprehensive look at various networking parameters and statistics. Each directory and virtual file within this directory describes aspects of the system's network configuration. Below is a partial list of the <code class="filename">/proc/net/</code> directory:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="filename">arp</code> — Lists the kernel's ARP table. This file is particularly useful for connecting a hardware address to an IP address on a system.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">atm/</code> directory — The files within this directory contain <em class="firstterm">Asynchronous Transfer Mode (ATM)</em> settings and statistics. This directory is primarily used with ATM networking and ADSL cards.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">dev</code> — Lists the various network devices configured on the system, complete with transmit and receive statistics. This file displays the number of bytes each interface has sent and received, the number of packets inbound and outbound, the number of errors seen, the number of packets dropped, and more.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">dev_mcast</code> — Lists Layer2 multicast groups on which each device is listening.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">igmp</code> — Lists the IP multicast addresses which this system joined.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">ip_conntrack</code> — Lists tracked network connections for machines that are forwarding IP connections.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">ip_tables_names</code> — Lists the types of <code class="command">iptables</code> in use. This file is only present if <code class="command">iptables</code> is active on the system and contains one or more of the following values: <code class="filename">filter</code>, <code class="filename">mangle</code>, or <code class="filename">nat</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">ip_mr_cache</code> — Lists the multicast routing cache.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">ip_mr_vif</code> — Lists multicast virtual interfaces.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">netstat</code> — Contains a broad yet detailed collection of networking statistics, including TCP timeouts, SYN cookies sent and received, and much more.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">psched</code> — Lists global packet scheduler parameters.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">raw</code> — Lists raw device statistics.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">route</code> — Lists the kernel's routing table.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">rt_cache</code> — Contains the current routing cache.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">snmp</code> — List of Simple Network Management Protocol (SNMP) data for various networking protocols in use.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">sockstat</code> — Provides socket statistics.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">tcp</code> — Contains detailed TCP socket information.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">tr_rif</code> — Lists the token ring RIF routing table.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">udp</code> — Contains detailed UDP socket information.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">unix</code> — Lists UNIX domain sockets currently in use.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">wireless</code> — Lists wireless interface data.
					</div></li></ul></div></div><div class="section" id="s2-proc-dir-scsi"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-dir-scsi">4.3.8.  <code class="filename">/proc/scsi/</code> </h3></div></div></div><a id="id842562" class="indexterm"></a><div class="para">
				This directory is analogous to the <code class="filename">/proc/ide/</code> directory, but it is for connected SCSI devices.
			</div><div class="para">
				The primary file in this directory is <code class="filename">/proc/scsi/scsi</code>, which contains a list of every recognized SCSI device. From this listing, the type of device, as well as the model name, vendor, SCSI channel and ID data is available.
			</div><div class="para">
				For example, if a system contains a SCSI CD-ROM, a tape drive, a hard drive, and a RAID controller, this file looks similar to the following:
			</div><pre class="screen">Attached devices:
Host: scsi1
Channel: 00
Id: 05
Lun: 00
Vendor: NEC
Model: CD-ROM DRIVE:466
Rev: 1.06
Type:   CD-ROM
ANSI SCSI revision: 02
Host: scsi1
Channel: 00
Id: 06
Lun: 00
Vendor: ARCHIVE
Model: Python 04106-XXX
Rev: 7350
Type:   Sequential-Access
ANSI SCSI revision: 02
Host: scsi2
Channel: 00
Id: 06
Lun: 00
Vendor: DELL
Model: 1x6 U2W SCSI BP
Rev: 5.35
Type:   Processor
ANSI SCSI revision: 02
Host: scsi2
Channel: 02
Id: 00
Lun: 00
Vendor: MegaRAID
Model: LD0 RAID5 34556R
Rev: 1.01
Type:   Direct-Access
ANSI SCSI revision: 02</pre><div class="para">
				Each SCSI driver used by the system has its own directory within <code class="filename">/proc/scsi/</code>, which contains files specific to each SCSI controller using that driver. From the previous example, <code class="filename">aic7xxx/</code> and <code class="filename">megaraid/</code> directories are present, since two drivers are in use. The files in each of the directories typically contain an I/O address range, IRQ information, and statistics for the SCSI controller using that driver. Each controller can report a different type and amount of information. The Adaptec AIC-7880 Ultra SCSI host adapter's file in this example system produces the following output:
			</div><pre class="screen">Adaptec AIC7xxx driver version: 5.1.20/3.2.4
Compile Options:
TCQ Enabled By Default : Disabled
AIC7XXX_PROC_STATS     : Enabled
AIC7XXX_RESET_DELAY    : 5
Adapter Configuration:
SCSI Adapter: Adaptec AIC-7880 Ultra SCSI host adapter
Ultra Narrow Controller     PCI MMAPed
I/O Base: 0xfcffe000
Adapter SEEPROM Config: SEEPROM found and used.
Adaptec SCSI BIOS: Enabled
IRQ: 30
SCBs: Active 0, Max Active 1, Allocated 15, HW 16, Page 255
Interrupts: 33726
BIOS Control Word: 0x18a6
Adapter Control Word: 0x1c5f
Extended Translation: Enabled
Disconnect Enable Flags: 0x00ff
Ultra Enable Flags: 0x0020
Tag Queue Enable Flags: 0x0000
Ordered Queue Tag Flags: 0x0000
Default Tag Queue Depth: 8
Tagged Queue By Device array for aic7xxx
host instance 1:       {255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255}
Actual queue depth per device for aic7xxx host instance 1:       {1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1}
Statistics:

(scsi1:0:5:0) Device using Narrow/Sync transfers at 20.0 MByte/sec, offset 15
Transinfo settings: current(12/15/0/0), goal(12/15/0/0), user(12/15/0/0)
Total transfers 0 (0 reads and 0 writes)
		&lt; 2K      2K+     4K+     8K+    16K+    32K+    64K+   128K+
Reads:        0       0       0       0       0       0       0       0
Writes:       0       0       0       0       0       0       0       0

(scsi1:0:6:0) Device using Narrow/Sync transfers at 10.0 MByte/sec, offset 15
Transinfo settings: current(25/15/0/0), goal(12/15/0/0), user(12/15/0/0)
Total transfers 132 (0 reads and 132 writes)
		&lt; 2K      2K+     4K+     8K+    16K+    32K+    64K+   128K+
Reads:        0       0       0       0       0       0       0       0
Writes:       0       0       0       1     131       0       0       0</pre><div class="para">
				This output reveals the transfer speed to the SCSI devices connected to the controller based on channel ID, as well as detailed statistics concerning the amount and sizes of files read or written by that device. For example, this controller is communicating with the CD-ROM at 20 megabytes per second, while the tape drive is only communicating at 10 megabytes per second.
			</div></div><div class="section" id="s2-proc-dir-sys"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-dir-sys">4.3.9.  <code class="filename">/proc/sys/</code> </h3></div></div></div><a id="id842675" class="indexterm"></a><a id="id842697" class="indexterm"></a><a id="id842712" class="indexterm"></a><a id="id842742" class="indexterm"></a><a id="id842761" class="indexterm"></a><a id="id842775" class="indexterm"></a><div class="para">
				The <code class="filename">/proc/sys/</code> directory is different from others in <code class="filename">/proc/</code> because it not only provides information about the system but also allows the system administrator to immediately enable and disable kernel features.
			</div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
					Use caution when changing settings on a production system using the various files in the <code class="filename">/proc/sys/</code> directory. Changing the wrong setting may render the kernel unstable, requiring a system reboot.
				</div><div class="para">
					For this reason, be sure the options are valid for that file before attempting to change any value in <code class="filename">/proc/sys/</code>.
				</div></div></div><div class="para">
				A good way to determine if a particular file can be configured, or if it is only designed to provide information, is to list it with the <code class="option">-l</code> option at the shell prompt. If the file is writable, it may be used to configure the kernel. For example, a partial listing of <code class="filename">/proc/sys/fs</code> looks like the following:
			</div><pre class="screen">-r--r--r--    1 root     root            0 May 10 16:14 dentry-state
-rw-r--r--    1 root     root            0 May 10 16:14 dir-notify-enable
-r--r--r--    1 root     root            0 May 10 16:14 dquot-nr
-rw-r--r--    1 root     root            0 May 10 16:14 file-max
-r--r--r--    1 root     root            0 May 10 16:14 file-nr</pre><div class="para">
				In this listing, the files <code class="filename">dir-notify-enable</code> and <code class="filename">file-max</code> can be written to and, therefore, can be used to configure the kernel. The other files only provide feedback on current settings.
			</div><div class="para">
				Changing a value within a <code class="filename">/proc/sys/</code> file is done by echoing the new value into the file. For example, to enable the System Request Key on a running kernel, type the command:
			</div><pre class="screen"><code class="command">echo 1 &gt; /proc/sys/kernel/sysrq</code></pre><div class="para">
				This changes the value for <code class="filename">sysrq</code> from <code class="computeroutput">0</code> (off) to <code class="computeroutput">1</code> (on).
			</div><div class="para">
				A few <code class="filename">/proc/sys/</code> configuration files contain more than one value. To correctly send new values to them, place a space character between each value passed with the <code class="command">echo</code> command, such as is done in this example:
			</div><pre class="screen"><code class="command">echo 4 2 45 &gt; /proc/sys/kernel/acct</code></pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					Any configuration changes made using the <code class="command">echo</code> command disappear when the system is restarted. To make configuration changes take effect after the system is rebooted, refer to <a class="xref" href="#s1-proc-sysctl">Section 4.4, “Using the <code class="command">sysctl</code> Command”</a>.
				</div></div></div><div class="para">
				The <code class="filename">/proc/sys/</code> directory contains several subdirectories controlling different aspects of a running kernel.
			</div><div class="section" id="s3-proc-sys-dev"><div class="titlepage"><div><div><h4 class="title" id="s3-proc-sys-dev">4.3.9.1.  <code class="filename">/proc/sys/dev/</code> </h4></div></div></div><a id="id842954" class="indexterm"></a><div class="para">
					This directory provides parameters for particular devices on the system. Most systems have at least two directories, <code class="filename">cdrom/</code> and <code class="filename">raid/</code>. Customized kernels can have other directories, such as <code class="filename">parport/</code>, which provides the ability to share one parallel port between multiple device drivers.
				</div><div class="para">
					The <code class="filename">cdrom/</code> directory contains a file called <code class="filename">info</code>, which reveals a number of important CD-ROM parameters:
				</div><pre class="screen">CD-ROM information, Id: cdrom.c 3.20 2003/12/17
drive name:             hdc
drive speed:            48
drive # of slots:       1
Can close tray:         1
Can open tray:          1
Can lock tray:          1
Can change speed:       1
Can select disk:        0
Can read multisession:  1
Can read MCN:           1
Reports media changed:  1
Can play audio:         1
Can write CD-R:         0
Can write CD-RW:        0
Can read DVD:           0
Can write DVD-R:        0
Can write DVD-RAM:      0
Can read MRW:           0
Can write MRW:          0
Can write RAM:          0</pre><div class="para">
					This file can be quickly scanned to discover the qualities of an unknown CD-ROM. If multiple CD-ROMs are available on a system, each device is given its own column of information.
				</div><div class="para">
					Various files in <code class="filename">/proc/sys/dev/cdrom</code>, such as <code class="filename">autoclose</code> and <code class="filename">checkmedia</code>, can be used to control the system's CD-ROM. Use the <code class="command">echo</code> command to enable or disable these features.
				</div><div class="para">
					If RAID support is compiled into the kernel, a <code class="filename">/proc/sys/dev/raid/</code> directory becomes available with at least two files in it: <code class="filename">speed_limit_min</code> and <code class="filename">speed_limit_max</code>. These settings determine the acceleration of RAID devices for I/O intensive tasks, such as resyncing the disks.
				</div></div><div class="section" id="s3-proc-sys-fs"><div class="titlepage"><div><div><h4 class="title" id="s3-proc-sys-fs">4.3.9.2.  <code class="filename">/proc/sys/fs/</code> </h4></div></div></div><a id="id843080" class="indexterm"></a><div class="para">
					This directory contains an array of options and information concerning various aspects of the file system, including quota, file handle, inode, and dentry information.
				</div><div class="para">
					The <code class="filename">binfmt_misc/</code> directory is used to provide kernel support for miscellaneous binary formats.
				</div><div class="para">
					The important files in <code class="filename">/proc/sys/fs/</code> include:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="filename">dentry-state</code> — Provides the status of the directory cache. The file looks similar to the following:
						</div><pre class="screen">57411	52939	45	0	0	0</pre><div class="para">
							The first number reveals the total number of directory cache entries, while the second number displays the number of unused entries. The third number tells the number of seconds between when a directory has been freed and when it can be reclaimed, and the fourth measures the pages currently requested by the system. The last two numbers are not used and display only zeros.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">dquot-nr</code> — Lists the maximum number of cached disk quota entries.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">file-max</code> — Lists the maximum number of file handles that the kernel allocates. Raising the value in this file can resolve errors caused by a lack of available file handles.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">file-nr</code> — Lists the number of allocated file handles, used file handles, and the maximum number of file handles.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">overflowgid</code> and <code class="filename">overflowuid</code> — Defines the fixed group ID and user ID, respectively, for use with file systems that only support 16-bit group and user IDs.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">super-max</code> — Controls the maximum number of superblocks available.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">super-nr</code> — Displays the current number of superblocks in use.
						</div></li></ul></div></div><div class="section" id="s3-proc-sys-kernel"><div class="titlepage"><div><div><h4 class="title" id="s3-proc-sys-kernel">4.3.9.3.  <code class="filename">/proc/sys/kernel/</code> </h4></div></div></div><a id="id843255" class="indexterm"></a><a id="id843285" class="indexterm"></a><a id="id843300" class="indexterm"></a><a id="id843318" class="indexterm"></a><a id="id843337" class="indexterm"></a><div class="para">
					This directory contains a variety of different configuration files that directly affect the operation of the kernel. Some of the most important files include:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="filename">acct</code> — Controls the suspension of process accounting based on the percentage of free space available on the file system containing the log. By default, the file looks like the following:
						</div><pre class="screen">4	2	30</pre><div class="para">
							The first value dictates the percentage of free space required for logging to resume, while the second value sets the threshold percentage of free space when logging is suspended. The third value sets the interval, in seconds, that the kernel polls the file system to see if logging should be suspended or resumed.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">cap-bound</code> — Controls the <em class="firstterm">capability bounding</em> settings, which provides a list of capabilities for any process on the system. If a capability is not listed here, then no process, no matter how privileged, can do it. The idea is to make the system more secure by ensuring that certain things cannot happen, at least beyond a certain point in the boot process.
						</div><div class="para">
							For a valid list of values for this virtual file, refer to the following installed documentation:
						</div><div class="para">
							<code class="filename">/lib/modules/<em class="replaceable"><code>&lt;kernel-version&gt;</code></em>/build/include/linux/capability.h</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">ctrl-alt-del</code> — Controls whether <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>Delete</strong></span> gracefully restarts the computer using <code class="command">init</code> (<code class="computeroutput">0</code>) or forces an immediate reboot without syncing the dirty buffers to disk (<code class="computeroutput">1</code>).
						</div></li><li class="listitem"><div class="para">
							<code class="filename">domainname</code> — Configures the system domain name, such as <code class="computeroutput">example.com</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">exec-shield</code> — Configures the Exec Shield feature of the kernel. Exec Shield provides protection against certain types of buffer overflow attacks.
						</div><div class="para">
							There are two possible values for this virtual file:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="command">0</code> — Disables Exec Shield.
								</div></li><li class="listitem"><div class="para">
									<code class="command">1</code> — Enables Exec Shield. This is the default value.
								</div></li></ul></div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
								If a system is running security-sensitive applications that were started while Exec Shield was disabled, these applications must be restarted when Exec Shield is enabled in order for Exec Shield to take effect.
							</div></div></div></li><li class="listitem"><div class="para">
							<code class="filename">exec-shield-randomize</code> — Enables location randomization of various items in memory. This helps deter potential attackers from locating programs and daemons in memory. Each time a program or daemon starts, it is put into a different memory location each time, never in a static or absolute memory address.
						</div><div class="para">
							There are two possible values for this virtual file:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="command">0</code> — Disables randomization of Exec Shield. This may be useful for application debugging purposes.
								</div></li><li class="listitem"><div class="para">
									<code class="command">1</code> — Enables randomization of Exec Shield. This is the default value. Note: The <code class="filename">exec-shield</code> file must also be set to <code class="command">1</code> for <code class="filename">exec-shield-randomize</code> to be effective.
								</div></li></ul></div></li><li class="listitem"><div class="para">
							<code class="filename">hostname</code> — Configures the system hostname, such as <code class="computeroutput">www.example.com</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">hotplug</code> — Configures the utility to be used when a configuration change is detected by the system. This is primarily used with USB and Cardbus PCI. The default value of <code class="computeroutput">/sbin/hotplug</code> should not be changed unless testing a new program to fulfill this role.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">modprobe</code> — Sets the location of the program used to load kernel modules. The default value is <code class="computeroutput">/sbin/modprobe</code> which means <code class="command">kmod</code> calls it to load the module when a kernel thread calls <code class="command">kmod</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">msgmax</code> — Sets the maximum size of any message sent from one process to another and is set to <code class="computeroutput">8192</code> bytes by default. Be careful when raising this value, as queued messages between processes are stored in non-swappable kernel memory. Any increase in <code class="filename">msgmax</code> would increase RAM requirements for the system.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">msgmnb</code> — Sets the maximum number of bytes in a single message queue. The default is <code class="computeroutput">16384</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">msgmni</code> — Sets the maximum number of message queue identifiers. The default is <code class="computeroutput">16</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">osrelease</code> — Lists the Linux kernel release number. This file can only be altered by changing the kernel source and recompiling.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">ostype</code> — Displays the type of operating system. By default, this file is set to <code class="computeroutput">Linux</code>, and this value can only be changed by changing the kernel source and recompiling.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">overflowgid</code> and <code class="filename">overflowuid</code> — Defines the fixed group ID and user ID, respectively, for use with system calls on architectures that only support 16-bit group and user IDs.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">panic</code> — Defines the number of seconds the kernel postpones rebooting when the system experiences a kernel panic. By default, the value is set to <code class="computeroutput">0</code>, which disables automatic rebooting after a panic.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">printk</code> — This file controls a variety of settings related to printing or logging error messages. Each error message reported by the kernel has a <em class="firstterm">loglevel</em> associated with it that defines the importance of the message. The loglevel values break down in this order:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="computeroutput">0</code> — Kernel emergency. The system is unusable.
								</div></li><li class="listitem"><div class="para">
									<code class="computeroutput">1</code> — Kernel alert. Action must be taken immediately.
								</div></li><li class="listitem"><div class="para">
									<code class="computeroutput">2</code> — Condition of the kernel is considered critical.
								</div></li><li class="listitem"><div class="para">
									<code class="computeroutput">3</code> — General kernel error condition.
								</div></li><li class="listitem"><div class="para">
									<code class="computeroutput">4</code> — General kernel warning condition.
								</div></li><li class="listitem"><div class="para">
									<code class="computeroutput">5</code> — Kernel notice of a normal but significant condition.
								</div></li><li class="listitem"><div class="para">
									<code class="computeroutput">6</code> — Kernel informational message.
								</div></li><li class="listitem"><div class="para">
									<code class="computeroutput">7</code> — Kernel debug-level messages.
								</div></li></ul></div><div class="para">
							Four values are found in the <code class="filename">printk</code> file:
						</div><pre class="screen">6     4     1     7</pre><div class="para">
							Each of these values defines a different rule for dealing with error messages. The first value, called the <em class="firstterm">console loglevel</em>, defines the lowest priority of messages printed to the console. (Note that, the lower the priority, the higher the loglevel number.) The second value sets the default loglevel for messages without an explicit loglevel attached to them. The third value sets the lowest possible loglevel configuration for the console loglevel. The last value sets the default value for the console loglevel.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">random/</code> directory — Lists a number of values related to generating random numbers for the kernel.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">rtsig-max</code> — Configures the maximum number of POSIX real-time signals that the system may have queued at any one time. The default value is <code class="computeroutput">1024</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">rtsig-nr</code> — Lists the current number of POSIX real-time signals queued by the kernel.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">sem</code> — Configures <em class="firstterm">semaphore</em> settings within the kernel. A semaphore is a System V IPC object that is used to control utilization of a particular process.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">shmall</code>— Sets the total amount of shared memory pages that can be used at one time, system-wide. By default, this value is <code class="computeroutput">2097152</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">shmmax</code> — Sets the largest shared memory segment size allowed by the kernel. By default, this value is <code class="computeroutput">33554432</code>. However, the kernel supports much larger values than this.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">shmmni</code> — Sets the maximum number of shared memory segments for the whole system. By default, this value is <code class="computeroutput">4096</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">sysrq</code> — Activates the System Request Key, if this value is set to anything other than zero (<code class="computeroutput">0</code>), the default.
						</div><div class="para">
							The System Request Key allows immediate input to the kernel through simple key combinations. For example, the System Request Key can be used to immediately shut down or restart a system, sync all mounted file systems, or dump important information to the console. To initiate a System Request Key, type <span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>SysRq</strong></span>+<span class="keycap"><strong> <em class="replaceable"><code>&lt;system request code&gt;</code></em> </strong></span> . Replace <em class="replaceable"><code>&lt;system request code&gt;</code></em> with one of the following system request codes:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="command">r</code> — Disables raw mode for the keyboard and sets it to XLATE (a limited keyboard mode which does not recognize modifiers such as <span class="keycap"><strong>Alt</strong></span>, <span class="keycap"><strong>Ctrl</strong></span>, or <span class="keycap"><strong>Shift</strong></span> for all keys).
								</div></li><li class="listitem"><div class="para">
									<code class="command">k</code> — Kills all processes active in a virtual console. Also called <em class="firstterm">Secure Access Key</em> (<em class="firstterm">SAK</em>), it is often used to verify that the login prompt is spawned from <code class="command">init</code> and not a Trojan copy designed to capture usernames and passwords.
								</div></li><li class="listitem"><div class="para">
									<code class="command">b</code> — Reboots the kernel without first unmounting file systems or syncing disks attached to the system.
								</div></li><li class="listitem"><div class="para">
									<code class="command">c</code> — Crashes the system without first unmounting file systems or syncing disks attached to the system.
								</div></li><li class="listitem"><div class="para">
									<code class="command">o</code> — Shuts off the system.
								</div></li><li class="listitem"><div class="para">
									<code class="command">s</code> — Attempts to sync disks attached to the system.
								</div></li><li class="listitem"><div class="para">
									<code class="command">u</code> — Attempts to unmount and remount all file systems as read-only.
								</div></li><li class="listitem"><div class="para">
									<code class="command">p</code> — Outputs all flags and registers to the console.
								</div></li><li class="listitem"><div class="para">
									<code class="command">t</code> — Outputs a list of processes to the console.
								</div></li><li class="listitem"><div class="para">
									<code class="command">m</code> — Outputs memory statistics to the console.
								</div></li><li class="listitem"><div class="para">
									<code class="command">0</code> through <code class="command">9</code> — Sets the log level for the console.
								</div></li><li class="listitem"><div class="para">
									<code class="command">e</code> — Kills all processes except <code class="command">init</code> using SIGTERM.
								</div></li><li class="listitem"><div class="para">
									<code class="command">i</code> — Kills all processes except <code class="command">init</code> using SIGKILL.
								</div></li><li class="listitem"><div class="para">
									<code class="command">l</code> — Kills all processes using SIGKILL (including <code class="command">init</code>). <span class="emphasis"><em>The system is unusable after issuing this System Request Key code.</em></span>
								</div></li><li class="listitem"><div class="para">
									<code class="command">h</code> — Displays help text.
								</div></li></ul></div><div class="para">
							This feature is most beneficial when using a development kernel or when experiencing system freezes.
						</div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
								The System Request Key feature is considered a security risk because an unattended console provides an attacker with access to the system. For this reason, it is turned off by default.
							</div></div></div><div class="para">
							Refer to <code class="filename">/usr/share/doc/kernel-doc-<em class="replaceable"><code>&lt;version&gt;</code></em>/Documentation/sysrq.txt</code> for more information about the System Request Key.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">sysrq-key</code> — Defines the key code for the System Request Key (<code class="computeroutput">84</code> is the default).
						</div></li><li class="listitem"><div class="para">
							<code class="filename">sysrq-sticky</code> — Defines whether the System Request Key is a chorded key combination. The accepted values are as follows:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="computeroutput">0</code> — <span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>SysRq</strong></span> and the system request code must be pressed simultaneously. This is the default value.
								</div></li><li class="listitem"><div class="para">
									<code class="computeroutput">1</code> — <span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>SysRq</strong></span> must be pressed simultaneously, but the system request code can be pressed anytime before the number of seconds specified in <code class="filename">/proc/sys/kernel/sysrq-timer</code> elapses.
								</div></li></ul></div></li><li class="listitem"><div class="para">
							<code class="filename">sysrq-timer</code> — Specifies the number of seconds allowed to pass before the system request code must be pressed. The default value is <code class="command">10</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">tainted</code> — Indicates whether a non-GPL module is loaded.
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="computeroutput">0</code> — No non-GPL modules are loaded.
								</div></li><li class="listitem"><div class="para">
									<code class="computeroutput">1</code> — At least one module without a GPL license (including modules with no license) is loaded.
								</div></li><li class="listitem"><div class="para">
									<code class="computeroutput">2</code> — At least one module was force-loaded with the command <code class="command">insmod -f</code>.
								</div></li></ul></div></li><li class="listitem"><div class="para">
							<code class="filename">threads-max</code> — Sets the maximum number of threads to be used by the kernel, with a default value of <code class="computeroutput">2048</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">version</code> — Displays the date and time the kernel was last compiled. The first field in this file, such as <code class="computeroutput">#3</code>, relates to the number of times a kernel was built from the source base.
						</div></li></ul></div></div><div class="section" id="s3-proc-sys-net"><div class="titlepage"><div><div><h4 class="title" id="s3-proc-sys-net">4.3.9.4.  <code class="filename">/proc/sys/net/</code> </h4></div></div></div><a id="id844543" class="indexterm"></a><a id="id844574" class="indexterm"></a><a id="id844588" class="indexterm"></a><a id="id844602" class="indexterm"></a><div class="para">
					This directory contains subdirectories concerning various networking topics. Various configurations at the time of kernel compilation make different directories available here, such as <code class="filename">ethernet/</code>, <code class="filename">ipv4/</code>, <code class="filename">ipx/</code>, and <code class="filename">ipv6/</code>. By altering the files within these directories, system administrators are able to adjust the network configuration on a running system.
				</div><div class="para">
					Given the wide variety of possible networking options available with Linux, only the most common <code class="filename">/proc/sys/net/</code> directories are discussed.
				</div><div class="para">
					The <code class="filename">/proc/sys/net/core/</code> directory contains a variety of settings that control the interaction between the kernel and networking layers. The most important of these files are:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="filename">message_burst</code> — Sets the amount of time in tenths of a second required to write a new warning message. This setting is used to mitigate <em class="firstterm">Denial of Service</em> (<em class="firstterm">DoS</em>) attacks. The default setting is <code class="computeroutput">50</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">message_cost</code> — Sets a cost on every warning message. The higher the value of this file (default of <code class="computeroutput">5</code>), the more likely the warning message is ignored. This setting is used to mitigate DoS attacks.
						</div><div class="para">
							The idea of a DoS attack is to bombard the targeted system with requests that generate errors and fill up disk partitions with log files or require all of the system's resources to handle the error logging. The settings in <code class="filename">message_burst</code> and <code class="filename">message_cost</code> are designed to be modified based on the system's acceptable risk versus the need for comprehensive logging.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">netdev_max_backlog</code> — Sets the maximum number of packets allowed to queue when a particular interface receives packets faster than the kernel can process them. The default value for this file is <code class="computeroutput">300</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">optmem_max</code> — Configures the maximum ancillary buffer size allowed per socket.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">rmem_default</code> — Sets the receive socket buffer default size in bytes.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">rmem_max</code> — Sets the receive socket buffer maximum size in bytes.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">wmem_default</code> — Sets the send socket buffer default size in bytes.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">wmem_max</code> — Sets the send socket buffer maximum size in bytes.
						</div></li></ul></div><div class="para">
					The <code class="filename">/proc/sys/net/ipv4/</code> directory contains additional networking settings. Many of these settings, used in conjunction with one another, are useful in preventing attacks on the system or when using the system to act as a router.
				</div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
						An erroneous change to these files may affect remote connectivity to the system.
					</div></div></div><div class="para">
					The following is a list of some of the more important files within the <code class="filename">/proc/sys/net/ipv4/</code> directory:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="filename">icmp_destunreach_rate</code>, <code class="filename">icmp_echoreply_rate</code>, <code class="filename">icmp_paramprob_rate</code>, and <code class="filename">icmp_timeexeed_rate</code> — Set the maximum ICMP send packet rate, in 1/100 of a second, to hosts under certain conditions. A setting of <code class="computeroutput">0</code> removes any delay and is not a good idea.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">icmp_echo_ignore_all</code> and <code class="filename">icmp_echo_ignore_broadcasts</code> — Allows the kernel to ignore ICMP ECHO packets from every host or only those originating from broadcast and multicast addresses, respectively. A value of <code class="computeroutput">0</code> allows the kernel to respond, while a value of <code class="computeroutput">1</code> ignores the packets.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">ip_default_ttl</code> — Sets the default <em class="firstterm">Time To Live (TTL)</em>, which limits the number of hops a packet may make before reaching its destination. Increasing this value can diminish system performance.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">ip_forward</code> — Permits interfaces on the system to forward packets to one other. By default, this file is set to <code class="computeroutput">0</code>. Setting this file to <code class="computeroutput">1</code> enables network packet forwarding.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">ip_local_port_range</code> — Specifies the range of ports to be used by TCP or UDP when a local port is needed. The first number is the lowest port to be used and the second number specifies the highest port. Any systems that expect to require more ports than the default 1024 to 4999 should use a range from 32768 to 61000.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">tcp_syn_retries</code> — Provides a limit on the number of times the system re-transmits a SYN packet when attempting to make a connection.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">tcp_retries1</code> — Sets the number of permitted re-transmissions attempting to answer an incoming connection. Default of <code class="computeroutput">3</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">tcp_retries2</code> — Sets the number of permitted re-transmissions of TCP packets. Default of <code class="computeroutput">15</code>.
						</div></li></ul></div><div class="para">
					The file called
				</div><pre class="screen"><code class="filename">/usr/share/doc/kernel-doc-<em class="replaceable"><code>&lt;version&gt;</code></em>/Documentation/networking/ ip-sysctl.txt</code></pre><div class="para">
					contains a complete list of files and options available in the <code class="filename">/proc/sys/net/ipv4/</code> directory.
				</div><div class="para">
					A number of other directories exist within the <code class="filename">/proc/sys/net/ipv4/</code> directory and each covers a different aspect of the network stack. The <code class="filename">/proc/sys/net/ipv4/conf/</code> directory allows each system interface to be configured in different ways, including the use of default settings for unconfigured devices (in the <code class="filename">/proc/sys/net/ipv4/conf/default/</code> subdirectory) and settings that override all special configurations (in the <code class="filename">/proc/sys/net/ipv4/conf/all/</code> subdirectory).
				</div><div class="para">
					The <code class="filename">/proc/sys/net/ipv4/neigh/</code> directory contains settings for communicating with a host directly connected to the system (called a network neighbor) and also contains different settings for systems more than one hop away.
				</div><div class="para">
					Routing over IPV4 also has its own directory, <code class="filename">/proc/sys/net/ipv4/route/</code>. Unlike <code class="filename">conf/</code> and <code class="filename">neigh/</code>, the <code class="filename">/proc/sys/net/ipv4/route/</code> directory contains specifications that apply to routing with any interfaces on the system. Many of these settings, such as <code class="filename">max_size</code>, <code class="filename">max_delay</code>, and <code class="filename">min_delay</code>, relate to controlling the size of the routing cache. To clear the routing cache, write any value to the <code class="filename">flush</code> file.
				</div><div class="para">
					Additional information about these directories and the possible values for their configuration files can be found in:
				</div><pre class="screen">/usr/share/doc/kernel-doc-<em class="replaceable"><code>&lt;version&gt;</code></em>/Documentation/filesystems/proc.txt</pre></div><div class="section" id="s3-proc-sys-vm"><div class="titlepage"><div><div><h4 class="title" id="s3-proc-sys-vm">4.3.9.5.  <code class="filename">/proc/sys/vm/</code> </h4></div></div></div><a id="id845098" class="indexterm"></a><a id="id845128" class="indexterm"></a><a id="id845143" class="indexterm"></a><div class="para">
					This directory facilitates the configuration of the Linux kernel's virtual memory (VM) subsystem. The kernel makes extensive and intelligent use of virtual memory, which is commonly referred to as swap space.
				</div><div class="para">
					The following files are commonly found in the <code class="filename">/proc/sys/vm/</code> directory:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="filename">block_dump</code> — Configures block I/O debugging when enabled. All read/write and block dirtying operations done to files are logged accordingly. This can be useful if diagnosing disk spin up and spin downs for laptop battery conservation. All output when <code class="filename">block_dump</code> is enabled can be retrieved via <code class="command">dmesg</code>. The default value is <code class="computeroutput">0</code>.
						</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
								If <code class="filename">block_dump</code> is enabled at the same time as kernel debugging, it is prudent to stop the <code class="command">klogd</code> daemon, as it generates erroneous disk activity caused by <code class="filename">block_dump</code>.
							</div></div></div></li><li class="listitem"><div class="para">
							<code class="filename">dirty_background_ratio</code> — Starts background writeback of dirty data at this percentage of total memory, via a pdflush daemon. The default value is <code class="command">10</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">dirty_expire_centisecs</code> — Defines when dirty in-memory data is old enough to be eligible for writeout. Data which has been dirty in-memory for longer than this interval is written out next time a pdflush daemon wakes up. The default value is <code class="command">3000</code>, expressed in hundredths of a second.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">dirty_ratio</code> — Starts active writeback of dirty data at this percentage of total memory for the generator of dirty data, via pdflush. The default value is <code class="command">40</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">dirty_writeback_centisecs</code> — Defines the interval between pdflush daemon wakeups, which periodically writes dirty in-memory data out to disk. The default value is <code class="command">500</code>, expressed in hundredths of a second.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">laptop_mode</code> — Minimizes the number of times that a hard disk needs to spin up by keeping the disk spun down for as long as possible, therefore conserving battery power on laptops. This increases efficiency by combining all future I/O processes together, reducing the frequency of spin ups. The default value is <code class="computeroutput">0</code>, but is automatically enabled in case a battery on a laptop is used.
						</div><div class="para">
							This value is controlled automatically by the acpid daemon once a user is notified battery power is enabled. No user modifications or interactions are necessary if the laptop supports the ACPI (Advanced Configuration and Power Interface) specification.
						</div><div class="para">
							For more information, refer to the following installed documentation:
						</div><div class="para">
							<code class="filename">/usr/share/doc/kernel-doc-<em class="replaceable"><code>&lt;version&gt;</code></em>/Documentation/laptop-mode.txt</code>
						</div></li><li class="listitem"><div class="para">
							<code class="filename">lower_zone_protection</code> — Determines how aggressive the kernel is in defending lower memory allocation zones. This is effective when utilized with machines configured with <code class="filename">highmem</code> memory space enabled. The default value is <code class="computeroutput">0</code>, no protection at all. All other integer values are in megabytes, and <code class="filename">lowmem</code> memory is therefore protected from being allocated by users.
						</div><div class="para">
							For more information, refer to the following installed documentation:
						</div><div class="para">
							<code class="filename">/usr/share/doc/kernel-doc-<em class="replaceable"><code>&lt;version&gt;</code></em>/Documentation/filesystems/proc.txt</code>
						</div></li><li class="listitem"><div class="para">
							<code class="filename">max_map_count</code> — Configures the maximum number of memory map areas a process may have. In most cases, the default value of <code class="computeroutput">65536</code> is appropriate.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">min_free_kbytes</code> — Forces the Linux VM (virtual memory manager) to keep a minimum number of kilobytes free. The VM uses this number to compute a <code class="filename">pages_min</code> value for each <code class="filename">lowmem</code> zone in the system. The default value is in respect to the total memory on the machine.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">nr_hugepages</code> — Indicates the current number of configured <code class="filename">hugetlb</code> pages in the kernel.
						</div><div class="para">
							For more information, refer to the following installed documentation:
						</div><div class="para">
							<code class="filename">/usr/share/doc/kernel-doc-<em class="replaceable"><code>&lt;version&gt;</code></em>/Documentation/vm/hugetlbpage.txt</code>
						</div></li><li class="listitem"><div class="para">
							<code class="filename">nr_pdflush_threads</code> — Indicates the number of pdflush daemons that are currently running. This file is read-only, and should not be changed by the user. Under heavy I/O loads, the default value of two is increased by the kernel.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">overcommit_memory</code> — Configures the conditions under which a large memory request is accepted or denied. The following three modes are available:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="command">0</code> — The kernel performs heuristic memory over commit handling by estimating the amount of memory available and failing requests that are blatantly invalid. Unfortunately, since memory is allocated using a heuristic rather than a precise algorithm, this setting can sometimes allow available memory on the system to be overloaded. This is the default setting.
								</div></li><li class="listitem"><div class="para">
									<code class="command">1</code> — The kernel performs no memory over commit handling. Under this setting, the potential for memory overload is increased, but so is performance for memory intensive tasks (such as those executed by some scientific software).
								</div></li><li class="listitem"><div class="para">
									<code class="command">2</code> — The kernel fails requests for memory that add up to all of swap plus the percent of physical RAM specified in <code class="filename">/proc/sys/vm/overcommit_ratio</code>. This setting is best for those who desire less risk of memory overcommitment.
								</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
										This setting is only recommended for systems with swap areas larger than physical memory.
									</div></div></div></li></ul></div></li><li class="listitem"><div class="para">
							<code class="filename">overcommit_ratio</code> — Specifies the percentage of physical RAM considered when <code class="filename">/proc/sys/vm/overcommit_memory</code> is set to <code class="command">2</code>. The default value is <code class="command">50</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">page-cluster</code> — Sets the number of pages read in a single attempt. The default value of <code class="computeroutput">3</code>, which actually relates to 16 pages, is appropriate for most systems.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">swappiness</code> — Determines how much a machine should swap. The higher the value, the more swapping occurs. The default value, as a percentage, is set to <code class="computeroutput">60</code>.
						</div></li></ul></div><div class="para">
					All kernel-based documentation can be found in the following locally installed location:
				</div><div class="para">
					<code class="filename">/usr/share/doc/kernel-doc-<em class="replaceable"><code>&lt;version&gt;</code></em>/Documentation/</code>, which contains additional information.
				</div></div></div><div class="section" id="s2-proc-dir-sysvipc"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-dir-sysvipc">4.3.10.  <code class="filename">/proc/sysvipc/</code> </h3></div></div></div><a id="id845622" class="indexterm"></a><div class="para">
				This directory contains information about System V IPC resources. The files in this directory relate to System V IPC calls for messages (<code class="filename">msg</code>), semaphores (<code class="filename">sem</code>), and shared memory (<code class="filename">shm</code>).
			</div></div><div class="section" id="s2-proc-tty"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-tty">4.3.11.  <code class="filename">/proc/tty/</code> </h3></div></div></div><a id="id845677" class="indexterm"></a><div class="para">
				This directory contains information about the available and currently used <em class="firstterm">tty devices</em> on the system. Originally called <em class="firstterm">teletype devices</em>, any character-based data terminals are called tty devices.
			</div><div class="para">
				In Linux, there are three different kinds of tty devices. <em class="firstterm">Serial devices</em> are used with serial connections, such as over a modem or using a serial cable. <em class="firstterm">Virtual terminals</em> create the common console connection, such as the virtual consoles available when pressing <span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>&lt;F-key&gt;</strong></span> at the system console. <em class="firstterm">Pseudo terminals</em> create a two-way communication that is used by some higher level applications, such as XFree86. The <code class="filename">drivers</code> file is a list of the current tty devices in use, as in the following example:
			</div><pre class="screen">serial               /dev/cua        5  64-127 serial:callout
serial               /dev/ttyS       4  64-127 serial
pty_slave            /dev/pts      136   0-255 pty:slave
pty_master           /dev/ptm      128   0-255 pty:master
pty_slave            /dev/ttyp       3   0-255 pty:slave
pty_master           /dev/pty        2   0-255 pty:master
/dev/vc/0            /dev/vc/0       4       0 system:vtmaster
/dev/ptmx            /dev/ptmx       5       2 system
/dev/console         /dev/console    5       1 system:console
/dev/tty             /dev/tty        5       0 system:/dev/tty
unknown              /dev/vc/%d      4    1-63 console</pre><div class="para">
				The <code class="filename">/proc/tty/driver/serial</code> file lists the usage statistics and status of each of the serial tty lines.
			</div><div class="para">
				In order for tty devices to be used as network devices, the Linux kernel enforces <em class="firstterm">line discipline</em> on the device. This allows the driver to place a specific type of header with every block of data transmitted over the device, making it possible for the remote end of the connection to a block of data as just one in a stream of data blocks. SLIP and PPP are common line disciplines, and each are commonly used to connect systems to one other over a serial link.
			</div><div class="para">
				Registered line disciplines are stored in the <code class="filename">ldiscs</code> file, and more detailed information is available within the <code class="filename">ldisc/</code> directory.
			</div></div><div class="section" id="s2-proc-pid"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-pid">4.3.12.  <code class="filename">/proc/&lt;PID&gt;/</code> </h3></div></div></div><a id="id845807" class="indexterm"></a><div class="para">
				Out of Memory (OOM) refers to a computing state where all available memory, including swap space, has been allocated. When this situation occurs, it will cause the system to panic and stop functioning as expected. There is a switch that controls OOM behavior in <code class="filename">/proc/sys/vm/panic_on_oom</code>. When set to <code class="filename">1</code> the kernel will panic on OOM. A setting of <code class="filename">0</code> instructs the kernel to call a function named <code class="filename">oom_killer</code> on an OOM. Usually, <code class="filename">oom_killer</code> can kill rogue processes and the system will survive.
			</div><div class="para">
				The easiest way to change this is to echo the new value to <code class="filename">/proc/sys/vm/panic_on_oom</code>.
			</div><pre class="screen">~]# <code class="command">cat /proc/sys/vm/panic_on_oom</code>
1
~]# <code class="command">echo 0 &gt; /proc/sys/vm/panic_on_oom</code>
~]# <code class="command">cat /proc/sys/vm/panic_on_oom</code>
0</pre><div class="para">
				It is also possible to prioritize which processes get killed by adjusting the <code class="filename">oom_killer</code> score. In <code class="filename">/proc/&lt;PID&gt;/</code> there are two tools labelled <code class="filename">oom_adj</code> and <code class="filename">oom_score</code>. Valid scores for <code class="filename">oom_adj</code> are in the range -16 to +15. To see the current <code class="filename">oom_killer</code> score, view the <code class="filename">oom_score</code> for the process. <code class="filename">oom_killer</code> will kill processes with the highest scores first.
			</div><div class="para">
				This example adjusts the oom_score of a process with a PID of 12465 to make it less likely that <code class="filename">oom_killer</code> will kill it.
			</div><pre class="screen">~]# <code class="command">cat /proc/12465/oom_score</code>
79872
~]# <code class="command">echo -5 &gt; /proc/12465/oom_adj</code>
~]# <code class="command">cat /proc/12465/oom_score</code>
78</pre><div class="para">
				There is also a special value of -17, which disables <code class="filename">oom_killer</code> for that process. In the example below, <code class="filename">oom_score</code> returns a value of 0, indicating that this process would not be killed.
			</div><pre class="screen">~]# <code class="command">cat /proc/12465/oom_score</code>
78
~]# <code class="command">echo -17 &gt; /proc/12465/oom_adj</code>
~]# <code class="command">cat /proc/12465/oom_score</code>
0</pre><div class="para">
				A function called <code class="filename">badness()</code> is used to determine the actual score for each process. This is done by adding up 'points' for each examined process. The process scoring is done in the following way:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						The basis of each process's score is its memory size.
					</div></li><li class="listitem"><div class="para">
						The memory size of any of the process's children (not including a kernel thread) is also added to the score
					</div></li><li class="listitem"><div class="para">
						The process's score is increased for 'niced' processes and decreased for long running processes.
					</div></li><li class="listitem"><div class="para">
						Processes with the <code class="filename">CAP_SYS_ADMIN</code> and <code class="filename">CAP_SYS_RAWIO</code> capabilities have their scores reduced.
					</div></li><li class="listitem"><div class="para">
						The final score is then bitshifted by the value saved in the <code class="filename">oom_adj</code> file.
					</div></li></ol></div><div class="para">
				Thus, a process with the highest <code class="filename">oom_score</code> value will most probably be a non-privileged, recently started process that, along with its children, uses a large amount of memory, has been 'niced', and handles no raw I/O.
			</div></div></div><div class="section" id="s1-proc-sysctl"><div class="titlepage"><div><div><h2 class="title" id="s1-proc-sysctl">4.4. Using the <code class="command">sysctl</code> Command</h2></div></div></div><a id="id846067" class="indexterm"></a><a id="id846081" class="indexterm"></a><a id="id846096" class="indexterm"></a><a id="id846118" class="indexterm"></a><a id="id846149" class="indexterm"></a><a id="id846168" class="indexterm"></a><div class="para">
			The <code class="command">/sbin/sysctl</code> command is used to view, set, and automate kernel settings in the <code class="filename">/proc/sys/</code> directory.
		</div><div class="para">
			For a quick overview of all settings configurable in the <code class="filename">/proc/sys/</code> directory, type the <code class="command">/sbin/sysctl -a</code> command as root. This creates a large, comprehensive list, a small portion of which looks something like the following:
		</div><pre class="screen">net.ipv4.route.min_delay = 2 kernel.sysrq = 0 kernel.sem = 250     32000     32     128</pre><div class="para">
			This is the same information seen if each of the files were viewed individually. The only difference is the file location. For example, the <code class="filename">/proc/sys/net/ipv4/route/min_delay</code> file is listed as <code class="computeroutput">net.ipv4.route.min_delay</code>, with the directory slashes replaced by dots and the <code class="computeroutput">proc.sys</code> portion assumed.
		</div><div class="para">
			The <code class="command">sysctl</code> command can be used in place of <code class="command">echo</code> to assign values to writable files in the <code class="filename">/proc/sys/</code> directory. For example, instead of using the command
		</div><pre class="screen"><code class="command">echo 1 &gt; /proc/sys/kernel/sysrq</code></pre><div class="para">
			use the equivalent <code class="command">sysctl</code> command as follows:
		</div><pre class="screen">~]# <code class="command">sysctl -w kernel.sysrq="1"</code>
kernel.sysrq = 1</pre><div class="para">
			While quickly setting single values like this in <code class="filename">/proc/sys/</code> is helpful during testing, this method does not work as well on a production system as special settings within <code class="filename">/proc/sys/</code> are lost when the machine is rebooted. To preserve custom settings, add them to the <code class="filename">/etc/sysctl.conf</code> file.
		</div><div class="para">
			Each time the system boots, the <code class="command">init</code> program runs the <code class="filename">/etc/rc.d/rc.sysinit</code> script. This script contains a command to execute <code class="command">sysctl</code> using <code class="filename">/etc/sysctl.conf</code> to determine the values passed to the kernel. Any values added to <code class="filename">/etc/sysctl.conf</code> therefore take effect each time the system boots.
		</div></div><div class="section" id="s1-proc-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-proc-additional-resources">4.5. Additional Resources</h2></div></div></div><a id="id846324" class="indexterm"></a><div class="para">
			Below are additional sources of information about <code class="filename">proc</code> file system.
		</div><div class="section" id="s2-proc-installed-documentation"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-installed-documentation">4.5.1. Installed Documentation</h3></div></div></div><a id="id846359" class="indexterm"></a><div class="para">
				Some of the best documentation about the <code class="filename">proc</code> file system is installed on the system by default.
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="filename">/usr/share/doc/kernel-doc-<em class="replaceable"><code>&lt;version&gt;</code></em>/Documentation/filesystems/proc.txt</code> — Contains assorted, but limited, information about all aspects of the <code class="filename">/proc/</code> directory.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/usr/share/doc/kernel-doc-<em class="replaceable"><code>&lt;version&gt;</code></em>/Documentation/sysrq.txt</code> — An overview of System Request Key options.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/usr/share/doc/kernel-doc-<em class="replaceable"><code>&lt;version&gt;</code></em>/Documentation/sysctl/</code> — A directory containing a variety of <code class="command">sysctl</code> tips, including modifying values that concern the kernel (<code class="filename">kernel.txt</code>), accessing file systems (<code class="filename">fs.txt</code>), and virtual memory use (<code class="filename">vm.txt</code>).
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/usr/share/doc/kernel-doc-<em class="replaceable"><code>&lt;version&gt;</code></em>/Documentation/networking/ip-sysctl.txt</code> — A detailed overview of IP networking options.
					</div></li></ul></div></div><div class="section" id="s2-proc-useful-websites"><div class="titlepage"><div><div><h3 class="title" id="s2-proc-useful-websites">4.5.2. Useful Websites</h3></div></div></div><a id="id846487" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://www.linuxhq.com/">http://www.linuxhq.com/</a> — This website maintains a complete database of source, patches, and documentation for various versions of the Linux kernel.
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-raid" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 5. Redundant Array of Independent Disks (RAID)</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-raid-what-is">5.1. What is RAID?</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-raid-why-use">5.1.1. Who Should Use RAID?</a></span></dt><dt><span class="section"><a href="#s2-raid-approaches">5.1.2. Hardware RAID versus Software RAID</a></span></dt><dt><span class="section"><a href="#s2-raid-levels">5.1.3. RAID Levels and Linear Support</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-raid-config">5.2. Configuring Software RAID</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-raid-diskdruid-manual-part">5.2.1. Creating the RAID Partitions</a></span></dt><dt><span class="section"><a href="#s1-raid-diskdruid-manual-devmnt">5.2.2. Creating the RAID Devices and Mount Points</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-raid-manage">5.3. Managing Software RAID</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-raid-manage-reviewing">5.3.1. Reviewing RAID Configuration</a></span></dt><dt><span class="section"><a href="#s2-raid-manage-creating">5.3.2. Creating a New RAID Device</a></span></dt><dt><span class="section"><a href="#s2-raid-manage-replacing">5.3.3. Replacing a Faulty Device</a></span></dt><dt><span class="section"><a href="#s2-raid-manage-extending">5.3.4. Extending a RAID Device</a></span></dt><dt><span class="section"><a href="#s2-raid-manage-removing">5.3.5. Removing a RAID Device</a></span></dt><dt><span class="section"><a href="#s2-raid-manage-preserving">5.3.6. Preserving the Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-raid-resources">5.4. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-raid-resources-installed">5.4.1. Installed Documentation</a></span></dt></dl></dd></dl></div><div class="para">
		The basic idea behind RAID is to combine multiple small, inexpensive disk drives into an array to accomplish performance or redundancy goals not attainable with one large and expensive drive. This array of drives appears to the computer as a single logical storage unit or drive.
	</div><div class="section" id="s1-raid-what-is"><div class="titlepage"><div><div><h2 class="title" id="s1-raid-what-is">5.1. What is RAID?</h2></div></div></div><a id="id919344" class="indexterm"></a><div class="para">
			RAID allows information to access several disks. RAID uses techniques such as <em class="firstterm">disk striping</em> (RAID Level 0), <em class="firstterm">disk mirroring</em> (RAID Level 1), and <em class="firstterm">disk striping with parity</em> (RAID Level 5) to achieve redundancy, lower latency, increased bandwidth, and maximized ability to recover from hard disk crashes.
		</div><a id="id834382" class="indexterm"></a><div class="para">
			RAID consistently distributes data across each drive in the array. RAID then breaks down the data into consistently-sized chunks (commonly 32K or 64k, although other values are acceptable). Each chunk is then written to a hard drive in the RAID array according to the RAID level employed. When the data is read, the process is reversed, giving the illusion that the multiple drives in the array are actually one large drive.
		</div><div class="section" id="s2-raid-why-use"><div class="titlepage"><div><div><h3 class="title" id="s2-raid-why-use">5.1.1. Who Should Use RAID?</h3></div></div></div><div class="para">
				System Administrators and others who manage large amounts of data would benefit from using RAID technology. Primary reasons to deploy RAID include:
			</div><a id="id921165" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Enhances speed
					</div></li><li class="listitem"><div class="para">
						Increases storage capacity using a single virtual disk
					</div></li><li class="listitem"><div class="para">
						Minimizes disk failure
					</div></li></ul></div></div><div class="section" id="s2-raid-approaches"><div class="titlepage"><div><div><h3 class="title" id="s2-raid-approaches">5.1.2. Hardware RAID versus Software RAID</h3></div></div></div><div class="para">
				There are two possible RAID approaches: hardware RAID and software RAID.
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <a id="id836221" class="indexterm"></a>
					 <a id="id853561" class="indexterm"></a>
					 Hardware RAID </span></dt><dd><div class="para">
							The hardware-based array manages the RAID subsystem independently from the host. It presents a single disk per RAID array to the host.
						</div><div class="para">
							A hardware RAID device connects to the SCSI controller and presents the RAID arrays as a single SCSI drive. An external RAID system moves all RAID handling <span class="quote">“<span class="quote">intelligence</span>”</span> into a controller located in the external disk subsystem. The whole subsystem is connected to the host via a normal SCSI controller and appears to the host as a single disk.
						</div><div class="para">
							RAID controller cards function like a SCSI controller to the operating system, and handle all the actual drive communications. The user plugs the drives into the RAID controller (just like a normal SCSI controller) and then adds them to the RAID controllers configuration, and the operating system won't know the difference.
						</div></dd><dt class="varlistentry"><span class="term"> <a id="id918824" class="indexterm"></a>
					 <a id="id918836" class="indexterm"></a>
					 Software RAID </span></dt><dd><div class="para">
							Software RAID implements the various RAID levels in the kernel disk (block device) code. It offers the cheapest possible solution, as expensive disk controller cards or hot-swap chassis<sup>[<a id="id918857" href="#ftn.id918857" class="footnote">1</a>]</sup> are not required. Software RAID also works with cheaper IDE disks as well as SCSI disks. With today's faster CPUs, software RAID outperforms hardware RAID.
						</div><div class="para">
							The Linux kernel contains an MD driver that allows the RAID solution to be completely hardware independent. The performance of a software-based array depends on the server CPU performance and load.
						</div><div class="para">
							To learn more about software RAID, here are the key features:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									Threaded rebuild process
								</div></li><li class="listitem"><div class="para">
									Kernel-based configuration
								</div></li><li class="listitem"><div class="para">
									Portability of arrays between Linux machines without reconstruction
								</div></li><li class="listitem"><div class="para">
									Backgrounded array reconstruction using idle system resources
								</div></li><li class="listitem"><div class="para">
									Hot-swappable drive support
								</div></li><li class="listitem"><div class="para">
									Automatic CPU detection to take advantage of certain CPU optimizations
								</div></li></ul></div></dd></dl></div></div><div class="section" id="s2-raid-levels"><div class="titlepage"><div><div><h3 class="title" id="s2-raid-levels">5.1.3. RAID Levels and Linear Support</h3></div></div></div><a id="id1064188" class="indexterm"></a><div class="para">
				RAID supports various configurations, including levels 0, 1, 4, 5, and linear. These RAID types are defined as follows:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <a id="id1064213" class="indexterm"></a>
					 Level 0 </span></dt><dd><div class="para">
							RAID level 0, often called <span class="quote">“<span class="quote">striping</span>”</span>, is a performance-oriented striped data mapping technique. This means the data being written to the array is broken down into strips and written across the member disks of the array, allowing high I/O performance at low inherent cost but provides no redundancy. The storage capacity of a level 0 array is equal to the total capacity of the member disks in a hardware RAID or the total capacity of member partitions in a software RAID.
						</div></dd><dt class="varlistentry"><span class="term"> <a id="id1064248" class="indexterm"></a>
					 Level 1 </span></dt><dd><div class="para">
							RAID level 1, or <span class="quote">“<span class="quote">mirroring</span>”</span>, has been used longer than any other form of RAID. Level 1 provides redundancy by writing identical data to each member disk of the array, leaving a <span class="quote">“<span class="quote">mirrored</span>”</span> copy on each disk. Mirroring remains popular due to its simplicity and high level of data availability. Level 1 operates with two or more disks that may use parallel access for high data-transfer rates when reading but more commonly operate independently to provide high I/O transaction rates. Level 1 provides very good data reliability and improves performance for read-intensive applications but at a relatively high cost. The storage capacity of the level 1 array is equal to the capacity of one of the mirrored hard disks in a hardware RAID or one of the mirrored partitions in a software RAID.
						</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
								RAID level 1 comes at a high cost because you write the same information to all of the disks in the array, which wastes drive space. For example, if you have RAID level 1 set up so that your root (<code class="filename">/</code>) partition exists on two 40G drives, you have 80G total but are only able to access 40G of that 80G. The other 40G acts like a mirror of the first 40G.
							</div></div></div></dd><dt class="varlistentry"><span class="term"> <a id="id1064309" class="indexterm"></a>
					 Level 4 </span></dt><dd><div class="para">
							RAID level 4 uses parity<sup>[<a id="id782455" href="#ftn.id782455" class="footnote">2</a>]</sup> concentrated on a single disk drive to protect data. It is better suited to transaction I/O rather than large file transfers. Because the dedicated parity disk represents an inherent bottleneck, level 4 is seldom used without accompanying technologies such as write-back caching. Although RAID level 4 is an option in some RAID partitioning schemes, it is not an option allowed in Red Hat Enterprise Linux RAID installations. The storage capacity of hardware RAID level 4 is equal to the capacity of member disks, minus the capacity of one member disk. The storage capacity of software RAID level 4 is equal to the capacity of the member partitions, minus the size of one of the partitions if they are of equal size.
						</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
								RAID level 4 takes up the same amount of space as RAID level 5, but level 5 has more advantages. For this reason, level 4 is not supported.
							</div></div></div></dd><dt class="varlistentry"><span class="term"> <a id="id782495" class="indexterm"></a>
					 Level 5 </span></dt><dd><div class="para">
							RAID level 5 is the most common type of RAID. By distributing parity across some or all of an array's member disk drives, RAID level 5 eliminates the write bottleneck inherent in level 4. The only performance bottleneck is the parity calculation process. With modern CPUs and software RAID, that usually is not a very big problem. As with level 4, the result is asymmetrical performance, with reads substantially outperforming writes. Level 5 is often used with write-back caching to reduce the asymmetry. The storage capacity of hardware RAID level 5 is equal to the capacity of member disks, minus the capacity of one member disk. The storage capacity of software RAID level 5 is equal to the capacity of the member partitions, minus the size of one of the partitions if they are of equal size.
						</div></dd><dt class="varlistentry"><span class="term"> <a id="id782529" class="indexterm"></a>
					 Linear RAID </span></dt><dd><div class="para">
							Linear RAID is a simple grouping of drives to create a larger virtual drive. In linear RAID, the chunks are allocated sequentially from one member drive, going to the next drive only when the first is completely filled. This grouping provides no performance benefit, as it is unlikely that any I/O operations will be split between member drives. Linear RAID also offers no redundancy and, in fact, decreases reliability — if any one member drive fails, the entire array cannot be used. The capacity is the total of all member disks.
						</div></dd></dl></div></div></div><div class="section" id="s1-raid-config"><div class="titlepage"><div><div><h2 class="title" id="s1-raid-config">5.2. Configuring Software RAID</h2></div></div></div><a id="id782569" class="indexterm"></a><a id="id841389" class="indexterm"></a><div class="para">
			Users can configure software RAID during the graphical installation process, the text-based installation process, or during a kickstart installation. This section discusses software RAID configuration during the installation process using the <span class="application"><strong>Disk Druid</strong></span> application, and covers the following steps:
		</div><div class="procedure"><ol class="1"><li class="step"><div class="para">
					Creating <em class="firstterm">software RAID partitions</em> on physical hard drives.
				</div></li><li class="step"><div class="para">
					Creating <em class="firstterm">RAID devices</em> from the software RAID partitions.
				</div></li><li class="step"><div class="para">
					(Optional) Configuring <em class="firstterm">LVM</em> from the RAID devices.
				</div></li><li class="step"><div class="para">
					Creating <em class="firstterm">file systems</em> from the RAID devices.
				</div></li></ol></div><div class="para">
			To configure software RAID, select <span class="guimenuitem"><strong>Create custom layout</strong></span> from the pulldown list on the <span class="guilabel"><strong>Disk Partitioning Setup</strong></span> screen, click the <span class="guibutton"><strong>Next</strong></span> button, and follow the instructions in the rest of this section. The example screenshots in this section use two 10 GB disk drives (<code class="filename">/dev/hda</code> and <code class="filename">/dev/hdb</code>) to illustrate the creation of simple RAID 1 and RAID 0 configurations, and detail how to create a simple RAID configuration by implementing multiple RAID devices.
		</div><div class="section" id="s1-raid-diskdruid-manual-part"><div class="titlepage"><div><div><h3 class="title" id="s1-raid-diskdruid-manual-part">5.2.1. Creating the RAID Partitions</h3></div></div></div><a id="id841499" class="indexterm"></a><a id="id841515" class="indexterm"></a><div class="para">
				In a typical situation, the disk drives are new or are formatted. Both drives are shown as raw devices with no partition configuration in <a class="xref" href="#fig-raid-manual-free">Figure 5.1, “Two Blank Drives, Ready For Configuration”</a>.
			</div><div class="figure" id="fig-raid-manual-free"><div class="figure-contents"><div class="mediaobject"><img src="images/raid-manual-free.png" alt="Two Blank Drives, Ready For Configuration" /><div class="longdesc"><div class="para">
							Two Blank Drives, Ready For Configuration
						</div></div></div></div><h6>Figure 5.1. Two Blank Drives, Ready For Configuration</h6></div><br class="figure-break" /><div class="procedure"><ol class="1"><li class="step"><div class="para">
						In <span class="application"><strong>Disk Druid</strong></span>, click the <span class="guibutton"><strong>RAID</strong></span> button to enter the software RAID creation screen.
					</div></li><li class="step"><div class="para">
						Choose <span class="guimenuitem"><strong>Create a software RAID partition</strong></span> to create a RAID partition as shown in <a class="xref" href="#fig-raid-manual-part-opt">Figure 5.2, “RAID Partition Options”</a>. Note that no other RAID options (such as entering a mount point) are available until RAID partitions, as well as RAID devices, are created. Click <span class="guibutton"><strong>OK</strong></span> to confirm the choice.
					</div><div class="figure" id="fig-raid-manual-part-opt"><div class="figure-contents"><div class="mediaobject"><img src="images/raid-manual-part-opt.png" alt="RAID Partition Options" /><div class="longdesc"><div class="para">
									RAID Partition Options
								</div></div></div></div><h6>Figure 5.2. RAID Partition Options</h6></div><br class="figure-break" /></li><li class="step"><div class="para">
						A software RAID partition must be constrained to one drive. For <span class="guimenuitem"><strong>Allowable Drives</strong></span>, select the drive to use for RAID. If you have multiple drives, by default all drives are selected and you must deselect the drives you do not want.
					</div><div class="figure" id="fig-raid-manual-part-add"><div class="figure-contents"><div class="mediaobject"><img src="images/raid-manual-part-add.png" alt="Adding a RAID Partition" /><div class="longdesc"><div class="para">
									Adding a RAID Partition
								</div></div></div></div><h6>Figure 5.3. Adding a RAID Partition</h6></div><br class="figure-break" /></li><li class="step"><div class="para">
						Edit the <span class="guilabel"><strong>Size (MB)</strong></span> field, and enter the size that you want the partition to be (in MB).
					</div></li><li class="step"><div class="para">
						Select <span class="guilabel"><strong>Fixed Size</strong></span> to specify partition size. Select <span class="guilabel"><strong>Fill all space up to (MB)</strong></span> and enter a value (in MB) to specify partition size range. Select <span class="guilabel"><strong>Fill to maximum allowable size</strong></span> to allow maximum available space of the hard disk. Note that if you make more than one space growable, they share the available free space on the disk.
					</div></li><li class="step"><div class="para">
						Select <span class="guilabel"><strong>Force to be a primary partition</strong></span> if you want the partition to be a primary partition. A primary partition is one of the first four partitions on the hard drive. If unselected, the partition is created as a logical partition. If other operating systems are already on the system, unselecting this option should be considered. For more information on primary versus logical/extended partitions, refer to the appendix section of the <em class="citetitle">Red Hat Enterprise Linux Installation Guide</em>.
					</div></li></ol></div><div class="para">
				Repeat these steps to create as many partitions as needed for your RAID setup. Notice that all the partitions do not have to be RAID partitions. For example, you can configure only the <code class="filename">/boot</code> partition as a software RAID device, leaving the root partition (<code class="filename">/</code>), <code class="filename">/home</code>, and <code class="filename">swap</code> as regular file systems. <a class="xref" href="#fig-raid-manual-part-bootready-add">Figure 5.4, “RAID 1 Partitions Ready, Pre-Device and Mount Point Creation”</a> shows successfully allocated space for the RAID 1 configuration (for <code class="filename">/boot</code>), which is now ready for RAID device and mount point creation:
			</div><div class="figure" id="fig-raid-manual-part-bootready-add"><div class="figure-contents"><div class="mediaobject"><img src="images/raid-manual-part-bootready.png" alt="RAID 1 Partitions Ready, Pre-Device and Mount Point Creation" /><div class="longdesc"><div class="para">
							RAID 1 Partitions Ready, Pre-Device and Mount Point Creation
						</div></div></div></div><h6>Figure 5.4. RAID 1 Partitions Ready, Pre-Device and Mount Point Creation</h6></div><br class="figure-break" /></div><div class="section" id="s1-raid-diskdruid-manual-devmnt"><div class="titlepage"><div><div><h3 class="title" id="s1-raid-diskdruid-manual-devmnt">5.2.2. Creating the RAID Devices and Mount Points</h3></div></div></div><a id="id783547" class="indexterm"></a><a id="id783563" class="indexterm"></a><div class="para">
				Once you create all of your partitions as software RAID partitions, you must create the RAID device and mount point.
			</div><div class="procedure"><ol class="1"><li class="step"><div class="para">
						On the main partitioning screen, click the <span class="guibutton"><strong>RAID</strong></span> button. The <span class="guilabel"><strong>RAID Options</strong></span> dialog appears as shown in <a class="xref" href="#fig-raid-manual-part-opt2">Figure 5.5, “RAID Options”</a>.
					</div><div class="figure" id="fig-raid-manual-part-opt2"><div class="figure-contents"><div class="mediaobject"><img src="images/raid-manual-part-opt2.png" alt="RAID Options" /><div class="longdesc"><div class="para">
									RAID Select Option
								</div></div></div></div><h6>Figure 5.5. RAID Options</h6></div><br class="figure-break" /></li><li class="step"><div class="para">
						Select the <span class="guilabel"><strong>Create a RAID device</strong></span> option, and click <span class="guibutton"><strong>OK</strong></span>. As shown in <a class="xref" href="#fig-raid-manual-mntpt">Figure 5.6, “Making a RAID Device and Assigning a Mount Point”</a>, the <span class="guilabel"><strong>Make RAID Device</strong></span> dialog appears, allowing you to make a RAID device and assign a mount point.
					</div><div class="figure" id="fig-raid-manual-mntpt"><div class="figure-contents"><div class="mediaobject"><img src="images/raid-manual-mntpt.png" alt="Making a RAID Device and Assigning a Mount Point" /><div class="longdesc"><div class="para">
									Making a RAID Device and Assigning a Mount Point
								</div></div></div></div><h6>Figure 5.6. Making a RAID Device and Assigning a Mount Point</h6></div><br class="figure-break" /></li><li class="step"><div class="para">
						Select a mount point from the <span class="guilabel"><strong>Mount Point</strong></span> pulldown list.
					</div></li><li class="step"><div class="para">
						Choose the file system type for the partition from the <span class="guilabel"><strong>File System Type</strong></span> pulldown list. At this point you can either configure a dynamic LVM file system or a traditional static ext2/ext3 file system. For more information on LVM and its configuration during the installation process, refer to <a class="xref" href="#ch-lvm">Chapter 10, <em>LVM (Logical Volume Manager)</em></a>. If LVM is not required, continue on with the following instructions.
					</div></li><li class="step"><div class="para">
						From the <span class="guilabel"><strong>RAID Device</strong></span> pulldown list, select a device name such as <span class="guilabel"><strong>md0</strong></span>.
					</div></li><li class="step"><div class="para">
						From the <span class="guilabel"><strong>RAID Level</strong></span>, choose the required RAID level.
					</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
							If you are making a RAID partition of <code class="filename">/boot</code>, you must choose RAID level 1, and it must use one of the first two drives (IDE first, SCSI second). If you are not creating a separate RAID partition of <code class="filename">/boot</code>, and you are making a RAID partition for the root file system (that is, <code class="filename">/</code>), it must be RAID level 1 and must use one of the first two drives (IDE first, SCSI second).
						</div></div></div></li><li class="step"><div class="para">
						The RAID partitions created appear in the <span class="guilabel"><strong>RAID Members</strong></span> list. Select which of these partitions should be used to create the RAID device.
					</div></li><li class="step"><div class="para">
						If configuring RAID 1 or RAID 5, specify the number of spare partitions in the <span class="guilabel"><strong>Number of spares</strong></span> field. If a software RAID partition fails, the spare is automatically used as a replacement. For each spare you want to specify, you must create an additional software RAID partition (in addition to the partitions for the RAID device). Select the partitions for the RAID device and the partition(s) for the spare(s).
					</div></li><li class="step"><div class="para">
						Click <span class="guibutton"><strong>OK</strong></span> to confirm the setup. The RAID device appears in the <span class="guilabel"><strong>Drive Summary</strong></span> list.
					</div></li><li class="step"><div class="para">
						Repeat this chapter's entire process for configuring additional partitions, devices, and mount points, such as the root partition (<code class="filename">/</code>), home partition (<code class="filename">/home</code>), or <code class="filename">swap</code>.
					</div></li></ol></div><div class="para">
				After completing the entire configuration, the figure as shown in <a class="xref" href="#fig-raid-manual-final">Figure 5.7, “Sample RAID Configuration”</a> resembles the default configuration, except for the use of RAID.
			</div><div class="figure" id="fig-raid-manual-final"><div class="figure-contents"><div class="mediaobject"><img src="images/raid-manual-final.png" alt="Sample RAID Configuration" /><div class="longdesc"><div class="para">
							Sample RAID Configuration
						</div></div></div></div><h6>Figure 5.7. Sample RAID Configuration</h6></div><br class="figure-break" /><div class="para">
				The figure as shown in <a class="xref" href="#fig-raid-manual-lvm-final">Figure 5.8, “Sample RAID With LVM Configuration”</a> is an example of a RAID and LVM configuration.
			</div><div class="figure" id="fig-raid-manual-lvm-final"><div class="figure-contents"><div class="mediaobject"><img src="images/raid-manual-lvm-final.png" alt="Sample RAID With LVM Configuration" /><div class="longdesc"><div class="para">
							Sample RAID With LVM Configuration
						</div></div></div></div><h6>Figure 5.8. Sample RAID With LVM Configuration</h6></div><br class="figure-break" /><div class="para">
				You can proceed with your installation process by clicking <span class="guibutton"><strong>Next</strong></span>. Refer to the <em class="citetitle">Red Hat Enterprise Linux Installation Guide</em> for further instructions.
			</div></div></div><div class="section" id="s1-raid-manage"><div class="titlepage"><div><div><h2 class="title" id="s1-raid-manage">5.3. Managing Software RAID</h2></div></div></div><a id="id784840" class="indexterm"></a><div class="para">
			This section discusses software RAID configuration and management after the installation, and covers the following topics:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					Reviewing existing software RAID configuration.
				</div></li><li class="listitem"><div class="para">
					Creating a new RAID device.
				</div></li><li class="listitem"><div class="para">
					Replacing a faulty device in an array.
				</div></li><li class="listitem"><div class="para">
					Adding a new device to an existing array.
				</div></li><li class="listitem"><div class="para">
					Deactivating and removing an existing RAID device.
				</div></li><li class="listitem"><div class="para">
					Saving the configuration.
				</div></li></ul></div><div class="para">
			All examples in this section use the software RAID configuration from the previous section.
		</div><div class="section" id="s2-raid-manage-reviewing"><div class="titlepage"><div><div><h3 class="title" id="s2-raid-manage-reviewing">5.3.1. Reviewing RAID Configuration</h3></div></div></div><div class="para">
				When a software RAID is in use, basic information about all presently active RAID devices are stored in the <code class="filename">/proc/mdstat</code> special file. To list these devices, display the content of this file by typing the following at a shell prompt:
			</div><pre class="synopsis"><code class="command">cat</code> <code class="filename">/proc/mdstat</code></pre><div class="para">
				To determine whether a certain device is a RAID device or a component device, run the command in the following form as <code class="systemitem">root</code>:
			</div><pre class="synopsis"><code class="command">mdadm</code> <code class="option">--query</code> <em class="replaceable"><code>device</code></em>…</pre><div class="para">
				In order to examine a RAID device in more detail, use the following command:
			</div><pre class="synopsis"><code class="command">mdadm</code> <code class="option">--detail</code> <em class="replaceable"><code>raid_device</code></em>…</pre><div class="para">
				Similarly, to examine a component device, type:
			</div><pre class="synopsis"><code class="command">mdadm</code> <code class="option">--examine</code> <em class="replaceable"><code>component_device</code></em>…</pre><div class="para">
				While the <code class="command">mdadm --detail</code> command displays information about a RAID device, <code class="command">mdadm --examine</code> only relays information about a RAID device as it relates to a given component device. This distinction is particularly important when working with a RAID device that itself is a component of another RAID device.
			</div><div class="para">
				The <code class="command">mdadm --query</code> command, as well as both <code class="command">mdadm --detail</code> and <code class="command">mdadm --examine</code> commands allow you to specify multiple devices at once.
			</div><div class="example" id="exam-raid-manage-reviewing"><h6>Example 5.1. Reviewing RAID configuration</h6><div class="example-contents"><div class="para">
					Assume the system uses configuration from <a class="xref" href="#fig-raid-manual-final">Figure 5.7, “Sample RAID Configuration”</a>. You can verify that <code class="filename">/dev/md0</code> is a RAID device by typing the following at a shell prompt:
				</div><pre class="screen">~]# <code class="command">mdadm --query /dev/md0</code>
/dev/md0: 125.38MiB raid1 2 devices, 0 spares. Use mdadm --detail for more detail.
/dev/md0: No md super block found, not an md component.</pre><div class="para">
					As you can see, the above command produces only a brief overview of the RAID device and its configuration. To display more detailed information, use the following command instead:
				</div><pre class="screen">~]# <code class="command">mdadm --detail /dev/md0</code>
/dev/md0:
        Version : 0.90
  Creation Time : Tue Jun 28 16:05:49 2011
     Raid Level : raid1
     Array Size : 128384 (125.40 MiB 131.47 MB)
  Used Dev Size : 128384 (125.40 MiB 131.47 MB)
   Raid Devices : 2
  Total Devices : 2
Preferred Minor : 0
    Persistence : Superblock is persistent

Update Time : Thu Jun 30 17:06:34 2011
          State : clean
 Active Devices : 2
Working Devices : 2
 Failed Devices : 0
  Spare Devices : 0

UUID : 49c5ac74:c2b79501:5c28cb9c:16a6dd9f
         Events : 0.6

Number   Major   Minor   RaidDevice State
       0       3        1        0      active sync   /dev/hda1
       1       3       65        1      active sync   /dev/hdb1</pre><div class="para">
					Finally, to list all presently active RAID devices, type:
				</div><pre class="screen">~]$ <code class="command">cat /proc/mdstat</code>
Personalities : [raid0] [raid1]
md0 : active raid1 hdb1[1] hda1[0]
      128384 blocks [2/2] [UU]
      
md1 : active raid0 hdb2[1] hda2[0]
      1573888 blocks 256k chunks

md2 : active raid0 hdb3[1] hda3[0]
      19132928 blocks 256k chunks

unused devices: &lt;none&gt;</pre></div></div><br class="example-break" /></div><div class="section" id="s2-raid-manage-creating"><div class="titlepage"><div><div><h3 class="title" id="s2-raid-manage-creating">5.3.2. Creating a New RAID Device</h3></div></div></div><div class="para">
				To create a new RAID device, use the command in the following form as <code class="systemitem">root</code>:
			</div><pre class="synopsis"><code class="command">mdadm</code> <code class="option">--create</code> <em class="replaceable"><code>raid_device</code></em> <code class="option">--level</code>=<em class="replaceable"><code>level</code></em> <code class="option">--raid-devices</code>=<em class="replaceable"><code>number</code></em> <em class="replaceable"><code>component_device</code></em>…</pre><div class="para">
				This is the simplest way to create a RAID array. There are many more options that allow you to specify the number of spare devices, the block size of a stripe array, if the array has a write-intent bitmap, and much more. All these options can have a significant impact on the performance, but are beyond the scope of this document. For more detailed information, refer to the <em class="citetitle">CREATE MODE</em> section of the <code class="literal">mdadm</code>(8) manual page.
			</div><div class="example" id="exam-raid-manage-creating"><h6>Example 5.2. Creating a new RAID device</h6><div class="example-contents"><div class="para">
					Assume that the system has two unused SCSI disk drives available, and that each of these devices has exactly one partition of the same size:
				</div><pre class="screen">~]# <code class="command">ls /dev/sd*</code>
/dev/sda  /dev/sda1  /dev/sdb  /dev/sdb1</pre><div class="para">
					To create <code class="filename">/dev/md3</code> as a new RAID level 1 array from <code class="filename">/dev/sda1</code> and <code class="filename">/dev/sdb1</code>, run the following command:
				</div><pre class="screen">~]# <code class="command">mdadm --create /dev/md3 --level=1 --raid-devices=2 /dev/sda1 /dev/sdb1</code>
mdadm: array /dev/md3 started.</pre></div></div><br class="example-break" /></div><div class="section" id="s2-raid-manage-replacing"><div class="titlepage"><div><div><h3 class="title" id="s2-raid-manage-replacing">5.3.3. Replacing a Faulty Device</h3></div></div></div><div class="para">
				To replace a particular device in a software RAID, first make sure it is marked as faulty by running the following command as <code class="systemitem">root</code>:
			</div><pre class="synopsis"><code class="command">mdadm</code> <em class="replaceable"><code>raid_device</code></em> <code class="option">--fail</code> <em class="replaceable"><code>component_device</code></em></pre><div class="para">
				Then remove the faulty device from the array by using the command in the following form:
			</div><pre class="synopsis"><code class="command">mdadm</code> <em class="replaceable"><code>raid_device</code></em> <code class="option">--remove</code> <em class="replaceable"><code>component_device</code></em></pre><div class="para">
				Once the device is operational again, you can re-add it to the array:
			</div><pre class="synopsis"><code class="command">mdadm</code> <em class="replaceable"><code>raid_device</code></em> <code class="option">--add</code> <em class="replaceable"><code>component_device</code></em></pre><div class="example" id="exam-raid-manage-replace"><h6>Example 5.3. Replacing a faulty device</h6><div class="example-contents"><div class="para">
					Assume the system has an active RAID device, <code class="filename">/dev/md3</code>, with the following layout (that is, the RAID device created in <a class="xref" href="#exam-raid-manage-creating">Example 5.2, “Creating a new RAID device”</a>):
				</div><pre class="screen">~]# <code class="command">mdadm --detail /dev/md3 | tail -n 3</code>
    Number   Major   Minor   RaidDevice State
       0       8        1        0      active sync   /dev/sda1
       1       8       17        1      active sync   /dev/sdb1</pre><div class="para">
					Imagine the first disk drive fails and needs to be replaced. To do so, first mark the <code class="filename">/dev/sdb1</code> device as faulty:
				</div><pre class="screen">~]# <code class="command">mdadm /dev/md3 --fail /dev/sdb1</code>
mdadm: set /dev/sdb1 faulty in /dev/md3</pre><div class="para">
					Then remove it from the RAID device:
				</div><pre class="screen">~]# <code class="command">mdadm /dev/md3 --remove /dev/sdb1</code>
mdadm: hot removed /dev/sdb1</pre><div class="para">
					As soon as the hardware is replaced, you can add the device back to the array by using the following command:
				</div><pre class="screen">~]# <code class="command">mdadm /dev/md3 --add /dev/sdb1</code>
mdadm: added /dev/sdb1</pre></div></div><br class="example-break" /></div><div class="section" id="s2-raid-manage-extending"><div class="titlepage"><div><div><h3 class="title" id="s2-raid-manage-extending">5.3.4. Extending a RAID Device</h3></div></div></div><div class="para">
				To add a new device to an existing array, use the command in the following form as <code class="systemitem">root</code>:
			</div><pre class="synopsis"><code class="command">mdadm</code> <em class="replaceable"><code>raid_device</code></em> <code class="option">--add</code> <em class="replaceable"><code>component_device</code></em></pre><div class="para">
				This will add the device as a spare device. To grow the array to use this device actively, type the following at a shell prompt:
			</div><pre class="synopsis"><code class="command">mdadm</code> <code class="option">--grow</code> <em class="replaceable"><code>raid_device</code></em> <code class="option">--raid-devices</code>=<em class="replaceable"><code>number</code></em></pre><div class="example" id="exam-raid-manage-extending"><h6>Example 5.4. Extending a RAID device</h6><div class="example-contents"><div class="para">
					Assume the system has an active RAID device, <code class="filename">/dev/md3</code>, with the following layout (that is, the RAID device created in <a class="xref" href="#exam-raid-manage-creating">Example 5.2, “Creating a new RAID device”</a>):
				</div><pre class="screen">~]# <code class="command">mdadm --detail /dev/md3 | tail -n 3</code>
    Number   Major   Minor   RaidDevice State
       0       8        1        0      active sync   /dev/sda1
       1       8       17        1      active sync   /dev/sdb1</pre><div class="para">
					Also assume that a new SCSI disk drive, <code class="filename">/dev/sdc</code>, has been added and has exactly one partition. To add it to the <code class="filename">/dev/md3</code> array, type the following at a shell prompt:
				</div><pre class="screen">~]# <code class="command">mdadm /dev/md3 --add /dev/sdc1</code>
mdadm: added /dev/sdc1</pre><div class="para">
					This will add <code class="filename">/dev/sdc1</code> as a spare device. To change the size of the array to actually use it, type:
				</div><pre class="screen">~]# <code class="command">mdadm --grow /dev/md3 --raid-devices=3</code></pre></div></div><br class="example-break" /></div><div class="section" id="s2-raid-manage-removing"><div class="titlepage"><div><div><h3 class="title" id="s2-raid-manage-removing">5.3.5. Removing a RAID Device</h3></div></div></div><div class="para">
				To remove an existing RAID device, first deactivate it by running the following command as <code class="systemitem">root</code>:
			</div><pre class="synopsis"><code class="command">mdadm</code> <code class="option">--stop</code> <em class="replaceable"><code>raid_device</code></em></pre><div class="para">
				Once deactivated, remove the RAID device itself:
			</div><pre class="synopsis"><code class="command">mdadm</code> <code class="option">--remove</code> <em class="replaceable"><code>raid_device</code></em></pre><div class="para">
				Finally, zero superblocks on all devices that were associated with the particular array:
			</div><pre class="synopsis"><code class="command">mdadm</code> <code class="option">--zero-superblock</code> <em class="replaceable"><code>component_device</code></em>…</pre><div class="example" id="exam-raid-manage-removing"><h6>Example 5.5. Removing a RAID device</h6><div class="example-contents"><div class="para">
					Assume the system has an active RAID device, <code class="filename">/dev/md3</code>, with the following layout (that is, the RAID device created in <a class="xref" href="#exam-raid-manage-extending">Example 5.4, “Extending a RAID device”</a>):
				</div><pre class="screen">~]# <code class="command">mdadm --detail /dev/md3 | tail -n 4</code>
    Number   Major   Minor   RaidDevice State
       0       8        1        0      active sync   /dev/sda1
       1       8       17        1      active sync   /dev/sdb1
       2       8       33        2      active sync   /dev/sdc1</pre><div class="para">
					In order to remove this device, first stop it by typing the following at a shell prompt:
				</div><pre class="screen">~]# <code class="command">mdadm --stop /dev/md3</code>
mdadm: stopped /dev/md3</pre><div class="para">
					Once stopped, you can remove the <code class="filename">/dev/md3</code> device by running the following command:
				</div><pre class="screen">~]# <code class="command">mdadm --remove /dev/md3</code></pre><div class="para">
					Finally, to remove the superblocks from all associated devices, type:
				</div><pre class="screen">~]# <code class="command">mdadm --zero-superblock /dev/sda1 /dev/sdb1 /dev/sdc1</code></pre></div></div><br class="example-break" /></div><div class="section" id="s2-raid-manage-preserving"><div class="titlepage"><div><div><h3 class="title" id="s2-raid-manage-preserving">5.3.6. Preserving the Configuration</h3></div></div></div><div class="para">
				By default, changes made by the <code class="command">mdadm</code> command only apply to the current session, and will not survive a system restart. At boot time, the <code class="systemitem">mdmonitor</code> service reads the content of the <code class="filename">/etc/mdadm.conf</code> configuration file to see which RAID devices to start. If the software RAID was configured during the graphical installation process, this file contains directives listed in <a class="xref" href="#tabl-raid-manage-preserving-mdadm.conf">Table 5.1, “Common mdadm.conf directives”</a> by default.
			</div><div class="table" id="tabl-raid-manage-preserving-mdadm.conf"><h6>Table 5.1. Common mdadm.conf directives</h6><div class="table-contents"><table summary="Common mdadm.conf directives" border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
								Option
							</th><th>
								Description
							</th></tr></thead><tbody><tr><td>
								<code class="option">ARRAY</code>
							</td><td>
								<div class="para">
									Allows you to identify a particular array.
								</div>

</td></tr><tr><td>
								<code class="option">DEVICE</code>
							</td><td>
								<div class="para">
									Allows you to specify a list of devices to scan for a RAID component (for example, <span class="quote">“<span class="quote">/dev/hda1</span>”</span>). You can also use the keyword <code class="option">partitions</code> to use all partitions listed in <code class="filename">/proc/partitions</code>, or <code class="option">containers</code> to specify an array container.
								</div>

</td></tr><tr><td>
								<code class="option">MAILADDR</code>
							</td><td>
								Allows you to specify an email address to use in case of an alert.
							</td></tr></tbody></table></div></div><br class="table-break" /><div class="para">
				To list what <code class="option">ARRAY</code> lines are presently in use regardless of the configuration, run the following command as <code class="systemitem">root</code>:
			</div><pre class="synopsis"><code class="command">mdadm</code> <code class="option">--detail</code> <code class="option">--scan</code></pre><div class="para">
				Use the output of this command to determine which lines to add to the <code class="filename">/etc/mdadm.conf</code> file. You can also display the <code class="option">ARRAY</code> line for a particular device:
			</div><pre class="synopsis"><code class="command">mdadm</code> <code class="option">--detail</code> <code class="option">--brief</code> <em class="replaceable"><code>raid_device</code></em></pre><div class="para">
				By redirecting the output of this command, you can add such a line to the configuration file with a single command:
			</div><pre class="synopsis"><code class="command">mdadm</code> <code class="option">--detail</code> <code class="option">--brief</code> <em class="replaceable"><code>raid_device</code></em> &gt;&gt; <code class="filename">/etc/mdadm.conf</code></pre><div class="example" id="exam-raid-manage-preserving"><h6>Example 5.6. Preserving the configuration</h6><div class="example-contents"><div class="para">
					By default, the <code class="filename">/etc/mdadm.conf</code> contains the software RAID configuration created during the system installation:
				</div><pre class="screen"># mdadm.conf written out by anaconda
DEVICE partitions
MAILADDR root
ARRAY /dev/md0 level=raid1 num-devices=2 UUID=49c5ac74:c2b79501:5c28cb9c:16a6dd9f
ARRAY /dev/md1 level=raid0 num-devices=2 UUID=76914c11:5bfa2c00:dc6097d1:a1f4506d
ARRAY /dev/md2 level=raid0 num-devices=2 UUID=2b5d38d0:aea898bf:92be20e2:f9d893c5</pre><div class="para">
					Assuming you have created the <code class="filename">/dev/md3</code> device as shown in <a class="xref" href="#exam-raid-manage-creating">Example 5.2, “Creating a new RAID device”</a>, you can make it persistent by running the following command:
				</div><pre class="screen">~]# <code class="command">mdadm --detail --brief /dev/md3 &gt;&gt; /etc/mdadm.conf</code></pre></div></div><br class="example-break" /></div></div><div class="section" id="s1-raid-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-raid-resources">5.4. Additional Resources</h2></div></div></div><div class="para">
			For more information on RAID, refer to the following resources.
		</div><div class="section" id="s2-raid-resources-installed"><div class="titlepage"><div><div><h3 class="title" id="s2-raid-resources-installed">5.4.1. Installed Documentation</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="filename">mdadm</code> man page — A manual page for the <code class="command">mdadm</code> utility.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">mdadm.conf</code> man page — A manual page that provides a comprehensive list of available <code class="filename">/etc/mdadm.conf</code> configuration options.
					</div></li></ul></div></div></div><div class="footnotes"><br /><hr width="100" align="left" /><div class="footnote"><div class="para"><sup>[<a id="ftn.id918857" href="#id918857" class="para">1</a>] </sup>
								A hot-swap chassis allows you to remove a hard drive without having to power-down your system.
							</div></div><div class="footnote"><div class="para"><sup>[<a id="ftn.id782455" href="#id782455" class="para">2</a>] </sup>
								Parity information is calculated based on the contents of the rest of the member disks in the array. This information can then be used to reconstruct data when one disk in the array fails. The reconstructed data can then be used to satisfy I/O requests to the failed disk before it is replaced and to repopulate the failed disk after it has been replaced.
							</div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-swapspace" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 6. Swap Space</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-swap-what-is">6.1. What is Swap Space?</a></span></dt><dt><span class="section"><a href="#s1-swap-adding">6.2. Adding Swap Space</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-swap-extending-lvm2">6.2.1. Extending Swap on an LVM2 Logical Volume</a></span></dt><dt><span class="section"><a href="#s2-swap-creating-lvm2">6.2.2. Creating an LVM2 Logical Volume for Swap</a></span></dt><dt><span class="section"><a href="#s2-swap-creating-file">6.2.3. Creating a Swap File</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-swap-removing">6.3. Removing Swap Space</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-swap-reducing-lvm2">6.3.1. Reducing Swap on an LVM2 Logical Volume</a></span></dt><dt><span class="section"><a href="#s2-swap-removing-lvm2">6.3.2. Removing an LVM2 Logical Volume for Swap</a></span></dt><dt><span class="section"><a href="#s2-swap-removing-file">6.3.3. Removing a Swap File</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-swap-moving">6.4. Moving Swap Space</a></span></dt></dl></div><a id="id855572" class="indexterm"></a><div class="section" id="s1-swap-what-is"><div class="titlepage"><div><div><h2 class="title" id="s1-swap-what-is">6.1. What is Swap Space?</h2></div></div></div><a id="id1067290" class="indexterm"></a><div class="para">
			<em class="firstterm">Swap space</em> in Linux is used when the amount of physical memory (RAM) is full. If the system needs more memory resources and the RAM is full, inactive pages in memory are moved to the swap space. While swap space can help machines with a small amount of RAM, it should not be considered a replacement for more RAM. Swap space is located on hard drives, which have a slower access time than physical memory.
		</div><div class="para">
			Swap space can be a dedicated swap partition (recommended), a swap file, or a combination of swap partitions and swap files.
		</div><a id="id1046503" class="indexterm"></a><div class="para">
			In years past, the recommended amount of swap space increased linearly with the amount of RAM in the system. But because the amount of memory in modern systems has increased into the hundreds of gigabytes, it is now recognized that the amount of swap space that a system needs is a function of the memory workload running on that system. However, given that swap space is usually designated at install time, and that it can be difficult to determine beforehand the memory workload of a system, we recommend determining system swap using the following table.
		</div><div class="table" id="table-Recommended_System_Swap_Space"><h6>Table 6.1. Recommended System Swap Space</h6><div class="table-contents"><table summary="Recommended System Swap Space" border="1"><colgroup><col align="left" class="col1" width="50%" /><col align="left" class="col2" width="50%" /></colgroup><thead><tr><th align="left">
							Amount of RAM in the System
						</th><th align="left">
							Recommended Amount of Swap Space
						</th></tr></thead><tbody><tr><td align="left">
							4GB of RAM or less
						</td><td align="left">
							a minimum of 2GB of swap space
						</td></tr><tr><td align="left">
							4GB to 16GB of RAM
						</td><td align="left">
							a minimum of 4GB of swap space
						</td></tr><tr><td align="left">
							16GB to 64GB of RAM
						</td><td align="left">
							a minimum of 8GB of swap space
						</td></tr><tr><td align="left">
							64GB to 256GB of RAM
						</td><td align="left">
							a minimum of 16GB of swap space
						</td></tr><tr><td align="left">
							256GB to 512GB of RAM
						</td><td align="left">
							a minimum of 32GB of swap space
						</td></tr></tbody></table></div></div><br class="table-break" /><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
				File systems and LVM2 volumes assigned as swap space <span class="emphasis"><em>cannot</em></span> be in use when being modified. For example, no system processes can be assigned the swap space, as well as no amount of swap should be allocated and used by the kernel. Use the <code class="command">free</code> and <code class="command">cat /proc/swaps</code> commands to verify how much and where swap is in use.
			</div><div class="para">
				The best way to achieve swap space modifications is to boot your system in rescue mode, and then follow the instructions (for each scenario) in the remainder of this chapter. Refer to the Red Hat Enterprise Linux Installation Guide for instructions on booting into rescue mode. When prompted to mount the file system, select <span class="guibutton"><strong>Skip</strong></span>.
			</div></div></div></div><div class="section" id="s1-swap-adding"><div class="titlepage"><div><div><h2 class="title" id="s1-swap-adding">6.2. Adding Swap Space</h2></div></div></div><a id="id1040957" class="indexterm"></a><a id="id1040971" class="indexterm"></a><div class="para">
			Sometimes it is necessary to add more swap space after installation. For example, you may upgrade the amount of RAM in your system from 128 MB to 256 MB, but there is only 256 MB of swap space. It might be advantageous to increase the amount of swap space to 512 MB if you perform memory-intense operations or run applications that require a large amount of memory.
		</div><div class="para">
			You have three options: create a new swap partition, create a new swap file, or extend swap on an existing LVM2 logical volume. It is recommended that you extend an existing logical volume.
		</div><div class="section" id="s2-swap-extending-lvm2"><div class="titlepage"><div><div><h3 class="title" id="s2-swap-extending-lvm2">6.2.1. Extending Swap on an LVM2 Logical Volume</h3></div></div></div><a id="id1041006" class="indexterm"></a><div class="para">
				To extend an LVM2 swap logical volume (assuming <code class="filename">/dev/VolGroup00/LogVol01</code> is the volume you want to extend):
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Disable swapping for the associated logical volume:
					</div><pre class="screen"><code class="command">swapoff -v /dev/VolGroup00/LogVol01</code></pre></li><li class="listitem"><div class="para">
						Resize the LVM2 logical volume by 256 MB:
					</div><pre class="screen"><code class="command">lvm lvresize /dev/VolGroup00/LogVol01 -L +256M</code></pre></li><li class="listitem"><div class="para">
						Format the new swap space:
					</div><pre class="screen"><code class="command">mkswap /dev/VolGroup00/LogVol01</code></pre></li><li class="listitem"><div class="para">
						Enable the extended logical volume:
					</div><pre class="screen"><code class="command">swapon -va</code></pre></li><li class="listitem"><div class="para">
						Test that the logical volume has been extended properly:
					</div><pre class="screen"><code class="command">cat /proc/swaps</code>
<code class="command">free</code></pre></li></ol></div></div><div class="section" id="s2-swap-creating-lvm2"><div class="titlepage"><div><div><h3 class="title" id="s2-swap-creating-lvm2">6.2.2. Creating an LVM2 Logical Volume for Swap</h3></div></div></div><a id="id861737" class="indexterm"></a><div class="para">
				To add a swap volume group (assuming <code class="filename">/dev/VolGroup00/LogVol02</code> is the swap volume you want to add):
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Create the LVM2 logical volume of size 256 MB:
					</div><pre class="screen"><code class="command">lvm lvcreate VolGroup00 -n LogVol02 -L 256M</code></pre></li><li class="listitem"><div class="para">
						Format the new swap space:
					</div><pre class="screen"><code class="command">mkswap /dev/VolGroup00/LogVol02</code></pre></li><li class="listitem"><div class="para">
						Add the following entry to the <code class="filename">/etc/fstab</code> file:
					</div><pre class="screen">/dev/VolGroup00/LogVol02   swap     swap    defaults     0 0</pre></li><li class="listitem"><div class="para">
						Enable the extended logical volume:
					</div><pre class="screen"><code class="command">swapon -va</code></pre></li><li class="listitem"><div class="para">
						Test that the logical volume has been extended properly:
					</div><pre class="screen"><code class="command">cat /proc/swaps</code>
<code class="command">free</code></pre></li></ol></div></div><div class="section" id="s2-swap-creating-file"><div class="titlepage"><div><div><h3 class="title" id="s2-swap-creating-file">6.2.3. Creating a Swap File</h3></div></div></div><a id="id917148" class="indexterm"></a><div class="para">
				To add a swap file:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Determine the size of the new swap file in megabytes and multiply by 1024 to determine the number of blocks. For example, the block size of a 64 MB swap file is 65536.
					</div></li><li class="listitem"><div class="para">
						At a shell prompt as root, type the following command with <code class="command">count</code> being equal to the desired block size:
					</div><pre class="screen"><code class="command">dd if=/dev/zero of=/swapfile bs=1024 count=65536</code></pre></li><li class="listitem"><div class="para">
						Setup the swap file with the command:
					</div><pre class="screen"><code class="command">mkswap /swapfile</code></pre></li><li class="listitem"><div class="para">
						To enable the swap file immediately but not automatically at boot time:
					</div><pre class="screen"><code class="command">swapon /swapfile</code></pre></li><li class="listitem"><div class="para">
						To enable it at boot time, edit <code class="filename">/etc/fstab</code> to include the following entry:
					</div><pre class="screen">/swapfile          swap            swap    defaults        0 0</pre><div class="para">
						The next time the system boots, it enables the new swap file.
					</div></li><li class="listitem"><div class="para">
						After adding the new swap file and enabling it, verify it is enabled by viewing the output of the command <code class="command">cat /proc/swaps</code> or <code class="command">free</code>.
					</div></li></ol></div></div></div><div class="section" id="s1-swap-removing"><div class="titlepage"><div><div><h2 class="title" id="s1-swap-removing">6.3. Removing Swap Space</h2></div></div></div><a id="id917278" class="indexterm"></a><div class="para">
			Sometimes it can be prudent to reduce swap space after installation. For example, say you downgraded the amount of RAM in your system from 1 GB to 512 MB, but there is 2 GB of swap space still assigned. It might be advantageous to reduce the amount of swap space to 1 GB, since the larger 2 GB could be wasting disk space.
		</div><div class="para">
			You have three options: remove an entire LVM2 logical volume used for swap, remove a swap file, or reduce swap space on an existing LVM2 logical volume.
		</div><div class="section" id="s2-swap-reducing-lvm2"><div class="titlepage"><div><div><h3 class="title" id="s2-swap-reducing-lvm2">6.3.1. Reducing Swap on an LVM2 Logical Volume</h3></div></div></div><a id="id781880" class="indexterm"></a><div class="para">
				To reduce an LVM2 swap logical volume (assuming <code class="filename">/dev/VolGroup00/LogVol01</code> is the volume you want to reduce):
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Disable swapping for the associated logical volume:
					</div><pre class="screen"><code class="command">swapoff -v /dev/VolGroup00/LogVol01</code></pre></li><li class="listitem"><div class="para">
						Reduce the LVM2 logical volume by 512 MB:
					</div><pre class="screen"><code class="command">lvm lvreduce /dev/VolGroup00/LogVol01 -L -512M</code></pre></li><li class="listitem"><div class="para">
						Format the new swap space:
					</div><pre class="screen"><code class="command">mkswap /dev/VolGroup00/LogVol01</code></pre></li><li class="listitem"><div class="para">
						Enable the extended logical volume:
					</div><pre class="screen"><code class="command">swapon -va</code></pre></li><li class="listitem"><div class="para">
						Test that the logical volume has been reduced properly:
					</div><pre class="screen"><code class="command">cat /proc/swaps</code>
<code class="command">free</code></pre></li></ol></div></div><div class="section" id="s2-swap-removing-lvm2"><div class="titlepage"><div><div><h3 class="title" id="s2-swap-removing-lvm2">6.3.2. Removing an LVM2 Logical Volume for Swap</h3></div></div></div><a id="id781992" class="indexterm"></a><div class="para">
				The swap logical volume cannot be in use (no system locks or processes on the volume). The easiest way to achieve this is to boot your system in rescue mode. Refer to the <em class="citetitle">Red Hat Enterprise Linux Installation Guide</em> for instructions on booting into rescue mode. When prompted to mount the file system, select <span class="guibutton"><strong>Skip</strong></span>.
			</div><div class="para">
				To remove a swap volume group (assuming <code class="filename">/dev/VolGroup00/LogVol02</code> is the swap volume you want to remove):
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Disable swapping for the associated logical volume:
					</div><pre class="screen"><code class="command">swapoff -v /dev/VolGroup00/LogVol02</code></pre></li><li class="listitem"><div class="para">
						Remove the LVM2 logical volume of size 512 MB:
					</div><pre class="screen"><code class="command">lvm lvremove /dev/VolGroup00/LogVol02</code></pre></li><li class="listitem"><div class="para">
						Remove the following entry from the <code class="filename">/etc/fstab</code> file:
					</div><pre class="screen">/dev/VolGroup00/LogVol02   swap     swap    defaults     0 0</pre></li><li class="listitem"><div class="para">
						Test that the logical volume has been removed:
					</div><pre class="screen"><code class="command">cat /proc/swaps</code>
<code class="command">free</code></pre></li></ol></div></div><div class="section" id="s2-swap-removing-file"><div class="titlepage"><div><div><h3 class="title" id="s2-swap-removing-file">6.3.3. Removing a Swap File</h3></div></div></div><a id="id782109" class="indexterm"></a><div class="para">
				To remove a swap file:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						At a shell prompt as root, execute the following command to disable the swap file (where <code class="filename">/swapfile</code> is the swap file):
					</div><pre class="screen"><code class="command">swapoff -v /swapfile</code></pre></li><li class="listitem"><div class="para">
						Remove its entry from the <code class="filename">/etc/fstab</code> file.
					</div></li><li class="listitem"><div class="para">
						Remove the actual file:
					</div><pre class="screen"><code class="command">rm /swapfile</code></pre></li></ol></div></div></div><div class="section" id="s1-swap-moving"><div class="titlepage"><div><div><h2 class="title" id="s1-swap-moving">6.4. Moving Swap Space</h2></div></div></div><a id="id838987" class="indexterm"></a><div class="para">
			To move swap space from one location to another, follow the steps for removing swap space, and then follow the steps for adding swap space.
		</div></div></div><div xml:lang="en-US" class="chapter" id="ch-disk-storage" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 7. Managing Disk Storage</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-disk-storage-parted">7.1. Standard Partitions using <code class="command">parted</code></a></span></dt><dd><dl><dt><span class="section"><a href="#s2-disk-storage-parted-view-part-table">7.1.1. Viewing the Partition Table</a></span></dt><dt><span class="section"><a href="#s2-disk-storage-parted-create-part">7.1.2. Creating a Partition</a></span></dt><dt><span class="section"><a href="#s2-disk-storage-parted-remove-part">7.1.3. Removing a Partition</a></span></dt><dt><span class="section"><a href="#s2-disk-storage-parted-resize-part">7.1.4. Resizing a Partition</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-disk-storage-lvm">7.2. LVM Partition Management</a></span></dt></dl></div><div class="section" id="s1-disk-storage-parted"><div class="titlepage"><div><div><h2 class="title" id="s1-disk-storage-parted">7.1. Standard Partitions using <code class="command">parted</code></h2></div></div></div><a id="id791065" class="indexterm"></a><a id="id1076085" class="indexterm"></a><div class="para">
			The utility <code class="command">parted</code> allows users to: 
			<div class="itemizedlist"><ul><li class="listitem"><div class="para">
						View the existing partition table
					</div></li><li class="listitem"><div class="para">
						Change the size of existing partitions
					</div></li><li class="listitem"><div class="para">
						Add partitions from free space or additional hard drives
					</div></li></ul></div>

</div><div class="para">
			If you want to view the system's disk space usage or monitor the disk space usage, refer to <a class="xref" href="#s1-sysinfo-filesystems">Section 40.3, “File Systems”</a>.
		</div><a id="id916316" class="indexterm"></a><div class="para">
			By default, the <code class="filename">parted</code> package is included when installing Red Hat Enterprise Linux. To start <code class="command">parted</code>, log in as root and type the command <code class="command">parted <em class="replaceable"><code>/dev/sda</code></em></code> at a shell prompt (where <code class="command"><em class="replaceable"><code>/dev/sda</code></em></code> is the device name for the drive you want to configure).
		</div><div class="para">
			If you want to remove or resize a partition, the device on which that partition resides must not be in use. Creating a new partition on a device which is in use—while possible—is not recommended.
		</div><div class="para">
			For a device to not be in use, none of the partitions on the device can be mounted, and any swap space on the device must not be enabled.
		</div><div class="para">
			As well, the partition table should not be modified while it is in use because the kernel may not properly recognize the changes. If the partition table does not match the actual state of the mounted partitions, information could be written to the wrong partition, resulting in lost and overwritten data.
		</div><div class="para">
			The easiest way to achieve this is to boot your system in rescue mode. When prompted to mount the file system, select <span class="guibutton"><strong>Skip</strong></span>.
		</div><div class="para">
			Alternately, if the drive does not contain any partitions in use (system processes that use or lock the file system from being unmounted), you can unmount them with the <code class="command">umount</code> command and turn off all the swap space on the hard drive with the <code class="command">swapoff</code> command.
		</div><div class="para">
			<a class="xref" href="#table-parted-commands">Table 7.1, “<code class="command">parted </code> commands”</a> contains a list of commonly used <code class="command">parted</code> commands. The sections that follow explain some of these commands and arguments in more detail.
		</div><a id="id788104" class="indexterm"></a><div class="table" id="table-parted-commands"><h6>Table 7.1. <code class="command">parted </code> commands</h6><div class="table-contents"><table summary="parted  commands" border="1"><colgroup><col class="command" width="50%" /><col class="description" width="50%" /></colgroup><thead><tr><th>
							Command
						</th><th>
							Description
						</th></tr></thead><tbody><tr><td>
							<code class="command">check <em class="replaceable"><code>minor-num</code></em></code>
						</td><td>
							Perform a simple check of the file system
						</td></tr><tr><td>
							<code class="command">cp <em class="replaceable"><code>from</code></em> <em class="replaceable"><code>to</code></em></code>
						</td><td>
							Copy file system from one partition to another; <em class="replaceable"><code>from</code></em> and <em class="replaceable"><code>to</code></em> are the minor numbers of the partitions
						</td></tr><tr><td>
							<code class="command">help</code>
						</td><td>
							Display list of available commands
						</td></tr><tr><td>
							<code class="command">mklabel <em class="replaceable"><code>label</code></em></code>
						</td><td>
							Create a disk label for the partition table
						</td></tr><tr><td>
							<code class="command">mkfs <em class="replaceable"><code>minor-num</code></em> <em class="replaceable"><code>file-system-type</code></em></code>
						</td><td>
							Create a file system of type <em class="replaceable"><code>file-system-type</code></em>
						</td></tr><tr><td>
							<code class="command">mkpart <em class="replaceable"><code>part-type</code></em> <em class="replaceable"><code>fs-type</code></em> <em class="replaceable"><code>start-mb</code></em> <em class="replaceable"><code>end-mb</code></em></code>
						</td><td>
							Make a partition without creating a new file system
						</td></tr><tr><td>
							<code class="command">mkpartfs <em class="replaceable"><code>part-type</code></em> <em class="replaceable"><code>fs-type</code></em> <em class="replaceable"><code>start-mb</code></em> <em class="replaceable"><code>end-mb</code></em></code>
						</td><td>
							Make a partition and create the specified file system
						</td></tr><tr><td>
							<code class="command">move <em class="replaceable"><code>minor-num</code></em> <em class="replaceable"><code>start-mb</code></em> <em class="replaceable"><code>end-mb</code></em></code>
						</td><td>
							Move the partition
						</td></tr><tr><td>
							<code class="command">name <em class="replaceable"><code>minor-num</code></em> <em class="replaceable"><code>name</code></em></code>
						</td><td>
							Name the partition for Mac and PC98 disklabels only
						</td></tr><tr><td>
							<code class="command">print</code>
						</td><td>
							Display the partition table
						</td></tr><tr><td>
							<code class="command">quit</code>
						</td><td>
							Quit <code class="command">parted</code>
						</td></tr><tr><td>
							<code class="command">rescue</code> <em class="replaceable"><code>start-mb</code></em> <em class="replaceable"><code>end-mb</code></em>
						</td><td>
							Rescue a lost partition from <em class="replaceable"><code>start-mb</code></em> to <em class="replaceable"><code>end-mb</code></em>
						</td></tr><tr><td>
							<code class="command">resize <em class="replaceable"><code>minor-num</code></em> <em class="replaceable"><code>start-mb</code></em> <em class="replaceable"><code>end-mb</code></em></code>
						</td><td>
							Resize the partition from <em class="replaceable"><code>start-mb</code></em> to <em class="replaceable"><code>end-mb</code></em>
						</td></tr><tr><td>
							<code class="command">rm <em class="replaceable"><code>minor-num</code></em></code>
						</td><td>
							Remove the partition
						</td></tr><tr><td>
							<code class="command">select <em class="replaceable"><code>device</code></em></code>
						</td><td>
							Select a different device to configure
						</td></tr><tr><td>
							<code class="command">set <em class="replaceable"><code>minor-num</code></em> <em class="replaceable"><code>flag</code></em> <em class="replaceable"><code>state</code></em></code>
						</td><td>
							Set the flag on a partition; <em class="replaceable"><code>state</code></em> is either on or off
						</td></tr><tr><td>
							<code class="command">toggle [<em class="replaceable"><code>NUMBER</code></em> [<em class="replaceable"><code>FLAG</code></em>]</code>
						</td><td>
							Toggle the state of <em class="replaceable"><code>FLAG</code></em> on partition <em class="replaceable"><code>NUMBER</code></em>
						</td></tr><tr><td>
							<code class="command">unit <em class="replaceable"><code>UNIT</code></em></code>
						</td><td>
							Set the default unit to <em class="replaceable"><code>UNIT</code></em>
						</td></tr></tbody></table></div></div><br class="table-break" /><div class="section" id="s2-disk-storage-parted-view-part-table"><div class="titlepage"><div><div><h3 class="title" id="s2-disk-storage-parted-view-part-table">7.1.1. Viewing the Partition Table</h3></div></div></div><a id="id839103" class="indexterm"></a><a id="id839120" class="indexterm"></a><a id="id839133" class="indexterm"></a><div class="para">
				After starting <code class="command">parted</code>, use the command <code class="command">print</code> to view the partition table. A table similar to the following appears:
			</div><pre class="screen">Model: ATA ST3160812AS (scsi)
Disk /dev/sda: 160GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number  Start   End    Size    Type      File system  Flags
 1      32.3kB  107MB  107MB   primary   ext3         boot
 2      107MB   105GB  105GB   primary   ext3
 3      105GB   107GB  2147MB  primary   linux-swap
 4      107GB   160GB  52.9GB  extended		      root
 5      107GB   133GB  26.2GB  logical   ext3
 6      133GB   133GB  107MB   logical   ext3
 7      133GB   160GB  26.6GB  logical                lvm</pre><div class="para">
				The first line contains the disk type, manufacturer, model number and interface, and the second line displays the disk label type. The remaining output below the fourth line shows the partition table.
			</div><div class="para">
				In the partition table, the <em class="firstterm">Minor</em> number is the partition <code class="computeroutput">number</code>. For example, the partition with minor number 1 corresponds to <code class="filename">/dev/sda1</code>. The <code class="computeroutput">Start</code> and <code class="computeroutput">End</code> values are in megabytes. Valid <code class="computeroutput">Type</code> are metadata, free, primary, extended, or logical. The <code class="computeroutput">Filesystem</code> is the file system type, which can be any of the following:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						ext2
					</div></li><li class="listitem"><div class="para">
						ext3
					</div></li><li class="listitem"><div class="para">
						fat16
					</div></li><li class="listitem"><div class="para">
						fat32
					</div></li><li class="listitem"><div class="para">
						hfs
					</div></li><li class="listitem"><div class="para">
						jfs
					</div></li><li class="listitem"><div class="para">
						linux-swap
					</div></li><li class="listitem"><div class="para">
						ntfs
					</div></li><li class="listitem"><div class="para">
						reiserfs
					</div></li><li class="listitem"><div class="para">
						hp-ufs
					</div></li><li class="listitem"><div class="para">
						sun-ufs
					</div></li><li class="listitem"><div class="para">
						xfs
					</div></li></ul></div><div class="para">
				If a <code class="computeroutput">Filesystem</code> of a device shows no value, this means that its file system type is unknown.
			</div><div class="para">
				The <span class="guilabel"><strong>Flags</strong></span> column lists the flags set for the partition. Available flags are boot, root, swap, hidden, raid, lvm, or lba.
			</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><a id="id839346" class="indexterm"></a><div class="para">
					To select a different device without having to restart <code class="command">parted</code>, use the <code class="command">select</code> command followed by the device name (for example, <code class="filename">/dev/sda</code>). Doing so allows you to view or configure the partition table of a device.
				</div></div></div></div><div class="section" id="s2-disk-storage-parted-create-part"><div class="titlepage"><div><div><h3 class="title" id="s2-disk-storage-parted-create-part">7.1.2. Creating a Partition</h3></div></div></div><a id="id839389" class="indexterm"></a><a id="id839406" class="indexterm"></a><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
					Do not attempt to create a partition on a device that is in use.
				</div></div></div><div class="para">
				Before creating a partition, boot into rescue mode (or unmount any partitions on the device and turn off any swap space on the device).
			</div><div class="para">
				Start <code class="command">parted</code>, where /dev/<em class="replaceable"><code>sda</code></em> is the device on which to create the partition:
			</div><pre class="screen"><code class="command">parted /dev/<em class="replaceable"><code>sda</code></em></code></pre><div class="para">
				View the current partition table to determine if there is enough free space:
			</div><pre class="screen"><code class="command">print</code></pre><div class="para">
				If there is not enough free space, you can resize an existing partition. Refer to <a class="xref" href="#s2-disk-storage-parted-resize-part">Section 7.1.4, “Resizing a Partition”</a> for details.
			</div><div class="section" id="s3-disk-storage-parted-create-part-mkpart"><div class="titlepage"><div><div><h4 class="title" id="s3-disk-storage-parted-create-part-mkpart">7.1.2.1. Making the Partition</h4></div></div></div><a id="id839480" class="indexterm"></a><a id="id839501" class="indexterm"></a><div class="para">
					From the partition table, determine the start and end points of the new partition and what partition type it should be. You can only have four primary partitions (with no extended partition) on a device. If you need more than four partitions, you can have three primary partitions, one extended partition, and multiple logical partitions within the extended. For an overview of disk partitions, refer to the appendix <em class="citetitle">An Introduction to Disk Partitions</em> in the <em class="citetitle">Red Hat Enterprise Linux Installation Guide</em>.
				</div><div class="para">
					For example, to create a primary partition with an ext3 file system from 1024 megabytes until 2048 megabytes on a hard drive type the following command:
				</div><pre class="screen"><code class="command">mkpart primary ext3 1024 2048</code></pre><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
						If you use the <code class="command">mkpartfs</code> command instead, the file system is created after the partition is created. However, <code class="command">parted</code> does not support creating an ext3 file system. Thus, if you wish to create an ext3 file system, use <code class="command">mkpart</code> and create the file system with the <code class="command">mkfs</code> command as described later. 
					</div></div></div><div class="para">
					The changes start taking place as soon as you press <span class="keycap"><strong>Enter</strong></span>, so review the command before executing to it.
				</div><div class="para">
					After creating the partition, use the <code class="command">print</code> command to confirm that it is in the partition table with the correct partition type, file system type, and size. Also remember the minor number of the new partition so that you can label it. You should also view the output of
				</div><pre class="screen"><code class="command">cat /proc/partitions</code></pre><div class="para">
					to make sure the kernel recognizes the new partition.
				</div></div><div class="section" id="s3-disk-storage-parted-create-part-mkfs"><div class="titlepage"><div><div><h4 class="title" id="s3-disk-storage-parted-create-part-mkfs">7.1.2.2. Formatting the Partition</h4></div></div></div><a id="id778461" class="indexterm"></a><a id="id778482" class="indexterm"></a><div class="para">
					The partition still does not have a file system. Create the file system:
				</div><pre class="screen"><code class="command">mkfs -t ext3 /dev/<em class="replaceable"><code>sda6</code></em></code></pre><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
						Formatting the partition permanently destroys any data that currently exists on the partition.
					</div></div></div></div><div class="section" id="s3-disk-storage-parted-create-part-e2label"><div class="titlepage"><div><div><h4 class="title" id="s3-disk-storage-parted-create-part-e2label">7.1.2.3. Labeling the Partition</h4></div></div></div><a id="id778528" class="indexterm"></a><a id="id778548" class="indexterm"></a><div class="para">
					Next, give the partition a label. For example, if the new partition is <code class="filename">/dev/sda6</code> and you want to label it <code class="computeroutput">/work</code>:
				</div><pre class="screen"><code class="command">e2label /dev/sda6 /work</code></pre><div class="para">
					By default, the installation program uses the mount point of the partition as the label to make sure the label is unique. You can use any label you want.
				</div></div><div class="section" id="s2-disk-storage-parted-create-part-mp"><div class="titlepage"><div><div><h4 class="title" id="s2-disk-storage-parted-create-part-mp">7.1.2.4. Creating the Mount Point</h4></div></div></div><div class="para">
					As root, create the mount point:
				</div><pre class="screen"><code class="command">mkdir /work</code></pre></div><div class="section" id="s3-disk-storage-parted-create-part-fstab"><div class="titlepage"><div><div><h4 class="title" id="s3-disk-storage-parted-create-part-fstab">7.1.2.5. Add to <code class="filename">/etc/fstab</code></h4></div></div></div><div class="para">
					As root, edit the <code class="filename">/etc/fstab</code> file to include the new partition. The new line should look similar to the following:
				</div><pre class="screen">LABEL=/work           /work                 ext3    defaults        1 2</pre><div class="para">
					The first column should contain <code class="computeroutput">LABEL=</code> followed by the label you gave the partition. The second column should contain the mount point for the new partition, and the next column should be the file system type (for example, ext3 or swap). If you need more information about the format, read the man page with the command <code class="command">man fstab</code>.
				</div><div class="para">
					If the fourth column is the word <code class="computeroutput">defaults</code>, the partition is mounted at boot time. To mount the partition without rebooting, as root, type the command:
				</div><pre class="screen"><code class="command">mount /work</code></pre></div></div><div class="section" id="s2-disk-storage-parted-remove-part"><div class="titlepage"><div><div><h3 class="title" id="s2-disk-storage-parted-remove-part">7.1.3. Removing a Partition</h3></div></div></div><a id="id778663" class="indexterm"></a><a id="id778679" class="indexterm"></a><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
					Do not attempt to remove a partition on a device that is in use.
				</div></div></div><div class="para">
				Before removing a partition, boot into rescue mode (or unmount any partitions on the device and turn off any swap space on the device).
			</div><div class="para">
				Start <code class="command">parted</code>, where /dev/<em class="replaceable"><code>sda</code></em> is the device on which to remove the partition:
			</div><pre class="screen"><code class="command">parted /dev/<em class="replaceable"><code>sda</code></em></code></pre><div class="para">
				View the current partition table to determine the minor number of the partition to remove:
			</div><pre class="screen"><code class="command">print</code></pre><div class="para">
				Remove the partition with the command <code class="command">rm</code>. For example, to remove the partition with minor number 3:
			</div><pre class="screen"><code class="command">rm 3</code></pre><div class="para">
				The changes start taking place as soon as you press <span class="keycap"><strong>Enter</strong></span>, so review the command before committing to it.
			</div><div class="para">
				After removing the partition, use the <code class="command">print</code> command to confirm that it is removed from the partition table. You should also view the output of
			</div><pre class="screen"><code class="command">cat /proc/partitions</code></pre><div class="para">
				to make sure the kernel knows the partition is removed.
			</div><div class="para">
				The last step is to remove it from the <code class="filename">/etc/fstab</code> file. Find the line that declares the removed partition, and remove it from the file.
			</div></div><div class="section" id="s2-disk-storage-parted-resize-part"><div class="titlepage"><div><div><h3 class="title" id="s2-disk-storage-parted-resize-part">7.1.4. Resizing a Partition</h3></div></div></div><a id="id778794" class="indexterm"></a><a id="id778810" class="indexterm"></a><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
					Do not attempt to resize a partition on a device that is in use.
				</div></div></div><div class="para">
				Before resizing a partition, boot into rescue mode (or unmount any partitions on the device and turn off any swap space on the device).
			</div><div class="para">
				Start <code class="command">parted</code>, where /dev/<em class="replaceable"><code>sda</code></em> is the device on which to resize the partition:
			</div><pre class="screen"><code class="command">parted /dev/<em class="replaceable"><code>sda</code></em></code></pre><div class="para">
				View the current partition table to determine the minor number of the partition to resize as well as the start and end points for the partition:
			</div><pre class="screen"><code class="command">print</code></pre><div class="para">
				To resize the partition, use the <code class="command">resize</code> command followed by the minor number for the partition, the starting place in megabytes, and the end place in megabytes. For example:
			</div><pre class="screen"><code class="command">resize 3 1024 2048</code></pre><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
					A partition cannot be made larger than the space available on the device
				</div></div></div><div class="para">
				After resizing the partition, use the <code class="command">print</code> command to confirm that the partition has been resized correctly, is the correct partition type, and is the correct file system type.
			</div><div class="para">
				After rebooting the system into normal mode, use the command <code class="command">df</code> to make sure the partition was mounted and is recognized with the new size.
			</div></div></div><div class="section" id="s1-disk-storage-lvm"><div class="titlepage"><div><div><h2 class="title" id="s1-disk-storage-lvm">7.2. LVM Partition Management</h2></div></div></div><a id="id778928" class="indexterm"></a><div class="para">
			The following commands can be found by issuing <code class="command">lvm help</code> at a command prompt.
		</div><div class="table" id="table-lvm-commands"><h6>Table 7.2. <code class="command">LVM</code> commands</h6><div class="table-contents"><table summary="LVM commands" border="1"><colgroup><col class="command" width="50%" /><col class="description" width="50%" /></colgroup><thead><tr><th>
							Command
						</th><th>
							Description
						</th></tr></thead><tbody><tr><td>
							<code class="command">dumpconfig</code>
						</td><td>
							Dump the active configuration
						</td></tr><tr><td>
							<code class="command">formats</code>
						</td><td>
							List the available metadata formats
						</td></tr><tr><td>
							<code class="command">help</code>
						</td><td>
							Display the help commands
						</td></tr><tr><td>
							<code class="command">lvchange</code>
						</td><td>
							Change the attributes of logical volume(s)
						</td></tr><tr><td>
							<code class="command">lvcreate</code>
						</td><td>
							Create a logical volume
						</td></tr><tr><td>
							<code class="command">lvdisplay</code>
						</td><td>
							Display information about a logical volume
						</td></tr><tr><td>
							<code class="command">lvextend</code>
						</td><td>
							Add space to a logical volume
						</td></tr><tr><td>
							<code class="command">lvmchange</code>
						</td><td>
							<span class="emphasis"><em>Due to use of the device mapper, this command has been deprecated</em></span>
						</td></tr><tr><td>
							<code class="command">lvmdiskscan</code>
						</td><td>
							List devices that may be used as physical volumes
						</td></tr><tr><td>
							<code class="command">lvmsadc</code>
						</td><td>
							Collect activity data
						</td></tr><tr><td>
							<code class="command">lvmsar</code>
						</td><td>
							Create activity report
						</td></tr><tr><td>
							<code class="command">lvreduce</code>
						</td><td>
							Reduce the size of a logical volume
						</td></tr><tr><td>
							<code class="command">lvremove</code>
						</td><td>
							Remove logical volume(s) from the system
						</td></tr><tr><td>
							<code class="command">lvrename</code>
						</td><td>
							Rename a logical volume
						</td></tr><tr><td>
							<code class="command">lvresize</code>
						</td><td>
							Resize a logical volume
						</td></tr><tr><td>
							<code class="command">lvs</code>
						</td><td>
							Display information about logical volumes
						</td></tr><tr><td>
							<code class="command">lvscan</code>
						</td><td>
							List all logical volumes in all volume groups
						</td></tr><tr><td>
							<code class="command">pvchange</code>
						</td><td>
							Change attributes of physical volume(s)
						</td></tr><tr><td>
							<code class="command">pvcreate</code>
						</td><td>
							Initialize physical volume(s) for use by LVM
						</td></tr><tr><td>
							<code class="command">pvdata</code>
						</td><td>
							Display the on-disk metadata for physical volume(s)
						</td></tr><tr><td>
							<code class="command">pvdisplay</code>
						</td><td>
							Display various attributes of physical volume(s)
						</td></tr><tr><td>
							<code class="command">pvmove</code>
						</td><td>
							Move extents from one physical volume to another
						</td></tr><tr><td>
							<code class="command">pvremove</code>
						</td><td>
							Remove LVM label(s) from physical volume(s)
						</td></tr><tr><td>
							<code class="command">pvresize</code>
						</td><td>
							Resize a physical volume in use by a volume group
						</td></tr><tr><td>
							<code class="command">pvs</code>
						</td><td>
							Display information about physical volumes
						</td></tr><tr><td>
							<code class="command">pvscan</code>
						</td><td>
							List all physical volumes
						</td></tr><tr><td>
							<code class="command">segtypes</code>
						</td><td>
							List available segment types
						</td></tr><tr><td>
							<code class="command">vgcfgbackup</code>
						</td><td>
							Backup volume group configuration
						</td></tr><tr><td>
							<code class="command">vgcfgrestore</code>
						</td><td>
							Restore volume group configuration
						</td></tr><tr><td>
							<code class="command">vgchange</code>
						</td><td>
							Change volume group attributes
						</td></tr><tr><td>
							<code class="command">vgck</code>
						</td><td>
							Check the consistency of a volume group
						</td></tr><tr><td>
							<code class="command">vgconvert</code>
						</td><td>
							Change volume group metadata format
						</td></tr><tr><td>
							<code class="command">vgcreate</code>
						</td><td>
							Create a volume group
						</td></tr><tr><td>
							<code class="command">vgdisplay</code>
						</td><td>
							Display volume group information
						</td></tr><tr><td>
							<code class="command">vgexport</code>
						</td><td>
							Unregister a volume group from the system
						</td></tr><tr><td>
							<code class="command">vgextend</code>
						</td><td>
							Add physical volumes to a volume group
						</td></tr><tr><td>
							<code class="command">vgimport</code>
						</td><td>
							Register exported volume group with system
						</td></tr><tr><td>
							<code class="command">vgmerge</code>
						</td><td>
							Merge volume groups
						</td></tr><tr><td>
							<code class="command">vgmknodes</code>
						</td><td>
							Create the special files for volume group devices in /dev/
						</td></tr><tr><td>
							<code class="command">vgreduce</code>
						</td><td>
							Remove a physical volume from a volume group
						</td></tr><tr><td>
							<code class="command">vgremove</code>
						</td><td>
							Remove a volume group
						</td></tr><tr><td>
							<code class="command">vgrename</code>
						</td><td>
							Rename a volume group
						</td></tr><tr><td>
							<code class="command">vgs</code>
						</td><td>
							Display information about volume groups
						</td></tr><tr><td>
							<code class="command">vgscan</code>
						</td><td>
							Search for all volume groups
						</td></tr><tr><td>
							<code class="command">vgsplit</code>
						</td><td>
							Move physical volumes into a new volume group
						</td></tr><tr><td>
							<code class="command">version</code>
						</td><td>
							Display software and driver version information
						</td></tr></tbody></table></div></div><br class="table-break" /></div></div><div xml:lang="en-US" class="chapter" id="ch-disk-quotas" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 8. Implementing Disk Quotas</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-disk-quotas-configuring">8.1. Configuring Disk Quotas</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-disk-quotas-enabling">8.1.1. Enabling Quotas</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-remounting">8.1.2. Remounting the File Systems</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-create-files">8.1.3. Creating the Quota Database Files</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-assigning-user">8.1.4. Assigning Quotas per User</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-assigning-group">8.1.5. Assigning Quotas per Group</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-assigning-file-system">8.1.6. Setting the Grace Period for Soft Limits</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-disk-quotas-managing">8.2. Managing Disk Quotas</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-disk-quota-enabling">8.2.1. Enabling and Disabling</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-managing-rpt">8.2.2. Reporting on Disk Quotas</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-managing-accurate">8.2.3. Keeping Quotas Accurate</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-disk-quotas-additional-resources">8.3. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-disk-quotas-install-docs">8.3.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-disk-quotas-related-book">8.3.2. Related Books</a></span></dt></dl></dd></dl></div><a id="id788565" class="indexterm"></a><a id="id783754" class="indexterm"></a><div class="para">
		Disk space can be restricted by implementing disk quotas which alert a system administrator before a user consumes too much disk space or a partition becomes full.
	</div><div class="para">
		Disk quotas can be configured for individual users as well as user groups. This makes it possible to manage the space allocated for user-specific files (such as email) separately from the space allocated to the projects a user works on (assuming the projects are given their own groups).
	</div><div class="para">
		In addition, quotas can be set not just to control the number of disk blocks consumed but to control the number of inodes (data structures that contain information about files in UNIX file systems). Because inodes are used to contain file-related information, this allows control over the number of files that can be created.
	</div><div class="para">
		The <code class="command">quota</code> RPM must be installed to implement disk quotas. <div class="note" xml:lang="en-US" lang="en-US"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
		For more information on installing RPM packages, refer to <a class="xref" href="#pt-pkg-management">Part II, “Package Management”</a>.
	</div></div></div>

</div><div class="section" id="s1-disk-quotas-configuring"><div class="titlepage"><div><div><h2 class="title" id="s1-disk-quotas-configuring">8.1. Configuring Disk Quotas</h2></div></div></div><a id="id872176" class="indexterm"></a><div class="para">
			To implement disk quotas, use the following steps:
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					Enable quotas per file system by modifying the <code class="filename">/etc/fstab</code> file.
				</div></li><li class="listitem"><div class="para">
					Remount the file system(s).
				</div></li><li class="listitem"><div class="para">
					Create the quota database files and generate the disk usage table.
				</div></li><li class="listitem"><div class="para">
					Assign quota policies.
				</div></li></ol></div><div class="para">
			Each of these steps is discussed in detail in the following sections.
		</div><div class="section" id="s2-disk-quotas-enabling"><div class="titlepage"><div><div><h3 class="title" id="s2-disk-quotas-enabling">8.1.1. Enabling Quotas</h3></div></div></div><a id="id788712" class="indexterm"></a><a id="id1045400" class="indexterm"></a><div class="para">
				As root, using a text editor, edit the <code class="filename">/etc/fstab</code> file. Add the <code class="command">usrquota</code> and/or <code class="command">grpquota</code> options to the file systems that require quotas:
			</div><pre class="screen">/dev/VolGroup00/LogVol00 /         ext3    defaults        1 1
LABEL=/boot              /boot     ext3    defaults        1 2
none                     /dev/pts  devpts  gid=5,mode=620  0 0
none                     /dev/shm  tmpfs   defaults        0 0
none                     /proc     proc    defaults        0 0
none                     /sys      sysfs   defaults        0 0
/dev/VolGroup00/LogVol02 /home     ext3    defaults,usrquota,grpquota  1 2
/dev/VolGroup00/LogVol01 swap      swap    defaults        0 0 . . .</pre><div class="para">
				In this example, the <code class="filename">/home</code> file system has both user and group quotas enabled.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					The following examples assume that a separate <code class="command">/home</code> partition was created during the installation of Red Hat Enterprise Linux. The root (<code class="command">/</code>) partition can be used for setting quota policies in the <code class="filename">/etc/fstab</code> file.
				</div></div></div></div><div class="section" id="s2-disk-quotas-remounting"><div class="titlepage"><div><div><h3 class="title" id="s2-disk-quotas-remounting">8.1.2. Remounting the File Systems</h3></div></div></div><div class="para">
				After adding the <code class="command">usrquota</code> and/or <code class="command">grpquota</code> options, remount each file system whose <code class="filename">fstab</code> entry has been modified. If the file system is not in use by any process, use one of the following methods:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Issue the <code class="command">umount</code> command followed by the <code class="command">mount</code> command to remount the file system.(See the <code class="command">man</code> page for both <code class="command">umount</code> and <code class="command">mount</code> for the specific syntax for mounting and unmounting various filesystem types.)
					</div></li><li class="listitem"><div class="para">
						Issue the <code class="command">mount -o remount <em class="replaceable"><code>&lt;file-system&gt;</code></em> </code> command (where <code class="command"><em class="replaceable"><code>&lt;file-system&gt;</code></em> </code> is the name of the file system) to remount the file system. For example, to remount the <code class="filename">/home</code> file system, the command to issue is <code class="command">mount -o remount /home</code>.
					</div></li></ul></div><div class="para">
				If the file system is currently in use, the easiest method for remounting the file system is to reboot the system.
			</div></div><div class="section" id="s2-disk-quotas-create-files"><div class="titlepage"><div><div><h3 class="title" id="s2-disk-quotas-create-files">8.1.3. Creating the Quota Database Files</h3></div></div></div><a id="id837900" class="indexterm"></a><a id="id807681" class="indexterm"></a><a id="id788536" class="indexterm"></a><div class="para">
				After each quota-enabled file system is remounted, the system is capable of working with disk quotas. However, the file system itself is not yet ready to support quotas. The next step is to run the <code class="command">quotacheck</code> command.
			</div><div class="para">
				The <code class="command">quotacheck</code> command examines quota-enabled file systems and builds a table of the current disk usage per file system. The table is then used to update the operating system's copy of disk usage. In addition, the file system's disk quota files are updated.
			</div><div class="para">
				To create the quota files (<code class="filename">aquota.user</code> and <code class="filename">aquota.group</code>) on the file system, use the <code class="option">-c</code> option of the <code class="command">quotacheck</code> command. For example, if user and group quotas are enabled for the <code class="filename">/home</code> file system, create the files in the <code class="filename">/home</code> directory:
			</div><pre class="screen"><code class="command">quotacheck -cug /home</code></pre><div class="para">
				The <code class="option">-c</code> option specifies that the quota files should be created for each file system with quotas enabled, the <code class="option">-u</code> option specifies to check for user quotas, and the <code class="option">-g</code> option specifies to check for group quotas.
			</div><div class="para">
				If neither the <code class="option">-u</code> or <code class="option">-g</code> options are specified, only the user quota file is created. If only <code class="option">-g</code> is specified, only the group quota file is created.
			</div><div class="para">
				After the files are created, run the following command to generate the table of current disk usage per file system with quotas enabled:
			</div><pre class="screen"><code class="command">quotacheck -avug</code></pre><div class="para">
				The options used are as follows:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="option">a</code> — Check all quota-enabled, locally-mounted file systems
					</div></li><li class="listitem"><div class="para">
						<code class="option">v</code> — Display verbose status information as the quota check proceeds
					</div></li><li class="listitem"><div class="para">
						<code class="option">u</code> — Check user disk quota information
					</div></li><li class="listitem"><div class="para">
						<code class="option">g</code> — Check group disk quota information
					</div></li></ul></div><div class="para">
				After <code class="command">quotacheck</code> has finished running, the quota files corresponding to the enabled quotas (user and/or group) are populated with data for each quota-enabled locally-mounted file system such as <code class="filename">/home</code>.
			</div></div><div class="section" id="s2-disk-quotas-assigning-user"><div class="titlepage"><div><div><h3 class="title" id="s2-disk-quotas-assigning-user">8.1.4. Assigning Quotas per User</h3></div></div></div><a id="id916128" class="indexterm"></a><div class="para">
				The last step is assigning the disk quotas with the <code class="command">edquota</code> command.
			</div><div class="para">
				To configure the quota for a user, as root in a shell prompt, execute the command:
			</div><pre class="screen"><code class="command">edquota <em class="replaceable"><code>username</code></em></code></pre><div class="para">
				Perform this step for each user who needs a quota. For example, if a quota is enabled in <code class="filename">/etc/fstab</code> for the <code class="filename">/home</code> partition (<code class="filename">/dev/VolGroup00/LogVol02</code> in the example below) and the command <code class="command">edquota testuser</code> is executed, the following is shown in the editor configured as the default for the system:
			</div><pre class="screen">Disk quotas for user testuser (uid 501):
Filesystem                blocks     soft     hard    inodes   soft   hard
/dev/VolGroup00/LogVol02  440436        0        0     37418      0      0</pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					The text editor defined by the <code class="envar">EDITOR</code> environment variable is used by <code class="command">edquota</code>. To change the editor, set the <code class="envar">EDITOR</code> environment variable in your <code class="filename">~/.bash_profile</code> file to the full path of the editor of your choice.
				</div></div></div><div class="para">
				The first column is the name of the file system that has a quota enabled for it. The second column shows how many blocks the user is currently using. The next two columns are used to set soft and hard block limits for the user on the file system. The <code class="computeroutput">inodes</code> column shows how many inodes the user is currently using. The last two columns are used to set the soft and hard inode limits for the user on the file system.
			</div><a id="id886565" class="indexterm"></a><div class="para">
				The hard block limit is the absolute maximum amount of disk space that a user or group can use. Once this limit is reached, no further disk space can be used.
			</div><a id="id886580" class="indexterm"></a><a id="id886591" class="indexterm"></a><div class="para">
				The soft block limit defines the maximum amount of disk space that can be used. However, unlike the hard limit, the soft limit can be exceeded for a certain amount of time. That time is known as the <em class="firstterm">grace period</em>. The grace period can be expressed in seconds, minutes, hours, days, weeks, or months.
			</div><div class="para">
				If any of the values are set to 0, that limit is not set. In the text editor, change the desired limits. For example:
			</div><pre class="screen">Disk quotas for user testuser (uid 501):
Filesystem                blocks     soft     hard   inodes   soft   hard
/dev/VolGroup00/LogVol02  440436   500000   550000    37418      0      0</pre><div class="para">
				To verify that the quota for the user has been set, use the command:
			</div><pre class="screen"><code class="command">quota testuser</code></pre></div><div class="section" id="s2-disk-quotas-assigning-group"><div class="titlepage"><div><div><h3 class="title" id="s2-disk-quotas-assigning-group">8.1.5. Assigning Quotas per Group</h3></div></div></div><a id="id924121" class="indexterm"></a><div class="para">
				Quotas can also be assigned on a per-group basis. For example, to set a group quota for the <code class="computeroutput">devel</code> group (the group must exist prior to setting the group quota), use the command:
			</div><pre class="screen"><code class="command">edquota -g devel</code></pre><div class="para">
				This command displays the existing quota for the group in the text editor:
			</div><pre class="screen">Disk quotas for group devel (gid 505):
Filesystem                blocks    soft     hard    inodes    soft    hard
/dev/VolGroup00/LogVol02  440400       0        0     37418       0       0</pre><div class="para">
				Modify the limits, then save the file.
			</div><div class="para">
				To verify that the group quota has been set, use the command:
			</div><pre class="screen"><code class="command">quota -g devel</code></pre></div><div class="section" id="s2-disk-quotas-assigning-file-system"><div class="titlepage"><div><div><h3 class="title" id="s2-disk-quotas-assigning-file-system">8.1.6. Setting the Grace Period for Soft Limits</h3></div></div></div><a id="id924168" class="indexterm"></a><div class="para">
				If soft limits are set for a given quota (whether inode or block and for either users or groups) the grace period, or amount of time a soft limit can be exceeded, should be set with the command:
			</div><pre class="screen"><code class="command">edquota -t</code></pre><div class="para">
				While other <code class="command">edquota</code> commands operate on a particular user's or group's quota, the <code class="command">-t</code> option operates on every filesystem with quotas enabled.
			</div></div></div><div class="section" id="s1-disk-quotas-managing"><div class="titlepage"><div><div><h2 class="title" id="s1-disk-quotas-managing">8.2. Managing Disk Quotas</h2></div></div></div><a id="id924215" class="indexterm"></a><div class="para">
			If quotas are implemented, they need some maintenance — mostly in the form of watching to see if the quotas are exceeded and making sure the quotas are accurate.
		</div><div class="para">
			Of course, if users repeatedly exceed their quotas or consistently reach their soft limits, a system administrator has a few choices to make depending on what type of users they are and how much disk space impacts their work. The administrator can either help the user determine how to use less disk space or increase the user's disk quota.
		</div><div class="section" id="s2-disk-quota-enabling"><div class="titlepage"><div><div><h3 class="title" id="s2-disk-quota-enabling">8.2.1. Enabling and Disabling</h3></div></div></div><a id="id788585" class="indexterm"></a><a id="id788596" class="indexterm"></a><div class="para">
				It is possible to disable quotas without setting them to 0. To turn all user and group quotas off, use the following command:
			</div><pre class="screen"><code class="command">quotaoff -vaug</code></pre><div class="para">
				If neither the <code class="option">-u</code> or <code class="option">-g</code> options are specified, only the user quotas are disabled. If only <code class="option">-g</code> is specified, only group quotas are disabled. The <code class="command">-v</code> switch causes verbose status information to display as the command executes.
			</div><a id="id788631" class="indexterm"></a><a id="id788642" class="indexterm"></a><div class="para">
				To enable quotas again, use the <code class="command">quotaon</code> command with the same options.
			</div><div class="para">
				For example, to enable user and group quotas for all file systems, use the following command:
			</div><pre class="screen"><code class="command">quotaon -vaug</code></pre><div class="para">
				To enable quotas for a specific file system, such as <code class="filename">/home</code>, use the following command:
			</div><pre class="screen"><code class="command">quotaon -vug /home</code></pre><div class="para">
				If neither the <code class="option">-u</code> or <code class="option">-g</code> options are specified, only the user quotas are enabled. If only <code class="option">-g</code> is specified, only group quotas are enabled.
			</div></div><div class="section" id="s2-disk-quotas-managing-rpt"><div class="titlepage"><div><div><h3 class="title" id="s2-disk-quotas-managing-rpt">8.2.2. Reporting on Disk Quotas</h3></div></div></div><a id="id918884" class="indexterm"></a><div class="para">
				Creating a disk usage report entails running the <code class="command">repquota</code> utility. For example, the command <code class="command">repquota /home</code> produces this output:
			</div><pre class="screen">*** Report for user quotas on device /dev/mapper/VolGroup00-LogVol02
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --      36       0       0              4     0     0
kristin   --     540       0       0            125     0     0
testuser  --  440400  500000  550000          37418     0     0</pre><div class="para">
				To view the disk usage report for all (option <code class="option">-a</code>) quota-enabled file systems, use the command:
			</div><pre class="screen"><code class="command">repquota -a</code></pre><div class="para">
				While the report is easy to read, a few points should be explained. The <code class="computeroutput">--</code> displayed after each user is a quick way to determine whether the block or inode limits have been exceeded. If either soft limit is exceeded, a <code class="computeroutput">+</code> appears in place of the corresponding <code class="computeroutput">-</code>; the first <code class="computeroutput">-</code> represents the block limit, and the second represents the inode limit.
			</div><div class="para">
				The <code class="computeroutput">grace</code> columns are normally blank. If a soft limit has been exceeded, the column contains a time specification equal to the amount of time remaining on the grace period. If the grace period has expired, <code class="computeroutput">none</code> appears in its place.
			</div></div><div class="section" id="s2-disk-quotas-managing-accurate"><div class="titlepage"><div><div><h3 class="title" id="s2-disk-quotas-managing-accurate">8.2.3. Keeping Quotas Accurate</h3></div></div></div><a id="id918976" class="indexterm"></a><a id="id918998" class="indexterm"></a><div class="para">
				Whenever a file system is not unmounted cleanly (due to a system crash, for example), it is necessary to run quotacheck. However, quotacheck can be run on a regular basis, even if the system has not crashed. Safe methods for periodically running <code class="command">quotacheck</code> include:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">Ensuring quotacheck runs on next reboot</span></dt><dd><div class="note" id="note-Best_method_for_most_systems"><div class="admonition_header"><h2>Best method for most systems</h2></div><div class="admonition"><div class="para">
								This method works best for (busy) multiuser systems which are periodically rebooted.
							</div></div></div><div class="para">
							As root, place a shell script into the <code class="filename">/etc/cron.daily/</code> or <code class="filename">/etc/cron.weekly/</code> directory—or schedule one using the <code class="command">crontab -e</code> command—that contains the <code class="command">touch /forcequotacheck</code> command. This creates an empty <code class="filename">forcequotacheck</code> file in the root directory, which the system init script looks for at boot time. If it is found, the init script runs <code class="command">quotacheck</code>. Afterward, the init script removes the <code class="filename">/forcequotacheck</code> file; thus, scheduling this file to be created periodically with <code class="systemitem">cron</code> ensures that <code class="command">quotacheck</code> is run during the next reboot.
						</div><div class="para">
							Refer to <a class="xref" href="#ch-autotasks">Chapter 37, <em>Automated Tasks</em></a> for more information about configuring <code class="systemitem">cron</code>.
						</div></dd><dt class="varlistentry"><span class="term">Running quotacheck in single user mode</span></dt><dd><div class="para">
							An alternative way to safely run <code class="command">quotacheck</code> is to (re-)boot the system into single-user mode to prevent the possibility of data corruption in quota files and run:
						</div><pre class="screen">~]# quotaoff -vaug /<em class="replaceable"><code>&lt;file_system&gt;</code></em>
~]# quotacheck -vaug /<em class="replaceable"><code>&lt;file_system&gt;</code></em>
~]# quotaon -vaug /<em class="replaceable"><code>&lt;file_system&gt;</code></em></pre></dd><dt class="varlistentry"><span class="term">Running quotacheck on a running system</span></dt><dd><div class="para">
							If necessary, it is possible to run <code class="command">quotacheck</code> on a machine during a time when no users are logged in, and thus have no open files on the file system being checked. Run the command <code class="command">quotacheck -vaug <em class="replaceable"><code>&lt;file_system&gt;</code></em> </code>; this command will fail if <code class="command">quotacheck</code> cannot remount the given <em class="replaceable"><code>&lt;file_system&gt;</code></em> as read-only. Note that, following the check, the file system will be remounted read-write.
						</div><div class="important" id="important-Do_not_run_quotacheck_on_a_live_file_system"><div class="admonition_header"><h2>Do not run quotacheck on a live file system</h2></div><div class="admonition"><div class="para">
								Running <code class="command">quotacheck</code> on a live file system mounted read-write is not recommended due to the possibility of quota file corruption.
							</div></div></div></dd></dl></div><div class="para">
				Refer to <a class="xref" href="#ch-autotasks">Chapter 37, <em>Automated Tasks</em></a> for more information about configuring <code class="command">cron</code>.
			</div></div></div><div class="section" id="s1-disk-quotas-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-disk-quotas-additional-resources">8.3. Additional Resources</h2></div></div></div><a id="id783922" class="indexterm"></a><div class="para">
			For more information on disk quotas, refer to the following resources.
		</div><div class="section" id="s2-disk-quotas-install-docs"><div class="titlepage"><div><div><h3 class="title" id="s2-disk-quotas-install-docs">8.3.1. Installed Documentation</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						The <code class="command">quotacheck</code>, <code class="command">edquota</code>, <code class="command">repquota</code>, <code class="command">quota</code>, <code class="command">quotaon</code>, and <code class="command">quotaoff</code> man pages
					</div></li></ul></div></div><div class="section" id="s2-disk-quotas-related-book"><div class="titlepage"><div><div><h3 class="title" id="s2-disk-quotas-related-book">8.3.2. Related Books</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<em class="citetitle">Red Hat Enterprise Linux Introduction to System Administration</em>; Red Hat, Inc. — Available at <a href="http://www.redhat.com/docs/">http://www.redhat.com/docs/</a> and on the Documentation CD, this manual contains background information on storage management (including disk quotas) for new Red Hat Enterprise Linux system administrators.
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-acls" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 9. Access Control Lists</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-acls-mounting">9.1. Mounting File Systems</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-acls-mounting-nfs">9.1.1. NFS</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-acls-setting">9.2. Setting Access ACLs</a></span></dt><dt><span class="section"><a href="#s1-acls-setting-default">9.3. Setting Default ACLs</a></span></dt><dt><span class="section"><a href="#s1-acls-retrieving">9.4. Retrieving ACLs</a></span></dt><dt><span class="section"><a href="#s1-acls-archiving">9.5. Archiving File Systems With ACLs</a></span></dt><dt><span class="section"><a href="#s1-acls-compat-older">9.6. Compatibility with Older Systems</a></span></dt><dt><span class="section"><a href="#s1-acls-additional-resources">9.7. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-acls-installed-docs">9.7.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-acls-useful-websites">9.7.2. Useful Websites</a></span></dt></dl></dd></dl></div><a id="id833763" class="indexterm"></a><div class="para">
		Files and directories have permission sets for the owner of the file, the group associated with the file, and all other users for the system. However, these permission sets have limitations. For example, different permissions cannot be configured for different users. Thus, <em class="firstterm">Access Control Lists</em> (ACLs) were implemented.
	</div><a id="id871265" class="indexterm"></a><a id="id1065639" class="indexterm"></a><div class="para">
		The Red Hat Enterprise Linux 5 kernel provides ACL support for the ext3 file system and NFS-exported file systems. ACLs are also recognized on ext3 file systems accessed via Samba.
	</div><div class="para">
		Along with support in the kernel, the <code class="filename">acl</code> package is required to implement ACLs. It contains the utilities used to add, modify, remove, and retrieve ACL information.
	</div><div class="para">
		The <code class="command">cp</code> and <code class="command">mv</code> commands copy or move any ACLs associated with files and directories.
	</div><div class="section" id="s1-acls-mounting"><div class="titlepage"><div><div><h2 class="title" id="s1-acls-mounting">9.1. Mounting File Systems</h2></div></div></div><a id="id816808" class="indexterm"></a><div class="para">
			Before using ACLs for a file or directory, the partition for the file or directory must be mounted with ACL support. If it is a local ext3 file system, it can mounted with the following command:
		</div><pre class="screen"><code class="command">mount -t ext3 -o acl <em class="replaceable"><code>&lt;device-name&gt;</code></em> <em class="replaceable"><code>&lt;partition&gt;</code></em></code></pre><div class="para">
			For example:
		</div><pre class="screen"><code class="command">mount -t ext3 -o acl /dev/VolGroup00/LogVol02 /work</code></pre><div class="para">
			Alternatively, if the partition is listed in the <code class="filename">/etc/fstab</code> file, the entry for the partition can include the <code class="computeroutput">acl</code> option:
		</div><pre class="screen">LABEL=/work      /work       ext3    acl        1 2</pre><div class="para">
			If an ext3 file system is accessed via Samba and ACLs have been enabled for it, the ACLs are recognized because Samba has been compiled with the <code class="option">--with-acl-support</code> option. No special flags are required when accessing or mounting a Samba share.
		</div><div class="section" id="s2-acls-mounting-nfs"><div class="titlepage"><div><div><h3 class="title" id="s2-acls-mounting-nfs">9.1.1. NFS</h3></div></div></div><a id="id835815" class="indexterm"></a><div class="para">
				By default, if the file system being exported by an NFS server supports ACLs and the NFS client can read ACLs, ACLs are utilized by the client system.
			</div><div class="para">
				To disable ACLs on NFS shares when configuring the server, include the <code class="computeroutput">no_acl</code> option in the <code class="filename">/etc/exports</code> file. To disable ACLs on an NFS share when mounting it on a client, mount it with the <code class="computeroutput">no_acl</code> option via the command line or the <code class="filename">/etc/fstab</code> file.
			</div></div></div><div class="section" id="s1-acls-setting"><div class="titlepage"><div><div><h2 class="title" id="s1-acls-setting">9.2. Setting Access ACLs</h2></div></div></div><a id="id784347" class="indexterm"></a><a id="id926050" class="indexterm"></a><div class="para">
			There are two types of ACLs: <em class="firstterm">access ACLs</em> and <em class="firstterm">default ACLs</em>. An access ACL is the access control list for a specific file or directory. A default ACL can only be associated with a directory; if a file within the directory does not have an access ACL, it uses the rules of the default ACL for the directory. Default ACLs are optional.
		</div><div class="para">
			ACLs can be configured:
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					Per user
				</div></li><li class="listitem"><div class="para">
					Per group
				</div></li><li class="listitem"><div class="para">
					Via the effective rights mask
				</div></li><li class="listitem"><div class="para">
					For users not in the user group for the file
				</div></li></ol></div><a id="id874899" class="indexterm"></a><a id="id874915" class="indexterm"></a><div class="para">
			The <code class="command">setfacl</code> utility sets ACLs for files and directories. Use the <code class="computeroutput">-m</code> option to add or modify the ACL of a file or directory:
		</div><pre class="screen"><code class="command">setfacl -m <em class="replaceable"><code>&lt;rules&gt;</code></em> <em class="replaceable"><code>&lt;files&gt;</code></em></code></pre><div class="para">
			Rules (<em class="replaceable"><code>&lt;rules&gt;</code></em>) must be specified in the following formats. Multiple rules can be specified in the same command if they are separated by commas.
		</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"><code class="computeroutput">u:<em class="replaceable"><code>&lt;uid&gt;</code></em>:<em class="replaceable"><code>&lt;perms&gt;</code></em></code></span></dt><dd><div class="para">
						Sets the access ACL for a user. The user name or UID may be specified. The user may be any valid user on the system.
					</div></dd><dt class="varlistentry"><span class="term"><code class="computeroutput">g:<em class="replaceable"><code>&lt;gid&gt;</code></em>:<em class="replaceable"><code>&lt;perms&gt;</code></em></code></span></dt><dd><div class="para">
						Sets the access ACL for a group. The group name or GID may be specified. The group may be any valid group on the system.
					</div></dd><dt class="varlistentry"><span class="term"><code class="computeroutput">m:<em class="replaceable"><code>&lt;perms&gt;</code></em></code></span></dt><dd><div class="para">
						Sets the effective rights mask. The mask is the union of all permissions of the owning group and all of the user and group entries.
					</div></dd><dt class="varlistentry"><span class="term"><code class="computeroutput">o:<em class="replaceable"><code>&lt;perms&gt;</code></em></code></span></dt><dd><div class="para">
						Sets the access ACL for users other than the ones in the group for the file.
					</div></dd></dl></div><div class="para">
			White space is ignored. Permissions (<em class="replaceable"><code>&lt;perms&gt;</code></em>) must be a combination of the characters <code class="computeroutput">r</code>, <code class="computeroutput">w</code>, and <code class="computeroutput">x</code> for read, write, and execute.
		</div><div class="para">
			If a file or directory already has an ACL, and the <code class="command">setfacl</code> command is used, the additional rules are added to the existing ACL or the existing rule is modified.
		</div><div class="para">
			For example, to give read and write permissions to user andrius:
		</div><pre class="screen"><code class="command">setfacl -m u:andrius:rw /project/somefile</code></pre><div class="para">
			To remove all the permissions for a user, group, or others, use the <code class="computeroutput">-x</code> option and do not specify any permissions:
		</div><pre class="screen"><code class="command">setfacl -x <em class="replaceable"><code>&lt;rules&gt;</code></em> <em class="replaceable"><code>&lt;files&gt;</code></em></code></pre><div class="para">
			For example, to remove all permissions from the user with UID 500:
		</div><pre class="screen"><code class="command">setfacl -x u:500 /project/somefile</code></pre></div><div class="section" id="s1-acls-setting-default"><div class="titlepage"><div><div><h2 class="title" id="s1-acls-setting-default">9.3. Setting Default ACLs</h2></div></div></div><a id="id853793" class="indexterm"></a><div class="para">
			To set a default ACL, add <code class="computeroutput">d:</code> before the rule and specify a directory instead of a file name.
		</div><div class="para">
			For example, to set the default ACL for the <code class="filename">/share/</code> directory to read and execute for users not in the user group (an access ACL for an individual file can override it):
		</div><pre class="screen"><code class="command">setfacl -m d:o:rx /share</code></pre></div><div class="section" id="s1-acls-retrieving"><div class="titlepage"><div><div><h2 class="title" id="s1-acls-retrieving">9.4. Retrieving ACLs</h2></div></div></div><a id="id853838" class="indexterm"></a><a id="id853851" class="indexterm"></a><a id="id853868" class="indexterm"></a><div class="para">
			To determine the existing ACLs for a file or directory, use the <code class="command">getfacl</code> command. In the example below, the <code class="command">getfacl</code> is used to determine the existing ACLs for a file.
		</div><pre class="screen"><code class="command">getfacl home/john/picture.png</code></pre><div class="para">
			The above command returns the following output:
		</div><pre class="screen"># file: home/john/picture.png
# owner: john
# group: john
user::rw-
group::r--
other::r--</pre><div class="para">

</div><div class="para">
			If a directory with a default ACL is specified, the default ACL is also displayed as illustrated below.
		</div><pre class="screen">[john@main /]$ <code class="command">getfacl home/sales/</code>
# file: home/sales/
# owner: john
# group: john
user::rw-
user:barryg:r--
group::r--
mask::r--
other::r--
default:user::rwx
default:user:john:rwx
default:group::r-x
default:mask::rwx
default:other::r-x</pre></div><div class="section" id="s1-acls-archiving"><div class="titlepage"><div><div><h2 class="title" id="s1-acls-archiving">9.5. Archiving File Systems With ACLs</h2></div></div></div><a id="id790691" class="indexterm"></a><a id="id790704" class="indexterm"></a><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
				The <code class="command">tar</code> and <code class="command">dump</code> commands do <span class="emphasis"><em>not</em></span> backup ACLs.
			</div></div></div><div class="para">
			The <code class="command">star</code> utility is similar to the <code class="command">tar</code> utility in that it can be used to generate archives of files; however, some of its options are different. Refer to <a class="xref" href="#tb-star-options">Table 9.1, “Command Line Options for <code class="command">star</code>”</a> for a listing of more commonly used options. For all available options, refer to the <code class="command">star</code> man page. The <code class="filename">star</code> package is required to use this utility.
		</div><div class="table" id="tb-star-options"><h6>Table 9.1. Command Line Options for <code class="command">star</code></h6><div class="table-contents"><table summary="Command Line Options for star" border="1"><colgroup><col width="40%" class="option" /><col width="60%" class="description" /></colgroup><thead><tr><th>
							Option
						</th><th>
							Description
						</th></tr></thead><tbody><tr><td>
							<code class="option">-c</code>
						</td><td>
							Creates an archive file.
						</td></tr><tr><td>
							<code class="option">-n</code>
						</td><td>
							Do not extract the files; use in conjunction with <code class="option">-x</code> to show what extracting the files does.
						</td></tr><tr><td>
							<code class="option">-r</code>
						</td><td>
							Replaces files in the archive. The files are written to the end of the archive file, replacing any files with the same path and file name.
						</td></tr><tr><td>
							<code class="option">-t</code>
						</td><td>
							Displays the contents of the archive file.
						</td></tr><tr><td>
							<code class="option">-u</code>
						</td><td>
							Updates the archive file. The files are written to the end of the archive if they do not exist in the archive or if the files are newer than the files of the same name in the archive. This option only work if the archive is a file or an unblocked tape that may backspace.
						</td></tr><tr><td>
							<code class="option">-x</code>
						</td><td>
							Extracts the files from the archive. If used with <code class="option">-U</code> and a file in the archive is older than the corresponding file on the file system, the file is not extracted.
						</td></tr><tr><td>
							<code class="option">-help</code>
						</td><td>
							Displays the most important options.
						</td></tr><tr><td>
							<code class="option">-xhelp</code>
						</td><td>
							Displays the least important options.
						</td></tr><tr><td>
							<code class="option">-/</code>
						</td><td>
							Do not strip leading slashes from file names when extracting the files from an archive. By default, they are striped when files are extracted.
						</td></tr><tr><td>
							<code class="option">-acl</code>
						</td><td>
							When creating or extracting, archive or restore any ACLs associated with the files and directories.
						</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="s1-acls-compat-older"><div class="titlepage"><div><div><h2 class="title" id="s1-acls-compat-older">9.6. Compatibility with Older Systems</h2></div></div></div><div class="para">
			If an ACL has been set on any file on a given file system, that file system has the <code class="command">ext_attr</code> attribute. This attribute can be seen using the following command:
		</div><pre class="screen"><code class="command">tune2fs -l <em class="replaceable"><code>&lt;filesystem-device&gt;</code></em></code></pre><div class="para">
			A file system that has acquired the <code class="command">ext_attr</code> attribute can be mounted with older kernels, but those kernels do not enforce any ACLs which have been set.
		</div><div class="para">
			Versions of the <code class="command">e2fsck</code> utility included in version 1.22 and higher of the <code class="filename">e2fsprogs</code> package (including the versions in Red Hat Enterprise Linux 2.1 and 4) can check a file system with the <code class="command">ext_attr</code> attribute. Older versions refuse to check it.
		</div></div><div class="section" id="s1-acls-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-acls-additional-resources">9.7. Additional Resources</h2></div></div></div><a id="id779998" class="indexterm"></a><div class="para">
			Refer to the follow resources for more information.
		</div><div class="section" id="s2-acls-installed-docs"><div class="titlepage"><div><div><h3 class="title" id="s2-acls-installed-docs">9.7.1. Installed Documentation</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">acl</code> man page — Description of ACLs
					</div></li><li class="listitem"><div class="para">
						<code class="command">getfacl</code> man page — Discusses how to get file access control lists
					</div></li><li class="listitem"><div class="para">
						<code class="command">setfacl</code> man page — Explains how to set file access control lists
					</div></li><li class="listitem"><div class="para">
						<code class="command">star</code> man page — Explains more about the <code class="command">star</code> utility and its many options
					</div></li></ul></div></div><div class="section" id="s2-acls-useful-websites"><div class="titlepage"><div><div><h3 class="title" id="s2-acls-useful-websites">9.7.2. Useful Websites</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://acl.bestbits.at/">http://acl.bestbits.at/</a> — Website for ACLs
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-lvm" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 10. LVM (Logical Volume Manager)</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-lvm-intro-whatis">10.1. What is LVM?</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-lvm2-intro-whatis">10.1.1. What is LVM2?</a></span></dt></dl></dd><dt><span class="section"><a href="#s-lvm-config">10.2. LVM Configuration</a></span></dt><dt><span class="section"><a href="#s1-lvm-diskdruid-auto">10.3. Automatic Partitioning</a></span></dt><dt><span class="section"><a href="#s1-lvm-diskdruid-manual">10.4. Manual LVM Partitioning</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-lvm-diskdruid-manual-boot">10.4.1. Creating the <code class="command">/boot</code> Partition</a></span></dt><dt><span class="section"><a href="#s2-lvm-diskdruid-manual-pv">10.4.2. Creating the LVM Physical Volumes</a></span></dt><dt><span class="section"><a href="#s2-lvm-diskdruid-manual-vg">10.4.3. Creating the LVM Volume Groups</a></span></dt><dt><span class="section"><a href="#s2-lvm-diskdruid-manual-lv">10.4.4. Creating the LVM Logical Volumes</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-system-config-lvm">10.5. Using the LVM utility <code class="filename">system-config-lvm</code></a></span></dt><dd><dl><dt><span class="section"><a href="#s1-system-config-lvm-uninitialized">10.5.1. Utilizing uninitialized entities</a></span></dt><dt><span class="section"><a href="#s1-system-config-lvm-add-unallocated">10.5.2. Adding Unallocated Volumes to a volume group</a></span></dt><dt><span class="section"><a href="#s1-system-config-lvm-migrate-extents">10.5.3. Migrating extents</a></span></dt><dt><span class="section"><a href="#s1-system-config-lvm-new-hdd">10.5.4. Adding a new hard disk using LVM</a></span></dt><dt><span class="section"><a href="#s1-system-config-lvm-new-volumegrp">10.5.5. Adding a new volume group</a></span></dt><dt><span class="section"><a href="#s1-system-config-lvm-ext-volumegrp">10.5.6. Extending a volume group</a></span></dt><dt><span class="section"><a href="#s1-system-config-lvm-editing-lv">10.5.7. Editing a Logical Volume</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-lvm-additional-resources">10.6. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-lvm-installed-docs">10.6.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-lvm-useful-websites">10.6.2. Useful Websites</a></span></dt></dl></dd></dl></div><a id="id921012" class="indexterm"></a><div class="section" id="s1-lvm-intro-whatis"><div class="titlepage"><div><div><h2 class="title" id="s1-lvm-intro-whatis">10.1. What is LVM?</h2></div></div></div><a id="id840196" class="indexterm"></a><div class="para">
			LVM is a tool for logical volume management which includes allocating disks, striping, mirroring and resizing logical volumes.
		</div><a id="id857086" class="indexterm"></a><a id="id921189" class="indexterm"></a><div class="para">
			With LVM, a hard drive or set of hard drives is allocated to one or more <em class="firstterm">physical volumes</em>. LVM physical volumes can be placed on other block devices which might span two or more disks.
		</div><div class="para">
			The physical volumes are combined into <em class="firstterm">logical volumes</em>, with the exception of the <code class="filename">/boot</code> partition. The <code class="filename">/boot</code> partition cannot be on a logical volume group because the boot loader cannot read it. If the root (<code class="filename">/</code>) partition is on a logical volume, create a separate <code class="filename">/boot</code> partition which is not a part of a volume group.
		</div><div class="para">
			Since a physical volume cannot span over multiple drives, to span over more than one drive, create one or more physical volumes per drive.
		</div><a id="id854898" class="indexterm"></a><a id="id857458" class="indexterm"></a><a id="id862001" class="indexterm"></a><div class="figure" id="fig-lvm-group"><div class="figure-contents"><div class="mediaobject"><img src="images/lvg.png" alt="Logical Volumes" /><div class="longdesc"><div class="para">
						LVM Group
					</div></div></div></div><h6>Figure 10.1. Logical Volumes</h6></div><br class="figure-break" /><a id="id829214" class="indexterm"></a><a id="id829227" class="indexterm"></a><div class="para">
			The volume groups can be divided into <em class="firstterm">logical volumes</em>, which are assigned mount points, such as <code class="filename">/home</code> and <code class="filename">/</code> and file system types, such as ext2 or ext3. When "partitions" reach their full capacity, free space from the volume group can be added to the logical volume to increase the size of the partition. When a new hard drive is added to the system, it can be added to the volume group, and partitions that are logical volumes can be increased in size.
		</div><div class="figure" id="fig-lvm-volumes"><div class="figure-contents"><div class="mediaobject"><img src="images/lvols.png" alt="Logical Volumes" /><div class="longdesc"><div class="para">
						Logical Volumes
					</div></div></div></div><h6>Figure 10.2. Logical Volumes</h6></div><br class="figure-break" /><div class="para">
			On the other hand, if a system is partitioned with the ext3 file system, the hard drive is divided into partitions of defined sizes. If a partition becomes full, it is not easy to expand the size of the partition. Even if the partition is moved to another hard drive, the original hard drive space has to be reallocated as a different partition or not used.
		</div><div class="para">
			To learn how to configure LVM during the installation process, refer to <a class="xref" href="#s-lvm-config">Section 10.2, “LVM Configuration”</a>.
		</div><div class="section" id="s1-lvm2-intro-whatis"><div class="titlepage"><div><div><h3 class="title" id="s1-lvm2-intro-whatis">10.1.1. What is LVM2?</h3></div></div></div><a id="id872377" class="indexterm"></a><div class="para">
				LVM version 2, or LVM2, is the default for Red Hat Enterprise Linux 5, which uses the device mapper driver contained in the 2.6 kernel. LVM2 can be upgraded from versions of Red Hat Enterprise Linux running the 2.4 kernel.
			</div></div></div><div class="section" id="s-lvm-config"><div class="titlepage"><div><div><h2 class="title" id="s-lvm-config">10.2. LVM Configuration</h2></div></div></div><a id="id872408" class="indexterm"></a><a id="id872421" class="indexterm"></a><div class="para">
			LVM can be configured during the graphical installation process, the text-based installation process, or during a kickstart installation. You can use the <code class="filename">system-config-lvm</code> utility to create your own LVM configuration post-installation. The next two sections focus on using <span class="application"><strong>Disk Druid</strong></span> during installation to complete this task. The third section introduces the LVM utility (<code class="filename">system-config-lvm</code>) which allows you to manage your LVM volumes in X windows or graphically.
		</div><div class="para">
			Read <a class="xref" href="#s1-lvm-intro-whatis">Section 10.1, “What is LVM?”</a> first to learn about LVM. An overview of the steps required to configure LVM include:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					Creating <em class="firstterm">physical volumes</em> from the hard drives.
				</div></li><li class="listitem"><div class="para">
					Creating <em class="firstterm">volume groups</em> from the physical volumes.
				</div></li><li class="listitem"><div class="para">
					Creating <em class="firstterm">logical volumes</em> from the volume groups and assign the logical volumes mount points.
				</div></li></ul></div><div class="para">
			Two 9.1 GB SCSI drives (<code class="command">/dev/sda</code> and <code class="command">/dev/sdb</code>) are used in the following examples. They detail how to create a simple configuration using a single LVM volume group with associated logical volumes during installation.
		</div></div><div class="section" id="s1-lvm-diskdruid-auto"><div class="titlepage"><div><div><h2 class="title" id="s1-lvm-diskdruid-auto">10.3. Automatic Partitioning</h2></div></div></div><a id="id783066" class="indexterm"></a><div class="para">
			On the <span class="guilabel"><strong>Disk Partitioning Setup</strong></span> screen, select <span class="guimenuitem"><strong>Remove linux partitions on selected drives and create default layout</strong></span> from the pulldown list.
		</div><div class="para">
			For Red Hat Enterprise Linux, LVM is the default method for disk partitioning. If you do not wish to have LVM implemented, or if you require RAID partitioning, manual disk partitioning through <span class="application"><strong>Disk Druid</strong></span> is required.
		</div><div class="para">
			The following properties make up the automatically created configuration:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					The <code class="command">/boot</code> partition resides on its own non-LVM partition. In the following example, it is the first partition on the first drive (<code class="command">/dev/sda1</code>). Bootable partitions <span class="emphasis"><em>cannot</em></span> reside on LVM logical volumes.
				</div></li><li class="listitem"><div class="para">
					A single LVM volume group (<code class="command">VolGroup00</code>) is created, which spans all selected drives and all remaining space available. In the following example, the remainder of the first drive (<code class="command">/dev/sda2</code>), and the entire second drive (<code class="command">/dev/sdb1</code>) are allocated to the volume group.
				</div></li><li class="listitem"><div class="para">
					Two LVM logical volumes (<code class="command">LogVol00</code> and <code class="command">LogVol01</code>) are created from the newly created spanned volume group. In the following example, the recommended swap space is automatically calculated and assigned to <code class="command">LogVol01</code>, and the remainder is allocated to the root file system, <code class="command">LogVol00</code>.
				</div></li></ul></div><div class="figure" id="fig-lvm-auto-config"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-auto-config.png" alt="Automatic LVM Configuration With Two SCSI Drives" /><div class="longdesc"><div class="para">
						Automatic LVM Configuration With Two SCSI Drives
					</div></div></div></div><h6>Figure 10.3. Automatic LVM Configuration With Two SCSI Drives</h6></div><br class="figure-break" /><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				If enabling quotas are of interest to you, it may be best to modify the automatic configuration to include other mount points, such as <code class="command">/home</code> or <code class="command">/var</code>, so that each file system has its own independent quota configuration limits.
			</div><div class="para">
				In most cases, the default automatic LVM partitioning is sufficient, but advanced implementations could warrant modification or manual configuration of the partition tables.
			</div></div></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				If you anticipate future memory upgrades, leaving some free space in the volume group would allow for easy future expansion of the swap space logical volume on the system; in which case, the automatic LVM configuration should be modified to leave available space for future growth.
			</div></div></div></div><div class="section" id="s1-lvm-diskdruid-manual"><div class="titlepage"><div><div><h2 class="title" id="s1-lvm-diskdruid-manual">10.4. Manual LVM Partitioning</h2></div></div></div><a id="id781799" class="indexterm"></a><div class="para">
			The following section explains how to manually configure LVM for Red Hat Enterprise Linux. Because there are numerous ways to manually configure a system with LVM, the following example is similar to the default configuration done in <a class="xref" href="#s1-lvm-diskdruid-auto">Section 10.3, “Automatic Partitioning”</a>.
		</div><div class="para">
			On the <span class="guilabel"><strong>Disk Partitioning Setup</strong></span> screen, select <span class="guimenuitem"><strong>Create custom layout</strong></span> from the pulldown list and click the <span class="guibutton"><strong>Next</strong></span> button in the bottom right corner of the screen.
		</div><div class="section" id="s2-lvm-diskdruid-manual-boot"><div class="titlepage"><div><div><h3 class="title" id="s2-lvm-diskdruid-manual-boot">10.4.1. Creating the <code class="command">/boot</code> Partition</h3></div></div></div><a id="id848508" class="indexterm"></a><a id="id848525" class="indexterm"></a><div class="para">
				In a typical situation, the disk drives are new, or formatted clean. The following figure, <a class="xref" href="#fig-lvm-manual-free">Figure 10.4, “Two Blank Drives, Ready for Configuration”</a>, shows both drives as raw devices with no partitioning configured.
			</div><div class="figure" id="fig-lvm-manual-free"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-manual-free.png" alt="Two Blank Drives, Ready for Configuration" /><div class="longdesc"><div class="para">
							Two Blank Drives, Ready for Configuration
						</div></div></div></div><h6>Figure 10.4. Two Blank Drives, Ready for Configuration</h6></div><br class="figure-break" /><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
					The <code class="filename">/boot</code> partition cannot reside on an LVM volume because the GRUB boot loader cannot read it.
				</div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Select <span class="guibutton"><strong>New</strong></span>.
					</div></li><li class="listitem"><div class="para">
						Select <span class="guilabel"><strong>/boot</strong></span> from the <span class="guilabel"><strong>Mount Point</strong></span> pulldown menu.
					</div></li><li class="listitem"><div class="para">
						Select <span class="guilabel"><strong>ext3</strong></span> from the <span class="guilabel"><strong>File System Type</strong></span> pulldown menu.
					</div></li><li class="listitem"><div class="para">
						Select only the <span class="guilabel"><strong>sda</strong></span> checkbox from the <span class="guilabel"><strong>Allowable Drives</strong></span> area.
					</div></li><li class="listitem"><div class="para">
						Leave <span class="guilabel"><strong>100</strong></span> (the default) in the <span class="guilabel"><strong>Size (MB)</strong></span> menu.
					</div></li><li class="listitem"><div class="para">
						Leave the <span class="guilabel"><strong>Fixed size</strong></span> (the default) radio button selected in the <span class="guilabel"><strong>Additional Size Options</strong></span> area.
					</div></li><li class="listitem"><div class="para">
						Select <span class="guilabel"><strong>Force to be a primary partition</strong></span> to make the partition be a primary partition. A primary partition is one of the first four partitions on the hard drive. If unselected, the partition is created as a logical partition. If other operating systems are already on the system, unselecting this option should be considered. For more information on primary versus logical/extended partitions, refer to the appendix section of the <em class="citetitle">Red Hat Enterprise Linux Installation Guide</em>.
					</div></li></ol></div><div class="para">
				Refer to <a class="xref" href="#fig-lvm-manual-boot">Figure 10.5, “Creation of the Boot Partition”</a> to verify your inputted values:
			</div><div class="figure" id="fig-lvm-manual-boot"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-manual-boot.png" alt="Creation of the Boot Partition" /><div class="longdesc"><div class="para">
							Creation of the Boot Partition
						</div></div></div></div><h6>Figure 10.5. Creation of the Boot Partition</h6></div><br class="figure-break" /><div class="para">
				Click <span class="guibutton"><strong>OK</strong></span> to return to the main screen. The following figure displays the boot partition correctly set:
			</div><div class="figure" id="fig-lvm-manual-postboot"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-manual-postboot.png" alt="The /boot Partition Displayed" /><div class="longdesc"><div class="para">
							The <code class="command">/boot</code> Partition Displayed
						</div></div></div></div><h6>Figure 10.6. The <code class="command">/boot</code> Partition Displayed</h6></div><br class="figure-break" /></div><div class="section" id="s2-lvm-diskdruid-manual-pv"><div class="titlepage"><div><div><h3 class="title" id="s2-lvm-diskdruid-manual-pv">10.4.2. Creating the LVM Physical Volumes</h3></div></div></div><a id="id848812" class="indexterm"></a><a id="id848830" class="indexterm"></a><a id="id848843" class="indexterm"></a><div class="para">
				Once the boot partition is created, the remainder of all disk space can be allocated to LVM partitions. The first step in creating a successful LVM implementation is the creation of the physical volume(s).
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Select <span class="guibutton"><strong>New</strong></span>.
					</div></li><li class="listitem"><div class="para">
						Select <span class="guilabel"><strong>physical volume (LVM)</strong></span> from the <span class="guilabel"><strong>File System Type</strong></span> pulldown menu as shown in <a class="xref" href="#fig-lvm-manual-pv01">Figure 10.7, “Creating a Physical Volume”</a>.
					</div><div class="figure" id="fig-lvm-manual-pv01"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-manual-pv01.png" alt="Creating a Physical Volume" /><div class="longdesc"><div class="para">
									Creating a Physical Volume
								</div></div></div></div><h6>Figure 10.7. Creating a Physical Volume</h6></div><br class="figure-break" /></li><li class="listitem"><div class="para">
						You cannot enter a mount point yet (you can once you have created all your physical volumes and then all volume groups).
					</div></li><li class="listitem"><div class="para">
						A physical volume must be constrained to one drive. For <span class="guimenuitem"><strong>Allowable Drives</strong></span>, select the drive on which the physical volume are created. If you have multiple drives, all drives are selected, and you must deselect all but one drive.
					</div></li><li class="listitem"><div class="para">
						Enter the size that you want the physical volume to be.
					</div></li><li class="listitem"><div class="para">
						Select <span class="guilabel"><strong>Fixed size</strong></span> to make the physical volume the specified size, select <span class="guilabel"><strong>Fill all space up to (MB)</strong></span> and enter a size in MBs to give range for the physical volume size, or select <span class="guilabel"><strong>Fill to maximum allowable size</strong></span> to make it grow to fill all available space on the hard disk. If you make more than one growable, they share the available free space on the disk.
					</div></li><li class="listitem"><div class="para">
						Select <span class="guilabel"><strong>Force to be a primary partition</strong></span> if you want the partition to be a primary partition.
					</div></li><li class="listitem"><div class="para">
						Click <span class="guibutton"><strong>OK</strong></span> to return to the main screen.
					</div></li></ol></div><div class="para">
				Repeat these steps to create as many physical volumes as needed for your LVM setup. For example, if you want the volume group to span over more than one drive, create a physical volume on each of the drives. The following figure shows both drives completed after the repeated process:
			</div><div class="figure" id="fig-lvm-manual-pvdone"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-manual-pvdone.png" alt="Two Physical Volumes Created" /><div class="longdesc"><div class="para">
							Two Physical Volumes Created, Ready for Volume Groups
						</div></div></div></div><h6>Figure 10.8. Two Physical Volumes Created</h6></div><br class="figure-break" /></div><div class="section" id="s2-lvm-diskdruid-manual-vg"><div class="titlepage"><div><div><h3 class="title" id="s2-lvm-diskdruid-manual-vg">10.4.3. Creating the LVM Volume Groups</h3></div></div></div><a id="id849069" class="indexterm"></a><a id="id849088" class="indexterm"></a><a id="id849102" class="indexterm"></a><div class="para">
				Once all the physical volumes are created, the volume groups can be created:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Click the <span class="guibutton"><strong>LVM</strong></span> button to collect the physical volumes into volume groups. A volume group is basically a collection of physical volumes. You can have multiple logical volumes, but a physical volume can only be in one volume group.
					</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
							There is overhead disk space reserved in the volume group. The volume group size is slightly less than the total of physical volume sizes.
						</div></div></div><div class="figure" id="fig-lvm-manual-vg"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-manual-vg.png" alt="Creating an LVM Volume Group" /><div class="longdesc"><div class="para">
									Creating an LVM Volume Group
								</div></div></div></div><h6>Figure 10.9. Creating an LVM Volume Group</h6></div><br class="figure-break" /></li><li class="listitem"><div class="para">
						Change the <span class="guilabel"><strong>Volume Group Name</strong></span> if desired.
					</div></li><li class="listitem"><div class="para">
						<a id="id849208" class="indexterm"></a>
						 <a id="id849222" class="indexterm"></a>
						All logical volumes inside the volume group must be allocated in <em class="firstterm">physical extent (PE)</em> units. A physical extent is an allocation unit for data.
					</div></li><li class="listitem"><div class="para">
						Select which physical volumes to use for the volume group.
					</div></li></ol></div></div><div class="section" id="s2-lvm-diskdruid-manual-lv"><div class="titlepage"><div><div><h3 class="title" id="s2-lvm-diskdruid-manual-lv">10.4.4. Creating the LVM Logical Volumes</h3></div></div></div><a id="id849259" class="indexterm"></a><a id="id849278" class="indexterm"></a><a id="id849292" class="indexterm"></a><div class="para">
				Create logical volumes with mount points such as <code class="filename">/</code>, <code class="filename">/home</code>, and swap space. Remember that <code class="filename">/boot</code> cannot be a logical volume. To add a logical volume, click the <span class="guibutton"><strong>Add</strong></span> button in the <span class="guilabel"><strong>Logical Volumes</strong></span> section. A dialog window as shown in <a class="xref" href="#fig-lvm-manual-lv">Figure 10.10, “Creating a Logical Volume”</a> appears.
			</div><div class="figure" id="fig-lvm-manual-lv"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-manual-lv.png" alt="Creating a Logical Volume" /><div class="longdesc"><div class="para">
							Creating a Logical Volume
						</div></div></div></div><h6>Figure 10.10. Creating a Logical Volume</h6></div><br class="figure-break" /><div class="para">
				Repeat these steps for each volume group you want to create.
			</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
					You may want to leave some free space in the volume group so you can expand the logical volumes later. The default automatic configuration does not do this, but this manual configuration example does — approximately 1 GB is left as free space for future expansion.
				</div></div></div><div class="figure" id="fig-lvm-manual-lvdone"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-manual-lvdone.png" alt="Pending Logical Volumes" /><div class="longdesc"><div class="para">
							Pending Logical Volumes
						</div></div></div></div><h6>Figure 10.11. Pending Logical Volumes</h6></div><br class="figure-break" /><div class="para">
				Click <span class="guilabel"><strong>OK</strong></span> to apply the volume group and all associated logical volumes.
			</div><div class="para">
				The following figure shows the final manual configuration:
			</div><div class="figure" id="fig-lvm-manual-done"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-manual-done.png" alt="Final Manual Configuration" /><div class="longdesc"><div class="para">
							Final Manual Configuration
						</div></div></div></div><h6>Figure 10.12. Final Manual Configuration</h6></div><br class="figure-break" /></div></div><div class="section" id="s1-system-config-lvm"><div class="titlepage"><div><div><h2 class="title" id="s1-system-config-lvm">10.5. Using the LVM utility <code class="filename">system-config-lvm</code></h2></div></div></div><a id="id849493" class="indexterm"></a><div class="para">
			The LVM utility allows you to manage logical volumes within X windows or graphically. You can access the application by selecting from your menu panel <span class="guimenuitem"><strong>System</strong></span> &gt; <span class="guimenuitem"><strong>Administration</strong></span> &gt; <span class="guimenuitem"><strong>Logical Volume Management</strong></span>. Alternatively you can start the Logical Volume Management utility by typing <code class="command">system-config-lvm</code> from a terminal.
		</div><div class="para">
			In the example used in this section, the following are the details for the volume group that was created during the installation:
		</div><pre class="screen">/boot - (Ext3) file system. Displayed under 'Uninitialized Entities'. (DO NOT initialize this partition).
LogVol00 - (LVM) contains the (/) directory (312 extents).
LogVol02 - (LVM) contains the (/home) directory (128 extents).
LogVol03 - (LVM) swap (28 extents).</pre><div class="para">
			The logical volumes above were created in disk entity <code class="filename">/dev/hda2</code> while <code class="filename">/boot</code> was created in <code class="filename">/dev/hda1</code>. The system also consists of 'Uninitialized Entities' which are illustrated in <a class="xref" href="#system-config-lvm-main10">Figure 10.17, “Uninitialized Entities”</a>. The figure below illustrates the main window in the LVM utility. The logical and the physical views of the above configuration are illustrated below. The three logical volumes exist on the same physical volume (hda2).
		</div><div class="figure" id="system-config-lvm-main1"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main1.png" width="444" alt="Main LVM Window" /><div class="longdesc"><div class="para">
						Main LVM Window
					</div></div></div></div><h6>Figure 10.13. Main LVM Window</h6></div><br class="figure-break" /><div class="para">
			The figure below illustrates the physical view for the volume. In this window, you can select and remove a volume from the volume group or migrate extents from the volume to another volume group. Steps to migrate extents are discussed in <a class="xref" href="#system-config-lvm-main36">Figure 10.22, “Migrate Extents”</a>.
		</div><div class="figure" id="system-config-lvm-main2"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main2.png" width="444" alt="Physical View Window" /><div class="longdesc"><div class="para">
						Physical View Window
					</div></div></div></div><h6>Figure 10.14. Physical View Window</h6></div><br class="figure-break" /><div class="para">
			The figure below illustrates the logical view for the selected volume group. The logical volume size is also indicated with the individual logical volume sizes illustrated.
		</div><div class="figure" id="system-config-lvm-main3"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main3.png" width="444" alt="Logical View Window" /><div class="longdesc"><div class="para">
						Logical View Window
					</div></div></div></div><h6>Figure 10.15. Logical View Window</h6></div><br class="figure-break" /><div class="para">
			On the left side column, you can select the individual logical volumes in the volume group to view more details about each. In this example the objective is to rename the logical volume name for 'LogVol03' to 'Swap'. To perform this operation select the respective logical volume and click on the <span class="guibutton"><strong>Edit Properties</strong></span> button. This will display the Edit Logical Volume window from which you can modify the Logical volume name, size (in extents) and also use the remaining space available in a logical volume group. The figure below illustrates this.
		</div><div class="para">
			Please note that this logical volume cannot be changed in size as there is currently no free space in the volume group. If there was remaining space, this option would be enabled (see <a class="xref" href="#system-config-lvm-main32">Figure 10.31, “Edit logical volume”</a>). Click on the <span class="guibutton"><strong>OK</strong></span> button to save your changes (this will remount the volume). To cancel your changes click on the <span class="guibutton"><strong>Cancel</strong></span> button. To revert to the last snapshot settings click on the <span class="guibutton"><strong>Revert</strong></span> button. A snapshot can be created by clicking on the <span class="guibutton"><strong>Create Snapshot</strong></span> button on the LVM utility window. If the selected logical volume is in use by the system (for example) the <code class="filename">/</code> (root) directory, this task will not be successful as the volume cannot be unmounted.
		</div><div class="figure" id="system-config-lvm-main7"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main7.png" width="444" alt="Edit Logical Volume" /><div class="longdesc"><div class="para">
						Edit Logical Volume
					</div></div></div></div><h6>Figure 10.16. Edit Logical Volume</h6></div><br class="figure-break" /><div class="section" id="s1-system-config-lvm-uninitialized"><div class="titlepage"><div><div><h3 class="title" id="s1-system-config-lvm-uninitialized">10.5.1. Utilizing uninitialized entities</h3></div></div></div><div class="para">
				'Uninitialized Entities' consist of unpartitioned space and non LVM file systems. In this example partitions 3, 4, 5, 6 and 7 were created during installation and some unpartitioned space was left on the hard disk. Please view each partition and ensure that you read the 'Properties for Disk Entity' on the right column of the window to ensure that you do not delete critical data. In this example partition 1 cannot be initialized as it is <code class="filename">/boot</code>. Uninitialized entities are illustrated below.
			</div><div class="figure" id="system-config-lvm-main10"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main10.png" width="444" alt="Uninitialized Entities" /><div class="longdesc"><div class="para">
							Uninitialized Entities
						</div></div></div></div><h6>Figure 10.17. Uninitialized Entities</h6></div><br class="figure-break" /><div class="para">
				In this example, partition 3 will be initialized and added to an existing volume group. To initialize a partition or unpartioned space, select the partition and click on the <span class="guibutton"><strong>Initialize Entity</strong></span> button. Once initialized, a volume will be listed in the 'Unallocated Volumes' list.
			</div></div><div class="section" id="s1-system-config-lvm-add-unallocated"><div class="titlepage"><div><div><h3 class="title" id="s1-system-config-lvm-add-unallocated">10.5.2. Adding Unallocated Volumes to a volume group</h3></div></div></div><div class="para">
				Once initialized, a volume will be listed in the 'Unallocated Volumes' list. The figure below illustrates an unallocated partition (Partition 3). The respective buttons at the bottom of the window allow you to: 
				<div class="itemizedlist"><ul><li class="listitem"><div class="para">
							create a new volume group,
						</div></li><li class="listitem"><div class="para">
							add the unallocated volume to an existing volume group,
						</div></li><li class="listitem"><div class="para">
							remove the volume from LVM.
						</div></li></ul></div>
				 To add the volume to an existing volume group, click on the <span class="guibutton"><strong>Add to Existing Volume Group</strong></span> button.
			</div><div class="figure" id="system-config-lvm-main13"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main13.png" width="444" alt="Unallocated Volumes" /><div class="longdesc"><div class="para">
							Unallocated Volumes
						</div></div></div></div><h6>Figure 10.18. Unallocated Volumes</h6></div><br class="figure-break" /><div class="para">
				Clicking on the <span class="guibutton"><strong>Add to Existing Volume Group</strong></span> button will display a pop up window listing the existing volume groups to which you can add the physical volume you are about to initialize. A volume group may span across one or more hard disks. In this example only one volume group exists as illustrated below.
			</div><div class="figure" id="system-config-lvm-main14"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main14.png" width="444" alt="Add physical volume to volume group" /><div class="longdesc"><div class="para">
							Add physical volume to volume group
						</div></div></div></div><h6>Figure 10.19. Add physical volume to volume group</h6></div><br class="figure-break" /><div class="para">
				Once added to an existing volume group the new logical volume is automatically added to the unused space of the selected volume group. You can use the unused space to: 
				<div class="itemizedlist"><ul><li class="listitem"><div class="para">
							create a new logical volume (click on the <span class="guibutton"><strong>Create New Logical Volume(s)</strong></span> button,
						</div></li><li class="listitem"><div class="para">
							select one of the existing logical volumes and increase the extents (see <a class="xref" href="#s1-system-config-lvm-ext-volumegrp">Section 10.5.6, “Extending a volume group”</a>),
						</div></li><li class="listitem"><div class="para">
							select an existing logical volume and remove it from the volume group by clicking on the <span class="guibutton"><strong>Remove Selected Logical Volume(s)</strong></span> button. Please note that you cannot select unused space to perform this operation.
						</div></li></ul></div>
				 The figure below illustrates the logical view of 'VolGroup00' after adding the new volume group.
			</div><div class="figure" id="system-config-lvm-main15"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main15.png" width="444" alt="Logical view of volume group" /><div class="longdesc"><div class="para">
							Logical view of volume group
						</div></div></div></div><h6>Figure 10.20. Logical view of volume group</h6></div><br class="figure-break" /><div class="para">
				In the figure below, the uninitialized entities (partitions 3, 5, 6 and 7) were added to 'VolGroup00'.
			</div><div class="figure" id="system-config-lvm-main21"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main21.png" width="444" alt="Logical view of volume group" /><div class="longdesc"><div class="para">
							Logical view of volume group
						</div></div></div></div><h6>Figure 10.21. Logical view of volume group</h6></div><br class="figure-break" /></div><div class="section" id="s1-system-config-lvm-migrate-extents"><div class="titlepage"><div><div><h3 class="title" id="s1-system-config-lvm-migrate-extents">10.5.3. Migrating extents</h3></div></div></div><div class="para">
				To migrate extents from a physical volume, select the volume and click on the <span class="guibutton"><strong>Migrate Selected Extent(s) From Volume</strong></span> button. Please note that you need to have a sufficient number of free extents to migrate extents within a volume group. An error message will be displayed if you do not have a sufficient number of free extents. To resolve this problem, please extend your volume group (see <a class="xref" href="#s1-system-config-lvm-ext-volumegrp">Section 10.5.6, “Extending a volume group”</a>). If a sufficient number of free extents is detected in the volume group, a pop up window will be displayed from which you can select the destination for the extents or automatically let LVM choose the physical volumes (PVs) to migrate them to. This is illustrated below.
			</div><div class="figure" id="system-config-lvm-main36"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main36.png" alt="Migrate Extents" /><div class="longdesc"><div class="para">
							Migrate Extents
						</div></div></div></div><h6>Figure 10.22. Migrate Extents</h6></div><br class="figure-break" /><div class="para">
				The figure below illustrates a migration of extents in progress. In this example, the extents were migrated to 'Partition 3'.
			</div><div class="figure" id="system-config-lvm-main23"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main23.png" width="444" alt="Migrating extents in progress" /><div class="longdesc"><div class="para">
							Migrating extents in progress
						</div></div></div></div><h6>Figure 10.23. Migrating extents in progress</h6></div><br class="figure-break" /><div class="para">
				Once the extents have been migrated, unused space is left on the physical volume. The figure below illustrates the physical and logical view for the volume group. Please note that the extents of LogVol00 which were initially in hda2 are now in hda3. Migrating extents allows you to move logical volumes in case of hard disk upgrades or to manage your disk space better.
			</div><div class="figure" id="system-config-lvm-main34"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main34.png" width="444" alt="Logical and physical view of volume group" /><div class="longdesc"><div class="para">
							Logical and physical view of volume group
						</div></div></div></div><h6>Figure 10.24. Logical and physical view of volume group</h6></div><br class="figure-break" /></div><div class="section" id="s1-system-config-lvm-new-hdd"><div class="titlepage"><div><div><h3 class="title" id="s1-system-config-lvm-new-hdd">10.5.4. Adding a new hard disk using LVM</h3></div></div></div><div class="para">
				In this example, a new IDE hard disk was added. The figure below illustrates the details for the new hard disk. From the figure below, the disk is uninitialized and not mounted. To initialize a partition, click on the <span class="guibutton"><strong>Initialize Entity</strong></span> button. For more details, see <a class="xref" href="#s1-system-config-lvm-uninitialized">Section 10.5.1, “Utilizing uninitialized entities”</a>. Once initialized, LVM will add the new volume to the list of unallocated volumes as illustrated in <a class="xref" href="#system-config-lvm-main17">Figure 10.26, “Create new volume group”</a>.
			</div><div class="figure" id="system-config-lvm-main16"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main16.png" width="444" alt="Uninitialized hard disk" /><div class="longdesc"><div class="para">
							Uninitialized hard disk
						</div></div></div></div><h6>Figure 10.25. Uninitialized hard disk</h6></div><br class="figure-break" /></div><div class="section" id="s1-system-config-lvm-new-volumegrp"><div class="titlepage"><div><div><h3 class="title" id="s1-system-config-lvm-new-volumegrp">10.5.5. Adding a new volume group</h3></div></div></div><div class="para">
				Once initialized, LVM will add the new volume to the list of unallocated volumes where you can add it to an existing volume group or create a new volume group. You can also remove the volume from LVM. The volume if removed from LVM will be listed in the list of 'Uninitialized Entities' as illustrated in <a class="xref" href="#system-config-lvm-main16">Figure 10.25, “Uninitialized hard disk”</a>. In this example, a new volume group was created as illustrated below.
			</div><div class="figure" id="system-config-lvm-main17"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main17.png" width="444" alt="Create new volume group" /><div class="longdesc"><div class="para">
							Create new volume group
						</div></div></div></div><h6>Figure 10.26. Create new volume group</h6></div><br class="figure-break" /><div class="para">
				Once created a new volume group will be displayed in the list of existing volume groups as illustrated below. The logical view will display the new volume group with unused space as no logical volumes have been created. To create a logical volume, select the volume group and click on the <span class="guibutton"><strong>Create New Logical Volume</strong></span> button as illustrated below. Please select the extents you wish to use on the volume group. In this example, all the extents in the volume group were used to create the new logical volume.
			</div><div class="figure" id="system-config-lvm-main18"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main18.png" width="444" alt="Create new logical volume" /><div class="longdesc"><div class="para">
							Create new logical volume
						</div></div></div></div><h6>Figure 10.27. Create new logical volume</h6></div><br class="figure-break" /><div class="para">
				The figure below illustrates the physical view of the new volume group. The new logical volume named 'Backups' in this volume group is also listed.
			</div><div class="figure" id="system-config-lvm-main26"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main26.png" width="444" alt="Physical view of new volume group" /><div class="longdesc"><div class="para">
							Physical view of new volume group
						</div></div></div></div><h6>Figure 10.28. Physical view of new volume group</h6></div><br class="figure-break" /></div><div class="section" id="s1-system-config-lvm-ext-volumegrp"><div class="titlepage"><div><div><h3 class="title" id="s1-system-config-lvm-ext-volumegrp">10.5.6. Extending a volume group</h3></div></div></div><div class="para">
				In this example, the objective was to extend the new volume group to include an uninitialized entity (partition). This was to increase the size or number of extents for the volume group. To extend the volume group, click on the <span class="guibutton"><strong>Extend Volume Group</strong></span> button. This will display the 'Extend Volume Group' window as illustrated below. On the 'Extend Volume Group' window, you can select disk entities (partitions) to add to the volume group. Please ensure that you check the contents of any 'Uninitialized Disk Entities' (partitions) to avoid deleting any critical data (see <a class="xref" href="#system-config-lvm-main16">Figure 10.25, “Uninitialized hard disk”</a>). In the example, the disk entity (partition) <code class="filename">/dev/hda6</code> was selected as illustrated below.
			</div><div class="figure" id="system-config-lvm-main27"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main27.png" width="444" alt="Select disk entities" /><div class="longdesc"><div class="para">
							Select disk entities
						</div></div></div></div><h6>Figure 10.29. Select disk entities</h6></div><br class="figure-break" /><div class="para">
				Once added, the new volume will be added as 'Unused Space' in the volume group. The figure below illustrates the logical and physical view of the volume group after it was extended.
			</div><div class="figure" id="system-config-lvm-main28"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main28.png" width="444" alt="Logical and physical view of an extended volume group" /><div class="longdesc"><div class="para">
							Logical and physical view of an extended volume group
						</div></div></div></div><h6>Figure 10.30. Logical and physical view of an extended volume group</h6></div><br class="figure-break" /></div><div class="section" id="s1-system-config-lvm-editing-lv"><div class="titlepage"><div><div><h3 class="title" id="s1-system-config-lvm-editing-lv">10.5.7. Editing a Logical Volume</h3></div></div></div><div class="para">
				The LVM utility allows you to select a logical volume in the volume group and modify its name, size and specify filesystem options. In this example, the logical volume named 'Backups" was extended onto the remaining space for the volume group.
			</div><div class="para">
				Clicking on the <span class="guibutton"><strong>Edit Properties</strong></span> button will display the 'Edit Logical Volume' popup window from which you can edit the properties of the logical volume. On this window, you can also mount the volume after making the changes and mount it when the system is rebooted. Please note that you should indicate the mount point. If the mount point you specify does not exist, a popup window will be displayed prompting you to create it. The 'Edit Logical Volume' window is illustrated below.
			</div><div class="figure" id="system-config-lvm-main32"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main32.png" alt="Edit logical volume" /><div class="longdesc"><div class="para">
							Edit logical volume
						</div></div></div></div><h6>Figure 10.31. Edit logical volume</h6></div><br class="figure-break" /><div class="para">
				If you wish to mount the volume, select the 'Mount' checkbox indicating the preferred mount point. To mount the volume when the system is rebooted, select the 'Mount when rebooted' checkbox. In this example, the new volume will be mounted in <code class="filename">/mnt/backups</code>. This is illustrated in the figure below.
			</div><div class="figure" id="system-config-lvm-main33"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main33.png" alt="Edit logical volume - specifying mount options" /><div class="longdesc"><div class="para">
							Edit logical volume - specifying mount options
						</div></div></div></div><h6>Figure 10.32. Edit logical volume - specifying mount options</h6></div><br class="figure-break" /><div class="para">
				The figure below illustrates the logical and physical view of the volume group after the logical volume was extended to the unused space. Please note in this example that the logical volume named 'Backups' spans across two hard disks. A volume can be striped across two or more physical devices using LVM.
			</div><div class="figure" id="system-config-lvm-main30"><div class="figure-contents"><div class="mediaobject"><img src="images/lvm-main30.png" width="444" alt="Edit logical volume" /><div class="longdesc"><div class="para">
							Edit logical volume
						</div></div></div></div><h6>Figure 10.33. Edit logical volume</h6></div><br class="figure-break" /></div></div><div class="section" id="s1-lvm-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-lvm-additional-resources">10.6. Additional Resources</h2></div></div></div><a id="id850771" class="indexterm"></a><div class="para">
			Use these sources to learn more about LVM.
		</div><div class="section" id="s2-lvm-installed-docs"><div class="titlepage"><div><div><h3 class="title" id="s2-lvm-installed-docs">10.6.1. Installed Documentation</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">rpm -qd lvm2</code> — This command shows all the documentation available from the <code class="command">lvm</code> package, including man pages.
					</div></li><li class="listitem"><div class="para">
						<code class="command">lvm help</code> — This command shows all LVM commands available.
					</div></li></ul></div></div><div class="section" id="s2-lvm-useful-websites"><div class="titlepage"><div><div><h3 class="title" id="s2-lvm-useful-websites">10.6.2. Useful Websites</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://sources.redhat.com/lvm2">http://sources.redhat.com/lvm2</a> — LVM2 webpage, which contains an overview, link to the mailing lists, and more.
					</div></li><li class="listitem"><div class="para">
						<a href="http://tldp.org/HOWTO/LVM-HOWTO/">http://tldp.org/HOWTO/LVM-HOWTO/</a> — LVM HOWTO from the Linux Documentation Project.
					</div></li></ul></div></div></div></div></div><div class="part" id="pt-pkg-management"><div class="titlepage"><div><div><h1 class="title">Part II. Package Management</h1></div></div></div><div class="partintro" id="id633713"><div></div><div class="para">
				All software on a Red Hat Enterprise Linux system is divided into RPM packages which can be installed, upgraded, or removed. This part describes how to manage the RPM packages on a Red Hat Enterprise Linux system using graphical and command line tools.
			</div><div class="toc"><p><strong>Table of Contents</strong></p><dl><dt><span class="chapter"><a href="#ch-rpm">11. Package Management with RPM</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-rpm-design">11.1. RPM Design Goals</a></span></dt><dt><span class="section"><a href="#s1-rpm-using">11.2. Using RPM</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-rpm-finding">11.2.1. Finding RPM Packages</a></span></dt><dt><span class="section"><a href="#s2-rpm-installing">11.2.2. Installing</a></span></dt><dt><span class="section"><a href="#s2-rpm-uninstalling">11.2.3. Uninstalling</a></span></dt><dt><span class="section"><a href="#s2-rpm-upgrading">11.2.4. Upgrading</a></span></dt><dt><span class="section"><a href="#s2-rpm-freshening">11.2.5. Freshening</a></span></dt><dt><span class="section"><a href="#s2-rpm-querying">11.2.6. Querying</a></span></dt><dt><span class="section"><a href="#s2-rpm-verifying">11.2.7. Verifying</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-check-rpm-sig">11.3. Checking a Package's Signature</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-keys-importing">11.3.1. Importing Keys</a></span></dt><dt><span class="section"><a href="#s2-keys-checking">11.3.2. Verifying Signature of Packages</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-rpm-impressing">11.4. Practical and Common Examples of RPM Usage</a></span></dt><dt><span class="section"><a href="#s1-rpm-additional-resources">11.5. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-rpm-installed-docs">11.5.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-rpm-useful-websites">11.5.2. Useful Websites</a></span></dt><dt><span class="section"><a href="#s2-rpm-related-books">11.5.3. Related Books</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-graphical-rpm">12. <span class="application"><strong>Package Management Tool</strong></span></a></span></dt><dd><dl><dt><span class="section"><a href="#s1-graphical-rpm-analyzing">12.1. Listing and Analyzing Packages</a></span></dt><dt><span class="section"><a href="#s1-graphical-rpm-installing">12.2. Installing and Removing Packages</a></span></dt></dl></dd><dt><span class="chapter"><a href="#c1-yum">13. YUM (Yellowdog Updater Modified)</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-yum-repo-setup">13.1. Setting Up a <span class="application"><strong>Yum</strong></span> Repository</a></span></dt><dt><span class="section"><a href="#s1-yum-useful-commands">13.2.  <code class="command">yum</code> Commands</a></span></dt><dt><span class="section"><a href="#s1-yum-common-options">13.3.  <code class="command">yum</code> Options</a></span></dt><dt><span class="section"><a href="#s1-yum-yumconf">13.4. Configuring <code class="command">yum</code> </a></span></dt><dd><dl><dt><span class="section"><a href="#s1-yum-yumconf-main">13.4.1.  <code class="command">[main]</code> Options</a></span></dt><dt><span class="section"><a href="#s1-yum-yumconf-repository">13.4.2.  <code class="command">[<em class="replaceable"><code>repository</code></em>]</code> Options</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-yum-useful-variables">13.5. Useful <code class="command">yum</code> Variables</a></span></dt></dl></dd><dt><span class="chapter"><a href="#entitlements">14. Product Subscriptions and Entitlements</a></span></dt><dd><dl><dt><span class="section"><a href="#overview-of-entitlements">14.1. An Overview of Managing Subscriptions and Content</a></span></dt><dd><dl><dt><span class="section"><a href="#the-purpose-of-subscriptions">14.1.1. The Purpose of Subscription Management</a></span></dt><dt><span class="section"><a href="#defining-entitlements">14.1.2. Defining Subscriptions, Entitlements, and Products</a></span></dt><dt><span class="section"><a href="#rhsm-tools">14.1.3. Subscription Management Tools</a></span></dt><dt><span class="section"><a href="#entitlement-arch">14.1.4. Subscription and Content Architecture</a></span></dt><dt><span class="section"><a href="#enhanced-content">14.1.5. Advanced Content Management: Extended Update Support</a></span></dt><dt><span class="section"><a href="#classic-v-rhn">14.1.6. RHN Classic v. Certificate-based Red Hat Network</a></span></dt></dl></dd><dt><span class="section"><a href="#launching-ents-tools">14.2. Using Red Hat Subscription Manager Tools</a></span></dt><dd><dl><dt><span class="section"><a href="#launching-rhsm">14.2.1. Launching Red Hat Subscription Manager</a></span></dt><dt><span class="section"><a href="#about-ents-cli-script">14.2.2. About subscription-manager</a></span></dt><dt><span class="section"><a href="#about-rhsm-web">14.2.3. Looking at RHN Subscription Management</a></span></dt><dt><span class="section"><a href="#about-sam">14.2.4. Looking at Subscription Asset Manager</a></span></dt></dl></dd><dt><span class="section"><a href="#ents-special-types">14.3. Managing Special Deployment Scenarios</a></span></dt><dd><dl><dt><span class="section"><a href="#ents-multi-tenant">14.3.1. Local Subscription Services, Local Content Providers, and Multi-Tenant Organizations</a></span></dt><dt><span class="section"><a href="#ents-virtual">14.3.2. Virtual Guests and Hosts</a></span></dt><dt><span class="section"><a href="#ents-domains">14.3.3. Domains</a></span></dt></dl></dd><dt><span class="section"><a href="#registering-machine-ui">14.4. Registering, Unregistering, and Reregistering a System</a></span></dt><dd><dl><dt><span class="section"><a href="#registering-ui">14.4.1. Registering Consumers in the Hosted Environment</a></span></dt><dt><span class="section"><a href="#registering-multiorg">14.4.2. Registering Consumers to a Local Organization</a></span></dt><dt><span class="section"><a href="#registering-oflfine">14.4.3. Registering an Offline Consumer</a></span></dt><dt><span class="section"><a href="#registering-cmd">14.4.4. Registering from the Command Line</a></span></dt><dt><span class="section"><a href="#un-registering">14.4.5. Unregistering</a></span></dt><dt><span class="section"><a href="#reregistering">14.4.6. Restoring a Registration</a></span></dt></dl></dd><dt><span class="section"><a href="#rhn-migration">14.5. Migrating Systems from RHN Classic to Certificate-based Red Hat Network</a></span></dt><dd><dl><dt><span class="section"><a href="#install-migration-tools">14.5.1. Installing the Migration Tools</a></span></dt><dt><span class="section"><a href="#rhn-migrate-classic">14.5.2. Migrating from RHN Classic to Certificate-based Red Hat Network</a></span></dt><dt><span class="section"><a href="#rhn-migrate-unregister-only">14.5.3. Unregistering from RHN Classic Only</a></span></dt><dt><span class="section"><a href="#rhn-install-num">14.5.4. Migrating a Disconnected System</a></span></dt><dt><span class="section"><a href="#rhn-channel-mappings">14.5.5. Looking at Channel and Certificate Mappings</a></span></dt></dl></dd><dt><span class="section"><a href="#subscribing-ents">14.6. Handling Subscriptions</a></span></dt><dd><dl><dt><span class="section"><a href="#sub-ui">14.6.1. Subscribing and Unsubscribing through the Red Hat Subscription Manager GUI</a></span></dt><dt><span class="section"><a href="#sub-cli">14.6.2. Handling Subscriptions through the Command Line</a></span></dt><dt><span class="section"><a href="#stacking">14.6.3. Stacking Subscriptions</a></span></dt><dt><span class="section"><a href="#ADDING-SUB">14.6.4. Manually Adding a New Subscription</a></span></dt></dl></dd><dt><span class="section"><a href="#activating-machine">14.7. Redeeming Subscriptions on a Machine</a></span></dt><dd><dl><dt><span class="section"><a href="#activating-gui">14.7.1. Redeeming Subscriptions through the GUI</a></span></dt><dt><span class="section"><a href="#activating-register">14.7.2. Redeeming Subscriptions on a Machine through the Command Line</a></span></dt></dl></dd><dt><span class="section"><a href="#viewing-ents">14.8. Viewing Available and Used Subscriptions</a></span></dt><dd><dl><dt><span class="section"><a href="#viewing-ents-ui">14.8.1. Viewing Subscriptions in the GUI</a></span></dt><dt><span class="section"><a href="#viewing-ents-cmd">14.8.2. Listing Subscriptions with the Command Line</a></span></dt><dt><span class="section"><a href="#viewing-available-sub">14.8.3. Viewing Subscriptions Used in Both RHN Classic and Certificate-based Red Hat Network</a></span></dt></dl></dd><dt><span class="section"><a href="#entitlements-and-yum">14.9. Working with Subscription yum Repos</a></span></dt><dt><span class="section"><a href="#responding-to-nags-ui">14.10. Responding to Subscription Notifications</a></span></dt><dt><span class="section"><a href="#sub-healing">14.11. Healing Subscriptions</a></span></dt><dd><dl><dt><span class="section"><a href="#healing-disable">14.11.1. Enabling Healing</a></span></dt><dt><span class="section"><a href="#healing-freq">14.11.2. Changing the Healing Check Frequency</a></span></dt></dl></dd><dt><span class="section"><a href="#sam">14.12. Working with Subscription Asset Manager</a></span></dt><dd><dl><dt><span class="section"><a href="#configuring-rhsm-sam">14.12.1. Configuring Subscription Manager to Work with Subscription Asset Manager</a></span></dt><dt><span class="section"><a href="#viewing-multi-org-info">14.12.2. Viewing Organization Information</a></span></dt></dl></dd><dt><span class="section"><a href="#uploading-new-certs">14.13. Updating Entitlements Certificates</a></span></dt><dd><dl><dt><span class="section"><a href="#updating-ent-certs">14.13.1. Updating Entitlement Certificates</a></span></dt><dt><span class="section"><a href="#refreshing-ent-info">14.13.2. Updating Subscription Information</a></span></dt></dl></dd><dt><span class="section"><a href="#rhsm-config">14.14. Configuring the Subscription Service</a></span></dt><dd><dl><dt><span class="section"><a href="#rhsm-files">14.14.1. Red Hat Subscription Manager Configuration Files</a></span></dt><dt><span class="section"><a href="#rhsm-config-cmd">14.14.2. Using the config Command</a></span></dt><dt><span class="section"><a href="#rhsm-http-proxy">14.14.3. Using an HTTP Proxy</a></span></dt><dt><span class="section"><a href="#changing-ents-server">14.14.4. Changing the Subscription Server</a></span></dt><dt><span class="section"><a href="#setting-up-rhsm-mirror">14.14.5. Configuring Red Hat Subscription Manager to Use a Local Content Provider</a></span></dt><dt><span class="section"><a href="#secure-cxn-ents-server">14.14.6. Managing Secure Connections to the Subscription Server</a></span></dt><dt><span class="section"><a href="#starting-rhsm">14.14.7. Starting and Stopping the Subscription Service</a></span></dt><dt><span class="section"><a href="#checking-rhsm-logs">14.14.8. Checking Logs</a></span></dt><dt><span class="section"><a href="#showing-incompatible-subsc">14.14.9. Showing and Hiding Incompatible Subscriptions</a></span></dt><dt><span class="section"><a href="#rhsm-facts">14.14.10. Checking and Adding System Facts</a></span></dt><dt><span class="section"><a href="#regen-certs-cli">14.14.11. Regenerating Identity Certificates</a></span></dt><dt><span class="section"><a href="#getting-system-uuid">14.14.12. Getting the System UUID</a></span></dt><dt><span class="section"><a href="#rhsm-package-profiles">14.14.13. Viewing Package Profiles</a></span></dt><dt><span class="section"><a href="#consumerid">14.14.14. Retrieving the Consumer ID, Registration Tokens, and Other Information</a></span></dt></dl></dd><dt><span class="section"><a href="#entitlement-certificates">14.15. About Certificates and Managing Entitlements</a></span></dt><dd><dl><dt><span class="section"><a href="#structure-of-identity-certs">14.15.1. The Structure of Identity Certificates</a></span></dt><dt><span class="section"><a href="#structure-of-ent-certificates">14.15.2. The Structure of Entitlement Certificates</a></span></dt><dt><span class="section"><a href="#structure-of-product-certificates">14.15.3. The Structure of Product Certificates</a></span></dt><dt><span class="section"><a href="#sat-certs">14.15.4. Anatomy of Satellite Certificates</a></span></dt></dl></dd></dl></dd></dl></div></div><div xml:lang="en-US" class="chapter" id="ch-rpm" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 11. Package Management with RPM</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-rpm-design">11.1. RPM Design Goals</a></span></dt><dt><span class="section"><a href="#s1-rpm-using">11.2. Using RPM</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-rpm-finding">11.2.1. Finding RPM Packages</a></span></dt><dt><span class="section"><a href="#s2-rpm-installing">11.2.2. Installing</a></span></dt><dt><span class="section"><a href="#s2-rpm-uninstalling">11.2.3. Uninstalling</a></span></dt><dt><span class="section"><a href="#s2-rpm-upgrading">11.2.4. Upgrading</a></span></dt><dt><span class="section"><a href="#s2-rpm-freshening">11.2.5. Freshening</a></span></dt><dt><span class="section"><a href="#s2-rpm-querying">11.2.6. Querying</a></span></dt><dt><span class="section"><a href="#s2-rpm-verifying">11.2.7. Verifying</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-check-rpm-sig">11.3. Checking a Package's Signature</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-keys-importing">11.3.1. Importing Keys</a></span></dt><dt><span class="section"><a href="#s2-keys-checking">11.3.2. Verifying Signature of Packages</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-rpm-impressing">11.4. Practical and Common Examples of RPM Usage</a></span></dt><dt><span class="section"><a href="#s1-rpm-additional-resources">11.5. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-rpm-installed-docs">11.5.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-rpm-useful-websites">11.5.2. Useful Websites</a></span></dt><dt><span class="section"><a href="#s2-rpm-related-books">11.5.3. Related Books</a></span></dt></dl></dd></dl></div><a id="id790924" class="indexterm"></a><a id="id816679" class="indexterm"></a><div class="para">
		The <em class="firstterm">RPM Package Manager</em> (RPM) is an open packaging system, which runs on Red Hat Enterprise Linux as well as other Linux and UNIX systems. Red Hat, Inc. encourages other vendors to use RPM for their own products. RPM is distributed under the terms of the GPL.
	</div><div class="para">
		The utility works only with packages built for processing by the <code class="filename">rpm</code> package. For the end user, RPM makes system updates easy. Installing, uninstalling, and upgrading RPM packages can be accomplished with short commands. RPM maintains a database of installed packages and their files, so you can invoke powerful queries and verifications on your system. If you prefer a graphical interface, you can use the <span class="application"><strong>Package Management Tool</strong></span> to perform many RPM commands. Refer to <a class="xref" href="#ch-graphical-rpm">Chapter 12, <em><span class="application"><strong>Package Management Tool</strong></span></em></a> for details.
	</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
			When installing a package, please ensure it is compatible with your operating system and architecture. This can usually be determined by checking the package name.
		</div></div></div><div class="para">
		During upgrades, RPM handles configuration files carefully, so that you never lose your customizations — something that you cannot accomplish with regular <code class="filename">.tar.gz</code> files.
	</div><div class="para">
		For the developer, RPM allows you to take software source code and package it into source and binary packages for end users. This process is quite simple and is driven from a single file and optional patches that you create. This clear delineation between <em class="firstterm">pristine</em> sources and your patches along with build instructions eases the maintenance of the package as new versions of the software are released.
	</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
			Because RPM makes changes to your system, you must be logged in as root to install, remove, or upgrade an RPM package.
		</div></div></div><div class="section" id="s1-rpm-design"><div class="titlepage"><div><div><h2 class="title" id="s1-rpm-design">11.1. RPM Design Goals</h2></div></div></div><a id="id854177" class="indexterm"></a><div class="para">
			To understand how to use RPM, it can be helpful to understand the design goals of RPM:
		</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> Upgradability </span></dt><dd><div class="para">
						With RPM, you can upgrade individual components of your system without completely reinstalling. When you get a new release of an operating system based on RPM (such as Red Hat Enterprise Linux), you do not need to reinstall on your machine (as you do with operating systems based on other packaging systems). RPM allows intelligent, fully-automated, in-place upgrades of your system. Configuration files in packages are preserved across upgrades, so you do not lose your customizations. There are no special upgrade files needed to upgrade a package because the same RPM file is used to install and upgrade the package on your system.
					</div></dd><dt class="varlistentry"><span class="term"> Powerful Querying </span></dt><dd><div class="para">
						RPM is designed to provide powerful querying options. You can do searches through your entire database for packages or just for certain files. You can also easily find out what package a file belongs to and from where the package came. The files an RPM package contains are in a compressed archive, with a custom binary header containing useful information about the package and its contents, allowing you to query individual packages quickly and easily.
					</div></dd><dt class="varlistentry"><span class="term"> System Verification </span></dt><dd><div class="para">
						Another powerful RPM feature is the ability to verify packages. If you are worried that you deleted an important file for some package, you can verify the package. You are then notified of any anomalies, if any — at which point, you can reinstall the package if necessary. Any configuration files that you modified are preserved during reinstallation.
					</div></dd><dt class="varlistentry"><span class="term"> Pristine Sources </span></dt><dd><div class="para">
						A crucial design goal was to allow the use of <span class="emphasis"><em>pristine </em></span> software sources, as distributed by the original authors of the software. With RPM, you have the pristine sources along with any patches that were used, plus complete build instructions. This is an important advantage for several reasons. For instance, if a new version of a program is released, you do not necessarily have to start from scratch to get it to compile. You can look at the patch to see what you <span class="emphasis"><em>might</em></span> need to do. All the compiled-in defaults, and all of the changes that were made to get the software to build properly, are easily visible using this technique.
					</div><div class="para">
						The goal of keeping sources pristine may seem important only for developers, but it results in higher quality software for end users, too.
					</div></dd></dl></div></div><div class="section" id="s1-rpm-using"><div class="titlepage"><div><div><h2 class="title" id="s1-rpm-using">11.2. Using RPM</h2></div></div></div><a id="id1041293" class="indexterm"></a><div class="para">
			RPM has five basic modes of operation (not counting package building): installing, uninstalling, upgrading, querying, and verifying. This section contains an overview of each mode. For complete details and options, try <code class="command">rpm --help</code> or <code class="command">man rpm</code>. You can also refer to <a class="xref" href="#s1-rpm-additional-resources">Section 11.5, “Additional Resources”</a> for more information on RPM.
		</div><div class="section" id="s2-rpm-finding"><div class="titlepage"><div><div><h3 class="title" id="s2-rpm-finding">11.2.1. Finding RPM Packages</h3></div></div></div><div class="para">
				Before using any RPM packages, you must know where to find them. An Internet search returns many RPM repositories, but if you are looking for RPM packages built by Red Hat, they can be found at the following locations:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						The Red Hat Enterprise Linux CD-ROMs
					</div></li><li class="listitem"><div class="para">
						The Red Hat Errata Page available at <a href="http://rhn.redhat.com/errata/">http://www.redhat.com/apps/support/errata/</a>
					</div></li><li class="listitem"><div class="para">
						Red Hat Network — Refer to <a class="xref" href="#entitlements">Chapter 14, <em>Product Subscriptions and Entitlements</em></a> for more details on Red Hat Network.
					</div></li></ul></div></div><div class="section" id="s2-rpm-installing"><div class="titlepage"><div><div><h3 class="title" id="s2-rpm-installing">11.2.2. Installing</h3></div></div></div><a id="id847787" class="indexterm"></a><a id="id847801" class="indexterm"></a><div class="para">
				RPM packages typically have file names like <code class="filename">foo-1.0-1.i386.rpm</code>. The file name includes the package name (<code class="filename">foo</code>), version (<code class="filename">1.0</code>), release (<code class="filename">1</code>), and architecture (<code class="filename">i386</code>). To install a package, log in as root and type the following command at a shell prompt:
			</div><pre class="screen"><code class="command">rpm -ivh foo-1.0-1.i386.rpm</code></pre><div class="para">
				Alternatively, the following command can also be used:
			</div><pre class="screen"><code class="command">rpm -Uvh foo-1.0-1.i386.rpm</code></pre><div class="para">
				If the installation is successful, the following output is displayed:
			</div><pre class="screen">Preparing...                ########################################### [100%]
   1:foo                    ########################################### [100%]</pre><div class="para">
				As you can see, RPM prints out the name of the package and then prints a succession of hash marks as a progress meter while the package is installed.
			</div><div class="para">
				The signature of a package is checked automatically when installing or upgrading a package. The signature confirms that the package was signed by an authorized party. For example, if the verification of the signature fails, an error message such as the following is displayed:
			</div><pre class="screen">error: V3 DSA signature: BAD, key ID 0352860f</pre><div class="para">
				If it is a new, header-only, signature, an error message such as the following is displayed:
			</div><pre class="screen">error: Header V3 DSA signature: BAD, key ID 0352860f</pre><div class="para">
				If you do not have the appropriate key installed to verify the signature, the message contains the word <code class="computeroutput">NOKEY</code> such as:
			</div><pre class="screen">warning: V3 DSA signature: NOKEY, key ID 0352860f</pre><div class="para">
				Refer to <a class="xref" href="#s1-check-rpm-sig">Section 11.3, “Checking a Package's Signature”</a> for more information on checking a package's signature.
			</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
					If you are installing a kernel package, you should use <code class="command">rpm -ivh</code> instead. Refer to <a class="xref" href="#ch-kernel">Chapter 42, <em>Manually Upgrading the Kernel</em></a> for details.
				</div></div></div><div class="section" id="s3-rpm-errors"><div class="titlepage"><div><div><h4 class="title" id="s3-rpm-errors">11.2.2.1. Package Already Installed</h4></div></div></div><div class="para">
					If a package of the same name and version is already installed, the following output is displayed:
				</div><pre class="screen">Preparing...                ########################################### [100%]
package foo-1.0-1 is already installed</pre><div class="para">
					However, if you want to install the package anyway, you can use the <code class="command">--replacepkgs</code> option, which tells RPM to ignore the error:
				</div><pre class="screen"><code class="command">rpm -ivh --replacepkgs foo-1.0-1.i386.rpm</code></pre><div class="para">
					This option is helpful if files installed from the RPM were deleted or if you want the original configuration files from the RPM to be installed.
				</div></div><div class="section" id="s3-rpm-conflicting-files"><div class="titlepage"><div><div><h4 class="title" id="s3-rpm-conflicting-files">11.2.2.2. Conflicting Files</h4></div></div></div><a id="id780334" class="indexterm"></a><div class="para">
					If you attempt to install a package that contains a file which has already been installed by another package, the following is displayed:
				</div><pre class="screen">Preparing...                ########################################### [100%]
file /usr/bin/foo from install of foo-1.0-1 conflicts with file from package bar-2.0.20</pre><div class="para">
					To make RPM ignore this error, use the <code class="command">--replacefiles</code> option:
				</div><pre class="screen"><code class="command">rpm -ivh --replacefiles foo-1.0-1.i386.rpm</code></pre></div><div class="section" id="s3-rpm-unresolved-dependency"><div class="titlepage"><div><div><h4 class="title" id="s3-rpm-unresolved-dependency">11.2.2.3. Unresolved Dependency</h4></div></div></div><a id="id780384" class="indexterm"></a><a id="id828340" class="indexterm"></a><div class="para">
					RPM packages may sometimes depend on other packages, which means that they require other packages to be installed to run properly. If you try to install a package which has an unresolved dependency, output similar to the following is displayed:
				</div><pre class="screen">error: Failed dependencies:
        bar.so.2 is needed by foo-1.0-1
Suggested resolutions:
	bar-2.0.20-3.i386.rpm</pre><div class="para">
					If you are installing a package from the Red Hat Enterprise Linux CD-ROM set, it usually suggest the package(s) needed to resolve the dependency. Find the suggested package(s) on the Red Hat Enterprise Linux CD-ROMs or from Red Hat Network , and add it to the command:
				</div><pre class="screen"><code class="command">rpm -ivh foo-1.0-1.i386.rpm bar-2.0.20-3.i386.rpm</code></pre><div class="para">
					If installation of both packages is successful, output similar to the following is displayed:
				</div><pre class="screen">Preparing...                ########################################### [100%]
   1:foo                    ########################################### [ 50%]
   2:bar                    ########################################### [100%]</pre><div class="para">
					If it does not suggest a package to resolve the dependency, you can try the <code class="option">-q --whatprovides</code> option combination to determine which package contains the required file.
				</div><pre class="screen"><code class="command">rpm -q --whatprovides bar.so.2</code></pre><div class="para">
					To force the installation anyway (which is not recommended since the package may not run correctly), use the <code class="option">--nodeps</code> option.
				</div></div></div><div class="section" id="s2-rpm-uninstalling"><div class="titlepage"><div><div><h3 class="title" id="s2-rpm-uninstalling">11.2.3. Uninstalling</h3></div></div></div><a id="id828419" class="indexterm"></a><a id="id828432" class="indexterm"></a><div class="para">
				Uninstalling a package is just as simple as installing one. Type the following command at a shell prompt:
			</div><pre class="screen"><code class="command">rpm -e foo</code></pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					Notice that we used the package <span class="emphasis"><em>name</em></span> <code class="filename">foo</code>, not the name of the original package <span class="emphasis"><em>file</em></span> <code class="filename">foo-1.0-1.i386.rpm</code>. To uninstall a package, replace <code class="filename">foo</code> with the actual package name of the original package.
				</div></div></div><div class="para">
				You can encounter a dependency error when uninstalling a package if another installed package depends on the one you are trying to remove. For example:
			</div><pre class="screen">error: Failed dependencies:
	foo is needed by (installed) bar-2.0.20-3.i386.rpm</pre><div class="para">
				To make RPM ignore this error and uninstall the package anyway (which may break the package dependent on it) use the <code class="option">--nodeps</code> option.
			</div></div><div class="section" id="s2-rpm-upgrading"><div class="titlepage"><div><div><h3 class="title" id="s2-rpm-upgrading">11.2.4. Upgrading</h3></div></div></div><a id="id1070347" class="indexterm"></a><a id="id1070360" class="indexterm"></a><div class="para">
				Upgrading a package is similar to installing one. Type the following command at a shell prompt:
			</div><pre class="screen"><code class="command">rpm -Uvh foo-2.0-1.i386.rpm</code></pre><div class="para">
				As part of upgrading a package, RPM automatically uninstalls any old versions of the <code class="filename">foo</code> package. Note that <code class="option">-U</code> will also install a package even when there are no previous versions of the package installed.
			</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
					It is not advisable to use the <code class="option">-U</code> option for installing kernel packages, because RPM replaces the previous kernel package. This does not affect a running system, but if the new kernel is unable to boot during your next restart, there would be no other kernel to boot instead.
				</div><div class="para">
					Using the <code class="option">-i</code> option adds the kernel to your GRUB boot menu (<code class="filename">/etc/grub.conf</code>). Similarly, removing an old, unneeded kernel removes the kernel from GRUB.
				</div></div></div><div class="para">
				Because RPM performs intelligent upgrading of packages with configuration files, you may see a message like the following:
			</div><a id="id1070429" class="indexterm"></a><a id="id1070443" class="indexterm"></a><pre class="screen">saving /etc/foo.conf as /etc/foo.conf.rpmsave</pre><div class="para">
				This message means that changes you made to the configuration file may not be <span class="emphasis"><em>forward compatible</em></span> with the new configuration file in the package, so RPM saved your original file and installed a new one. You should investigate the differences between the two configuration files and resolve them as soon as possible, to ensure that your system continues to function properly.
			</div><div class="para">
				If you attempt to upgrade to a package with an <span class="emphasis"><em>older</em></span> version number (that is, if a more updated version of the package is already installed), the output is similar to the following:
			</div><pre class="screen">package foo-2.0-1 (which is newer than foo-1.0-1) is already installed</pre><div class="para">
				To force RPM to upgrade anyway, use the <code class="command">--oldpackage</code> option:
			</div><pre class="screen"><code class="command">rpm -Uvh --oldpackage foo-1.0-1.i386.rpm</code></pre></div><div class="section" id="s2-rpm-freshening"><div class="titlepage"><div><div><h3 class="title" id="s2-rpm-freshening">11.2.5. Freshening</h3></div></div></div><a id="id1070511" class="indexterm"></a><a id="id1070524" class="indexterm"></a><a id="id1070538" class="indexterm"></a><div class="para">
				Freshening is similar to upgrading, except that only existent packages are upgraded. Type the following command at a shell prompt:
			</div><pre class="screen"><code class="command">rpm -Fvh foo-1.2-1.i386.rpm</code></pre><div class="para">
				RPM's freshen option checks the versions of the packages specified on the command line against the versions of packages that have already been installed on your system. When a newer version of an already-installed package is processed by RPM's freshen option, it is upgraded to the newer version. However, RPM's freshen option does not install a package if no previously-installed package of the same name exists. This differs from RPM's upgrade option, as an upgrade <span class="emphasis"><em>does</em></span> install packages whether or not an older version of the package was already installed.
			</div><div class="para">
				Freshening works for single packages or package groups. If you have just downloaded a large number of different packages, and you only want to upgrade those packages that are already installed on your system, freshening does the job. Thus, you do not have to delete any unwanted packages from the group that you downloaded before using RPM.
			</div><div class="para">
				In this case, issue the following command:
			</div><pre class="screen"><code class="command">rpm -Fvh *.rpm</code></pre><div class="para">
				RPM automatically upgrades only those packages that are already installed.
			</div></div><div class="section" id="s2-rpm-querying"><div class="titlepage"><div><div><h3 class="title" id="s2-rpm-querying">11.2.6. Querying</h3></div></div></div><a id="id1070603" class="indexterm"></a><a id="id1070616" class="indexterm"></a><div class="para">
				The RPM database stores information about all RPM packages installed in your system. It is stored in the directory <code class="filename">/var/lib/rpm/</code>, and is used to query what packages are installed, what versions each package is, and any changes to any files in the package since installation, among others.
			</div><div class="para">
				To query this database, use the <code class="command">-q</code> option. The <code class="command">rpm -q <em class="replaceable"><code>package name</code></em> </code> command displays the package name, version, and release number of the installed package <code class="command"><em class="replaceable"><code>package name</code></em> </code>. For example, using <code class="command">rpm -q foo</code> to query installed package <code class="filename">foo</code> might generate the following output:
			</div><pre class="screen">foo-2.0-1</pre><div class="para">
				You can also use the following <span class="emphasis"><em>Package Selection Options</em></span> with <code class="command">-q</code> to further refine or qualify your query:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">-a</code> — queries all currently installed packages.
					</div></li><li class="listitem"><div class="para">
						<code class="command">-f <code class="filename"><em class="replaceable"><code>&lt;filename&gt;</code></em> </code> </code> — queries the RPM database for which package owns <code class="filename">f<em class="replaceable"><code>&lt;filename&gt;</code></em> </code>. When specifying a file, specify the absolute path of the file (for example, <code class="command">rpm -qf <code class="filename">/bin/ls</code> </code>).
					</div></li><li class="listitem"><div class="para">
						<code class="command">-p <code class="filename"><em class="replaceable"><code>&lt;packagefile&gt;</code></em> </code> </code> — queries the uninstalled package <code class="filename"><em class="replaceable"><code>&lt;packagefile&gt;</code></em> </code>.
					</div></li></ul></div><div class="para">
				There are a number of ways to specify what information to display about queried packages. The following options are used to select the type of information for which you are searching. These are called <span class="emphasis"><em>Package Query Options</em></span>.
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">-i</code> displays package information including name, description, release, size, build date, install date, vendor, and other miscellaneous information.
					</div></li><li class="listitem"><div class="para">
						<code class="command">-l</code> displays the list of files that the package contains.
					</div></li><li class="listitem"><div class="para">
						<code class="command">-s</code> displays the state of all the files in the package.
					</div></li><li class="listitem"><div class="para">
						<code class="command">-d</code> displays a list of files marked as documentation (man pages, info pages, READMEs, etc.).
					</div></li><li class="listitem"><div class="para">
						<code class="command">-c</code> displays a list of files marked as configuration files. These are the files you edit after installation to adapt and customize the package to your system (for example, <code class="filename">sendmail.cf</code>, <code class="filename">passwd</code>, <code class="filename">inittab</code>, etc.).
					</div></li></ul></div><div class="para">
				For options that display lists of files, add <code class="command">-v</code> to the command to display the lists in a familiar <code class="command">ls -l</code> format.
			</div></div><div class="section" id="s2-rpm-verifying"><div class="titlepage"><div><div><h3 class="title" id="s2-rpm-verifying">11.2.7. Verifying</h3></div></div></div><a id="id850923" class="indexterm"></a><a id="id850936" class="indexterm"></a><div class="para">
				Verifying a package compares information about files installed from a package with the same information from the original package. Among other things, verifying compares the size, MD5 sum, permissions, type, owner, and group of each file.
			</div><div class="para">
				The command <code class="command">rpm -V</code> verifies a package. You can use any of the <span class="emphasis"><em>Verify Options</em></span> listed for querying to specify the packages you wish to verify. A simple use of verifying is <code class="command">rpm -V foo</code>, which verifies that all the files in the <code class="command">foo</code> package are as they were when they were originally installed. For example:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						To verify a package containing a particular file:
					</div><pre class="screen"><code class="command">rpm -Vf /usr/bin/foo</code></pre><div class="para">
						In this example, <code class="filename">/usr/bin/foo</code> is the absolute path to the file used to query a package.
					</div></li><li class="listitem"><div class="para">
						To verify ALL installed packages throughout the system:
					</div><pre class="screen"><code class="command">rpm -Va</code></pre></li><li class="listitem"><div class="para">
						To verify an installed package against an RPM package file:
					</div><pre class="screen"><code class="command">rpm -Vp foo-1.0-1.i386.rpm</code></pre><div class="para">
						This command can be useful if you suspect that your RPM databases are corrupt.
					</div></li></ul></div><div class="para">
				If everything verified properly, there is no output. If there are any discrepancies, they are displayed. The format of the output is a string of eight characters (a <code class="computeroutput">c</code> denotes a configuration file) and then the file name. Each of the eight characters denotes the result of a comparison of one attribute of the file to the value of that attribute recorded in the RPM database. A single period (<code class="computeroutput">.</code>) means the test passed. The following characters denote specific discrepancies:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="computeroutput">5</code> — MD5 checksum
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">S</code> — file size
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">L</code> — symbolic link
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">T</code> — file modification time
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">D</code> — device
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">U</code> — user
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">G</code> — group
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">M</code> — mode (includes permissions and file type)
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">?</code> — unreadable file
					</div></li></ul></div><div class="para">
				If you see any output, use your best judgment to determine if you should remove the package, reinstall it, or fix the problem in another way.
			</div></div></div><div class="section" id="s1-check-rpm-sig"><div class="titlepage"><div><div><h2 class="title" id="s1-check-rpm-sig">11.3. Checking a Package's Signature</h2></div></div></div><a id="id851174" class="indexterm"></a><div class="para">
			If you wish to verify that a package has not been corrupted or tampered with, examine only the md5sum by typing the following command at a shell prompt (where <em class="replaceable"><code>&lt;rpm-file&gt;</code></em> is the file name of the RPM package):
		</div><pre class="screen"><code class="command">rpm -K --nosignature <em class="replaceable"><code>&lt;rpm-file&gt;</code></em></code></pre><div class="para">
			The message <code class="computeroutput"><em class="replaceable"><code>&lt;rpm-file&gt;</code></em>: md5 OK</code> is displayed. This brief message means that the file was not corrupted by the download. To see a more verbose message, replace <code class="option">-K</code> with <code class="option">-Kvv</code> in the command.
		</div><div class="para">
			On the other hand, how trustworthy is the developer who created the package? If the package is <em class="firstterm">signed</em> with the developer's GnuPG <em class="firstterm">key</em>, you know that the developer really is who they say they are.
		</div><a id="id851236" class="indexterm"></a><a id="id851250" class="indexterm"></a><a id="id851263" class="indexterm"></a><div class="para">
			An RPM package can be signed using <em class="firstterm">Gnu Privacy Guard</em> (or GnuPG), to help you make certain your downloaded package is trustworthy.
		</div><div class="para">
			GnuPG is a tool for secure communication; it is a complete and free replacement for the encryption technology of PGP, an electronic privacy program. With GnuPG, you can authenticate the validity of documents and encrypt/decrypt data to and from other recipients. GnuPG is capable of decrypting and verifying PGP 5.<em class="replaceable"><code>x</code></em> files as well.
		</div><div class="para">
			During installation, GnuPG is installed by default. That way you can immediately start using GnuPG to verify any packages that you receive from Red Hat. Before doing so, you must first import Red Hat's public key.
		</div><div class="section" id="s2-keys-importing"><div class="titlepage"><div><div><h3 class="title" id="s2-keys-importing">11.3.1. Importing Keys</h3></div></div></div><div class="para">
				To verify Red Hat packages, you must import the Red Hat GPG key. To do so, execute the following command at a shell prompt:
			</div><pre class="screen"><code class="command">rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release</code></pre><div class="para">
				To display a list of all keys installed for RPM verification, execute the command:
			</div><pre class="screen"><code class="command">rpm -qa gpg-pubkey*</code></pre><div class="para">
				For the Red Hat key, the output includes:
			</div><pre class="screen">gpg-pubkey-37017186-45761324</pre><div class="para">
				To display details about a specific key, use <code class="command">rpm -qi</code> followed by the output from the previous command:
			</div><pre class="screen"><code class="command">rpm -qi gpg-pubkey-37017186-45761324</code></pre></div><div class="section" id="s2-keys-checking"><div class="titlepage"><div><div><h3 class="title" id="s2-keys-checking">11.3.2. Verifying Signature of Packages</h3></div></div></div><div class="para">
				To check the GnuPG signature of an RPM file after importing the builder's GnuPG key, use the following command (replace <em class="replaceable"><code>&lt;rpm-file&gt;</code></em> with the filename of the RPM package):
			</div><pre class="screen"><code class="command">rpm -K <em class="replaceable"><code>&lt;rpm-file&gt;</code></em></code></pre><div class="para">
				If all goes well, the following message is displayed: <code class="computeroutput">md5 gpg OK</code>. This means that the signature of the package has been verified, and that it is not corrupt.
			</div></div></div><div class="section" id="s1-rpm-impressing"><div class="titlepage"><div><div><h2 class="title" id="s1-rpm-impressing">11.4. Practical and Common Examples of RPM Usage</h2></div></div></div><a id="id851395" class="indexterm"></a><a id="id851408" class="indexterm"></a><div class="para">
			RPM is a useful tool for both managing your system and diagnosing and fixing problems. The best way to make sense of all of its options is to look at some examples.
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					Perhaps you have deleted some files by accident, but you are not sure what you deleted. To verify your entire system and see what might be missing, you could try the following command:
				</div><a id="id851438" class="indexterm"></a><a id="id851451" class="indexterm"></a><pre class="screen"><code class="command">rpm -Va</code></pre><div class="para">
					If some files are missing or appear to have been corrupted, you should probably either re-install the package or uninstall and then re-install the package.
				</div></li><li class="listitem"><div class="para">
					At some point, you might see a file that you do not recognize. To find out which package owns it, enter:
				</div><a id="id851484" class="indexterm"></a><a id="id851497" class="indexterm"></a><pre class="screen"><code class="command">rpm -qf /usr/bin/ggv</code></pre><div class="para">
					The output would look like the following:
				</div><pre class="screen">ggv-2.6.0-2</pre></li><li class="listitem"><div class="para">
					We can combine the above two examples in the following scenario. Say you are having problems with <code class="filename">/usr/bin/paste</code>. You would like to verify the package that owns that program, but you do not know which package owns <code class="command">paste</code>. Enter the following command,
				</div><pre class="screen"><code class="command">rpm -Vf /usr/bin/paste</code></pre><div class="para">
					and the appropriate package is verified.
				</div></li><li class="listitem"><div class="para">
					Do you want to find out more information about a particular program? You can try the following command to locate the documentation which came with the package that owns that program:
				</div><a id="id851559" class="indexterm"></a><a id="id851572" class="indexterm"></a><a id="id851586" class="indexterm"></a><pre class="screen"><code class="command">rpm -qdf /usr/bin/free</code></pre><div class="para">
					The output would be similar to the following:
				</div><pre class="screen">/usr/share/doc/procps-3.2.3/BUGS
/usr/share/doc/procps-3.2.3/FAQ
/usr/share/doc/procps-3.2.3/NEWS
/usr/share/doc/procps-3.2.3/TODO
/usr/share/man/man1/free.1.gz
/usr/share/man/man1/pgrep.1.gz
/usr/share/man/man1/pkill.1.gz
/usr/share/man/man1/pmap.1.gz
/usr/share/man/man1/ps.1.gz
/usr/share/man/man1/skill.1.gz
/usr/share/man/man1/slabtop.1.gz
/usr/share/man/man1/snice.1.gz
/usr/share/man/man1/tload.1.gz
/usr/share/man/man1/top.1.gz
/usr/share/man/man1/uptime.1.gz
/usr/share/man/man1/w.1.gz
/usr/share/man/man1/watch.1.gz
/usr/share/man/man5/sysctl.conf.5.gz
/usr/share/man/man8/sysctl.8.gz
/usr/share/man/man8/vmstat.8.gz</pre></li><li class="listitem"><div class="para">
					You may find a new RPM, but you do not know what it does. To find information about it, use the following command:
				</div><a id="id851627" class="indexterm"></a><a id="id851640" class="indexterm"></a><pre class="screen"><code class="command">rpm -qip crontabs-1.10-7.noarch.rpm</code></pre><div class="para">
					The output would be similar to the following:
				</div><pre class="screen">Name        : crontabs                     Relocations: (not relocatable)
Version     : 1.10                              Vendor: Red Hat, Inc.
Release     : 7                             Build Date: Mon 20 Sep 2004 05:58:10 PM EDT
Install Date: (not installed)               Build Host: tweety.build.redhat.com
Group       : System Environment/Base       Source RPM: crontabs-1.10-7.src.rpm
Size        : 1004                             License: Public Domain
Signature   : DSA/SHA1, Wed 05 Jan 2005 06:05:25 PM EST, Key ID 219180cddb42a60e
Packager    : Red Hat, Inc. &lt;http://bugzilla.redhat.com/bugzilla&gt;
Summary     : Root crontab files used to schedule the execution of programs.
Description : The crontabs package contains root crontab files. Crontab is the
program used to install, uninstall, or list the tables used to drive the
cron daemon. The cron daemon checks the crontab files to see when
particular commands are scheduled to be executed. If commands are
scheduled, then it executes them.</pre></li><li class="listitem"><div class="para">
					Perhaps you now want to see what files the <code class="filename">crontabs</code> RPM installs. You would enter the following:
				</div><a id="id851687" class="indexterm"></a><a id="id851702" class="indexterm"></a><pre class="screen"><code class="command">rpm -qlp crontabs-1.10-5.noarch.rpm</code></pre><div class="para">
					The output is similar to the following:
				</div><pre class="screen">/etc/cron.daily
/etc/cron.hourly
/etc/cron.monthly
/etc/cron.weekly
/etc/crontab
/usr/bin/run-parts</pre></li></ul></div><div class="para">
			These are just a few examples. As you use RPM, you may find more uses for it.
		</div></div><div class="section" id="s1-rpm-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-rpm-additional-resources">11.5. Additional Resources</h2></div></div></div><a id="id851746" class="indexterm"></a><div class="para">
			RPM is an extremely complex utility with many options and methods for querying, installing, upgrading, and removing packages. Refer to the following resources to learn more about RPM.
		</div><div class="section" id="s2-rpm-installed-docs"><div class="titlepage"><div><div><h3 class="title" id="s2-rpm-installed-docs">11.5.1. Installed Documentation</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">rpm --help</code> — This command displays a quick reference of RPM parameters.
					</div></li><li class="listitem"><div class="para">
						<code class="command">man rpm</code> — The RPM man page gives more detail about RPM parameters than the <code class="command">rpm --help</code> command.
					</div></li></ul></div></div><div class="section" id="s2-rpm-useful-websites"><div class="titlepage"><div><div><h3 class="title" id="s2-rpm-useful-websites">11.5.2. Useful Websites</h3></div></div></div><div class="itemizedlist"><a id="id851825" class="indexterm"></a><ul><li class="listitem"><div class="para">
						<a href="http://www.rpm.org/">http://www.rpm.org/</a> — The RPM website.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.redhat.com/mailman/listinfo/rpm-list/">https://lists.rpm.org/mailman/listinfo/rpm-list</a> — Visit this link to subscribe to the RPM mailing list, which is archived there.
					</div></li></ul></div></div><div class="section" id="s2-rpm-related-books"><div class="titlepage"><div><div><h3 class="title" id="s2-rpm-related-books">11.5.3. Related Books</h3></div></div></div><div class="itemizedlist"><a id="id851883" class="indexterm"></a><a id="id851898" class="indexterm"></a><ul><li class="listitem"><div class="para">
						The <em class="citetitle">Red Hat RPM Guide</em> by Eric Foster-Johnson is an excellent resource on all details of the RPM package format and the RPM package management utility. It is available online at <a href="http://docs.fedoraproject.org/drafts/rpm-guide-en/">http://docs.fedoraproject.org/drafts/rpm-guide-en/</a>.
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-graphical-rpm" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 12. <span class="application"><strong>Package Management Tool</strong></span></h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-graphical-rpm-analyzing">12.1. Listing and Analyzing Packages</a></span></dt><dt><span class="section"><a href="#s1-graphical-rpm-installing">12.2. Installing and Removing Packages</a></span></dt></dl></div><a id="id873638" class="indexterm"></a><a id="id856001" class="indexterm"></a><a id="id841292" class="indexterm"></a><div class="para">
		If you prefer to use a graphical interface to view and manage packages in your system, you can use the <span class="application"><strong>Package Management Tool</strong></span>, better known as <span class="emphasis"><em>pirut</em></span>. This tool allows you to perform basic package management of your system through an easy-to-use interface to remove installed packages or download (and install) packages compatible to your system. It also allows you to view what packages are installed in your system and which ones are available for download from Red Hat Network. In addition, the <span class="application"><strong>Package Management Tool</strong></span> also automatically resolves any critical dependencies when you install or remove packages in the same way that the <code class="command">rpm</code> command does.
	</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
			While the <span class="application"><strong>Package Management Tool</strong></span> can automatically resolve dependencies during package installation and removal, it <span class="emphasis"><em>cannot</em></span> perform a forced install / remove the same way that <code class="command">rpm -e --nodeps</code> or <code class="command">rpm -U --nodeps</code> can.
		</div></div></div><div class="para">
		The X Window System is required to run the <span class="application"><strong>Package Management Tool</strong></span>. To start the application, go to <span class="guimenu"><strong>Applications</strong></span> (the main menu on the panel) &gt; <span class="guimenu"><strong>Add/Remove Software</strong></span>. Alternatively, you can type the commands <code class="command">system-config-packages</code> or <code class="command">pirut</code> at shell prompt.
	</div><div class="figure" id="fig-redhat-config-packages"><div class="figure-contents"><div class="mediaobject"><img src="images/redhat-config-packages.png" width="444" alt="Package Management Tool" /><div class="longdesc"><div class="para">
					Package Management Tool
				</div></div></div></div><h6>Figure 12.1. Package Management Tool</h6></div><br class="figure-break" /><div class="section" id="s1-graphical-rpm-analyzing"><div class="titlepage"><div><div><h2 class="title" id="s1-graphical-rpm-analyzing">12.1. Listing and Analyzing Packages</h2></div></div></div><a id="id852864" class="indexterm"></a><a id="id852885" class="indexterm"></a><a id="id788465" class="indexterm"></a><div class="para">
			You can use the <span class="application"><strong>Package Management Tool</strong></span> to search and list all packages installed in your system, as well as any packages available for you to download. The <span class="guibutton"><strong><span class="accel">B</span>rowse</strong></span>, <span class="guibutton"><strong><span class="accel">S</span>earch</strong></span>, and <span class="guibutton"><strong><span class="accel">L</span>ist</strong></span> tabs present different options in viewing, analyzing, installing or removing packages.
		</div><div class="para">
			The <span class="guibutton"><strong><span class="accel">B</span>rowse</strong></span> tab allows you to view packages by group. In <a class="xref" href="#fig-redhat-config-packages">Figure 12.1, “Package Management Tool”</a>, the left window shows the different package group types you can choose from (for example, Desktop Environments, Applications, Development and more). When a package group type is selected, the right window displays the different package groups of that type.
		</div><div class="para">
			To view what packages are included in a package group, click <span class="guibutton"><strong><span class="accel">O</span>ptional packages</strong></span>. Installed packages are checked.
		</div><div class="figure" id="fig-redhat-optional-packages"><div class="figure-contents"><div class="mediaobject"><img src="images/redhat-optional-packages.png" width="444" alt="Optional Packages" /><div class="longdesc"><div class="para">
						Optional Packages
					</div></div></div></div><h6>Figure 12.2. Optional Packages</h6></div><br class="figure-break" /><div class="para">
			The <span class="guibutton"><strong><span class="accel">L</span>ist</strong></span> tab displays a list of packages installed or available for download. Packages already installed in your system are marked with a green check ( 
			<span class="inlinemediaobject"><img src="images/icon-greencheck-pkgs.png" /></span>
			 ).
		</div><div class="para">
			By default, the <span class="guibutton"><strong><span class="accel">A</span>ll packages</strong></span> option above the main window is selected; this specifies that all packages be displayed. Use the <span class="guibutton"><strong><span class="accel">I</span>nstalled packages</strong></span> option to display only packages that are already installed in your system, and the <span class="guibutton"><strong>A<span class="accel">v</span>ailable packages</strong></span> option to view what packages you can download and install.
		</div><div class="para">
			The <span class="guibutton"><strong><span class="accel">S</span>earch</strong></span> tab allows you to use keywords to search for particular packages. This tab also allows you to view a short description of a package. To do so, simply select a package and click the <span class="guibutton"><strong>Package <span class="accel">D</span>etails</strong></span> button below the main window.
		</div></div><div class="section" id="s1-graphical-rpm-installing"><div class="titlepage"><div><div><h2 class="title" id="s1-graphical-rpm-installing">12.2. Installing and Removing Packages</h2></div></div></div><a id="id1073527" class="indexterm"></a><a id="id1070159" class="indexterm"></a><a id="id1070180" class="indexterm"></a><a id="id1070202" class="indexterm"></a><a id="id1070223" class="indexterm"></a><a id="id1070240" class="indexterm"></a><div class="para">
			To install a package available for download, click the checkbox beside the package name. When you do so, an installation icon ( 
			<span class="inlinemediaobject"><img src="images/icon-install-prep.png" /></span>
			 ) appears beside its checkbox. This indicates that the package is queued for download and installation. You can select multiple packages to download and install; once you have made your selection, click the <span class="guibutton"><strong><span class="accel">A</span>pply</strong></span> button.
		</div><div class="figure" id="fig-install-packages"><div class="figure-contents"><div class="mediaobject"><img src="images/individual-pkgs.png" width="444" alt="Package installation" /><div class="longdesc"><div class="para">
						Package installation
					</div></div></div></div><h6>Figure 12.3. Package installation</h6></div><br class="figure-break" /><div class="para">
			If there are any package dependencies for your selected downloads, the <span class="application"><strong>Package Management Tool</strong></span> will notify you accordingly. Click <span class="guibutton"><strong><span class="accel">D</span>etails</strong></span> to view what additional packages are needed. To proceed with downloading and installing the package (along with all other dependent packages) click <span class="guibutton"><strong><span class="accel">C</span>ontinue</strong></span>.
		</div><div class="figure" id="fig-install-depend-packages"><div class="figure-contents"><div class="mediaobject"><img src="images/install-depend-prep.png" alt="Package dependencies: installation" /><div class="longdesc"><div class="para">
						Package dependencies: installation
					</div></div></div></div><h6>Figure 12.4. Package dependencies: installation</h6></div><br class="figure-break" /><div class="para">
			Removing a package can be done in a similar manner. To remove a package installed in your system, click the checkbox beside the package name. The green check appearing beside the package name will be replaced by a package removal icon ( 
			<span class="inlinemediaobject"><img src="images/icon-removal-prep.png" /></span>
			 ). This indicates that the package is queued for removal; you can also select multiple packages to be removed at the same time. Once you have selected the packages you want to remove, click the <span class="guimenu"><strong><span class="accel">A</span>pply</strong></span> button.
		</div><div class="figure" id="fig-remove-packages"><div class="figure-contents"><div class="mediaobject"><img src="images/removal-prep.png" width="444" alt="Package removal" /><div class="longdesc"><div class="para">
						Package removal
					</div></div></div></div><h6>Figure 12.5. Package removal</h6></div><br class="figure-break" /><div class="para">
			Note that if any other installed packages are dependent on the package you are removing, they will be removed as well. The <span class="application"><strong>Package Management Tool</strong></span> will notify you if there are any such dependencies. Click <span class="guibutton"><strong><span class="accel">D</span>etails</strong></span> to view what packages are dependent on the one you are removing. To proceed with removing your selected package/s (along with all other dependent packages) click <span class="guibutton"><strong><span class="accel">C</span>ontinue</strong></span>.
		</div><div class="figure" id="fig-remove-depend-packages"><div class="figure-contents"><div class="mediaobject"><img src="images/remove-depend-prep.png" alt="Package dependencies: removal" /><div class="longdesc"><div class="para">
						Package dependencies: removal
					</div></div></div></div><h6>Figure 12.6. Package dependencies: removal</h6></div><br class="figure-break" /><div class="para">
			You can install and remove multiple packages by selecting packages to be installed / removed and then clicking <span class="guibutton"><strong><span class="accel">A</span>pply</strong></span>. The <span class="guilabel"><strong>Package selections</strong></span> window displays the number of packages to be installed and removed.
		</div><div class="figure" id="fig-remove-install-packages"><div class="figure-contents"><div class="mediaobject"><img src="images/package-selections.png" alt="Installing and removing packages simultaneously" /><div class="longdesc"><div class="para">
						Installing and removing packages simultaneously
					</div></div></div></div><h6>Figure 12.7. Installing and removing packages simultaneously</h6></div><br class="figure-break" /></div></div><div xml:lang="en-US" class="chapter" id="c1-yum" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 13. YUM (Yellowdog Updater Modified)</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-yum-repo-setup">13.1. Setting Up a <span class="application"><strong>Yum</strong></span> Repository</a></span></dt><dt><span class="section"><a href="#s1-yum-useful-commands">13.2.  <code class="command">yum</code> Commands</a></span></dt><dt><span class="section"><a href="#s1-yum-common-options">13.3.  <code class="command">yum</code> Options</a></span></dt><dt><span class="section"><a href="#s1-yum-yumconf">13.4. Configuring <code class="command">yum</code> </a></span></dt><dd><dl><dt><span class="section"><a href="#s1-yum-yumconf-main">13.4.1.  <code class="command">[main]</code> Options</a></span></dt><dt><span class="section"><a href="#s1-yum-yumconf-repository">13.4.2.  <code class="command">[<em class="replaceable"><code>repository</code></em>]</code> Options</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-yum-useful-variables">13.5. Useful <code class="command">yum</code> Variables</a></span></dt></dl></div><div class="para">
		<em class="firstterm">Yellowdog Update, Modified</em> (YUM) is a package manager that was developed by Duke University to improve the installation of RPMs. <code class="command">yum</code> searches numerous repositories for packages and their dependencies so they may be installed together in an effort to alleviate dependency issues. Red Hat Enterprise Linux 5.8 uses <code class="command">yum</code> to fetch packages and install RPMs.
	</div><div class="para">
		<code class="command">up2date</code> is now deprecated in favor of <code class="command">yum</code> (Yellowdog Updater Modified). The entire stack of tools which installs and updates software in Red Hat Enterprise Linux 5.8 is now based on <code class="command">yum</code>. This includes everything, from the initial installation via <span class="application"><strong>Anaconda</strong></span> to host software management tools like <code class="command">pirut</code>.
	</div><div class="para">
		<code class="command">yum</code> also allows system administrators to configure a local (i.e. available over a local network) repository to supplement packages provided by Red Hat. This is useful for user groups that use applications and packages that are not officially supported by Red Hat.
	</div><div class="para">
		Aside from being able to supplement available packages for local users, using a local <code class="command">yum</code> repository also saves bandwidth for the entire network. Further, clients that use local <code class="command">yum</code> repositories do not need to be registered individually to install or update the latest packages from Red Hat Network.
	</div><div class="section" id="s1-yum-repo-setup"><div class="titlepage"><div><div><h2 class="title" id="s1-yum-repo-setup">13.1. Setting Up a <span class="application"><strong>Yum</strong></span> Repository</h2></div></div></div><div class="para">
			To set up a repository for Red Hat Enterprise Linux packages, follow these steps:
		</div><div class="procedure"><ol class="1"><li class="step"><div class="para">
					Install the <code class="filename">createrepo</code> package:
				</div><pre class="screen">~]# <code class="command">yum install createrepo</code></pre></li><li class="step"><div class="para">
					Copy all the packages you want to provide in the repository into one directory (<code class="filename">/mnt/local_repo</code> for example).
				</div></li><li class="step"><div class="para">
					Run <code class="command">createrepo</code> on that directory (for example, <code class="command">createrepo /mnt/local_repo</code>). This will create the necessary metadata for your <span class="application"><strong>Yum</strong></span> repository.
				</div></li></ol></div></div><div class="section" id="s1-yum-useful-commands"><div class="titlepage"><div><div><h2 class="title" id="s1-yum-useful-commands">13.2.  <code class="command">yum</code> Commands</h2></div></div></div><div class="para">
			<code class="command">yum</code> commands are typically run as <code class="command">yum <em class="replaceable"><code> &lt;command&gt; &lt;package name/s&gt;</code></em> </code>. By default, <code class="command">yum</code> will automatically attempt to check all configured repositories to resolve all package dependencies during an installation/upgrade.
		</div><div class="para">
			The following is a list of the most commonly-used <code class="command">yum</code> commands. For a complete list of available <code class="command">yum</code> commands, refer to <code class="command">man yum</code>.
		</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="command">yum install <em class="replaceable"><code>&lt;package name/s&gt;</code></em> </code> </span></dt><dd><div class="para">
						Used to install the latest version of a package or group of packages. If no package matches the specified package name(s), they are assumed to be a shell glob, and any matches are then installed.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="command">yum update <em class="replaceable"><code>&lt;package name/s&gt;</code></em> </code> </span></dt><dd><div class="para">
						Used to update the specified packages to the latest available version. If no package name/s are specified, then <code class="command">yum</code> will attempt to update all installed packages.
					</div><div class="para">
						If the <code class="command">--obsoletes</code> option is used (i.e. <code class="command">yum --obsoletes <em class="replaceable"><code>&lt;package name/s&gt;</code></em> </code>, <code class="command">yum</code> will process obsolete packages. As such, packages that are obsoleted across updates will be removed and replaced accordingly.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="command">yum check-update</code> </span></dt><dd><div class="para">
						This command allows you to determine whether any updates are available for your installed packages. <code class="command">yum</code> returns a list of all package updates from all repositories if any are available.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="command">yum remove <em class="replaceable"><code>&lt;package name/s&gt;</code></em> </code> </span></dt><dd><div class="para">
						Used to remove specified packages, along with any other packages dependent on the packages being removed.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="command">yum provides <em class="replaceable"><code>&lt;file name&gt;</code></em> </code> </span></dt><dd><div class="para">
						Used to determine which packages provide a specific file or feature.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="command">yum search <em class="replaceable"><code>&lt;keyword&gt;</code></em> </code> </span></dt><dd><div class="para">
						This command is used to find any packages containing the specified keyword in the description, summary, packager and package name fields of RPMs in all repositories.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="command">yum localinstall <em class="replaceable"><code>&lt;absolute path to package name/s&gt;</code></em> </code> </span></dt><dd><div class="para">
						Used when using <code class="command">yum</code> to install a package located locally in the machine.
					</div></dd></dl></div></div><div class="section" id="s1-yum-common-options"><div class="titlepage"><div><div><h2 class="title" id="s1-yum-common-options">13.3.  <code class="command">yum</code> Options</h2></div></div></div><div class="para">
			<code class="command">yum</code> options are typically stated before specific <code class="command">yum</code> commands; i.e. <code class="command">yum <em class="replaceable"><code>&lt;options&gt; &lt;command&gt; &lt;package name/s&gt;</code></em> </code>. Most of these options can be set as default using the configuration file.
		</div><div class="para">
			The following is a list of the most commonly-used <code class="command">yum</code> options. For a complete list of available <code class="command">yum</code> options, refer to <code class="command">man yum</code>.
		</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="command">-y</code> </span></dt><dd><div class="para">
						Answer "yes" to every question in the transaction.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="command">-t</code> </span></dt><dd><div class="para">
						Sets <code class="command">yum</code> to be "tolerant" of errors with regard to packages specified in the transaction. For example, if you run <code class="command">yum update package1 package2</code> and <code class="filename">package2</code> is already installed, <code class="command">yum</code> will continue to install <code class="command">package1</code>.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="command">--exclude=<em class="replaceable"><code>&lt;package name&gt;</code></em> </code> </span></dt><dd><div class="para">
						Excludes a specific package by name or glob in a specific transaction.
					</div></dd></dl></div></div><div class="section" id="s1-yum-yumconf"><div class="titlepage"><div><div><h2 class="title" id="s1-yum-yumconf">13.4. Configuring <code class="command">yum</code> </h2></div></div></div><div class="para">
			By default, <code class="command">yum</code> is configured through <code class="filename">/etc/yum.conf</code>. The following is an example of a typical <code class="filename">/etc/yum.conf</code> file:
		</div><pre class="screen">[main]
cachedir=/var/cache/yum
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
distroverpkg=redhat-release
tolerant=1
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
metadata_expire=1800
[myrepo]
name=RHEL 5 $releasever - $basearch
baseurl=http://local/path/to/yum/repository/
enabled=1</pre><div class="para">
			A typical <code class="filename">/etc/yum.conf</code> file is made up of two types of sections: a <code class="command">[main]</code> section, and a repository section. There can only be one <code class="command">[main]</code> section, but you can specify multiple repositories in a single <code class="filename">/etc/yum.conf</code>.
		</div><div class="section" id="s1-yum-yumconf-main"><div class="titlepage"><div><div><h3 class="title" id="s1-yum-yumconf-main">13.4.1.  <code class="command">[main]</code> Options</h3></div></div></div><div class="para">
				The <code class="command">[main]</code> section is mandatory, and there must only be one. For a complete list of options you can use in the <code class="command">[main]</code> section, refer to <code class="command">man yum.conf</code>.
			</div><div class="para">
				The following is a list of the most commonly-used options in the <code class="command">[main]</code> section.
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="command">cachedir</code> </span></dt><dd><div class="para">
							This option specifies the directory where <code class="command">yum</code> should store its cache and database files. By default, the cache directory of <code class="command">yum</code> is <code class="filename">/var/cache/yum</code>.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">keepcache=<em class="replaceable"><code>&lt;1 or 0&gt;</code></em> </code> </span></dt><dd><div class="para">
							Setting <code class="command">keepcache=1</code> instructs <code class="command">yum</code> to keep the cache of headers and packages after a successful installation. <code class="command">keepcache=1</code> is the default.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">reposdir=<em class="replaceable"><code>&lt;absolute path to directory of .repo files&gt;</code></em> </code> </span></dt><dd><div class="para">
							This option allows you to specify a directory where <code class="filename">.repo</code> files are located. <code class="filename">.repo</code> files contain repository information (similar to the <code class="command">[<em class="replaceable"><code>repository</code></em>]</code> section of <code class="filename">/etc/yum.conf</code>).
						</div><div class="para">
							<code class="command">yum</code> collects all repository information from <code class="filename">.repo</code> files and the <code class="command">[<em class="replaceable"><code>repository</code></em>]</code> section of the <code class="filename">/etc/yum.conf</code> file to create a master list of repositories to use for each transaction. Refer to <a class="xref" href="#s1-yum-yumconf-repository">Section 13.4.2, “ <code class="command">[<em class="replaceable"><code>repository</code></em>]</code> Options”</a> for more information about options you can use for both the <code class="command">[<em class="replaceable"><code>repository</code></em>]</code> section and <code class="filename">.repo</code> files.
						</div><div class="para">
							If <code class="command">reposdir</code> is not set, <code class="command">yum</code> uses the default directory <code class="filename">/etc/yum.repos.d</code>.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">gpgcheck=<em class="replaceable"><code>&lt;1 or 0&gt;</code></em> </code> </span></dt><dd><div class="para">
							This disables/enables GPG signature checking on packages on all repositories, including local package installation. The default is <code class="command">gpgcheck=0</code>, which disables GPG checking.
						</div><div class="para">
							If this option is set in the <code class="command">[main]</code> section of the <code class="filename">/etc/yum.conf</code> file, it sets the GPG checking rule for all repositories. However, you can also set this on individual repositories instead; i.e., you can enable GPG checking on one repository while disabling it on another.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">assumeyes=<em class="replaceable"><code>&lt;1 or 0&gt;</code></em> </code> </span></dt><dd><div class="para">
							This determines whether or not <code class="command">yum</code> should prompt for confirmation of critical actions. The default if <code class="command">assumeyes=0</code>, which means <code class="command">yum</code> will prompt you for confirmation.
						</div><div class="para">
							If <code class="command">assumeyes=1</code> is set, <code class="command">yum</code> behaves in the same way that the command line option <code class="command">-y</code> does.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">tolerant=<em class="replaceable"><code>&lt;1 or 0&gt;</code></em> </code> </span></dt><dd><div class="para">
							When enabled (<code class="command">tolerant=1</code>), <code class="command">yum</code> will be tolerant of errors on the command line with regard to packages. This is similar to the <code class="command">yum</code> command line option <code class="command">-t</code>.
						</div><div class="para">
							The default value for this is <code class="command">tolerant=0</code> (not tolerant).
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">exclude=<em class="replaceable"><code>&lt;package name/s&gt;</code></em> </code> </span></dt><dd><div class="para">
							This option allows you to exclude packages by keyword during installation/updates. If you are specifying multiple packages, this is a space-delimited list. Shell globs using wildcards (for example, * and ?) are allowed.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">retries=<em class="replaceable"><code>&lt;number of retries&gt;</code></em> </code> </span></dt><dd><div class="para">
							This sets the number of times <code class="command">yum</code> should attempt to retrieve a file before returning an error. Setting this to 0 makes <code class="command">yum</code> retry forever. The default value is 6.
						</div></dd></dl></div></div><div class="section" id="s1-yum-yumconf-repository"><div class="titlepage"><div><div><h3 class="title" id="s1-yum-yumconf-repository">13.4.2.  <code class="command">[<em class="replaceable"><code>repository</code></em>]</code> Options</h3></div></div></div><div class="para">
				The <code class="command">[<em class="replaceable"><code>repository</code></em>]</code> section of the <code class="filename">/etc/yum.conf</code> file contains information about a repository <code class="command">yum</code> can use to find packages during package installation, updating and dependency resolution. A repository entry takes the following form:
			</div><pre class="screen">[<em class="replaceable"><code>repository ID</code></em>]
name=<em class="replaceable"><code>repository name</code></em>
baseurl=<em class="replaceable"><code>url, file or ftp</code></em>://<em class="replaceable"><code>path to repository</code></em></pre><div class="para">
				You can also specify repository information in a separate <code class="filename">.repo</code> files (for example, <code class="filename">rhel5.repo</code>). The format of repository information placed in <code class="filename">.repo</code> files is identical with the <code class="command">[<em class="replaceable"><code>repository</code></em>]</code> of <code class="filename">/etc/yum.conf</code>.
			</div><div class="para">
				<code class="filename">.repo</code> files are typically placed in <code class="filename">/etc/yum.repos.d</code>, unless you specify a different repository path in the <code class="command">[main]</code> section of <code class="filename">/etc/yum.conf</code> with <code class="command">reposdir=</code>. <code class="filename">.repo</code> files and the <code class="filename">/etc/yum.conf</code> file can contain multiple repository entries.
			</div><div class="para">
				Each repository entry consists of the following mandatory parts:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">[<em class="replaceable"><code>repository ID</code></em>]</span></dt><dd><div class="para">
							The repository ID is a unique, one-word string that serves as a repository identifier.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">name=<em class="replaceable"><code>repository name</code></em> </code> </span></dt><dd><div class="para">
							This is a human-readable string describing the repository.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">baseurl=<em class="replaceable"><code>http, file or ftp</code></em>://<em class="replaceable"><code>path</code></em> </code> </span></dt><dd><div class="para">
							This is a URL to the directory where the <code class="filename">repodata</code>directory of a repository is located. If the repository is local to the machine, use <code class="command">baseurl=file://<em class="replaceable"><code>path to local repository</code></em> </code>. If the repository is located online using HTTP, use <code class="command">baseurl=http://<em class="replaceable"><code>link</code></em> </code>. If the repository is online and uses FTP, use <code class="command">baseurl=ftp://<em class="replaceable"><code>link</code></em> </code>.
						</div><div class="para">
							If a specific online repository requires basic HTTP authentication, you can specify your username and password in the <code class="command">baseurl</code> line by prepending it as <em class="replaceable"><code>username</code></em>:<em class="replaceable"><code>password</code></em>@<em class="replaceable"><code>link</code></em>. For example, if a repository on <a href="http://www.example.com/repo/">http://www.example.com/repo/</a> requires a username of "user" and a password os "password", then the <code class="command">baseurl</code> link can be specified as <code class="command">baseurl=http://user:password@www.example.com/repo/</code>.
						</div></dd></dl></div><div class="para">
				The following is a list of options most commonly used in repository entries. For a complete list of repository entries, refer to <code class="command">man yum.conf</code>.
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="command">gpgcheck=<em class="replaceable"><code>&lt;1 or 0&gt;</code></em> </code> </span></dt><dd><div class="para">
							This disables/enables GPG signature checking a specific repository. The default is <code class="command">gpgcheck=0</code>, which disables GPG checking.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">gpgkey=<em class="replaceable"><code>URL</code></em> </code> </span></dt><dd><div class="para">
							This option allows you to point to a URL of the ASCII-armoured GPG key file for a repository. This option is normally used if <code class="command">yum</code> needs a public key to verify a package and the required key was not imported into the RPM database.
						</div><div class="para">
							If this option is set, <code class="command">yum</code> will automatically import the key from the specified URL. You will be prompted before the key is installed unless you set <code class="command">assumeyes=1</code> (in the <code class="command">[main]</code> section of <code class="filename">/etc/yum.conf</code>) or <code class="command">-y</code> (in a <code class="command">yum</code> transaction).
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">exclude=<em class="replaceable"><code>&lt;package name/s&gt;</code></em> </code> </span></dt><dd><div class="para">
							This option is similar to the <code class="command">exclude</code> option in the <code class="command">[main]</code> section of <code class="filename">/etc/yum.conf</code>. However, it only applies to the repository in which it is specified.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">includepkgs=<em class="replaceable"><code>&lt;package name/s&gt;</code></em> </code> </span></dt><dd><div class="para">
							This option is the opposite of <code class="command">exclude</code>. When this option is set on a repository, <code class="command">yum</code> will only be able to see the specified packages in that repository. By default, all packages in a repository are visible to <code class="command">yum</code>.
						</div></dd></dl></div></div></div><div class="section" id="s1-yum-useful-variables"><div class="titlepage"><div><div><h2 class="title" id="s1-yum-useful-variables">13.5. Useful <code class="command">yum</code> Variables</h2></div></div></div><div class="para">
			The following is a list of variables you can use for both <code class="command">yum</code> commands and <code class="command">yum</code> configuration files (i.e. <code class="filename">/etc/yum.conf</code> and <code class="filename">.repo</code> files).
		</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="command">$releasever</code> </span></dt><dd><div class="para">
						This is replaced with the package's version, as listed in <code class="command">distroverpkg</code>. This defaults to the version of the <code class="command">redhat-release</code> package.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="command">$arch</code> </span></dt><dd><div class="para">
						This is replaced with your system's architecture, as listed by <code class="command">os.uname()</code> in Python.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="command">$basearch</code> </span></dt><dd><div class="para">
						This is replaced with your base architecture. For example, if <code class="command">$arch</code>=i686 then <code class="command">$basearch</code>=i386.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="command">$YUM<em class="replaceable"><code>0-9</code></em> </code> </span></dt><dd><div class="para">
						This is replaced with the value of the shell environment variable of the same name. If the shell environment variable does not exist, then the configuration file variable will not be replaced.
					</div></dd></dl></div></div></div><div xml:lang="en-US" class="chapter" id="entitlements" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 14. Product Subscriptions and Entitlements</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#overview-of-entitlements">14.1. An Overview of Managing Subscriptions and Content</a></span></dt><dd><dl><dt><span class="section"><a href="#the-purpose-of-subscriptions">14.1.1. The Purpose of Subscription Management</a></span></dt><dt><span class="section"><a href="#defining-entitlements">14.1.2. Defining Subscriptions, Entitlements, and Products</a></span></dt><dt><span class="section"><a href="#rhsm-tools">14.1.3. Subscription Management Tools</a></span></dt><dt><span class="section"><a href="#entitlement-arch">14.1.4. Subscription and Content Architecture</a></span></dt><dt><span class="section"><a href="#enhanced-content">14.1.5. Advanced Content Management: Extended Update Support</a></span></dt><dt><span class="section"><a href="#classic-v-rhn">14.1.6. RHN Classic v. Certificate-based Red Hat Network</a></span></dt></dl></dd><dt><span class="section"><a href="#launching-ents-tools">14.2. Using Red Hat Subscription Manager Tools</a></span></dt><dd><dl><dt><span class="section"><a href="#launching-rhsm">14.2.1. Launching Red Hat Subscription Manager</a></span></dt><dt><span class="section"><a href="#about-ents-cli-script">14.2.2. About subscription-manager</a></span></dt><dt><span class="section"><a href="#about-rhsm-web">14.2.3. Looking at RHN Subscription Management</a></span></dt><dt><span class="section"><a href="#about-sam">14.2.4. Looking at Subscription Asset Manager</a></span></dt></dl></dd><dt><span class="section"><a href="#ents-special-types">14.3. Managing Special Deployment Scenarios</a></span></dt><dd><dl><dt><span class="section"><a href="#ents-multi-tenant">14.3.1. Local Subscription Services, Local Content Providers, and Multi-Tenant Organizations</a></span></dt><dt><span class="section"><a href="#ents-virtual">14.3.2. Virtual Guests and Hosts</a></span></dt><dt><span class="section"><a href="#ents-domains">14.3.3. Domains</a></span></dt></dl></dd><dt><span class="section"><a href="#registering-machine-ui">14.4. Registering, Unregistering, and Reregistering a System</a></span></dt><dd><dl><dt><span class="section"><a href="#registering-ui">14.4.1. Registering Consumers in the Hosted Environment</a></span></dt><dt><span class="section"><a href="#registering-multiorg">14.4.2. Registering Consumers to a Local Organization</a></span></dt><dt><span class="section"><a href="#registering-oflfine">14.4.3. Registering an Offline Consumer</a></span></dt><dt><span class="section"><a href="#registering-cmd">14.4.4. Registering from the Command Line</a></span></dt><dt><span class="section"><a href="#un-registering">14.4.5. Unregistering</a></span></dt><dt><span class="section"><a href="#reregistering">14.4.6. Restoring a Registration</a></span></dt></dl></dd><dt><span class="section"><a href="#rhn-migration">14.5. Migrating Systems from RHN Classic to Certificate-based Red Hat Network</a></span></dt><dd><dl><dt><span class="section"><a href="#install-migration-tools">14.5.1. Installing the Migration Tools</a></span></dt><dt><span class="section"><a href="#rhn-migrate-classic">14.5.2. Migrating from RHN Classic to Certificate-based Red Hat Network</a></span></dt><dt><span class="section"><a href="#rhn-migrate-unregister-only">14.5.3. Unregistering from RHN Classic Only</a></span></dt><dt><span class="section"><a href="#rhn-install-num">14.5.4. Migrating a Disconnected System</a></span></dt><dt><span class="section"><a href="#rhn-channel-mappings">14.5.5. Looking at Channel and Certificate Mappings</a></span></dt></dl></dd><dt><span class="section"><a href="#subscribing-ents">14.6. Handling Subscriptions</a></span></dt><dd><dl><dt><span class="section"><a href="#sub-ui">14.6.1. Subscribing and Unsubscribing through the Red Hat Subscription Manager GUI</a></span></dt><dt><span class="section"><a href="#sub-cli">14.6.2. Handling Subscriptions through the Command Line</a></span></dt><dt><span class="section"><a href="#stacking">14.6.3. Stacking Subscriptions</a></span></dt><dt><span class="section"><a href="#ADDING-SUB">14.6.4. Manually Adding a New Subscription</a></span></dt></dl></dd><dt><span class="section"><a href="#activating-machine">14.7. Redeeming Subscriptions on a Machine</a></span></dt><dd><dl><dt><span class="section"><a href="#activating-gui">14.7.1. Redeeming Subscriptions through the GUI</a></span></dt><dt><span class="section"><a href="#activating-register">14.7.2. Redeeming Subscriptions on a Machine through the Command Line</a></span></dt></dl></dd><dt><span class="section"><a href="#viewing-ents">14.8. Viewing Available and Used Subscriptions</a></span></dt><dd><dl><dt><span class="section"><a href="#viewing-ents-ui">14.8.1. Viewing Subscriptions in the GUI</a></span></dt><dt><span class="section"><a href="#viewing-ents-cmd">14.8.2. Listing Subscriptions with the Command Line</a></span></dt><dt><span class="section"><a href="#viewing-available-sub">14.8.3. Viewing Subscriptions Used in Both RHN Classic and Certificate-based Red Hat Network</a></span></dt></dl></dd><dt><span class="section"><a href="#entitlements-and-yum">14.9. Working with Subscription yum Repos</a></span></dt><dt><span class="section"><a href="#responding-to-nags-ui">14.10. Responding to Subscription Notifications</a></span></dt><dt><span class="section"><a href="#sub-healing">14.11. Healing Subscriptions</a></span></dt><dd><dl><dt><span class="section"><a href="#healing-disable">14.11.1. Enabling Healing</a></span></dt><dt><span class="section"><a href="#healing-freq">14.11.2. Changing the Healing Check Frequency</a></span></dt></dl></dd><dt><span class="section"><a href="#sam">14.12. Working with Subscription Asset Manager</a></span></dt><dd><dl><dt><span class="section"><a href="#configuring-rhsm-sam">14.12.1. Configuring Subscription Manager to Work with Subscription Asset Manager</a></span></dt><dt><span class="section"><a href="#viewing-multi-org-info">14.12.2. Viewing Organization Information</a></span></dt></dl></dd><dt><span class="section"><a href="#uploading-new-certs">14.13. Updating Entitlements Certificates</a></span></dt><dd><dl><dt><span class="section"><a href="#updating-ent-certs">14.13.1. Updating Entitlement Certificates</a></span></dt><dt><span class="section"><a href="#refreshing-ent-info">14.13.2. Updating Subscription Information</a></span></dt></dl></dd><dt><span class="section"><a href="#rhsm-config">14.14. Configuring the Subscription Service</a></span></dt><dd><dl><dt><span class="section"><a href="#rhsm-files">14.14.1. Red Hat Subscription Manager Configuration Files</a></span></dt><dt><span class="section"><a href="#rhsm-config-cmd">14.14.2. Using the config Command</a></span></dt><dt><span class="section"><a href="#rhsm-http-proxy">14.14.3. Using an HTTP Proxy</a></span></dt><dt><span class="section"><a href="#changing-ents-server">14.14.4. Changing the Subscription Server</a></span></dt><dt><span class="section"><a href="#setting-up-rhsm-mirror">14.14.5. Configuring Red Hat Subscription Manager to Use a Local Content Provider</a></span></dt><dt><span class="section"><a href="#secure-cxn-ents-server">14.14.6. Managing Secure Connections to the Subscription Server</a></span></dt><dt><span class="section"><a href="#starting-rhsm">14.14.7. Starting and Stopping the Subscription Service</a></span></dt><dt><span class="section"><a href="#checking-rhsm-logs">14.14.8. Checking Logs</a></span></dt><dt><span class="section"><a href="#showing-incompatible-subsc">14.14.9. Showing and Hiding Incompatible Subscriptions</a></span></dt><dt><span class="section"><a href="#rhsm-facts">14.14.10. Checking and Adding System Facts</a></span></dt><dt><span class="section"><a href="#regen-certs-cli">14.14.11. Regenerating Identity Certificates</a></span></dt><dt><span class="section"><a href="#getting-system-uuid">14.14.12. Getting the System UUID</a></span></dt><dt><span class="section"><a href="#rhsm-package-profiles">14.14.13. Viewing Package Profiles</a></span></dt><dt><span class="section"><a href="#consumerid">14.14.14. Retrieving the Consumer ID, Registration Tokens, and Other Information</a></span></dt></dl></dd><dt><span class="section"><a href="#entitlement-certificates">14.15. About Certificates and Managing Entitlements</a></span></dt><dd><dl><dt><span class="section"><a href="#structure-of-identity-certs">14.15.1. The Structure of Identity Certificates</a></span></dt><dt><span class="section"><a href="#structure-of-ent-certificates">14.15.2. The Structure of Entitlement Certificates</a></span></dt><dt><span class="section"><a href="#structure-of-product-certificates">14.15.3. The Structure of Product Certificates</a></span></dt><dt><span class="section"><a href="#sat-certs">14.15.4. Anatomy of Satellite Certificates</a></span></dt></dl></dd></dl></div><a id="id855334" class="indexterm"></a><a id="id920577" class="indexterm"></a><a id="id847306" class="indexterm"></a><div class="para">
		Effective asset management requires a mechanism to handle the software inventory — both the type of products and the number of systems that the software is installed on. The subscription service provides that mechanism and gives transparency into both global allocations of subscriptions for an entire organization and the specific subscriptions assigned to a single system.
	</div><div class="para">
		Red Hat Subscription Manager works with <code class="command">yum</code> to unit content delivery with subscription management. The Subscription Manager handles only the subscription-system associations. <code class="command">yum</code> or other package management tools handle the actual content delivery. <a class="xref" href="#c1-yum">Chapter 13, <em>YUM (Yellowdog Updater Modified)</em></a> describes how to use <code class="command">yum</code>.
	</div><div class="para">
		This chapter provides an overview of subscription management in Red Hat Enterprise Linux and the Red Hat Subscription Manager tools which are available.
	</div><div class="section" id="overview-of-entitlements"><div class="titlepage"><div><div><h2 class="title" id="overview-of-entitlements">14.1. An Overview of Managing Subscriptions and Content</h2></div></div></div><a id="id841068" class="indexterm"></a><a id="id846940" class="indexterm"></a><div class="para">
			Red Hat Enterprise Linux and other Red Hat products are sold through subscriptions, which make packages available and provide support for a set number of systems. Subscription management clarifies the relationships between local systems and available software resources because it gives a view into <span class="emphasis"><em>where</em></span> software subscriptions are assigned, apart from installing the packages.
		</div><div class="section" id="the-purpose-of-subscriptions"><div class="titlepage"><div><div><h3 class="title" id="the-purpose-of-subscriptions">14.1.1. The Purpose of Subscription Management</h3></div></div></div><div class="para">
				New government and industry regulations are setting new mandates for businesses to track how their infrastructure assets are used. These changes include legislation like Sarbanes-Oxley in the United States, standards like Payment Card Industry Data Security Standard (PCI-DSS), or accreditation like SAS-70. Software inventory maintenance is increasingly important to meet accounting and governmental standards.
			</div><div class="para">
				That means that there is increasing pressure on IT administrators to have an accurate, current accounting of the software used on their systems. Generally, this is called <span class="emphasis"><em>software license management</em></span>; with Red Hat's subscription model, this is <span class="emphasis"><em>subscription management</em></span>.
			</div><div class="figure" id="fig.ents-compliance"><div class="figure-contents"><div class="mediaobject"><img src="images/ents-compliant.png" width="444" alt="Managing Subscriptions for Software Inventory" /></div></div><h6>Figure 14.1. Managing Subscriptions for Software Inventory</h6></div><br class="figure-break" /><a id="id921334" class="indexterm"></a><a id="id921345" class="indexterm"></a><div class="para">
				Effective subscription management helps organizations achieve four primary goals:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="emphasis"><em>Maintain regulatory compliance</em></span>. One of the key responsibilities of administrators is software compliance in conformance with legal or industry requirements. Subscription management helps track both subscription assignments and contract expirations, which helps administrators manage both systems and software inventories in accordance to their regulatory requirements.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Simplify IT audits</em></span>. Having a central and clear inventory of both current subscriptions and current systems, IT administrators can monitor and report on their infrastructure better.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Get better performance by doing better at assigning subscriptions</em></span>. The subscription service maintains dual inventories of available product subscriptions and registered server systems, with clear associations between subscriptions and systems. This makes it easier for IT administrators to assign relevant subscriptions to systems, because they have a view of what is in the inventory and what the system is currently subscribed to.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Lower costs and streamline procurement</em></span>. While <span class="emphasis"><em>under-</em></span>subscribing systems can run afoul of regulations, <span class="emphasis"><em>over-</em></span> subscribing systems can cause a significant impact on IT budgets. Subscription management helps subscriptions be assigned most efficiently, so costs could actually be lowered.
					</div></li></ul></div><div class="para">
				With Red Hat's commitment to free and open software, subscription management is focused on delivering tools that help IT administrators monitor their software/systems inventory for their own benefit. Subscription management <span class="emphasis"><em>does not</em></span> enforce or restrict access to products.
			</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					Most Red Hat products are licensed under a GNU General Public License (GPL), which allows free use of the software or code; this a different license than the Red Hat license agreement. A Red Hat license provides access to Red Hat services, like the Customer Portal and Content Delivery Network.
				</div><div class="para">
					The Red Hat subscription requires that, as long as there is any active subscription for a product, then every system which uses the Red Hat product must have an active subscription assigned to it. Otherwise, the subscription is violated. See <a href="http://www.redhat.com/subscriptions/">http://www.redhat.com/subscriptions/</a> and <a href="http://www.redhat.com/rhel/renew/faqs/#6">http://www.redhat.com/rhel/renew/faqs/#6</a> for more information on Red Hat's subscription model and terms.
				</div></div></div></div><div class="section" id="defining-entitlements"><div class="titlepage"><div><div><h3 class="title" id="defining-entitlements">14.1.2. Defining Subscriptions, Entitlements, and Products</h3></div></div></div><a id="id1041829" class="indexterm"></a><a id="id852075" class="indexterm"></a><div class="para">
				The basis of everything is a <span class="emphasis"><em>subscription</em></span>. A subscription contains both the <span class="emphasis"><em>products</em></span> that are available, the support levels, and the <span class="emphasis"><em>quantities</em></span>, or number of servers, that the product can be installed on.
			</div><div class="para">
				Subscriptions are managed though the Certificate-Based Red Hat Network service, which ties into the Subscription and Content Delivery Network (CDN).
			</div><div class="para">
				The subscription service maintains a complete list of subscriptions for an organization, identified by a unique ID (called a <span class="emphasis"><em>pool ID</em></span>). A system is <span class="emphasis"><em>registered</em></span>, or added, to the subscription service to allow it to manage the subscriptions for that system. Like the subscription, the system is also added to the subscription service inventory and is assigned a unique ID within the service. The subscriptions and system entries, together, comprise the <span class="emphasis"><em>inventory</em></span>.
			</div><div class="para">
				A system allocates one of the quantities of a product in a subscription to itself. When a subscription is consumed, it is an <span class="emphasis"><em>entitlement</em></span>. (An entitlement is roughly analogous to a user license, in that it grants all of the rights to that product to that system. Unlike a user license, an entitlement does not grant the right to <span class="emphasis"><em>use</em></span> the software; with the subscription model, an entitlement grants the ability to download the packages and receive updates.) Because the available quantity in a subscription lowers once a system subscribes to it, the system <span class="emphasis"><em>consumes</em></span> the subscription.
			</div><div class="figure" id="fig.ents-overview"><div class="figure-contents"><div class="mediaobject"><img src="images/entitlements-overview.png" width="444" alt="Managing Subscriptions, Illustrated" /></div></div><h6>Figure 14.2. Managing Subscriptions, Illustrated</h6></div><br class="figure-break" /><div class="para">
				The repository where the product software is located is organized according to the <span class="emphasis"><em>product</em></span>. Each product group within the repository may contain the primary software packages and then any required dependencies or associated packages. Altogether, the product and its associated packages are called a <span class="emphasis"><em>content set</em></span>. (A content set for a product even includes other versions of the product.) When a subscription grants access to a product, it includes access to all of the associated packages in that content set.
			</div><div class="para">
				A single subscription can have multiple products, and each system can have multiple different subscriptions, depending on how many entitlement certificates are loaded on the machine.
			</div><a id="id852190" class="indexterm"></a><a id="id811447" class="indexterm"></a><div class="para">
				Any number of products, for any number of different architectures, can be contained in a single subscription. The subscription options that are visible to a consumer are filtered, by default, according to whether the architecture for the product matches the architecture of the system. This is <span class="emphasis"><em>compatibility</em></span>. Depending on compatible subscriptions makes sure that subscriptions are allocated efficiently, only to systems which can actually use the products.
			</div><div class="para">
				The subscription tools can display even incompatible entitlements. Alternatively, the architecture definition for the system can be overridden by defining custom system facts for the subscription tools to use.
			</div><div class="para">
				It's important to distinguish between subscribing to a product and installing a product. A subscription is essentially a statement of whatever products an organization has purchased. The act of subscribing to a subscription means that a system is allowed to install the product with a valid certificate, but subscribing doesn't actually perform any installation or updates. In the reverse, a product can also be installed apart from any entitlements for the system; the system is just does not have a valid product certificate. Certificate-Based Red Hat Network and the Content Delivery Network harmonize with content delivery and installation by using <code class="command">yum</code> plug-ins that come with the Subscription Manager tools.
			</div></div><div class="section" id="rhsm-tools"><div class="titlepage"><div><div><h3 class="title" id="rhsm-tools">14.1.3. Subscription Management Tools</h3></div></div></div><a id="id811499" class="indexterm"></a><a id="id811511" class="indexterm"></a><div class="para">
				Subscriptions are managed through GUI and CLI tools called <span class="emphasis"><em>Red Hat Subscription Manager</em></span>. The Subscription Manager tracks and displays what entitlements are available to the local system and what entitlements have been consumed by the local system. The Subscription Manager works as a conduit back to the subscription service to synchronize changes like available product quantities or subscription expiration and renewals.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					The Red Hat Subscription Manager tools are always run as <code class="command">root</code> because of the nature of the changes to the system. However, Red Hat Subscription Manager connects to the subscription service as a user account for the Customer Service Portal.
				</div></div></div><div class="para">
				The Subscription Manager handles both registration and subscriptions for a system. The Subscription Manager is part of the <code class="command">firstboot</code> process for configuring content and updates, but the system can be registered at any time through the Red Hat Subscription Manager GUI or CLI. New subscriptions, new products, and updates can be viewed and applied to a system through the Red Hat Subscription Manager tools.
			</div><div class="para">
				The different Subscription Manager clients are covered in <a class="xref" href="#launching-ents-tools">Section 14.2, “Using Red Hat Subscription Manager Tools”</a>.
			</div></div><div class="section" id="entitlement-arch"><div class="titlepage"><div><div><h3 class="title" id="entitlement-arch">14.1.4. Subscription and Content Architecture</h3></div></div></div><a id="id811582" class="indexterm"></a><a id="id783956" class="indexterm"></a><a id="id783968" class="indexterm"></a><div class="para">
				<span class="emphasis"><em>Content</em></span> includes new downloads, ISOs, updates, and errata, anything that can be installed on a system.
			</div><div class="para">
				Subscription management helps to clarify and to define the relationships between local server infrastructure and the content delivery systems. Subscription management and content delivery are tightly associated. Entitlements (assigned subscriptions) identify what a system is <span class="emphasis"><em>allowed</em></span> to install and update. In other words, entitlements define access to content. The content delivery system actually provides the software packages.
			</div><div class="para">
				There are three parties that are involved in subscriptions and content:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						The subscription service
					</div></li><li class="listitem"><div class="para">
						The Content Delivery Network
					</div></li><li class="listitem"><div class="para">
						The system which uses the content
					</div></li></ul></div><div class="figure" id="fig.ents-content"><div class="figure-contents"><div class="mediaobject"><img src="images/entitlements-subscriptions.png" width="444" alt="Relationship Among Systems, the Subscription Service, and Content Delivery Network" /></div></div><h6>Figure 14.3. Relationship Among Systems, the Subscription Service, and Content Delivery Network</h6></div><br class="figure-break" /><div class="para">
				The subscription service handles the system registration (verifying that the system is allowed to access the content). It also supplies the system with information on what products are available and handles a central list of entitlements and remaining quantities for the entire organization.
			</div><div class="para">
				The content delivery network is responsible for delivering the content to the system when requested. The content server is configured in the Red Hat Subscription Manager configuration and then tied into the system's <code class="command">yum</code> service through the Red Hat Subscription Manager yum plug-in.
			</div><div class="para">
				Both the subscription service and the content server used by a system's Red Hat Subscription Manager tools can be customized. The default settings use the public subscription service and Content Delivery Network, but either one can be changed to use organization-specific services.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					Systems have the option of using the older Red Hat Network and Satellite 5.x systems to deliver content. These content delivery mechanisms bypass the subscription service in Certificate-Based Red Hat Network, so there is no entitlement management. This is allowed for legacy infrastructures, but Red Hat strongly recommends registering new systems with the latest Certificate-based Red Hat Network.
				</div></div></div></div><div class="section" id="enhanced-content"><div class="titlepage"><div><div><h3 class="title" id="enhanced-content">14.1.5. Advanced Content Management: Extended Update Support</h3></div></div></div><a id="id1069526" class="indexterm"></a><a id="id1069538" class="indexterm"></a><a id="id1069550" class="indexterm"></a><div class="para">
				Sometimes software product installations are straightforward — you want to install a Red Hat Enterprise Linux server, so you install Red Hat Enterprise Linux. However, products can have dependencies with each other (product B is only worthwhile if product A is also installed) or products can interact with each other to provide extended functionality. There are two categories of these kinds of product interactions:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="emphasis"><em>Dependencies</em></span>, where one product requires or relies on another product directly
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Modifiers</em></span>, where a product provides enhanced functionality or services for existing products
					</div></li></ul></div><div class="para">
				Dependencies are common and can be handled directly when processing content through tools like <code class="command">yum</code>.
			</div><div class="para">
				Modifiers can be more subtle. A modifier subscription extends another entitlement and provides different repository access and support than the product entitlement alone.
			</div><div class="para">
				If the system is subscribed to that product entitlement or combination of products, then the modifier subscription brings an enhanced <span class="emphasis"><em>content set</em></span> for that product. The content set can include additional new products, new functionality, or extended service and support, depending on the product being modified.
			</div><div class="para">
				One simple example of a modifier is <span class="emphasis"><em>extended update support</em></span> (EUS), which extends support for a minor release of Red Hat Enterprise Linux from six months to 24 months. An EUS subscription provides an enhanced support path, rather than a new product. EUS works only in conjunction with another product, to extend its support profile; it does not stand alone.
			</div><div class="note"><div class="admonition_header"><h2>Red Hat Enterprise Linux Add-ons and EUS Subscriptions</h2></div><div class="admonition"><div class="para">
					Red Hat Enterprise Linux add-ons have access to EUS streams as long as the underlying Red Hat Enterprise Linux product has an EUS subscription. For example, if an administrator has a Red Hat Enterprise Linux 2 Socket subscription, a File System subscription, and a Red Hat Enterprise Linux 2 Socket EUS subscription, then the system can access both non-EUS and EUS content for both the Red Hat Enterprise Linux server and the File System product.
				</div></div></div></div><div class="section" id="classic-v-rhn"><div class="titlepage"><div><div><h3 class="title" id="classic-v-rhn">14.1.6. RHN Classic v. Certificate-based Red Hat Network</h3></div></div></div><div class="para">
				During the firstboot process, there are two options given for the content server: (Certificate-based) Red Hat Network and RHN Classic. These systems are mutually exclusive, but they both handle software content and updates as well as subscriptions and system inventory.
			</div><div class="para">
				In 5.7 and later versions, entitlements and subscriptions are defined by <span class="emphasis"><em>available and installed products</em></span>. However, in older versions of Red Hat Enterprise Linux, subscriptions were defined by <span class="emphasis"><em>channel access</em></span>. These are two different approaches to content and entitlement access. Red Hat Network uses the product-based subscription model, while RHN Classic uses the channel-based model.
			</div><div class="para">
				Certificate-based Red Hat Network is focused on two things:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Subscription management
					</div></li><li class="listitem"><div class="para">
						Content delivery
					</div></li></ul></div><div class="para">
				Certificate-based Red Hat Network integrates the Customer Portal, Content Delivery Network, and subscription service (subscription management). It uses simple and streamlined local tools (the Red Hat Subscription Manager client) to give greater visibility into how entitlements and subscriptions are used and assigned and to help control software subscriptions as they are added and expire.
			</div><div class="para">
				Since the client tools for subscription management (the focus of Certificate-based Red Hat Network) are only available in Red Hat Enterprise Linux 5.7 systems and later, Certificate-based Red Hat Network can only be utilized by 5.7 and later systems.
			</div><div class="para">
				RHN Classic uses the traditional channel entitlement model, which provides a global view of content access but does not provide insight into system-level subscription uses. Along with content and global subscription management, RHN Classic also provides some systems management functions:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Kickstarting systems
					</div></li><li class="listitem"><div class="para">
						Managing configuration files
					</div></li><li class="listitem"><div class="para">
						Running scripts
					</div></li><li class="listitem"><div class="para">
						Taking system snapshots
					</div></li></ul></div><div class="para">
				Satellite 5.x systems use a channel-based model similar to RHN Classic.
			</div><div class="para">
				While RHN Classic has an expanded systems management feature set, RHN Classic does not provide the system-level view into installed and subscribed products that the enhanced Red Hat Network and subscription service do. RHN Classic is provided for older Red Hat Enterprise Linux systems (Red Hat Enterprise Linux 4.x, Red Hat Enterprise Linux 5.x, and Satellite 5.x) to migrate systems over to Red Hat Enterprise Linux 5.7 and later versions.
			</div><div class="para">
				The two subscription services are mututally exclusive, with separate inventories and using separate client tools. Both the RHN Classic and Red Hat Subscription Manager tools correctly identify which service a system is registered with. When a system is registered with RHN Classic, then the Red Hat Subscription Manager shows an error that the system is already registered and cannot be managed by the Subscription Manager tools. Likewise, similar errors are returned in the RHN Classic tools if a system is registered with Red Hat Network and the subscription service.
			</div><div class="para">
				For information on migrating from RHN Classic to Certificate-based Red Hat Network, see <a class="xref" href="#rhn-migration">Section 14.5, “Migrating Systems from RHN Classic to Certificate-based Red Hat Network”</a>.
			</div></div></div><div class="section" id="launching-ents-tools"><div class="titlepage"><div><div><h2 class="title" id="launching-ents-tools">14.2. Using Red Hat Subscription Manager Tools</h2></div></div></div><a id="id1069788" class="indexterm"></a><div class="para">
			The Red Hat Subscription Manager tool set encompasses three different tools:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					A GUI-based local client to manage the local machine
				</div></li><li class="listitem"><div class="para">
					A CLI client for advanced users and administrators to manage a local machine (and which can be tied into other applications and actions, like kickstarting machines)
				</div></li><li class="listitem"><div class="para">
					A web-based client for organizational, multi-system views of the subscriptions and inventoried resources
				</div></li></ul></div><div class="para">
			All of these tools, both local clients and the web-based tools, allow administrators to perform three major tasks directly related to managing subscriptions: registering machines, assigning subscriptions to systems, and updating the certificates required for authentication. Some minor operations, like updating system facts, are available to help display and track what subscriptions are available.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				Both the Red Hat Subscription Manager GUI and CLI must be run as <code class="command">root</code>.
			</div></div></div><div class="section" id="launching-rhsm"><div class="titlepage"><div><div><h3 class="title" id="launching-rhsm">14.2.1. Launching Red Hat Subscription Manager</h3></div></div></div><a id="id1069862" class="indexterm"></a><a id="id1069878" class="indexterm"></a><div class="para">
				Red Hat Subscription Manager is listed as one of the administrative tools in the <span class="guimenu"><strong>System =&gt; Administration</strong></span> menu in the top management bar.
			</div><div class="figure" id="fig.rhsm-menu"><div class="figure-contents"><div class="mediaobject"><img src="images/rhsm-menu-item.png" width="444" alt="Red Hat Subscription Manager Menu Option" /></div></div><h6>Figure 14.4. Red Hat Subscription Manager Menu Option</h6></div><br class="figure-break" /><div class="para">
				Alternatively, the Red Hat Subscription Manager GUI can be opened from the command line with a single command:
			</div><pre class="programlisting">[root@server1 ~]# subscription-manager-gui</pre><div class="para">
				The Red Hat Subscription Manager UI has a single window with tabbed sections that offer quick views into the current state of the system, showing installed products, subscriptions for the system, and available subscriptions the system has access to. These tabs also allow administrators to manage subscriptions by subscribing and unsubscribing the system.
			</div><div class="para">
				The Red Hat Subscription Manager has three main areas to manage products and subscriptions:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						The <span class="guilabel"><strong>My Subscriptions</strong></span> area shows all of the current entitlements that the system is subscribed to.
					</div></li><li class="listitem"><div class="para">
						The <span class="guilabel"><strong>All Available Subscriptions</strong></span> area shows all of the subscriptions that are available to the system. The default displays only entitlements that are compatible with the hardware, but these can be filtered to show entitlements corresponding to other installed programs, only subscriptions that have not been installed, and subscriptions based on date.
					</div></li><li class="listitem"><div class="para">
						The <span class="guilabel"><strong>My Installed Software</strong></span> area shows the currently installed products on the system, along with their subscription status. This does not allow administrators to install software, only to view installed software.
					</div></li></ul></div><div class="figure" id="fig.rhsm-gui-overview"><div class="figure-contents"><div class="mediaobject"><img src="images/rhsm-subscribe-prod.png" width="444" alt="Red Hat Subscription Manager Main Screen" /></div></div><h6>Figure 14.5. Red Hat Subscription Manager Main Screen</h6></div><br class="figure-break" /><div class="para">
				The top right box contains the tools required to perform maintenance tasks like changing the registration connection information and viewing system facts.
			</div></div><div class="section" id="about-ents-cli-script"><div class="titlepage"><div><div><h3 class="title" id="about-ents-cli-script">14.2.2. About subscription-manager</h3></div></div></div><a id="id1070027" class="indexterm"></a><a id="id1073537" class="indexterm"></a><div class="para">
				Any of the operations that can be performed through the Red Hat Subscription Manager UI can also be performed by running the <code class="command">subscription-manager</code> tool. This tools has the following format:
			</div><pre class="programlisting">[root@server1 ~]# subscription-manager <em class="replaceable"><code>command [options]</code></em></pre><div class="para">
				Each command has its own set of <span class="emphasis"><em>options</em></span> that are used with it. The <code class="command">subscription-manager</code> help and manpage have more information.
			</div><div class="table" id="tab.smcli-commands"><h6>Table 14.1. subscription-manager Commands</h6><div class="table-contents"><table summary="subscription-manager Commands" border="1"><colgroup><col width="30%" class="command" /><col width="70%" class="description" /></colgroup><thead><tr><th>
								Command
							</th><th>
								Description
							</th></tr></thead><tbody><tr><td>
								register
							</td><td>
								Registers or identifies a new system to the subscription service.
							</td></tr><tr><td>
								unregister
							</td><td>
								Unregisters a machine, which strips its subscriptions and removes the machine from the subscription service.
							</td></tr><tr><td>
								subscribe
							</td><td>
								Allocates a specific subscription to the machine.
							</td></tr><tr><td>
								redeem
							</td><td>
								Autosubscribes a machine to a pre-specified subscription that was purchased from a vendor, based on its hardware and BIOS information.
							</td></tr><tr><td>
								refresh
							</td><td>
								Pulls the latest entitlement data from the server. Normally, the system polls the entitlement server at a set interval (4 hours by default) to check for any changes in the available subscriptions. The <code class="command">refresh</code> command checks with the entitlement server right then, outside the normal interval.
							</td></tr><tr><td>
								unsubscribe
							</td><td>
								Removes a specific subscription or all subscriptions from the machine.
							</td></tr><tr><td>
								list
							</td><td>
								Lists all of the subscriptions that are compatible with a machine, either subscriptions that are actually consumed by the machine or unused subscriptions that are available to the machine.
							</td></tr><tr><td>
								identity
							</td><td>
								Handles the identity certificate and registration ID for a system. This command can be used to return the current UUID or generate a new identity certificate.
							</td></tr><tr><td>
								facts
							</td><td>
								Lists the system information, like the release version, number of CPUs, and other architecture information.
							</td></tr><tr><td>
								clean
							</td><td>
								Removes all of the subscription and identity data from the local system, <span class="emphasis"><em>without affecting the consumer information in the subscription service</em></span>. Any of the subscriptions consumed by the system are still consumed and are not available for other systems to use. The <code class="command">clean</code> command is useful in cases where the local entitlement information is corrupted or lost somehow, and the system will be reregistered using the <code class="command">register --consumerid=EXISTING_ID</code> command.
							</td></tr><tr><td>
								orgs, repos, environments
							</td><td>
								Lists all of the configured organizations, environments, and content repositories that are available to the given user account or system. These commands are used to view information in a multi-org infrastructure. They are not used to configure the local machine or multi-org infrastructure.
							</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="about-rhsm-web"><div class="titlepage"><div><div><h3 class="title" id="about-rhsm-web">14.2.3. Looking at RHN Subscription Management</h3></div></div></div><a id="id1073796" class="indexterm"></a><a id="id1073812" class="indexterm"></a><div class="para">
				The ultimate goal of entitlement management is <span class="emphasis"><em>to allow administrators to identify the relationship between their systems and the subscriptions used by those systems</em></span>. This can be done from two different perspectives: from the perspective of the local system looking externally to potential subscriptions and from the perspective of the organization, looking down at the total infrastructure of systems and all subscriptions.
			</div><div class="para">
				The Red Hat Subscription Manager GUI and CLI are both local clients which manage only the local machine. These tools are somewhat limited in their view; they only disclose information (such as available entitlements) from the perspective of that one system, so expired and depleted subscriptions or subscriptions for other architectures aren't displayed.
			</div><div class="para">
				RHN Subscription Management in the Customer Portal is a <span class="emphasis"><em>global</em></span> tool which is intended to give complete, organization-wide views into subscriptions and systems. It shows all subscriptions and all consumers for the entire organization. RHN Subscription Management can perform many of the tasks of the local tools, like registering consumers, assigning subscriptions, and viewing system facts and UUID. It can also manage the subscriptions themselves, such as viewing contract information and renewing subscriptions — a task not possible in the local clients.
			</div><div class="figure" id="fig.ents-rhsm-web-mainpage"><div class="figure-contents"><div class="mediaobject"><img src="images/rhsm-web-mainpage.png" width="444" alt="RHN Subscription Management in the Customer Portal" /></div></div><h6>Figure 14.6. RHN Subscription Management in the Customer Portal</h6></div><br class="figure-break" /><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					RHN Subscription Management gives a global view of all consumers, of all types, for an organization, which is crucial for planning and effectively assigning subscriptions. However, it does <span class="bold bold"><strong>not</strong></span> provide any insight into what products are installed on a system and whether subscriptions are assigned for those products. To track the validity of installed products, you must use the local Subscription Manager tools.
				</div></div></div><div class="para">
				RHN Subscription Management also provides a view of systems and subscriptions managed under RHN Classic and provides access to the RHN Classic web tools.
			</div><a id="id1073906" class="indexterm"></a><div class="para">
				All of the subscriptions for an entire organization — the subscriptions that have been purchased and the systems to which they have been allocated — are viewable through the account pages at <a href="https://access.redhat.com/">https://access.redhat.com/</a>. Additional information about RHN Subscription Management is available with the portal documentation at <a href="https://access.redhat.com/knowledge/docs/Red_Hat_Customer_Portal/">https://access.redhat.com/knowledge/docs/Red_Hat_Customer_Portal/</a>.
			</div></div><div class="section" id="about-sam"><div class="titlepage"><div><div><h3 class="title" id="about-sam">14.2.4. Looking at Subscription Asset Manager</h3></div></div></div><a id="id1073944" class="indexterm"></a><a id="id1073960" class="indexterm"></a><div class="para">
				Subscription Asset Manager provides a local site not only to view subscriptions and systems for an infrastructure (as with the Customer Portal) but also to manage all of those systems. Subscription Asset Manager has three major functional areas:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Works with the client machine's Subscription Manager to manage subscriptions and content. In that way, it is a centralized, global, web-based Subscription Manager.
					</div></li><li class="listitem"><div class="para">
						Helps manage the subscriptions themselves. It receives a <span class="emphasis"><em>subscription manifest</em></span> from Red Hat Network. The manifest allocates that Subscription Asset Manager service a subset of all of an organization's subscriptions. From there, the Subscription Asset Manager locally assigns subscriptions to individual systems and can create activation keys.
					</div></li><li class="listitem"><div class="para">
						Works as a real-time proxy between the local system assets and the Red Hat content delivery network.
					</div></li></ul></div><div class="para">
				Subscription Asset Manager handles both client-side, local system management and backend subscription management. This allows Subscription Asset Manager to provide more in-depth information on the status of products and certificates through tools like its dashboard and activity reports.
			</div><div class="figure" id="fig.SAMDashboard"><div class="figure-contents"><div class="mediaobject"><img src="images/SAMDashboard.png" width="444" alt="Subscription Asset Manager Dashboard" /></div></div><h6>Figure 14.7. Subscription Asset Manager Dashboard</h6></div><br class="figure-break" /><div class="para">
				Because of the insight Subscription Asset Manager has into the local server assets, it can be used to define <span class="emphasis"><em>multi-tenant organizations</em></span>. Multi-tentant organizations allow completely separate silos of assets (organizations). Organizations can then be subdivided into environments; since a system can belong to multiple environments, it is possible to organize systems into overlapping circles according to the real-world infrastructure. This is covered more in <a class="xref" href="#ents-multi-tenant">Section 14.3.1, “Local Subscription Services, Local Content Providers, and Multi-Tenant Organizations”</a>.
			</div><div class="para">
				Subscription Asset Manager is available with Red Hat Enterprise Linux, but it must be installed and configured before it can be used to manage assets.
			</div><div class="para">
				For more information on configuring and using Subscription Asset Manager, see the documentation at <a href="http://docs.redhat.com/docs/en-US/Red_Hat_Subscription_Asset_Manager/1.0/html/Installation_Guide/index.html">http://docs.redhat.com/docs/en-US/Red_Hat_Subscription_Asset_Manager/1.0/html/Installation_Guide/index.html</a>.
			</div></div></div><div class="section" id="ents-special-types"><div class="titlepage"><div><div><h2 class="title" id="ents-special-types">14.3. Managing Special Deployment Scenarios</h2></div></div></div><div class="para">
			There are different types of consumers and different ways of organizing consumers. The simplest environment has physical machines grouped together in one single, homogeneous group, connecting to Red Hat's hosted content and subscription services. While this is an easy arrangement to maintain, it does not accurately describe many enterprise environments, which have a lively mix of physical and virtual machines, divided across disparate organizational units and even subunits within those organizations and accessing locally-controlled content and subscription services.
		</div><div class="para">
			The first change is the ability to group systems into divisions and subdivisions. This is called <span class="emphasis"><em>multi-tenancy</em></span>, the ability create unrelated groups beneath the primary umbrella account. Multi-tenant (or multi-org) structures are for infrastructures which may have multiple content repositories or subscription services, and systems within the organization need to be grouped according to access to those repositories and services.
		</div><div class="para">
			The other part of heterogeneous environments is recognizing consumers <span class="emphasis"><em>other</em></span> than physical machines. Two special consumer types are common: virtual guests and server domains. The difference between these consumer types and physical, single-machine consumers is only in the type of information that the Red Hat Subscription Service uses and stores — not in any special configuration or management tasks.
		</div><div class="section" id="ents-multi-tenant"><div class="titlepage"><div><div><h3 class="title" id="ents-multi-tenant">14.3.1. Local Subscription Services, Local Content Providers, and Multi-Tenant Organizations</h3></div></div></div><div class="para">
				As <a class="xref" href="#entitlement-arch">Section 14.1.4, “Subscription and Content Architecture”</a> outlines, the subscription service, content repository, and client tools and inventory all work together to define the entitlements structure for a customer. The way that these elements are organized depends on a lot of factors, like who is maintaining the individual services, how systems in the inventory are group, and how user access to the different services is controlled.
			</div><div class="para">
				The most simplistic structure is the <span class="emphasis"><em>hosted</em></span> structure. The content and subscription services are hosted by Red Hat, and all systems within the inventory are contained in one monolithic group. User access is defined only by Red Hat Customer Portal account access.
			</div><div class="figure" id="fig.ents-multiorg-hosted"><div class="figure-contents"><div class="mediaobject"><img src="images/ents-multiorg-hosted.png" width="444" alt="Hosted Structure" /></div></div><h6>Figure 14.8. Hosted Structure</h6></div><br class="figure-break" /><div class="para">
				The next step allows a customer to have its own, local subscription service (Subscription Asset Manager), while still using Red Hat's hosted content delivery network. At this point, user access can be defined locally, within the Subscription Asset Manager configuration. Subscription Asset Manager can define independent groups, called <span class="emphasis"><em>organizations</em></span>. Systems belong to those organizations, and users are granted access to those organizations. Systems and users in one organization are essentially invisible to systems and users in other organizations.
			</div><div class="figure" id="fig.ents-multiorg-sam"><div class="figure-contents"><div class="mediaobject"><img src="images/ents-multiorg-sam.png" width="444" alt="Hosted Content/Local Subscriptions Structure" /></div></div><h6>Figure 14.9. Hosted Content/Local Subscriptions Structure</h6></div><br class="figure-break" /><div class="para">
				The last style of infrastructure is almost entirely local, with a Subscription Asset Manager that provides locally-hosted content providers and an integrated local subscription service.
			</div><div class="figure" id="fig.ents-multiorg"><div class="figure-contents"><div class="mediaobject"><img src="images/ents-multiorg.png" alt="Local Subscriptions and Local Content Provider Structure" /></div></div><h6>Figure 14.10. Local Subscriptions and Local Content Provider Structure</h6></div><br class="figure-break" /><div class="para">
				This allows the most control over how systems are grouped <span class="emphasis"><em>within</em></span> the subscriptions/content. A customer's main account can be divided into separate and independent <span class="emphasis"><em>organizations</em></span>. These organizations can use different content provider, can have different subscriptions allocated to them, and can have different users assigned to them with levels of access set per organization. Access control in this scenario is controlled entirely locally. The local Subscription Asset Manager, not the remote Red Hat Customer Portal, processes user authentication requests and applies local access control policies.
			</div><div class="para">
				A system is assigned to one organization. Within an organization, there can be different <span class="emphasis"><em>environments</em></span> which define access to product versions and content sets. There can be overlap between environments, with a system belonging to multiple environments.
			</div><div class="figure" id="fig.ents-multiorg2"><div class="figure-contents"><div class="mediaobject"><img src="images/ents-multiorg2.png" width="444" alt="Multi-Org" /></div></div><h6>Figure 14.11. Multi-Org</h6></div><br class="figure-break" /><div class="para">
				When there is only one organization — such as a hosted environment (where the single organization is implicit) — then the systems all default to use that one organization. When there are multiple organizations, then the organization for a system to use must be defined for that system. This affects register operations, where the system is registered to subscription service and then joined to the organization. It also affects other operations tangentially. It may affect subscribe operations because it affects repository availability and subscription allocations, and it affects redeem operations (activation of existing subscriptions) because subscriptions must be redeemed from the organization which issued the subscription.
			</div><div class="para">
				For more information on configuring and managing organizations, environments, and content repositories, see the Subscription Asset Manager documentation.
			</div></div><div class="section" id="ents-virtual"><div class="titlepage"><div><div><h3 class="title" id="ents-virtual">14.3.2. Virtual Guests and Hosts</h3></div></div></div><a id="id1074326" class="indexterm"></a><a id="id1074338" class="indexterm"></a><div class="para">
				When the Red Hat Subscription Manager process checks the system facts, it attempts to identify whether the system is a physical machine or a virtual guest. The Subscription Manager can detect guests for several different virtualization services, including:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						KVM
					</div></li><li class="listitem"><div class="para">
						Xen
					</div></li><li class="listitem"><div class="para">
						HyperV
					</div></li><li class="listitem"><div class="para">
						VMWare ESX
					</div></li></ul></div><div class="para">
				Subscription Manager records a unique identifier called a <span class="emphasis"><em>guest ID</em></span> as one of the system facts for a virtual guest. A special process, <code class="systemitem">libvirt-rhsm</code>, checks VMWare, KVM, and Xen processes and then relays that information to Subscription Manager and any configured subscription service (Certificate-based Red Hat Network or a local Subscription Asset Manager). Each guest machine on a host is assigned a guest ID, and that guest ID is both associated with the host and used to generate the identity certificate for the guest when it is registered.
			</div><div class="para">
				Some Red Hat Enterprise Linux variants are specifically planned for virtual hosts and guests. The corresponding subscriptions are divided into a certain quantity of physical hosts and then a quantity of allowed guests. Red Hat Enterprise Linux add-ons may even be inherited, so that when a host machine is subscribed to that entitlement, all of its guests are automatically included in that subscription. (Red Hat layered products usually do not draw any distinction between virtual and physical systems; the same type of subscription is used for both.) If the system is a guest, then virtual entitlements are listed with the available subscriptions. If no more virtual entitlements are available, then the subscription service will apply physical entitlements.
			</div><div class="para">
				Virtual and physical subscriptions are identified in the <span class="guilabel"><strong>Type</strong></span> column.
			</div><div class="figure" id="fig.virt-icon"><div class="figure-contents"><div class="mediaobject"><img src="images/rhsm-virt-icons.png" width="444" alt="Virtual and Physical Subscription" /></div></div><h6>Figure 14.12. Virtual and Physical Subscription</h6></div><br class="figure-break" /><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					The distinction of being a physical machine versus virtual machine matters only in the priority of how entitlements are consumed. Virtual machines are recorded in the subscription service inventory as a regular <code class="systemitem">system</code> type of consumer.
				</div></div></div><div class="para">
				Virtual guests are registered to the subscription service inventory as regular systems and subscribe to entitlements just like any other consumer.
			</div><div class="para">
				Virtual entitlements can only be used by virtual machines. Physical entitlements can be used by both physical and virtual machines. When ascertaining what subscriptions are available for autosubscription, preference is given first to virtual entitlements (which are more restrictive in the type of consumer which can use them), and then to physical entitlements.
			</div></div><div class="section" id="ents-domains"><div class="titlepage"><div><div><h3 class="title" id="ents-domains">14.3.3. Domains</h3></div></div></div><a id="id1074490" class="indexterm"></a><a id="id1074501" class="indexterm"></a><div class="para">
				Consumers in the subscription service inventory are identified by <span class="emphasis"><em>type</em></span>. Most consumers will have a type of <code class="systemitem">system</code>, meaning that each individual server subscribes to its own entitlements for its own use. There is another type of consumer, though, which is available for server groups, the <code class="systemitem">domain</code> type. <code class="systemitem">domain</code>-based entitlements are not allocated to a single system; they are distributed across the group of servers to govern the behavior of that group of servers. (That server group is called a domain.)
			</div><div class="para">
				There are two things to keep in mind about domain entitlements:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Each member of the domain is still registered to the subscription service as a <code class="systemitem">system</code> consumer and added to the inventory individually.
					</div></li><li class="listitem"><div class="para">
						The <code class="systemitem">domain</code> entitlements apply to the behavior <span class="emphasis"><em>of the entire server group</em></span>, not to any one system.
					</div></li></ul></div><div class="para">
				The domain entitlement simply governs the behavior of the domain. A domain entitlement is not limited to a specific type of behavior. Domain entitlements can describe a variety of types of behavior, such as storage quotas or the maximum number of messages to process per day. The entire domain is bound to the subscriptions when one of the domain servers subscribes to the <code class="systemitem">domain</code> entitlements using the Red Hat Subscription Manager tools, and the entitlement certificate is replicated between the domain servers.
			</div></div></div><div class="section" id="registering-machine-ui"><div class="titlepage"><div><div><h2 class="title" id="registering-machine-ui">14.4. Registering, Unregistering, and Reregistering a System</h2></div></div></div><a id="id1074608" class="indexterm"></a><a id="id1074620" class="indexterm"></a><a id="id1074632" class="indexterm"></a><a id="id1074644" class="indexterm"></a><a id="id1074656" class="indexterm"></a><a id="id1074668" class="indexterm"></a><a id="id1074680" class="indexterm"></a><a id="id1074692" class="indexterm"></a><a id="id1074704" class="indexterm"></a><div class="para">
			Entitlements are managed by organizing and maintaining the systems which use entitlement subscriptions. The entitlements and subscriptions are managed by Red Hat through the subscription service. A system is recognized to the subscription service by being <span class="emphasis"><em>registered</em></span> with the service. The subscription service assigns the system (called a <span class="emphasis"><em>consumer</em></span>) a unique ID (essentially as an inventory number) and issues that system an identifying certificate (with the UUID in its subject CN) to identify that system.
		</div><div class="para">
			Whenever a subscription is purchased by an organization, the consumer can <span class="emphasis"><em>subscribe</em></span> to that subscription. This means that a portion of the subscription is allocated to that consumer ID; when the consumer contacts the content delivery network and downloads the software, the licenses have been already assigned to the system. The system has valid certificates for its subscriptions.
		</div><div class="para">
			Systems can be registered with an subscription service during the firstboot process or as part of the kickstart setup (both described in the <em class="citetitle">Installation Guide</em>). Systems can also be registered after they've been configured or removed from the subscription service inventory (unregistered) if they will no longer be managed within that entitlement system.
		</div><div class="section" id="registering-ui"><div class="titlepage"><div><div><h3 class="title" id="registering-ui">14.4.1. Registering Consumers in the Hosted Environment</h3></div></div></div><a id="id807694" class="indexterm"></a><a id="id807710" class="indexterm"></a><a id="id807726" class="indexterm"></a><div class="para">
				For infrastructures which use Red Hat's hosted subscription and content delivery network, all that is required to register the system is the username and password of the Red Hat Network account.
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Launch the Red Hat Subscription Manager GUI. For example:
					</div><pre class="screen">subscription-manager-gui</pre></li><li class="listitem"><div class="para">
						If the system is not already registered, then there will be a <span class="guibutton"><strong>Register</strong></span> button at the top of the window in the <span class="guilabel"><strong>Tools</strong></span> area.
					</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-register.png" /></div></div></li><li class="listitem"><div class="para">
						Enter the username and password of the user account on the subscription service; this is the account used to access the Customer Portal.
					</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-modify-reg.png" width="444" /></div></div></li><li class="listitem"><div class="para">
						Optionally, select the <span class="guilabel"><strong>Automatically subscribe...</strong></span> checkbox, so that the system is subscribed to the best matched subscription when it is registered. Otherwise, the system must be subscribed manually, as in <a class="xref" href="#subscribing-ents">Section 14.6, “Handling Subscriptions”</a>.
					</div></li></ol></div></div><div class="section" id="registering-multiorg"><div class="titlepage"><div><div><h3 class="title" id="registering-multiorg">14.4.2. Registering Consumers to a Local Organization</h3></div></div></div><div class="para">
				Infrastructures which manage their own local content repository and subscription service must have a defined <span class="emphasis"><em>organization</em></span>. This organization is essentially a group definition, and systems must be assigned to that group as part of the registration process. This allows there to be multiple, discrete organizations or tenants within the infrastructure.
			</div><div class="para">
				When a system is registered using the Subscription Manager GUI, Subscription Manager automatically scans the local subscription and content service to see what organizations are configured.
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Make sure that the <code class="filename">rhsm.conf</code> configuration file points to the local subscription service (in the <em class="parameter"><code>hostname</code></em> parameter) and the local content server (in the <em class="parameter"><code>baseurl</code></em> parameter). The Subscription Manager configuration is described in <a class="xref" href="#rhsm-config">Section 14.14, “Configuring the Subscription Service”</a>.
					</div></li><li class="listitem"><div class="para">
						Launch the Red Hat Subscription Manager GUI. For example:
					</div><pre class="screen">subscription-manager-gui</pre></li><li class="listitem"><div class="para">
						Click the <span class="guibutton"><strong>Register</strong></span> button at the top of the window in the <span class="guilabel"><strong>Tools</strong></span> area.
					</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-register.png" /></div></div></li><li class="listitem"><div class="para">
						Enter the username and password of the user account on the subscription service; this is the account used to access the Customer Portal.
					</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-modify-reg.png" width="444" /></div></div></li><li class="listitem"><div class="para">
						Subscription Manager scans the network for available organizations.
					</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-org-select.png" width="444" /></div></div><div class="para">
						When the configured organizations are detected, Subscription Manager prompts for the organization for the system to join. It is only possible to register with one organization.
					</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-org-select2.png" width="444" /></div></div></li><li class="listitem"><div class="para">
						If the selected organization has multiple environments available, then the Subscription Manager will detect them and provide a list. It is possible to join multiple environments. Use the <span class="keycap"><strong>Ctrl</strong></span> key to select multiple environments from the list.
					</div><div class="para">
						If no environment is selected, then Subscription Manager uses the default environment for the organization.
					</div><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
							It is only possible to join an environment during registration. The environments cannot be changed after registration.
						</div></div></div></li><li class="listitem"><div class="para">
						Optionally, select the <span class="guilabel"><strong>Automatically subscribe...</strong></span> checkbox, so that the system is subscribed to the best matched subscription when it is registered. Otherwise, the system must be subscribed manually, as in <a class="xref" href="#subscribing-ents">Section 14.6, “Handling Subscriptions”</a>.
					</div></li></ol></div></div><div class="section" id="registering-oflfine"><div class="titlepage"><div><div><h3 class="title" id="registering-oflfine">14.4.3. Registering an Offline Consumer</h3></div></div></div><div class="para">
				Some systems may not have internet connectivity, but administrators still want to assign and track the subscriptions for that system. This can be done by manually registering the system, rather than depending on Subscription Manager to perform the registration. This has two major steps, first to create an entry on the subscriptions service and then to configure the system.
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Open the <span class="guilabel"><strong>Subscriptions</strong></span> tab in the Customer Portal, and select the <span class="guilabel"><strong>Overview</strong></span> item under the <span class="guilabel"><strong>Certificate-Based Management</strong></span> area.
					</div></li><li class="listitem"><div class="para">
						In the summary of consumers, click the <span class="guilabel"><strong>Register New System</strong></span> link to create the new inventory entry.
					</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-web-consumer-add.png" width="444" /></div></div></li><li class="listitem"><div class="para">
						Fill in the required information for the new consumer type. A system requires information about the architecture and hardware in order to ascertain what subscriptions are available to that system.
					</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-web-consumer-register.png" width="444" /></div></div></li><li class="listitem"><div class="para">
						Once the system is created, assign the appropriate subscriptions to that system.
					</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
								Open the <span class="guibutton"><strong>Available Subscriptions</strong></span> tab.
							</div></li><li class="listitem"><div class="para">
								Click the check boxes by all of the subscriptions to assign, and then click the <span class="guilabel"><strong>Add</strong></span> button.
							</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-web-consumer-sub-add.png" width="444" /></div></div></li></ol></div></li><li class="listitem"><div class="para">
						Once the subscriptions are added, open the <span class="guibutton"><strong>Applied Subscriptions</strong></span> tab.
					</div></li><li class="listitem"><div class="para">
						Click the <span class="guibutton"><strong>Download All Certificates</strong></span> button. This exports all of the entitlements certificates, for each product, to a single <code class="filename">.zip</code> file. Save the file to some kind of portable media, like a flash drive.
					</div></li><li class="listitem"><div class="para">
						Optionally, click the <span class="guibutton"><strong>Download Identity Certificate</strong></span> button. This saves the identity certificate for the registered consumer and could be used by the consumer to connect to the subscription service. If the consumer will permanently be offline, then this is not necessary, but if the consumer could ever be brought onto the network, then this is useful.
					</div></li><li class="listitem"><div class="para">
						Copy the entitlements certificates from the media device over to the consumer.
					</div></li><li class="listitem"><div class="para">
						If all entitlement certificates were downloaded in an archive file, then there are multiple archives in the downloaded <code class="filename">certificates.zip</code> file. Unzip the directories until the PEM files for the entitlement certificates are available.
					</div></li><li class="listitem"><div class="para">
						Import the entitlement certificates. This can be done using the <span class="guibutton"><strong>Import Certificates</strong></span> button in the Subscription Manager GUI or using the <code class="command">import</code> command. For example:
					</div><pre class="screen"># subscription-manager import --certificate=/tmp/export/entitlement_certificates/596576341785244687.pem --certificate=/tmp/export/entitlement_certificates/3195996649750311162.pem
Successfully imported certificate 596576341785244687.pem
Successfully imported certificate 3195996649750311162.pem</pre></li><li class="listitem"><div class="para">
						If you downloaded an identity certificate, copy the <code class="filename">cert.pem</code> file directly into the <code class="filename">/etc/pki/consumer</code> directory. For example:
					</div><pre class="screen">cp /tmp/downloads/cert.pem /etc/pki/consumer</pre></li></ol></div></div><div class="section" id="registering-cmd"><div class="titlepage"><div><div><h3 class="title" id="registering-cmd">14.4.4. Registering from the Command Line</h3></div></div></div><a id="id808349" class="indexterm"></a><a id="id808365" class="indexterm"></a><a id="id808381" class="indexterm"></a><div class="para">
				The simplest way to register a machine is to pass the <code class="command">register</code> command with the user account information required to authenticate to the Certificate-Based Red Hat Network (the credentials used to access subscription service or the Customer Portal). When the system is successfully authenticated, it echoes back the newly-assigned consumer ID and the user account name which registered it.
			</div><div class="para">
				The <code class="command">register</code> options are listed in <a class="xref" href="#tab.register-options">Table 14.2, “register Options”</a>.
			</div><div class="example" id="ex.ents-register"><h6>Example 14.1. Registering a New Consumer</h6><div class="example-contents"><pre class="screen">[root@server1 ~]# subscription-manager register --username admin-example --password secret

7d133d55-876f-4f47-83eb-0ee931cb0a97 admin-example <em class="replaceable"><code>(the new consumer UUID and the account used for registration)</code></em></pre></div></div><br class="example-break" /><div class="para">
				In a multi-org environment, it is required that you specify which organization (essentially an independent group or unit within the main account) to join the system to. This is done by using the <code class="option">--org</code> option in addition to the username and password. The given user must also have the access permissions to add systems to that organization. (See <a class="xref" href="#sam">Section 14.12, “Working with Subscription Asset Manager”</a> for information about organizations and Subscription Asset Manager.)
			</div><div class="example" id="ex.ents-register-org"><h6>Example 14.2. Registering a New Consumer with an Organization</h6><div class="example-contents"><div class="para">
					If there is more than one organization, then the system must be assigned to one specific organization:
				</div><pre class="screen">[root@server1 ~]# subscription-manager register --username admin-example --password secret <strong class="userinput"><code>--org="IT Department"</code></strong>

7d133d55-876f-4f47-83eb-0ee931cb0a97 admin-example <em class="replaceable"><code>(the new consumer UUID and the account used for registration)</code></em></pre><div class="para">
					Organizations can be subdivided into environments, which define access to content based on repositories, product versions, and content sets. While a consumer can only belong to a single organization, it can be assigned to multiple environments within that organization. If no environment is given, the subscription service uses the default environment. See <a class="xref" href="#sam">Section 14.12, “Working with Subscription Asset Manager”</a> for information about organizations and Subscription Asset Manager.
				</div><div class="para">
					A system can only be added to an environment during registration.
				</div><pre class="screen">[root@server1 ~]# subscription-manager register --username admin-example --password secret <strong class="userinput"><code>--org="IT Department" --environment=Dev1,ITall</code></strong></pre></div></div><br class="example-break" /><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					If the system is in a multi-org environment and no organization is given, the <code class="command">register</code> command returns a <span class="errorcode">Remote Server</span> error.
				</div></div></div><div class="para">
				The <code class="command">register</code> command has an option, <code class="option">--autosubscribe</code>, which allows the system to be registered to the subscription service and immediately subscribed to the subscription which best matches its architecture in a single step.
			</div><div class="example" id="ex.ents-register-autosubscribe"><h6>Example 14.3. Automatically Subscribing While Registering</h6><div class="example-contents"><pre class="screen">[root@server1 ~]# subscription-manager register --username admin-example --password secret <strong class="userinput"><code>--autosubscribe</code></strong></pre></div></div><br class="example-break" /><div class="example" id="activating-cli"><h6>Example 14.4. Applying Subscriptions During Registration</h6><div class="example-contents"><div class="para">
					When using the command-line tools to register the system, there is an option that can pass the activation key to apply existing, already-assigned certificates along with the other registration information. The activation keys are set, in a comma-separated list, in the <code class="option">--activationkey</code> option.
				</div><div class="para">
					With an activation key, it is not necessary to give a username and password because the authentication is implicit in the activation key.
				</div><div class="para">
					In hosted or single organization environments, it is not necessary to specify an organization with the <code class="option">--org</code> option, but in multi-org environments, the <code class="option">--org</code> option is required. The organization is <span class="emphasis"><em>not</em></span> defined as part of the activation key. See <a class="xref" href="#sam">Section 14.12, “Working with Subscription Asset Manager”</a> for information about activation keys and Subscription Asset Manager.
				</div><div class="para">
					For example:
				</div><pre class="programlisting"><span class="perl_Comment"># subscription-manager register --activationkey=1234abcd --org="IT Dept"</span></pre></div></div><br class="example-break" /><div class="table" id="tab.register-options"><h6>Table 14.2. register Options</h6><div class="table-contents"><table summary="register Options" border="1"><colgroup><col width="33%" /><col width="33%" /><col width="33%" /></colgroup><thead><tr><th>
								Options
							</th><th>
								Description
							</th><th>
								Required
							</th></tr></thead><tbody><tr><td>
								--username=<span class="emphasis"><em>name</em></span>
							</td><td>
								Gives the content server user account name.
							</td><td>
								Required
							</td></tr><tr><td>
								--password=<span class="emphasis"><em>password</em></span>
							</td><td>
								Gives the password for the user account.
							</td><td>
								Required
							</td></tr><tr><td>
								--org=<span class="emphasis"><em>name</em></span>
							</td><td>
								Gives the organization to which to join the system.
							</td><td>
								Required, except for hosted environments
							</td></tr><tr><td>
								--environment=<span class="emphasis"><em>name</em></span>
							</td><td>
								Registers the consumer to an environment within an organization.
							</td><td>
								Optional
							</td></tr><tr><td>
								--name=<span class="emphasis"><em>machine_name</em></span>
							</td><td>
								Sets the name of the consumer (machine) to register. This defaults to be the same as the hostname.
							</td><td>
								Optional
							</td></tr><tr><td>
								--autosubscribe
							</td><td>
								Automatically subscribes this system to the best-matched compatible subscription. This is good for automated setup operations, since the system can be configured in a single step.
							</td><td>
								Optional
							</td></tr><tr><td>
								--activation_key
							</td><td>
								Applies existing subscriptions as part of the registration process. The subscriptions are pre-assigned by a vendor or by a systems administrator using Subscription Asset Manager.
							</td><td>
								Optional
							</td></tr><tr><td>
								--force
							</td><td>
								Registers the system even if it is already registered. Normally, any register operations will fail if the machine is already registered.
							</td><td>
								Optional
							</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="un-registering"><div class="titlepage"><div><div><h3 class="title" id="un-registering">14.4.5. Unregistering</h3></div></div></div><a id="id808812" class="indexterm"></a><a id="id808824" class="indexterm"></a><a id="id808836" class="indexterm"></a><div class="para">
				The only thing required to unregister a machine is to run the <code class="command">unregister</code> command. This removes the system's entry from the subscription service, unsubscribes it from any subscriptions, and, locally, deletes its identity and entitlement certificates.
			</div><div class="para">
				In the Red Hat Subscription Manager GUI, there is an <span class="guibutton"><strong>Unregister</strong></span> button at the top of the window in the <span class="guilabel"><strong>Tools</strong></span> area.
			</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-unregister.png" /></div></div><div class="para">
				From the command line, this requires only the <code class="command">unregister</code>.
			</div><div class="example" id="ex.ents-unregister"><h6>Example 14.5. Unregistering a Consumer</h6><div class="example-contents"><pre class="programlisting">[root@server1 ~]# subscription-manager unregister</pre></div></div><br class="example-break" /></div><div class="section" id="reregistering"><div class="titlepage"><div><div><h3 class="title" id="reregistering">14.4.6. Restoring a Registration</h3></div></div></div><a id="id808922" class="indexterm"></a><a id="id808934" class="indexterm"></a><a id="id808946" class="indexterm"></a><div class="para">
				There are times when the local registration and subscription information could be lost or corrupted. There could be a hardware failure or system crash. Or other IT considerations may require that a system be moved to a different machine. Whatever the reason, the local subscription configuration is lost.
			</div><div class="para">
				A system can be registered against an existing system entry in the Red Hat subscription service, which essentially restores or reregisters that consumer. The reregister operation uses the original consumer ID with the registration request, so that all of the previous subscriptions associated with the consumer entry are restored along with the registration.
			</div><div class="para">
				Reregistering a system uses the <code class="command">register</code> command. This command passes the original UUID for a system to issue a request to the subscription service to receive a new certificate using the same UUID. This essentially renews its previous registration.
			</div><div class="example" id="ex.ents-identity"><h6>Example 14.6. Registering a System Against an Existing Identity Certificate</h6><div class="example-contents"><div class="para">
					The <code class="command">register</code> command uses the original ID to identify itself to the subscription service and restore its previous subscriptions.
				</div><pre class="programlisting">[root@server1 ~]# subscription-manager register --username admin-example --password secret --consumerid=7d133d55-876f-4f47-83eb-0ee931cb0a97</pre></div></div><br class="example-break" /><div class="table" id="tab.reregister-options"><h6>Table 14.3. register Options to Reregister the System</h6><div class="table-contents"><table summary="register Options to Reregister the System" border="1"><colgroup><col width="33%" /><col width="33%" /><col width="33%" /></colgroup><thead><tr><th>
								Options
							</th><th>
								Description
							</th><th>
								Required
							</th></tr></thead><tbody><tr><td>
								--consumerid
							</td><td>
								Gives the consumer UUID used by an <span class="emphasis"><em>existing</em></span> consumer. The system's consumer entry must exist in the Red Hat subscription service for the reregister operation to succeed.
							</td><td>
								Required
							</td></tr><tr><td>
								--username=<span class="emphasis"><em>name</em></span>
							</td><td>
								Gives the content server user account name.
							</td><td>
								Optional
							</td></tr><tr><td>
								--password=<span class="emphasis"><em>password</em></span>
							</td><td>
								Gives the password for the user account.
							</td><td>
								Optional
							</td></tr></tbody></table></div></div><br class="table-break" /></div></div><div class="section" id="rhn-migration"><div class="titlepage"><div><div><h2 class="title" id="rhn-migration">14.5. Migrating Systems from RHN Classic to Certificate-based Red Hat Network</h2></div></div></div><div class="para">
			As described in <a class="xref" href="#classic-v-rhn">Section 14.1.6, “RHN Classic v. Certificate-based Red Hat Network”</a> and <a href="https://access.redhat.com/kb/docs/DOC-45987">https://access.redhat.com/kb/docs/DOC-45987</a>, there are differences in how RHN Classic and Certificate-based Red Hat Network define and manage subscriptions.
		</div><div class="para">
			As part of migration, the RHN Classic channels are mapped to Certificate-based Red Hat Network X.509 product certificates for every installed product. Subscription Manager can use those certificates to subscribe or autosubscribe the system to the appropriate subscriptions once it is registered.
		</div><div class="para">
			Migration tools are available to transition system registration from RHN Classic to Certificate-based Red Hat Network and then re-apply its previous subscriptions. Product certificates in general are described in <a class="xref" href="#structure-of-product-certificates">Section 14.15.3, “The Structure of Product Certificates”</a>.
		</div><div class="para">
			There are two migration paths supported:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					From being registered with RHN Classic Hosted to being registered with Certificate-based Red Hat Network, using <code class="command">rhn-migrate-classic-to-rhsm</code>
				</div></li><li class="listitem"><div class="para">
					From a disconnected (offline) system using RHN Classic-style channels to using Certificate-based Red Hat Network X.509 certificates for installed products, using <code class="command">install-num-migrate-to-rhsm</code>
				</div></li></ul></div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
				There is no migration path from a Satellite system to Certificate-based Red Hat Network.
			</div></div></div><div class="section" id="install-migration-tools"><div class="titlepage"><div><div><h3 class="title" id="install-migration-tools">14.5.1. Installing the Migration Tools</h3></div></div></div><div class="para">
				The migration tools are contained in the <span class="package">subscription-manager-migration</span> package. An additional package, <span class="package">subscription-manager-migration-data</span>, is required to map the RHN Classic channels to Certificate-based Red Hat Network product certificates.
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						The migration tools and data are in supplementary channels. If necessary, enable the supplementary repositories, as described in <a class="xref" href="#entitlements-and-yum">Section 14.9, “Working with Subscription yum Repos”</a>.
					</div></li><li class="listitem"><div class="para">
						Install the migration tool packages.
					</div><pre class="programlisting">[root@server ~]# yum <span class="perl_BString">install</span> subscription-manager-migration subscription-manager-migration-data</pre></li></ol></div></div><div class="section" id="rhn-migrate-classic"><div class="titlepage"><div><div><h3 class="title" id="rhn-migrate-classic">14.5.2. Migrating from RHN Classic to Certificate-based Red Hat Network</h3></div></div></div><div class="para">
				A system which was registered against the hosted subscription service, RHN Classic, can be migrated to Certificate-based Red Hat Network using the <code class="command">rhn-migrate-classic-to-rhsm</code> script.
			</div><div class="para">
				The general action is that it unregisters the system from RHN Classic, registers it with Certificate-based Red Hat Network, and opens Subscription Manager (either GUI or CLI) to assign subscriptions.
			</div><div class="para">
				The <code class="command">rhn-migrate-classic-to-rhsm</code> script has this syntax:
			</div><pre class="screen">rhn-migrate-classic-to-rhsm [--force|--cli-only|--help|--no-auto]</pre><div class="para">
				After running migration, the system facts list what script was used for migration and what the previous system ID was.
			</div><pre class="programlisting">[root@server ~]# subscription-manager facts --list <span class="perl_Keyword">|</span> <span class="perl_BString">grep</span> migr
migration.classic_system_id: 09876
migration.migrated_from: rhn_hosted_classic</pre><div class="para">
				This makes it easy to track the migration process for systems within the infrastructure.
			</div><div class="example" id="ex.rhn-migrate-basic"><h6>Example 14.7. Basic RHN Classic to Certificate-based Red Hat Network Migration</h6><div class="example-contents"><div class="para">
					Simply running the <code class="command">rhn-migrate-classic-to-rhsm</code> tool migrates the system profile and then opens the Subscription Manager GUI so that administrators can assign subscriptions to the system.
				</div><div class="para">
					While administrators only have to run the command, the script itself runs through a series of steps to migrate the account.
				</div><pre class="programlisting">[root@server ~]# rhn-migrate-classic-to-rhsm
RHN Username: jsmith@example.com
Password:</pre><div class="para">
					The script prompts for the username and password to use to connect to Red Hat Network. It uses these credentials to authenticate to both Red Hat Network Classic and Certificatebased Red Hat Network, to verify the account settings.
				</div><div class="para">
					Once the account is verified, the script creates a channel list for the system.
				</div><pre class="screen">Retrieving existing RHN classic subscription information ...
+----------------------------------+
System is currently subscribed to:
+----------------------------------+
rhel-i386-client-5</pre><div class="para">
					Each discovered channel is then mapped to a corresponding product certificate (<a class="xref" href="#rhn-channel-mappings">Section 14.5.5, “Looking at Channel and Certificate Mappings”</a>). Not every product has a product certificate, so not every channel may have a map. Only the channels with a certificate channel to a corresponding certificate map.
				</div><div class="para">
					The matching certificates are copied into the <code class="filename">/etc/pki/product</code> directory.
				</div><pre class="screen">List of channels for which certs are being copied
rhel-i386-client-5

Product Certificates copied successfully to /etc/pki/product !!</pre><div class="para">
					Then, the script unregisters the system from RHN Classic.
				</div><pre class="screen">Preparing to unregister system from RHN classic ...
System successfully unregistered from RHN Classic.</pre><div class="para">
					Then, it registers the system with Certificate-based Red Hat Network.
				</div><pre class="screen">Attempting to register system to Certificate-based RHN ...
The system has been registered with id: abcd1234
System server.example.com successfully registered to Certificate-based RHN.

Launching the GUI tool to manually subscribe the system ...</pre><div class="para">
					The last step opens the Subscription Manager GUI to the <span class="guilabel"><strong>All Available Subscriptions</strong></span> tab so that the administrator can manually assign the subscriptions to the system.
				</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-subscribe-avail.png" width="444" /></div></div></div></div><br class="example-break" /><div class="para">
				Alternatively, the <code class="command">rhn-migrate-classic-to-rhsm</code> can automatically subscribe the system to matching subscriptions.
			</div><div class="example" id="ex.rhn-migrate-cli"><h6>Example 14.8. All CLI-Based Migration</h6><div class="example-contents"><div class="para">
					The <code class="option">--cli-only</code> option tells the <code class="command">rhn-migrate-classic-to-rhsm</code> to register the system with the autosubscribe option, so all of the migration process occurs in the command line.
				</div><div class="para">
					The overall process is identical to the one in <a class="xref" href="#ex.rhn-migrate-basic">Example 14.7, “Basic RHN Classic to Certificate-based Red Hat Network Migration”</a> until the final step.
				</div><pre class="programlisting">[root@server ~]# rhn-migrate-classic-to-rhsm --cli-only
RHN Username: jsmith@example.com
Password:

....

Attempting to auto-subscribe to appropriate subscriptions ...
Installed Product Current Status:
ProductName:            <span class="perl_BString">Red</span> Hat Enterprise Linux Desktop
Status:                 Subscribed

Please visit https://access.redhat.com/management/consumers/abcd1234 to view the details, and to <span class="perl_BString">make</span> changes <span class="perl_Keyword">if</span> necessary.</pre></div></div><br class="example-break" /></div><div class="section" id="rhn-migrate-unregister-only"><div class="titlepage"><div><div><h3 class="title" id="rhn-migrate-unregister-only">14.5.3. Unregistering from RHN Classic Only</h3></div></div></div><div class="para">
				There may be an instance where a system should be unregistered from RHN Classic but is not yet ready to be registered to Certificate-based Red Hat Network. The <code class="command">rhn-migrate-classic-to-rhsm</code> tool can be used simply to unregister a system from RHN Classic. This still copies over the product certificates for the classic channels to configure the system in the style of certificate-based subscriptions, but it does not register the machine with subscription service.
			</div><div class="para">
				To unregister the system only, use the <code class="option">--no-auto</code> option.
			</div><pre class="programlisting">[root@server ~]# rhn-migrate-classic-to-rhsm --no-auto
RHN Username: jsmith@example.com
Password:

Retrieving existing RHN classic subscription information ...
+----------------------------------+
System is currently subscribed to:
+----------------------------------+
rhel-i386-client-5

List of channels <span class="perl_Keyword">for</span> <span class="perl_BString">which</span> certs are being copied
rhel-i386-client-5

Product Certificates copied successfully to /etc/pki/product !!

Preparing to unregister system from RHN classic ...
System successfully unregistered from RHN Classic.</pre><div class="para">
				Because there are product certificates, Subscription Manager will show a red, invalid status for the system and issue notifications until the system is registered and subscriptions applied.
			</div></div><div class="section" id="rhn-install-num"><div class="titlepage"><div><div><h3 class="title" id="rhn-install-num">14.5.4. Migrating a Disconnected System</h3></div></div></div><div class="para">
				Some systems may never be connected to an external network or may be prevented from accessing Red Hat Network or a Satellite system. These systems still require valid subscriptions and product certificates, though.
			</div><div class="para">
				The <code class="command">rhn-migrate-classic-to-rhsm</code> uses the information in <code class="filename">/etc/sysconfig/rhn/systemid</code> to get the previous registration information and map channels to certificates. If a system is disconnected, it may not have a <code class="filename">systemid</code> file.
			</div><div class="para">
				Most systems, even ones never registered with RHN Classic, do have an installation number. When Red Hat software is purchased through a vendor, the purchased software is identified in an installation number or subscription number (described in <a href="https://access.redhat.com/kb/docs/DOC-15408">https://access.redhat.com/kb/docs/DOC-15408</a>) in the <code class="filename">/etc/sysconfig/rhn/install-num file</code>.
			</div><div class="para">
				The installation number is in essence a code which contains all of the information about the products and versions purchased for the system. For example, this installation number shows that it is valid for RHEL Client and RHEL Workstation channels.
			</div><pre class="programlisting">[root@server ~]# python /usr/lib/python2.4/site-packages/instnum.py da3122afdb7edd23
Product: RHEL Client
<span class="perl_Reserved">Type</span>: Installer Only
Options: <span class="perl_Reserved">Eval</span> FullProd Workstation
Allowed CPU Sockets: Unlimited
Allowed Virtual Instances: Unlimited
Package Repositories: Client Workstation

key: 14299426 <span class="perl_String">"da3122"</span>
checksum: 175 <span class="perl_String">"af"</span>
options: 4416 <span class="perl_String">"Eval FullProd Workstation"</span>
socklimit: -1 <span class="perl_String">"Unlimited"</span>
virtlimit: -1 <span class="perl_String">"Unlimited"</span>
<span class="perl_Reserved">type</span>: 2 <span class="perl_String">"Installer Only"</span>
product: 1 <span class="perl_String">"client"</span>

{<span class="perl_String">"Workstation"</span>: <span class="perl_String">"Workstation"</span>, <span class="perl_String">"Base"</span>: <span class="perl_String">"Client"</span>}</pre><div class="para">
				For a system which is not connected to either RHN Classic or a Satellite system, the installation number can be used to transition the product information from the older channel-based subscription model to the X.509 certificate model, managed by Subscription Manager.
			</div><div class="para">
				The <code class="command">install-num-migrate-to-rhsm</code> script identifies the channels that a disconnected system is subscribed to and then copies in the appropriate product certificates. Simply run the command:
			</div><pre class="programlisting">[root@server ~]# <span class="perl_BString">install</span>-num-migrate-to-rhsm</pre><div class="para">
				The script copies in the product certificates for the channels into the <code class="filename">/etc/pki/product</code> directory.
			</div><div class="para">
				Once the system is migrated, it can be registered remotely and have entitlement certificates installed as described in <a class="xref" href="#registering-oflfine">Section 14.4.3, “Registering an Offline Consumer”</a>.
			</div><div class="para">
				Even though the system is not registered, the system facts display what script was used for migration.
			</div><pre class="programlisting">[root@server ~]# subscription-manager facts --list <span class="perl_Keyword">|</span> <span class="perl_BString">grep</span> migr
migration.migrated_from: <span class="perl_BString">install</span>_number</pre><div class="para">
				Because the system was not previously registered with RHN Classic, the migration facts do not include a system ID number.
			</div></div><div class="section" id="rhn-channel-mappings"><div class="titlepage"><div><div><h3 class="title" id="rhn-channel-mappings">14.5.5. Looking at Channel and Certificate Mappings</h3></div></div></div><div class="para">
				The <span class="package">subscription-manager-migration-data</span> package contains a mapping file that maps RHN Classic channels to Certificate-based Red Hat Network product certificates. This file (<code class="filename">/usr/share/rhsm/product/RHEL-5/channel-cert-mapping.txt</code>) uses simple keys to map the values:
			</div><pre class="screen"><em class="replaceable"><code>channel_name</code></em>: <em class="replaceable"><code>product_name-hash-product_cert</code></em>.pem</pre><div class="para">
				For example, this maps the Red Hat Enterprise Linux Client channel to the corresponding product certificate:
			</div><pre class="screen">rhel-i386-client-workstation-5: Client-Workstation-i386-b0d4c042-6e31-45a9-bd94-ff0b82e43b1a-71.pem</pre><div class="para">
				During migration, that mapping is translated into <span class="emphasis"><em>product_cert</em></span><code class="filename">.pem</code> and the product certificate is copied into the <code class="filename">/etc/pki/product</code> directory. For the <code class="command">rhel-i386-client-workstation-5</code>, this migrates to the <code class="filename">71.pem</code> product certificate (the last two digits of the mapping).
			</div><div class="para">
				However, many channels are available for legacy systems only or have not yet released an X.509 product certificate. In that case, the channel has no mapping.
			</div><pre class="screen">jbappplatform-4.3.0-fp-i386-server-5-rpm: none</pre><div class="para">
				This can create a situation where not all channels are migrated over to Certificate-based Red Hat Network or where products are not fully subscribed.
			</div></div></div><div class="section" id="subscribing-ents"><div class="titlepage"><div><div><h2 class="title" id="subscribing-ents">14.6. Handling Subscriptions</h2></div></div></div><a id="id809734" class="indexterm"></a><a id="id823838" class="indexterm"></a><a id="id823850" class="indexterm"></a><div class="para">
			Assigning a <span class="emphasis"><em>subscription</em></span> to a system gives the system the ability to install and update any Red Hat product in that subscription. A subscription is a list of all of the products, in all variations, that were purchased at one time, and it defines both the products and the number of times that subscription can be used (the quantity of that product). The quantity is roughly the number of user licenses available. When one of those licenses is allocated to a system, that system is <span class="emphasis"><em>subscribed</em></span> to the subscription.
		</div><div class="para">
			A subscription is available to a system based on the system's architecture and other installed products. Subscriptions that are available for a platform (based on its hardware and operating system) are <span class="emphasis"><em>compatible</em></span>. When the subscription is actually assigned to the machine, the subscription is <span class="emphasis"><em>consumed</em></span>.
		</div><div class="para">
			A system can be subscribed to multiple subscriptions, a single subscription, or a single product. Subscribing a system requires the ID number of the subscription or the subscription key for the product.
		</div><div class="para">
			Unsubscribing a machine removes the entitlement to any of the products in the subscription, but the machine remains registered with the subscription service. Unsubscribing one system frees the subscription so that it can be allocated to another system.
		</div><div class="section" id="sub-ui"><div class="titlepage"><div><div><h3 class="title" id="sub-ui">14.6.1. Subscribing and Unsubscribing through the Red Hat Subscription Manager GUI</h3></div></div></div><div class="section" id="subscribing-product-ui"><div class="titlepage"><div><div><h4 class="title" id="subscribing-product-ui">14.6.1.1. Subscribing to a Product</h4></div></div></div><a id="id823922" class="indexterm"></a><a id="id823938" class="indexterm"></a><a id="id823954" class="indexterm"></a><div class="orderedlist"><ol><li class="listitem"><div class="para">
							Launch the Red Hat Subscription Manager GUI. For example:
						</div><pre class="screen">subscription-manager-gui</pre></li><li class="listitem"><div class="para">
							Open the <span class="guilabel"><strong>All Available Subscriptions</strong></span> tab.
						</div></li><li class="listitem"><div class="para">
							Set the filters to use to search for available entitlements. Subscriptions can be filtered by their active date and by their name. The checkboxes provide more fine-grained filtering:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<span class="emphasis"><em>match my system</em></span> shows only subscriptions which match the system architecture.
								</div></li><li class="listitem"><div class="para">
									<span class="emphasis"><em>match my installed products</em></span> shows subscriptions which work with currently installed products on the system.
								</div></li><li class="listitem"><div class="para">
									<span class="emphasis"><em>have no overlap with existing subscriptions</em></span> excludes subscriptions with duplicate products. If a system is already subscribed to an entitlement for a specific product or if multiple entitlements supply the same product, then the subscription service filters those subscriptions and shows only the best fit.
								</div></li></ul></div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-subscribe-filter.png" width="444" /></div></div></li><li class="listitem"><div class="para">
							Select the available entitlements. To select multiple subscriptions, use the <span class="keycap"><strong>Ctrl</strong></span> key.
						</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-subscribe-select.png" width="444" /></div></div></li><li class="listitem"><div class="para">
							Click the <span class="guibutton"><strong>Subscribe</strong></span> button.
						</div></li></ol></div></div><div class="section" id="unsubscribing-product-ui"><div class="titlepage"><div><div><h4 class="title" id="unsubscribing-product-ui">14.6.1.2. Unsubscribing through the GUI</h4></div></div></div><a id="id824122" class="indexterm"></a><a id="id824138" class="indexterm"></a><a id="id824154" class="indexterm"></a><div class="orderedlist"><ol><li class="listitem"><div class="para">
							Launch the Red Hat Subscription Manager GUI. For example:
						</div><pre class="screen">subscription-manager-gui</pre></li><li class="listitem"><div class="para">
							Open the <span class="guilabel"><strong>My Subscriptions</strong></span> tab.
						</div><div class="para">
							All of the active subscriptions to which the system is currently subscribed are listed. (The products available through the subscription may or may not be installed.)
						</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-subscribed.png" width="444" /></div></div></li><li class="listitem"><div class="para">
							Select the entitlements to unsubscribe. To select multiple subscriptions, use the <span class="keycap"><strong>Ctrl</strong></span> key.
						</div></li><li class="listitem"><div class="para">
							Click the <span class="guibutton"><strong>Unsubscribe</strong></span> button in the bottom right of the window.
						</div></li></ol></div></div></div><div class="section" id="sub-cli"><div class="titlepage"><div><div><h3 class="title" id="sub-cli">14.6.2. Handling Subscriptions through the Command Line</h3></div></div></div><div class="section" id="subscribing-product-cmd"><div class="titlepage"><div><div><h4 class="title" id="subscribing-product-cmd">14.6.2.1. Subscribing from the Command Line</h4></div></div></div><a id="id824268" class="indexterm"></a><a id="id824284" class="indexterm"></a><a id="id824300" class="indexterm"></a><div class="para">
					Subscribing a machine through the command line requires specifying the individual product or subscription to subscribe to, using the <code class="option">--pool</code> option.
				</div><pre class="programlisting">[root@server1 ~]# subscription-manager subscribe --pool=XYZ01234567</pre><div class="para">
					The options for the <code class="command">subscribe</code> command are listed in <a class="xref" href="#tab.subscribe-options">Table 14.4, “subscribe Options”</a>.
				</div><div class="para">
					The ID of the subscription pool for the purchased product must be specified, and this pool ID is listed with the product subscription information, from running the <code class="command">list</code> command:
				</div><pre class="programlisting">[root@server1 ~]# subscription-manager list --available

+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+

ProductName:            RHEL <span class="perl_Keyword">for</span> Physical Servers
ProductId:              MKT-rhel-server
PoolId:                 ff8080812bc382e3012bc3845ca000cb
Quantity:               10
Expires:                2011-09-20</pre><div class="para">
					Alternatively, the system can be subscribed to the best-fitting subscriptions, as identified by the subscription service, by using the <code class="option">--auto</code> option (which is analogous to the <code class="option">--autosubscribe</code> option with the <code class="command">register</code> command).
				</div><pre class="programlisting">[root@server1 ~]# subscription-manager subscribe --auto</pre><div class="table" id="tab.subscribe-options"><h6>Table 14.4. subscribe Options</h6><div class="table-contents"><table summary="subscribe Options" border="1"><colgroup><col width="33%" /><col width="33%" /><col width="33%" /></colgroup><thead><tr><th>
									Options
								</th><th>
									Description
								</th><th>
									Required
								</th></tr></thead><tbody><tr><td>
									--pool=<span class="emphasis"><em>pool-id</em></span>
								</td><td>
									Gives the ID for the subscription to subscribe the machine to.
								</td><td>
									Required, unless <code class="option">--auto</code> is used
								</td></tr><tr><td>
									--auto
								</td><td>
									Automatically subscribes the system to the best-match subscription or subscriptions.
								</td><td>
									Optional
								</td></tr><tr><td>
									--quantity
								</td><td>
									Subscribes multiple counts of an entitlement to the system. This is used to cover subscriptions that define a count limit, like using two 2-socket server subscriptions to cover a 4-socket machine.
								</td><td>
									Optional
								</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="unsubscribing-product-cmd"><div class="titlepage"><div><div><h4 class="title" id="unsubscribing-product-cmd">14.6.2.2. Unsubscribing from the Command Line</h4></div></div></div><a id="id824502" class="indexterm"></a><a id="id824518" class="indexterm"></a><a id="id824534" class="indexterm"></a><div class="para">
					A system can be subscribed to multiple subscriptions and products. The system can be unsubscribed from a single subscription or product or from every subscribed product.
				</div><div class="para">
					Running the <code class="command">unsubscribe</code> command with the <code class="option">--all</code> unsubscribes the system from every product and subscription pool it is currently subscribed to.
				</div><pre class="programlisting">[root@server1 ~]# subscription-manager unsubscribe --all</pre><div class="para">
					It is also possible to unsubscribe from a single product. Each product has an identifying X.509 certificate installed with it, and the product to unsubscribe from can be identified with the <code class="command">unsubscribe</code> command to remove only that product subscription.
				</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
							Get the serial number for the product certificate, if you are unsubscribing from a single product. The serial number can be obtained from the <code class="filename">cert.pem</code> file or by using the <code class="command">list</code> command. For example:
						</div><pre class="programlisting">[root@server1 ~]# subscription-manager list --consumed

+-------------------------------------------+
    Consumed Product Subscriptions
+-------------------------------------------+

ProductName:         High availability <span class="perl_Keyword">(</span>cluster suite<span class="perl_Keyword">)</span>
ContractNumber:      0
SerialNumber:        11287514358600162
Active:              <span class="perl_BString">True</span>
Begins:              2010-09-18
Expires:             2011-11-18</pre></li><li class="listitem"><div class="para">
							Run the subscription-manager tool with the <code class="option">--serial</code> option to specify the certificate.
						</div><pre class="programlisting">[root@server1 ~]# subscription-manager unsubscribe --serial=11287514358600162</pre></li></ol></div></div></div><div class="section" id="stacking"><div class="titlepage"><div><div><h3 class="title" id="stacking">14.6.3. Stacking Subscriptions</h3></div></div></div><div class="para">
				Some subscriptions define a <span class="emphasis"><em>count</em></span> which works as a restriction on the subscription. For example, counts can be set on the number of sockets or CPUs on a machine, the number of virtual guests on a host, or the number of clients in a domain.
			</div><div class="para">
				The entire count must be covered for the system to be fully entitled. If there are four sockets on a machine, then the server subscriptions must cover four sockets, or if there are eight guests, then there must be enough to cover all eight guests.
			</div><div class="para">
				Many subscriptions can be combined together to cover the count on the system. Two subscriptions for <span class="emphasis"><em>RHEL Server for 2-Sockets</em></span> can be combined together to cover a four-socket machine. These subscriptions can be <span class="emphasis"><em>stacked</em></span>.
			</div><div class="para">
				There are some rules on what subscriptions can be stacked:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Subscriptions can be stacked by using multiple quantities from the same subscription set.
					</div></li><li class="listitem"><div class="para">
						Subscriptions from different contracts can be stacked together.
					</div></li><li class="listitem"><div class="para">
						Only the same product subscription can be stacked. <span class="emphasis"><em>RHEL Server for 2-Sockets</em></span> can be stacked with another <span class="emphasis"><em>RHEL Server for 2-Sockets</em></span> subscription, but not with <span class="emphasis"><em>RHEL Server for Virtualization</em></span>, even if they both cover the socket count.
					</div></li><li class="listitem"><div class="para">
						Stackable entitlements are indicated in the Subscription Manager UI with an asterisk (*). In the UI, available subscriptions are grouped first by what subscriptions are compatible for stacking, and then by other available subscriptions.
					</div></li></ul></div><div class="para">
				To stack subscriptions in the Subscription Manager UI, simply set the <span class="guilabel"><strong>Quantity</strong></span> field to the required quantity to cover the count.
			</div><div class="figure" id="fig.stacking-ui"><div class="figure-contents"><div class="mediaobject"><img src="images/rhsm-stacking.png" width="444" alt="Stacking Quantities" /></div></div><h6>Figure 14.13. Stacking Quantities</h6></div><br class="figure-break" /><div class="para">
				To stack subscriptions from the command line, use the <code class="option">--quantity</code> option. The quantity taken applies to the product in the <code class="option">--pool</code> option:
			</div><pre class="programlisting">[root@server1 ~]# subscription-manager subscribe --pool=XYZ01234567 --quantity=2</pre></div><div class="section" id="ADDING-SUB"><div class="titlepage"><div><div><h3 class="title" id="ADDING-SUB">14.6.4. Manually Adding a New Subscription</h3></div></div></div><a id="id824789" class="indexterm"></a><a id="id824805" class="indexterm"></a><a id="id824821" class="indexterm"></a><div class="para">
				In certain situations, new product subscriptions can be added by uploading the X.509 entitlements certificate directly rather than polling the subscription service. For example, consumers which are offline must have subscriptions manually added because they cannot connect to the subscription service directly.
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Retrieve the certificate information for the consumer from the Customer Portal.
					</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
								Open the <span class="guilabel"><strong>Subscriptions</strong></span> tab in the Customer Portal, and select the <span class="guilabel"><strong>Overview</strong></span> item under the <span class="guilabel"><strong>Certificate-Based Management</strong></span> area.
							</div></li><li class="listitem"><div class="para">
								In the summary of consumers, click the name of the offline consumer.
							</div></li><li class="listitem"><div class="para">
								If necessary, assign the subscriptions to the consumer.
							</div></li><li class="listitem"><div class="para">
								Open the <span class="guibutton"><strong>Applied Subscriptions</strong></span> tab.
							</div></li><li class="listitem"><div class="para">
								Click the <span class="guibutton"><strong>Download All Certificates</strong></span> button. This exports all of the entitlements certificates, for each product, to a single <code class="filename">.zip</code> file. Save the file to some kind of portable media, like a flash drive.
							</div><div class="para">
								To download individual entitlement certificates, click the <span class="guilabel"><strong>Download</strong></span> link on the row for the subscription.
							</div></li></ol></div></li><li class="listitem"><div class="para">
						Copy the certificates over to the consumer machine.
					</div></li><li class="listitem"><div class="para">
						If all certificates were downloaded in an archive file, then there are multiple archives in the downloaded <code class="filename">certificates.zip</code> file. Unzip the directories until the PEM files for the subscription certificates are available.
					</div></li><li class="listitem"><div class="para">
						Import the certificates.
					</div><div class="para">
						This can be done from the command line using the <code class="command">import</code> command:
					</div><pre class="screen"># subscription-manager import --certificate=/tmp/export/entitlement_certificates/596576341785244687.pem --certificate=/tmp/export/entitlement_certificates/3195996649750311162.pem
Successfully imported certificate 596576341785244687.pem
Successfully imported certificate 3195996649750311162.pem</pre><div class="para">
						This can also be performed through the Subscription Manager GUI:
					</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
								Launch the Red Hat Subscription Manager GUI. For example:
							</div><pre class="screen">subscription-manager-gui</pre></li><li class="listitem"><div class="para">
								In the <span class="guilabel"><strong>Tools</strong></span> area, click the <span class="guibutton"><strong>Import Certificate</strong></span> button.
							</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-prod-subscribe1.png" /></div></div></li><li class="listitem"><div class="para">
								Click the file folder icon at the right of the field to navigate to the <code class="filename">.pem</code> file of the product certificate.
							</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-uploadcerts.png" width="444" /></div></div></li><li class="listitem"><div class="para">
								Click the <span class="guibutton"><strong>Import Certificate</strong></span> button.
							</div></li></ol></div></li></ol></div><div class="para">
				The consumer is then entitled for all of the subscription that were uploaded.
			</div></div></div><div class="section" id="activating-machine"><div class="titlepage"><div><div><h2 class="title" id="activating-machine">14.7. Redeeming Subscriptions on a Machine</h2></div></div></div><div class="para">
			Systems can be set up with pre-existing subscriptions already available to that system. For some systems which were purchased through third-party vendors, a subscription to Red Hat products is included with the purchase of the machine. Companies using the Subscription Asset Manager can allocate subscriptions to their own systems by creating <span class="emphasis"><em>activation keys</em></span> which are used to claim those assigned subscriptions.
		</div><div class="para">
			Red Hat Subscription Manager pulls information about the system hardware and the BIOS into the system facts to recognize the hardware vendor. If the vendor and BIOS information matches a certain configuration, then the subscription can be <span class="emphasis"><em>redeemed</em></span>, which will allow the system to be automatically subscribed to the entitlements purchased with the machine.
		</div><div class="para">
			This diverges from the normal subscription process by adding an extra step:
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					The machine is registered first (<a class="xref" href="#registering-machine-ui">Section 14.4, “Registering, Unregistering, and Reregistering a System”</a>). This can be done as normal or the activation keys can be submitted with command-line registrations.
				</div></li><li class="listitem"><div class="para">
					The subscriptions are redeemed using the given activation keys.
				</div></li><li class="listitem"><div class="para">
					The system is then subscribed to its subscriptions (<a class="xref" href="#subscribing-ents">Section 14.6, “Handling Subscriptions”</a>).
				</div></li></ol></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				Activation keys may be generated by a hardware vendor (external to your organization). Activation keys may also be generated using the <span class="emphasis"><em>Subscription Asset Manager</em></span>, which is a local subscription service, which is described in the <a href="http://docs.redhat.com/docs/en-US/Red_Hat_Subscription_Asset_Manager/1.0/html/Installation_Guide/index.html">Subscription Asset Manager documentation</a> and <a class="xref" href="#sam">Section 14.12, “Working with Subscription Asset Manager”</a>.
			</div></div></div><div class="section" id="activating-gui"><div class="titlepage"><div><div><h3 class="title" id="activating-gui">14.7.1. Redeeming Subscriptions through the GUI</h3></div></div></div><div class="note"><div class="admonition_header"><h2>The Activate Subscription Button</h2></div><div class="admonition"><div class="para">
					If the machine does not have any subscriptions to be redeemed, then the <span class="guibutton"><strong>Activate Subscription</strong></span> button is not there.
				</div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Launch the Red Hat Subscription Manager GUI. For example:
					</div><pre class="screen">subscription-manager-gui</pre></li><li class="listitem"><div class="para">
						At the top of the main window, click the <span class="guibutton"><strong>Activate Subscription</strong></span> button.
					</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-activate.png" width="444" /></div></div></li><li class="listitem"><div class="para">
						In the pop-up window, enter the email address to send the notification to when the redemption is complete.
					</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-activate-email-popup.png" /></div></div></li><li class="listitem"><div class="para">
						Click the <span class="guibutton"><strong>Activate</strong></span> button.
					</div></li></ol></div><div class="para">
				It can take up to ten minutes for the confirmation email to arrive.
			</div></div><div class="section" id="activating-register"><div class="titlepage"><div><div><h3 class="title" id="activating-register">14.7.2. Redeeming Subscriptions on a Machine through the Command Line</h3></div></div></div><div class="para">
				The machine subscriptions are redeemed by running the <code class="command">redeem</code> command, with an email address to send the redemption email to when the process is complete.
			</div><pre class="programlisting"><span class="perl_Comment"># subscription-manager redeem --email=jsmith@example.com</span></pre><div class="para">
				In a multi-organization environment, it is also necessary to specify the organization which issued the activation keys. For example:
			</div><pre class="programlisting"><span class="perl_Comment"># subscription-manager redeem --email=jsmith@example.com --org="IT Dept"</span></pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					The machine must be registered <span class="emphasis"><em>first</em></span> so that the subscription service can properly identify the system and its subscriptions.
				</div></div></div></div></div><div class="section" id="viewing-ents"><div class="titlepage"><div><div><h2 class="title" id="viewing-ents">14.8. Viewing Available and Used Subscriptions</h2></div></div></div><div class="para">
			To manage subscriptions, administrators need to know both what subscriptions a system is currently consuming and what subscriptions are available to the system.
		</div><div class="section" id="viewing-ents-ui"><div class="titlepage"><div><div><h3 class="title" id="viewing-ents-ui">14.8.1. Viewing Subscriptions in the GUI</h3></div></div></div><a id="id825371" class="indexterm"></a><a id="id825387" class="indexterm"></a><a id="id825403" class="indexterm"></a><div class="para">
				The Red Hat Subscription Manager tools give a more detailed view of subscriptions and entitlements than is available through the global tools of the Customer Portal. Three tabs summarize each of the subscriptions and products for the specific machine: installed products (with subscriptions), subscribed entitlements, and available subscriptions.
			</div><div class="para">
				These summaries are always displayed in the Red Hat Subscription Manager UI.
			</div><div class="formalpara"><h5 class="formalpara" id="id825430">Subscribed Entitlements</h5>
					The <span class="guibutton"><strong>My Subscriptions</strong></span> area shows all of the current entitlements that the system is subscribed to.
				</div><div class="figure" id="fig.subscribed-tab"><div class="figure-contents"><div class="mediaobject"><img src="images/rhsm-subscribed2.png" width="444" alt="My Subscriptions Tab" /></div></div><h6>Figure 14.14. My Subscriptions Tab</h6></div><br class="figure-break" /><div class="formalpara"><h5 class="formalpara" id="id825473">Available Subscriptions</h5>
					The <span class="guibutton"><strong>All Available Subscriptions</strong></span> area shows all of the subscriptions that are available to the system. The default displays only entitlements that are compatible with the hardware, but these can be filtered to show entitlements corresponding to other installed programs, only subscriptions that have not been installed, and subscriptions based on date.
				</div><div class="figure" id="fig.available-tab"><div class="figure-contents"><div class="mediaobject"><img src="images/rhsm-subscribe-avail.png" width="444" alt="All Available Subscriptions Tab" /></div></div><h6>Figure 14.15. All Available Subscriptions Tab</h6></div><br class="figure-break" /><a id="id825518" class="indexterm"></a><a id="id825534" class="indexterm"></a><a id="id825550" class="indexterm"></a><div class="para">
				The filters dynamically search for available entitlements. Subscriptions can be filtered by their active date and by their name. The checkboxes provide more fine-grained filtering:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="emphasis"><em>match my system</em></span> shows only subscriptions which match the system architecture.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>match my installed products</em></span> shows subscriptions which work with currently installed products on the system.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>have no overlap with existing subscriptions</em></span> excludes subscriptions with duplicate products. If a system is already subscribed to an entitlement for a specific product or if multiple entitlements supply the same product, then the subscription service filters those subscriptions and shows only the best fit.
					</div></li></ul></div><div class="formalpara"><h5 class="formalpara" id="id825614">My Installed Software</h5>
					The <span class="guibutton"><strong>My Installed Software</strong></span> area shows the currently installed products on the system, along with their subscription status. This doesn't allow administrators to install software, only to view installed software.
				</div><div class="figure" id="fig.installed-tab"><div class="figure-contents"><div class="mediaobject"><img src="images/rhsm-installed.png" width="444" alt="My Installed Software Tab" /></div></div><h6>Figure 14.16. My Installed Software Tab</h6></div><br class="figure-break" /></div><div class="section" id="viewing-ents-cmd"><div class="titlepage"><div><div><h3 class="title" id="viewing-ents-cmd">14.8.2. Listing Subscriptions with the Command Line</h3></div></div></div><a id="id825668" class="indexterm"></a><a id="id825684" class="indexterm"></a><a id="id825700" class="indexterm"></a><div class="para">
				As with the three tabs in the UI, there are three different ways to use the <code class="command">list</code> command to display different areas of the subscriptions and products on the system.
			</div><div class="table" id="tab.list-options"><h6>Table 14.5. subscription-manager list Options</h6><div class="table-contents"><table summary="subscription-manager list Options" border="1"><colgroup><col width="30%" class="option" /><col width="70%" class="description" /></colgroup><thead><tr><th>
								Option
							</th><th>
								Description
							</th></tr></thead><tbody><tr><td>
								--installed (or nothing)
							</td><td>
								Lists all of the <span class="emphasis"><em>installed and subscribed</em></span> product on the system. If no option is given with <code class="command">list</code>, it is the same as using the <code class="option">--installed</code> argument.
							</td></tr><tr><td>
								--consumed
							</td><td>
								Lists all of the subscriptions allocated to the system.
							</td></tr><tr><td>
								--available [--all]
							</td><td>
								Using <code class="option">--available</code> alone lists all of the compatible, active subscriptions for the system. Using <code class="option">--available --all</code> lists all options, even ones not compatible with the system or with no more available quantities.
							</td></tr><tr><td>
								--ondate=YYYY-MM-DD
							</td><td>
								Shows subscriptions which are active and available on the specified date. This is only used with the <code class="option">--available</code> option. If this is not used, then the command uses the current date.
							</td></tr><tr><td>
								--installed
							</td><td>
								Lists all of the products that are installed on the system (and whether they have a subscription) and it lists all of the product subscriptions which are assigned to the system (and whether those products are installed).
							</td></tr></tbody></table></div></div><br class="table-break" /><div class="para">
				The <code class="command">list</code> command shows all of the subscriptions that are currently allocated to the system by using the <code class="option">--consumed</code> option.
			</div><pre class="programlisting">[root@server1 ~]# subscription-manager list --consumed

+-------------------------------------------+
    Consumed Product Subscriptions
+-------------------------------------------+

ProductName:        	<span class="perl_BString">Red</span> Hat Enterprise Linux Server
ContractNumber:     	1458961
SerialNumber:       	171286550006020205
Active:             	<span class="perl_BString">True</span>
Begins:             	2009-01-01
Expires:            	2011-12-31</pre><div class="para">
				The <code class="command">list</code> command shows all of the subscriptions that are compatible with and available to the system using the <code class="option">--available</code> option. To include every subscription the organization has — both the ones that are compatible with the system and others for other platforms — use the <code class="option">--all</code> option with the <code class="option">--available</code>. The <code class="option">--ondate</code> option shows only subscriptions which are active on that date, based on their activation and expiry dates.
			</div><pre class="programlisting">[root@server1 ~]# subscription-manager list --available --all

+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+

ProductName:            RHEL Workstation
ProductId:              MKT-rhel-workstation-mkt
PoolId:                 5e09a31f95885cc4
Quantity:               10
Expires:                2011-09-20

[snip]</pre><div class="para">
				The <code class="option">--installed</code> option correlates the products that are actually installed on the system (and their subscription status) and the products which could be installed on the system based on the assigned subscriptions (and whether those products are installed).
			</div><pre class="programlisting">[root@server1 ~]# subscription-manager list --installed

+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+
ProductName:         <span class="perl_BString">Red</span> Hat Enterprise Linux
Status:              Not Subscribed
Expires:
Subscription:
ContractNumber:
AccountNumber:

ProductName:         Awesome OS Server
Status:              Not Installed
Expires:             2012-02-20
Subscription:        54129829316535230
ContractNumber:      39
AccountNumber:       12331131231</pre></div><div class="section" id="viewing-available-sub"><div class="titlepage"><div><div><h3 class="title" id="viewing-available-sub">14.8.3. Viewing Subscriptions Used in Both RHN Classic and Certificate-based Red Hat Network</h3></div></div></div><div class="para">
				Administrators need to have a sense of all of the subscriptions allocated for their organization, altogether, regardless of whether the system is managed in RHN Classic or Certificate-based Red Hat Network. The Customer Portal provides a way of looking at the total consumed subscriptions.
			</div><div class="para">
				In the <span class="guilabel"><strong>Subscriptions Overview</strong></span> page, the <span class="guilabel"><strong>Subscription Utilization</strong></span> area at the top gives the current count for <span class="emphasis"><em>every</em></span> active subscription for the entire organization, and a total count of every used subscription, regardless of whether it is used in RHN Classic or Certificate-based Red Hat Network. These numbers are updated whenever the subscription count changes in the subscription server. (The subsequent Certificate-based Red Hat Network and RHN Classic sections gives usage subcounts based on system which are registered to that specific subscription service.)
			</div><div class="figure" id="fig.cross-system"><div class="figure-contents"><div class="mediaobject"><img src="images/rhsm-total-count.png" width="444" alt="Total Counts of Subscriptions for All Subscription Services" /></div></div><h6>Figure 14.17. Total Counts of Subscriptions for All Subscription Services</h6></div><br class="figure-break" /><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
					RHN Classic is provided for legacy systems. Red Hat Enterprise Linux 5.7 and 6.1 and later systems should use Certificate-based Red Hat Network to manage subscriptions for systems.
				</div></div></div></div></div><div class="section" id="entitlements-and-yum"><div class="titlepage"><div><div><h2 class="title" id="entitlements-and-yum">14.9. Working with Subscription yum Repos</h2></div></div></div><a id="id826040" class="indexterm"></a><a id="id826052" class="indexterm"></a><a id="id826064" class="indexterm"></a><div class="para">
			As <a class="xref" href="#entitlement-arch">Section 14.1.4, “Subscription and Content Architecture”</a> says, Red Hat Subscription Manager works <span class="emphasis"><em>with</em></span> package management tools like <code class="command">yum</code>. Subscription Manager has its own <code class="command">yum</code> plug-ins: <code class="systemitem">product-id</code> for subscription-related information for products and <code class="systemitem">subscription-manager</code> which is used for the content repositories.
		</div><div class="para">
			As systems are subscribed to products, the associated content repositories (identified in the entitlement certificate) are made available to the system. The content repositories are based on the product and on the content delivery network, defined in the <em class="parameter"><code>baseurl</code></em> parameter of the <code class="filename">rhsm.conf</code> file.
		</div><div class="para">
			A subscription may include access to <span class="emphasis"><em>optional</em></span> content channels along with the default channels. This optional channels must be enabled before the packages in them can be installed (even if the system is fully entitled to the products in those channels).
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					List all available repos for the system, including disabled repos.
				</div><pre class="programlisting">[root@server ~]# yum repolist all
repo <span class="perl_BString">id</span>                      repo name                           status
rhel-5-server                <span class="perl_BString">Red</span> Hat Enterprise Linux 5Server -  enabled:    1,749
rhel-5-server-beta           <span class="perl_BString">Red</span> Hat Enterprise Linux 5Server Be enabled:      869
rhel-5-server-optional-rpms  <span class="perl_BString">Red</span> Hat Enterprise Linux 5Server Op disabled
rhel-5-server-supplementary  <span class="perl_BString">Red</span> Hat Enterprise Linux 5Server <span class="perl_BString">Su</span> disabled</pre><div class="para">
					The optional and supplementary channels are named <code class="option">rhel-5-server-optional-rpms</code> and <code class="option">rhel-5-server-supplementary</code>, respectively.
				</div></li><li class="listitem"><div class="para">
					The repositories can be enabled using the <code class="command">yum-config-manager</code> command:
				</div><pre class="programlisting">[root@server ~]# yum-config-manager --enable rhel-5-server-optional-rpms</pre></li></ol></div><div class="para">
			Alternatively, simply specify the optional or supplementary repository when installing a package with <code class="command">yum</code>. This uses the <code class="option">--enablerepo</code> <span class="emphasis"><em>repo_name</em></span> option. For example:
		</div><pre class="screen"># yum install rubygems --enablerepo=rhel-5-server-optional-rpms
Loaded plugins: <strong class="userinput"><code>product-id</code></strong>, refresh-packagekit, <strong class="userinput"><code>subscription-manager</code></strong>
Updating Red Hat repositories.
....</pre><div class="para">
			Using <code class="command">yum</code> is described in <a class="xref" href="#c1-yum">Chapter 13, <em>YUM (Yellowdog Updater Modified)</em></a>.
		</div></div><div class="section" id="responding-to-nags-ui"><div class="titlepage"><div><div><h2 class="title" id="responding-to-nags-ui">14.10. Responding to Subscription Notifications</h2></div></div></div><a id="id826233" class="indexterm"></a><a id="id826245" class="indexterm"></a><a id="id826257" class="indexterm"></a><div class="para">
			The Red Hat Subscription Manager provides a series of log and UI messages that indicate any changes to the valid certificates of any installed products for a system. In the Subscription Manager GUI, the status of the system entitlements is color-coded, where <span class="emphasis"><em>green</em></span> means all products are fully subscribed, <span class="emphasis"><em>yellow</em></span> means that some products may not be subscribed but updates are still in effect, and <span class="emphasis"><em>red</em></span> means that updates are disabled.
		</div><div class="figure" id="fig.ents-colorcoded"><div class="figure-contents"><div class="mediaobject"><img src="images/ents-colorcoded.png" width="444" alt="Color-Coded Status Views" /></div></div><h6>Figure 14.18. Color-Coded Status Views</h6></div><br class="figure-break" /><div class="para">
			The command-line tools also indicate that status of the machine. The green-yellow-red codes translate to text status messages of <span class="emphasis"><em>subscribed</em></span>, <span class="emphasis"><em>partially subscribed</em></span>, and <span class="emphasis"><em>expired/not subscribed</em></span>, respectively.
		</div><pre class="programlisting">[root@server ~]# subscription-manager list
+-------------------------------------------+
    Installed Product Status
+-------------------------------------------+

ProductName:            Red Hat Enterprise Linux Server
<strong class="userinput"><code>Status: Not Subscribed</code></strong>
Expires:
SerialNumber:
ContractNumber:
AccountNumber:</pre><div class="para">
			Whenever there is a warning about subscription changes, a small icon appears in the top menu bar, similar to a fuel gauge.
		</div><div class="figure" id="fig.ents-nag"><div class="figure-contents"><div class="mediaobject"><img src="images/ents-nag.png" alt="Subscription Notification Icon" /></div></div><h6>Figure 14.19. Subscription Notification Icon</h6></div><br class="figure-break" /><div class="para">
			As any installed product nears the expiration date of the subscription, the Subscription Manager daemon will issue a warning. A similar message is given when the system has products without a valid certificate, meaning either the system is not subscribed to a subscription that entitles that product or the product is installed past the expiration of the subscription. Clicking the <span class="guilabel"><strong>Manage My Subscriptions...</strong></span> button in the subscription notification window opens the Red Hat Subscription Manager GUI to view and update subscriptions.
		</div><div class="figure" id="fig.ents-nag-warning"><div class="figure-contents"><div class="mediaobject"><img src="images/ents-nag-warning.png" width="444" alt="Subscription Warning Message" /></div></div><h6>Figure 14.20. Subscription Warning Message</h6></div><br class="figure-break" /><div class="para">
			When the Subscription Manager UI opens, whether it was opened through a notification or just opened normally, there is a box in the upper left corner that shows the number of products that lack a valid certificate. The easiest way to allocate subscriptions which match invalidated products is to click the <span class="guibutton"><strong>Update Certificates</strong></span> button.
		</div><div class="figure" id="fig.rhsm-compliance"><div class="figure-contents"><div class="mediaobject"><img src="images/rhsm-compliance2.png" alt="Update Certificates Button" /></div></div><h6>Figure 14.21. Update Certificates Button</h6></div><br class="figure-break" /><div class="para">
			The Subscription Assistant pop-up window shows a targeted list of available subscriptions that apply to the specific products that do not have valid certificates (assuming subscriptions are available).
		</div><div class="figure" id="fig.rhsm-compliance1"><div class="figure-contents"><div class="mediaobject"><img src="images/rhsm-compliance.png" width="444" alt="Subscription Assistant" /></div></div><h6>Figure 14.22. Subscription Assistant</h6></div><br class="figure-break" /><div class="para">
			Alternatively, you can respond to entitlements notifications by managing subscriptions generally:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					The entitlements certificate can be updated or a new one can be added (<a class="xref" href="#uploading-new-certs">Section 14.13, “Updating Entitlements Certificates”</a>).
				</div></li><li class="listitem"><div class="para">
					The system can be subscribed to another subscription that contains the product (<a class="xref" href="#subscribing-ents">Section 14.6, “Handling Subscriptions”</a>).
				</div></li></ul></div></div><div class="section" id="sub-healing"><div class="titlepage"><div><div><h2 class="title" id="sub-healing">14.11. Healing Subscriptions</h2></div></div></div><div class="para">
			Subscription Manager can monitor all of the active entitlements for a system. Along with passively warning that a subscription is close to expiration (<a class="xref" href="#responding-to-nags-ui">Section 14.10, “Responding to Subscription Notifications”</a>), Subscription Manager can be configured to re-subscribe to subscriptions, automatically and actively, as one nears its expiry. This is <span class="emphasis"><em>system healing</em></span>.
		</div><div class="para">
			System healing prevents a system from having unentitled products as long as any valid subscription is available for it.
		</div><div class="para">
			System healing is configured as part of the Subscription Manager daemon, <code class="systemitem">rhsmcertd</code>. This daemon checks the certificate validity dates daily. If a subscription is within 24 hours of expiring, then Subscription Manager will check for any available compatible subscriptions and automatically re-subscribes the system, much like auto-subscribing during registration.
		</div><div class="section" id="healing-disable"><div class="titlepage"><div><div><h3 class="title" id="healing-disable">14.11.1. Enabling Healing</h3></div></div></div><div class="para">
				System healing is disabled by default. It can be enabled by manually adding the <em class="parameter"><code>autoheal</code></em> parameter to the Subscription Manager configuration.
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Open the Subscription Manager configuration file.
					</div><pre class="programlisting">vim /etc/rhsm/rhsm.conf</pre></li><li class="listitem"><div class="para">
						In the <code class="command">[rhsmcertd]</code> area, add the <em class="parameter"><code>autoheal</code></em> line, and set the value to true.
					</div><pre class="screen">[rhsmcertd]
certFrequency = 240
healFrequency = 1440
<strong class="userinput"><code>autoheal = true</code></strong></pre></li></ol></div><div class="para">
				The configuration can also be updated using the <code class="command">config</code> command:
			</div><pre class="screen">[root@server1 ~]# subscription-manager config --rhsmcertd.autoheal=true</pre></div><div class="section" id="healing-freq"><div class="titlepage"><div><div><h3 class="title" id="healing-freq">14.11.2. Changing the Healing Check Frequency</h3></div></div></div><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
					Healing cannot be disabled by changing the time interval. Setting the <code class="command">healFrequency</code> parameter to zero means that Subscription Manager simply uses the default time setting.
				</div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Open the Subscription Manager configuration file:
					</div><pre class="programlisting"># vim /etc/rhsm/rhsm.conf</pre></li><li class="listitem"><div class="para">
						In the <code class="systemitem">[rhsmcertd]</code> section, set the <code class="command">healFrequency</code> parameter to the time, in minutes, to check for changed subscriptions.
					</div><pre class="programlisting">[rhsmcertd]
certFrequency = 240
healFrequency = 1440</pre></li><li class="listitem"><div class="para">
						Restart the <code class="systemitem">rhsmcertd</code> daemon to reload the configuration.
					</div><pre class="programlisting"># service rhsmcertd start</pre></li></ol></div></div></div><div class="section" id="sam"><div class="titlepage"><div><div><h2 class="title" id="sam">14.12. Working with Subscription Asset Manager</h2></div></div></div><div class="para">
			Subscription Asset Manager works with the local Subscription Manager tools, but the local Subscription Manager must be configured to work with the given Subscription Asset Manager service.
		</div><div class="para">
			This section covers the procedures for setting up Subscription Manager to work with Subscription Asset Manager.
		</div><div class="para">
			The <a href="http://docs.redhat.com/docs/en-US/Red_Hat_Subscription_Asset_Manager/1.0/html/Installation_Guide/index.html">Subscription Asset Manager documentation</a> details all the tasks for managing the infrastructure:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					Creating organizations and environments.
				</div></li><li class="listitem"><div class="para">
					Creating activation keys.
				</div></li><li class="listitem"><div class="para">
					Managing subscription manifests from Red Hat.
				</div></li><li class="listitem"><div class="para">
					Viewing notification and system reports.
				</div></li></ul></div><div class="section" id="configuring-rhsm-sam"><div class="titlepage"><div><div><h3 class="title" id="configuring-rhsm-sam">14.12.1. Configuring Subscription Manager to Work with Subscription Asset Manager</h3></div></div></div><div class="para">
				Subscription Asset Manager performs two backend management functions:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Allocate subscriptions as a subscription service
					</div></li><li class="listitem"><div class="para">
						Work as a real-time proxy for the content delivery network
					</div></li></ul></div><div class="para">
				That means that the local Subscription Manager client needs to be configured to use Subscription Asset Manager as its subcription service and content provider, rather than using the default Red Hat Network (hosted) configuration.
			</div><div class="para">
				The subscription service URL is configured in the <em class="parameter"><code>hostname</code></em> parameter in the <code class="command">[server]</code> area in the <code class="filename">rhsm.conf</code> configuration file. The content delivery network URL is configured in the <em class="parameter"><code>baseurl</code></em> parameter in the <code class="command">[rhsm]</code> area. These values can be reset using the <code class="command">config</code> command. For example:
			</div><pre class="programlisting">[root@server1 ~]# subscription-manager config --server.<span class="perl_Others">hostname=</span>sam.example.com --rhsm.<span class="perl_Others">baseurl=</span>sam.example.com</pre><div class="para">
				Changing the Subscription Manager configuration with the <code class="command">config</code> command is covered in <a class="xref" href="#rhsm-config-cmd">Section 14.14.2, “Using the config Command”</a>.
			</div></div><div class="section" id="viewing-multi-org-info"><div class="titlepage"><div><div><h3 class="title" id="viewing-multi-org-info">14.12.2. Viewing Organization Information</h3></div></div></div><div class="para">
				Infrastructures that have their own local content and subscription services, such as Subscription Asset Manager, can define groups that organize their systems. The primary division is <span class="emphasis"><em>organizations</em></span>, which create independent units. The systems and users in one organization are invisible to the systems and users in another organization. Organizations can be subdivided into <span class="emphasis"><em>environments</em></span>, which provide associations with content repositories and allowed products, versions, and content sets. A system can belong to multiple environments.
			</div><div class="para">
				This is described in <a class="xref" href="#ents-multi-tenant">Section 14.3.1, “Local Subscription Services, Local Content Providers, and Multi-Tenant Organizations”</a>.
			</div><div class="para">
				Organizations, environments, and repositories are created and configured in the service application, such as Subscription Asset Manager. However, the organization structure for a system or for a user account can be viewed using the Subscription Manager command-line tools. The <code class="command">orgs</code>, <code class="command">environments</code>, and <code class="command">repos</code> commands list the organization, environment, and repository information for the system, depending on the organization and environments it belongs to.
			</div><div class="para">
				For example:
			</div><pre class="screen">[root@server1 ~]# subscription-manager orgs --username=jsmith --password=secret
+-------------------------------------------+
           admin Organizations
+-------------------------------------------+

OrgName:         Admin Owner
OrgKey:         admin

OrgName:         Dev East
OrgKey:         deveast

OrgName:         Dev West
OrgKey:         devwest

[root@server1 ~]# subscription-manager environments --username=jsmith --password=secret --org=admin
+-------------------------------------------+
           Environments
+-------------------------------------------+

Name:                        Locker
Description:                 None

Name:                        Dev
Description:

Name:                        Prod
Description:

[root@server1 ~]# subscription-manager repos --list
+----------------------------------------------------------+
     Entitled Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+

RepoName:                    never-enabled-content
RepoId:                      never-enabled-content
RepoUrl:                     https://content.example.com/repos/optional
Enabled:                     0

RepoName:                    always-enabled-content
RepoId:                      always-enabled-content
RepoUrl:                     https://content.example.com/repos/dev
Enabled:                     1

RepoName:                    content
RepoId:                      content-label
RepoUrl:                     https://content.example.com/repos/prod
Enabled:                     1</pre></div></div><div class="section" id="uploading-new-certs"><div class="titlepage"><div><div><h2 class="title" id="uploading-new-certs">14.13. Updating Entitlements Certificates</h2></div></div></div><a id="id826951" class="indexterm"></a><a id="id826963" class="indexterm"></a><a id="id826975" class="indexterm"></a><div class="para">
			An entitlement certificate represents a subscription that has been consumed by a given system. It includes all of the products which are included in the subscription for service and support, the subscription's start and end dates, and the number of entitlements included for each product. An entitlement certificate does not list products that are <span class="emphasis"><em>currently installed</em></span> on the system; rather, it lists all of that products that are <span class="emphasis"><em>available</em></span> to the system.
		</div><div class="para">
			The entitlement certificate is an X.509 certificate and is stored in a base 64-encoded blob in a <code class="filename">.pem</code> file.
		</div><div class="para">
			When a subscription expires or is changed, then the entitlement certificate must be updated to account for the changes. The Red Hat Subscription Manager polls the subscription service periodically to check for updated entitlement certificates; this can also be updated immediately or pulled down from the Customer Portal. The entitlement certificates are updated by revoking the previous entitlement certificate and generating a new one to replace it.
		</div><div class="section" id="updating-ent-certs"><div class="titlepage"><div><div><h3 class="title" id="updating-ent-certs">14.13.1. Updating Entitlement Certificates</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Open the Red Hat Customer Portal.
					</div><pre class="screen">https://access.redhat.com/</pre></li><li class="listitem"><div class="para">
						Click the <span class="guilabel"><strong>Subscriptions</strong></span> tab to open the subscriptions menu, and select the <span class="guilabel"><strong>Consumers List</strong></span> option under <span class="guilabel"><strong>Certificate-Based Management</strong></span>.
					</div></li><li class="listitem"><div class="para">
						Click the system name in the list of consumers.
					</div></li><li class="listitem"><div class="para">
						Open the <span class="guilabel"><strong>Applied Subscriptions</strong></span> tab for the list of all active, assigned subscriptions for the consumer.
					</div></li><li class="listitem"><div class="para">
						Click the <span class="guibutton"><strong>Download All Certificates</strong></span> button above the list of subscriptions. If there is only one subscription, then click the <span class="guibutton"><strong>Download</strong></span> button by the certificate.
					</div><div class="informalfigure"><div class="mediaobject"><img src="images/ents-global-subscr.png" width="444" /></div></div><div class="para">
						To retrieve an individual entitlement certificate, click the <span class="guilabel"><strong>Download</strong></span> link in the subscription row.
					</div></li><li class="listitem"><div class="para">
						If all entitlement certificates were downloaded in an archive file, then there are multiple archives in the downloaded <code class="filename">certificates.zip</code> file. Unzip the directories until the PEM files for the entitlement certificates are available.
					</div></li><li class="listitem"><div class="para">
						Import the certificate PEM file. This can be done using the <span class="guibutton"><strong>Import Certificates</strong></span> button in the Subscription Manager GUI or using the <code class="command">import</code> command:
					</div><pre class="screen"># subscription-manager import --certificate=/tmp/export/entitlement_certificates/596576341785244687.pem --certificate=/tmp/export/entitlement_certificates/3195996649750311162.pem
Successfully imported certificate 596576341785244687.pem
Successfully imported certificate 3195996649750311162.pem</pre></li></ol></div></div><div class="section" id="refreshing-ent-info"><div class="titlepage"><div><div><h3 class="title" id="refreshing-ent-info">14.13.2. Updating Subscription Information</h3></div></div></div><div class="para">
				The <code class="command">refresh</code> command updates all of the subscription information that is available to the consumer. This removes expired subscriptions and adds new subscriptions to the list. This does not <span class="emphasis"><em>subscribe</em></span> the machine, but it does pull in the newest data for administrators to use.
			</div><pre class="screen">[root@server1 ~]# subscription-manager refresh</pre></div></div><div class="section" id="rhsm-config"><div class="titlepage"><div><div><h2 class="title" id="rhsm-config">14.14. Configuring the Subscription Service</h2></div></div></div><div class="para">
			By default, Red Hat Subscription Manager (both GUI and CLI) talk to the subscription service and the Customer Portal for their subscription services and content delivery, respectively. Red Hat Subscription Manager can be configured to use different content servers or subscription services. Other aspects of the Red Hat Subscription Manager — like the locations to look for system and product certificates or the system information used by Red Hat Subscription Manager to identify compatible entitlements — can also be customized to fit the network environment.
		</div><div class="section" id="rhsm-files"><div class="titlepage"><div><div><h3 class="title" id="rhsm-files">14.14.1. Red Hat Subscription Manager Configuration Files</h3></div></div></div><a id="id827222" class="indexterm"></a><a id="id827238" class="indexterm"></a><a id="id827253" class="indexterm"></a><div class="para">
				The primary configuration file for Red Hat Subscription Manager, both the GUI and CLI tools, is the <code class="filename">rhsm.conf</code> configuration file. There are other support files that either influence the Red Hat Subscription Manager service or can help administrators better use the Subscription Manager.
			</div><div class="section" id="all-rhsm-files"><div class="titlepage"><div><div><h4 class="title" id="all-rhsm-files">14.14.1.1. All Files Used by Red Hat Subscription Manager</h4></div></div></div><div class="para">
					All of the files related to the configuration of Red Hat Subscription Manager are used by both the GUI and CLI; there's no separate configuration.
				</div><div class="table" id="tab.all-rhsm-files"><h6>Table 14.6. Red Hat Subscription Manager Files and Directories</h6><div class="table-contents"><table summary="Red Hat Subscription Manager Files and Directories" border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
									File or Directory
								</th><th>
									Description
								</th></tr></thead><tbody><tr><td>
									/etc/rhsm
								</td><td>
									The primary Red Hat Subscription Manager configuration directory.
								</td></tr><tr><td>
									/etc/rhsm/rhsm.conf
								</td><td>
									The Red Hat Subscription Manager configuration file. This is used by both the GUI and the CLI.
								</td></tr><tr><td>
									/etc/rhsm/facts
								</td><td>
									Any user-defined JSON files that override or add system facts to determine entitlement compatibility. Any facts files must end in <code class="filename">.facts</code>.
								</td></tr><tr><td>
									/var/lib/rhsm/cache/installed_products.json
								</td><td>
									A master list of installed products, which is sent by Subscription Manager to a hosted content service, such as Subscription Asset Manager.
								</td></tr><tr><td>
									/var/lib/rhsm/facts/facts.facts
								</td><td>
									The default system facts filed, gathered by the Subscription Manager.
								</td></tr><tr><td>
									/var/lib/rhsm/packages/
								</td><td>
									The package profile cache (a list of installed products) which is gathered and periodically updated by the Subscription Manager.
								</td></tr><tr><td>
									/var/log/rhsm
								</td><td>
									The Red Hat Subscription Manager log directory.
								</td></tr><tr><td>
									/var/log/rhsm/rhsm.log
								</td><td>
									The log for the Red Hat Subscription Manager tools.
								</td></tr><tr><td>
									/var/log/rhsm/rhsmcertd.log
								</td><td>
									The log for the Red Hat Subscription Manager daemon, <code class="command">rhsmcertd</code>.
								</td></tr><tr><td>
									/etc/pki/consumer
								</td><td>
									The directory which contains the identity certificates used by the system to identify itself to the subscription service.
								</td></tr><tr><td>
									/etc/pki/consumer/cert.pem
								</td><td>
									The base-64 consumer identity certificate file.
								</td></tr><tr><td>
									/etc/pki/consumer/key.pem
								</td><td>
									The base-64 consumer identity key file.
								</td></tr><tr><td>
									/etc/pki/entitlement
								</td><td>
									The directory which contains the entitlement certificates for the available subscriptions.
								</td></tr><tr><td>
									/etc/pki/product/<em class="replaceable"><code>product_serial#</code></em>.pem
								</td><td>
									The product certificates for installed software products.
								</td></tr><tr><td>
									/var/run/subsys/rhsm
								</td><td>
									Runtime files for Red Hat Subscription Manager
								</td></tr><tr><td>
									/etc/init.d/rhsmcertd
								</td><td>
									The subscription certificate daemon.
								</td></tr><tr><td>
									/etc/cron.daily/rhsm-complianced and /usr/libexec/rhsm-complianced
								</td><td>
									Files to run daily checks and notifications for subscription validity.
								</td></tr><tr><td>
									/etc/yum/pluginconf.d/rhsmplugin.conf
								</td><td>
									The configuration file to include the Red Hat Subscription Manager plug-in in the <code class="command">yum</code> configuration.
								</td></tr><tr><td>
									/usr/share/rhsm
								</td><td>
									All of the Python and script files used by both Red Hat Subscription Manager tool to perform subscription tasks.
								</td></tr><tr><td>
									/usr/share/rhsm/gui
								</td><td>
									All of the Python script and image files used to render the Red Hat Subscription Manager GUI.
								</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="rhsm.conf"><div class="titlepage"><div><div><h4 class="title" id="rhsm.conf">14.14.1.2. About the rhsm.conf File</h4></div></div></div><a id="id827607" class="indexterm"></a><a id="id827623" class="indexterm"></a><a id="id827639" class="indexterm"></a><div class="para">
					The main configuration file for the Subscription Manager is <code class="filename">rhsm.conf</code>. This file configures several important aspects of how Red Hat Subscription Manager interacts with both entitlements and content services:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							The subscription service connection information, including the server host and port
						</div></li><li class="listitem"><div class="para">
							The content service to use, in the form of a web address
						</div></li><li class="listitem"><div class="para">
							The location of all of the different certificates used by the subscription service, including CA certificates for SSL authentication, identity certificates for the system, and entitlement and product certificates
						</div></li></ul></div><div class="para">
					The <code class="filename">rhsm.conf</code> file is divided into three sections. Two major sections defined the subscription service (<code class="command">[server]</code>) and content and product delivery (<code class="command">[rhsm]</code>). The third section relates to the <code class="command">rhsmcertd</code> daemon. Each assertion is a simple <span class="emphasis"><em>attribute= value</em></span> pair. Any of the default values can be edited; all possible attributes are present and active in the default <code class="filename">rhsm.conf</code> file.
				</div><div class="example" id="ex.rhsm.conf"><h6>Example 14.9. Default rhsm.conf File</h6><div class="example-contents"><pre class="programlisting"><span class="perl_Comment"># Red Hat Subscription Manager Configuration File:</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span>
<span class="perl_Comment"># Unified Entitlement Platform Configuration</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span>[server]
<span class="perl_Comment"># Server hostname:</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span><span class="perl_BString">hostname</span> = subscription.rhn.redhat.com

<span class="perl_Comment"># Server prefix:</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span>prefix = /subscription

<span class="perl_Comment"># Server port:</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span>port = 443

<span class="perl_Comment"># Set to 1 to disable certificate validation:</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span>insecure = 0

<span class="perl_Comment"># Set the depth of certs which should be checked</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span><span class="perl_Comment"># when validating a certificate</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span>ssl_verify_depth = 3

<span class="perl_Comment"># Server CA certificate location:</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span>ca_cert_dir = /etc/rhsm/ca/

<span class="perl_Comment"># an http proxy server to use</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span>proxy_hostname =

<span class="perl_Comment"># port for http proxy server</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span>proxy_port =

<span class="perl_Comment"># user name for authenticating to an http proxy, if needed</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span>proxy_user =

<span class="perl_Comment"># password for basic http proxy auth, if needed</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span>proxy_password =

[rhsm]
<span class="perl_Comment"># Content base URL:</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span><span class="perl_Others">baseurl=</span> https://cdn.redhat.com

<span class="perl_Comment"># Default CA cert to use when generating yum repo configs:</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span>repo_ca_cert = %<span class="perl_Keyword">(</span>ca_cert_dir<span class="perl_Keyword">)</span>sredhat-uep.pem

<span class="perl_Comment"># Where the certificates should be stored</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span>productCertDir = /etc/pki/product
entitlementCertDir = /etc/pki/entitlement
consumerCertDir = /etc/pki/consumer

[rhsmcertd]
<span class="perl_Comment"># Frequency of certificate refresh (in minutes):</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span>certFrequency = 240
<span class="perl_Comment"># Frequency of autoheal check (1440 min = 1 day):</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span>healFrequency = 1440
</pre></div></div><br class="example-break" /><div class="table" id="tab.rhsm.conf-parameters"><h6>Table 14.7. rhsm.conf Parameters</h6><div class="table-contents"><table summary="rhsm.conf Parameters" border="1"><colgroup><col class="col1" width="33%" /><col class="col2" width="33%" /><col class="col3" width="33%" /></colgroup><thead><tr><th>
									Parameter
								</th><th>
									Description
								</th><th>
									Default Value
								</th></tr></thead><tbody><tr><td colspan="3">
									<span class="bold bold"><strong>[server] Parameters</strong></span>
								</td></tr><tr><td>
									hostname
								</td><td>
									Gives the IP address or fully-qualified domain name of the subscription service.
								</td><td>
									subscription.rhn.redhat.com
								</td></tr><tr><td>
									prefix
								</td><td>
									Gives the directory, in the URL, to use to connect to the subscription service.
								</td><td>
									/subscription
								</td></tr><tr><td>
									port
								</td><td>
									Gives the port to use to connect to the subscription service.
								</td><td>
									443
								</td></tr><tr><td>
									insecure
								</td><td>
									Sets whether to use a secure (0) or insecure (1) connection for connections between the Subscription Manager clients and the subscription service.
								</td><td>
									0
								</td></tr><tr><td>
									ssl_verify_depth
								</td><td>
									Sets how far back in the certificate chain to verify the certificate.
								</td><td>
									3
								</td></tr><tr><td>
									proxy_hostname
								</td><td>
									Gives the hostname of the proxy server. This is required.
								</td><td>

</td></tr><tr><td>
									proxy_port
								</td><td>
									Gives the port of the proxy server. This is required.
								</td><td>

</td></tr><tr><td>
									proxy_user
								</td><td>
									Gives the user account to use to access the proxy server. This may not be required, depending on the proxy server configuration.
								</td><td>

</td></tr><tr><td>
									proxy_password
								</td><td>
									Gives the password credentials to access the proxy server. This may not be required, depending on the proxy server configuration.
								</td><td>

</td></tr><tr><td>
									ca_cert_dir
								</td><td>
									Gives the location for the CA certificate for the CA which issued the subscription service's certificates. This allows the client to identify and trust the subscription service for authentication for establishing an SSL connection.
								</td><td>
									/etc/rhsm/ca
								</td></tr><tr><td colspan="3">
									<span class="bold bold"><strong>[rhsm] Parameters</strong></span>
								</td></tr><tr><td>
									baseurl
								</td><td>
									Gives the full URL to access the content delivery system.
								</td><td>
									https://cdn.redhat.com
								</td></tr><tr><td>
									repo_ca_cert
								</td><td>
									Identifies the default CA certificate to use to set the yum repo configuration.
								</td><td>
									%(ca_cert_dir)sredhat-uep.pem
								</td></tr><tr><td>
									showIncompatiblePools
								</td><td>
									<div class="para">
										Sets whether to display subscription pools which are not compatible with the system's architecture but which have been purchased by an organization. By default, Subscription Manager only displays subscriptions which are compatible with, and therefore available to, the system.
									</div>
									 <div class="para">
										This parameter only applies to the Subscription Manager GUI. Incompatible subscriptions can be displayed in the CLI by using the <code class="option">--all</code> option with the <code class="command">list</code> command.
									</div>

</td><td>
									0
								</td></tr><tr><td>
									productCertDir
								</td><td>
									Sets the root directory where the product certificates are stored and can be accessed by Subscription Manager.
								</td><td>
									/etc/pki/product
								</td></tr><tr><td>
									consumerCertDir
								</td><td>
									Sets the directory where the identity certificate for the system is stored and can be accessed by Subscription Manager.
								</td><td>
									/etc/pki/consumer
								</td></tr><tr><td>
									entitlementCertDir
								</td><td>
									Sets the directory where the entitlement certificates for the system are stored and can be accessed by Subscription Manager. Each subscription has its own entitlement certificate.
								</td><td>
									/etc/pki/entitlement
								</td></tr><tr><td colspan="3">
									<span class="bold bold"><strong>[rhsmcertd] Parameters</strong></span>
								</td></tr><tr><td>
									certFrequency
								</td><td>
									Sets the interval, in minutes, to check and update entitlement certificates used by Subscription Manager.
								</td><td>
									240
								</td></tr><tr><td>
									healFrequency
								</td><td>
									Sets the interval, in minutes, to check for change subscriptions and installed products and to allocate subscriptions, as necessary, to maintain subscription status for all products.
								</td><td>
									240
								</td></tr></tbody></table></div></div><br class="table-break" /></div></div><div class="section" id="rhsm-config-cmd"><div class="titlepage"><div><div><h3 class="title" id="rhsm-config-cmd">14.14.2. Using the config Command</h3></div></div></div><div class="para">
				<code class="command">subscription-manager</code> has a subcommand that can change the <code class="filename">rhsm.conf</code> configuration file. Almost all of the connection information used by Subscription Manager to access the subscription server, content server, and any proxies is set in the configuration file, as well as general configuration parameters like the frequency Subscription Manager checks for entitlements updates. There are major divisions in the <code class="filename">rhsm.conf</code> file, such as <code class="command">[server]</code> which is used to configure the subscription server. When changing the Subscription Manager configuration, the settings are identified with the format <span class="emphasis"><em>section.parameter</em></span> and then the new value. For example: 
<pre class="screen">server.hostname=newsubscription.example.com</pre>

</div><div class="para">
				When changing the value for a parameter, the parameter is passed as an argument to the <code class="command">config</code> command:
			</div><pre class="screen">[root@server1 ~]# subscription-manager config --<em class="replaceable"><code>section.parameter</code></em>=<em class="replaceable"><code>newValue</code></em></pre><div class="para">
				For example, to change the hostname of the subscription service:
			</div><pre class="screen">[root@server1 ~]# subscription-manager config --server.hostname=subscription.example.com</pre><div class="para">
				All of the <code class="filename">rhsm.conf</code> file parameters are listed in <a class="xref" href="#tab.rhsm.conf-parameters">Table 14.7, “rhsm.conf Parameters”</a>. This is most commonly used to change connection settings:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						server.hostname (subscription server)
					</div></li><li class="listitem"><div class="para">
						server.proxy
					</div></li><li class="listitem"><div class="para">
						server.proxy_port
					</div></li><li class="listitem"><div class="para">
						server.proxy_user
					</div></li><li class="listitem"><div class="para">
						server.proxy_password
					</div></li><li class="listitem"><div class="para">
						rhsm.baseurl (content server)
					</div></li><li class="listitem"><div class="para">
						rhsm.certFrequency
					</div></li></ul></div><div class="para">
				The <code class="command">config</code> command also has a <code class="option">--remove</code> option. This deletes the the current value for the parameter without supplying a new parameter. A blank value tells Subscription Manager to use any default values that are set for that parameter rather than a user-defined value. For example:
			</div><pre class="screen">[root@server1 ~]# subscription-manager config --remove=rhsm.certFrequency

The default value for rhsm.certFrequency will now be used.</pre><div class="para">
				If a value does not have a default, then the command returns simply that the value has been removed:
			</div><pre class="screen">[root@server1 ~]# subscription-manager config --remove=server.proxy

You have removed the value in section server for parameter proxy.</pre></div><div class="section" id="rhsm-http-proxy"><div class="titlepage"><div><div><h3 class="title" id="rhsm-http-proxy">14.14.3. Using an HTTP Proxy</h3></div></div></div><div class="para">
				Some network environments may only allow external Internet access or access to content servers by going through an HTTP proxy.
			</div><div class="section" id="ents-proxy"><div class="titlepage"><div><div><h4 class="title" id="ents-proxy">14.14.3.1. Configuring an HTTP Proxy for GUI Use</h4></div></div></div><a id="id875692" class="indexterm"></a><a id="id875708" class="indexterm"></a><a id="id875724" class="indexterm"></a><div class="para">
					The Red Hat Subscription Manager GUI can be configured to use an HTTP proxy for all of its connections to the subscription service. (This is also an advanced configuration option at firstboot.) To configure the proxy:
				</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
							Launch the Red Hat Subscription Manager GUI. For example:
						</div><pre class="screen">subscription-manager-gui</pre></li><li class="listitem"><div class="para">
							Click the <span class="guibutton"><strong>Proxy Configuration</strong></span> button at the top of the window in the <span class="guilabel"><strong>Tools</strong></span> area.
						</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-proxy1.png" /></div></div></li><li class="listitem"><div class="para">
							Check the <span class="guilabel"><strong>...Connect to Red Hat Network via an HTTP Proxy</strong></span> checkbox and enter the server location, in the format <span class="emphasis"><em>hostname:port</em></span>.
						</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-proxy2.png" width="444" /></div></div></li><li class="listitem"><div class="para">
							If the proxy requires a username/password to allow access, then also select the <span class="guilabel"><strong>User authentication</strong></span> checkbox and fill in the user credentials.
						</div></li><li class="listitem"><div class="para">
							The configuration is automatically applied, so when the proxy is configured, simply close the window.
						</div></li></ol></div></div><div class="section" id="rhsm.conf-proxy"><div class="titlepage"><div><div><h4 class="title" id="rhsm.conf-proxy">14.14.3.2. Configuring HTTP Proxy in the rhsm.conf File</h4></div></div></div><a id="id875862" class="indexterm"></a><a id="id875878" class="indexterm"></a><a id="id875893" class="indexterm"></a><div class="para">
					The HTTP proxy settings can be configured in the <code class="filename">rhsm.conf</code> file; this is the same as configuring it in the Subscription Manager GUI. The proxy configuration is stored and used for every connection between the subscription service and the local system.
				</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
							Open the Subscription Manager configuration file.
						</div><pre class="programlisting">vim /etc/rhsm/rhsm.conf</pre></li><li class="listitem"><div class="para">
							Change the settings in the <code class="command">[server]</code> section that relate to the HTTP proxy. All parameters are described in <a class="xref" href="#tab.rhsm.conf-parameters">Table 14.7, “rhsm.conf Parameters”</a>. There are four parameters directly related to the proxy:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<em class="parameter"><code>proxy_hostname</code></em> for the IP address or fully-qualified domain name of the proxy server; this is required.
								</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
										Leaving the <em class="parameter"><code>proxy_hostname</code></em> argument blank means that no HTTP proxy is used.
									</div></div></div></li><li class="listitem"><div class="para">
									<em class="parameter"><code>proxy_port</code></em> for the proxy server port.
								</div></li><li class="listitem"><div class="para">
									<em class="parameter"><code>proxy_user</code></em> for the user account to connect to the proxy; this may not be required, depending on the proxy server's configuration.
								</div></li><li class="listitem"><div class="para">
									<em class="parameter"><code>proxy_password</code></em> for the password for the user account to connect to the proxy; this may not be required, depending on the proxy server's configuration.
								</div></li></ul></div><pre class="programlisting">[server]

<span class="perl_Comment"># an http proxy server to use</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span>proxy_hostname = proxy.example.com

<span class="perl_Comment"># port for http proxy server</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span>proxy_port = 443

<span class="perl_Comment"># user name for authenticating to an http proxy, if needed</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span>proxy_user =

<span class="perl_Comment"># password for basic http proxy auth, if needed</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span>proxy_password =</pre></li></ol></div></div><div class="section" id="ents-proxycmd"><div class="titlepage"><div><div><h4 class="title" id="ents-proxycmd">14.14.3.3. Passing HTTP Proxy Information with subscription-manager Commands</h4></div></div></div><a id="id876046" class="indexterm"></a><a id="id876061" class="indexterm"></a><a id="id876077" class="indexterm"></a><div class="para">
					Rather than using a permanently-configured HTTP proxy, as the GUI does, HTTP proxy information can be passed with a command invocations. The arguments listed in <a class="xref" href="#tab-ents-proxy">Table 14.8, “Proxy Arguments”</a> are available to every command used with <code class="command">subscription-manager</code>.
				</div><div class="table" id="tab-ents-proxy"><h6>Table 14.8. Proxy Arguments</h6><div class="table-contents"><table summary="Proxy Arguments" border="1"><colgroup><col width="33%" /><col width="33%" /><col width="33%" /></colgroup><thead><tr><th>
									Argument
								</th><th>
									Description
								</th><th>
									Required for a Proxy Connection?
								</th></tr></thead><tbody><tr><td>
									--proxy
								</td><td>
									Gives the proxy server to connect to, in the format <span class="emphasis"><em>hostname:port</em></span>.
								</td><td>
									Yes
								</td></tr><tr><td>
									--proxyuser
								</td><td>
									Gives the username to use to authenticate. This is only required if user authentication is required.
								</td><td>
									No
								</td></tr><tr><td>
									--proxypass
								</td><td>
									Gives the password to use with the user account. This is only required if user authentication is required.
								</td><td>
									No
								</td></tr></tbody></table></div></div><br class="table-break" /><div class="para">
					The proxy information can be passed with any <code class="command">subscription-manager</code> operation. For example:
				</div><pre class="programlisting">[root@server1 ~]# subscription-manager subscribe --pool=ff8080812bc382e3012bc3845ca000cb --proxy=proxy.example.com:8443 --proxyuser=jsmith --proxypass=secret</pre></div></div><div class="section" id="changing-ents-server"><div class="titlepage"><div><div><h3 class="title" id="changing-ents-server">14.14.4. Changing the Subscription Server</h3></div></div></div><a id="id876226" class="indexterm"></a><a id="id876241" class="indexterm"></a><a id="id876257" class="indexterm"></a><div class="para">
				The Subscription Manager usually connects to the subscription service, and the public server is configured in the <code class="filename">rhsm.conf</code> file.  The subscription service connection settings are in the <code class="command">[server]</code> section of the configuration file.
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Open the Subscription Manager configuration file.
					</div><pre class="programlisting">vim /etc/rhsm/rhsm.conf</pre></li><li class="listitem"><div class="para">
						Change the settings in the <code class="command">[server]</code> section that relate to the subscription service connection. All parameters are described in <a class="xref" href="#tab.rhsm.conf-parameters">Table 14.7, “rhsm.conf Parameters”</a>. There are three parameters directly related to the connection:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<em class="parameter"><code>hostname</code></em> for the IP address or fully-qualified domain name of the machine
							</div></li><li class="listitem"><div class="para">
								<em class="parameter"><code>prefix</code></em> for the subscription service directory
							</div></li><li class="listitem"><div class="para">
								<em class="parameter"><code>port</code></em> for the subscription service port
							</div></li></ul></div><pre class="programlisting">[server]
<span class="perl_Others">hostname=</span>entitlements.server.example.com
<span class="perl_Others">prefix=</span>/candlepin
<span class="perl_Others">port=</span>8443</pre></li></ol></div></div><div class="section" id="setting-up-rhsm-mirror"><div class="titlepage"><div><div><h3 class="title" id="setting-up-rhsm-mirror">14.14.5. Configuring Red Hat Subscription Manager to Use a Local Content Provider</h3></div></div></div><a id="id876384" class="indexterm"></a><a id="id876400" class="indexterm"></a><a id="id876416" class="indexterm"></a><div class="para">
				By default, the Subscription Manager is configured to use Red Hat's content delivery service, which is available at <a href="https://cdn.redhat.com">https://cdn.redhat.com</a>. This can be changed to use a different external content delivery system or to use an organization-managed content system, such as Subscription Asset Manager.
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Open the Subscription Manager configuration file.
					</div><pre class="programlisting">vim /etc/rhsm/rhsm.conf</pre></li><li class="listitem"><div class="para">
						Change the <em class="parameter"><code>baseurl</code></em> directive in the <code class="command">[rhsm]</code> section. This is the full URL to the service.
					</div><pre class="programlisting">[rhsm]
<span class="perl_Comment"># Content base URL:</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span><span class="perl_Others">baseurl=</span> http://content.example.com/content</pre></li></ol></div></div><div class="section" id="secure-cxn-ents-server"><div class="titlepage"><div><div><h3 class="title" id="secure-cxn-ents-server">14.14.6. Managing Secure Connections to the Subscription Server</h3></div></div></div><a id="id876496" class="indexterm"></a><a id="id876512" class="indexterm"></a><a id="id876528" class="indexterm"></a><div class="para">
				Red Hat Subscription Manager assumes, by default, that the subscription clients connect to the subscription service using a secure (SSL) connection. This requires that the CA certificate of the subscription service be downloaded and available locally for the client and that the appropriate connections be configured.
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Open the Subscription Manager configuration file.
					</div><pre class="programlisting">vim /etc/rhsm/rhsm.conf</pre></li><li class="listitem"><div class="para">
						Change the settings in the <code class="command">[server]</code> section that relate to a secure connection. All parameters are described in <a class="xref" href="#tab.rhsm.conf-parameters">Table 14.7, “rhsm.conf Parameters”</a>. There are three parameters directly related to the connection:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<em class="parameter"><code>insecure</code></em> to set whether to use a secure (0) or insecure (1) connection
							</div></li><li class="listitem"><div class="para">
								<em class="parameter"><code>ca_cert_dir</code></em> for the directory location for the CA certificate for authentication and verification
							</div></li><li class="listitem"><div class="para">
								<em class="parameter"><code>port</code></em> for the subscription service port; this should be an SSL port if a secure connection is required
							</div></li></ul></div><pre class="programlisting">[server]
<span class="perl_Others">port=</span>8443
insecure = 1
ca_cert = /etc/rhsm/ca</pre></li></ol></div></div><div class="section" id="starting-rhsm"><div class="titlepage"><div><div><h3 class="title" id="starting-rhsm">14.14.7. Starting and Stopping the Subscription Service</h3></div></div></div><a id="id876646" class="indexterm"></a><a id="id876657" class="indexterm"></a><a id="id876669" class="indexterm"></a><div class="para">
				The Red Hat Subscription Manager daemon, <code class="systemitem">rhsmcertd</code>, runs as a service on the system. The daemon, by default, starts with the system, and it can be started, stopped, or checked with the <code class="command">service</code> command.
			</div><pre class="programlisting">service rhsmcertd status
rhsmcertd <span class="perl_Keyword">(</span>pid 13084<span class="perl_Keyword">)</span> is running...</pre><div class="para">
				Red Hat Enterprise Linux has a tool called <span class="emphasis"><em>chkconfig</em></span> which manages the automatic startup and shutdown settings for each process on the server, described in <a class="xref" href="#s1-services-chkconfig">Section 17.5, “<code class="command">chkconfig</code>”</a>. When a system reboots, some services can be automatically restarted. <code class="command">chkconfig</code> also defines startup settings for different run levels of the server.
			</div><div class="para">
				The Red Hat Subscription Manager service, which runs routinely to check for changes in the entitlements for an organization, can be controlled by <code class="command">chkconfig</code>. By default, the Red Hat Subscription Manager daemon, <code class="systemitem">rhsmcertd</code>, is configured to run at levels 3, 4, and 5, so that the service is started automatically when the server reboots.
			</div><div class="para">
				The run level settings can be reset using <code class="command">chkconfig</code>. For example, to enable run level 2:
			</div><pre class="screen">chkconfig --level 2345 rhsmcertd on</pre><div class="para">
				To remove the <code class="systemitem">rhsmcertd</code> from the start list, change the run level settings off:
			</div><pre class="screen">chkconfig --level 2345 rhsmcertd off</pre><div class="para">
				Red Hat Enterprise Linux also has a GUI console that can manage the <code class="command">service</code> and <code class="command">chkconfig</code> settings.
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						In the main menu, select the <span class="guimenu"><strong>System</strong></span> link and open the <span class="guimenuitem"><strong>Administration</strong></span> submenu.
					</div></li><li class="listitem"><div class="para">
						Open the <span class="guimenu"><strong>Services</strong></span> link.
					</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
							The <code class="filename">system-config-services</code> package must be installed for the <span class="guimenu"><strong>Services</strong></span> wizard to be available.
						</div></div></div><div class="informalfigure"><div class="mediaobject"><img src="images/ents-chkconfig1.png" width="444" /></div></div></li><li class="listitem"><div class="para">
						Scroll to the <code class="systemitem">rhsmcertd</code> item in the list of services on the left, and then edit the service as desired.
					</div><div class="informalfigure"><div class="mediaobject"><img src="images/ents-chkconfig2.png" width="444" /></div></div></li></ol></div></div><div class="section" id="checking-rhsm-logs"><div class="titlepage"><div><div><h3 class="title" id="checking-rhsm-logs">14.14.8. Checking Logs</h3></div></div></div><a id="id876882" class="indexterm"></a><a id="id876894" class="indexterm"></a><a id="id876906" class="indexterm"></a><a id="id876918" class="indexterm"></a><div class="para">
				There are two log files maintained for Red Hat Subscription Manager in the <code class="filename">/var/log/rhsm</code> directory:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="filename">rhsm.log</code> shows every invocation and result of running the Subscription Manager GUI or CLI
					</div></li><li class="listitem"><div class="para">
						<code class="filename">rhsmcertd.log</code> shows every time a new certificate is generated, which happens on a schedule defined by the <em class="parameter"><code>certFrequency</code></em> parameter in the <code class="filename">rhsm.conf</code> file.
					</div></li></ul></div><div class="para">
				The <code class="filename">rhsm.log</code> log contains the sequence of every Python call for every operation invoked through the Subscription Manager tools. Each entry has this format:
			</div><pre class="screen">YYYY-MM-DD HH:MM:SS,process_id [MESSAGE_TYPE] call python_script response</pre><div class="para">
				The <span class="emphasis"><em>response</em></span> in the log entry can be very complex, spanning multiple lines, or relatively simply, with just a status code.
			</div><div class="para">
				Because each log entry in <code class="filename">rhsm.log</code> relates to the Python script or function that was called, there can be multiple log entries for a single operation.
			</div><div class="example" id="ex.rhsm.log"><h6>Example 14.10. rhsm.log Entry</h6><div class="example-contents"><pre class="programlisting"><span class="perl_DecVal">2010</span><span class="perl_Char">-</span><span class="perl_DecVal">10</span><span class="perl_Char">-</span><span class="perl_DecVal">01</span> <span class="perl_DecVal">17</span><span class="perl_Char">:</span><span class="perl_DecVal">27</span><span class="perl_Char">:</span><span class="perl_DecVal">57</span>,<span class="perl_DecVal">874</span> <span class="perl_Char">[INFO]</span> _request<span class="perl_Char">()</span> @connection.py<span class="perl_Char">:</span><span class="perl_DecVal">97</span> <span class="perl_Char">-</span> status code<span class="perl_Char">:</span> <span class="perl_DecVal">200</span>
<span class="perl_DecVal">2010</span><span class="perl_Char">-</span><span class="perl_DecVal">10</span><span class="perl_Char">-</span><span class="perl_DecVal">01</span> <span class="perl_DecVal">17</span><span class="perl_Char">:</span><span class="perl_DecVal">27</span><span class="perl_Char">:</span><span class="perl_DecVal">57</span>,<span class="perl_DecVal">875</span> <span class="perl_Char">[INFO]</span> perform<span class="perl_Char">()</span> @certlib.py<span class="perl_Char">:</span><span class="perl_DecVal">132</span> <span class="perl_Char">-</span> updated<span class="perl_Char">:</span>
Total updates<span class="perl_Char">:</span> <span class="perl_DecVal">0</span>
Found <span class="perl_Char">(local)</span> serial# <span class="perl_Char">[]</span>
Expected <span class="perl_Char">(UEP)</span> serial# <span class="perl_Char">[]</span>
Added <span class="perl_Char">(new)</span>
  <span class="perl_Char">&lt;</span><span class="perl_Others">NONE</span><span class="perl_Char">&gt;</span>
Deleted <span class="perl_Char">(rogue):</span>
  <span class="perl_Char">&lt;</span><span class="perl_Others">NONE</span><span class="perl_Char">&gt;</span>
Expired <span class="perl_Char">(</span><span class="perl_Keyword">not</span> deleted<span class="perl_Char">):</span>
  <span class="perl_Char">&lt;</span><span class="perl_Others">NONE</span><span class="perl_Char">&gt;</span>
Expired <span class="perl_Char">(deleted):</span>
  <span class="perl_Char">&lt;</span><span class="perl_Others">NONE</span><span class="perl_Char">&gt;</span>
<span class="perl_DecVal">2010</span><span class="perl_Char">-</span><span class="perl_DecVal">10</span><span class="perl_Char">-</span><span class="perl_DecVal">01</span> <span class="perl_DecVal">17</span><span class="perl_Char">:</span><span class="perl_DecVal">27</span><span class="perl_Char">:</span><span class="perl_DecVal">57</span>,<span class="perl_DecVal">878</span> <span class="perl_Char">[INFO]</span> __init__<span class="perl_Char">()</span> @connection.py<span class="perl_Char">:</span><span class="perl_DecVal">193</span> <span class="perl_Char">-</span> Using certificate authentication<span class="perl_Char">:</span> key <span class="perl_Char">=</span> <span class="perl_Char">/etc/pki/consumer/key</span>.pem, cert <span class="perl_Char">=</span> <span class="perl_Char">/etc/pki/consumer/cert</span>.pem, ca <span class="perl_Char">=</span> <span class="perl_Char">/etc/pki/CA/candlepin</span>.pem, insecure <span class="perl_Char">=</span> <span class="perl_Others">True</span>
<span class="perl_DecVal">2010</span><span class="perl_Char">-</span><span class="perl_DecVal">10</span><span class="perl_Char">-</span><span class="perl_DecVal">01</span> <span class="perl_DecVal">17</span><span class="perl_Char">:</span><span class="perl_DecVal">27</span><span class="perl_Char">:</span><span class="perl_DecVal">57</span>,<span class="perl_DecVal">878</span> <span class="perl_Char">[INFO]</span> __init__<span class="perl_Char">()</span> @connection.py<span class="perl_Char">:</span><span class="perl_DecVal">196</span> <span class="perl_Char">-</span> Connection Established<span class="perl_Char">:</span> host<span class="perl_Char">:</span> candlepin1.devlab.phx1.redhat.com, port<span class="perl_Char">:</span> <span class="perl_DecVal">443</span>, handler<span class="perl_Char">:</span> <span class="perl_Char">/candlepin</span></pre></div></div><br class="example-break" /><div class="para">
				The entries in the <code class="filename">rhsmcertd.log</code> file are much simpler. The log only records when the <code class="command">rhsmcertd</code> daemon starts or stops and every time a certificate is updated.
			</div><div class="example" id="ex.rhsmcertd.log"><h6>Example 14.11. rhsmcertd.log Entry</h6><div class="example-contents"><pre class="programlisting">Fri Oct  1 13:27:44 2010: started: interval = 240 minutes
Fri Oct  1 13:27:50 2010: certificates updated</pre></div></div><br class="example-break" /></div><div class="section" id="showing-incompatible-subsc"><div class="titlepage"><div><div><h3 class="title" id="showing-incompatible-subsc">14.14.9. Showing and Hiding Incompatible Subscriptions</h3></div></div></div><a id="id877068" class="indexterm"></a><a id="id877084" class="indexterm"></a><a id="id877099" class="indexterm"></a><div class="para">
				The entitlements that are made available to a consumer are filtered, by default, according to whether the architecture for the product matches the architecture of the system. This is <span class="emphasis"><em>compatibility</em></span>. The Red Hat Subscription Manager can be configured to display even incompatible entitlements.
			</div><div class="para">
				When running the command-line tools, the incompatible facts can be displayed simply by using the <code class="option">--all</code> option:
			</div><pre class="screen">[root@server1 ~]# subscription-manager list --available --all</pre><div class="para">
				To have the incompatible subscriptions displayed in the GUI and through the command-line by default, edit the <code class="filename">rhsm.conf</code> configuration file.
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Open the Subscription Manager configuration file.
					</div><pre class="programlisting">vim /etc/rhsm/rhsm.conf</pre></li><li class="listitem"><div class="para">
						Change the <em class="parameter"><code>showIncompatiblePools</code></em> directive in the <code class="command">[rhsm]</code> section. A value of <code class="command">0</code> shows only compatible entitlements.
					</div><pre class="programlisting">[rhsm]
<span class="perl_Comment"># Content base URL:</span><span class="perl_Comment"></span>
<span class="perl_Comment"></span>showIncompatiblePools = 1</pre></li></ol></div></div><div class="section" id="rhsm-facts"><div class="titlepage"><div><div><h3 class="title" id="rhsm-facts">14.14.10. Checking and Adding System Facts</h3></div></div></div><a id="id877202" class="indexterm"></a><a id="id877214" class="indexterm"></a><a id="id877226" class="indexterm"></a><div class="para">
				Entitlements are available to a system based on whether the software is <span class="emphasis"><em>compatible</em></span> with the system's architecture. For example, there are different products and subscriptions for 32-bit and 64-bit platforms. Red Hat Subscription Manager determines compatibility by collecting a range of facts about the system's hardware and architecture and then comparing it with all available entitlements.
			</div><div class="para">
				The collected facts can be viewed, updated to acknowledge a hardware or configuration change, or overridden to force compatibility in the specified areas.
			</div><div class="para">
				The system facts are very similar to the information in <code class="filename">/etc/redhat-release</code> or <code class="filename">/etc/sysconfig</code>. In both the Red Hat Subscription Manager GUI and CLI, the facts are represented as simple <span class="emphasis"><em>attribute: value</em></span> pairs.
			</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
					Updating the facts resends the information about the system to the Red Hat subscription service so that it can update the list of subscriptions which match the system architecture. Updating the facts is a very good thing to do after hardware upgrades or other important system changes.
				</div></div></div><div class="section" id="rhsm-facts-gui"><div class="titlepage"><div><div><h4 class="title" id="rhsm-facts-gui">14.14.10.1. Checking Facts from the Red Hat Subscription Manager UI</h4></div></div></div><a id="id877296" class="indexterm"></a><a id="id877312" class="indexterm"></a><a id="id877328" class="indexterm"></a><div class="orderedlist"><ol><li class="listitem"><div class="para">
							Launch the Red Hat Subscription Manager GUI. For example:
						</div><pre class="screen">subscription-manager-gui</pre></li><li class="listitem"><div class="para">
							In the <span class="guilabel"><strong>Tools</strong></span> at the top of the window, click the <span class="guibutton"><strong>View System Facts</strong></span> button.
						</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-view-facts.png" /></div></div></li><li class="listitem"><div class="para">
							All of the current facts for the system are listed in the table, broken down into categories. Each category is in a closed list; to reveal all of the facts in that category, click the arrow by the category name.
						</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-facts.png" width="444" /></div></div><div class="para">
							To update the facts, click the <span class="guibutton"><strong>Update Facts</strong></span> button in the bottom right of the window.
						</div></li></ol></div></div><div class="section" id="rhsm-facts-cmd"><div class="titlepage"><div><div><h4 class="title" id="rhsm-facts-cmd">14.14.10.2. Checking Facts with subscription-manager</h4></div></div></div><a id="id877440" class="indexterm"></a><a id="id877456" class="indexterm"></a><a id="id877472" class="indexterm"></a><div class="para">
					To simply list the facts, run the <code class="command">facts</code> with the <code class="option">--list</code> option.
				</div><pre class="programlisting">[root@server1 ~]# subscription-manager facts --list

cpu.architecture: i686
cpu.core<span class="perl_Keyword">(</span>s<span class="perl_Keyword">)</span>_per_socket: 4
cpu.cpu<span class="perl_Keyword">(</span>s<span class="perl_Keyword">)</span>: 4
cpu.cpu_family: 6
cpu.cpu_mhz: 2000.010
cpu.cpu_op-mode<span class="perl_Keyword">(</span>s<span class="perl_Keyword">)</span>: 32-bit, 64-bit
cpu.cpu_socket<span class="perl_Keyword">(</span>s<span class="perl_Keyword">)</span>: 1
cpu.l1d_cache: 32K
cpu.l1i_cache: 32K
cpu.l2_cache: 6144K
cpu.model: 23
cpu.stepping: 6
cpu.thread<span class="perl_Keyword">(</span>s<span class="perl_Keyword">)</span>_per_core: 1
cpu.vendor_id: GenuineIntel
cpu.virtualization: VT-x
distribution.<span class="perl_BString">id</span>: Santiago
distribution.name: <span class="perl_BString">Red</span> Hat Enterprise Linux Workstation
distribution.version: 5
dmi.baseboard.manufacturer: IBM
dmi.baseboard.product_name: Server Blade
... [snip] ...</pre><div class="para">
					To update the facts after a system change, use the <code class="option">--update</code> option with the <code class="command">facts</code> command.
				</div><pre class="programlisting">[root@server1 ~]# subscription-manager facts --update</pre></div><div class="section" id="rhsm-facts-overriding"><div class="titlepage"><div><div><h4 class="title" id="rhsm-facts-overriding">14.14.10.3. Overriding the Default System Facts</h4></div></div></div><a id="id877540" class="indexterm"></a><a id="id877556" class="indexterm"></a><a id="id877572" class="indexterm"></a><div class="para">
					The system facts, as collected, are stored in <code class="filename">/var/lib/rhsm/facts/facts.facts</code>. These facts are stored as <span class="emphasis"><em>attribute: value</em></span> pairs, in a comma-separated list.
				</div><pre class="programlisting">{"fact1": "value1","fact2": "value2"}</pre><div class="para">
					The primary file is generated and maintained by the Subscription Manager service. However, these values can be overridden to force architecture or platform compatibility (and thereby widening the available compatible subscriptions) by creating additional JSON facts files and dropping them in the <code class="filename">/etc/rhsm/facts</code> directory. These JSON files can override existing facts or even add new facts to be used by the subscription service.
				</div><div class="example" id="ex.facts-file"><h6>Example 14.12. Example Facts Override File</h6><div class="example-contents"><pre class="programlisting">vim /etc/rhsm/facts/my-example.<span class="perl_Function">facts</span>

{<span class="perl_String">"uname.machine"</span>: <span class="perl_String">"x86"</span>,<span class="perl_String">"kernel_version"</span>: <span class="perl_String">"2.6.32"</span>,<span class="perl_String">"physical_location"</span>: <span class="perl_String">"MTV colo rack 5"</span>}</pre></div></div><br class="example-break" /></div></div><div class="section" id="regen-certs-cli"><div class="titlepage"><div><div><h3 class="title" id="regen-certs-cli">14.14.11. Regenerating Identity Certificates</h3></div></div></div><div class="para">
				To regenerate the consumer's identity certificate (meaning it is revoked and replaced), use the <code class="command">identity</code> command. Although not required, using the <code class="option">--force</code> option will require the username and password and will cause the Subscription Manager to prompt for the credentials if they are not passed in the command:
			</div><pre class="programlisting">[root@server1 ~]# subscription-manager identity --regenerate --force
Username: jsmith@example.com
Password:
Identity certificate has been regenerated.</pre></div><div class="section" id="getting-system-uuid"><div class="titlepage"><div><div><h3 class="title" id="getting-system-uuid">14.14.12. Getting the System UUID</h3></div></div></div><a id="id877677" class="indexterm"></a><a id="id877689" class="indexterm"></a><a id="id877701" class="indexterm"></a><div class="para">
				The consumer or system UUID is a unique identifier used in the inventory subscription service. This UUID can be used to re-register the system if there is some kind of corruption or for internal tracking. In the GUI (<a class="xref" href="#rhsm-facts-gui">Section 14.14.10.1, “Checking Facts from the Red Hat Subscription Manager UI”</a>), this is listed as one of the system facts, under the system category:
			</div><div class="informalfigure"><div class="mediaobject"><img src="images/rhsm-system-uuid.png" width="444" /></div></div><div class="para">
				From the command-line, use the <code class="command">identity</code> command to return the current UUID. The UUID is the <span class="guilabel"><strong>Current identity is</strong></span> value.
			</div><pre class="screen">[root@server1 ~]# subscription-manager identity
Current identity is: 63701087-f625-4519-8ab2-633bb50cb261
name: server1.example.com
org name: 6340056
org id: 8a85f981302cbaf201302d89931e059a</pre></div><div class="section" id="rhsm-package-profiles"><div class="titlepage"><div><div><h3 class="title" id="rhsm-package-profiles">14.14.13. Viewing Package Profiles</h3></div></div></div><div class="para">
				A <span class="emphasis"><em>package profile</em></span> is the list of installed packages on a system (regardless of its subscription status). Red Hat Subscription Manager maintains a local list of installed packages to track the subscription status of the system. The package profile contains some general information about each package in the list:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Package name
					</div></li><li class="listitem"><div class="para">
						Package version
					</div></li><li class="listitem"><div class="para">
						Epoch
					</div></li><li class="listitem"><div class="para">
						Publisher
					</div></li></ul></div><div class="para">
				This package manifest is always visible locally in the <span class="guilabel"><strong>My Installed Software</strong></span> tab of the UI or by using the <code class="command">list --installed</code> command with the command-line tools.
			</div><div class="para">
				The Subscription Manager daemon, <code class="command">rhsmcertd</code>, checks the system periodically — once when it is first registered and then when it runs a refresh operation every four hours — to get the most current list of installed products. When the system is registered and then whenever there is a change to the package list, Subscription Manager sends an updated package profile to the subscription service.
			</div><div class="para">
				The package profile is stored in a cache file in <code class="filename">/var/lib/rhsm/packages/</code>.
			</div><div class="para">
				Having an updated package profile for a system helps the subscription service identify compatible subscriptions.
			</div></div><div class="section" id="consumerid"><div class="titlepage"><div><div><h3 class="title" id="consumerid">14.14.14. Retrieving the Consumer ID, Registration Tokens, and Other Information</h3></div></div></div><a id="id877864" class="indexterm"></a><a id="id877876" class="indexterm"></a><div class="para">
				Some pieces of information are used frequently when managing entitlements using the <code class="command">subscription-manager</code> script. Information like the consumer ID or subscription pool ID is pulled up and referenced automatically in the Red Hat Subscription Manager UI, but it has to be entered manually in the command line.
			</div><div class="para">
				<a class="xref" href="#tab.ents-information">Table 14.9, “Locations and Descriptions of Entitlement Data”</a> lists common information that is used to manage subscriptions, the operations they're used in, and the places to find the data.
			</div><div class="table" id="tab.ents-information"><h6>Table 14.9. Locations and Descriptions of Entitlement Data</h6><div class="table-contents"><table summary="Locations and Descriptions of Entitlement Data" border="1"><colgroup><col width="25%" /><col width="25%" /><col width="25%" /><col width="25%" /></colgroup><thead><tr><th>
								Information
							</th><th>
								Description
							</th><th>
								Operations Used In
							</th><th>
								Find It In ...
							</th></tr></thead><tbody><tr><td>
								Consumer ID
							</td><td>
								A unique identifier for each system that is registered to the subscription service.
							</td><td>
								identity
							</td><td>
								The simplest method is to use the <code class="command">identity</code> command to return the current UUID. 
<pre class="screen">[root@server1 ~]# subscription-manager identity
Current identity is: 63701087-f625-4519-8ab2-633bb50cb261
name: consumer-1.example.com
org name: 6340056
org id: 8a85f981302cbaf201302d89931e059a</pre>
								 The Subject CN element of the identity certificate for the system, <code class="filename">/etc/pki/consumer/cert.pem</code>. The UUID can also be returned by using <code class="command">openssl</code> to pretty-print the certificate. 
<pre class="screen">openssl x509 -text -in /etc/pki/consumer/cert.pem

Certificate:
... snip ...
Subject: CN=7d133d55 876f 4f47 83eb 0ee931cb0a97</pre>

</td></tr><tr><td>
								Pool ID
							</td><td>
								An identifier for a specific set of subscriptions. This set is created when subscriptions are purchased. Whenever a system needs to subscribe to a product, it references a pool ID to identify which purchased set of subscriptions to use.
							</td><td>
								subscribe
							</td><td>
								The <code class="command">PoolID</code> value given for a product when listing available subscriptions. For example: 
<pre class="screen">[root@server1 ~]# subscription-manager list --available
+----------------------+
Available Subscriptions
+----------------------+
ProductName: Red Hat Enterprise Linux, Standard (up to 2 sockets) 3 year
ProductId: MCT0346F3
PoolId: ff8080812bc382e3012bc3845ca000cb
Quantity: 2
Expires: 2011-02-28</pre>

</td></tr><tr><td>
								Product certificate serial number
							</td><td>
								The identification used for a specific, installed product. A certificate with a unique serial number is generated when a product is installed; this serial number is used to identify that specific product installation when managing subscriptions.
							</td><td>
								unsubscribe
							</td><td>
								The SerialNumber line in the product subscription information. This can be returned by running <code class="command">list --consumed</code>. 
<pre class="programlisting">[root@server1 ~]# subscription-manager list --consumed

+-----------------------------+
Consumed Product Subscriptions
+-----------------------------+

ProductName: High availability <span class="perl_Keyword">(</span>cluster suite<span class="perl_Keyword">)</span>
ContractNumber: 0
SerialNumber: 11287514358600162
....</pre>

</td></tr><tr><td>
								Product ID
							</td><td>
								The internal identifier used to identify a type of product.
							</td><td>

</td><td>
								The <code class="command">ProductID</code> value given for a product when listing available subscriptions. For example: 
<pre class="screen">[root@server1 ~]# subscription-manager list --available
+----------------------+
Available Subscriptions
+----------------------+

ProductName: RHEL for Physical Servers
ProductId: MKT-rhel-server
... snip ...</pre>

</td></tr></tbody></table></div></div><br class="table-break" /></div></div><div class="section" id="entitlement-certificates"><div class="titlepage"><div><div><h2 class="title" id="entitlement-certificates">14.15. About Certificates and Managing Entitlements</h2></div></div></div><a id="id878103" class="indexterm"></a><a id="id878115" class="indexterm"></a><div class="para">
			Part of managing subscriptions requires verifying the <span class="emphasis"><em>identity</em></span> of everything involved, such as the system, the subscription service, and the available products. The subscription service uses X.509 certificates to handle the identity and authentication aspects of the subscription service. These X.509 certificates also contain the actual data about available subscriptions and installed products.
		</div><div class="para">
			The first time a system is subscribed to a subscription, it downloads a certificate from the subscription service. The entitlement certificate contains all of the information about products that are available through that subscription. The entitlement certificate is revoked and reissued any time there is a change in the subscriptions for an organization. Once a product is actually installed on a machine, then another certificate is issued to manage the entitlements for the product on the system.
		</div><div class="para">
			Each certificate issued and used by the Subscription Manager services is a <code class="filename">.pem</code> formatted file. This file format stores both keys and certificates in a base-64 blob. For example:
		</div><pre class="programlisting">-----BEGIN CERTIFICATE-----
MIIDaTCCAtKgAwIBAgICBZYwDQYJKoZIhvcNAQEFBQAwSzEqMCgGA1UEAxMhY2Fu
ZGxlcGluMS5kZXZsYWIucGh4MS5yZWRoYXQuY29tMQswCQYDVQQGEwJVUzEQMA4G
A1UEBxMHUmFsZWlnaDAeFw0xMDEwMDYxNjMyMDVaFw0xMTEwMDYyMzU5NTlaMC8x
LTArBgNVBAMMJDQ4ODFiZDJmLTg2OGItNDM4Yy1hZjk2LThiMWQyODNkYWZmYzCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKNyLw6+IMtjY03F7Otxj2GL
GTz5VKx1kfWY7q4OD4w+XlBHTkt+2tQV9S+4TFkUZ7XoI80LDL/BONpy/gq5c5cw
yKvjv2gjSS/pihgYNXc5zUOIfSj1vb3fHGHOkzdCcZMyWq1z0N/zaLClp/zP/pcM
og4NTAg2niNPjFYvkQ+oIl16WmQpefM0y0SY7N7oJd2T8dZjOiuLV2cVZLfwjrwG
9UpkT2J03g+n1ZA9q95ibLD5NVOdTy9+2lfRhdDViZaVoFiQXvg86qBHQ0ieENuF
a6bCvGgpTxcBuVXmsnl2+9dnMiwoDqPZp1HB6G2uNmyNe/IvkTOPFJ/ZVbtBTYUC
AwEAAaOB8zCB8DARBglghkgBhvhCAQEEBAMCBaAwCwYDVR0PBAQDAgSwMHsGA1Ud
IwR0MHKAFGiY1N2UtulxcMFy0j6gQGLTyo6CoU+kTTBLMSowKAYDVQQDEyFjYW5k
bGVwaW4xLmRldmxhYi5waHgxLnJlZGhhdC5jb20xCzAJBgNVBAYTAlVTMRAwDgYD
VQQHEwdSYWxlaWdoggkA1s54sVacN0EwHQYDVR0OBBYEFGbB5fqOzh32g4Wqrwhc
/96IupIgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdEQQWMBSkEjAQMQ4wDAYD
VQQDDAV4ZW9wczANBgkqhkiG9w0BAQUFAAOBgQANxHRsev4fYfnHO9kYcHo4UeK7
owN+fq92gl76iRHRnhzkPlhWL+uV2tyqGG9zJASOX+qEDOqN5sVAB4iNQTDGiUbK
z757igD2hsQ4ewv9Vq3QtnajWnfdaUZH919GgWs09Etg6ucsKwgfx1fqjSRLBbOo
lZuvBTYROOX6W2vKXw==
-----END CERTIFICATE-----</pre><div class="para">
			Tools like <code class="command">openssl</code> or <code class="command">pk12util</code> can be used to extract and view information from these certificates, in a pretty-print format. The product- and subscription-related information is extracted and viewable in the Red Hat Subscription Manager GUI or command-line tools.
		</div><div class="para">
			This section describes the different certificates used by the subscription service and the entitlement information contained in those certificates. A much more detailed description of X.509 certificates and a public key infrastructure (PKI) is given in the Red Hat Certificate System documentation in <a href="http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Deployment_Guide/Introduction_to_Public_Key_Cryptography.html">chapter 1, "Introduction to Public-Key Cryptography,"</a> in the <em class="citetitle">Red Hat Certificate System Deployment Guide</em>.
		</div><a id="id878201" class="indexterm"></a><a id="id878217" class="indexterm"></a><div class="table" id="tab.entitlements-certificate-types"><h6>Table 14.10. Types of Certificates Used for Content and Entitlements</h6><div class="table-contents"><table summary="Types of Certificates Used for Content and Entitlements" border="1"><colgroup><col width="33%" /><col width="33%" /><col width="33%" /></colgroup><thead><tr><th>
							Certificate Type
						</th><th>
							Description
						</th><th>
							Default Location
						</th></tr></thead><tbody><tr><td>
							Consumer Identity Certificate
						</td><td>
							Used to identify the system (consumer) to the subscription service. This contains a unique ID which is assigned to the system when it is registered to the system. The identity certificate itself is generated by the subscription service when the system is registered and then sent to the consumer.
						</td><td>
							/etc/pki/consumer
						</td></tr><tr><td>
							Entitlement Certificate
						</td><td>
							Contains a list of products that are available to a system to install, based on the subscriptions that the system has been subscribed to. The entitlement certificate defines the software products, the content delivery location, and validity dates. The presence of an entitlement certificate means that the system has consumed one of the quantities from the subscription.
						</td><td>
							/etc/pki/entitlement
						</td></tr><tr><td>
							Product Certificate
						</td><td>
							Contains the information about a product after it has been installed.
						</td><td>
							/etc/pki/product/<em class="replaceable"><code>product_serial#</code></em>.pem
						</td></tr><tr><td>
							CA Certificate
						</td><td>
							A certificate for the certificate authority which issued the SSL server certificate used by the subscription service. This must be installed on a system for the system to use SSl to connect to the subscription service.
						</td><td>
							/etc/rhsm/ca/candlepin-ca.pem
						</td></tr><tr><td>
							Satellite Certificate
						</td><td>
							An XML-formatted certificate which contains a product list. This is used by local Satellite 5.x systems, not the newer subscription service.
						</td><td>

</td></tr></tbody></table></div></div><br class="table-break" /><div class="section" id="structure-of-identity-certs"><div class="titlepage"><div><div><h3 class="title" id="structure-of-identity-certs">14.15.1. The Structure of Identity Certificates</h3></div></div></div><a id="id878372" class="indexterm"></a><a id="id878388" class="indexterm"></a><div class="para">
				An identity certificate is a standard SSL client certificate. This certificate is issued by the subscription service when the system registers to it. The system consumer subsequently uses this certificate to authenticate to the subscription service whenever it contacts the service after registration.
			</div><div class="para">
				The certificate contains three important pieces of information:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						The consumer UUID, in the subject CN of the certificate
					</div></li><li class="listitem"><div class="para">
						The subscription service which the system is registered to, in the issuer field of the certificate
					</div></li><li class="listitem"><div class="para">
						The user account which registered the system, as the DirName value in the Subject Alt Name
					</div></li></ul></div><div class="para">
				The validity period of this certificate is associated with the time when the system was registered, not to any subscription contract periods or user account settings.
			</div><div class="example" id="ex.identity-certs"><h6>Example 14.13. Identity Certificate</h6><div class="example-contents"><pre class="programlisting">Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1430 (0x596)
        Signature Algorithm: sha1WithRSAEncryption
        <strong class="userinput"><code>Issuer: CN=entitlement.server.example.com, C=US, L=Raleigh</code></strong>  
        Validity
            Not Before: Oct  6 16:32:05 2010 GMT
            Not After : Oct  6 23:59:59 2011 GMT
        <strong class="userinput"><code>Subject: CN=4881bd2f-868b-438c-af96-8b1d283daffc</code></strong>  
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a3:72:2f:0e:be:20:cb:63:63:4d:c5:ec:eb:71:
                    8f:61:8b:19:3c:f9:54:ac:75:91:f5:98:ee:ae:0e:
                    0f:8c:3e:5e:50:47:4e:4b:7e:da:d4:15:f5:2f:b8:
                    4c:59:14:67:b5:e8:23:cd:0b:0c:bf:c1:38:da:72:
                    fe:0a:b9:73:97:30:c8:ab:e3:bf:68:23:49:2f:e9:
                    8a:18:18:35:77:39:cd:43:88:7d:28:f5:bd:bd:df:
                    1c:61:ce:93:37:42:71:93:32:5a:ad:73:d0:df:f3:
                    68:b0:a5:a7:fc:cf:fe:97:0c:a2:0e:0d:4c:08:36:
                    9e:23:4f:8c:56:2f:91:0f:a8:22:5d:7a:5a:64:29:
                    79:f3:34:cb:44:98:ec:de:e8:25:dd:93:f1:d6:63:
                    3a:2b:8b:57:67:15:64:b7:f0:8e:bc:06:f5:4a:64:
                    4f:62:74:de:0f:a7:d5:90:3d:ab:de:62:6c:b0:f9:
                    35:53:9d:4f:2f:7e:da:57:d1:85:d0:d5:89:96:95:
                    a0:58:90:5e:f8:3c:ea:a0:47:43:48:9e:10:db:85:
                    6b:a6:c2:bc:68:29:4f:17:01:b9:55:e6:b2:79:76:
                    fb:d7:67:32:2c:28:0e:a3:d9:a7:51:c1:e8:6d:ae:
                    36:6c:8d:7b:f2:2f:91:33:8f:14:9f:d9:55:bb:41:
                    4d:85
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type:
                SSL Client, S/MIME
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Authority Key Identifier:
                keyid:68:98:D4:DD:94:B6:E9:71:70:C1:72:D2:3E:A0:40:62:D3:CA:8E:82
                DirName:/CN=entitlement.server.example.com/C=US/L=Raleigh
                serial:D6:CE:78:B1:56:9C:37:41

X509v3 Subject Key Identifier:
                66:C1:E5:FA:8E:CE:1D:F6:83:85:AA:AF:08:5C:FF:DE:88:BA:92:20
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            <strong class="userinput"><code>X509v3 Subject Alternative Name:</code></strong>  
                <strong class="userinput"><code>DirName:/CN=admin-example</code></strong>  
    Signature Algorithm: sha1WithRSAEncryption
        0d:c4:74:6c:7a:fe:1f:61:f9:c7:3b:d9:18:70:7a:38:51:e2:
        bb:a3:03:7e:7e:af:76:82:5e:fa:89:11:d1:9e:1c:e4:3e:58:
        56:2f:eb:95:da:dc:aa:18:6f:73:24:04:8e:5f:ea:84:0c:ea:
        8d:e6:c5:40:07:88:8d:41:30:c6:89:46:ca:cf:be:7b:8a:00:
        f6:86:c4:38:7b:0b:fd:56:ad:d0:b6:76:a3:5a:77:dd:69:46:
        47:f7:5f:46:81:6b:34:f4:4b:60:ea:e7:2c:2b:08:1f:c7:57:
        ea:8d:24:4b:05:b3:a8:95:9b:af:05:36:11:38:e5:fa:5b:6b:
        ca:5f</pre></div></div><br class="example-break" /></div><div class="section" id="structure-of-ent-certificates"><div class="titlepage"><div><div><h3 class="title" id="structure-of-ent-certificates">14.15.2. The Structure of Entitlement Certificates</h3></div></div></div><a id="id878513" class="indexterm"></a><a id="id878529" class="indexterm"></a><div class="para">
				An entitlement is analogous to an assigned software license. <span class="emphasis"><em>Entitlement certificates</em></span> contain a list of available products for a system — software that the system has been granted rights to download and update. When a system is subscribed to a subscription pool, the system pulls down the entitlement certificate from the subscription service, which contains all of the information about available products.
			</div><div class="para">
				An entitlement certificate contains a list of every <span class="emphasis"><em>potential</em></span> product from every potential content source. The structure of the entitlement certificate, then, allows multiple namespaces, each, for products, content servers, roles, orders, and systems. An entitlement certificate also contains <span class="emphasis"><em>complete</em></span> information about the subscribed pool, even for products which may not be compatible with the specific system. In an entitlement certificate, the architecture and version definitions contain all of the <span class="emphasis"><em>allowed</em></span> architectures and versions.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					The local Subscription Manager polls the subscription service routinely (every four hours by default) to check for changes in the entitlements. When a subscription is changed in some way, then the original entitlement certificate is revoked and is replaced with a new entitlement certificate.
				</div></div></div><div class="para">
				The entitlement certificate is a <code class="filename">*.pem</code> file stored in the entitlement certificates directory, <code class="filename">/etc/pki/entitlement</code>. The name of the <code class="filename">*.pem</code> file is a generated numeric identifier that is generated by the subscription service. This ID is an inventory number that is used to associate a subscription quantity with the system in the software inventory.
			</div><div class="para">
				The heading of the certificate contains the name of the subscription service which issued it, the validity period of the certificate (which is tied to the installation date of the product), and then the serial number of the installation of the product.
			</div><pre class="programlisting">Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3c:da:6c:06:90:7f:ff
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=candlepin1.devlab.phx1.redhat.com, C=US, L=Raleigh
        Validity
            Not Before: Oct  8 17:55:28 2010 GMT
            Not After : Oct  2 23:59:59 2011 GMT
        Subject: CN=8a878c912b875189012b8cfbc3f2264a
... [snip] ...</pre><div class="para">
				The key definition of the product is given in custom certificate extensions that are appended to the certificate. Each <span class="emphasis"><em>namespace</em></span> defines certain information about a product, including its name, content servers which can deliver it, the format of delivery, and a GPG key to identify the release. Every individual entry is identified by a numeric object identifier (OID) with the same basic format:
			</div><pre class="programlisting">1.3.6.1.4.1.2312.9.<strong class="userinput"><code>2</code></strong>.<em class="replaceable"><code>product_#</code></em>.<em class="replaceable"><code>config_#</code></em>:
   ..<em class="replaceable"><code>config_value</code></em></pre><div class="para">
				The <code class="command">2</code> indicates that it is a product entry. <span class="emphasis"><em>product_#</em></span> is a unique ID which identifies the specific product or variant. <span class="emphasis"><em>config_#</em></span> relates to the installation information for that product, like its content server or the quantity available.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					Every entitlements-related extension begins with the OID base <code class="command">1.3.6.1.4.1.2312.9</code>. The subsequent numbers identify different subscription areas:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">.2.</code> is the product-specific information
						</div></li><li class="listitem"><div class="para">
							<code class="command">.1.</code> is the subscription information
						</div></li><li class="listitem"><div class="para">
							<code class="command">.4.</code> contains the contract information, like its ID number and start and end dates
						</div></li><li class="listitem"><div class="para">
							<code class="command">.5.</code> contains the consumer information, like the consumer ID which installed a product
						</div></li></ul></div></div></div><div class="para">
				A product definition contains a series of entries which configure all of the information required to identify and install the product. Each type of information has its own ID, the <span class="emphasis"><em>config_#</em></span> in the OID, that is used consistently for all products. An example product is listed in <a class="xref" href="#ex.product-extensions">Example 14.14, “Annotated Red Hat Enterprise Linux High Availability Product Extensions in an Entitlement Certificate”</a>.
			</div><div class="example" id="ex.product-extensions"><h6>Example 14.14. Annotated Red Hat Enterprise Linux High Availability Product Extensions in an Entitlement Certificate</h6><div class="example-contents"><pre class="programlisting">
            <em class="replaceable"><code>content repository type</code></em>  
            1.3.6.1.4.1.2312.9.2.30393.1:
                ..yum
            <em class="replaceable"><code>product</code></em>  
            1.3.6.1.4.1.2312.9.2.30393.1.1:
                .HRed Hat Enterprise Linux High Availability (for RHEL Entitlement) (RPMs)
            <em class="replaceable"><code>channel name</code></em>  
            1.3.6.1.4.1.2312.9.2.30393.1.2:
                .Dred-hat-enterprise-linux-high-availability-for-rhel-entitlement-rpms
            <em class="replaceable"><code>vendor</code></em>  
            1.3.6.1.4.1.2312.9.2.30393.1.5:
                ..Red Hat
            <em class="replaceable"><code>download URL</code></em>  
            1.3.6.1.4.1.2312.9.2.30393.1.6:
                .Q/content/dist/rhel/entitlement/releases/$releasever/$basearch/highavailability/os
            <em class="replaceable"><code>key download URL</code></em>  
            1.3.6.1.4.1.2312.9.2.30393.1.7:
                .2file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
            <em class="replaceable"><code>flex quantity</code></em>  
            1.3.6.1.4.1.2312.9.2.30393.1.4:
                ..0
            <em class="replaceable"><code>quantity</code></em>  
            1.3.6.1.4.1.2312.9.2.30393.1.3:
                ..25
            <em class="replaceable"><code>repo enabled setting</code></em>  
            1.3.6.1.4.1.2312.9.2.30393.1.8:
                ..1</pre></div></div><br class="example-break" /></div><div class="section" id="structure-of-product-certificates"><div class="titlepage"><div><div><h3 class="title" id="structure-of-product-certificates">14.15.3. The Structure of Product Certificates</h3></div></div></div><a id="id878820" class="indexterm"></a><a id="id878836" class="indexterm"></a><div class="para">
				The products that are installed on a system through the subscriptions assigned to a system are identified by X.509 certificates. When an available product is installed, the subscription service generates a <span class="emphasis"><em>product certificate</em></span>, which contains the information about the product contract and the specific installation.
			</div><div class="para">
				Structurally, entitlement certificates and product certificates are very similar, because they both provide much of the same information about products. The main difference is that a product certificate contains information about a single product that has been installed, so no other subscription information (like other available products or other product versions) is included in a product certificate the way that it is in an entitlement certificate.
			</div><div class="para">
				A product certificate contains a single product namespace (meaning, a single product definition) which shows only <span class="emphasis"><em>what is actually installed on the system</em></span>. The architecture and version definitions in a product certificate reflect the architecture and version of the product that is actually installed.
			</div><div class="para">
				The product certificate is a <code class="filename">*.pem</code> file stored in the entitlement certificates directory, <code class="filename">/etc/pki/product/<em class="replaceable"><code>product_serial#</code></em>.pem</code>. The name of the <code class="filename">*.pem</code> file is a generated numeric identifier that is generated by the subscription service. As with entitlement tracking, the generated ID is an inventory number, used to track installed products and associate them with systems within the subscription service.
			</div></div><div class="section" id="sat-certs"><div class="titlepage"><div><div><h3 class="title" id="sat-certs">14.15.4. Anatomy of Satellite Certificates</h3></div></div></div><a id="id878912" class="indexterm"></a><a id="id878928" class="indexterm"></a><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					Satellite certificates are used by Satellite 5.x deployments. They are not used on Red Hat Enterprise Linux 5.7 or by the subscription service.
				</div></div></div><div class="para">
				Every system has to have a secure, authoritative way to identify what subscriptions are available. For Satellite 5.x systems, this identification is done through a digitally-signed XML document that lists the products and quantities that a customer has purchased.
			</div><div class="para">
				As with entitlement certificates, a Satellite certificate contains the information about the subscription that was purchased, including the total number of systems that can be registered against that subscription and its start and end dates.
			</div><div class="para">
				There are two types of subscriptions:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="emphasis"><em>System entitlements</em></span> are subscriptions for services that can be performed, such as monitoring, provisioning, and virtualization.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Channel entitlements</em></span>, or <span class="emphasis"><em>content entitlements</em></span>, provide access to the different software product download channels on Red Hat Network. These include Red Hat Enterprise Linux add-ons like Supplementary and FastTrack and layered products like Red Hat Directory Server.
					</div></li></ul></div><div class="para">
				Both types can be included in a single Satellite certificate.
			</div><div class="para">
				A system entitlement and the metadata for an entitlement are both configured similarly in the certificate:
			</div><pre class="programlisting"><span class="perl_Keyword">&lt;rhn-cert-field</span><span class="perl_Others"> name=</span><span class="perl_String">"configuration_area"</span><span class="perl_Keyword">&gt;</span>value<span class="perl_Keyword">&lt;/rhn-cert-field&gt;</span></pre><div class="para">
				The <code class="option">name</code> argument identifies what entity is being configured. This can be the organization which ordered the subscription (<code class="option">name="owner"</code>), the start and end dates for the entitlement (<code class="option">name="issued"</code> and <code class="option">name="expires"</code>), or the entitlement itself. A system entitlement uses the <code class="option">name</code> argument to set the service being entitled; every content entitlement is set as a <code class="option">name="channel-family"</code> type, with the specific product identified in an additional <code class="option">family</code> argument.
			</div><div class="para">
				The first section of the Satellite certificate is the metadata. The metadata identifies the organization which purchased it and the start and end dates of the entitlement. The field being set is in the <code class="option">name</code> argument, while the value is between the tags. The last lines of the certificate also set metadata for the subscription, including the version of the Satellite and the signature that signs the XML document (and allows the XML file to be used as a certificate).
			</div><pre class="programlisting">
  <span class="perl_Keyword">&lt;rhn-cert-field</span><span class="perl_Others"> name=</span><span class="perl_String">"product"</span><span class="perl_Keyword">&gt;</span>RHN-SATELLITE-001<span class="perl_Keyword">&lt;/rhn-cert-field&gt;</span>
  <span class="perl_Keyword">&lt;rhn-cert-field</span><span class="perl_Others"> name=</span><span class="perl_String">"owner"</span><span class="perl_Keyword">&gt;</span>Example Corp<span class="perl_Keyword">&lt;/rhn-cert-field&gt;</span>
  <span class="perl_Keyword">&lt;rhn-cert-field</span><span class="perl_Others"> name=</span><span class="perl_String">"issued"</span><span class="perl_Keyword">&gt;</span>2009-04-07 10:18:33<span class="perl_Keyword">&lt;/rhn-cert-field&gt;</span>
  <span class="perl_Keyword">&lt;rhn-cert-field</span><span class="perl_Others"> name=</span><span class="perl_String">"expires"</span><span class="perl_Keyword">&gt;</span>2009-11-25 00:00:00<span class="perl_Keyword">&lt;/rhn-cert-field&gt;</span>

... [snip] ...

<span class="perl_Keyword">&lt;rhn-cert-field</span><span class="perl_Others"> name=</span><span class="perl_String">"satellite-version"</span><span class="perl_Keyword">&gt;</span>5.3<span class="perl_Keyword">&lt;/rhn-cert-field&gt;</span>
  <span class="perl_Keyword">&lt;rhn-cert-field</span><span class="perl_Others"> name=</span><span class="perl_String">"generation"</span><span class="perl_Keyword">&gt;</span>2<span class="perl_Keyword">&lt;/rhn-cert-field&gt;</span>
  <span class="perl_Keyword">&lt;rhn-cert-signature&gt;</span>
-----BEGIN PGP SIGNATURE-----
Version: Crypt::OpenPGP 1.03

iQBGBAARAwAGBQJJ22C+AAoJEJ5ynaAAAAkyyZ0An18+4hK5Ozt4HWieFvahsTnF
aPcaAJ0e5neOfdDZRLOgDE+Tp/Im3Hc3Rg==
=gqP7
-----END PGP SIGNATURE-----
<span class="perl_Keyword">&lt;/rhn-cert-signature&gt;</span></pre><div class="para">
				The <code class="option">name="slot"</code> field lists how many <span class="emphasis"><em>total</em></span> systems are allowed to use this Satellite certificate to receive content. It is a global quantity.
			</div><pre class="programlisting">  <span class="perl_Keyword">&lt;rhn-cert-field</span><span class="perl_Others"> name=</span><span class="perl_String">"slots"</span><span class="perl_Keyword">&gt;</span>119<span class="perl_Keyword">&lt;/rhn-cert-field&gt;</span></pre><div class="para">
				The system entitlements are set by identifying the service type in the <code class="option">name</code> argument and then setting the quantity as the value within the tags.
			</div><pre class="programlisting">  <span class="perl_Keyword">&lt;rhn-cert-field</span><span class="perl_Others"> name=</span><span class="perl_String">"provisioning-slots"</span><span class="perl_Keyword">&gt;</span>117<span class="perl_Keyword">&lt;/rhn-cert-field&gt;</span>
  <span class="perl_Keyword">&lt;rhn-cert-field</span><span class="perl_Others"> name=</span><span class="perl_String">"monitoring-slots"</span><span class="perl_Keyword">&gt;</span>20<span class="perl_Keyword">&lt;/rhn-cert-field&gt;</span>
  <span class="perl_Keyword">&lt;rhn-cert-field</span><span class="perl_Others"> name=</span><span class="perl_String">"virtualization_host"</span><span class="perl_Keyword">&gt;</span>67<span class="perl_Keyword">&lt;/rhn-cert-field&gt;</span></pre><div class="para">
				The content entitlements can include any combination of products, including base Red Hat Enterprise Linux subscriptions, variations of Red Hat Enterprise Linux, Red Hat Enterprise Linux add-ons, and general software products. General Red Hat Enterprise Linux server subscriptions are listed in the <code class="option">rhel-server</code> family, while a specific Virtualization Server subscription provides an additional <code class="option">rhel-server-vt</code> family..
			</div><pre class="programlisting">
  <span class="perl_Keyword">&lt;rhn-cert-field</span><span class="perl_Others"> name=</span><span class="perl_String">"channel-families"</span><span class="perl_Others"> quantity=</span><span class="perl_String">"95"</span><span class="perl_Others"> family=</span><span class="perl_String">"rhel-server"</span><span class="perl_Keyword">/&gt;</span>
  <span class="perl_Keyword">&lt;rhn-cert-field</span><span class="perl_Others"> name=</span><span class="perl_String">"channel-families"</span><span class="perl_Others"> quantity=</span><span class="perl_String">"67"</span><span class="perl_Others"> family=</span><span class="perl_String">"rhel-server-vt"</span><span class="perl_Keyword">/&gt;</span>
</pre><div class="para">
				Add-ons and products for Red Hat Enterprise Linux systems (but not necessarily operating system products) are also in a <code class="option">rhel-*</code> family, because that refers to the platform the product is supported on. In this example, Red Hat Directory Server is in the <code class="option">rhel-rhdirserv</code> family.
			</div><pre class="programlisting">
  <span class="perl_Keyword">&lt;rhn-cert-field</span><span class="perl_Others"> name=</span><span class="perl_String">"channel-families"</span><span class="perl_Others"> quantity=</span><span class="perl_String">"3"</span><span class="perl_Others"> family=</span><span class="perl_String">"rhel-rhdirserv"</span><span class="perl_Keyword">/&gt;</span>
</pre><div class="para">
				Most subscriptions will also include a subscription tool set to manage and enable within clients features such as provisioning or configuration management when registered to RHN Classic or Satellite 5.x.
			</div><pre class="programlisting">
  <span class="perl_Keyword">&lt;rhn-cert-field</span><span class="perl_Others"> name=</span><span class="perl_String">"channel-families"</span><span class="perl_Others"> quantity=</span><span class="perl_String">"212"</span><span class="perl_Others"> family=</span><span class="perl_String">"rhn-tools"</span><span class="perl_Keyword">/&gt;</span>
</pre></div></div></div></div><div class="part" id="pt-network-related-config"><div class="titlepage"><div><div><h1 class="title">Part III. Network-Related Configuration</h1></div></div></div><div class="partintro" id="id581097"><div></div><div class="para">
				After explaining how to configure the network, this part discusses topics related to networking such as how to allow remote logins, share files and directories over the network, and set up a Web server.
			</div><div class="toc"><p><strong>Table of Contents</strong></p><dl><dt><span class="chapter"><a href="#ch-networkscripts">15. Network Interfaces</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-networkscripts-files">15.1. Network Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-networkscripts-interfaces">15.2. Interface Configuration Files</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-networkscripts-interfaces-eth0">15.2.1. Ethernet Interfaces</a></span></dt><dt><span class="section"><a href="#s2-networkscripts-interfaces-ipsec">15.2.2. IPsec Interfaces</a></span></dt><dt><span class="section"><a href="#s2-networkscripts-interfaces-chan">15.2.3. Channel Bonding Interfaces</a></span></dt><dt><span class="section"><a href="#s2-networkscripts-interfaces-alias">15.2.4. Alias and Clone Files</a></span></dt><dt><span class="section"><a href="#s2-networkscripts-interfaces-ppp0">15.2.5. Dialup Interfaces</a></span></dt><dt><span class="section"><a href="#s2-networkscripts-interfaces-other">15.2.6. Other Interfaces</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-networkscripts-control">15.3. Interface Control Scripts</a></span></dt><dt><span class="section"><a href="#s1-networkscripts-static-routes">15.4. Configuring Static Routes</a></span></dt><dt><span class="section"><a href="#s1-networkscripts-functions">15.5. Network Function Files</a></span></dt><dt><span class="section"><a href="#s1-networkscripts-resources">15.6. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-networkscripts-docs-inst">15.6.1. Installed Documentation</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-network-config">16. Network Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-network-config-overview">16.1. Overview</a></span></dt><dt><span class="section"><a href="#s1-network-config-ethernet">16.2. Establishing an Ethernet Connection</a></span></dt><dt><span class="section"><a href="#s1-network-config-isdn">16.3. Establishing an ISDN Connection</a></span></dt><dt><span class="section"><a href="#s1-network-config-modem">16.4. Establishing a Modem Connection</a></span></dt><dt><span class="section"><a href="#s1-network-config-xdsl">16.5. Establishing an xDSL Connection</a></span></dt><dt><span class="section"><a href="#s1-network-config-tokenring">16.6. Establishing a Token Ring Connection</a></span></dt><dt><span class="section"><a href="#s1-network-config-wireless">16.7. Establishing a Wireless Connection</a></span></dt><dt><span class="section"><a href="#s1-network-config-dns">16.8. Managing DNS Settings</a></span></dt><dt><span class="section"><a href="#s1-network-config-hosts">16.9. Managing Hosts</a></span></dt><dt><span class="section"><a href="#s1-network-profiles">16.10. Working with Profiles</a></span></dt><dt><span class="section"><a href="#s1-network-aliases">16.11. Device Aliases</a></span></dt><dt><span class="section"><a href="#s1-network-save-config">16.12. Saving and Restoring the Network Configuration</a></span></dt></dl></dd><dt><span class="chapter"><a href="#ch-services">17. Controlling Access to Services</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-services-runlevels">17.1. Runlevels</a></span></dt><dt><span class="section"><a href="#s1-services-tcp-wrappers">17.2. TCP Wrappers</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-services-xinetd">17.2.1. <code class="command">xinetd</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-services-serviceconf">17.3. <span class="application"><strong>Services Configuration Tool</strong></span></a></span></dt><dt><span class="section"><a href="#s1-services-ntsysv">17.4. <span class="application"><strong>ntsysv</strong></span></a></span></dt><dt><span class="section"><a href="#s1-services-chkconfig">17.5. <code class="command">chkconfig</code></a></span></dt><dt><span class="section"><a href="#s1-services-additional-resources">17.6. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#services-installed-docs">17.6.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#services-useful-websites">17.6.2. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-bind">18. Berkeley Internet Name Domain (BIND)</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-bind-introduction">18.1. Introduction to DNS</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-bind-introduction-zones">18.1.1. Nameserver Zones</a></span></dt><dt><span class="section"><a href="#s2-bind-introduction-nameservers">18.1.2. Nameserver Types</a></span></dt><dt><span class="section"><a href="#s2-bind-introduction-bind">18.1.3. BIND as a Nameserver</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-bind-namedconf">18.2.  <code class="filename">/etc/named.conf</code> </a></span></dt><dd><dl><dt><span class="section"><a href="#s2-bind-namedconf-state">18.2.1. Common Statement Types</a></span></dt><dt><span class="section"><a href="#s2-bind-namedconf-state-other">18.2.2. Other Statement Types</a></span></dt><dt><span class="section"><a href="#s2-bind-namedconf-comm">18.2.3. Comment Tags</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-bind-zone">18.3. Zone Files</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-bind-zone-directives">18.3.1. Zone File Directives</a></span></dt><dt><span class="section"><a href="#s3-bind-zone-rr">18.3.2. Zone File Resource Records</a></span></dt><dt><span class="section"><a href="#s2-bind-zone-examples">18.3.3. Example Zone File</a></span></dt><dt><span class="section"><a href="#s2-bind-configuration-zone-reverse">18.3.4. Reverse Name Resolution Zone Files</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-bind-rndc">18.4. Using <code class="command">rndc</code> </a></span></dt><dd><dl><dt><span class="section"><a href="#s2-bind-rndc-configuration-namedconf">18.4.1. Configuring <code class="filename">/etc/named.conf</code> </a></span></dt><dt><span class="section"><a href="#s2-bind-rndc-configuration-rndcconf">18.4.2. Configuring <code class="filename">/etc/rndc.conf</code> </a></span></dt><dt><span class="section"><a href="#s2-bind-rndc-options">18.4.3. Command Line Options</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-bind-features">18.5. Advanced Features of BIND</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-bind-features-protocol">18.5.1. DNS Protocol Enhancements</a></span></dt><dt><span class="section"><a href="#s2-bind-features-views">18.5.2. Multiple Views</a></span></dt><dt><span class="section"><a href="#s2-bind-features-security">18.5.3. Security</a></span></dt><dt><span class="section"><a href="#s2-bind-features-ipv6">18.5.4. IP version 6</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-bind-mistakes">18.6. Common Mistakes to Avoid</a></span></dt><dt><span class="section"><a href="#s1-bind-additional-resources">18.7. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-bind-installed-docs">18.7.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-bind-useful-websites">18.7.2. Useful Websites</a></span></dt><dt><span class="section"><a href="#s2-bind-related-books">18.7.3. Related Books</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-openssh">19. OpenSSH</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-ssh-intro">19.1. Features of SSH</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ssh-intro-why">19.1.1. Why Use SSH?</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ssh-version">19.2. SSH Protocol Versions</a></span></dt><dt><span class="section"><a href="#s1-ssh-conn">19.3. Event Sequence of an SSH Connection</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ssh-protocol-conn-transport">19.3.1. Transport Layer</a></span></dt><dt><span class="section"><a href="#s2-ssh-protocol-authentication">19.3.2. Authentication</a></span></dt><dt><span class="section"><a href="#s2-ssh-protocol-connection">19.3.3. Channels</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-openssh-server-config">19.4. Configuring an OpenSSH Server</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ssh-requiring">19.4.1. Requiring SSH for Remote Connections</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ssh-configfiles">19.5. OpenSSH Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-openssh-client-config">19.6. Configuring an OpenSSH Client</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-openssh-using-ssh">19.6.1. Using the <code class="command">ssh</code> Command</a></span></dt><dt><span class="section"><a href="#s2-openssh-using-scp">19.6.2. Using the <code class="command">scp</code> Command</a></span></dt><dt><span class="section"><a href="#s2-openssh-using-sftp">19.6.3. Using the <code class="command">sftp</code> Command</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ssh-beyondshell">19.7. More Than a Secure Shell</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ssh-beyondshell-x11">19.7.1. X11 Forwarding</a></span></dt><dt><span class="section"><a href="#s2-ssh-beyondshell-tcpip">19.7.2. Port Forwarding</a></span></dt><dt><span class="section"><a href="#s2-openssh-generate-keypairs">19.7.3. Generating Key Pairs</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-openssh-additional-resources">19.8. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-openssh-installed-docs">19.8.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-openssh-useful-websites">19.8.2. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-nfs">20. Network File System (NFS)</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-nfs-how">20.1. How It Works</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-nfs-how-daemons">20.1.1. Required Services</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-nfs-client-config">20.2. NFS Client Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-nfs-fstab">20.2.1. Mounting NFS File Systems using <code class="filename">/etc/fstab</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-nfs-client-config-autofs">20.3. <code class="command">autofs</code></a></span></dt><dd><dl><dt><span class="section"><a href="#s2-nfs-config-autofs-new">20.3.1. What's new in <code class="command">autofs</code> version 5?</a></span></dt><dt><span class="section"><a href="#s2-nfs-config-autofs">20.3.2. <code class="command">autofs</code> Configuration</a></span></dt><dt><span class="section"><a href="#s2-nfs-config-autofs-commontasks">20.3.3. <code class="command">autofs</code> Common Tasks</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-nfs-client-config-options">20.4. Common NFS Mount Options</a></span></dt><dt><span class="section"><a href="#s1-nfs-start">20.5. Starting and Stopping NFS</a></span></dt><dt><span class="section"><a href="#s1-nfs-server-export">20.6. NFS Server Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-nfs-export">20.6.1. Exporting or Sharing NFS File Systems</a></span></dt><dt><span class="section"><a href="#s2-nfs-command-line">20.6.2. Command Line Configuration</a></span></dt><dt><span class="section"><a href="#s2-nfs-nfs-firewall-config">20.6.3. Running NFS Behind a Firewall</a></span></dt><dt><span class="section"><a href="#s2-nfs-hostname-formats">20.6.4. Hostname Formats</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-nfs-server-config-exports">20.7. The <code class="filename">/etc/exports</code> Configuration File</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-nfs-server-config-exportfs">20.7.1. The <code class="command">exportfs</code> Command</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-nfs-security">20.8. Securing NFS</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-nfs-security-hosts">20.8.1. Host Access</a></span></dt><dt><span class="section"><a href="#s2-nfs-security-files">20.8.2. File Permissions</a></span></dt></dl></dd><dt><span class="section"><a href="#s2-nfs-methodology-portmap">20.9. NFS and <code class="command">portmap</code></a></span></dt><dd><dl><dt><span class="section"><a href="#s3-nfs-methodology-portmap-rpcinfo">20.9.1. Troubleshooting NFS and <code class="command">portmap</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-nfs-tcp">20.10. Using NFS over TCP</a></span></dt><dt><span class="section"><a href="#s1-nfs-additional-resources">20.11. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-nfs-installed-documentation">20.11.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-nfs-useful-websites">20.11.2. Useful Websites</a></span></dt><dt><span class="section"><a href="#s2-nfs-related-books">20.11.3. Related Books</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-samba">21. Samba</a></span></dt><dd><dl><dt><span class="section"><a href="#samba-rgs-overview">21.1. Introduction to Samba</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-abilities">21.1.1. Samba Features</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-daemons">21.2. Samba Daemons and Related Services</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-services">21.2.1. Samba Daemons</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-connect-share">21.3. Connecting to a Samba Share</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-connect-share-cmdline">21.3.1. Command Line</a></span></dt><dt><span class="section"><a href="#s1-samba-mounting">21.3.2. Mounting the Share</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-configuring">21.4. Configuring a Samba Server</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-configuring-gui">21.4.1. Graphical Configuration</a></span></dt><dt><span class="section"><a href="#s2-samba-configuring-cmdline">21.4.2. Command Line Configuration</a></span></dt><dt><span class="section"><a href="#s2-samba-encrypted-passwords">21.4.3. Encrypted Passwords</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-startstop">21.5. Starting and Stopping Samba</a></span></dt><dt><span class="section"><a href="#s1-samba-servers">21.6. Samba Server Types and the <code class="command">smb.conf</code> File</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-standalone">21.6.1. Stand-alone Server</a></span></dt><dt><span class="section"><a href="#s2-samba-domain-member">21.6.2. Domain Member Server</a></span></dt><dt><span class="section"><a href="#s2-samba-domain-controller">21.6.3. Domain Controller</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-security-modes">21.7. Samba Security Modes</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-user-level">21.7.1. User-Level Security</a></span></dt><dt><span class="section"><a href="#s2-samba-share-level">21.7.2. Share-Level Security</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-account-info-dbs">21.8. Samba Account Information Databases</a></span></dt><dt><span class="section"><a href="#s1-samba-network-browsing">21.9. Samba Network Browsing</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-domain-browsing">21.9.1. Domain Browsing</a></span></dt><dt><span class="section"><a href="#s2-samba-wins">21.9.2. WINS (Windows Internetworking Name Server)</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-cups">21.10. Samba with CUPS Printing Support</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-cups-smb.conf">21.10.1. Simple <code class="filename">smb.conf</code> Settings</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-programs">21.11. Samba Distribution Programs</a></span></dt><dt><span class="section"><a href="#s1-samba-resources">21.12. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-resources-installed">21.12.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-samba-resources-published">21.12.2. Related Books</a></span></dt><dt><span class="section"><a href="#s2-samba-resources-community">21.12.3. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-dhcp">22. Dynamic Host Configuration Protocol (DHCP)</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-dhcp-why">22.1. Why Use DHCP?</a></span></dt><dt><span class="section"><a href="#s1-dhcp-configuring-server">22.2. Configuring a DHCP Server</a></span></dt><dd><dl><dt><span class="section"><a href="#config-file">22.2.1. Configuration File</a></span></dt><dt><span class="section"><a href="#lease-database">22.2.2. Lease Database</a></span></dt><dt><span class="section"><a href="#id1071897">22.2.3. Starting and Stopping the Server</a></span></dt><dt><span class="section"><a href="#dhcp-relay-agent">22.2.4. DHCP Relay Agent</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-dhcp-configuring-client">22.3. Configuring a DHCP Client</a></span></dt><dt><span class="section"><a href="#sect-Configuring_a_Multihomed_DHCP_Server">22.4. Configuring a Multihomed DHCP Server</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-dns_Host_Configuration">22.4.1. Host Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-dhcp-additional-resources">22.5. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-dhcp-installed-docs">22.5.1. Installed Documentation</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-httpd">23. Apache HTTP Server</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-httpd-v2">23.1. Apache HTTP Server 2.2</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-httpd-v2-features">23.1.1. Features of Apache HTTP Server 2.2</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-httpd-mig">23.2. Migrating Apache HTTP Server Configuration Files</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-httpd-v22-mig">23.2.1. Migrating Apache HTTP Server 2.0 Configuration Files</a></span></dt><dt><span class="section"><a href="#s3-httpd-v2-mig">23.2.2. Migrating Apache HTTP Server 1.3 Configuration Files to 2.0</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-apache-startstop">23.3. Starting and Stopping <code class="command">httpd</code></a></span></dt><dt><span class="section"><a href="#s1-apache-config-ui">23.4. Apache HTTP Server Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-httpd-basic-settings">23.4.1. Basic Settings</a></span></dt><dt><span class="section"><a href="#s2-httpd-default-settings">23.4.2. Default Settings</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-apache-config">23.5. Configuration Directives in <code class="filename">httpd.conf</code></a></span></dt><dd><dl><dt><span class="section"><a href="#s2-apache-tips">23.5.1. General Configuration Tips</a></span></dt><dt><span class="section"><a href="#s2-apache-sslcommands">23.5.2. Configuration Directives for SSL</a></span></dt><dt><span class="section"><a href="#s2-apache-mpm-containers">23.5.3. MPM Specific Server-Pool Directives</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-apache-addmods">23.6. Adding Modules</a></span></dt><dt><span class="section"><a href="#s1-apache-virtualhosts">23.7. Virtual Hosts</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-apache-settingupvhosts">23.7.1. Setting Up Virtual Hosts</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-httpd-secure-server">23.8. Apache HTTP Secure Server Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-secureserver-optionalpackages">23.8.1. An Overview of Security-Related Packages</a></span></dt><dt><span class="section"><a href="#s2-secureserver-overview-certs">23.8.2. An Overview of Certificates and Security</a></span></dt><dt><span class="section"><a href="#s1-secureserver-oldcert">23.8.3. Using Pre-Existing Keys and Certificates</a></span></dt><dt><span class="section"><a href="#s2-secureserver-certs">23.8.4. Types of Certificates</a></span></dt><dt><span class="section"><a href="#s2-secureserver-generatingkey">23.8.5. Generating a Key</a></span></dt><dt><span class="section"><a href="#s1-use-new-key">23.8.6. How to configure the server to use the new key</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-apache-additional-resources">23.9. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-apache-additional-resources-web">23.9.1. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-ftp">24. FTP</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-ftp-protocol">24.1. The File Transfer Protocol</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ftp-protocol-multiport">24.1.1. Multiple Ports, Multiple Modes</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ftp-servers">24.2. FTP Servers</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ftp-servers-vsftpd">24.2.1. <code class="command">vsftpd</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s2-ftp-vsftpd-conf">24.3. Files Installed with <code class="command">vsftpd</code></a></span></dt><dt><span class="section"><a href="#s1-ftp-vsftpd-start">24.4. Starting and Stopping <code class="command">vsftpd</code></a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ftp-vsftpd-start-multi">24.4.1. Starting Multiple Copies of <code class="command">vsftpd</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ftp-vsftpd-conf">24.5. <code class="command">vsftpd</code> Configuration Options</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-daemon">24.5.1. Daemon Options</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-login">24.5.2. Log In Options and Access Controls</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-anon">24.5.3. Anonymous User Options</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-usr">24.5.4. Local User Options</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-dir">24.5.5. Directory Options</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-file">24.5.6. File Transfer Options</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-log">24.5.7. Logging Options</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-net">24.5.8. Network Options</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ftp-resources">24.6. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ftp-installed-documentation">24.6.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-ftp-useful-websites">24.6.2. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-email">25. Email</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-email-protocols">25.1. Email Protocols</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-email-protocols-send">25.1.1. Mail Transport Protocols</a></span></dt><dt><span class="section"><a href="#s2-email-protocols-client">25.1.2. Mail Access Protocols</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-email-types">25.2. Email Program Classifications</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-email-types-mta">25.2.1. Mail Transport Agent</a></span></dt><dt><span class="section"><a href="#s2-email-types-mda">25.2.2. Mail Delivery Agent</a></span></dt><dt><span class="section"><a href="#s2-email-types-mua">25.2.3. Mail User Agent</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-email-mta">25.3. Mail Transport Agents</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-email-mta-sendmail">25.3.1. Sendmail</a></span></dt><dt><span class="section"><a href="#s2-email-mta-postfix">25.3.2. Postfix</a></span></dt><dt><span class="section"><a href="#s2-email-mta-fetchmail">25.3.3. Fetchmail</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-email-switchmail">25.4. Mail Transport Agent (MTA) Configuration</a></span></dt><dt><span class="section"><a href="#s1-email-mda">25.5. Mail Delivery Agents</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-email-procmail-configuration">25.5.1. Procmail Configuration</a></span></dt><dt><span class="section"><a href="#s2-email-procmail-recipes">25.5.2. Procmail Recipes</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-email-mua">25.6. Mail User Agents</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-email-security">25.6.1. Securing Communication</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-email-additional-resources">25.7. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-email-installed-docs">25.7.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-email-useful-websites">25.7.2. Useful Websites</a></span></dt><dt><span class="section"><a href="#s2-email-related-books">25.7.3. Related Books</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-ldap">26. Lightweight Directory Access Protocol (LDAP)</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-ldap-adv">26.1. Why Use LDAP?</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-ldap-v3">26.1.1. OpenLDAP Features</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ldap-terminology">26.2. LDAP Terminology</a></span></dt><dt><span class="section"><a href="#s1-ldap-daemonsutils">26.3. OpenLDAP Daemons and Utilities</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ldap-pam-nss">26.3.1. NSS, PAM, and LDAP</a></span></dt><dt><span class="section"><a href="#s2-ldap-other-apps">26.3.2. PHP4, LDAP, and the Apache HTTP Server</a></span></dt><dt><span class="section"><a href="#s2-ldap-applications">26.3.3. LDAP Client Applications</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ldap-files">26.4. OpenLDAP Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-ldap-files-schemas">26.5. The <code class="filename">/etc/openldap/schema/</code> Directory</a></span></dt><dt><span class="section"><a href="#s1-ldap-quickstart">26.6. OpenLDAP Setup Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ldap-files-slapd-conf">26.6.1. Editing <code class="filename">/etc/openldap/slapd.conf</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ldap-pam">26.7. Configuring a System to Authenticate Using OpenLDAP</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ldap-pamd">26.7.1. PAM and LDAP</a></span></dt><dt><span class="section"><a href="#s2-ldap-migrate">26.7.2. Migrating Old Authentication Information to LDAP Format</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ldap-migrate">26.8. Migrating Directories from Earlier Releases</a></span></dt><dt><span class="section"><a href="#s1-ldap-additional-resources">26.9. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ldap-installed-docs">26.9.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-ldap-additional-resources-web">26.9.2. Useful Websites</a></span></dt><dt><span class="section"><a href="#s2-ldap-related-books">26.9.3. Related Books</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-authconfig">27. Authentication Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-authconfig-user-info">27.1. User Information</a></span></dt><dt><span class="section"><a href="#s1-authconfig-auth">27.2. Authentication</a></span></dt><dt><span class="section"><a href="#authconfig-options">27.3. Options</a></span></dt><dt><span class="section"><a href="#s1-authconfig-command-line">27.4. Command Line Version</a></span></dt></dl></dd><dt><span class="chapter"><a href="#SSSD">28. Using and Caching Credentials with SSSD</a></span></dt><dd><dl><dt><span class="section"><a href="#about-sssd">28.1. About the sssd.conf File</a></span></dt><dt><span class="section"><a href="#Installing_SSSD-Starting_and_Stopping_SSSD">28.2. Starting and Stopping SSSD</a></span></dt><dt><span class="section"><a href="#Configuring_Services">28.3. Configuring Services</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuration_Options-NSS_Configuration_Options">28.3.1. Configuring the NSS Service</a></span></dt><dt><span class="section"><a href="#Configuration_Options-PAM_Configuration_Options">28.3.2. Configuring the PAM Service</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_Domains">28.4. Creating Domains</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_Domains-Domain_Configuration_Options">28.4.1. General Rules and Options for Configuring a Domain</a></span></dt><dt><span class="section"><a href="#Configuring_Domains-Configuring_a_Native_LDAP_Domain">28.4.2. Configuring an LDAP Domain</a></span></dt><dt><span class="section"><a href="#Configuring_Domains-Setting_up_Kerberos_Authentication">28.4.3. Configuring Kerberos Authentication with a Domain</a></span></dt><dt><span class="section"><a href="#Domain_Configuration_Options-Configuring_a_Proxy_Domain">28.4.4. Configuring a Proxy Domain</a></span></dt></dl></dd><dt><span class="section"><a href="#config-sssd-domain-access">28.5. Configuring Access Control for SSSD Domains</a></span></dt><dd><dl><dt><span class="section"><a href="#id973609">28.5.1. Using the Simple Access Provider</a></span></dt><dt><span class="section"><a href="#id973729">28.5.2. Using the LDAP Access Filter</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_Failover">28.6. Configuring Domain Failover</a></span></dt><dd><dl><dt><span class="section"><a href="#config-failover">28.6.1. Configuring Failover</a></span></dt><dt><span class="section"><a href="#Using_SRV_Records_with_Failover">28.6.2. Using SRV Records with Failover</a></span></dt></dl></dd><dt><span class="section"><a href="#sssd-cache">28.7. Deleting Domain Cache Files</a></span></dt><dt><span class="section"><a href="#usingnscd-sssd">28.8. Using NSCD with SSSD</a></span></dt><dt><span class="section"><a href="#SSSD-Troubleshooting">28.9. Troubleshooting SSSD</a></span></dt><dd><dl><dt><span class="section"><a href="#Troubleshooting-Using_SSSD_Log_Files">28.9.1. Using SSSD Log Files</a></span></dt><dt><span class="section"><a href="#Troubleshooting-Problems_with_SSSD_Configuration">28.9.2. Problems with SSSD Configuration</a></span></dt></dl></dd></dl></dd></dl></div></div><div xml:lang="en-US" class="chapter" id="ch-networkscripts" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 15. Network Interfaces</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-networkscripts-files">15.1. Network Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-networkscripts-interfaces">15.2. Interface Configuration Files</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-networkscripts-interfaces-eth0">15.2.1. Ethernet Interfaces</a></span></dt><dt><span class="section"><a href="#s2-networkscripts-interfaces-ipsec">15.2.2. IPsec Interfaces</a></span></dt><dt><span class="section"><a href="#s2-networkscripts-interfaces-chan">15.2.3. Channel Bonding Interfaces</a></span></dt><dt><span class="section"><a href="#s2-networkscripts-interfaces-alias">15.2.4. Alias and Clone Files</a></span></dt><dt><span class="section"><a href="#s2-networkscripts-interfaces-ppp0">15.2.5. Dialup Interfaces</a></span></dt><dt><span class="section"><a href="#s2-networkscripts-interfaces-other">15.2.6. Other Interfaces</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-networkscripts-control">15.3. Interface Control Scripts</a></span></dt><dt><span class="section"><a href="#s1-networkscripts-static-routes">15.4. Configuring Static Routes</a></span></dt><dt><span class="section"><a href="#s1-networkscripts-functions">15.5. Network Function Files</a></span></dt><dt><span class="section"><a href="#s1-networkscripts-resources">15.6. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-networkscripts-docs-inst">15.6.1. Installed Documentation</a></span></dt></dl></dd></dl></div><a id="id790906" class="indexterm"></a><a id="id916574" class="indexterm"></a><div class="para">
		Under Red Hat Enterprise Linux, all network communications occur between configured software <em class="firstterm">interfaces</em> and <em class="firstterm">physical networking devices</em> connected to the system.
	</div><div class="para">
		The configuration files for network interfaces are located in the <code class="filename">/etc/sysconfig/network-scripts/</code> directory. The scripts used to activate and deactivate these network interfaces are also located here. Although the number and type of interface files can differ from system to system, there are three categories of files that exist in this directory:
	</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
				<em class="firstterm">Interface configuration files</em>
			</div></li><li class="listitem"><div class="para">
				<em class="firstterm">Interface control scripts</em>
			</div></li><li class="listitem"><div class="para">
				<em class="firstterm">Network function files</em>
			</div></li></ol></div><div class="para">
		The files in each of these categories work together to enable various network devices.
	</div><div class="para">
		This chapter explores the relationship between these files and how they are used.
	</div><div class="section" id="s1-networkscripts-files"><div class="titlepage"><div><div><h2 class="title" id="s1-networkscripts-files">15.1. Network Configuration Files</h2></div></div></div><a id="id854769" class="indexterm"></a><div class="para">
			Before delving into the interface configuration files, let us first itemize the primary configuration files used in network configuration. Understanding the role these files play in setting up the network stack can be helpful when customizing a Red Hat Enterprise Linux system.
		</div><div class="para">
			The primary network configuration files are as follows:
		</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="filename">/etc/hosts</code> </span></dt><dd><div class="para">
						The main purpose of this file is to resolve hostnames that cannot be resolved any other way. It can also be used to resolve hostnames on small networks with no DNS server. Regardless of the type of network the computer is on, this file should contain a line specifying the IP address of the loopback device (<code class="command">127.0.0.1</code>) as <code class="command">localhost.localdomain</code>. For more information, refer to the <code class="filename">hosts</code> man page.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">/etc/resolv.conf</code> </span></dt><dd><div class="para">
						This file specifies the IP addresses of DNS servers and the search domain. Unless configured to do otherwise, the network initialization scripts populate this file. For more information about this file, refer to the <code class="filename">resolv.conf</code> man page.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">/etc/sysconfig/network</code> </span></dt><dd><div class="para">
						This file specifies routing and host information for all network interfaces. For more information about this file and the directives it accepts, refer to <a class="xref" href="#s2-sysconfig-network">Section 30.1.21, “<code class="filename">/etc/sysconfig/network</code>”</a>.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">/etc/sysconfig/network-scripts/ifcfg-<em class="replaceable"><code>&lt;interface-name&gt;</code></em> </code> </span></dt><dd><div class="para">
						For each network interface, there is a corresponding interface configuration script. Each of these files provide information specific to a particular network interface. Refer to <a class="xref" href="#s1-networkscripts-interfaces">Section 15.2, “Interface Configuration Files”</a> for more information on this type of file and the directives it accepts.
					</div></dd></dl></div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
				The <code class="filename">/etc/sysconfig/networking/</code> directory is used by the <span class="application"><strong>Network Administration Tool</strong></span> (<code class="command">system-config-network</code>) and its contents should <span class="bold bold"><strong>not</strong></span> be edited manually. Using only one method for network configuration is strongly encouraged, due to the risk of configuration deletion.
			</div><div class="para">
				For more information about configuring network interfaces using the <span class="application"><strong>Network Administration Tool</strong></span>, refer to <a class="xref" href="#ch-network-config">Chapter 16, <em>Network Configuration</em></a>
			</div></div></div></div><div class="section" id="s1-networkscripts-interfaces"><div class="titlepage"><div><div><h2 class="title" id="s1-networkscripts-interfaces">15.2. Interface Configuration Files</h2></div></div></div><a id="id781152" class="indexterm"></a><a id="id781165" class="indexterm"></a><div class="para">
			Interface configuration files control the software interfaces for individual network devices. As the system boots, it uses these files to determine what interfaces to bring up and how to configure them. These files are usually named <code class="filename">ifcfg-<em class="replaceable"><code>&lt;name&gt;</code></em> </code>, where <em class="replaceable"><code>&lt;name&gt;</code></em> refers to the name of the device that the configuration file controls.
		</div><div class="section" id="s2-networkscripts-interfaces-eth0"><div class="titlepage"><div><div><h3 class="title" id="s2-networkscripts-interfaces-eth0">15.2.1. Ethernet Interfaces</h3></div></div></div><a id="id1074938" class="indexterm"></a><a id="id1074955" class="indexterm"></a><div class="para">
				One of the most common interface files is <code class="filename">ifcfg-eth0</code>, which controls the first Ethernet <em class="firstterm">network interface card</em> or <em class="firstterm">NIC</em> in the system. In a system with multiple NICs, there are multiple <code class="filename">ifcfg-eth<em class="replaceable"><code>&lt;X&gt;</code></em> </code> files (where <em class="replaceable"><code>&lt;X&gt;</code></em> is a unique number corresponding to a specific interface). Because each device has its own configuration file, an administrator can control how each interface functions individually.
			</div><div class="para">
				The following is a sample <code class="filename">ifcfg-eth0</code> file for a system using a fixed IP address:
			</div><pre class="screen">DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
NETWORK=10.0.1.0
NETMASK=255.255.255.0
IPADDR=10.0.1.27
USERCTL=no</pre><div class="para">
				The values required in an interface configuration file can change based on other values. For example, the <code class="filename">ifcfg-eth0</code> file for an interface using DHCP looks different because IP information is provided by the DHCP server:
			</div><pre class="screen">DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes</pre><div class="para">
				The <span class="application"><strong>Network Administration Tool</strong></span> (<code class="command">system-config-network</code>) is an easy way to make changes to the various network interface configuration files (refer to <a class="xref" href="#ch-network-config">Chapter 16, <em>Network Configuration</em></a> for detailed instructions on using this tool).
			</div><div class="para">
				However, it is also possible to manually edit the configuration files for a given network interface.
			</div><div class="para">
				Below is a listing of the configurable parameters in an Ethernet interface configuration file:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="command">BONDING_OPTS=<em class="replaceable"><code>&lt;parameters&gt;</code></em> </code> </span></dt><dd><div class="para">
							sets the configuration parameters for the bonding device, and is used in <code class="filename">/etc/sysconfig/network-scripts/ifcfg-bond<em class="replaceable"><code>&lt;N&gt;</code></em> </code> (see <a class="xref" href="#s2-networkscripts-interfaces-chan">Section 15.2.3, “Channel Bonding Interfaces”</a>). These parameters are identical to those used for bonding devices in <code class="filename">/sys/class/net/<em class="replaceable"><code>&lt;bonding device&gt;</code></em>/bonding</code>, and the module parameters for the bonding driver as described in <span class="emphasis"><em><code class="filename">bonding</code> Module Directives</em></span>.
						</div><div class="para">
							This configuration method is used so that multiple bonding devices can have different configurations. If you use <code class="command">BONDING_OPTS</code> in <code class="filename">ifcfg-<em class="replaceable"><code>&lt;name&gt;</code></em> </code>, do <span class="emphasis"><em>not</em></span> use <code class="filename">/etc/modprobe.conf</code> to specify options for the bonding device.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">BOOTPROTO=<em class="replaceable"><code>&lt;protocol&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;protocol&gt;</code></em> </code> is one of the following:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="command">none</code> — No boot-time protocol should be used.
								</div></li><li class="listitem"><div class="para">
									<code class="command">bootp</code> — The BOOTP protocol should be used.
								</div></li><li class="listitem"><div class="para">
									<code class="command">dhcp</code> — The DHCP protocol should be used.
								</div></li></ul></div></dd><dt class="varlistentry"><span class="term"> <code class="command">BROADCAST=<em class="replaceable"><code>&lt;address&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;address&gt;</code></em> </code> is the broadcast address. This directive is deprecated, as the value is calculated automatically with <code class="command">ipcalc</code>.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">DEVICE=<em class="replaceable"><code>&lt;name&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;name&gt;</code></em> </code> is the name of the physical device (except for dynamically-allocated PPP devices where it is the <span class="emphasis"><em>logical name</em></span>).
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">DHCP_HOSTNAME=<em class="replaceable"><code>&lt;name&gt;</code></em></code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;name&gt;</code></em></code> is a short hostname to be sent to the DHCP server. Use this option only if the DHCP server requires the client to specify a hostname before receiving an IP address.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">DNS<em class="replaceable"><code>{1,2}</code></em>=<em class="replaceable"><code>&lt;address&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;address&gt;</code></em> </code> is a name server address to be placed in <code class="filename">/etc/resolv.conf</code> if the <code class="command">PEERDNS</code> directive is set to <code class="command">yes</code>.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">ETHTOOL_OPTS=<em class="replaceable"><code>&lt;options&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;options&gt;</code></em> </code> are any device-specific options supported by <code class="command">ethtool</code>. For example, if you wanted to force 100Mb, full duplex:
						</div><pre class="screen">ETHTOOL_OPTS="autoneg off speed 100 duplex full"</pre><div class="para">
							Instead of a custom initscript, use <code class="command">ETHTOOL_OPTS</code> to set the interface speed and duplex settings. Custom initscripts run outside of the network init script lead to unpredictable results during a post-boot network service restart.
						</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
								Changing speed or duplex settings almost always requires disabling autonegotiation with the <code class="command">autoneg off</code> option. This needs to be stated first, as the option entries are order-dependent.
							</div></div></div></dd><dt class="varlistentry"><span class="term"> <code class="command">GATEWAY=<em class="replaceable"><code>&lt;address&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <em class="replaceable"><code>&lt;address&gt;</code></em> is the IP address of the network router or gateway device (if any).
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">HOTPLUG=<em class="replaceable"><code>&lt;answer&gt;</code></em></code> </span></dt><dd><div class="para">
							where <em class="replaceable"><code>&lt;answer&gt;</code></em> is one of the following:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="command">yes</code> — This device should be activated when it is hot-plugged (this is the default option).
								</div></li><li class="listitem"><div class="para">
									<code class="command">no</code> — This device should not be activated when it is hot-plugged.
								</div></li></ul></div><div class="para">
							The <code class="option">HOTPLUG=no</code> option can be used to prevent a channel bonding interface from being activated when a bonding kernel module is loaded.
						</div><div class="para">
							Refer to <a class="xref" href="#s2-networkscripts-interfaces-chan">Section 15.2.3, “Channel Bonding Interfaces”</a> for more about channel bonding interfaces.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">HWADDR=<em class="replaceable"><code>&lt;MAC-address&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <em class="replaceable"><code>&lt;MAC-address&gt;</code></em> is the hardware address of the Ethernet device in the form <em class="replaceable"><code>AA:BB:CC:DD:EE:FF</code></em>. This directive must be used in machines containing more than one NIC to ensure that the interfaces are assigned the correct device names regardless of the configured load order for each NIC's module. This directive should <span class="bold bold"><strong>not</strong></span> be used in conjunction with <code class="command">MACADDR</code>.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">IPADDR=<em class="replaceable"><code>&lt;address&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;address&gt;</code></em> </code> is the IP address.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">LINKDELAY=<em class="replaceable"><code>&lt;time&gt;</code></em></code> </span></dt><dd><div class="para">
							where <em class="replaceable"><code>&lt;time&gt;</code></em> is the number of seconds to wait for link negotiation before configuring the device.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">MACADDR=<em class="replaceable"><code>&lt;MAC-address&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <em class="replaceable"><code>&lt;MAC-address&gt;</code></em> is the hardware address of the Ethernet device in the form <em class="replaceable"><code>AA:BB:CC:DD:EE:FF</code></em>. This directive is used to assign a MAC address to an interface, overriding the one assigned to the physical NIC. This directive should <span class="bold bold"><strong>not</strong></span> be used in conjunction with <code class="command">HWADDR</code>.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">MASTER=<em class="replaceable"><code>&lt;bond-interface&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;bond-interface&gt;</code></em> </code> is the channel bonding interface to which the Ethernet interface is linked.
						</div><div class="para">
							This directive is used in conjunction with the <code class="command">SLAVE</code> directive.
						</div><div class="para">
							Refer to <a class="xref" href="#s2-networkscripts-interfaces-chan">Section 15.2.3, “Channel Bonding Interfaces”</a> for more information about channel bonding interfaces.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">NETMASK=<em class="replaceable"><code>&lt;mask&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;mask&gt;</code></em> </code> is the netmask value.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">NETWORK=<em class="replaceable"><code>&lt;address&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;address&gt;</code></em> </code> is the network address. This directive is deprecated, as the value is calculated automatically with <code class="command">ipcalc</code>.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">ONBOOT=<em class="replaceable"><code>&lt;answer&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;answer&gt;</code></em> </code> is one of the following:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="command">yes</code> — This device should be activated at boot-time.
								</div></li><li class="listitem"><div class="para">
									<code class="command">no</code> — This device should not be activated at boot-time.
								</div></li></ul></div></dd><dt class="varlistentry"><span class="term"> <code class="command">PEERDNS=<em class="replaceable"><code>&lt;answer&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;answer&gt;</code></em> </code> is one of the following:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="command">yes</code> — Modify <code class="filename">/etc/resolv.conf</code> if the DNS directive is set. If using DHCP, then <code class="command">yes</code> is the default.
								</div></li><li class="listitem"><div class="para">
									<code class="command">no</code> — Do not modify <code class="filename">/etc/resolv.conf</code>.
								</div></li></ul></div></dd><dt class="varlistentry"><span class="term"> <code class="command">SLAVE=<em class="replaceable"><code>&lt;answer&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;answer&gt;</code></em> </code> is one of the following:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="command">yes</code> — This device is controlled by the channel bonding interface specified in the <code class="command">MASTER</code> directive.
								</div></li><li class="listitem"><div class="para">
									<code class="command">no</code> — This device is <span class="emphasis"><em>not</em></span> controlled by the channel bonding interface specified in the <code class="command">MASTER</code> directive.
								</div></li></ul></div><div class="para">
							This directive is used in conjunction with the <code class="command">MASTER</code> directive.
						</div><div class="para">
							Refer to <a class="xref" href="#s2-networkscripts-interfaces-chan">Section 15.2.3, “Channel Bonding Interfaces”</a> for more about channel bonding interfaces.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">SRCADDR=<em class="replaceable"><code>&lt;address&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;address&gt;</code></em> </code> is the specified source IP address for outgoing packets.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">USERCTL=<em class="replaceable"><code>&lt;answer&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;answer&gt;</code></em> </code> is one of the following:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="command">yes</code> — Non-root users are allowed to control this device.
								</div></li><li class="listitem"><div class="para">
									<code class="command">no</code> — Non-root users are not allowed to control this device.
								</div></li></ul></div></dd></dl></div></div><div class="section" id="s2-networkscripts-interfaces-ipsec"><div class="titlepage"><div><div><h3 class="title" id="s2-networkscripts-interfaces-ipsec">15.2.2. IPsec Interfaces</h3></div></div></div><a id="id810158" class="indexterm"></a><a id="id810176" class="indexterm"></a><div class="para">
				The following example shows the <code class="filename">ifcfg</code> file for a network-to-network IPsec connection for LAN A. The unique name to identify the connection in this example is <code class="filename">ipsec1</code>, so the resulting file is named <code class="filename">/etc/sysconfig/network-scripts/ifcfg-ipsec1</code>.
			</div><pre class="screen">TYPE=IPsec
ONBOOT=yes
IKE_METHOD=PSK
SRCNET=192.168.1.0/24
DSTNET=192.168.2.0/24
DST=<em class="replaceable"><code>X.X.X.X</code></em>
</pre><div class="para">
				In the example above, <em class="replaceable"><code>X.X.X.X</code></em> is the publicly routable IP address of the destination IPsec router.
			</div><div class="para">
				Below is a listing of the configurable parameters for an IPsec interface:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="command">DST=<em class="replaceable"><code>&lt;address&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <em class="replaceable"><code>&lt;address&gt;</code></em> is the IP address of the IPsec destination host or router. This is used for both host-to-host and network-to-network IPsec configurations.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">DSTNET=<em class="replaceable"><code>&lt;network&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <em class="replaceable"><code>&lt;network&gt;</code></em> is the network address of the IPsec destination network. This is only used for network-to-network IPsec configurations.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">SRC=<em class="replaceable"><code>&lt;address&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <em class="replaceable"><code>&lt;address&gt;</code></em> is the IP address of the IPsec source host or router. This setting is optional and is only used for host-to-host IPsec configurations.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">SRCNET=<em class="replaceable"><code>&lt;network&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <em class="replaceable"><code>&lt;network&gt;</code></em> is the network address of the IPsec source network. This is only used for network-to-network IPsec configurations.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">TYPE=<em class="replaceable"><code>&lt;interface-type&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <em class="replaceable"><code>&lt;interface-type&gt;</code></em> is <code class="command">IPSEC</code>. Both applications are part of the <code class="command">ipsec-tools</code> package.
						</div></dd></dl></div><div class="para">
				If manual key encryption with IPsec is being used, refer to <code class="filename">/usr/share/doc/initscripts-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/sysconfig.txt</code> (replace <em class="replaceable"><code>&lt;version-number&gt;</code></em> with the version of the <code class="command">initscripts</code> package installed) for configuration parameters.
			</div><div class="para">
				The <code class="command">racoon</code> IKEv1 key management daemon negotiates and configures a set of parameters for IPSec. It can use preshared keys, RSA signatures, or GSS-API. If <code class="command">racoon</code> is used to automatically manage key encryption, the following options are required:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="command">IKE_METHOD=<em class="replaceable"><code>&lt;encryption-method&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <em class="replaceable"><code>&lt;encryption-method&gt;</code></em> is either <code class="command">PSK</code>, <code class="command">X509</code>, or <code class="command">GSSAPI</code>. If <code class="command">PSK</code> is specified, the <code class="command">IKE_PSK</code> parameter must also be set. If <code class="command">X509</code> is specified, the <code class="command">IKE_CERTFILE</code> parameter must also be set.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">IKE_PSK=<em class="replaceable"><code>&lt;shared-key&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <em class="replaceable"><code>&lt;shared-key&gt;</code></em> is the shared, secret value for the PSK (preshared keys) method.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">IKE_CERTFILE=<em class="replaceable"><code>&lt;cert-file&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <em class="replaceable"><code>&lt;cert-file&gt;</code></em> is a valid <code class="filename">X.509</code> certificate file for the host.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">IKE_PEER_CERTFILE=<em class="replaceable"><code>&lt;cert-file&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <em class="replaceable"><code>&lt;cert-file&gt;</code></em> is a valid <code class="filename">X.509</code> certificate file for the <span class="emphasis"><em>remote</em></span> host.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">IKE_DNSSEC=<em class="replaceable"><code>&lt;answer&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <em class="replaceable"><code>&lt;answer&gt;</code></em> is <code class="command">yes</code>. The <code class="command">racoon</code> daemon retrieves the remote host's <code class="filename">X.509</code> certificate via DNS. If a <code class="command">IKE_PEER_CERTFILE</code> is specified, do <span class="emphasis"><em>not</em></span> include this parameter.
						</div></dd></dl></div><div class="para">
				For more information about the encryption algorithms available for IPsec, refer to the <code class="command">setkey</code> man page. For more information about <code class="command">racoon</code>, refer to the <code class="command">racoon</code> and <code class="command">racoon.conf</code> man pages.
			</div></div><div class="section" id="s2-networkscripts-interfaces-chan"><div class="titlepage"><div><div><h3 class="title" id="s2-networkscripts-interfaces-chan">15.2.3. Channel Bonding Interfaces</h3></div></div></div><a id="id810688" class="indexterm"></a><a id="id810706" class="indexterm"></a><div class="para">
				Red Hat Enterprise Linux allows administrators to bind multiple network interfaces together into a single channel using the <code class="filename">bonding</code> kernel module and a special network interface called a <em class="firstterm">channel bonding interface</em>. Channel bonding enables two or more network interfaces to act as one, simultaneously increasing the bandwidth and providing redundancy.
			</div><div class="para">
				To create a channel bonding interface, create a file in the <code class="filename">/etc/sysconfig/network-scripts/</code> directory called <code class="filename">ifcfg-bond<em class="replaceable"><code>&lt;N&gt;</code></em> </code>, replacing <em class="replaceable"><code>&lt;N&gt;</code></em> with the number for the interface, such as <code class="filename">0</code>.
			</div><div class="para">
				The contents of the file can be identical to whatever type of interface is getting bonded, such as an Ethernet interface. The only difference is that the <code class="command">DEVICE=</code> directive must be <code class="command">bond<em class="replaceable"><code>&lt;N&gt;</code></em> </code>, replacing <em class="replaceable"><code>&lt;N&gt;</code></em> with the number for the interface.
			</div><div class="para">
				The following is a sample channel bonding configuration file, <code class="filename">ifcfg-bond0</code>:
			</div><pre class="screen">DEVICE=bond0
IPADDR=192.168.1.1
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
BONDING_OPTS="<em class="replaceable"><code>&lt;bonding parameters separated by spaces&gt;</code></em>"</pre><div class="para">
				After the channel bonding interface is created, the network interfaces to be bound together must be configured by adding the <code class="command">MASTER=</code> and <code class="command">SLAVE=</code> directives to their configuration files. The configuration files for each of the channel-bonded interfaces can be nearly identical.
			</div><div class="para">
				For example, if two Ethernet interfaces are being channel bonded, both <code class="filename">eth0</code> and <code class="filename">eth1</code> may look like the following example:
			</div><pre class="screen">DEVICE=eth<em class="replaceable"><code>&lt;N&gt;</code></em>
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no</pre><div class="para">
				In this example, replace <em class="replaceable"><code>&lt;N&gt;</code></em> with the numerical value for the interface.
			</div><div class="para">
				For a channel bonding interface to be valid, the kernel module must be loaded. To ensure that the module is loaded when the channel bonding interface is brought up, add the following line to <code class="filename">/etc/modprobe.conf</code>:
			</div><pre class="screen"><code class="command">alias bond<em class="replaceable"><code>&lt;N&gt;</code></em> bonding</code></pre><div class="para">
				Replace <em class="replaceable"><code>&lt;N&gt;</code></em> with the number of the interface, such as <code class="command">0</code>.
			</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					Do <span class="emphasis"><em>not</em></span> place parameters for the bonding kernel module in the <code class="filename">/etc/modprobe.conf</code> file. Instead, specify them as a space-separated list in the <code class="option">BONDING_OPTS="<em class="replaceable"><code>&lt;bonding parameters&gt;</code></em>"</code> directive in the <code class="filename">ifcfg-bond<em class="replaceable"><code>&lt;N&gt;</code></em></code> interface file.
				</div><div class="para">
					The only exception is the <code class="option">debug</code> parameter, which cannot be used on a per-device basis, and which should therefore be specified in <code class="filename">/etc/modprobe.conf</code> as follows:
				</div><pre class="screen">options bonding debug=1</pre><div class="para">
					For further instructions and advice on configuring the bonding module, as well as to view the list of bonding parameters, refer to <a class="xref" href="#s2-modules-bonding">Section 43.5.2, “The Channel Bonding Module”</a>.
				</div></div></div></div><div class="section" id="s2-networkscripts-interfaces-alias"><div class="titlepage"><div><div><h3 class="title" id="s2-networkscripts-interfaces-alias">15.2.4. Alias and Clone Files</h3></div></div></div><a id="id810936" class="indexterm"></a><a id="id810954" class="indexterm"></a><div class="para">
				Two lesser-used types of interface configuration files are <em class="firstterm">alias</em> and <em class="firstterm">clone</em> files.
			</div><div class="para">
				Alias interface configuration files, which are used to bind multiple addresses to a single interface, use the <code class="filename">ifcfg-<em class="replaceable"><code>&lt;if-name&gt;</code></em>:<em class="replaceable"><code>&lt;alias-value&gt;</code></em> </code> naming scheme.
			</div><div class="para">
				For example, an <code class="filename">ifcfg-eth0:0</code> file could be configured to specify <code class="computeroutput">DEVICE=eth0:0</code> and a static IP address of 10.0.0.2, serving as an alias of an Ethernet interface already configured to receive its IP information via DHCP in <code class="filename">ifcfg-eth0</code>. Under this configuration, <code class="filename">eth0</code> is bound to a dynamic IP address, but the same physical network card can receive requests via the fixed, 10.0.0.2 IP address.
			</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
					Alias interfaces do not support DHCP.
				</div></div></div><div class="para">
				A clone interface configuration file should use the following naming convention: <code class="filename">ifcfg-<em class="replaceable"><code>&lt;if-name&gt;</code></em>-<em class="replaceable"><code>&lt;clone-name&gt;</code></em> </code>. While an alias file allows multiple addresses for an existing interface, a clone file is used to specify additional options for an interface. For example, a standard DHCP Ethernet interface called <code class="filename">eth0</code>, may look similar to this:
			</div><pre class="screen">DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp</pre><div class="para">
				Since the default value for the <code class="command">USERCTL</code> directive is <code class="command">no</code> if it is not specified, users cannot bring this interface up and down. To give users the ability to control the interface, create a clone by copying <code class="filename">ifcfg-eth0</code> to <code class="filename">ifcfg-eth0-user</code> and add the following line to <code class="filename">ifcfg-eth0-user</code>:
			</div><pre class="screen">USERCTL=yes</pre><div class="para">
				This way a user can bring up the <code class="filename">eth0</code> interface using the <code class="command">/sbin/ifup eth0-user</code> command because the configuration options from <code class="filename">ifcfg-eth0</code> and <code class="filename">ifcfg-eth0-user</code> are combined. While this is a very basic example, this method can be used with a variety of options and interfaces.
			</div><div class="para">
				The easiest way to create alias and clone interface configuration files is to use the graphical <span class="application"><strong>Network Administration Tool</strong></span>. For more information on using this tool, refer to <a class="xref" href="#ch-network-config">Chapter 16, <em>Network Configuration</em></a>.
			</div></div><div class="section" id="s2-networkscripts-interfaces-ppp0"><div class="titlepage"><div><div><h3 class="title" id="s2-networkscripts-interfaces-ppp0">15.2.5. Dialup Interfaces</h3></div></div></div><a id="id811739" class="indexterm"></a><div class="para">
				If you are connecting to the Internet via a dialup connection, a configuration file is necessary for the interface.
			</div><div class="para">
				PPP interface files are named using the following format: 
				<div class="variablelist"><dl><dt class="varlistentry"><span class="term"><code class="filename">ifcfg-ppp<em class="replaceable"><code>&lt;X&gt;</code></em> </code> </span></dt><dd><div class="para">
								where <em class="replaceable"><code>&lt;X&gt;</code></em> is a unique number corresponding to a specific interface.
							</div></dd></dl></div>

</div><div class="para">
				The PPP interface configuration file is created automatically when <code class="command">wvdial</code>, the <span class="application"><strong>Network Administration Tool</strong></span> or <span class="application"><strong>Kppp</strong></span> is used to create a dialup account. It is also possible to create and edit this file manually.
			</div><div class="para">
				The following is a typical <code class="filename">ifcfg-ppp0</code> file:
			</div><pre class="screen">DEVICE=ppp0
NAME=test
WVDIALSECT=test
MODEMPORT=/dev/modem
LINESPEED=115200
PAPNAME=test
USERCTL=true
ONBOOT=no
PERSIST=no
DEFROUTE=yes
PEERDNS=yes
DEMAND=no
IDLETIMEOUT=600</pre><div class="para">
				<em class="firstterm">Serial Line Internet Protocol (SLIP)</em> is another dialup interface, although it is used less frequently. SLIP files have interface configuration file names such as <code class="filename">ifcfg-sl0</code>.
			</div><div class="para">
				Other options that may be used in these files include:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="command">DEFROUTE=<em class="replaceable"><code>&lt;answer&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;answer&gt;</code></em> </code> is one of the following:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="command">yes</code> — Set this interface as the default route.
								</div></li><li class="listitem"><div class="para">
									<code class="command">no</code> — Do not set this interface as the default route.
								</div></li></ul></div></dd><dt class="varlistentry"><span class="term"> <code class="command">DEMAND=<em class="replaceable"><code>&lt;answer&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;answer&gt;</code></em> </code> is one of the following:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="command">yes</code> — This interface allows <code class="command">pppd</code> to initiate a connection when someone attempts to use it.
								</div></li><li class="listitem"><div class="para">
									<code class="command">no</code> — A connection must be manually established for this interface.
								</div></li></ul></div></dd><dt class="varlistentry"><span class="term"> <code class="command">IDLETIMEOUT=<em class="replaceable"><code>&lt;value&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em> </code> is the number of seconds of idle activity before the interface disconnects itself.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">INITSTRING=<em class="replaceable"><code>&lt;string&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;string&gt;</code></em> </code> is the initialization string passed to the modem device. This option is primarily used in conjunction with SLIP interfaces.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">LINESPEED=<em class="replaceable"><code>&lt;value&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em> </code> is the baud rate of the device. Possible standard values include <code class="command">57600</code>, <code class="command">38400</code>, <code class="command">19200</code>, and <code class="command">9600</code>.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">MODEMPORT=<em class="replaceable"><code>&lt;device&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;device&gt;</code></em> </code> is the name of the serial device that is used to establish the connection for the interface.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">MTU=<em class="replaceable"><code>&lt;value&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em> </code> is the <em class="firstterm">Maximum Transfer Unit (MTU)</em> setting for the interface. The MTU refers to the largest number of bytes of data a frame can carry, not counting its header information. In some dialup situations, setting this to a value of <code class="command">576</code> results in fewer packets dropped and a slight improvement to the throughput for a connection.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">NAME=<em class="replaceable"><code>&lt;name&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;name&gt;</code></em> </code> is the reference to the title given to a collection of dialup connection configurations.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">PAPNAME=<em class="replaceable"><code>&lt;name&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;name&gt;</code></em> </code> is the username given during the <em class="firstterm">Password Authentication Protocol (PAP)</em> exchange that occurs to allow connections to a remote system.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">PERSIST=<em class="replaceable"><code>&lt;answer&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;answer&gt;</code></em> </code> is one of the following:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="command">yes</code> — This interface should be kept active at all times, even if deactivated after a modem hang up.
								</div></li><li class="listitem"><div class="para">
									<code class="command">no</code> — This interface should not be kept active at all times.
								</div></li></ul></div></dd><dt class="varlistentry"><span class="term"> <code class="command">REMIP=<em class="replaceable"><code>&lt;address&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;address&gt;</code></em> </code> is the IP address of the remote system. This is usually left unspecified.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">WVDIALSECT=<em class="replaceable"><code>&lt;name&gt;</code></em> </code> </span></dt><dd><div class="para">
							where <code class="command"><em class="replaceable"><code>&lt;name&gt;</code></em> </code> associates this interface with a dialer configuration in <code class="filename">/etc/wvdial.conf</code>. This file contains the phone number to be dialed and other important information for the interface.
						</div></dd></dl></div></div><div class="section" id="s2-networkscripts-interfaces-other"><div class="titlepage"><div><div><h3 class="title" id="s2-networkscripts-interfaces-other">15.2.6. Other Interfaces</h3></div></div></div><div class="para">
				Other common interface configuration files include the following:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="filename">ifcfg-lo</code> </span></dt><dd><div class="para">
							A local <em class="firstterm">loopback interface</em> is often used in testing, as well as being used in a variety of applications that require an IP address pointing back to the same system. Any data sent to the loopback device is immediately returned to the host's network layer.
						</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
								The loopback interface script, <code class="filename">/etc/sysconfig/network-scripts/ifcfg-lo</code>, should never be edited manually. Doing so can prevent the system from operating correctly.
							</div></div></div></dd><dt class="varlistentry"><span class="term"> <code class="filename">ifcfg-irlan0</code> </span></dt><dd><div class="para">
							An <em class="firstterm">infrared interface</em> allows information between devices, such as a laptop and a printer, to flow over an infrared link. This works in a similar way to an Ethernet device except that it commonly occurs over a peer-to-peer connection.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">ifcfg-plip0</code> </span></dt><dd><div class="para">
							A <em class="firstterm">Parallel Line Interface Protocol (PLIP)</em> connection works much the same way as an Ethernet device, except that it utilizes a parallel port.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">ifcfg-tr0</code> </span></dt><dd><div class="para">
							<em class="firstterm">Token Ring</em> topologies are not as common on <em class="firstterm">Local Area Networks</em> (<em class="firstterm">LANs</em>) as they once were, having been eclipsed by Ethernet.
						</div></dd></dl></div></div></div><div class="section" id="s1-networkscripts-control"><div class="titlepage"><div><div><h2 class="title" id="s1-networkscripts-control">15.3. Interface Control Scripts</h2></div></div></div><a id="id812556" class="indexterm"></a><a id="id812578" class="indexterm"></a><a id="id812599" class="indexterm"></a><a id="id812621" class="indexterm"></a><a id="id812634" class="indexterm"></a><div class="para">
			The interface control scripts activate and deactivated system interfaces. There are two primary interface control scripts that call on control scripts located in the <code class="filename">/etc/sysconfig/network-scripts/</code> directory: <code class="command">/sbin/ifdown</code> and <code class="command">/sbin/ifup</code>.
		</div><div class="para">
			The <code class="filename">ifup</code> and <code class="filename">ifdown</code> interface scripts are symbolic links to scripts in the <code class="filename">/sbin/</code> directory. When either of these scripts are called, they require the value of the interface to be specified, such as:
		</div><pre class="screen"><code class="command">ifup eth0</code></pre><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
				The <code class="filename">ifup</code> and <code class="filename">ifdown</code> interface scripts are the only scripts that the user should use to bring up and take down network interfaces.
			</div><div class="para">
				The following scripts are described for reference purposes only.
			</div></div></div><div class="para">
			Two files used to perform a variety of network initialization tasks during the process of bringing up a network interface are <code class="filename">/etc/rc.d/init.d/functions</code> and <code class="filename">/etc/sysconfig/network-scripts/network-functions</code>. Refer to <a class="xref" href="#s1-networkscripts-functions">Section 15.5, “Network Function Files”</a> for more information.
		</div><div class="para">
			After verifying that an interface has been specified and that the user executing the request is allowed to control the interface, the correct script brings the interface up or down. The following are common interface control scripts found within the <code class="filename">/etc/sysconfig/network-scripts/</code> directory:
		</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="filename">ifup-aliases</code> </span></dt><dd><div class="para">
						Configures IP aliases from interface configuration files when more than one IP address is associated with an interface.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">ifup-ippp</code> and <code class="filename">ifdown-ippp</code> </span></dt><dd><div class="para">
						Brings ISDN interfaces up and down.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">ifup-ipsec</code> and <code class="filename">ifdown-ipsec</code> </span></dt><dd><div class="para">
						Brings IPsec interfaces up and down.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">ifup-ipv6</code> and <code class="filename">ifdown-ipv6</code> </span></dt><dd><div class="para">
						Brings IPv6 interfaces up and down.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">ifup-ipx</code> </span></dt><dd><div class="para">
						Brings up an IPX interface.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">ifup-plip</code> </span></dt><dd><div class="para">
						Brings up a PLIP interface.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">ifup-plusb</code> </span></dt><dd><div class="para">
						Brings up a USB interface for network connections.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">ifup-post</code> and <code class="filename">ifdown-post</code> </span></dt><dd><div class="para">
						Contains commands to be executed after an interface is brought up or down.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">ifup-ppp</code> and <code class="filename">ifdown-ppp</code> </span></dt><dd><div class="para">
						Brings a PPP interface up or down.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">ifup-routes</code> </span></dt><dd><div class="para">
						Adds static routes for a device as its interface is brought up.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">ifdown-sit</code> and <code class="filename">ifup-sit</code> </span></dt><dd><div class="para">
						Contains function calls related to bringing up and down an IPv6 tunnel within an IPv4 connection.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">ifup-sl</code> and <code class="filename">ifdown-sl</code> </span></dt><dd><div class="para">
						Brings a SLIP interface up or down.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">ifup-wireless</code> </span></dt><dd><div class="para">
						Brings up a wireless interface.
					</div></dd></dl></div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
				Removing or modifying any scripts in the <code class="filename">/etc/sysconfig/network-scripts/</code> directory can cause interface connections to act irregularly or fail. Only advanced users should modify scripts related to a network interface.
			</div></div></div><div class="para">
			The easiest way to manipulate all network scripts simultaneously is to use the <code class="command">/sbin/service</code> command on the network service (<code class="filename">/etc/rc.d/init.d/network</code>), as illustrated the following command:
		</div><pre class="screen"><code class="command">service network <em class="replaceable"><code>&lt;action&gt;</code></em></code></pre><div class="para">
			Here, <em class="replaceable"><code>&lt;action&gt;</code></em> can be either <code class="command">start</code>, <code class="command">stop</code>, or <code class="command">restart</code>.
		</div><div class="para">
			To view a list of configured devices and currently active network interfaces, use the following command:
		</div><pre class="screen"><code class="command">service network status</code></pre></div><div class="section" id="s1-networkscripts-static-routes"><div class="titlepage"><div><div><h2 class="title" id="s1-networkscripts-static-routes">15.4. Configuring Static Routes</h2></div></div></div><div class="para">
			Routing will be configured on routing devices, therefore it should not be necessary to configure static routes on Red Hat Enterprise Linux servers or clients. However, if static routes are required they can be configured for each interface. This can be useful if you have multiple interfaces in different subnets. Use the <code class="command">route</code> command to display the IP routing table.
		</div><div class="para">
			Static route configuration is stored in a <code class="filename">/etc/sysconfig/network-scripts/route-<em class="replaceable"><code>interface</code></em> </code> file. For example, static routes for the eth0 interface would be stored in the <code class="filename">/etc/sysconfig/network-scripts/route-eth0</code> file. The <code class="filename">route-<em class="replaceable"><code>interface</code></em> </code> file has two formats: IP command arguments and network/netmask directives.
		</div><div class="formalpara"><h5 class="formalpara" id="id813158">IP Command Arguments Format</h5>
				Define a default gateway on the first line. This is only required if the default gateway is not set via DHCP:
			</div><pre class="screen">default via <em class="replaceable"><code>X.X.X.X</code></em> dev <em class="replaceable"><code>interface</code></em></pre><div class="para">
			<em class="replaceable"><code>X.X.X.X</code></em> is the IP address of the default gateway. The <em class="replaceable"><code>interface</code></em> is the interface that is connected to, or can reach, the default gateway.
		</div><div class="para">
			Define a static route. Each line is parsed as an individual route:
		</div><pre class="screen"><em class="replaceable"><code>X.X.X.X/X</code></em> via <em class="replaceable"><code>X.X.X.X</code></em> dev <em class="replaceable"><code>interface</code></em></pre><div class="para">
			<em class="replaceable"><code>X.X.X.X/X</code></em> is the network number and netmask for the static route. <em class="replaceable"><code>X.X.X.X</code></em> and <em class="replaceable"><code>interface</code></em> are the IP address and interface for the default gateway respectively. The <em class="replaceable"><code>X.X.X.X</code></em> address does not have to be the default gateway IP address. In most cases, <em class="replaceable"><code>X.X.X.X</code></em> will be an IP address in a different subnet, and <em class="replaceable"><code>interface</code></em> will be the interface that is connected to, or can reach, that subnet. Add as many static routes as required.
		</div><div class="para">
			The following is a sample <code class="filename">route-eth0</code> file using the IP command arguments format. The default gateway is 192.168.0.1, interface eth0. The two static routes are for the 10.10.10.0/24 and 172.16.1.0/24 networks:
		</div><pre class="screen">default via 192.168.0.1 dev eth0
10.10.10.0/24 via 192.168.0.1 dev eth0
172.16.1.0/24 via 192.168.0.1 dev eth0</pre><div class="para">
			Static routes should only be configured for other subnets. The above example is not necessary, since packets going to the 10.10.10.0/24 and 172.16.1.0/24 networks will use the default gateway anyway. Below is an example of setting static routes to a different subnet, on a machine in a 192.168.0.0/24 subnet. The example machine has an eth0 interface in the 192.168.0.0/24 subnet, and an eth1 interface (10.10.10.1) in the 10.10.10.0/24 subnet:
		</div><pre class="screen">10.10.10.0/24 via 10.10.10.1 dev eth1</pre><div class="warning"><div class="admonition_header"><h2>Duplicate Default Gateways</h2></div><div class="admonition"><div class="para">
				If the default gateway is already assigned from DHCP, the IP command arguments format can cause one of two errors during start-up, or when bringing up an interface from the down state using the <code class="command">ifup</code> command: "RTNETLINK answers: File exists" or 'Error: either "to" is a duplicate, or "<em class="replaceable"><code>X.X.X.X</code></em>" is a garbage.', where <em class="replaceable"><code>X.X.X.X</code></em> is the gateway, or a different IP address. These errors can also occur if you have another route to another network using the default gateway. Both of these errors are safe to ignore.
			</div></div></div><div class="formalpara"><h5 class="formalpara" id="id813290">Network/Netmask Directives Format</h5>
				You can also use the network/netmask directives format for <code class="filename">route-<em class="replaceable"><code>interface</code></em> </code> files. The following is a template for the network/netmask format, with instructions following afterwards:
			</div><pre class="screen">ADDRESS0=<em class="replaceable"><code>X.X.X.X</code></em>
NETMASK0=<em class="replaceable"><code>X.X.X.X</code></em>
GATEWAY0=<em class="replaceable"><code>X.X.X.X</code></em></pre><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="computeroutput">ADDRESS0=<em class="replaceable"><code>X.X.X.X</code></em> </code> is the network number for the static route.
				</div></li><li class="listitem"><div class="para">
					<code class="computeroutput">NETMASK0=<em class="replaceable"><code>X.X.X.X</code></em> </code> is the netmask for the network number defined with <code class="computeroutput">ADDRESS0=<em class="replaceable"><code>X.X.X.X</code></em> </code>.
				</div></li><li class="listitem"><div class="para">
					<code class="computeroutput">GATEWAY0=<em class="replaceable"><code>X.X.X.X</code></em> </code> is the default gateway, or an IP address that can be used to reach <code class="computeroutput">ADDRESS0=<em class="replaceable"><code>X.X.X.X</code></em> </code>
				</div></li></ul></div><div class="para">
			The following is a sample <code class="filename">route-eth0</code> file using the network/netmask directives format. The default gateway is 192.168.0.1, interface eth0. The two static routes are for the 10.10.10.0/24 and 172.16.1.0/24 networks. However, as mentioned before, this example is not necessary as the 10.10.10.0/24 and 172.16.1.0/24 networks would use the default gateway anyway:
		</div><pre class="screen">ADDRESS0=10.10.10.0
NETMASK0=255.255.255.0
GATEWAY0=192.168.0.1
ADDRESS1=172.16.1.0
NETMASK1=255.255.255.0
GATEWAY1=192.168.0.1</pre><div class="para">
			Subsequent static routes must be numbered sequentially, and must not skip any values. For example, <code class="computeroutput">ADDRESS0</code>, <code class="computeroutput">ADDRESS1</code>, <code class="computeroutput">ADDRESS2</code>, and so on.
		</div><div class="para">
			Below is an example of setting static routes to a different subnet, on a machine in the 192.168.0.0/24 subnet. The example machine has an eth0 interface in the 192.168.0.0/24 subnet, and an eth1 interface (10.10.10.1) in the 10.10.10.0/24 subnet:
		</div><pre class="screen">ADDRESS0=10.10.10.0
NETMASK0=255.255.255.0
GATEWAY0=10.10.10.1</pre><div class="para">
			DHCP should assign these settings automatically, therefore it should not be necessary to configure static routes on Red Hat Enterprise Linux servers or clients.
		</div></div><div class="section" id="s1-networkscripts-functions"><div class="titlepage"><div><div><h2 class="title" id="s1-networkscripts-functions">15.5. Network Function Files</h2></div></div></div><a id="id813449" class="indexterm"></a><div class="para">
			Red Hat Enterprise Linux makes use of several files that contain important common functions used to bring interfaces up and down. Rather than forcing each interface control file to contain these functions, they are grouped together in a few files that are called upon when necessary.
		</div><div class="para">
			The <code class="filename">/etc/sysconfig/network-scripts/network-functions</code> file contains the most commonly used IPv4 functions, which are useful to many interface control scripts. These functions include contacting running programs that have requested information about changes in the status of an interface, setting hostnames, finding a gateway device, verifying whether or not a particular device is down, and adding a default route.
		</div><div class="para">
			As the functions required for IPv6 interfaces are different from IPv4 interfaces, a <code class="filename">/etc/sysconfig/network-scripts/network-functions-ipv6</code> file exists specifically to hold this information. The functions in this file configure and delete static IPv6 routes, create and remove tunnels, add and remove IPv6 addresses to an interface, and test for the existence of an IPv6 address on an interface.
		</div></div><div class="section" id="s1-networkscripts-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-networkscripts-resources">15.6. Additional Resources</h2></div></div></div><a id="id813506" class="indexterm"></a><div class="para">
			The following are resources which explain more about network interfaces.
		</div><div class="section" id="s2-networkscripts-docs-inst"><div class="titlepage"><div><div><h3 class="title" id="s2-networkscripts-docs-inst">15.6.1. Installed Documentation</h3></div></div></div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="filename">/usr/share/doc/initscripts-<em class="replaceable"><code>&lt;version&gt;</code></em>/sysconfig.txt</code> </span></dt><dd><div class="para">
							A guide to available options for network configuration files, including IPv6 options not covered in this chapter.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">/usr/share/doc/iproute-<em class="replaceable"><code>&lt;version&gt;</code></em>/ip-cref.ps</code> </span></dt><dd><div class="para">
							This file contains a wealth of information about the <code class="command">ip</code> command, which can be used to manipulate routing tables, among other things. Use the <span class="application"><strong>ggv</strong></span> or <span class="application"><strong>kghostview</strong></span> application to view this file.
						</div></dd></dl></div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-network-config" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 16. Network Configuration</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-network-config-overview">16.1. Overview</a></span></dt><dt><span class="section"><a href="#s1-network-config-ethernet">16.2. Establishing an Ethernet Connection</a></span></dt><dt><span class="section"><a href="#s1-network-config-isdn">16.3. Establishing an ISDN Connection</a></span></dt><dt><span class="section"><a href="#s1-network-config-modem">16.4. Establishing a Modem Connection</a></span></dt><dt><span class="section"><a href="#s1-network-config-xdsl">16.5. Establishing an xDSL Connection</a></span></dt><dt><span class="section"><a href="#s1-network-config-tokenring">16.6. Establishing a Token Ring Connection</a></span></dt><dt><span class="section"><a href="#s1-network-config-wireless">16.7. Establishing a Wireless Connection</a></span></dt><dt><span class="section"><a href="#s1-network-config-dns">16.8. Managing DNS Settings</a></span></dt><dt><span class="section"><a href="#s1-network-config-hosts">16.9. Managing Hosts</a></span></dt><dt><span class="section"><a href="#s1-network-profiles">16.10. Working with Profiles</a></span></dt><dt><span class="section"><a href="#s1-network-aliases">16.11. Device Aliases</a></span></dt><dt><span class="section"><a href="#s1-network-save-config">16.12. Saving and Restoring the Network Configuration</a></span></dt></dl></div><a id="id880148" class="indexterm"></a><a id="id847174" class="indexterm"></a><a id="id857964" class="indexterm"></a><a id="id926355" class="indexterm"></a><div class="para">
		To communicate with each other, computers must have a network connection. This is accomplished by having the operating system recognize an interface card (such as Ethernet, ISDN modem, or token ring) and configuring the interface to connect to the network.
	</div><div class="para">
		The <span class="application"><strong>Network Administration Tool</strong></span> can be used to configure the following types of network interfaces:
	</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
				Ethernet
			</div></li><li class="listitem"><div class="para">
				ISDN
			</div></li><li class="listitem"><div class="para">
				modem
			</div></li><li class="listitem"><div class="para">
				xDSL
			</div></li><li class="listitem"><div class="para">
				token ring
			</div></li><li class="listitem"><div class="para">
				CIPE
			</div></li><li class="listitem"><div class="para">
				wireless devices
			</div></li></ul></div><div class="para">
		It can also be used to configure IPsec connections, manage DNS settings, and manage the <code class="filename">/etc/hosts</code> file used to store additional hostnames and IP address combinations.
	</div><a id="id1045699" class="indexterm"></a><div class="para">
		To use the <span class="application"><strong>Network Administration Tool</strong></span>, you must have root privileges. To start the application, go to the Applications (the main menu on the panel) &gt; <span class="guimenu"><strong>System Settings</strong></span> &gt; <span class="guimenuitem"><strong>Network</strong></span>, or type the command <code class="command">system-config-network</code> at a shell prompt (for example, in an <span class="application"><strong>XTerm</strong></span> or a <span class="application"><strong>GNOME terminal</strong></span>). If you type the command, the graphical version is displayed if <span class="application"><strong>X</strong></span> is running; otherwise, the text-based version is displayed.
	</div><div class="para">
		To use the command line version, execute the command <code class="command">system-config-network-cmd --help</code> as root to view all of the options.
	</div><div class="figure" id="fig-network-config-main"><div class="figure-contents"><div class="mediaobject"><img src="images/neat.png" alt="Network Administration Tool" /><div class="longdesc"><div class="para">
					Main Window
				</div></div></div></div><h6>Figure 16.1.  <span class="application">Network Administration Tool</span> </h6></div><br class="figure-break" /><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
			Use the Red Hat Hardware Compatibility List (<a href="http://hardware.redhat.com/hcl/">http://hardware.redhat.com/hcl/</a>) to determine if Red Hat Enterprise Linux supports your hardware device.
		</div></div></div><div class="section" id="s1-network-config-overview"><div class="titlepage"><div><div><h2 class="title" id="s1-network-config-overview">16.1. Overview</h2></div></div></div><a id="id981901" class="indexterm"></a><div class="para">
			To configure a network connection with the <span class="application"><strong>Network Administration Tool</strong></span>, perform the following steps:
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					Add a network device associated with the physical hardware device.
				</div></li><li class="listitem"><div class="para">
					Add the physical hardware device to the hardware list, if it does not already exist.
				</div></li><li class="listitem"><div class="para">
					Configure the hostname and DNS settings.
				</div></li><li class="listitem"><div class="para">
					Configure any hosts that cannot be looked up through DNS.
				</div></li></ol></div><div class="para">
			This chapter discusses each of these steps for each type of network connection.
		</div></div><div class="section" id="s1-network-config-ethernet"><div class="titlepage"><div><div><h2 class="title" id="s1-network-config-ethernet">16.2. Establishing an Ethernet Connection</h2></div></div></div><a id="id880179" class="indexterm"></a><a id="id880193" class="indexterm"></a><div class="para">
			To establish an Ethernet connection, you need a network interface card (NIC), a network cable (usually a CAT5 cable), and a network to connect to. Different networks are configured to use different network speeds; make sure your NIC is compatible with the network to which you want to connect.
		</div><div class="para">
			To add an Ethernet connection, follow these steps:
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					Click the <span class="guilabel"><strong>Devices</strong></span> tab.
				</div></li><li class="listitem"><div class="para">
					Click the <span class="guibutton"><strong>New</strong></span> button on the toolbar.
				</div></li><li class="listitem"><div class="para">
					Select <span class="guilabel"><strong>Ethernet connection</strong></span> from the <span class="guilabel"><strong>Device Type</strong></span> list, and click <span class="guibutton"><strong>Forward</strong></span>.
				</div></li><li class="listitem"><div class="para">
					If you have already added the network interface card to the hardware list, select it from the <span class="guilabel"><strong>Ethernet card</strong></span> list. Otherwise, select <span class="guilabel"><strong>Other Ethernet Card</strong></span> to add the hardware device.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						The installation program detects supported Ethernet devices and prompts you to configure them. If you configured any Ethernet devices during the installation, they are displayed in the hardware list on the <span class="guilabel"><strong>Hardware</strong></span> tab.
					</div></div></div></li><li class="listitem"><div class="para">
					If you selected <span class="guilabel"><strong>Other Ethernet Card</strong></span>, the <span class="guilabel"><strong>Select Ethernet Adapter</strong></span> window appears. Select the manufacturer and model of the Ethernet card. Select the device name. If this is the system's first Ethernet card, select <span class="guilabel"><strong>eth0</strong></span> as the device name; if this is the second Ethernet card, select <span class="guilabel"><strong>eth1</strong></span> (and so on). The <span class="application"><strong>Network Administration Tool</strong></span> also allows you to configure the resources for the NIC. Click <span class="guibutton"><strong>Forward</strong></span> to continue.
				</div></li><li class="listitem"><div class="para">
					<a id="id981949" class="indexterm"></a>
					 <a id="id981963" class="indexterm"></a>
					 In the <span class="guilabel"><strong>Configure Network Settings</strong></span> window shown in <a class="xref" href="#fig-neat-ethernet-settings">Figure 16.2, “Ethernet Settings”</a>, choose between DHCP and a static IP address. If the device receives a different IP address each time the network is started, do not specify a hostname.
				</div></li><li class="listitem"><div class="para">
					Do not specify a value for the <span class="guilabel"><strong>Set MTU to</strong></span> or <span class="guilabel"><strong>Set MRU to</strong></span> fields. <em class="firstterm">MTU</em> stands for Maximum Transmission Unit and <em class="firstterm">MRU</em> for Maximum Receive Unit; the network configuration tool will choose appropriate values for both of these parameters. Click <span class="guibutton"><strong>Forward</strong></span> to continue.
				</div></li><li class="listitem"><div class="para">
					Click <span class="guibutton"><strong>Apply</strong></span> on the <span class="guilabel"><strong>Create Ethernet Device</strong></span> page.
				</div></li></ol></div><div class="figure" id="fig-neat-ethernet-settings"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-ethernet-settings-2.png" width="444" alt="Ethernet Settings" /><div class="longdesc"><div class="para">
						Ethernet Settings
					</div></div></div></div><h6>Figure 16.2. Ethernet Settings</h6></div><br class="figure-break" /><div class="para">
			After configuring the Ethernet device, it appears in the device list as shown in <a class="xref" href="#fig-neat-ethernet">Figure 16.3, “Ethernet Device”</a>.
		</div><div class="figure" id="fig-neat-ethernet"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-ethernet.png" alt="Ethernet Device" /><div class="longdesc"><div class="para">
						Ethernet Device
					</div></div></div></div><h6>Figure 16.3. Ethernet Device</h6></div><br class="figure-break" /><div class="para">
	Be sure to select <span class="guimenu"><strong>File</strong></span> &gt; <span class="guimenuitem"><strong>Save</strong></span> to save the changes.
</div><div class="para">
			After adding the Ethernet device, you can edit its configuration by selecting the device from the device list and clicking <span class="guibutton"><strong>Edit</strong></span>. For example, when the device is added, it is configured to start at boot time by default. To change this setting, select to edit the device, modify the <span class="guilabel"><strong>Activate device when computer starts</strong></span> value, and save the changes.
		</div><a id="id778035" class="indexterm"></a><div class="para">
	When the device is added, it is not activated immediately, as seen by its <span class="guilabel"><strong>Inactive</strong></span> status. To activate the device, select it from the device list, and click the <span class="guibutton"><strong>Activate</strong></span> button. If the system is configured to activate the device when the computer starts (the default), this step does not have to be performed again.
</div><div class="para">
			If you associate more than one device with an Ethernet card, the subsequent devices are <em class="firstterm">device aliases</em>. A device alias allows you to setup multiple virtual devices for one physical device, thus giving the one physical device more than one IP address. For example, you can configure an eth1 device and an eth1:1 device. For details, refer to <a class="xref" href="#s1-network-aliases">Section 16.11, “Device Aliases”</a>.
		</div></div><div class="section" id="s1-network-config-isdn"><div class="titlepage"><div><div><h2 class="title" id="s1-network-config-isdn">16.3. Establishing an ISDN Connection</h2></div></div></div><a id="id838761" class="indexterm"></a><a id="id838775" class="indexterm"></a><div class="para">
			An ISDN connection is an Internet connection established with a ISDN modem card through a special phone line installed by the phone company. ISDN connections are popular in Europe.
		</div><div class="para">
			To add an ISDN connection, follow these steps:
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					Click the <span class="guilabel"><strong>Devices</strong></span> tab.
				</div></li><li class="listitem"><div class="para">
					Click the <span class="guibutton"><strong>New</strong></span> button on the toolbar.
				</div></li><li class="listitem"><div class="para">
					Select <span class="guilabel"><strong>ISDN connection</strong></span> from the <span class="guilabel"><strong>Device Type</strong></span> list, and click <span class="guibutton"><strong>Forward</strong></span>.
				</div></li><li class="listitem"><div class="para">
					Select the ISDN adapter from the pulldown menu. Then configure the resources and D channel protocol for the adapter. Click <span class="guibutton"><strong>Forward</strong></span> to continue.
				</div><div class="figure" id="fig-neat-isdn-settings"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-isdn-settings.png" width="444" alt="ISDN Settings" /><div class="longdesc"><div class="para">
								ISDN Settings
							</div></div></div></div><h6>Figure 16.4. ISDN Settings</h6></div><br class="figure-break" /></li><li class="listitem"><div class="para">
					If your Internet Service Provider (ISP) is in the pre-configured list, select it. Otherwise, enter the required information about your ISP account. If you do not know the values, contact your ISP. Click <span class="guibutton"><strong>Forward</strong></span>.
				</div></li><li class="listitem"><div class="para">
					In the <span class="guilabel"><strong>IP Settings</strong></span> window, select the <span class="guilabel"><strong>Encapsulation Mode</strong></span> and whether to obtain an IP address automatically or to set a static IP instead. Click <span class="guibutton"><strong>Forward</strong></span> when finished.
				</div></li><li class="listitem"><div class="para">
					On the <span class="guilabel"><strong>Create Dialup Connection</strong></span> page, click <span class="guibutton"><strong>Apply</strong></span>.
				</div></li></ol></div><div class="para">
			After configuring the ISDN device, it appears in the device list as a device with type <span class="guilabel"><strong>ISDN</strong></span> as shown in <a class="xref" href="#fig-neat-isdn">Figure 16.5, “ISDN Device”</a>.
		</div><div class="para">
	Be sure to select <span class="guimenu"><strong>File</strong></span> &gt; <span class="guimenuitem"><strong>Save</strong></span> to save the changes.
</div><div class="para">
			After adding the ISDN device, you can edit its configuration by selecting the device from the device list and clicking <span class="guibutton"><strong>Edit</strong></span>. For example, when the device is added, it is configured not to start at boot time by default. Edit its configuration to modify this setting. Compression, PPP options, login name, password, and more can be changed.
		</div><a id="id985452" class="indexterm"></a><div class="para">
	When the device is added, it is not activated immediately, as seen by its <span class="guilabel"><strong>Inactive</strong></span> status. To activate the device, select it from the device list, and click the <span class="guibutton"><strong>Activate</strong></span> button. If the system is configured to activate the device when the computer starts (the default), this step does not have to be performed again.
</div><div class="figure" id="fig-neat-isdn"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-isdn.png" alt="ISDN Device" /><div class="longdesc"><div class="para">
						ISDN Device
					</div></div></div></div><h6>Figure 16.5. ISDN Device</h6></div><br class="figure-break" /></div><div class="section" id="s1-network-config-modem"><div class="titlepage"><div><div><h2 class="title" id="s1-network-config-modem">16.4. Establishing a Modem Connection</h2></div></div></div><a id="id984228" class="indexterm"></a><a id="id984242" class="indexterm"></a><div class="para">
			A modem can be used to configure an Internet connection over an active phone line. An Internet Service Provider (ISP) account (also called a dial-up account) is required.
		</div><div class="para">
			To add a modem connection, follow these steps:
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					Click the <span class="guilabel"><strong>Devices</strong></span> tab.
				</div></li><li class="listitem"><div class="para">
					Click the <span class="guibutton"><strong>New</strong></span> button on the toolbar.
				</div></li><li class="listitem"><div class="para">
					Select <span class="guilabel"><strong>Modem connection</strong></span> from the <span class="guilabel"><strong>Device Type</strong></span> list, and click <span class="guibutton"><strong>Forward</strong></span>.
				</div></li><li class="listitem"><div class="para">
					If there is a modem already configured in the hardware list (on the <span class="guilabel"><strong>Hardware</strong></span> tab), the <span class="application"><strong>Network Administration Tool</strong></span> assumes you want to use it to establish a modem connection. If there are no modems already configured, it tries to detect any modems in the system. This probe might take a while. If a modem is not found, a message is displayed to warn you that the settings shown are not values found from the probe.
				</div></li><li class="listitem"><div class="para">
					After probing, the window in <a class="xref" href="#fig-neat-modem-settings">Figure 16.6, “Modem Settings”</a> appears.
				</div><div class="figure" id="fig-neat-modem-settings"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-modem-settings.png" width="444" alt="Modem Settings" /><div class="longdesc"><div class="para">
								Modem Settings
							</div></div></div></div><h6>Figure 16.6. Modem Settings</h6></div><br class="figure-break" /></li><li class="listitem"><div class="para">
					Configure the modem device, baud rate, flow control, and modem volume. If you do not know these values, accept the defaults if the modem was probed successfully. If you do not have touch tone dialing, uncheck the corresponding checkbox. Click <span class="guibutton"><strong>Forward</strong></span>.
				</div></li><li class="listitem"><div class="para">
					If your ISP is in the pre-configured list, select it. Otherwise, enter the required information about your ISP account. If you do not know these values, contact your ISP. Click <span class="guibutton"><strong>Forward</strong></span>.
				</div></li><li class="listitem"><div class="para">
					On the <span class="guilabel"><strong>IP Settings</strong></span> page, select whether to obtain an IP address automatically or whether to set one statically. Click <span class="guibutton"><strong>Forward</strong></span> when finished.
				</div></li><li class="listitem"><div class="para">
					On the <span class="guilabel"><strong>Create Dialup Connection</strong></span> page, click <span class="guibutton"><strong>Apply</strong></span>.
				</div></li></ol></div><div class="para">
			After configuring the modem device, it appears in the device list with the type <code class="computeroutput">Modem</code> as shown in <a class="xref" href="#fig-neat-modem">Figure 16.7, “Modem Device”</a>.
		</div><div class="figure" id="fig-neat-modem"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-modem.png" alt="Modem Device" /><div class="longdesc"><div class="para">
						Modem Device
					</div></div></div></div><h6>Figure 16.7. Modem Device</h6></div><br class="figure-break" /><div class="para">
	Be sure to select <span class="guimenu"><strong>File</strong></span> &gt; <span class="guimenuitem"><strong>Save</strong></span> to save the changes.
</div><div class="para">
			After adding the modem device, you can edit its configuration by selecting the device from the device list and clicking <span class="guibutton"><strong>Edit</strong></span>. For example, when the device is added, it is configured not to start at boot time by default. Edit its configuration to modify this setting. Compression, PPP options, login name, password, and more can also be changed.
		</div><a id="id974872" class="indexterm"></a><div class="para">
	When the device is added, it is not activated immediately, as seen by its <span class="guilabel"><strong>Inactive</strong></span> status. To activate the device, select it from the device list, and click the <span class="guibutton"><strong>Activate</strong></span> button. If the system is configured to activate the device when the computer starts (the default), this step does not have to be performed again.
</div></div><div class="section" id="s1-network-config-xdsl"><div class="titlepage"><div><div><h2 class="title" id="s1-network-config-xdsl">16.5. Establishing an xDSL Connection</h2></div></div></div><a id="id982232" class="indexterm"></a><a id="id982246" class="indexterm"></a><a id="id982261" class="indexterm"></a><a id="id982275" class="indexterm"></a><div class="para">
			DSL stands for <em class="firstterm">Digital Subscriber Lines</em>. There are different types of DSL such as ADSL, IDSL, and SDSL. The <span class="application"><strong>Network Administration Tool</strong></span> uses the term <em class="firstterm">xDSL</em> to mean all types of DSL connections.
		</div><div class="para">
			Some DSL providers require that the system is configured to obtain an IP address through DHCP with an Ethernet card. Some DSL providers require you to configure a PPPoE (Point-to-Point Protocol over Ethernet) connection with an Ethernet card. Ask your DSL provider which method to use.
		</div><div class="para">
			If you are required to use DHCP, refer to <a class="xref" href="#s1-network-config-ethernet">Section 16.2, “Establishing an Ethernet Connection”</a> to configure your Ethernet card.
		</div><div class="para">
			If you are required to use PPPoE, follow these steps:
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					Click the <span class="guilabel"><strong>Devices</strong></span> tab.
				</div></li><li class="listitem"><div class="para">
					Click the <span class="guibutton"><strong>New</strong></span> button.
				</div></li><li class="listitem"><div class="para">
					Select <span class="guilabel"><strong>xDSL connection</strong></span> from the <span class="guilabel"><strong>Device Type</strong></span> list, and click <span class="guibutton"><strong>Forward</strong></span> as shown in <a class="xref" href="#fig-neat-xdsl-selectdevicetype">Figure 16.8, “Select Device Type”</a>.
				</div><div class="figure" id="fig-neat-xdsl-selectdevicetype"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-xdsl-selectdevicetype.png" width="444" alt="Select Device Type" /><div class="longdesc"><div class="para">
								Select Device Type
							</div></div></div></div><h6>Figure 16.8. Select Device Type</h6></div><br class="figure-break" /></li><li class="listitem"><div class="para">
					If your Ethernet card is in the hardware list, select the <span class="guilabel"><strong>Ethernet Device</strong></span> from the pulldown menu from the page shown in <a class="xref" href="#fig-neat-xdsl-settings">Figure 16.9, “xDSL Settings”</a>. Otherwise, the <span class="guilabel"><strong>Select Ethernet Adapter</strong></span> window appears.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						The installation program detects supported Ethernet devices and prompts you to configure them. If you configured any Ethernet devices during the installation, they are displayed in the hardware list on the <span class="guilabel"><strong>Hardware</strong></span> tab.
					</div></div></div><div class="figure" id="fig-neat-xdsl-settings"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-xdsl-settings.png" width="444" alt="xDSL Settings" /><div class="longdesc"><div class="para">
								xDSL Settings
							</div></div></div></div><h6>Figure 16.9. xDSL Settings</h6></div><br class="figure-break" /></li><li class="listitem"><div class="para">
					Enter the <span class="guilabel"><strong>Provider Name</strong></span>, <span class="guilabel"><strong>Login Name</strong></span>, and <span class="guilabel"><strong>Password</strong></span>. If you are not setting up a T-Online account, select <span class="guilabel"><strong>Normal</strong></span> from the <span class="guilabel"><strong>Account Type</strong></span> pulldown menu.
				</div><div class="para">
					If you are setting up a T-Online account, select <span class="guilabel"><strong>T-Online</strong></span> from the <span class="guilabel"><strong>Account Type</strong></span> pulldown menu and enter any values in the <span class="guilabel"><strong>Login name</strong></span> and <span class="guilabel"><strong>Password</strong></span> field. You can further configure your T-Online account settings once the DSL connection has been fully configured (refer to <a class="xref" href="#tonline_setup">Setting Up a T-Online Account</a>).
				</div></li><li class="listitem"><div class="para">
					Click the <span class="guibutton"><strong>Forward</strong></span> to go to the <span class="guimenu"><strong>Create DSL Connection</strong></span> menu. Check your settings and click <span class="guibutton"><strong>Apply</strong></span> to finish.
				</div></li><li class="listitem"><div class="para">
					After configuring the DSL connection, it appears in the device list as shown in <a class="xref" href="#fig-neat-xdsl">Figure 16.10, “xDSL Device”</a>.
				</div><div class="figure" id="fig-neat-xdsl"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-xdsl.png" alt="xDSL Device" /><div class="longdesc"><div class="para">
								xDSL Device
							</div></div></div></div><h6>Figure 16.10. xDSL Device</h6></div><br class="figure-break" /></li><li class="listitem"><div class="para">
					After adding the xDSL connection, you can edit its configuration by selecting the device from the device list and clicking <span class="guibutton"><strong>Edit</strong></span>.
				</div><div class="figure" id="fig-neat-xdsl-edit"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-tonline1.png" width="444" alt="xDSL Configuration" /><div class="longdesc"><div class="para">
								xDSL Configuration
							</div></div></div></div><h6>Figure 16.11. xDSL Configuration</h6></div><br class="figure-break" /><div class="para">
					For example, when the device is added, it is configured not to start at boot time by default. Edit its configuration to modify this setting. Click <span class="guibutton"><strong>OK</strong></span> when finished.
				</div></li><li class="listitem"><div class="para">
					Once you are satisfied with your xDSL connection settings, select <span class="guimenu"><strong>File</strong></span> &gt; <span class="guimenuitem"><strong>Save</strong></span> to save the changes.
				</div></li></ol></div><div class="formalpara" id="tonline_setup"><h5 class="formalpara">Setting Up a T-Online Account</h5>
				If you are setting up a T-Online Account, follow these additional steps:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					Select the device from the device list and click <span class="guibutton"><strong>Edit</strong></span>.
				</div></li><li class="listitem"><div class="para">
					Select the <span class="guilabel"><strong>Provider</strong></span> tab from the <span class="guimenu"><strong>xDSL Configuration</strong></span> menu as shown in <a class="xref" href="#fig-neat-xdsl-editProvidertab">Figure 16.12, “xDSL Configuration - Provider Tab”</a>.
				</div><div class="figure" id="fig-neat-xdsl-editProvidertab"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-tonlineProvidertab.png" width="444" alt="xDSL Configuration - Provider Tab" /><div class="longdesc"><div class="para">
								xDSL Configuration - Provider Tab
							</div></div></div></div><h6>Figure 16.12. xDSL Configuration - Provider Tab</h6></div><br class="figure-break" /></li><li class="listitem"><div class="para">
					Click the <span class="guibutton"><strong>T-Online Account Setup</strong></span> button. This will open the <span class="guimenu"><strong>Account Setup</strong></span> window for your T-Online account as shown in <a class="xref" href="#fig-neat-xdsl-tonlinesettings">Figure 16.13, “Account Setup”</a>.
				</div><div class="figure" id="fig-neat-xdsl-tonlinesettings"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-tonlineAcctsetup.png" alt="Account Setup" /><div class="longdesc"><div class="para">
								Account Setup
							</div></div></div></div><h6>Figure 16.13. Account Setup</h6></div><br class="figure-break" /></li><li class="listitem"><div class="para">
					Enter your <span class="guilabel"><strong>Adapter identifier</strong></span>, <span class="guilabel"><strong>Associated T-Online number</strong></span>, <span class="guilabel"><strong>Concurrent user number/suffix</strong></span>, and <span class="guilabel"><strong>Personal password.</strong></span>. Click <span class="guibutton"><strong>OK</strong></span> when finished to close the <span class="guimenu"><strong>Account Setup</strong></span> window.
				</div></li><li class="listitem"><div class="para">
					On the <span class="guimenu"><strong>xDSL Configuration</strong></span> window, click <span class="guibutton"><strong>OK</strong></span>. Be sure to select <span class="guimenu"><strong>File</strong></span> &gt; <span class="guimenuitem"><strong>Save</strong></span> from the <span class="application"><strong>Network Administration Tool</strong></span> to save the changes.
				</div></li></ol></div><div class="para">
	When the device is added, it is not activated immediately, as seen by its <span class="guilabel"><strong>Inactive</strong></span> status. To activate the device, select it from the device list, and click the <span class="guibutton"><strong>Activate</strong></span> button. If the system is configured to activate the device when the computer starts (the default), this step does not have to be performed again.
</div></div><div class="section" id="s1-network-config-tokenring"><div class="titlepage"><div><div><h2 class="title" id="s1-network-config-tokenring">16.6. Establishing a Token Ring Connection</h2></div></div></div><a id="id975269" class="indexterm"></a><a id="id952988" class="indexterm"></a><div class="para">
			A <em class="firstterm">token ring network</em> is a network in which all the computers are connected in a circular pattern. A <em class="firstterm">token</em>, or a special network packet, travels around the token ring and allows computers to send information to each other.
		</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
				For more information on using token rings under Linux, refer to the <em class="citetitle">Linux Token Ring Project</em> website available at <a href="http://www.linuxtr.net/">http://www.linuxtr.net/</a>.
			</div></div></div><div class="para">
			To add a token ring connection, follow these steps:
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					Click the <span class="guilabel"><strong>Devices</strong></span> tab.
				</div></li><li class="listitem"><div class="para">
					Click the <span class="guibutton"><strong>New</strong></span> button on the toolbar.
				</div></li><li class="listitem"><div class="para">
					Select <span class="guilabel"><strong>Token Ring connection</strong></span> from the <span class="guilabel"><strong>Device Type</strong></span> list and click <span class="guibutton"><strong>Forward</strong></span>.
				</div></li><li class="listitem"><div class="para">
					If you have already added the token ring card to the hardware list, select it from the <span class="guilabel"><strong>Tokenring card</strong></span> list. Otherwise, select <span class="guilabel"><strong>Other Tokenring Card</strong></span> to add the hardware device.
				</div></li><li class="listitem"><div class="para">
					If you selected <span class="guilabel"><strong>Other Tokenring Card</strong></span>, the <span class="guilabel"><strong>Select Token Ring Adapter</strong></span> window as shown in <a class="xref" href="#fig-neat-tokenring-settings">Figure 16.14, “Token Ring Settings”</a> appears. Select the manufacturer and model of the adapter. Select the device name. If this is the system's first token ring card, select <span class="guilabel"><strong>tr0</strong></span>; if this is the second token ring card, select <span class="guilabel"><strong>tr1</strong></span> (and so on). The <span class="application"><strong>Network Administration Tool</strong></span> also allows the user to configure the resources for the adapter. Click <span class="guibutton"><strong>Forward</strong></span> to continue.
				</div><div class="figure" id="fig-neat-tokenring-settings"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-tokenring-settings.png" width="444" alt="Token Ring Settings" /><div class="longdesc"><div class="para">
								Token Ring Settings
							</div></div></div></div><h6>Figure 16.14. Token Ring Settings</h6></div><br class="figure-break" /></li><li class="listitem"><div class="para">
					On the <span class="guilabel"><strong>Configure Network Settings</strong></span> page, choose between DHCP and static IP address. You may specify a hostname for the device. If the device receives a dynamic IP address each time the network is started, do not specify a hostname. Click <span class="guibutton"><strong>Forward</strong></span> to continue.
				</div></li><li class="listitem"><div class="para">
					Click <span class="guibutton"><strong>Apply</strong></span> on the <span class="guilabel"><strong>Create Tokenring Device</strong></span> page.
				</div></li></ol></div><div class="para">
			After configuring the token ring device, it appears in the device list as shown in <a class="xref" href="#fig-neat-tokenring">Figure 16.15, “Token Ring Device”</a>.
		</div><div class="figure" id="fig-neat-tokenring"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-tokenring.png" alt="Token Ring Device" /><div class="longdesc"><div class="para">
						Token Ring Device
					</div></div></div></div><h6>Figure 16.15. Token Ring Device</h6></div><br class="figure-break" /><div class="para">
	Be sure to select <span class="guimenu"><strong>File</strong></span> &gt; <span class="guimenuitem"><strong>Save</strong></span> to save the changes.
</div><div class="para">
			After adding the device, you can edit its configuration by selecting the device from the device list and clicking <span class="guibutton"><strong>Edit</strong></span>. For example, you can configure whether the device is started at boot time.
		</div><a id="id1006520" class="indexterm"></a><div class="para">
	When the device is added, it is not activated immediately, as seen by its <span class="guilabel"><strong>Inactive</strong></span> status. To activate the device, select it from the device list, and click the <span class="guibutton"><strong>Activate</strong></span> button. If the system is configured to activate the device when the computer starts (the default), this step does not have to be performed again.
</div></div><div class="section" id="s1-network-config-wireless"><div class="titlepage"><div><div><h2 class="title" id="s1-network-config-wireless">16.7. Establishing a Wireless Connection</h2></div></div></div><a id="id1006569" class="indexterm"></a><div class="para">
			Wireless Ethernet devices are becoming increasingly popular. The configuration is similar to the Ethernet configuration except that it allows you to configure settings such as the SSID and key for the wireless device.
		</div><div class="para">
			To add a wireless Ethernet connection, follow these steps:
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					Click the <span class="guilabel"><strong>Devices</strong></span> tab.
				</div></li><li class="listitem"><div class="para">
					Click the <span class="guibutton"><strong>New</strong></span> button on the toolbar.
				</div></li><li class="listitem"><div class="para">
					Select <span class="guilabel"><strong>Wireless connection</strong></span> from the <span class="guilabel"><strong>Device Type</strong></span> list and click <span class="guibutton"><strong>Forward</strong></span>.
				</div></li><li class="listitem"><div class="para">
					If you have already added the wireless network interface card to the hardware list, select it from the <span class="guilabel"><strong>Wireless card</strong></span> list. Otherwise, select <span class="guilabel"><strong>Other Wireless Card</strong></span> to add the hardware device.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						The installation program usually detects supported wireless Ethernet devices and prompts you to configure them. If you configured them during the installation, they are displayed in the hardware list on the <span class="guilabel"><strong>Hardware</strong></span> tab.
					</div></div></div></li><li class="listitem"><div class="para">
					If you selected <span class="guilabel"><strong>Other Wireless Card</strong></span>, the <span class="guilabel"><strong>Select Ethernet Adapter</strong></span> window appears. Select the manufacturer and model of the Ethernet card and the device. If this is the first Ethernet card for the system, select <span class="guilabel"><strong>eth0</strong></span>; if this is the second Ethernet card for the system, select <span class="guilabel"><strong>eth1</strong></span> (and so on). The <span class="application"><strong> Network Administration Tool</strong></span> also allows the user to configure the resources for the wireless network interface card. Click <span class="guibutton"><strong>Forward</strong></span> to continue.
				</div></li><li class="listitem"><div class="para">
					On the <span class="guilabel"><strong>Configure Wireless Connection</strong></span> page as shown in <a class="xref" href="#fig-neat-wireless-settings">Figure 16.16, “Wireless Settings”</a>, configure the settings for the wireless device.
				</div><div class="note"><div class="admonition_header"><h2>Note: Open System and Shared Key Authentication</h2></div><div class="admonition"><div class="para">
						For the <span class="guimenu"><strong>Authentication</strong></span> dropdown, note that wireless access points using WEP encryption have a choice between using open system and shared key authentication. Shared key authentication requires an exchange between the client and the access point during the association process that proves that the client has the correct WEP key. Open system authentication allows all wireless clients to connect. Counterintuitively, shared key authentication is less secure than open system, and thus is less widely deployed. It is therefore recommended to select <span class="guilabel"><strong>Open System (open)</strong></span> as the authentication method when you do not know which method the access point requires. If connecting to the access point using open system fails, then try switching to shared key authentication.
					</div></div></div><div class="figure" id="fig-neat-wireless-settings"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-wireless-settings.png" width="444" alt="Wireless Settings" /><div class="longdesc"><div class="para">
								Wireless Settings
							</div></div></div></div><h6>Figure 16.16. Wireless Settings</h6></div><br class="figure-break" /></li><li class="listitem"><div class="para">
					On the <span class="guilabel"><strong>Configure Network Settings</strong></span> page, choose between DHCP and static IP address. You may specify a hostname for the device. If the device receives a dynamic IP address each time the network is started, do not specify a hostname. Click <span class="guibutton"><strong>Forward</strong></span> to continue.
				</div></li><li class="listitem"><div class="para">
					Click <span class="guibutton"><strong>Apply</strong></span> on the <span class="guilabel"><strong>Create Wireless Device</strong></span> page.
				</div></li></ol></div><div class="para">
			After configuring the wireless device, it appears in the device list as shown in <a class="xref" href="#fig-neat-wireless">Figure 16.17, “Wireless Device”</a>.
		</div><div class="figure" id="fig-neat-wireless"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-wireless.png" alt="Wireless Device" /><div class="longdesc"><div class="para">
						Wireless Device
					</div></div></div></div><h6>Figure 16.17. Wireless Device</h6></div><br class="figure-break" /><div class="para">
	Be sure to select <span class="guimenu"><strong>File</strong></span> &gt; <span class="guimenuitem"><strong>Save</strong></span> to save the changes.
</div><div class="para">
			After adding the wireless device, you can edit its configuration by selecting the device from the device list and clicking <span class="guibutton"><strong>Edit</strong></span>. For example, you can configure the device to activate at boot time.
		</div><a id="id1047809" class="indexterm"></a><div class="para">
	When the device is added, it is not activated immediately, as seen by its <span class="guilabel"><strong>Inactive</strong></span> status. To activate the device, select it from the device list, and click the <span class="guibutton"><strong>Activate</strong></span> button. If the system is configured to activate the device when the computer starts (the default), this step does not have to be performed again.
</div></div><div class="section" id="s1-network-config-dns"><div class="titlepage"><div><div><h2 class="title" id="s1-network-config-dns">16.8. Managing DNS Settings</h2></div></div></div><a id="id1047859" class="indexterm"></a><div class="para">
			The <span class="guilabel"><strong>DNS</strong></span> tab allows you to configure the system's hostname, domain, name servers, and search domain. Name servers are used to look up other hosts on the network.
		</div><div class="para">
			If the DNS server names are retrieved from DHCP or PPPoE (or retrieved from the ISP), do not add primary, secondary, or tertiary DNS servers.
		</div><div class="para">
			If the hostname is retrieved dynamically from DHCP or PPPoE (or retrieved from the ISP), do not change it.
		</div><div class="figure" id="fig-neat-dns"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-dns.png" alt="DNS Configuration" /><div class="longdesc"><div class="para">
						DNS Configuration
					</div></div></div></div><h6>Figure 16.18. DNS Configuration</h6></div><br class="figure-break" /><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				The name servers section does not configure the system to be a name server. Instead, it configures which name servers to use when resolving IP addresses to hostnames and vice-versa.
			</div></div></div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
				If the hostname is changed and <code class="command">system-config-network</code> is started on the local host, you may not be able to start another <span class="application"><strong>X11</strong></span> application. As such, you may have to re-login to a new desktop session.
			</div></div></div></div><div class="section" id="s1-network-config-hosts"><div class="titlepage"><div><div><h2 class="title" id="s1-network-config-hosts">16.9. Managing Hosts</h2></div></div></div><a id="id962092" class="indexterm"></a><a id="id962106" class="indexterm"></a><a id="id962125" class="indexterm"></a><div class="para">
			The <span class="guilabel"><strong>Hosts</strong></span> tab allows you to add, edit, or remove hosts from the <code class="filename">/etc/hosts</code> file. This file contains IP addresses and their corresponding hostnames.
		</div><div class="para">
			When your system tries to resolve a hostname to an IP address or tries to determine the hostname for an IP address, it refers to the <code class="filename">/etc/hosts</code> file before using the name servers (if you are using the default Red Hat Enterprise Linux configuration). If the IP address is listed in the <code class="filename">/etc/hosts</code> file, the name servers are not used. If your network contains computers whose IP addresses are not listed in DNS, it is recommended that you add them to the <code class="filename">/etc/hosts</code> file.
		</div><div class="para">
			To add an entry to the <code class="filename">/etc/hosts</code> file, go to the <span class="guilabel"><strong>Hosts</strong></span> tab, click the <span class="guibutton"><strong>New</strong></span> button on the toolbar, provide the requested information, and click <span class="guilabel"><strong>OK</strong></span>. Select <span class="guimenu"><strong>File</strong></span> &gt; <span class="guimenuitem"><strong>Save</strong></span> or press <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>S</strong></span> to save the changes to the <code class="filename">/etc/hosts</code> file. The network or network services do not need to be restarted since the current version of the file is referred to each time an address is resolved.
		</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
				Do not remove the <code class="computeroutput">localhost</code> entry. Even if the system does not have a network connection or have a network connection running constantly, some programs need to connect to the system via the localhost loopback interface.
			</div></div></div><div class="figure" id="fig-neat-hosts"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-hosts.png" alt="Hosts Configuration" /><div class="longdesc"><div class="para">
						Hosts Configuration
					</div></div></div></div><h6>Figure 16.19. Hosts Configuration</h6></div><br class="figure-break" /><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
				To change lookup order, edit the <code class="filename">/etc/host.conf</code> file. The line <code class="computeroutput">order hosts, bind</code> specifies that <code class="filename">/etc/hosts</code> takes precedence over the name servers. Changing the line to <code class="filename">order bind, hosts</code> configures the system to resolve hostnames and IP addresses using the name servers first. If the IP address cannot be resolved through the name servers, the system then looks for the IP address in the <code class="filename">/etc/hosts</code> file.
			</div></div></div></div><div class="section" id="s1-network-profiles"><div class="titlepage"><div><div><h2 class="title" id="s1-network-profiles">16.10. Working with Profiles</h2></div></div></div><a id="id811282" class="indexterm"></a><a id="id811296" class="indexterm"></a><div class="para">
			Multiple logical network devices can be created for each physical hardware device. For example, if you have one Ethernet card in your system (eth0), you can create logical network devices with different nicknames and different configuration options, all to be specifically associated with eth0.
		</div><div class="para">
			Logical network devices are different from device aliases. Logical network devices associated with the same physical device must exist in different profiles and cannot be activated simultaneously. Device aliases are also associated with the same physical hardware device, but device aliases associated with the same physical hardware can be activated at the same time. Refer to <a class="xref" href="#s1-network-aliases">Section 16.11, “Device Aliases”</a> for details about creating device aliases.
		</div><div class="para">
			<em class="firstterm">Profiles</em> can be used to create multiple configuration sets for different networks. A configuration set can include logical devices as well as hosts and DNS settings. After configuring the profiles, you can use the <span class="application"><strong>Network Administration Tool</strong></span> to switch back and forth between them.
		</div><div class="para">
			By default, there is one profile called <span class="guilabel"><strong>Common</strong></span>. To create a new profile, select <span class="guimenu"><strong>Profile</strong></span> &gt; <span class="guimenuitem"><strong>New</strong></span> from the pull-down menu, and enter a unique name for the profile.
		</div><div class="para">
			You are now modifying the new profile as indicated by the status bar at the bottom of the main window.
		</div><div class="para">
			Click on an existing device already in the list and click the <span class="guibutton"><strong>Copy</strong></span> button to copy the existing device to a logical network device. If you use the <span class="guibutton"><strong>New</strong></span> button, a network alias is created, which is incorrect. To change the properties of the logical device, select it from the list and click <span class="guibutton"><strong>Edit</strong></span>. For example, the <span class="guilabel"><strong>Nickname</strong></span> can be changed to a more descriptive name, such as <strong class="userinput"><code>eth0_office</code></strong>, so that it can be recognized more easily. Once you have finished editing your new profile, make sure to save it by clicking <span class="guimenuitem"><strong>Save</strong></span> from the <span class="guisubmenu"><strong>File</strong></span> menu. If you forget to save after creating a profile, that profile will be lost.
		</div><div class="para">
			In the list of devices, there is a column of checkboxes labeled <span class="guilabel"><strong>Profile</strong></span>. For each profile, you can check or uncheck devices. Only the checked devices are included for the currently selected profile. For example, if you create a logical device named <strong class="userinput"><code>eth0_office</code></strong> in a profile called <strong class="userinput"><code>Office</code></strong> and want to activate the logical device if the profile is selected, uncheck the <code class="computeroutput">eth0</code> device and check the <code class="computeroutput">eth0_office</code> device.
		</div><div class="para">
			For example, <a class="xref" href="#fig-neat-office-profile">Figure 16.20, “Office Profile”</a> shows a profile called <span class="guilabel"><strong>Office</strong></span> with the logical device <span class="guilabel"><strong>eth0_office</strong></span>. It is configured to activate the first Ethernet card using DHCP.
		</div><div class="figure" id="fig-neat-office-profile"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-office-profile.png" alt="Office Profile" /><div class="longdesc"><div class="para">
						Creating an Office Profile
					</div></div></div></div><h6>Figure 16.20. Office Profile</h6></div><br class="figure-break" /><div class="para">
			Notice that the <span class="guilabel"><strong>Home</strong></span> profile as shown in <a class="xref" href="#fig-neat-home-profile">Figure 16.21, “Home Profile”</a> activates the <span class="guilabel"><strong>eth0_home</strong></span> logical device, which is associated with <code class="computeroutput">eth0</code>.
		</div><div class="figure" id="fig-neat-home-profile"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-home-profile.png" alt="Home Profile" /><div class="longdesc"><div class="para">
						Creating a Home Profile
					</div></div></div></div><h6>Figure 16.21. Home Profile</h6></div><br class="figure-break" /><div class="para">
			You can also configure <code class="computeroutput">eth0</code> to activate in the <span class="guilabel"><strong>Office</strong></span> profile only and to activate a PPP (modem) device in the <span class="guilabel"><strong>Home</strong></span> profile only. Another example is to have the <span class="guilabel"><strong>Common</strong></span> profile activate <code class="computeroutput">eth0</code> and an <span class="guilabel"><strong>Away</strong></span> profile activate a PPP device for use while traveling.
		</div><a id="id980844" class="indexterm"></a><a id="id980862" class="indexterm"></a><div class="para">
			To activate a profile at boot time, modify the boot loader configuration file to include the <code class="computeroutput">netprofile=<em class="replaceable"><code>&lt;profilename&gt;</code></em> </code> option. For example, if the system uses GRUB as the boot loader and <code class="filename">/boot/grub/grub.conf</code> contains:
		</div><pre class="screen">title Red Hat Enterprise Linux (2.6.9-5.EL)
         root (hd0,0)
	 kernel /vmlinuz-2.6.9-5.EL ro root=/dev/VolGroup00/LogVol00 rhgb quiet
	 initrd /initrd-2.6.9-5.EL.img</pre><div class="para">
			Modify it to the following (where <em class="replaceable"><code>&lt;profilename&gt;</code></em> is the name of the profile to be activated at boot time):
		</div><pre class="screen">title Red Hat Enterprise Linux (2.6.9-5.EL)
         root (hd0,0)
	 kernel /vmlinuz-2.6.9-5.EL ro root=/dev/VolGroup00/LogVol00 \ 
	 	<strong class="userinput"><code>netprofile=<em class="replaceable"><code>&lt;profilename&gt;</code></em> </code></strong> \ 	  rhgb quiet
	 initrd /initrd-2.6.9-5.EL.img</pre><div class="para">
			To switch profiles after the system has booted, go to Applications (the main menu on the panel) &gt; <span class="guimenu"><strong>System Tools</strong></span> &gt; <span class="guimenuitem"><strong>Network Device Control</strong></span> (or type the command <code class="command">system-control-network</code>) to select a profile and activate it. The activate profile section only appears in the <span class="application"><strong>Network Device Control</strong></span> interface if more than the default <span class="guilabel"><strong>Common</strong></span> interface exists.
		</div><a id="id980945" class="indexterm"></a><div class="para">
			Alternatively, execute the following command to enable a profile (replace <em class="replaceable"><code>&lt;profilename&gt;</code></em> with the name of the profile):
		</div><pre class="screen"><code class="command">system-config-network-cmd --profile <em class="replaceable"><code>&lt;profilename&gt;</code></em> --activate</code></pre></div><div class="section" id="s1-network-aliases"><div class="titlepage"><div><div><h2 class="title" id="s1-network-aliases">16.11. Device Aliases</h2></div></div></div><a id="id965344" class="indexterm"></a><div class="para">
			<em class="firstterm">Device aliases</em> are virtual devices associated with the same physical hardware, but they can be activated at the same time to have different IP addresses. They are commonly represented as the device name followed by a colon and a number (for example, eth0:1). They are useful if you want to have multiple IP addresses for a system that only has one network card.
		</div><div class="para">
			After configuring the Ethernet device —such as <code class="computeroutput">eth0</code> —to use a static IP address (DHCP does not work with aliases), go to the <span class="guilabel"><strong>Devices</strong></span> tab and click <span class="guibutton"><strong>New</strong></span>. Select the Ethernet card to configure with an alias, set the static IP address for the alias, and click <span class="guibutton"><strong>Apply</strong></span> to create it. Since a device already exists for the Ethernet card, the one just created is the alias, such as <code class="computeroutput">eth0:1</code>.
		</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
				If you are configuring an Ethernet device to have an alias, neither the device nor the alias can be configured to use DHCP. You must configure the IP addresses manually.
			</div></div></div><div class="para">
			<a class="xref" href="#fig-network-aliases">Figure 16.22, “Network Device Alias Example”</a> shows an example of one alias for the <code class="computeroutput">eth0</code> device. Notice the <code class="computeroutput">eth0:1</code> device — the first alias for <code class="computeroutput">eth0</code>. The second alias for <code class="computeroutput">eth0</code> would have the device name <code class="computeroutput">eth0:2</code>, and so on. To modify the settings for the device alias, such as whether to activate it at boot time and the alias number, select it from the list and click the <span class="guibutton"><strong>Edit</strong></span> button.
		</div><div class="figure" id="fig-network-aliases"><div class="figure-contents"><div class="mediaobject"><img src="images/neat-aliases.png" alt="Network Device Alias Example" /><div class="longdesc"><div class="para">
						Network Alias Example
					</div></div></div></div><h6>Figure 16.22. Network Device Alias Example</h6></div><br class="figure-break" /><div class="para">
			Select the alias and click the <span class="guibutton"><strong>Activate</strong></span> button to activate the alias. If you have configured multiple profiles, select which profiles in which to include it.
		</div><div class="para">
			To verify that the alias has been activated, use the command <code class="command">/sbin/ifconfig</code>. The output should show the device and the device alias with different IP addresses:
		</div><pre class="screen">eth0      Link encap:Ethernet
	HWaddr 00:A0:CC:60:B7:G4
	inet addr:192.168.100.5  Bcast:192.168.100.255  Mask:255.255.255.0
	UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
	RX packets:161930 errors:1 dropped:0 overruns:0 frame:0
	TX packets:244570 errors:0 dropped:0 overruns:0 carrier:0
	collisions:475 txqueuelen:100
	RX bytes:55075551 (52.5 Mb)  TX bytes:178108895 (169.8 Mb)
	Interrupt:10 Base address:0x9000  eth0:1    Link encap:Ethernet  HWaddr 00:A0:CC:60:B7:G4
	inet addr:192.168.100.42  Bcast:192.168.100.255  Mask:255.255.255.0
	UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
	Interrupt:10 Base address:0x9000  lo
	Link encap:Local Loopback
	inet addr:127.0.0.1  Mask:255.0.0.0
	UP LOOPBACK RUNNING  MTU:16436  Metric:1
	RX packets:5998 errors:0 dropped:0 overruns:0 frame:0
	TX packets:5998 errors:0 dropped:0 overruns:0 carrier:0
	collisions:0 txqueuelen:0
	RX bytes:1627579 (1.5 Mb)  TX bytes:1627579 (1.5 Mb)</pre></div><div class="section" id="s1-network-save-config"><div class="titlepage"><div><div><h2 class="title" id="s1-network-save-config">16.12. Saving and Restoring the Network Configuration</h2></div></div></div><a id="id1001576" class="indexterm"></a><a id="id1001591" class="indexterm"></a><a id="id1001605" class="indexterm"></a><div class="para">
			The command line version of <span class="application"><strong>Network Administration Tool</strong></span> can be used to save the system's network configuration to a file. This file can then be used to restore the network settings to a Red Hat Enterprise Linux system.
		</div><div class="para">
			This feature can be used as part of an automated backup script, to save the configuration before upgrading or reinstalling, or to copy the configuration to a different Red Hat Enterprise Linux system.
		</div><div class="para">
			To save, or <em class="firstterm">export</em>, the network configuration of a system to the file <code class="filename">/tmp/network-config</code>, execute the following command as root:
		</div><pre class="screen"><code class="command">system-config-network-cmd -e &gt; /tmp/network-config</code></pre><div class="para">
			To restore, or <em class="firstterm">import</em>, the network configuration from the file created from the previous command, execute the following command as root:
		</div><pre class="screen"><code class="command">system-config-network-cmd -i -c -f /tmp/network-config</code></pre><div class="para">
			The <code class="option">-i</code> option means to import the data, the <code class="option">-c</code> option means to clear the existing configuration prior to importing, and the <code class="option">-f</code> option specifies that the file to import is as follows.
		</div></div></div><div xml:lang="en-US" class="chapter" id="ch-services" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 17. Controlling Access to Services</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-services-runlevels">17.1. Runlevels</a></span></dt><dt><span class="section"><a href="#s1-services-tcp-wrappers">17.2. TCP Wrappers</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-services-xinetd">17.2.1. <code class="command">xinetd</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-services-serviceconf">17.3. <span class="application"><strong>Services Configuration Tool</strong></span></a></span></dt><dt><span class="section"><a href="#s1-services-ntsysv">17.4. <span class="application"><strong>ntsysv</strong></span></a></span></dt><dt><span class="section"><a href="#s1-services-chkconfig">17.5. <code class="command">chkconfig</code></a></span></dt><dt><span class="section"><a href="#s1-services-additional-resources">17.6. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#services-installed-docs">17.6.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#services-useful-websites">17.6.2. Useful Websites</a></span></dt></dl></dd></dl></div><a id="id775567" class="indexterm"></a><a id="id847171" class="indexterm"></a><div class="para">
		Maintaining security on your system is extremely important, and one approach for this task is to manage access to system services carefully. Your system may need to provide open access to particular services (for example, <code class="command">httpd</code> if you are running a Web server). However, if you do not need to provide a service, you should turn it off to minimize your exposure to possible bug exploits.
	</div><div class="para">
		There are several different methods for managing access to system services. Choose which method of management to use based on the service, your system's configuration, and your level of Linux expertise.
	</div><div class="para">
		The easiest way to deny access to a service is to turn it off. Both the services managed by <code class="command">xinetd</code> and the services in the <code class="filename">/etc/rc.d/init.d</code> hierarchy (also known as SysV services) can be configured to start or stop using three different applications:
	</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"><span class="application"><strong>Services Configuration Tool </strong></span></span></dt><dd><div class="para">
					This is a graphical application that displays a description of each service, displays whether each service is started at boot time (for runlevels 3, 4, and 5), and allows services to be started, stopped, and restarted.
				</div></dd><dt class="varlistentry"><span class="term"><span class="application"><strong>ntsysv</strong></span></span></dt><dd><div class="para">
					This is a text-based application that allows you to configure which services are started at boot time for each runlevel. Non-<code class="command">xinetd</code> services can not be started, stopped, or restarted using this program.
				</div></dd><dt class="varlistentry"><span class="term"><code class="command">chkconfig</code></span></dt><dd><div class="para">
					This is a command line utility that allows you to turn services on and off for the different runlevels. Non-<code class="command">xinetd</code> services can not be started, stopped, or restarted using this utility.
				</div></dd></dl></div><div class="para">
		You may find that these tools are easier to use than the alternatives — editing the numerous symbolic links located in the directories below <code class="filename">/etc/rc.d</code> by hand or editing the <code class="command">xinetd</code> configuration files in <code class="filename">/etc/xinetd.d</code>.
	</div><div class="para">
		Another way to manage access to system services is by using <code class="command">iptables</code> to configure an IP firewall. If you are a new Linux user, note that <code class="command">iptables</code> may not be the best solution for you. Setting up <code class="command">iptables</code> can be complicated, and is best tackled by experienced Linux system administrators.
	</div><div class="para">
		On the other hand, the benefit of using <code class="command">iptables</code> is flexibility. For example, if you need a customized solution which provides certain hosts access to certain services, <code class="command">iptables</code> can provide it for you. Refer to <a class="xref" href="#s1-firewall-ipt">Section 46.8.1, “Netfilter and IPTables”</a> and <a class="xref" href="#s1-fireall-ipt-act">Section 46.8.3, “Using IPTables”</a> for more information about <code class="command">iptables</code>.
	</div><div class="para">
		Alternatively, if you are looking for a utility to set general access rules for your home machine, and/or if you are new to Linux, try the <span class="application"><strong>Security Level Configuration Tool</strong></span> (<code class="command">system-config-securitylevel</code>), which allows you to select the security level for your system, similar to the <span class="guilabel"><strong>Firewall Configuration</strong></span> screen in the installation program.
	</div><div class="para">
		Refer to <a class="xref" href="#ch-fw">Section 46.8, “Firewalls”</a> for more information.
	</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
			When you allow access for new services, always remember that both the firewall and SELinux need to be configured as well. One of the most common mistakes committed when configuring a new service is neglecting to implement the necessary firewall configuration and SELinux policies to allow access for it. Refer to <a class="xref" href="#s1-basic-firewall">Section 46.8.2, “Basic Firewall Configuration”</a> for more information.
		</div></div></div><div class="section" id="s1-services-runlevels"><div class="titlepage"><div><div><h2 class="title" id="s1-services-runlevels">17.1. Runlevels</h2></div></div></div><a id="id870973" class="indexterm"></a><div class="para">
			Before you can configure access to services, you must understand Linux runlevels. A runlevel is a state, or <em class="firstterm">mode</em>, that is defined by the services listed in the directory <code class="filename">/etc/rc.d/rc<em class="replaceable"><code>&lt;x&gt;</code></em>.d</code>, where <em class="replaceable"><code>&lt;x&gt;</code></em> is the number of the runlevel.
		</div><div class="para">
			The following runlevels exist:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					0 — Halt
				</div></li><li class="listitem"><div class="para">
					1 — Single-user mode
				</div></li><li class="listitem"><div class="para">
					2 — Not used (user-definable)
				</div></li><li class="listitem"><div class="para">
					3 — Full multi-user mode
				</div></li><li class="listitem"><div class="para">
					4 — Not used (user-definable)
				</div></li><li class="listitem"><div class="para">
					5 — Full multi-user mode (with an X-based login screen)
				</div></li><li class="listitem"><div class="para">
					6 — Reboot
				</div></li></ul></div><div class="para">
			If you use a text login screen, you are operating in runlevel 3. If you use a graphical login screen, you are operating in runlevel 5.
		</div><div class="para">
			The default runlevel can be changed by modifying the <code class="filename">/etc/inittab</code> file, which contains a line near the top of the file similar to the following:
		</div><pre class="screen">id:5:initdefault:</pre><div class="para">
			Change the number in this line to the desired runlevel. The change does not take effect until you reboot the system.
		</div></div><div class="section" id="s1-services-tcp-wrappers"><div class="titlepage"><div><div><h2 class="title" id="s1-services-tcp-wrappers">17.2. TCP Wrappers</h2></div></div></div><div class="para">
			<a id="id921540" class="indexterm"></a>
			 Many UNIX system administrators are accustomed to using TCP wrappers to manage access to certain network services. Any network services managed by <code class="command">xinetd</code> (as well as any program with built-in support for <code class="command">libwrap</code>) can use TCP wrappers to manage access. <code class="command">xinetd</code> can use the <code class="filename">/etc/hosts.allow</code> and <code class="filename">/etc/hosts.deny</code> files to configure access to system services. As the names imply, <code class="filename">hosts.allow</code> contains a list of rules that allow clients to access the network services controlled by <code class="command">xinetd</code>, and <code class="filename">hosts.deny</code> contains rules to deny access. The <code class="filename">hosts.allow</code> file takes precedence over the <code class="filename">hosts.deny</code> file. Permissions to grant or deny access can be based on individual IP address (or hostnames) or on a pattern of clients. Refer to <code class="filename">hosts_access</code> in section 5 of the man pages (<code class="command">man 5 hosts_access</code>) for details.
		</div><div class="section" id="s2-services-xinetd"><div class="titlepage"><div><div><h3 class="title" id="s2-services-xinetd">17.2.1. <code class="command">xinetd</code></h3></div></div></div><a id="id969332" class="indexterm"></a><a id="id969344" class="indexterm"></a><div class="para">
				To control access to Internet services, use <code class="command">xinetd</code>, which is a secure replacement for <code class="command">inetd</code>. The <code class="command">xinetd</code> daemon conserves system resources, provides access control and logging, and can be used to start special-purpose servers. <code class="command">xinetd</code> can also be used to grant or deny access to particular hosts, provide service access at specific times, limit the rate of incoming connections, limit the load created by connections, and more.
			</div><div class="para">
				<code class="command">xinetd</code> runs constantly and listens on all ports for the services it manages. When a connection request arrives for one of its managed services, <code class="command">xinetd</code> starts up the appropriate server for that service.
			</div><div class="para">
				The configuration file for <code class="command">xinetd</code> is <code class="filename">/etc/xinetd.conf</code>, but the file only contains a few defaults and an instruction to include the <code class="filename">/etc/xinetd.d</code> directory. To enable or disable an <code class="command">xinetd</code> service, edit its configuration file in the <code class="filename">/etc/xinetd.d</code> directory. If the <code class="computeroutput">disable</code> attribute is set to <strong class="userinput"><code>yes</code></strong>, the service is disabled. If the <code class="computeroutput">disable</code> attribute is set to <strong class="userinput"><code>no</code></strong>, the service is enabled. You can edit any of the <code class="command">xinetd</code> configuration files or change its enabled status using the <span class="application"><strong>Services Configuration Tool</strong></span>, <span class="application"><strong>ntsysv</strong></span>, or <code class="command">chkconfig</code>. For a list of network services controlled by <code class="command">xinetd</code>, review the contents of the <code class="filename">/etc/xinetd.d</code> directory with the command <code class="command">ls /etc/xinetd.d</code>.
			</div></div></div><div class="section" id="s1-services-serviceconf"><div class="titlepage"><div><div><h2 class="title" id="s1-services-serviceconf">17.3. <span class="application"><strong>Services Configuration Tool</strong></span></h2></div></div></div><a id="id780842" class="indexterm"></a><div class="para">
			The <span class="application"><strong>Services Configuration Tool</strong></span> is a graphical application developed by Red Hat to configure which SysV services in the <code class="filename">/etc/rc.d/init.d</code> directory are started at boot time (for runlevels 3, 4, and 5) and which <code class="command">xinetd</code> services are enabled. It also allows you to start, stop, and restart SysV services as well as  reload <code class="command">xinetd</code>.
		</div><div class="para">
			To start the <span class="application"><strong>Services Configuration Tool</strong></span> from the desktop, go to the Applications (the main menu on the panel) &gt; <span class="guimenu"><strong>System Settings</strong></span> &gt; <span class="guimenu"><strong>Server Settings</strong></span> &gt; <span class="guimenuitem"><strong>Services</strong></span> or type the command <code class="command">system-config-services</code> at a shell prompt (for example, in an <span class="application"><strong>XTerm</strong></span> or a <span class="application"><strong>GNOME terminal</strong></span>).
		</div><div class="figure" id="fig-serviceconf"><div class="figure-contents"><div class="mediaobject"><img src="images/serviceconf.png" width="444" alt="Services Configuration Tool" /><div class="longdesc"><div class="para">
						Configuring network services
					</div></div></div></div><h6>Figure 17.1. <span class="application">Services Configuration Tool</span></h6></div><br class="figure-break" /><div class="para">
			The <span class="application"><strong>Services Configuration Tool</strong></span> displays the current runlevel as well as the runlevel you are currently editing. To edit a different runlevel, select <span class="guimenu"><strong>Edit Runlevel</strong></span> from the pulldown menu and select runlevel 3, 4, or 5. Refer to <a class="xref" href="#s1-services-runlevels">Section 17.1, “Runlevels”</a> for a description of runlevels.
		</div><div class="para">
			The <span class="application"><strong>Services Configuration Tool</strong></span> lists the services from the <code class="filename">/etc/rc.d/init.d</code> directory as well as the services controlled by <code class="command">xinetd</code>. Click on the name of the service from the list on the left-hand side of the application to display a brief description of that service as well as the status of the service. If the service is not an <code class="command">xinetd</code> service, the status window shows whether the service is currently running. If the service is controlled by <code class="command">xinetd</code>, the status window displays the phrase <span class="guilabel"><strong>xinetd service</strong></span>.
		</div><div class="para">
			To start, stop, or restart a service immediately, select the service from the list and click the appropriate button on the toolbar (or choose the action from the <span class="guimenu"><strong>Actions</strong></span> pulldown menu). If the service is an <code class="command">xinetd</code> service, the action buttons are disabled because they cannot be started or stopped individually.
		</div><div class="para">
			If you enable/disable an <code class="command">xinetd</code> service by checking or unchecking the checkbox next to the service name, you must select <span class="guimenu"><strong>File</strong></span> &gt; <span class="guimenuitem"><strong>Save Changes</strong></span> from the pulldown menu (or the <span class="guimenuitem"><strong>Save</strong></span> button above the tabs) to reload <code class="command">xinetd</code> and immediately enable/disable the <code class="command">xinetd</code> service that you changed. <code class="command">xinetd</code> is also configured to remember the setting. You can enable/disable multiple <code class="command">xinetd</code> services at a time and save the changes when you are finished.
		</div><div class="para">
			For example, assume you check <code class="command">rsync</code> to enable it in runlevel 3 and then save the changes. The <code class="command">rsync</code> service is immediately enabled. The next time <code class="command">xinetd</code> is started, <code class="command">rsync</code> is still enabled.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				When you save changes to <code class="command">xinetd</code> services, <code class="command">xinetd</code> is reloaded, and the changes take place immediately. When you save changes to other services, the runlevel is reconfigured, but the changes do not take effect immediately.
			</div></div></div><div class="para">
			To enable a non-<code class="command">xinetd</code> service to start at boot time for the currently selected runlevel, check the box beside the name of the service in the list. After configuring the runlevel, apply the changes by selecting <span class="guimenu"><strong>File</strong></span> &gt; <span class="guimenuitem"><strong>Save Changes</strong></span> from the pulldown menu. The runlevel configuration is changed, but the runlevel is not restarted; thus, the changes do not take place immediately.
		</div><div class="para">
			For example, assume you are configuring runlevel 3. If you change the value for the <code class="command">httpd</code> service from checked to unchecked and then select <span class="guimenuitem"><strong>Save Changes</strong></span>, the runlevel 3 configuration changes so that <code class="command">httpd</code> is not started at boot time. However, runlevel 3 is not reinitialized, so <code class="command">httpd</code> is still running. Select one of following options at this point:
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					Stop the <code class="command">httpd</code> service — Stop the service by selecting it from the list and clicking the <span class="guibutton"><strong>Stop</strong></span> button. A message appears stating that the service was stopped successfully.
				</div></li><li class="listitem"><div class="para">
					Reinitialize the runlevel — Reinitialize the runlevel by going to a shell prompt and typing the command <code class="command">telinit <em class="replaceable"><code>x</code></em></code> (where <em class="replaceable"><code>x</code></em> is the runlevel number; in this example, 3.). This option is recommended if you change the <span class="guilabel"><strong>Start at Boot</strong></span> value of multiple services and want to activate the changes immediately.
				</div></li><li class="listitem"><div class="para">
					Do nothing else — You do not have to stop the <code class="command">httpd</code> service. You can wait until the system is rebooted for the service to stop. The next time the system is booted, the runlevel is initialized without the <code class="command">httpd</code> service running.
				</div></li></ol></div><div class="para">
			To add a service to a runlevel, select the runlevel from the <span class="guimenu"><strong>Edit Runlevel</strong></span> pulldown menu, and then select <span class="guimenu"><strong>Actions</strong></span> &gt; <span class="guimenuitem"><strong>Add Service</strong></span>. To delete a service from a runlevel, select the runlevel from the <span class="guimenu"><strong>Edit Runlevel</strong></span> pulldown menu, select the service to be deleted from the list on the left, and select <span class="guimenu"><strong>Actions</strong></span> &gt; <span class="guimenuitem"><strong>Delete Service</strong></span>.
		</div></div><div class="section" id="s1-services-ntsysv"><div class="titlepage"><div><div><h2 class="title" id="s1-services-ntsysv">17.4. <span class="application"><strong>ntsysv</strong></span></h2></div></div></div><a id="id879854" class="indexterm"></a><div class="para">
			The <span class="application"><strong>ntsysv</strong></span> utility provides a simple interface for activating or deactivating services. You can use <span class="application"><strong>ntsysv</strong></span> to turn an <code class="command">xinetd</code>-managed service on or off. You can also use <span class="application"><strong>ntsysv</strong></span> to configure runlevels. By default, only the current runlevel is configured. To configure a different runlevel, specify one or more runlevels with the <code class="option">--level</code> option. For example, the command <code class="command">ntsysv --level 345</code> configures runlevels 3, 4, and 5.
		</div><div class="para">
			The <span class="application"><strong>ntsysv</strong></span> interface works like the text mode installation program. Use the up and down arrows to navigate up and down the list. The space bar selects/unselects services and is also used to "press" the <span class="guilabel"><strong>Ok</strong></span> and <span class="guilabel"><strong>Cancel</strong></span> buttons. To move between the list of services and the <span class="guilabel"><strong>Ok</strong></span> and <span class="guilabel"><strong>Cancel</strong></span> buttons, use the <span class="keycap"><strong>Tab</strong></span> key. An asterisk (<span class="guilabel"><strong>*</strong></span>) signifies that a service is set to on. Pressing the <span class="keycap"><strong>F1</strong></span> key displays a short description of the selected service.
		</div><div class="figure" id="fig-ntsysv"><div class="figure-contents"><div class="mediaobject"><img src="images/ntsysv.png" alt="The ntsysv utility" /><div class="longdesc"><div class="para">
						The <span class="application"><strong>ntsysv</strong></span> utility
					</div></div></div></div><h6>Figure 17.2. The <span class="application">ntsysv</span> utility</h6></div><br class="figure-break" /><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
				Services managed by <code class="command">xinetd</code> are immediately affected by <span class="application"><strong>ntsysv</strong></span>. For all other services, changes do not take effect immediately. You must stop or start the individual service with the command <code class="command">service <em class="replaceable"><code>&lt;daemon&gt;</code></em> stop</code> (where <em class="replaceable"><code>&lt;daemon&gt;</code></em> is the name of the service you want to stop; for example, <code class="command">httpd</code>). Replace <code class="command">stop</code> with <code class="command">start</code> or <code class="command">restart</code> to start or restart the service.
			</div></div></div></div><div class="section" id="s1-services-chkconfig"><div class="titlepage"><div><div><h2 class="title" id="s1-services-chkconfig">17.5. <code class="command">chkconfig</code></h2></div></div></div><a id="id880035" class="indexterm"></a><div class="para">
			The <code class="command">chkconfig</code> command can also be used to activate and deactivate services. The <code class="command">chkconfig --list</code> command displays a list of system services and whether they are started (<code class="command">on</code>) or stopped (<code class="command">off</code>) in runlevels 0-6. At the end of the list is a section for the services managed by <code class="command">xinetd</code>.
		</div><div class="para">
			If the <code class="command">chkconfig --list</code> command is used to query a service managed by <code class="command">xinetd</code>, it displays whether the <code class="command">xinetd</code> service is enabled (<code class="command">on</code>) or disabled (<code class="command">off</code>). For example, the command <code class="command">chkconfig --list rsync</code> returns the following output:
		</div><pre class="screen">rsync          on</pre><div class="para">
			As shown, <code class="command">rsync</code> is enabled as an <code class="command">xinetd</code> service. If <code class="command">xinetd</code> is running, <code class="command">rsync</code> is enabled.
		</div><div class="para">
			If you use <code class="command">chkconfig --list</code> to query a service in <code class="filename">/etc/rc.d</code>, that service's settings for each runlevel are displayed. For example, the command <code class="command">chkconfig --list httpd</code> returns the following output:
		</div><pre class="screen">httpd         0:off   1:off   2:on    3:on    4:on    5:on    6:off</pre><div class="para">
			<code class="command">chkconfig</code> can also be used to configure a service to be started (or not) in a specific runlevel. For example, to turn <code class="command">nscd</code> off in runlevels 3, 4, and 5, use the following command:
		</div><pre class="screen"><code class="command">chkconfig --level 345 nscd off</code></pre><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
				Services managed by <code class="command">xinetd</code> are immediately affected by <code class="command">chkconfig</code>. For example, if <code class="command">xinetd</code> is running while <code class="command">rsync</code> is disabled, and the command <code class="command">chkconfig rsync on</code> is executed, then <code class="command">rsync</code> is immediately enabled without having to restart <code class="command">xinetd</code> manually. Changes for other services do not take effect immediately after using <code class="command">chkconfig</code>. You must stop or start the individual service with the command <code class="command">service <em class="replaceable"><code>&lt;daemon&gt;</code></em> stop</code> (where <em class="replaceable"><code>&lt;daemon&gt;</code></em> is the name of the service you want to stop; for example, <code class="command">httpd</code>). Replace <code class="command">stop</code> with <code class="command">start</code> or <code class="command">restart</code> to start or restart the service.
			</div></div></div></div><div class="section" id="s1-services-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-services-additional-resources">17.6. Additional Resources</h2></div></div></div><div class="para">
			For more information, refer to the following resources.
		</div><div class="section" id="services-installed-docs"><div class="titlepage"><div><div><h3 class="title" id="services-installed-docs">17.6.1. Installed Documentation</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						The man pages for <code class="command">ntsysv</code>, <code class="command">chkconfig</code>, <code class="command">xinetd</code>, and <code class="filename">xinetd.conf</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">man 5 hosts_access</code> — The man page for the format of host access control files (in section 5 of the man pages).
					</div></li></ul></div></div><div class="section" id="services-useful-websites"><div class="titlepage"><div><div><h3 class="title" id="services-useful-websites">17.6.2. Useful Websites</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://www.xinetd.org">http://www.xinetd.org</a> — The <code class="command">xinetd</code> webpage. It contains sample configuration files and a more detailed list of features.
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-bind" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 18. Berkeley Internet Name Domain (BIND)</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-bind-introduction">18.1. Introduction to DNS</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-bind-introduction-zones">18.1.1. Nameserver Zones</a></span></dt><dt><span class="section"><a href="#s2-bind-introduction-nameservers">18.1.2. Nameserver Types</a></span></dt><dt><span class="section"><a href="#s2-bind-introduction-bind">18.1.3. BIND as a Nameserver</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-bind-namedconf">18.2.  <code class="filename">/etc/named.conf</code> </a></span></dt><dd><dl><dt><span class="section"><a href="#s2-bind-namedconf-state">18.2.1. Common Statement Types</a></span></dt><dt><span class="section"><a href="#s2-bind-namedconf-state-other">18.2.2. Other Statement Types</a></span></dt><dt><span class="section"><a href="#s2-bind-namedconf-comm">18.2.3. Comment Tags</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-bind-zone">18.3. Zone Files</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-bind-zone-directives">18.3.1. Zone File Directives</a></span></dt><dt><span class="section"><a href="#s3-bind-zone-rr">18.3.2. Zone File Resource Records</a></span></dt><dt><span class="section"><a href="#s2-bind-zone-examples">18.3.3. Example Zone File</a></span></dt><dt><span class="section"><a href="#s2-bind-configuration-zone-reverse">18.3.4. Reverse Name Resolution Zone Files</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-bind-rndc">18.4. Using <code class="command">rndc</code> </a></span></dt><dd><dl><dt><span class="section"><a href="#s2-bind-rndc-configuration-namedconf">18.4.1. Configuring <code class="filename">/etc/named.conf</code> </a></span></dt><dt><span class="section"><a href="#s2-bind-rndc-configuration-rndcconf">18.4.2. Configuring <code class="filename">/etc/rndc.conf</code> </a></span></dt><dt><span class="section"><a href="#s2-bind-rndc-options">18.4.3. Command Line Options</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-bind-features">18.5. Advanced Features of BIND</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-bind-features-protocol">18.5.1. DNS Protocol Enhancements</a></span></dt><dt><span class="section"><a href="#s2-bind-features-views">18.5.2. Multiple Views</a></span></dt><dt><span class="section"><a href="#s2-bind-features-security">18.5.3. Security</a></span></dt><dt><span class="section"><a href="#s2-bind-features-ipv6">18.5.4. IP version 6</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-bind-mistakes">18.6. Common Mistakes to Avoid</a></span></dt><dt><span class="section"><a href="#s1-bind-additional-resources">18.7. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-bind-installed-docs">18.7.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-bind-useful-websites">18.7.2. Useful Websites</a></span></dt><dt><span class="section"><a href="#s2-bind-related-books">18.7.3. Related Books</a></span></dt></dl></dd></dl></div><a id="id860197" class="indexterm"></a><a id="id1044553" class="indexterm"></a><div class="para">
		On most modern networks, including the Internet, users locate other computers by name. This frees users from the daunting task of remembering the numerical network address of network resources. The most effective way to configure a network to allow such name-based connections is to set up a <em class="firstterm">Domain Name Service</em> (<em class="firstterm">DNS</em>) or a <em class="firstterm">nameserver</em>, which resolves hostnames on the network to numerical addresses and vice versa.
	</div><div class="para">
		This chapter reviews the nameserver included in Red Hat Enterprise Linux and the <em class="firstterm">Berkeley Internet Name Domain</em> (<em class="firstterm">BIND</em>) DNS server, with an emphasis on the structure of its configuration files and how it may be administered both locally and remotely.
	</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
			BIND is also known as the service <code class="command">named</code> in Red Hat Enterprise Linux. You can manage it via the Services Configuration Tool (<code class="command">system-config-service</code>).
		</div></div></div><div class="section" id="s1-bind-introduction"><div class="titlepage"><div><div><h2 class="title" id="s1-bind-introduction">18.1. Introduction to DNS</h2></div></div></div><a id="id815354" class="indexterm"></a><a id="id1066646" class="indexterm"></a><a id="id835751" class="indexterm"></a><a id="id1065911" class="indexterm"></a><a id="id816563" class="indexterm"></a><a id="id1065368" class="indexterm"></a><a id="id1065386" class="indexterm"></a><div class="para">
			 DNS associates hostnames with their respective IP addresses, so that when users want to connect to other machines on the network, they can refer to them by name, without having to remember IP addresses.
		</div><div class="para">
			Use of DNS and FQDNs also has advantages for system administrators, allowing the flexibility to change the IP address for a host without affecting name-based queries to the machine. Conversely, administrators can shuffle which machines handle a name-based query.
		</div><div class="para">
			DNS is normally implemented using centralized servers that are authoritative for some domains and refer to other DNS servers for other domains.
		</div><div class="para">
			When a client host requests information from a nameserver, it usually connects to port 53. The nameserver then attempts to resolve the FQDN based on its resolver library, which may contain authoritative information about the host requested or cached data from an earlier query. If the nameserver does not already have the answer in its resolver library, it queries other nameservers, called <em class="firstterm">root nameservers</em>, to determine which nameservers are authoritative for the FQDN in question. Then, with that information, it queries the authoritative nameservers to determine the IP address of the requested host. If a reverse lookup is performed, the same procedure is used, except that the query is made with an unknown IP address rather than a name.
		</div><div class="section" id="s2-bind-introduction-zones"><div class="titlepage"><div><div><h3 class="title" id="s2-bind-introduction-zones">18.1.1. Nameserver Zones</h3></div></div></div><a id="id774931" class="indexterm"></a><div class="para">
				On the Internet, the FQDN of a host can be broken down into different sections. These sections are organized into a hierarchy (much like a tree), with a main trunk, primary branches, secondary branches, and so forth. Consider the following FQDN:
			</div><pre class="screen">bob.sales.example.com</pre><div class="para">
				When looking at how an FQDN is resolved to find the IP address that relates to a particular system, read the name from right to left, with each level of the hierarchy divided by periods (<code class="computeroutput">.</code>). In this example, <code class="computeroutput">com</code> defines the <em class="firstterm">top level domain</em> for this FQDN. The name <code class="computeroutput">example</code> is a sub-domain under <code class="computeroutput">com</code>, while <code class="computeroutput">sales</code> is a sub-domain under <code class="computeroutput">example</code>. The name furthest to the left, <code class="computeroutput">bob</code>, identifies a specific machine hostname.
			</div><div class="para">
				Except for the hostname, each section is called a <em class="firstterm">zone</em>, which defines a specific <em class="firstterm">namespace</em>. A namespace controls the naming of the sub-domains to its left. While this example only contains two sub-domains, an FQDN must contain at least one sub-domain but may include many more, depending upon how the namespace is organized.
			</div><div class="para">
				Zones are defined on authoritative nameservers through the use of <em class="firstterm">zone files</em> (which describe the namespace of that zone), the mail servers to be used for a particular domain or sub-domain, and more. Zone files are stored on <em class="firstterm">primary nameservers</em> (also called <em class="firstterm">master nameservers</em>), which are truly authoritative and where changes are made to the files, and <em class="firstterm">secondary nameservers</em> (also called <em class="firstterm">slave nameservers</em>), which receive their zone files from the primary nameservers. Any nameserver can be a primary and secondary nameserver for different zones at the same time, and they may also be considered authoritative for multiple zones. It all depends on how the nameserver is configured.
			</div></div><div class="section" id="s2-bind-introduction-nameservers"><div class="titlepage"><div><div><h3 class="title" id="s2-bind-introduction-nameservers">18.1.2. Nameserver Types</h3></div></div></div><a id="id811114" class="indexterm"></a><a id="id811132" class="indexterm"></a><a id="id969084" class="indexterm"></a><a id="id969101" class="indexterm"></a><a id="id969119" class="indexterm"></a><a id="id969132" class="indexterm"></a><a id="id969146" class="indexterm"></a><a id="id969160" class="indexterm"></a><div class="para">
				There are four primary nameserver configuration types:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">master</span></dt><dd><div class="para">
							Stores original and authoritative zone records for a namespace, and answers queries about the namespace from other nameservers.
						</div></dd><dt class="varlistentry"><span class="term">slave</span></dt><dd><div class="para">
							Answers queries from other nameservers concerning namespaces for which it is considered an authority. However, slave nameservers get their namespace information from master nameservers.
						</div></dd><dt class="varlistentry"><span class="term">caching-only</span></dt><dd><div class="para">
							Offers name-to-IP resolution services, but is not authoritative for any zones. Answers for all resolutions are cached in memory for a fixed period of time, which is specified by the retrieved zone record.
						</div></dd><dt class="varlistentry"><span class="term">forwarding</span></dt><dd><div class="para">
							Forwards requests to a specific list of nameservers for name resolution. If none of the specified nameservers can perform the resolution, the resolution fails.
						</div></dd></dl></div><div class="para">
				A nameserver may be one or more of these types. For example, a nameserver can be a master for some zones, a slave for others, and only offer forwarding resolutions for others.
			</div></div><div class="section" id="s2-bind-introduction-bind"><div class="titlepage"><div><div><h3 class="title" id="s2-bind-introduction-bind">18.1.3. BIND as a Nameserver</h3></div></div></div><a id="id982365" class="indexterm"></a><a id="id982383" class="indexterm"></a><a id="id982400" class="indexterm"></a><a id="id982422" class="indexterm"></a><a id="id818738" class="indexterm"></a><div class="para">
				BIND performs name resolution services through the <code class="command">/usr/sbin/named</code> daemon. BIND also includes an administration utility called <code class="command">/usr/sbin/rndc</code>. More information about <code class="command">rndc</code> can be found in <a class="xref" href="#s1-bind-rndc">Section 18.4, “Using <code class="command">rndc</code> ”</a>.
			</div><div class="para">
				BIND stores its configuration files in the following locations:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="filename">/etc/named.conf</code> </span></dt><dd><div class="para">
							The configuration file for the <code class="command">named</code> daemon
						</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">/var/named/</code> directory</span></dt><dd><div class="para">
							The <code class="command">named</code> working directory which stores zone, statistic, and cache files
						</div></dd></dl></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					If you have installed the <code class="filename">bind-chroot</code> package, the BIND service will run in the <code class="command">/var/named/chroot</code> environment. All configuration files will be moved there. As such, <code class="filename">named.conf</code> will be located in <code class="filename">/var/named/chroot/etc/named.conf</code>, and so on.
				</div></div></div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
					If you have installed the <code class="filename">caching-nameserver</code> package, the default configuration file is <code class="filename">/etc/named.caching-nameserver.conf</code>. To override this default configuration, you can create your own custom configuration file in <code class="filename">/etc/named.conf</code>. BIND will use the <code class="filename">/etc/named.conf</code> custom file instead of the default configuration file after you restart.
				</div></div></div><div class="para">
				The next few sections review the BIND configuration files in more detail.
			</div></div></div><div class="section" id="s1-bind-namedconf"><div class="titlepage"><div><div><h2 class="title" id="s1-bind-namedconf">18.2.  <code class="filename">/etc/named.conf</code> </h2></div></div></div><a id="id981082" class="indexterm"></a><a id="id981100" class="indexterm"></a><a id="id981117" class="indexterm"></a><div class="para">
			The <code class="filename">named.conf</code> file is a collection of statements using nested options surrounded by opening and closing ellipse characters, <code class="command">{ }</code>. Administrators must be careful when editing <code class="filename">named.conf</code> to avoid syntax errors as many seemingly minor errors prevent the <code class="command">named</code> service from starting.
		</div><div class="para">
			A typical <code class="filename">named.conf</code> file is organized similar to the following example:
		</div><pre class="screen"><em class="replaceable"><code>&lt;statement-1&gt;</code></em> ["<em class="replaceable"><code>&lt;statement-1-name&gt;</code></em>"] [<em class="replaceable"><code>&lt;statement-1-class&gt;</code></em>] {
	<em class="replaceable"><code>&lt;option-1&gt;</code></em>;
	<em class="replaceable"><code>&lt;option-2&gt;</code></em>;
	<em class="replaceable"><code>&lt;option-N&gt;</code></em>;
};
<em class="replaceable"><code>&lt;statement-2&gt;</code></em> ["<em class="replaceable"><code>&lt;statement-2-name&gt;</code></em>"] [<em class="replaceable"><code>&lt;statement-2-class&gt;</code></em>] {
	<em class="replaceable"><code>&lt;option-1&gt;</code></em>;
	<em class="replaceable"><code>&lt;option-2&gt;</code></em>;
	<em class="replaceable"><code>&lt;option-N&gt;</code></em>;
};
<em class="replaceable"><code>&lt;statement-N&gt;</code></em> ["<em class="replaceable"><code>&lt;statement-N-name&gt;</code></em>"] [<em class="replaceable"><code>&lt;statement-N-class&gt;</code></em>] {
	<em class="replaceable"><code>&lt;option-1&gt;</code></em>;
	<em class="replaceable"><code>&lt;option-2&gt;</code></em>;
	<em class="replaceable"><code>&lt;option-N&gt;</code></em>;
};</pre><div class="section" id="s2-bind-namedconf-state"><div class="titlepage"><div><div><h3 class="title" id="s2-bind-namedconf-state">18.2.1. Common Statement Types</h3></div></div></div><div class="para">
				The following types of statements are commonly used in <code class="filename">/etc/named.conf</code>:
			</div><div class="section" id="s3-bind-namedconf-state-acl"><div class="titlepage"><div><div><h4 class="title" id="s3-bind-namedconf-state-acl">18.2.1.1.  <code class="command">acl</code> Statement</h4></div></div></div><div class="para">
					The <code class="command">acl</code> statement (or access control statement) defines groups of hosts which can then be permitted or denied access to the nameserver.
				</div><div class="para">
					An <code class="command">acl</code> statement takes the following form:
				</div><pre class="screen">acl <em class="replaceable"><code>&lt;acl-name&gt;</code></em> {
	<em class="replaceable"><code>&lt;match-element&gt;</code></em>;
	[<em class="replaceable"><code>&lt;match-element&gt;</code></em>; ...]
};</pre><div class="para">
					In this statement, replace <em class="replaceable"><code>&lt;acl-name&gt;</code></em> with the name of the access control list and replace <em class="replaceable"><code>&lt;match-element&gt;</code></em> with a semi-colon separated list of IP addresses. Most of the time, an individual IP address or IP network notation (such as <code class="command">10.0.1.0/24</code>) is used to identify the IP addresses within the <code class="command">acl</code> statement.
				</div><div class="para">
					The following access control lists are already defined as keywords to simplify configuration:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">any</code> — Matches every IP address
						</div></li><li class="listitem"><div class="para">
							<code class="command">localhost</code> — Matches any IP address in use by the local system
						</div></li><li class="listitem"><div class="para">
							<code class="command">localnets</code> — Matches any IP address on any network to which the local system is connected
						</div></li><li class="listitem"><div class="para">
							<code class="command">none</code> — Matches no IP addresses
						</div></li></ul></div><div class="para">
					When used in conjunction with other statements (such as the <code class="command">options</code> statement), <code class="command">acl</code> statements can be very useful in preventing the misuse of a BIND nameserver.
				</div><div class="para">
					The following example defines two access control lists and uses an <code class="command">options</code> statement to define how they are treated by the nameserver:
				</div><pre class="screen">acl black-hats {
	10.0.2.0/24;
	192.168.0.0/24;
};
acl red-hats {
	10.0.1.0/24;
};
options {
	blackhole { black-hats; };
	allow-query { red-hats; };
	allow-recursion { red-hats; };
};</pre><div class="para">
					This example contains two access control lists, <code class="command">black-hats</code> and <code class="command">red-hats</code>. Hosts in the <code class="command">black-hats</code> list are denied access to the nameserver, while hosts in the <code class="command">red-hats</code> list are given normal access.
				</div></div><div class="section" id="s3-bind-namedconf-state-inc"><div class="titlepage"><div><div><h4 class="title" id="s3-bind-namedconf-state-inc">18.2.1.2.  <code class="command">include</code> Statement</h4></div></div></div><div class="para">
					The <code class="command">include</code> statement allows files to be included in a <code class="filename">named.conf</code> file. In this way, sensitive configuration data (such as <code class="command">keys</code>) can be placed in a separate file with restrictive permissions.
				</div><div class="para">
					An <code class="command">include</code> statement takes the following form:
				</div><pre class="screen">include "<em class="replaceable"><code>&lt;file-name&gt;</code></em>"</pre><div class="para">
					In this statement, <em class="replaceable"><code>&lt;file-name&gt;</code></em> is replaced with an absolute path to a file.
				</div></div><div class="section" id="s3-bind-namedconf-state-opt"><div class="titlepage"><div><div><h4 class="title" id="s3-bind-namedconf-state-opt">18.2.1.3.  <code class="command">options</code> Statement</h4></div></div></div><div class="para">
					The <code class="command">options</code> statement defines global server configuration options and sets defaults for other statements. It can be used to specify the location of the <code class="command">named</code> working directory, the types of queries allowed, and much more.
				</div><div class="para">
					The <code class="command">options</code> statement takes the following form:
				</div><pre class="screen">options {
	<em class="replaceable"><code>&lt;option&gt;</code></em>;
	[<em class="replaceable"><code>&lt;option&gt;</code></em>; ...]
};</pre><div class="para">
					In this statement, the <em class="replaceable"><code>&lt;option&gt;</code></em> directives are replaced with a valid option.
				</div><div class="para">
					The following are commonly used options:
				</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="command">allow-query</code> </span></dt><dd><div class="para">
								Specifies which hosts are allowed to query this nameserver. By default, all hosts are allowed to query. An access control list, or collection of IP addresses or networks, may be used here to allow only particular hosts to query the nameserver.
							</div></dd><dt class="varlistentry"><span class="term"> <code class="command">allow-recursion</code> </span></dt><dd><div class="para">
								Similar to <code class="command">allow-query</code>, this option applies to recursive queries. By default, all hosts are allowed to perform recursive queries on the nameserver.
							</div></dd><dt class="varlistentry"><span class="term"> <code class="command">blackhole </code> </span></dt><dd><div class="para">
								Specifies which hosts are not allowed to query the server.
							</div></dd><dt class="varlistentry"><span class="term"> <code class="command">directory</code> </span></dt><dd><div class="para">
								Specifies the <code class="command">named</code> working directory if different from the default value, <code class="filename">/var/named/</code>.
							</div></dd><dt class="varlistentry"><span class="term"> <code class="command">forwarders</code> </span></dt><dd><div class="para">
								Specifies a list of valid IP addresses for nameservers where requests should be forwarded for resolution.
							</div></dd><dt class="varlistentry"><span class="term"> <code class="command">forward</code> </span></dt><dd><div class="para">
								Specifies the forwarding behavior of a <code class="command">forwarders</code> directive.
							</div><div class="para">
								The following options are accepted:
							</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
										<code class="command">first</code> — Specifies that the nameservers listed in the <code class="command">forwarders</code> directive be queried before <code class="command">named</code> attempts to resolve the name itself.
									</div></li><li class="listitem"><div class="para">
										<code class="command">only</code> — Specifies that <code class="command">named</code> does not attempt name resolution itself in the event that queries to nameservers specified in the <code class="command">forwarders</code> directive fail.
									</div></li></ul></div></dd><dt class="varlistentry"><span class="term"> <code class="command">listen-on</code> </span></dt><dd><div class="para">
								Specifies the network interface on which <code class="command">named</code> listens for queries. By default, all interfaces are used.
							</div><div class="para">
								Using this directive on a DNS server which also acts a gateway, BIND can be configured to only answer queries that originate from one of the networks.
							</div><div class="para">
								The following is an example of a <code class="command">listen-on</code> directive:
							</div><pre class="screen">options {
	listen-on { 10.0.1.1; };
};</pre><div class="para">
								In this example, only requests that arrive from the network interface serving the private network (<code class="command">10.0.1.1</code>) are accepted.
							</div></dd><dt class="varlistentry"><span class="term"> <code class="command">notify</code> </span></dt><dd><div class="para">
								Controls whether <code class="command">named</code> notifies the slave servers when a zone is updated. It accepts the following options:
							</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
										<code class="command">yes</code> — Notifies slave servers.
									</div></li><li class="listitem"><div class="para">
										<code class="command">no</code> — Does not notify slave servers.
									</div></li><li class="listitem"><div class="para">
										<code class="command">explicit</code> — Only notifies slave servers specified in an <code class="command">also-notify</code> list within a zone statement.
									</div></li></ul></div></dd><dt class="varlistentry"><span class="term"> <code class="command">pid-file</code> </span></dt><dd><div class="para">
								Specifies the location of the process ID file created by <code class="command">named</code>.
							</div></dd><dt class="varlistentry"><span class="term"> <code class="command">root-delegation-only</code> </span></dt><dd><div class="para">
								Turns on the enforcement of delegation properties in top-level domains (TLDs) and root zones with an optional exclude list. <em class="firstterm">Delegation</em> is the process of dividing a single zone into multiple subzones. In order to create a delegated zone, items known as <em class="firstterm">NS records</em> are used. NameServer records (delegation records) announce the authoritative nameservers for a particular zone.
							</div><div class="para">
								The following <code class="command">root-delegation-only</code> example specifies an exclude list of TLDs from whom undelegated responses are expected and trusted:
							</div><pre class="screen">options {
	root-delegation-only exclude { "ad"; "ar"; "biz"; "cr"; "cu"; "de"; "dm"; "id";
		"lu"; "lv"; "md"; "ms"; "museum"; "name"; "no"; "pa";
		"pf"; "se"; "sr"; "to"; "tw"; "us"; "uy"; };
};</pre></dd><dt class="varlistentry"><span class="term"> <code class="command">statistics-file</code> </span></dt><dd><div class="para">
								Specifies an alternate location for statistics files. By default, <code class="command">named</code> statistics are saved to the <code class="filename">/var/named/named.stats</code> file.
							</div></dd></dl></div><div class="para">
					 There are several other options also available, many of which rely upon one another to work properly. Refer to the <em class="citetitle">BIND 9 Administrator Reference Manual</em> referenced in <a class="xref" href="#s2-bind-installed-docs">Section 18.7.1, “Installed Documentation”</a> and the <code class="filename">bind.conf</code> man page for more details.
				</div></div><div class="section" id="s3-bind-namedconf-state-zone"><div class="titlepage"><div><div><h4 class="title" id="s3-bind-namedconf-state-zone">18.2.1.4.  <code class="command">zone</code> Statement</h4></div></div></div><div class="para">
					A <code class="command">zone</code> statement defines the characteristics of a zone, such as the location of its configuration file and zone-specific options. This statement can be used to override the global <code class="command">options</code> statements.
				</div><div class="para">
					A <code class="command">zone</code> statement takes the following form:
				</div><pre class="screen">zone <em class="replaceable"><code>&lt;zone-name&gt;</code></em> <em class="replaceable"><code>&lt;zone-class&gt;</code></em> {
	<em class="replaceable"><code>&lt;zone-options&gt;</code></em>;
	[<em class="replaceable"><code>&lt;zone-options&gt;</code></em>; ...]
};</pre><div class="para">
					In this statement, <em class="replaceable"><code>&lt;zone-name&gt;</code></em> is the name of the zone, <em class="replaceable"><code>&lt;zone-class&gt;</code></em> is the optional class of the zone, and <em class="replaceable"><code>&lt;zone-options&gt;</code></em> is a list of options characterizing the zone.
				</div><div class="para">
					The <em class="replaceable"><code>&lt;zone-name&gt;</code></em> attribute for the zone statement is particularly important. It is the default value assigned for the <code class="command">$ORIGIN</code> directive used within the corresponding zone file located in the <code class="filename">/var/named/</code> directory. The <code class="command">named</code> daemon appends the name of the zone to any non-fully qualified domain name listed in the zone file.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						If you have installed the <code class="filename">caching-nameserver</code> package, the default configuration file will be in <code class="filename">/etc/named.rfc1912.zones</code>.
					</div></div></div><div class="para">
					For example, if a <code class="command">zone</code> statement defines the namespace for <code class="command">example.com</code>, use <code class="command">example.com</code> as the <em class="replaceable"><code>&lt;zone-name&gt;</code></em> so it is placed at the end of hostnames within the <code class="command">example.com</code> zone file.
				</div><div class="para">
					For more information about zone files, refer to <a class="xref" href="#s1-bind-zone">Section 18.3, “Zone Files”</a>.
				</div><div class="para">
					The most common <code class="command">zone</code> statement options include the following:
				</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="command">allow-query</code> </span></dt><dd><div class="para">
								Specifies the clients that are allowed to request information about this zone. The default is to allow all query requests.
							</div></dd><dt class="varlistentry"><span class="term"> <code class="command">allow-transfer</code> </span></dt><dd><div class="para">
								Specifies the slave servers that are allowed to request a transfer of the zone's information. The default is to allow all transfer requests.
							</div></dd><dt class="varlistentry"><span class="term"> <code class="command">allow-update</code> </span></dt><dd><div class="para">
								Specifies the hosts that are allowed to dynamically update information in their zone. The default is to deny all dynamic update requests.
							</div><div class="para">
								Be careful when allowing hosts to update information about their zone. Do not enable this option unless the host specified is completely trusted. In general, it is better to have an administrator manually update the records for a zone and reload the <code class="command">named</code> service.
							</div></dd><dt class="varlistentry"><span class="term"> <code class="command">file</code> </span></dt><dd><div class="para">
								Specifies the name of the file in the <code class="command">named</code> working directory that contains the zone's configuration data.
							</div></dd><dt class="varlistentry"><span class="term"> <code class="command">masters</code> </span></dt><dd><div class="para">
								Specifies the IP addresses from which to request authoritative zone information and is used only if the zone is defined as <code class="command">type</code> <code class="command">slave</code>.
							</div></dd><dt class="varlistentry"><span class="term"> <code class="command">notify</code> </span></dt><dd><div class="para">
								Specifies whether or not <code class="command">named</code> notifies the slave servers when a zone is updated. This directive accepts the following options:
							</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
										<code class="command">yes</code> — Notifies slave servers.
									</div></li><li class="listitem"><div class="para">
										<code class="command">no</code> — Does not notify slave servers.
									</div></li><li class="listitem"><div class="para">
										<code class="command">explicit</code> — Only notifies slave servers specified in an <code class="command">also-notify</code> list within a zone statement.
									</div></li></ul></div></dd><dt class="varlistentry"><span class="term"> <code class="command">type</code> </span></dt><dd><div class="para">
								Defines the type of zone.
							</div><div class="para">
								Below is a list of valid options:
							</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
										<code class="command">delegation-only</code> — Enforces the delegation status of infrastructure zones such as COM, NET, or ORG. Any answer that is received without an explicit or implicit delegation is treated as <code class="command">NXDOMAIN</code>. This option is only applicable in TLDs or root zone files used in recursive or caching implementations.
									</div></li><li class="listitem"><div class="para">
										<code class="command">forward</code> — Forwards all requests for information about this zone to other nameservers.
									</div></li><li class="listitem"><div class="para">
										<code class="command">hint</code> — A special type of zone used to point to the root nameservers which resolve queries when a zone is not otherwise known. No configuration beyond the default is necessary with a <code class="command">hint</code> zone.
									</div></li><li class="listitem"><div class="para">
										<code class="command">master</code> — Designates the nameserver as authoritative for this zone. A zone should be set as the <code class="command">master</code> if the zone's configuration files reside on the system.
									</div></li><li class="listitem"><div class="para">
										<code class="command">slave</code> — Designates the nameserver as a slave server for this zone. Also specifies the IP address of the master nameserver for the zone.
									</div></li></ul></div></dd><dt class="varlistentry"><span class="term"> <code class="command">zone-statistics</code> </span></dt><dd><div class="para">
								Configures <code class="command">named</code> to keep statistics concerning this zone, writing them to either the default location (<code class="filename">/var/named/named.stats</code>) or the file listed in the <code class="command">statistics-file</code> option in the <code class="command">server</code> statement. Refer to <a class="xref" href="#s2-bind-namedconf-state-other">Section 18.2.2, “Other Statement Types”</a> for more information about the <code class="command">server</code> statement.
							</div></dd></dl></div></div><div class="section" id="s3-bind-configuration-named-zone"><div class="titlepage"><div><div><h4 class="title" id="s3-bind-configuration-named-zone">18.2.1.5. Sample <code class="command">zone</code> Statements</h4></div></div></div><a id="id958593" class="indexterm"></a><div class="para">
					Most changes to the <code class="filename">/etc/named.conf</code> file of a master or slave nameserver involves adding, modifying, or deleting <code class="command">zone</code> statements. While these <code class="command">zone</code> statements can contain many options, most nameservers require only a small subset to function efficiently. The following <code class="command">zone</code> statements are very basic examples illustrating a master-slave nameserver relationship.
				</div><div class="para">
					The following is an example of a <code class="command">zone</code> statement for the primary nameserver hosting <code class="command">example.com</code> (<code class="command">192.168.0.1</code>):
				</div><pre class="screen">zone "example.com" IN {
	type master;
	file "example.com.zone";
	allow-update { none; };
};</pre><div class="para">
					In the statement, the zone is identified as <code class="command">example.com</code>, the type is set to <code class="command">master</code>, and the <code class="command">named</code> service is instructed to read the <code class="filename">/var/named/example.com.zone</code> file. It also tells <code class="command">named</code> not to allow any other hosts to update.
				</div><div class="para">
					A slave server's <code class="command">zone</code> statement for <code class="command">example.com</code> is slightly different from the previous example. For a slave server, the type is set to <code class="command">slave</code> and in place of the <code class="command">allow-update</code> line is a directive telling <code class="command">named</code> the IP address of the master server.
				</div><div class="para">
					The following is an example slave server <code class="command">zone</code> statement for <code class="command">example.com</code> zone:
				</div><pre class="screen">zone "example.com" {
	type slave;
	file "example.com.zone";
	masters { 192.168.0.1; };
};</pre><div class="para">
					This <code class="command">zone</code> statement configures <code class="command">named</code> on the slave server to query the master server at the <code class="command">192.168.0.1</code> IP address for information about the <code class="command">example.com</code> zone. The information that the slave server receives from the master server is saved to the <code class="filename">/var/named/example.com.zone</code> file.
				</div></div></div><div class="section" id="s2-bind-namedconf-state-other"><div class="titlepage"><div><div><h3 class="title" id="s2-bind-namedconf-state-other">18.2.2. Other Statement Types</h3></div></div></div><div class="para">
				The following is a list of lesser used statement types available within <code class="filename">named.conf</code>:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="command">controls</code> </span></dt><dd><div class="para">
							Configures various security requirements necessary to use the <code class="command">rndc</code> command to administer the <code class="command">named</code> service.
						</div><div class="para">
							Refer to <a class="xref" href="#s2-bind-rndc-configuration-namedconf">Section 18.4.1, “Configuring <code class="filename">/etc/named.conf</code> ”</a> to learn more about how the <code class="command">controls</code> statement is structured and what options are available.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">key "<em class="replaceable"><code>&lt;key-name&gt;</code></em>"</code> </span></dt><dd><div class="para">
							Defines a particular key by name. Keys are used to authenticate various actions, such as secure updates or the use of the <code class="command">rndc</code> command. Two options are used with <code class="command">key</code>:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="command">algorithm <em class="replaceable"><code>&lt;algorithm-name&gt;</code></em> </code> — The type of algorithm used, such as <code class="command">dsa</code> or <code class="command">hmac-md5</code>.
								</div></li><li class="listitem"><div class="para">
									<code class="command">secret "<em class="replaceable"><code>&lt;key-value&gt;</code></em>"</code> — The encrypted key.
								</div></li></ul></div><div class="para">
							Refer to <a class="xref" href="#s2-bind-rndc-configuration-rndcconf">Section 18.4.2, “Configuring <code class="filename">/etc/rndc.conf</code> ”</a> for instructions on how to write a <code class="command">key</code> statement.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">logging</code> </span></dt><dd><div class="para">
							Allows for the use of multiple types of logs, called <em class="firstterm">channels</em>. By using the <code class="command">channel</code> option within the <code class="command">logging</code> statement, a customized type of log can be constructed — with its own file name (<code class="command">file</code>), size limit (<code class="command">size</code>), versioning (<code class="command">version</code>), and level of importance (<code class="command">severity</code>). Once a customized channel is defined, a <code class="command">category</code> option is used to categorize the channel and begin logging when <code class="command">named</code> is restarted.
						</div><div class="para">
							By default, <code class="command">named</code> logs standard messages to the <code class="command">syslog</code> daemon, which places them in <code class="filename">/var/log/messages</code>. This occurs because several standard channels are built into BIND with various severity levels, such as <code class="command">default_syslog</code> (which handles informational logging messages) and <code class="command">default_debug</code> (which specifically handles debugging messages). A default category, called <code class="command">default</code>, uses the built-in channels to do normal logging without any special configuration.
						</div><div class="para">
							Customizing the logging process can be a very detailed process and is beyond the scope of this chapter. For information on creating custom BIND logs, refer to the <em class="citetitle">BIND 9 Administrator Reference Manual</em> referenced in <a class="xref" href="#s2-bind-installed-docs">Section 18.7.1, “Installed Documentation”</a>.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">server</code> </span></dt><dd><div class="para">
							Specifies options that affect how <code class="command">named</code> should respond to remote nameservers, especially with regard to notifications and zone transfers.
						</div><div class="para">
							The <code class="command">transfer-format</code> option controls whether one resource record is sent with each message (<code class="command">one-answer</code>) or multiple resource records are sent with each message (<code class="command">many-answers</code>). While <code class="command">many-answers</code> is more efficient, only newer BIND nameservers understand it.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">trusted-keys</code> </span></dt><dd><div class="para">
							Contains assorted public keys used for secure DNS (DNSSEC). Refer to <a class="xref" href="#s2-bind-features-security">Section 18.5.3, “Security”</a> for more information concerning BIND security.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">view "<em class="replaceable"><code>&lt;view-name&gt;</code></em>"</code> </span></dt><dd><div class="para">
							Creates special views depending upon which network the host querying the nameserver is on. This allows some hosts to receive one answer regarding a zone while other hosts receive totally different information. Alternatively, certain zones may only be made available to particular trusted hosts while non-trusted hosts can only make queries for other zones.
						</div><div class="para">
							Multiple views may be used, but their names must be unique. The <code class="command">match-clients</code> option specifies the IP addresses that apply to a particular view. Any <code class="command">options</code> statement may also be used within a view, overriding the global options already configured for <code class="command">named</code>. Most <code class="command">view</code> statements contain multiple <code class="command">zone</code> statements that apply to the <code class="command">match-clients</code> list. The order in which <code class="command">view</code> statements are listed is important, as the first <code class="command">view</code> statement that matches a particular client's IP address is used.
						</div><div class="para">
							Refer to <a class="xref" href="#s2-bind-features-views">Section 18.5.2, “Multiple Views”</a> for more information about the <code class="command">view</code> statement.
						</div></dd></dl></div></div><div class="section" id="s2-bind-namedconf-comm"><div class="titlepage"><div><div><h3 class="title" id="s2-bind-namedconf-comm">18.2.3. Comment Tags</h3></div></div></div><div class="para">
				The following is a list of valid comment tags used within <code class="filename">named.conf</code>:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">//</code> — When placed at the beginning of a line, that line is ignored by <code class="command">named</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">#</code> — When placed at the beginning of a line, that line is ignored by <code class="command">named</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">/*</code> and <code class="command">*/</code> — When text is enclosed in these tags, the block of text is ignored by <code class="command">named</code>.
					</div></li></ul></div></div></div><div class="section" id="s1-bind-zone"><div class="titlepage"><div><div><h2 class="title" id="s1-bind-zone">18.3. Zone Files</h2></div></div></div><a id="id1006885" class="indexterm"></a><div class="para">
			<em class="firstterm">Zone files</em> contain information about a namespace and are stored in the <code class="command">named</code> working directory (<code class="filename">/var/named/</code>) by default. Each zone file is named according to the <code class="command">file</code> option data in the <code class="command">zone</code> statement, usually in a way that relates to the domain in question and identifies the file as containing zone data, such as <code class="filename">example.com.zone</code>.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				If you have installed the <code class="filename">bind-chroot</code> package, the BIND service will run in the <code class="command">/var/named/chroot</code> environment. All configuration files will be moved there. As such, you can find the zone files in <code class="filename">/var/named/chroot/var/named</code>.
			</div></div></div><div class="para">
			Each zone file may contain <em class="firstterm">directives</em> and <em class="firstterm">resource records</em>. Directives tell the nameserver to perform tasks or apply special settings to the zone. Resource records define the parameters of the zone and assign identities to individual hosts. Directives are optional, but resource records are required to provide name service to a zone.
		</div><div class="para">
			All directives and resource records should be entered on individual lines.
		</div><div class="para">
			Comments can be placed after semicolon characters (<code class="command">;</code>) in zone files.
		</div><div class="section" id="s2-bind-zone-directives"><div class="titlepage"><div><div><h3 class="title" id="s2-bind-zone-directives">18.3.1. Zone File Directives</h3></div></div></div><a id="id1006989" class="indexterm"></a><div class="para">
				Directives begin with the dollar sign character (<code class="command">$</code>) followed by the name of the directive. They usually appear at the top of the zone file.
			</div><div class="para">
				The following are commonly used directives:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="command">$INCLUDE</code> </span></dt><dd><div class="para">
							Configures <code class="command">named</code> to include another zone file in this zone file at the place where the directive appears. This allows additional zone settings to be stored apart from the main zone file.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">$ORIGIN</code> </span></dt><dd><div class="para">
							Appends the domain name to unqualified records, such as those with the hostname and nothing more.
						</div><div class="para">
							For example, a zone file may contain the following line:
						</div><pre class="screen">
<code class="command">$ORIGIN example.com.</code>
</pre><div class="para">
							Any names used in resource records that do not end in a trailing period (<code class="command">.</code>) are appended with <code class="command">example.com</code>.
						</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
								The use of the <code class="command">$ORIGIN</code> directive is unnecessary if the zone is specified in <code class="filename">/etc/named.conf</code> because the zone name is used as the value for the <code class="command">$ORIGIN</code> directive by default.
							</div></div></div></dd><dt class="varlistentry"><span class="term"> <code class="command">$TTL</code> </span></dt><dd><div class="para">
							Sets the default <em class="firstterm">Time to Live (TTL)</em> value for the zone. This is the length of time, in seconds, that a zone resource record is valid. Each resource record can contain its own TTL value, which overrides this directive.
						</div><div class="para">
							Increasing this value allows remote nameservers to cache the zone information for a longer period of time, reducing the number of queries for the zone and lengthening the amount of time required to proliferate resource record changes.
						</div></dd></dl></div></div><div class="section" id="s3-bind-zone-rr"><div class="titlepage"><div><div><h3 class="title" id="s3-bind-zone-rr">18.3.2. Zone File Resource Records</h3></div></div></div><a id="id1007157" class="indexterm"></a><div class="para">
				The primary component of a zone file is its resource records.
			</div><div class="para">
				There are many types of zone file resource records. The following are used most frequently:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="command">A</code> </span></dt><dd><div class="para">
							This refers to the Address record, which specifies an IP address to assign to a name, as in this example:
						</div><pre class="screen">
<code class="command"><em class="replaceable"><code>&lt;host&gt;</code></em> IN A <em class="replaceable"><code>&lt;IP-address&gt;</code></em> </code>
</pre><div class="para">
							If the <em class="replaceable"><code>&lt;host&gt;</code></em> value is omitted, then an <code class="command">A</code> record points to a default IP address for the top of the namespace. This system is the target for all non-FQDN requests.
						</div><div class="para">
							Consider the following <code class="command">A</code> record examples for the <code class="command">example.com</code> zone file:
						</div><pre class="screen">server1		IN	A	10.0.1.3
		IN	A	10.0.1.5</pre><div class="para">
							Requests for <code class="command">example.com</code> are pointed to 10.0.1.3 or 10.0.1.5.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">CNAME</code> </span></dt><dd><div class="para">
							This refers to the Canonical Name record, which maps one name to another. This type of record  can also be referred to as an <em class="firstterm">alias record</em>.
						</div><div class="para">
							The next example tells <code class="command">named</code> that any requests sent to the <em class="replaceable"><code>&lt;alias-name&gt;</code></em> should point to the host, <em class="replaceable"><code>&lt;real-name&gt;</code></em>. <code class="command">CNAME</code> records are most commonly used to point to services that use a common naming scheme, such as <code class="command">www</code> for Web servers.
						</div><pre class="screen">
<code class="command"><em class="replaceable"><code>&lt;alias-name&gt;</code></em> IN CNAME <em class="replaceable"><code>&lt;real-name&gt;</code></em> </code>
</pre><div class="para">
							In the following example, an <code class="command">A</code> record binds a hostname to an IP address, while a <code class="command">CNAME</code> record points the commonly used <code class="command">www</code> hostname to it.
						</div><pre class="screen">server1		IN	A	10.0.1.5
www		IN	CNAME	server1</pre></dd><dt class="varlistentry"><span class="term"> <code class="command">MX</code> </span></dt><dd><div class="para">
							This refers to the Mail eXchange record, which tells where mail sent to a particular namespace controlled by this zone should go.
						</div><pre class="screen">
<code class="command"> IN MX <em class="replaceable"><code>&lt;preference-value&gt;</code></em> <em class="replaceable"><code>&lt;email-server-name&gt;</code></em> </code>
</pre><div class="para">
							Here, the <em class="replaceable"><code>&lt;preference-value&gt;</code></em> allows numerical ranking of the email servers for a namespace, giving preference to some email systems over others. The <code class="command">MX</code> resource record with the lowest <em class="replaceable"><code>&lt;preference-value&gt;</code></em> is preferred over the others. However, multiple email servers can possess the same value to distribute email traffic evenly among them.
						</div><div class="para">
							The <em class="replaceable"><code>&lt;email-server-name&gt;</code></em> may be a hostname or FQDN.
						</div><pre class="screen">IN     MX     10     mail.example.com.
IN     MX     20     mail2.example.com.</pre><div class="para">
							In this example, the first <code class="command">mail.example.com</code> email server is preferred to the <code class="command">mail2.example.com</code> email server when receiving email destined for the <code class="command">example.com</code> domain.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">NS</code> </span></dt><dd><div class="para">
							This refers to the NameServer record, which announces the authoritative nameservers for a particular zone.
						</div><div class="para">
							The following illustrates the layout of an <code class="command">NS</code> record:
						</div><pre class="screen">
<code class="command"> IN NS <em class="replaceable"><code>&lt;nameserver-name&gt;</code></em> </code>
</pre><div class="para">
							Here, <em class="replaceable"><code>&lt;nameserver-name&gt;</code></em> should be an FQDN.
						</div><div class="para">
							Next, two nameservers are listed as authoritative for the domain. It is not important whether these nameservers are slaves or if one is a master; they are both still considered authoritative.
						</div><pre class="screen">IN     NS     dns1.example.com.
IN     NS     dns2.example.com.</pre></dd><dt class="varlistentry"><span class="term"> <code class="command">PTR</code> </span></dt><dd><div class="para">
							This refers to the PoinTeR record, which is designed to point to another part of the namespace.
						</div><div class="para">
							<code class="command">PTR</code> records are primarily used for reverse name resolution, as they point IP addresses back to a particular name. Refer to <a class="xref" href="#s2-bind-configuration-zone-reverse">Section 18.3.4, “Reverse Name Resolution Zone Files”</a> for more examples of <code class="command">PTR</code> records in use.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="command">SOA</code> </span></dt><dd><div class="para">
							This refers to the Start Of Authority resource record, which proclaims important authoritative information about a namespace to the nameserver.
						</div><div class="para">
							Located after the directives, an <code class="command">SOA</code> resource record is the first resource record in a zone file.
						</div><div class="para">
							The following shows the basic structure of an <code class="command">SOA</code> resource record:
						</div><pre class="screen">@  IN	SOA  <em class="replaceable"><code>&lt;primary-name-server&gt;</code></em>  <em class="replaceable"><code>&lt;hostmaster-email&gt;</code></em> (
	<em class="replaceable"><code>&lt;serial-number&gt;</code></em>
	<em class="replaceable"><code>&lt;time-to-refresh&gt;</code></em>
	<em class="replaceable"><code>&lt;time-to-retry&gt;</code></em>
	<em class="replaceable"><code>&lt;time-to-expire&gt;</code></em>
	<em class="replaceable"><code>&lt;minimum-TTL&gt;</code></em> )</pre><div class="para">
							The <code class="command">@</code> symbol places the <code class="command">$ORIGIN</code> directive (or the zone's name, if the <code class="command">$ORIGIN</code> directive is not set) as the namespace being defined by this <code class="command">SOA</code> resource record. The hostname of the primary nameserver that is authoritative for this domain is the <em class="replaceable"><code>&lt;primary-name-server&gt;</code></em> directive, and the email of the person to contact about this namespace is the <em class="replaceable"><code>&lt;hostmaster-email&gt;</code></em> directive.
						</div><div class="para">
							The <em class="replaceable"><code>&lt;serial-number&gt;</code></em> directive is a numerical value incremented every time the zone file is altered to indicate it is time for <code class="command">named</code> to reload the zone. The <em class="replaceable"><code>&lt;time-to-refresh&gt;</code></em> directive is the numerical value slave servers use to determine how long to wait before asking the master nameserver if any changes have been made to the zone. The <em class="replaceable"><code>&lt;serial-number&gt;</code></em> directive is a numerical value used by the slave servers to determine if it is using outdated zone data and should therefore refresh it.
						</div><div class="para">
							The <em class="replaceable"><code>&lt;time-to-retry&gt;</code></em> directive is a numerical value used by slave servers to determine the length of time to wait before issuing a refresh request in the event that the master nameserver is not answering. If the master has not replied to a refresh request before the amount of time specified in the <em class="replaceable"><code>&lt;time-to-expire&gt;</code></em> directive elapses, the slave servers stop responding as an authority for requests concerning that namespace.
						</div><div class="para">
							In BIND 4 and 8, the <em class="replaceable"><code>&lt;minimum-TTL&gt;</code></em> directive is the amount of time other nameservers cache the zone's information. However, in BIND 9, the <em class="replaceable"><code>&lt;minimum-TTL&gt;</code></em> directive defines how long negative answers are cached for. Caching of negative answers can be set to a maximum of 3 hours (<code class="option">3H</code>).
						</div><div class="para">
							When configuring BIND, all times are specified in seconds. However, it is possible to use abbreviations when specifying units of time other than seconds, such as minutes (<code class="command">M</code>), hours (<code class="command">H</code>), days (<code class="command">D</code>), and weeks (<code class="command">W</code>). The table in <a class="xref" href="#tb-bind-seconds">Table 18.1, “Seconds compared to other time units”</a> shows an amount of time in seconds and the equivalent time in another format.
						</div><div class="table" id="tb-bind-seconds"><h6>Table 18.1. Seconds compared to other time units</h6><div class="table-contents"><table summary="Seconds compared to other time units" border="1"><colgroup><col width="50%" class="seconds" /><col width="50%" class="other" /></colgroup><thead><tr><th>
											Seconds
										</th><th>
											Other Time Units
										</th></tr></thead><tbody><tr><td>
											<code class="command">60</code>
										</td><td>
											<code class="command">1M</code>
										</td></tr><tr><td>
											<code class="command">1800</code>
										</td><td>
											<code class="command">30M</code>
										</td></tr><tr><td>
											<code class="command">3600</code>
										</td><td>
											<code class="command">1H</code>
										</td></tr><tr><td>
											<code class="command">10800</code>
										</td><td>
											<code class="command">3H</code>
										</td></tr><tr><td>
											<code class="command">21600</code>
										</td><td>
											<code class="command">6H</code>
										</td></tr><tr><td>
											<code class="command">43200</code>
										</td><td>
											<code class="command">12H</code>
										</td></tr><tr><td>
											<code class="command">86400</code>
										</td><td>
											<code class="command">1D</code>
										</td></tr><tr><td>
											<code class="command">259200</code>
										</td><td>
											<code class="command">3D</code>
										</td></tr><tr><td>
											<code class="command">604800</code>
										</td><td>
											<code class="command">1W</code>
										</td></tr><tr><td>
											<code class="command">31536000</code>
										</td><td>
											<code class="command">365D</code>
										</td></tr></tbody></table></div></div><br class="table-break" /><div class="para">
							The following example illustrates the form an <code class="command">SOA</code> resource record might take when it is populated with real values.
						</div><pre class="screen">@	IN	SOA	dns1.example.com.	hostmaster.example.com. (
		2001062501 ; serial
		21600      ; refresh after 6 hours
		3600       ; retry after 1 hour
		604800     ; expire after 1 week
		86400 )    ; minimum TTL of 1 day</pre></dd></dl></div></div><div class="section" id="s2-bind-zone-examples"><div class="titlepage"><div><div><h3 class="title" id="s2-bind-zone-examples">18.3.3. Example Zone File</h3></div></div></div><a id="id1007997" class="indexterm"></a><div class="para">
				Seen individually, directives and resource records can be difficult to grasp. However, when placed together in a single file, they become easier to understand.
			</div><div class="para">
				The following example shows a very basic zone file.
			</div><pre class="screen">$ORIGIN example.com.
$TTL 86400
@		IN	SOA	dns1.example.com.	hostmaster.example.com. (
			2001062501 ; serial
			21600      ; refresh after 6 hours
			3600       ; retry after 1 hour
			604800     ; expire after 1 week
			86400 )    ; minimum TTL of 1 day
;
;
		IN	NS	dns1.example.com.
		IN	NS	dns2.example.com.
dns1		IN	A	10.0.1.1
		IN	AAAA	aaaa:bbbb::1
dns2		IN	A	10.0.1.2
		IN	AAAA	aaaa:bbbb::2
;
;
@		IN	MX	10	mail.example.com.
		IN	MX	20	mail2.example.com.
mail		IN	A	10.0.1.5
		IN	AAAA	aaaa:bbbb::5
mail2		IN	A	10.0.1.6
		IN	AAAA	aaaa:bbbb::6
;
;
; This sample zone file illustrates sharing the same IP addresses
; for multiple services:
;
services	IN	A	10.0.1.10
		IN	AAAA	aaaa:bbbb::10
		IN	A	10.0.1.11
		IN	AAAA	aaaa:bbbb::11
ftp		IN	CNAME	services.example.com.
www		IN	CNAME	services.example.com.
;
;</pre><div class="para">
				In this example, standard directives and <code class="command">SOA</code> values are used. The authoritative nameservers are set as <code class="command">dns1.example.com</code> and <code class="command">dns2.example.com</code>, which have <code class="command">A</code> records that tie them to <code class="command">10.0.1.1</code> and <code class="command">10.0.1.2</code>, respectively.
			</div><div class="para">
				The email servers configured with the <code class="command">MX</code> records point to <code class="command">mail</code> and <code class="command">mail2</code> via <code class="command">A</code> records. Since the <code class="command">mail</code> and <code class="command">mail2</code> names do not end in a trailing period (<code class="command">.</code>), the <code class="command">$ORIGIN</code> domain is placed after them, expanding them to <code class="command">mail.example.com</code> and <code class="command">mail2.example.com</code>. Through the related <code class="command">A</code> resource records, their IP addresses can be determined.
			</div><div class="para">
				Services available at the standard names, such as <code class="command">www.example.com</code> (<acronym class="acronym">WWW</acronym>), are pointed at the appropriate servers using a <code class="command">CNAME</code> record.
			</div><div class="para">
				This zone file would be called into service with a <code class="command">zone</code> statement in the <code class="filename">named.conf</code> similar to the following: 
<pre class="screen">
zone "example.com" IN {
	type master;
	file "example.com.zone";
	allow-update { none; };
};
</pre>

</div></div><div class="section" id="s2-bind-configuration-zone-reverse"><div class="titlepage"><div><div><h3 class="title" id="s2-bind-configuration-zone-reverse">18.3.4. Reverse Name Resolution Zone Files</h3></div></div></div><a id="id1008165" class="indexterm"></a><div class="para">
				A reverse name resolution zone file is used to translate an IP address in a particular namespace into an FQDN. It looks very similar to a standard zone file, except that <code class="command">PTR</code> resource records are used to link the IP addresses to a fully qualified domain name.
			</div><div class="para">
				The following illustrates the layout of a <code class="command">PTR</code> record:
			</div><pre class="screen">
<code class="command"><em class="replaceable"><code>&lt;last-IP-digit&gt;</code></em> IN PTR <em class="replaceable"><code>&lt;FQDN-of-system&gt;</code></em> </code>
</pre><div class="para">
				The <em class="replaceable"><code>&lt;last-IP-digit&gt;</code></em> is the last number in an IP address which points to a particular system's FQDN.
			</div><div class="para">
				In the following example, IP addresses <code class="command">10.0.1.1</code> through <code class="command">10.0.1.6</code> are pointed to corresponding FQDNs. It can be located in <code class="filename">/var/named/example.com.rr.zone</code>.
			</div><pre class="screen">$ORIGIN 1.0.10.in-addr.arpa.
$TTL 86400
@	IN	SOA	dns1.example.com.	hostmaster.example.com. (
			2001062501 ; serial
			21600      ; refresh after 6 hours
			3600       ; retry after 1 hour
			604800     ; expire after 1 week
			86400 )    ; minimum TTL of 1 day
;
@	IN	NS	dns1.example.com.
;
1	IN	PTR	dns1.example.com.
2	IN	PTR	dns2.example.com.
;
5	IN	PTR	server1.example.com.
6	IN	PTR	server2.example.com.
;
3	IN	PTR	ftp.example.com.
4	IN	PTR	ftp.example.com.</pre><div class="para">
				This zone file would be called into service with a <code class="command">zone</code> statement in the <code class="filename">named.conf</code> file similar to the following:
			</div><pre class="screen">
zone "1.0.10.in-addr.arpa" IN {
	type master;
	file "example.com.rr.zone";
	allow-update { none; };
};
</pre><div class="para">
				There is very little difference between this example and a standard <code class="command">zone</code> statement, except for the zone name. Note that a reverse name resolution zone requires the first three blocks of the IP address reversed followed by <code class="command">.in-addr.arpa</code>. This allows the single block of IP numbers used in the reverse name resolution zone file to be associated with the zone.
			</div></div></div><div class="section" id="s1-bind-rndc"><div class="titlepage"><div><div><h2 class="title" id="s1-bind-rndc">18.4. Using <code class="command">rndc</code> </h2></div></div></div><a id="id1008301" class="indexterm"></a><div class="para">
			BIND includes a utility called <code class="command">rndc</code> which allows command line administration of the <code class="command">named</code> daemon from the localhost or a remote host.
		</div><div class="para">
			In order to prevent unauthorized access to the <code class="command">named</code> daemon, BIND uses a shared secret key authentication method to grant privileges to hosts. This means an identical key must be present in both <code class="filename">/etc/named.conf</code> and the <code class="command">rndc</code> configuration file, <code class="filename">/etc/rndc.conf</code>.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				If you have installed the <code class="filename">bind-chroot</code> package, the BIND service will run in the <code class="command">/var/named/chroot</code> environment. All configuration files will be moved there. As such, the <code class="filename">rndc.conf</code> file is located in <code class="filename">/var/named/chroot/etc/rndc.conf</code>.
			</div><div class="para">
				Note that since the <code class="command">rndc</code> utility does not run in a <code class="command">chroot</code> environment, <code class="filename">/etc/rndc.conf</code> is a symlink to <code class="filename">/var/named/chroot/etc/rndc.conf</code>.
			</div></div></div><div class="section" id="s2-bind-rndc-configuration-namedconf"><div class="titlepage"><div><div><h3 class="title" id="s2-bind-rndc-configuration-namedconf">18.4.1. Configuring <code class="filename">/etc/named.conf</code> </h3></div></div></div><a id="id1008413" class="indexterm"></a><div class="para">
				In order for <code class="command">rndc</code> to connect to a <code class="command">named</code> service, there must be a <code class="command">controls</code> statement in the BIND server's <code class="filename">/etc/named.conf</code> file.
			</div><div class="para">
				The <code class="command">controls</code> statement, shown in the following example, allows <code class="command">rndc</code> to connect from the localhost.
			</div><pre class="screen">
controls {
	inet 127.0.0.1
		allow { localhost; } keys { <em class="replaceable"><code>&lt;key-name&gt;</code></em>; };
};
</pre><div class="para">
				This statement tells <code class="command">named</code> to listen on the default TCP port 953 of the loopback address and allow <code class="command">rndc</code> commands coming from the localhost, if the proper key is given. The <em class="replaceable"><code>&lt;key-name&gt;</code></em> specifies a name in the <code class="command">key</code> statement within the <code class="filename">/etc/named.conf</code> file. The next example illustrates a sample <code class="command">key</code> statement.
			</div><pre class="screen">
key "<em class="replaceable"><code>&lt;key-name&gt;</code></em>" {
	algorithm hmac-md5;
	secret "<em class="replaceable"><code>&lt;key-value&gt;</code></em>";
};
</pre><div class="para">
				In this case, the <em class="replaceable"><code>&lt;key-value&gt;</code></em> uses the HMAC-MD5 algorithm. Use the following command to generate keys using the HMAC-MD5 algorithm:
			</div><pre class="screen">
<code class="command">dnssec-keygen -a hmac-md5 -b <em class="replaceable"><code>&lt;bit-length&gt;</code></em> -n HOST <em class="replaceable"><code>&lt;key-file-name&gt;</code></em> </code>
</pre><div class="para">
				A key with at least a 256-bit length is a good idea. The actual key that should be placed in the <em class="replaceable"><code>&lt;key-value&gt;</code></em> area can be found in the <code class="filename"><em class="replaceable"><code>&lt;key-file-name&gt;</code></em> </code> file generated by this command.
			</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
					Because <code class="filename">/etc/named.conf</code> is world-readable, it is advisable to place the <code class="command">key</code> statement in a separate file, readable only by root, and then use an <code class="command">include</code> statement to reference it. For example:
				</div><pre class="screen">
<code class="command">include "/etc/rndc.key";</code>
</pre></div></div><div class="section" id="firewall-blocking"><div class="titlepage"><div><div><h4 class="title" id="firewall-blocking">18.4.1.1. Firewall Blocking Communication</h4></div></div></div><div class="para">
					If a firewall is blocking connections from the <code class="command">named</code> daemon to other nameservers, the recommended best practice is to change the firewall settings whenever possible.
				</div><div class="warning" id="warning-Warning-Avoid_Using_Fixed_UDP_Source_Ports"><div class="admonition_header"><h2>Warning: Avoid Using Fixed UDP Source Ports</h2></div><div class="admonition"><div class="para">
						DNS resolvers, that are not configured to perform DNSSEC validation or that need to query DNS zones that are not protected by DNSSEC only, use a 16-bit transaction identifier (TXID) and the destination UDP port number to check whether the DNS reply was sent by the server they queried for DNS data.
					</div><div class="para">
						Previously, BIND always used a fixed UDP source port when sending DNS queries. BIND used either a port configured using the <code class="command">query-source</code> (and <code class="command">query-source-v6</code>) directive, or one randomly chosen at startup. When a static query source port is used, TXID offers insufficient protection against spoofed replies and allows an attacker to efficiently perform <span class="emphasis"><em>cache-poisoning</em></span> attacks. To address this issue, BIND was updated to allow the use of a randomly-selected source port for each DNS query, making it more difficult for an attacker to spoof replies, when the query packets cannot be detected. A security update <sup>[<a id="id950819" href="#ftn.id950819" class="footnote">3</a>]</sup> was released for all the affected Red Hat Enterprise Linux versions. Additionally, the default configuration provided by the <span class="package">caching-nameserver</span> package was updated to no longer specify a fixed query source port.
					</div><div class="para">
						When deploying BIND as a DNS resolver, ensure that BIND is not forced, by the aforementioned configuration directives, to use a fixed query source port. Your firewall configuration must also permit the use of random query source ports. Previously, it was common practice to configure BIND to use port <code class="literal">53</code> as a query source port, and only allow DNS queries from that port on the firewall.
					</div></div></div></div></div><div class="section" id="s2-bind-rndc-configuration-rndcconf"><div class="titlepage"><div><div><h3 class="title" id="s2-bind-rndc-configuration-rndcconf">18.4.2. Configuring <code class="filename">/etc/rndc.conf</code> </h3></div></div></div><a id="id950867" class="indexterm"></a><a id="id950894" class="indexterm"></a><div class="para">
				The <code class="command">key</code> is the most important statement in <code class="filename">/etc/rndc.conf</code>.
			</div><pre class="screen">
key "<em class="replaceable"><code>&lt;key-name&gt;</code></em>" {
	algorithm hmac-md5;
	secret "<em class="replaceable"><code>&lt;key-value&gt;</code></em>";
};
</pre><div class="para">
				The <em class="replaceable"><code>&lt;key-name&gt;</code></em> and <em class="replaceable"><code>&lt;key-value&gt;</code></em> should be exactly the same as their settings in <code class="filename">/etc/named.conf</code>.
			</div><div class="para">
				To match the keys specified in the target server's <code class="filename">/etc/named.conf</code>, add the following lines to <code class="filename">/etc/rndc.conf</code>.
			</div><pre class="screen">
options {
	default-server  localhost;
	default-key     "<em class="replaceable"><code>&lt;key-name&gt;</code></em>";
};
</pre><div class="para">
				This directive sets a global default key. However, the <code class="filename">rndc</code> configuration file can also specify different keys for different servers, as in the following example:
			</div><pre class="screen">
server localhost {
	key  "<em class="replaceable"><code>&lt;key-name&gt;</code></em>";
};
</pre><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					Make sure that only the root user can read or write to the <code class="filename">/etc/rndc.conf</code> file.
				</div></div></div><div class="para">
				For more information about the <code class="filename">/etc/rndc.conf</code> file, refer to the <code class="filename">rndc.conf</code> man page.
			</div></div><div class="section" id="s2-bind-rndc-options"><div class="titlepage"><div><div><h3 class="title" id="s2-bind-rndc-options">18.4.3. Command Line Options</h3></div></div></div><a id="id951035" class="indexterm"></a><div class="para">
				An <code class="command">rndc</code> command takes the following form:
			</div><pre class="screen">
<code class="command">rndc <em class="replaceable"><code>&lt;options&gt;</code></em> <em class="replaceable"><code>&lt;command&gt;</code></em> <em class="replaceable"><code>&lt;command-options&gt;</code></em> </code>
</pre><div class="para">
				When executing <code class="command">rndc</code> on a properly configured localhost, the following commands are available:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">halt</code> — Stops the <code class="filename">named</code> service immediately.
					</div></li><li class="listitem"><div class="para">
						<code class="command">querylog</code> — Logs all queries made to this nameserver.
					</div></li><li class="listitem"><div class="para">
						<code class="command">refresh</code> — Refreshes the nameserver's database.
					</div></li><li class="listitem"><div class="para">
						<code class="command">reload</code> — Reloads the zone files but keeps all other previously cached responses. This command also allows changes to zone files without losing all stored name resolutions.
					</div><div class="para">
						If changes made only affect a specific zone, reload only that specific zone by adding the name of the zone after the <code class="command">reload</code> command.
					</div></li><li class="listitem"><div class="para">
						<code class="command">stats</code> — Dumps the current <code class="command">named</code> statistics to the <code class="filename">/var/named/named.stats</code> file.
					</div></li><li class="listitem"><div class="para">
						<code class="command">stop</code> — Stops the server gracefully, saving any dynamic update and <em class="firstterm">Incremental Zone Transfers</em> (<em class="firstterm">IXFR</em>) data before exiting.
					</div></li></ul></div><div class="para">
				Occasionally, it may be necessary to override the default settings in the <code class="filename">/etc/rndc.conf</code> file. The following options are available:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">-c <em class="replaceable"><code>&lt;configuration-file&gt;</code></em> </code> — Specifies the alternate location of a configuration file.
					</div></li><li class="listitem"><div class="para">
						<code class="command">-p <em class="replaceable"><code>&lt;port-number&gt;</code></em> </code> — Specifies a port number to use for the <code class="command">rndc</code> connection other than the default port 953.
					</div></li><li class="listitem"><div class="para">
						<code class="command">-s <em class="replaceable"><code>&lt;server&gt;</code></em> </code> — Specifies a server other than the <code class="command">default-server</code> listed in <code class="filename">/etc/rndc.conf</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">-y <em class="replaceable"><code>&lt;key-name&gt;</code></em> </code> — Specifies a key other than the <code class="command">default-key</code> option in <code class="filename">/etc/rndc.conf</code>.
					</div></li></ul></div><div class="para">
				Additional information about these options can be found in the <code class="command">rndc</code> man page.
			</div></div></div><div class="section" id="s1-bind-features"><div class="titlepage"><div><div><h2 class="title" id="s1-bind-features">18.5. Advanced Features of BIND</h2></div></div></div><a id="id951316" class="indexterm"></a><div class="para">
			Most BIND implementations only use <code class="command">named</code> to provide name resolution services or to act as an authority for a particular domain or sub-domain. However, BIND version 9 has a number of advanced features that allow for a more secure and efficient DNS service.
		</div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
				Some of these advanced features, such as DNSSEC, TSIG, and IXFR (which are defined in the following section), should only be used in network environments with nameservers that support the features. If the network environment includes non-BIND or older BIND nameservers, verify that each advanced feature is supported before attempting to use it.
			</div></div></div><div class="para">
			All of the features mentioned are discussed in greater detail in the <em class="citetitle">BIND 9 Administrator Reference Manual</em> referenced in <a class="xref" href="#s2-bind-installed-docs">Section 18.7.1, “Installed Documentation”</a>.
		</div><div class="section" id="s2-bind-features-protocol"><div class="titlepage"><div><div><h3 class="title" id="s2-bind-features-protocol">18.5.1. DNS Protocol Enhancements</h3></div></div></div><a id="id951376" class="indexterm"></a><div class="para">
				BIND supports Incremental Zone Transfers (IXFR), where a slave nameserver only downloads the updated portions of a zone modified on a master nameserver. The standard transfer process requires that the entire zone be transferred to each slave nameserver for even the smallest change. For very popular domains with very lengthy zone files and many slave nameservers, IXFR makes the notification and update process much less resource-intensive.
			</div><div class="para">
				Note that IXFR is only available when using <em class="firstterm">dynamic updating</em> to make changes to master zone records. If manually editing zone files to make changes, Automatic Zone Transfer (AXFR) is used. More information on dynamic updating is available in the <em class="citetitle">BIND 9 Administrator Reference Manual</em> referenced in <a class="xref" href="#s2-bind-installed-docs">Section 18.7.1, “Installed Documentation”</a>.
			</div></div><div class="section" id="s2-bind-features-views"><div class="titlepage"><div><div><h3 class="title" id="s2-bind-features-views">18.5.2. Multiple Views</h3></div></div></div><a id="id951434" class="indexterm"></a><div class="para">
				Through the use of the <code class="command">view</code> statement in <code class="filename">named.conf</code>, BIND can present different information depending on which network a request originates from.
			</div><div class="para">
				This is primarily used to deny sensitive DNS entries from clients outside of the local network, while allowing queries from clients inside the local network.
			</div><div class="para">
				The <code class="command">view</code> statement uses the <code class="command">match-clients</code> option to match IP addresses or entire networks and give them special options and zone data.
			</div></div><div class="section" id="s2-bind-features-security"><div class="titlepage"><div><div><h3 class="title" id="s2-bind-features-security">18.5.3. Security</h3></div></div></div><a id="id951493" class="indexterm"></a><div class="para">
				BIND supports a number of different methods to protect the updating and transfer of zones, on both master and slave nameservers:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <span class="emphasis"><em>DNSSEC</em></span> </span></dt><dd><div class="para">
							Short for <em class="firstterm">DNS SECurity</em>, this feature allows for zones to be cryptographically signed with a <em class="firstterm">zone key</em>.
						</div><div class="para">
							In this way, the information about a specific zone can be verified as coming from a nameserver that has signed it with a particular private key, as long as the recipient has that nameserver's public key.
						</div><div class="para">
							BIND version 9 also supports the SIG(0) public/private key method of message authentication.
						</div></dd><dt class="varlistentry"><span class="term"> <span class="emphasis"><em>TSIG</em></span> </span></dt><dd><div class="para">
							Short for <em class="firstterm">Transaction SIGnatures</em>, this feature allows a transfer from master to slave only after verifying that a shared secret key exists on both nameservers.
						</div><div class="para">
							This feature strengthens the standard IP address-based method of transfer authorization. An attacker would not only need to have access to the IP address to transfer the zone, but they would also need to know the secret key.
						</div><div class="para">
							BIND version 9 also supports <em class="firstterm">TKEY</em>, which is another shared secret key method of authorizing zone transfers.
						</div></dd></dl></div></div><div class="section" id="s2-bind-features-ipv6"><div class="titlepage"><div><div><h3 class="title" id="s2-bind-features-ipv6">18.5.4. IP version 6</h3></div></div></div><a id="id951609" class="indexterm"></a><div class="para">
				BIND version 9 supports name service in IP version 6 (IPv6) environments through the use of <code class="command">A6</code> zone records.
			</div><div class="para">
				If the network environment includes both IPv4 and IPv6 hosts, use the <code class="command">lwresd</code> lightweight resolver daemon on all network clients. This daemon is a very efficient, caching-only nameserver which understands the new <code class="command">A6</code> and <code class="command">DNAME</code> records used under IPv6. Refer to the <code class="command">lwresd</code> man page for more information.
			</div></div></div><div class="section" id="s1-bind-mistakes"><div class="titlepage"><div><div><h2 class="title" id="s1-bind-mistakes">18.6. Common Mistakes to Avoid</h2></div></div></div><a id="id951669" class="indexterm"></a><div class="para">
			It is very common for beginners to make mistakes when editing BIND configuration files. Be sure to avoid the following issues:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<span class="emphasis"><em>Take care to increment the serial number when editing a zone file.</em></span>
				</div><div class="para">
					If the serial number is not incremented, the master nameserver has the correct, new information, but the slave nameservers are never notified of the change and do not attempt to refresh their data of that zone.
				</div></li><li class="listitem"><div class="para">
					<span class="emphasis"><em>Be careful to use ellipses and semi-colons correctly in the <code class="filename">/etc/named.conf</code> file.</em></span>
				</div><div class="para">
					An omitted semi-colon or unclosed ellipse section can cause <code class="command">named</code> to refuse to start.
				</div></li><li class="listitem"><div class="para">
					<span class="emphasis"><em>Remember to place periods (<code class="command">.</code>) in zone files after all FQDNs and omit them on hostnames.</em></span>
				</div><div class="para">
					A period at the end of a domain name denotes a fully qualified domain name. If the period is omitted, then <code class="command">named</code> appends the name of the zone or the <code class="command">$ORIGIN</code> value to complete it.
				</div></li><li class="listitem"><div class="para">
					If a firewall is blocking connections from the <code class="command">named</code> daemon to other nameservers, the recommended best practice is to change the firewall settings whenever possible. For important security information regarding fixed UDP source ports, refer to <a class="xref" href="#firewall-blocking">Section 18.4.1.1, “Firewall Blocking Communication”</a>
				</div></li></ul></div></div><div class="section" id="s1-bind-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-bind-additional-resources">18.7. Additional Resources</h2></div></div></div><a id="id951792" class="indexterm"></a><div class="para">
			The following sources of information provide additional resources regarding BIND.
		</div><div class="section" id="s2-bind-installed-docs"><div class="titlepage"><div><div><h3 class="title" id="s2-bind-installed-docs">18.7.1. Installed Documentation</h3></div></div></div><a id="id951821" class="indexterm"></a><div class="para">
				BIND features a full range of installed documentation covering many different topics, each placed in its own subject directory. For each item below, replace <em class="replaceable"><code>&lt;version-number&gt;</code></em> with the version of <code class="filename">bind</code> installed on the system:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="filename">/usr/share/doc/bind-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/</code> </span></dt><dd><div class="para">
							This directory lists the most recent features. 
						</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">/usr/share/doc/bind-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/arm/</code> </span></dt><dd><div class="para">
							This directory contains the <em class="citetitle">BIND 9 Administrator Reference Manual</em> in HTML and SGML formats, which details BIND resource requirements, how to configure different types of nameservers, how to perform load balancing, and other advanced topics. For most new users of BIND, this is the best place to start.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">/usr/share/doc/bind-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/draft/</code> </span></dt><dd><div class="para">
							This directory contains assorted technical documents that review issues related to DNS service and propose some methods to address them.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">/usr/share/doc/bind-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/misc/</code> </span></dt><dd><div class="para">
							This directory contains documents designed to address specific advanced issues. Users of BIND version 8 should consult the <code class="filename">migration</code> document for specific changes they must make when moving to BIND 9. The <code class="filename">options</code> file lists all of the options implemented in BIND 9 that are used in <code class="filename">/etc/named.conf</code>.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="filename">/usr/share/doc/bind-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/rfc/</code> </span></dt><dd><div class="para">
							This directory provides every RFC document related to BIND.
						</div></dd></dl></div><div class="para">
				There are also a number of man pages for the various applications and configuration files involved with BIND. The following lists some of the more important man pages.
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">Administrative Applications</span></dt><dd><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="command">man rndc</code> — Explains the different options available when using the <code class="command">rndc</code> command to control a BIND nameserver.
								</div></li></ul></div></dd><dt class="varlistentry"><span class="term">Server Applications</span></dt><dd><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="command">man named</code> — Explores assorted arguments that can be used to control the BIND nameserver daemon.
								</div></li><li class="listitem"><div class="para">
									<code class="command">man lwresd</code> — Describes the purpose of and options available for the lightweight resolver daemon.
								</div></li></ul></div></dd><dt class="varlistentry"><span class="term">Configuration Files</span></dt><dd><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="command">man named.conf</code> — A comprehensive list of options available within the <code class="command">named</code> configuration file.
								</div></li><li class="listitem"><div class="para">
									<code class="command">man rndc.conf</code> — A comprehensive list of options available within the <code class="command">rndc</code> configuration file.
								</div></li></ul></div></dd></dl></div></div><div class="section" id="s2-bind-useful-websites"><div class="titlepage"><div><div><h3 class="title" id="s2-bind-useful-websites">18.7.2. Useful Websites</h3></div></div></div><a id="id952164" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						 <a href="http://www.isc.org/index.pl?/sw/bind/">http://www.isc.org/index.pl?/sw/bind/</a> — The home page of the BIND project containing information about current releases as well as a PDF version of the <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.redhat.com/mirrors/LDP/HOWTO/DNS-HOWTO.html">http://www.redhat.com/mirrors/LDP/HOWTO/DNS-HOWTO.html</a> — Covers the use of BIND as a resolving, caching nameserver and the configuration of various zone files necessary to serve as the primary nameserver for a domain.
					</div></li></ul></div></div><div class="section" id="s2-bind-related-books"><div class="titlepage"><div><div><h3 class="title" id="s2-bind-related-books">18.7.3. Related Books</h3></div></div></div><a id="id952234" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<em class="citetitle">DNS and BIND</em> by Paul Albitz and Cricket Liu; O'Reilly &amp; Associates — A popular reference that explains both common and esoteric BIND configuration options, as well as providing strategies for securing a DNS server.
					</div></li><li class="listitem"><div class="para">
						<em class="citetitle">The Concise Guide to DNS and BIND</em> by Nicolai Langfeldt; Que — Looks at the connection between multiple network services and BIND, with an emphasis on task-oriented, technical topics.
					</div></li></ul></div></div></div><div class="footnotes"><br /><hr width="100" align="left" /><div class="footnote"><div class="para"><sup>[<a id="ftn.id950819" href="#id950819" class="para">3</a>] </sup>
							The security update was <a href="https://rhn.redhat.com/errata/RHSA-2008-0533.html">RHSA-2008:0533</a>.
						</div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-openssh" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 19. OpenSSH</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-ssh-intro">19.1. Features of SSH</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ssh-intro-why">19.1.1. Why Use SSH?</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ssh-version">19.2. SSH Protocol Versions</a></span></dt><dt><span class="section"><a href="#s1-ssh-conn">19.3. Event Sequence of an SSH Connection</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ssh-protocol-conn-transport">19.3.1. Transport Layer</a></span></dt><dt><span class="section"><a href="#s2-ssh-protocol-authentication">19.3.2. Authentication</a></span></dt><dt><span class="section"><a href="#s2-ssh-protocol-connection">19.3.3. Channels</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-openssh-server-config">19.4. Configuring an OpenSSH Server</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ssh-requiring">19.4.1. Requiring SSH for Remote Connections</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ssh-configfiles">19.5. OpenSSH Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-openssh-client-config">19.6. Configuring an OpenSSH Client</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-openssh-using-ssh">19.6.1. Using the <code class="command">ssh</code> Command</a></span></dt><dt><span class="section"><a href="#s2-openssh-using-scp">19.6.2. Using the <code class="command">scp</code> Command</a></span></dt><dt><span class="section"><a href="#s2-openssh-using-sftp">19.6.3. Using the <code class="command">sftp</code> Command</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ssh-beyondshell">19.7. More Than a Secure Shell</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ssh-beyondshell-x11">19.7.1. X11 Forwarding</a></span></dt><dt><span class="section"><a href="#s2-ssh-beyondshell-tcpip">19.7.2. Port Forwarding</a></span></dt><dt><span class="section"><a href="#s2-openssh-generate-keypairs">19.7.3. Generating Key Pairs</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-openssh-additional-resources">19.8. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-openssh-installed-docs">19.8.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-openssh-useful-websites">19.8.2. Useful Websites</a></span></dt></dl></dd></dl></div><a id="id788191" class="indexterm"></a><div class="para">
		<span class="trademark">SSH</span>™ (or <span class="emphasis"><em>S</em></span>ecure <span class="emphasis"><em>SH</em></span>ell) is a protocol which facilitates secure communications between two systems using a client/server architecture and allows users to log into server host systems remotely. Unlike other remote communication protocols, such as FTP or Telnet, SSH encrypts the login session, rendering the connection difficult for intruders to collect unencrypted passwords.
	</div><div class="para">
		SSH is designed to replace older, less secure terminal applications used to log into remote hosts, such as <code class="command">telnet</code> or <code class="command">rsh</code>. A related program called <code class="command">scp</code> replaces older programs designed to copy files between hosts, such as <code class="command">rcp</code>. Because these older applications do not encrypt passwords transmitted between the client and the server, avoid them whenever possible. Using secure methods to log into remote systems decreases the risks for both the client system and the remote host.
	</div><div class="section" id="s1-ssh-intro"><div class="titlepage"><div><div><h2 class="title" id="s1-ssh-intro">19.1. Features of SSH</h2></div></div></div><a id="id828546" class="indexterm"></a><a id="id926462" class="indexterm"></a><div class="para">
			The SSH protocol provides the following safeguards:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					After an initial connection, the client can verify that it is connecting to the same server it had connected to previously.
				</div></li><li class="listitem"><div class="para">
					The client transmits its authentication information to the server using strong, 128-bit encryption.
				</div></li><li class="listitem"><div class="para">
					All data sent and received during a session is transferred using 128-bit encryption, making intercepted transmissions extremely difficult to decrypt and read.
				</div></li><li class="listitem"><div class="para">
					The client can forward X11<sup>[<a id="id1038268" href="#ftn.id1038268" class="footnote">4</a>]</sup> applications from the server. This technique, called <em class="firstterm">X11 forwarding</em>, provides a secure means to use graphical applications over a network.
				</div></li></ul></div><div class="para">
			Because the SSH protocol encrypts everything it sends and receives, it can be used to secure otherwise insecure protocols. Using a technique called <em class="firstterm">port forwarding</em>, an SSH server can become a conduit to securing otherwise insecure protocols, like POP, and increasing overall system and data security.
		</div><div class="para">
			The OpenSSH server and client can also be configured to create a tunnel similar to a virtual private network for traffic between server and client machines.
		</div><div class="para">
			Finally, OpenSSH servers and clients can be configured to authenticate using the GSSAPI implementation of the Kerberos network authentication protocol. For more information on configuring Kerberos authentication services, refer to <a class="xref" href="#ch-kerberos">Section 46.6, “Kerberos”</a>.
		</div><div class="para">
			Red Hat Enterprise Linux includes the general OpenSSH package (<code class="filename">openssh</code>) as well as the OpenSSH server (<code class="filename">openssh-server</code>) and client (<code class="filename">openssh-clients</code>) packages. Note, the OpenSSH packages require the OpenSSL package (<code class="filename">openssl</code>) which installs several important cryptographic libraries, enabling OpenSSH to provide encrypted communications.
		</div><div class="section" id="s2-ssh-intro-why"><div class="titlepage"><div><div><h3 class="title" id="s2-ssh-intro-why">19.1.1. Why Use SSH?</h3></div></div></div><a id="id970332" class="indexterm"></a><div class="para">
				Nefarious computer users have a variety of tools at their disposal enabling them to disrupt, intercept, and re-route network traffic in an effort to gain access to a system. In general terms, these threats can be categorized as follows:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="emphasis"><em>Interception of communication between two systems</em></span> — In this scenario, the attacker can be somewhere on the network between the communicating parties, copying any information passed between them. The attacker may intercept and keep the information, or alter the information and send it on to the intended recipient.
					</div><div class="para">
						This attack can be mounted through the use of a packet sniffer — a common network utility.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Impersonation of a particular host</em></span> — Using this strategy, an attacker's system is configured to pose as the intended recipient of a transmission. If this strategy works, the user's system remains unaware that it is communicating with the wrong host.
					</div><div class="para">
						This attack can be mounted through techniques known as DNS poisoning<sup>[<a id="id788897" href="#ftn.id788897" class="footnote">5</a>]</sup> or IP spoofing<sup>[<a id="id788906" href="#ftn.id788906" class="footnote">6</a>]</sup>.
					</div></li></ul></div><div class="para">
				Both techniques intercept potentially sensitive information and, if the interception is made for hostile reasons, the results can be disastrous.
			</div><div class="para">
				If SSH is used for remote shell login and file copying, these security threats can be greatly diminished. This is because the SSH client and server use digital signatures to verify their identity. Additionally, all communication between the client and server systems is encrypted. Attempts to spoof the identity of either side of a communication does not work, since each packet is encrypted using a key known only by the local and remote systems.
			</div></div></div><div class="section" id="s1-ssh-version"><div class="titlepage"><div><div><h2 class="title" id="s1-ssh-version">19.2. SSH Protocol Versions</h2></div></div></div><a id="id981625" class="indexterm"></a><a id="id981639" class="indexterm"></a><div class="para">
			The SSH protocol allows any client and server programs built to the protocol's specifications to communicate securely and to be used interchangeably.
		</div><div class="para">
			Two varieties of SSH (version 1 and version 2) currently exist. The OpenSSH suite under Red Hat Enterprise Linux uses SSH version 2 which has an enhanced key exchange algorithm not vulnerable to the exploit in version 1. However, the OpenSSH suite does support version 1 connections.
		</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
				It is recommended that only SSH version 2-compatible servers and clients are used whenever possible.
			</div></div></div></div><div class="section" id="s1-ssh-conn"><div class="titlepage"><div><div><h2 class="title" id="s1-ssh-conn">19.3. Event Sequence of an SSH Connection</h2></div></div></div><a id="id952914" class="indexterm"></a><div class="para">
			The following series of events help protect the integrity of SSH communication between two hosts.
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					A cryptographic handshake is made so that the client can verify that it is communicating with the correct server.
				</div></li><li class="listitem"><div class="para">
					The transport layer of the connection between the client and remote host is encrypted using a symmetric cipher.
				</div></li><li class="listitem"><div class="para">
					The client authenticates itself to the server.
				</div></li><li class="listitem"><div class="para">
					The remote client interacts with the remote host over the encrypted connection.
				</div></li></ol></div><div class="section" id="s2-ssh-protocol-conn-transport"><div class="titlepage"><div><div><h3 class="title" id="s2-ssh-protocol-conn-transport">19.3.1. Transport Layer</h3></div></div></div><a id="id819160" class="indexterm"></a><div class="para">
				The primary role of the transport layer is to facilitate safe and secure communication between the two hosts at the time of authentication and during subsequent communication. The transport layer accomplishes this by handling the encryption and decryption of data, and by providing integrity protection of data packets as they are sent and received. The transport layer also provides compression, speeding the transfer of information.
			</div><div class="para">
				Once an SSH client contacts a server, key information is exchanged so that the two systems can correctly construct the transport layer. The following steps occur during this exchange:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Keys are exchanged
					</div></li><li class="listitem"><div class="para">
						The public key encryption algorithm is determined
					</div></li><li class="listitem"><div class="para">
						The symmetric encryption algorithm is determined
					</div></li><li class="listitem"><div class="para">
						The message authentication algorithm is determined
					</div></li><li class="listitem"><div class="para">
						The hash algorithm is determined
					</div></li></ul></div><div class="para">
				During the key exchange, the server identifies itself to the client with a unique <em class="firstterm">host key</em>. If the client has never communicated with this particular server before, the server's host key is unknown to the client and it does not connect. OpenSSH gets around this problem by accepting the server's host key. This is done after the user is notified and has both accepted and verified the new host key. In subsequent connections, the server's host key is checked against the saved version on the client, providing confidence that the client is indeed communicating with the intended server. If, in the future, the host key no longer matches, the user must remove the client's saved version before a connection can occur.
			</div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
					It is possible for an attacker to masquerade as an SSH server during the initial contact since the local system does not know the difference between the intended server and a false one set up by an attacker. To help prevent this, verify the integrity of a new SSH server by contacting the server administrator before connecting for the first time or in the event of a host key mismatch.
				</div></div></div><div class="para">
				SSH is designed to work with almost any kind of public key algorithm or encoding format. After an initial key exchange creates a hash value used for exchanges and a shared secret value, the two systems immediately begin calculating new keys and algorithms to protect authentication and future data sent over the connection.
			</div><div class="para">
				After a certain amount of data has been transmitted using a given key and algorithm (the exact amount depends on the SSH implementation), another key exchange occurs, generating another set of hash values and a new shared secret value. Even if an attacker is able to determine the hash and shared secret value, this information is only useful for a limited period of time.
			</div></div><div class="section" id="s2-ssh-protocol-authentication"><div class="titlepage"><div><div><h3 class="title" id="s2-ssh-protocol-authentication">19.3.2. Authentication</h3></div></div></div><a id="id819284" class="indexterm"></a><div class="para">
				Once the transport layer has constructed a secure tunnel to pass information between the two systems, the server tells the client the different authentication methods supported, such as using a private key-encoded signature or typing a password. The client then tries to authenticate itself to the server using one of these supported methods.
			</div><div class="para">
				SSH servers and clients can be configured to allow different types of authentication, which gives each side the optimal amount of control. The server can decide which encryption methods it supports based on its security model, and the client can choose the order of authentication methods to attempt from the available options.
			</div></div><div class="section" id="s2-ssh-protocol-connection"><div class="titlepage"><div><div><h3 class="title" id="s2-ssh-protocol-connection">19.3.3. Channels</h3></div></div></div><a id="id879524" class="indexterm"></a><div class="para">
				After a successful authentication over the SSH transport layer, multiple channels are opened via a technique called <em class="firstterm">multiplexing</em><sup>[<a id="id879547" href="#ftn.id879547" class="footnote">7</a>]</sup>. Each of these channels handles communication for different terminal sessions and for forwarded X11 sessions.
			</div><div class="para">
				Both clients and servers can create a new channel. Each channel is then assigned a different number on each end of the connection. When the client attempts to open a new channel, the clients sends the channel number along with the request. This information is stored by the server and is used to direct communication to that channel. This is done so that different types of sessions do not affect one another and so that when a given session ends, its channel can be closed without disrupting the primary SSH connection.
			</div><div class="para">
				Channels also support <em class="firstterm">flow-control</em>, which allows them to send and receive data in an orderly fashion. In this way, data is not sent over the channel until the client receives a message that the channel is open.
			</div><div class="para">
				The client and server negotiate the characteristics of each channel automatically, depending on the type of service the client requests and the way the user is connected to the network. This allows great flexibility in handling different types of remote connections without having to change the basic infrastructure of the protocol.
			</div></div></div><div class="section" id="s1-openssh-server-config"><div class="titlepage"><div><div><h2 class="title" id="s1-openssh-server-config">19.4. Configuring an OpenSSH Server</h2></div></div></div><a id="id879593" class="indexterm"></a><div class="para">
			To run an OpenSSH server, you must first make sure that you have the proper RPM packages installed. The <code class="filename">openssh-server</code> package is required and is dependent on the <code class="filename">openssh</code> package.
		</div><a id="id879619" class="indexterm"></a><div class="para">
			The OpenSSH daemon uses the configuration file <code class="filename">/etc/ssh/sshd_config</code>. The default configuration file should be sufficient for most purposes. If you want to configure the daemon in ways not provided by the default <code class="filename">sshd_config</code>, read the <code class="command">sshd</code> man page for a list of the keywords that can be defined in the configuration file.
		</div><a id="id818100" class="indexterm"></a><div class="para">
			To start the OpenSSH service, use the command <code class="command">/sbin/service sshd start</code>. To stop the OpenSSH server, use the command <code class="command">/sbin/service sshd stop</code>. If you want the daemon to start automatically at boot time, refer to <a class="xref" href="#ch-services">Chapter 17, <em>Controlling Access to Services</em></a> for information on how to manage services.
		</div><div class="para">
			If you reinstall, the reinstalled system creates a new set of identification keys. Any clients who had connected to the system with any of the OpenSSH tools before the reinstall will see the following message:
		</div><pre class="screen">@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.</pre><div class="para">
			If you want to keep the host keys generated for the system, backup the <code class="filename">/etc/ssh/ssh_host*key*</code> files and restore them after the reinstall. This process retains the system's identity, and when clients try to connect to the system after the reinstall, they will not receive the warning message.
		</div><div class="section" id="s2-ssh-requiring"><div class="titlepage"><div><div><h3 class="title" id="s2-ssh-requiring">19.4.1. Requiring SSH for Remote Connections</h3></div></div></div><a id="id818163" class="indexterm"></a><a id="id818177" class="indexterm"></a><div class="para">
				For SSH to be truly effective, using insecure connection protocols, such as Telnet and FTP, should be prohibited. Otherwise, a user's password may be protected using SSH for one session, only to be captured later while logging in using Telnet.
			</div><div class="para">
				Some services to disable include:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">telnet</code>
					</div></li><li class="listitem"><div class="para">
						<code class="command">rsh</code>
					</div></li><li class="listitem"><div class="para">
						<code class="command">rlogin</code>
					</div></li><li class="listitem"><div class="para">
						<code class="command">vsftpd</code>
					</div></li></ul></div><div class="para">
				To disable insecure connection methods to the system, use the command line program <code class="command">chkconfig</code>, the ncurses-based program <span class="application"><strong>/usr/sbin/ntsysv</strong></span>, or the <span class="application"><strong>Services Configuration Tool</strong></span> (<code class="command">system-config-services</code>) graphical application. All of these tools require root level access.
			</div><div class="para">
				For more information on runlevels and configuring services with <code class="command">chkconfig</code>, <span class="application"><strong>/usr/sbin/ntsysv</strong></span>, and the <span class="application"><strong>Services Configuration Tool</strong></span>, refer to <a class="xref" href="#ch-services">Chapter 17, <em>Controlling Access to Services</em></a>.
			</div></div></div><div class="section" id="s1-ssh-configfiles"><div class="titlepage"><div><div><h2 class="title" id="s1-ssh-configfiles">19.5. OpenSSH Configuration Files</h2></div></div></div><a id="id818302" class="indexterm"></a><a id="id818315" class="indexterm"></a><div class="para">
			OpenSSH has two different sets of configuration files: one for client programs (<code class="command">ssh</code>, <code class="command">scp</code>, and <code class="command">sftp</code>) and one for the server daemon (<code class="command">sshd</code>).
		</div><div class="para">
			System-wide SSH configuration information is stored in the <code class="filename">/etc/ssh/</code> directory:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="filename">moduli</code> — Contains Diffie-Hellman groups used for the Diffie-Hellman key exchange which is critical for constructing a secure transport layer. When keys are exchanged at the beginning of an SSH session, a shared, secret value is created which cannot be determined by either party alone. This value is then used to provide host authentication.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">ssh_config</code> — The system-wide default SSH client configuration file. It is overridden if one is also present in the user's home directory (<code class="filename">~/.ssh/config</code>).
				</div></li><li class="listitem"><div class="para">
					<code class="filename">sshd_config</code> — The configuration file for the <code class="command">sshd</code> daemon.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">ssh_host_dsa_key</code> — The DSA private key used by the <code class="command">sshd</code> daemon.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">ssh_host_dsa_key.pub</code> — The DSA public key used by the <code class="command">sshd</code> daemon.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">ssh_host_key</code> — The RSA private key used by the <code class="command">sshd</code> daemon for version 1 of the SSH protocol.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">ssh_host_key.pub</code> — The RSA public key used by the <code class="command">sshd</code> daemon for version 1 of the SSH protocol.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">ssh_host_rsa_key</code> — The RSA private key used by the <code class="command">sshd</code> daemon for version 2 of the SSH protocol.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">ssh_host_rsa_key.pub</code> — The RSA public key used by the <code class="command">sshd</code> for version 2 of the SSH protocol.
				</div></li></ul></div><div class="para">
			User-specific SSH configuration information is stored in the user's home directory within the <code class="filename">~/.ssh/</code> directory:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="filename">authorized_keys</code> — This file holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the client by checking its signed public key stored within this file.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">id_dsa</code> — Contains the DSA private key of the user.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">id_dsa.pub</code> — The DSA public key of the user.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">id_rsa</code> — The RSA private key used by <code class="command">ssh</code> for version 2 of the SSH protocol.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">id_rsa.pub</code> — The RSA public key used by <code class="command">ssh</code> for version 2 of the SSH protocol
				</div></li><li class="listitem"><div class="para">
					<code class="filename">identity</code> — The RSA private key used by <code class="command">ssh</code> for version 1 of the SSH protocol.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">identity.pub</code> — The RSA public key used by <code class="command">ssh</code> for version 1 of the SSH protocol.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">known_hosts</code> — This file contains DSA host keys of SSH servers accessed by the user. This file is very important for ensuring that the SSH client is connecting the correct SSH server.
				</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
						If an SSH server's host key has changed, the client notifies the user that the connection cannot proceed until the server's host key is deleted from the <code class="filename">known_hosts</code> file using a text editor. Before doing this, however, contact the system administrator of the SSH server to verify the server is not compromised.
					</div></div></div></li></ul></div><div class="para">
			Refer to the <code class="command">ssh_config</code> and <code class="command">sshd_config</code> man pages for information concerning the various directives available in the SSH configuration files.
		</div></div><div class="section" id="s1-openssh-client-config"><div class="titlepage"><div><div><h2 class="title" id="s1-openssh-client-config">19.6. Configuring an OpenSSH Client</h2></div></div></div><a id="id817095" class="indexterm"></a><div class="para">
			To connect to an OpenSSH server from a client machine, you must have the <code class="filename">openssh-clients</code> and <code class="filename">openssh</code> packages installed on the client machine.
		</div><div class="section" id="s2-openssh-using-ssh"><div class="titlepage"><div><div><h3 class="title" id="s2-openssh-using-ssh">19.6.1. Using the <code class="command">ssh</code> Command</h3></div></div></div><a id="id817133" class="indexterm"></a><a id="id817149" class="indexterm"></a><div class="para">
				The <code class="command">ssh</code> command is a secure replacement for the <code class="command">rlogin</code>, <code class="command">rsh</code>, and <code class="command">telnet</code> commands. It allows you to log in to a remote machine as well as execute commands on a remote machine.
			</div><div class="para">
				Logging in to a remote machine with <code class="command">ssh</code> is similar to using <code class="command">telnet</code>. To log in to a remote machine named penguin.example.net, type the following command at a shell prompt:
			</div><pre class="screen"><code class="command">ssh penguin.example.net</code></pre><div class="para">
				The first time you <code class="command">ssh</code> to a remote machine, you will see a message similar to the following:
			</div><pre class="screen">The authenticity of host 'penguin.example.net' can't be established.
DSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:01:5d:b3:07:38:e2:11:0c.
Are you sure you want to continue connecting (yes/no)?</pre><div class="para">
				Type <strong class="userinput"><code>yes</code></strong> to continue. This will add the server to your list of known hosts (<code class="filename">~/.ssh/known_hosts</code>) as seen in the following message:
			</div><pre class="screen">Warning: Permanently added 'penguin.example.net' (RSA) to the list of known hosts.</pre><div class="para">
				Next, you will see a prompt asking for your password for the remote machine. After entering your password, you will be at a shell prompt for the remote machine. If you do not specify a username the username that you are logged in as on the local client machine is passed to the remote machine. If you want to specify a different username, use the following command:
			</div><pre class="screen"><code class="command">ssh <em class="replaceable"><code>username</code></em>@penguin.example.net</code></pre><div class="para">
				You can also use the syntax <code class="command">ssh -l <em class="replaceable"><code>username</code></em> penguin.example.net</code>.
			</div><div class="para">
				The <code class="command">ssh</code> command can be used to execute a command on the remote machine without logging in to a shell prompt. The syntax is <code class="command"> ssh <em class="replaceable"><code>hostname</code></em> <em class="replaceable"><code>command</code></em></code>. For example, if you want to execute the command <code class="command">ls /usr/share/doc</code> on the remote machine penguin.example.net, type the following command at a shell prompt:
			</div><pre class="screen"><code class="command">ssh penguin.example.net ls /usr/share/doc</code></pre><div class="para">
				After you enter the correct password, the contents of the remote directory <code class="filename">/usr/share/doc</code> will be displayed, and you will return to your local shell prompt.
			</div></div><div class="section" id="s2-openssh-using-scp"><div class="titlepage"><div><div><h3 class="title" id="s2-openssh-using-scp">19.6.2. Using the <code class="command">scp</code> Command</h3></div></div></div><a id="id817313" class="indexterm"></a><a id="id817330" class="indexterm"></a><a id="id817350" class="indexterm"></a><div class="para">
				The <code class="command">scp</code> command can be used to transfer files between machines over a secure, encrypted connection. It is similar to <code class="command">rcp</code>.
			</div><div class="para">
				The general syntax to transfer a local file to a remote system is as follows:
			</div><pre class="screen"><code class="command">scp <em class="replaceable"><code>&lt;localfile&gt;</code></em> <em class="replaceable"><code>username@tohostname:&lt;remotefile&gt;</code></em></code></pre><div class="para">
				The <em class="replaceable"><code>&lt;localfile&gt;</code></em> specifies the source including path to the file, such as <code class="filename">/var/log/maillog</code>. The <em class="replaceable"><code>&lt;remotefile&gt;</code></em> specifies the destination, which can be a new filename such as <code class="filename">/tmp/hostname-maillog</code>. For the remote system, if you do not have a preceding <code class="command">/</code>, the path will be relative to the home directory of <em class="replaceable"><code>username</code></em>, typically <code class="filename">/home/username/</code>.
			</div><div class="para">
				To transfer the local file <code class="filename">shadowman</code> to the home directory of your account on penguin.example.net, type the following at a shell prompt (replace <em class="replaceable"><code>username</code></em> with your username):
			</div><pre class="screen"><code class="command">scp shadowman <em class="replaceable"><code>username</code></em>@penguin.example.net:shadowman</code></pre><div class="para">
				This will transfer the local file <code class="filename">shadowman</code> to <code class="filename">/home/<em class="replaceable"><code>username</code></em>/shadowman</code> on penguin.example.net. Alternately, you can leave off the final <code class="computeroutput">shadowman</code> in the <code class="command">scp</code> command.
			</div><div class="para">
				The general syntax to transfer a remote file to the local system is as follows:
			</div><pre class="screen"><code class="command">scp <em class="replaceable"><code>username@tohostname:&lt;remotefile&gt;</code></em> <em class="replaceable"><code>&lt;newlocalfile&gt;</code></em></code></pre><div class="para">
				The <em class="replaceable"><code>&lt;remotefile&gt;</code></em> specifies the source including path, and <em class="replaceable"><code>&lt;newlocalfile&gt;</code></em> specifies the destination including path.
			</div><div class="para">
				Multiple files can be specified as the source files. For example, to transfer the contents of the directory <code class="filename">downloads/</code> to an existing directory called <code class="filename">uploads/</code> on the remote machine penguin.example.net, type the following at a shell prompt:
			</div><pre class="screen"><code class="command">scp downloads/* <em class="replaceable"><code>username</code></em>@penguin.example.net:uploads/</code></pre></div><div class="section" id="s2-openssh-using-sftp"><div class="titlepage"><div><div><h3 class="title" id="s2-openssh-using-sftp">19.6.3. Using the <code class="command">sftp</code> Command</h3></div></div></div><a id="id817528" class="indexterm"></a><a id="id817545" class="indexterm"></a><div class="para">
				The <code class="command">sftp</code> utility can be used to open a secure, interactive FTP session. It is similar to <code class="command">ftp</code> except that it uses a secure, encrypted connection. The general syntax is <code class="command">sftp<em class="replaceable"><code> username@hostname.com</code></em></code>. Once authenticated, you can use a set of commands similar to those used by FTP. Refer to the <code class="command">sftp</code> man page for a list of these commands. To read the man page, execute the command <code class="command">man sftp</code> at a shell prompt. The <code class="command">sftp</code> utility is only available in OpenSSH version 2.5.0p1 and higher.
			</div></div></div><div class="section" id="s1-ssh-beyondshell"><div class="titlepage"><div><div><h2 class="title" id="s1-ssh-beyondshell">19.7. More Than a Secure Shell</h2></div></div></div><div class="para">
			A secure command line interface is just the beginning of the many ways SSH can be used. Given the proper amount of bandwidth, X11 sessions can be directed over an SSH channel. Or, by using TCP/IP forwarding, previously insecure port connections between systems can be mapped to specific SSH channels.
		</div><div class="section" id="s2-ssh-beyondshell-x11"><div class="titlepage"><div><div><h3 class="title" id="s2-ssh-beyondshell-x11">19.7.1. X11 Forwarding</h3></div></div></div><a id="id817621" class="indexterm"></a><div class="para">
				Opening an X11 session over an SSH connection is as easy as connecting to the SSH server using the <code class="option">-Y</code> option and running an X program on a local machine.
			</div><pre class="screen"><code class="command">ssh -Y &lt;user&gt;@example.com</code></pre><div class="para">
				When an X program is run from the secure shell prompt, the SSH client and server create a new secure channel, and the X program data is sent over that channel to the client machine transparently.
			</div><div class="para">
				X11 forwarding can be very useful. For example, X11 forwarding can be used to create a secure, interactive session of the <span class="application"><strong>Printer Configuration Tool</strong></span>. To do this, connect to the server using <span class="application"><strong>ssh</strong></span> and type:
			</div><pre class="screen"><code class="command">system-config-printer &amp;</code></pre><div class="para">
				After supplying the root password for the server, the <span class="application"><strong>Printer Configuration Tool</strong></span> appears and allows the remote user to safely configure printing on the remote system.
			</div></div><div class="section" id="s2-ssh-beyondshell-tcpip"><div class="titlepage"><div><div><h3 class="title" id="s2-ssh-beyondshell-tcpip">19.7.2. Port Forwarding</h3></div></div></div><a id="id817690" class="indexterm"></a><div class="para">
				SSH can secure otherwise insecure TCP/IP protocols via port forwarding. When using this technique, the SSH server becomes an encrypted conduit to the SSH client.
			</div><div class="para">
				Port forwarding works by mapping a local port on the client to a remote port on the server. SSH can map any port from the server to any port on the client; port numbers do not need to match for this technique to work.
			</div><div class="para">
				To create a TCP/IP port forwarding channel which listens for connections on the localhost, use the following command:
			</div><pre class="screen"><code class="command">ssh -L <em class="replaceable"><code>local-port</code></em>:<em class="replaceable"><code>remote-hostname</code></em>:<em class="replaceable"><code>remote-port</code></em> <em class="replaceable"><code>username</code></em>@<em class="replaceable"><code>hostname</code></em></code></pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					Setting up port forwarding to listen on ports below 1024 requires root level access.
				</div></div></div><div class="para">
				To check email on a server called <code class="command">mail.example.com</code> using POP3 through an encrypted connection, use the following command:
			</div><pre class="screen"><code class="command">ssh -L 1100:mail.example.com:110 mail.example.com</code></pre><div class="para">
				Once the port forwarding channel is in place between the client machine and the mail server, direct a POP3 mail client to use port 1100 on the localhost to check for new mail. Any requests sent to port 1100 on the client system are directed securely to the <code class="command">mail.example.com</code> server.
			</div><div class="para">
				If <code class="command">mail.example.com</code> is not running an SSH server, but another machine on the same network is, SSH can still be used to secure part of the connection. However, a slightly different command is necessary:
			</div><pre class="screen"><code class="command">ssh -L 1100:mail.example.com:110 other.example.com</code></pre><div class="para">
				In this example, POP3 requests from port 1100 on the client machine are forwarded through the SSH connection on port 22 to the SSH server, <code class="command">other.example.com</code>. Then, <code class="command">other.example.com</code> connects to port 110 on <code class="command">mail.example.com</code> to check for new mail. Note, when using this technique only the connection between the client system and <code class="command">other.example.com</code> SSH server is secure.
			</div><div class="para">
				Port forwarding can also be used to get information securely through network firewalls. If the firewall is configured to allow SSH traffic via its standard port (22) but blocks access to other ports, a connection between two hosts using the blocked ports is still possible by redirecting their communication over an established SSH connection.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					Using port forwarding to forward connections in this manner allows any user on the client system to connect to that service. If the client system becomes compromised, the attacker also has access to forwarded services.
				</div><div class="para">
					System administrators concerned about port forwarding can disable this functionality on the server by specifying a <code class="command">No</code> parameter for the <code class="command">AllowTcpForwarding</code> line in <code class="filename">/etc/ssh/sshd_config</code> and restarting the <code class="command">sshd</code> service.
				</div></div></div></div><div class="section" id="s2-openssh-generate-keypairs"><div class="titlepage"><div><div><h3 class="title" id="s2-openssh-generate-keypairs">19.7.3. Generating Key Pairs</h3></div></div></div><a id="id817864" class="indexterm"></a><div class="para">
				If you do not want to enter your password every time you use <code class="command">ssh</code>, <code class="command">scp</code>, or <code class="command">sftp</code> to connect to a remote machine, you can generate an authorization key pair.
			</div><div class="para">
				Keys must be generated for each user. To generate keys for a user, use the following steps as the user who wants to connect to remote machines. If you complete the steps as root, only root will be able to use the keys.
			</div><div class="para">
				Starting with OpenSSH version 3.0, <code class="filename">~/.ssh/authorized_keys2</code>, <code class="filename">~/.ssh/known_hosts2</code>, and <code class="filename">/etc/ssh_known_hosts2</code> are obsolete. SSH Protocol 1 and 2 share the <code class="filename">~/.ssh/authorized_keys</code>, <code class="filename">~/.ssh/known_hosts</code>, and <code class="filename">/etc/ssh/ssh_known_hosts</code> files.
			</div><div class="para">
				Red Hat Enterprise Linux 5.8 uses SSH Protocol 2 and RSA keys by default.
			</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
					If you reinstall and want to save your generated key pair, backup the <code class="filename">.ssh</code> directory in your home directory. After reinstalling, copy this directory back to your home directory. This process can be done for all users on your system, including root.
				</div></div></div><div class="section" id="s3-openssh-rsa-keys-v2"><div class="titlepage"><div><div><h4 class="title" id="s3-openssh-rsa-keys-v2">19.7.3.1. Generating an RSA Key Pair for Version 2</h4></div></div></div><a id="id817956" class="indexterm"></a><a id="id817970" class="indexterm"></a><div class="para">
					Use the following steps to generate an RSA key pair for version 2 of the SSH protocol. This is the default starting with OpenSSH 2.9.
				</div><a id="id817992" class="indexterm"></a><div class="orderedlist"><ol><li class="listitem"><div class="para">
							To generate an RSA key pair to work with version 2 of the protocol, type the following command at a shell prompt:
						</div><pre class="screen"><code class="command">ssh-keygen -t rsa</code></pre><div class="para">
							Accept the default file location of <code class="filename">~/.ssh/id_rsa</code>. Enter a passphrase different from your account password and confirm it by entering it again.
						</div><div class="para">
							The public key is written to <code class="filename">~/.ssh/id_rsa.pub</code>. The private key is written to <code class="filename">~/.ssh/id_rsa</code>. Never distribute your private key to anyone.
						</div></li><li class="listitem"><div class="para">
							Change the permissions of the <code class="filename">.ssh</code> directory using the following command:
						</div><pre class="screen"><code class="command">chmod 755 ~/.ssh</code></pre></li><li class="listitem"><div class="para">
							Copy the contents of <code class="filename">~/.ssh/id_rsa.pub</code> into the file <code class="filename">~/.ssh/authorized_keys</code> on the machine to which you want to connect. If the file <code class="filename">~/.ssh/authorized_keys</code> exist, append the contents of the file <code class="filename">~/.ssh/id_rsa.pub</code> to the file <code class="filename">~/.ssh/authorized_keys</code> on the other machine.
						</div></li><li class="listitem"><div class="para">
							Change the permissions of the <code class="filename">authorized_keys</code> file using the following command:
						</div><pre class="screen"><code class="command">chmod 644 ~/.ssh/authorized_keys</code></pre></li><li class="listitem"><div class="para">
							If you are running GNOME or are running in a graphical desktop with GTK2+ libraries installed, skip to <a class="xref" href="#s3-openssh-ssh-agent-with-gnome">Section 19.7.3.4, “Configuring <code class="command">ssh-agent</code> with a GUI”</a>. If you are not running the X Window System, skip to <a class="xref" href="#s3-openssh-config-ssh-agent">Section 19.7.3.5, “Configuring <code class="command">ssh-agent</code>”</a>.
						</div></li></ol></div></div><div class="section" id="s3-openssh-dsa-key"><div class="titlepage"><div><div><h4 class="title" id="s3-openssh-dsa-key">19.7.3.2. Generating a DSA Key Pair for Version 2</h4></div></div></div><a id="id982642" class="indexterm"></a><a id="id982656" class="indexterm"></a><div class="para">
					Use the following steps to generate a DSA key pair for version 2 of the SSH Protocol.
				</div><a id="id982680" class="indexterm"></a><div class="orderedlist"><ol><li class="listitem"><div class="para">
							To generate a DSA key pair to work with version 2 of the protocol, type the following command at a shell prompt:
						</div><pre class="screen"><code class="command">ssh-keygen -t dsa</code></pre><div class="para">
							Accept the default file location of <code class="filename">~/.ssh/id_dsa</code>. Enter a passphrase different from your account password and confirm it by entering it again.
						</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
								A passphrase is a string of words and characters used to authenticate a user. Passphrases differ from passwords in that you can use spaces or tabs in the passphrase. Passphrases are generally longer than passwords because they are usually phrases instead of a single word.
							</div></div></div><div class="para">
							The public key is written to <code class="filename">~/.ssh/id_dsa.pub</code>. The private key is written to <code class="filename">~/.ssh/id_dsa</code>. It is important never to give anyone the private key.
						</div></li><li class="listitem"><div class="para">
							Change the permissions of the <code class="filename">.ssh</code> directory with the following command:
						</div><pre class="screen"><code class="command">chmod 755 ~/.ssh</code></pre></li><li class="listitem"><div class="para">
							Copy the contents of <code class="filename">~/.ssh/id_dsa.pub</code> into the file <code class="filename">~/.ssh/authorized_keys</code> on the machine to which you want to connect. If the file <code class="filename">~/.ssh/authorized_keys</code> exist, append the contents of the file <code class="filename">~/.ssh/id_dsa.pub</code> to the file <code class="filename">~/.ssh/authorized_keys</code> on the other machine.
						</div></li><li class="listitem"><div class="para">
							Change the permissions of the <code class="filename">authorized_keys</code> file using the following command:
						</div><pre class="screen"><code class="command">chmod 644 ~/.ssh/authorized_keys</code></pre></li><li class="listitem"><div class="para">
							If you are running GNOME or a graphical desktop environment with the GTK2+ libraries installed, skip to <a class="xref" href="#s3-openssh-ssh-agent-with-gnome">Section 19.7.3.4, “Configuring <code class="command">ssh-agent</code> with a GUI”</a>. If you are not running the X Window System, skip to <a class="xref" href="#s3-openssh-config-ssh-agent">Section 19.7.3.5, “Configuring <code class="command">ssh-agent</code>”</a>.
						</div></li></ol></div></div><div class="section" id="s3-openssh-rsa-keys-v1"><div class="titlepage"><div><div><h4 class="title" id="s3-openssh-rsa-keys-v1">19.7.3.3. Generating an RSA Key Pair for Version 1.3 and 1.5</h4></div></div></div><a id="id982846" class="indexterm"></a><a id="id982861" class="indexterm"></a><div class="para">
					Use the following steps to generate an RSA key pair, which is used by version 1 of the SSH Protocol. If you are only connecting between systems that use DSA, you do not need an RSA version 1.3 or RSA version 1.5 key pair.
				</div><a id="id982885" class="indexterm"></a><div class="orderedlist"><ol><li class="listitem"><div class="para">
							To generate an RSA (for version 1.3 and 1.5 protocol) key pair, type the following command at a shell prompt:
						</div><pre class="screen"><code class="command">ssh-keygen -t rsa1</code></pre><div class="para">
							Accept the default file location (<code class="filename">~/.ssh/identity</code>). Enter a passphrase different from your account password. Confirm the passphrase by entering it again.
						</div><div class="para">
							The public key is written to <code class="filename">~/.ssh/identity.pub</code>. The private key is written to <code class="filename">~/.ssh/identity</code>. Do not give anyone the private key.
						</div></li><li class="listitem"><div class="para">
							Change the permissions of your <code class="filename">.ssh</code> directory and your key with the commands <code class="command">chmod 755 ~/.ssh</code> and <code class="command">chmod 644 ~/.ssh/identity.pub</code>.
						</div></li><li class="listitem"><div class="para">
							Copy the contents of <code class="filename">~/.ssh/identity.pub</code> into the file <code class="filename">~/.ssh/authorized_keys</code> on the machine to which you wish to connect. If the file <code class="filename">~/.ssh/authorized_keys</code> does not exist, you can copy the file <code class="filename">~/.ssh/identity.pub</code> to the file <code class="filename">~/.ssh/authorized_keys</code> on the remote machine.
						</div></li><li class="listitem"><div class="para">
							If you are running GNOME, skip to <a class="xref" href="#s3-openssh-ssh-agent-with-gnome">Section 19.7.3.4, “Configuring <code class="command">ssh-agent</code> with a GUI”</a>. If you are not running GNOME, skip to <a class="xref" href="#s3-openssh-config-ssh-agent">Section 19.7.3.5, “Configuring <code class="command">ssh-agent</code>”</a>.
						</div></li></ol></div></div><div class="section" id="s3-openssh-ssh-agent-with-gnome"><div class="titlepage"><div><div><h4 class="title" id="s3-openssh-ssh-agent-with-gnome">19.7.3.4. Configuring <code class="command">ssh-agent</code> with a GUI</h4></div></div></div><a id="id983025" class="indexterm"></a><a id="id983046" class="indexterm"></a><div class="para">
					The <code class="command">ssh-agent</code> utility can be used to save your passphrase so that you do not have to enter it each time you initiate an <code class="command">ssh</code> or <code class="command">scp</code> connection. If you are using GNOME, the <code class="command">gnome-ssh-askpass</code> package contains the application used to prompt you for your passphrase when you log in to GNOME and save it until you log out of GNOME. You will not have to enter your password or passphrase for any <code class="command">ssh</code> or <code class="command">scp</code> connection made during that GNOME session. If you are not using GNOME, refer to <a class="xref" href="#s3-openssh-config-ssh-agent">Section 19.7.3.5, “Configuring <code class="command">ssh-agent</code>”</a>.
				</div><div class="para">
					To save your passphrase during your GNOME session, follow the following steps:
				</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
							You will need to have the package <code class="filename">gnome-ssh-askpass</code> installed; you can use the command <code class="command">rpm -q openssh-askpass</code> to determine if it is installed or not. If it is not installed, install it from your Red Hat Enterprise Linux CD-ROM set, from a Red Hat FTP mirror site, or using Red Hat Network.
						</div></li><li class="listitem"><div class="para">
							Select <span class="guimenu"><strong>Main Menu Button</strong></span> (on the Panel) &gt; <span class="guimenuitem"><strong>Preferences</strong></span> &gt; <span class="guimenuitem"><strong>More Preferences</strong></span> &gt; <span class="guilabel"><strong>Sessions</strong></span>, and click on the <span class="guilabel"><strong>Startup Programs</strong></span> tab. Click <span class="guibutton"><strong>Add</strong></span> and enter <strong class="userinput"><code>/usr/bin/ssh-add</code></strong> in the <span class="guilabel"><strong>Startup Command</strong></span> text area. Set it a priority to a number higher than any existing commands to ensure that it is executed last. A good priority number for <code class="command">ssh-add</code> is 70 or higher. The higher the priority number, the lower the priority. If you have other programs listed, this one should have the lowest priority. Click <span class="guibutton"><strong>Close</strong></span> to exit the program.
						</div></li><li class="listitem"><div class="para">
							Log out and then log back into GNOME; in other words, restart X. After GNOME is started, a dialog box will appear prompting you for your passphrase(s). Enter the passphrase requested. If you have both DSA and RSA key pairs configured, you will be prompted for both. From this point on, you should not be prompted for a password by <code class="command">ssh</code>, <code class="command">scp</code>, or <code class="command">sftp</code>.
						</div></li></ol></div></div><div class="section" id="s3-openssh-config-ssh-agent"><div class="titlepage"><div><div><h4 class="title" id="s3-openssh-config-ssh-agent">19.7.3.5. Configuring <code class="command">ssh-agent</code></h4></div></div></div><a id="id983214" class="indexterm"></a><a id="id983232" class="indexterm"></a><div class="para">
					The <code class="command">ssh-agent</code> can be used to store your passphrase so that you do not have to enter it each time you make a <code class="command">ssh</code> or <code class="command">scp</code> connection. If you are not running the X Window System, follow these steps from a shell prompt. If you are running GNOME but you do not want to configure it to prompt you for your passphrase when you log in (refer to <a class="xref" href="#s3-openssh-ssh-agent-with-gnome">Section 19.7.3.4, “Configuring <code class="command">ssh-agent</code> with a GUI”</a>), this procedure will work in a terminal window, such as an XTerm. If you are running X but not GNOME, this procedure will work in a terminal window. However, your passphrase will only be remembered for that terminal window; it is not a global setting.
				</div><a id="id983270" class="indexterm"></a><a id="id983287" class="indexterm"></a><div class="orderedlist"><ol><li class="listitem" id="nox"><div class="para">
							At a shell prompt, type the following command:
						</div><pre class="screen"><code class="command">exec /usr/bin/ssh-agent $SHELL</code></pre></li><li class="listitem"><div class="para">
							Then type the command:
						</div><pre class="screen"><code class="command">ssh-add</code></pre><div class="para">
							and enter your passphrase(s). If you have more than one key pair configured, you will be prompted for each one.
						</div></li><li class="listitem"><div class="para">
							When you log out, your passphrase(s) will be forgotten. You must execute these two commands each time you log in to a virtual console or open a terminal window.
						</div></li></ol></div></div></div></div><div class="section" id="s1-openssh-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-openssh-additional-resources">19.8. Additional Resources</h2></div></div></div><a id="id983366" class="indexterm"></a><a id="id983381" class="indexterm"></a><div class="para">
			The OpenSSH and OpenSSL projects are in constant development, and the most up-to-date information for them is available from their websites. The man pages for OpenSSH and OpenSSL tools are also good sources of detailed information.
		</div><div class="section" id="s2-openssh-installed-docs"><div class="titlepage"><div><div><h3 class="title" id="s2-openssh-installed-docs">19.8.1. Installed Documentation</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						The <code class="command">ssh</code>, <code class="command">scp</code>, <code class="command">sftp</code>, <code class="command">sshd</code>, and <code class="command">ssh-keygen</code> man pages — These man pages include information on how to use these commands as well as all the parameters that can be used with them.
					</div></li></ul></div></div><div class="section" id="s2-openssh-useful-websites"><div class="titlepage"><div><div><h3 class="title" id="s2-openssh-useful-websites">19.8.2. Useful Websites</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://www.openssh.com/">http://www.openssh.com/</a> — The OpenSSH FAQ page, bug reports, mailing lists, project goals, and a more technical explanation of the security features.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.openssl.org/">http://www.openssl.org/</a> — The OpenSSL FAQ page, mailing lists, and a description of the project goal.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.freesshd.com/">http://www.freesshd.com/</a> — SSH client software for other platforms.
					</div></li></ul></div></div></div><div class="footnotes"><br /><hr width="100" align="left" /><div class="footnote"><div class="para"><sup>[<a id="ftn.id1038268" href="#id1038268" class="para">4</a>] </sup>
						X11 refers to the X11R7 windowing display system, traditionally referred to as the X Window System or X. Red Hat Enterprise Linux includes X11R7, an open source X Window System.
					</div></div><div class="footnote"><div class="para"><sup>[<a id="ftn.id788897" href="#id788897" class="para">5</a>] </sup>
							DNS poisoning occurs when an intruder cracks a DNS server, pointing client systems to a maliciously duplicated host.
						</div></div><div class="footnote"><div class="para"><sup>[<a id="ftn.id788906" href="#id788906" class="para">6</a>] </sup>
							IP spoofing occurs when an intruder sends network packets which falsely appear to be from a trusted host on the network.
						</div></div><div class="footnote"><div class="para"><sup>[<a id="ftn.id879547" href="#id879547" class="para">7</a>] </sup>
					A multiplexed connection consists of several signals being sent over a shared, common medium. With SSH, different channels are sent over a common secure connection.
				</div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-nfs" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 20. Network File System (NFS)</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-nfs-how">20.1. How It Works</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-nfs-how-daemons">20.1.1. Required Services</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-nfs-client-config">20.2. NFS Client Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-nfs-fstab">20.2.1. Mounting NFS File Systems using <code class="filename">/etc/fstab</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-nfs-client-config-autofs">20.3. <code class="command">autofs</code></a></span></dt><dd><dl><dt><span class="section"><a href="#s2-nfs-config-autofs-new">20.3.1. What's new in <code class="command">autofs</code> version 5?</a></span></dt><dt><span class="section"><a href="#s2-nfs-config-autofs">20.3.2. <code class="command">autofs</code> Configuration</a></span></dt><dt><span class="section"><a href="#s2-nfs-config-autofs-commontasks">20.3.3. <code class="command">autofs</code> Common Tasks</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-nfs-client-config-options">20.4. Common NFS Mount Options</a></span></dt><dt><span class="section"><a href="#s1-nfs-start">20.5. Starting and Stopping NFS</a></span></dt><dt><span class="section"><a href="#s1-nfs-server-export">20.6. NFS Server Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-nfs-export">20.6.1. Exporting or Sharing NFS File Systems</a></span></dt><dt><span class="section"><a href="#s2-nfs-command-line">20.6.2. Command Line Configuration</a></span></dt><dt><span class="section"><a href="#s2-nfs-nfs-firewall-config">20.6.3. Running NFS Behind a Firewall</a></span></dt><dt><span class="section"><a href="#s2-nfs-hostname-formats">20.6.4. Hostname Formats</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-nfs-server-config-exports">20.7. The <code class="filename">/etc/exports</code> Configuration File</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-nfs-server-config-exportfs">20.7.1. The <code class="command">exportfs</code> Command</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-nfs-security">20.8. Securing NFS</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-nfs-security-hosts">20.8.1. Host Access</a></span></dt><dt><span class="section"><a href="#s2-nfs-security-files">20.8.2. File Permissions</a></span></dt></dl></dd><dt><span class="section"><a href="#s2-nfs-methodology-portmap">20.9. NFS and <code class="command">portmap</code></a></span></dt><dd><dl><dt><span class="section"><a href="#s3-nfs-methodology-portmap-rpcinfo">20.9.1. Troubleshooting NFS and <code class="command">portmap</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-nfs-tcp">20.10. Using NFS over TCP</a></span></dt><dt><span class="section"><a href="#s1-nfs-additional-resources">20.11. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-nfs-installed-documentation">20.11.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-nfs-useful-websites">20.11.2. Useful Websites</a></span></dt><dt><span class="section"><a href="#s2-nfs-related-books">20.11.3. Related Books</a></span></dt></dl></dd></dl></div><a id="id833204" class="indexterm"></a><a id="id1040735" class="indexterm"></a><div class="para">
		A <em class="firstterm">Network File System</em> (<acronym class="acronym">NFS</acronym>) allows remote hosts to mount file systems over a network and interact with those file systems as though they are mounted locally. This enables system administrators to consolidate resources onto centralized servers on the network.
	</div><div class="para">
		This chapter focuses on fundamental NFS concepts and supplemental information.
	</div><div class="section" id="s1-nfs-how"><div class="titlepage"><div><div><h2 class="title" id="s1-nfs-how">20.1. How It Works</h2></div></div></div><a id="id637878" class="indexterm"></a><a id="id829282" class="indexterm"></a><a id="id1065784" class="indexterm"></a><div class="para">
			Currently, there are three versions of NFS. NFS version 2 (NFSv2) is older and is widely supported. NFS version 3 (NFSv3) has more features, including 64bit file handles, Safe Async writes and more robust error handling. NFS version 4 (NFSv4) works through firewalls and on the Internet, no longer requires portmapper, supports ACLs, and utilizes stateful operations. Red Hat Enterprise Linux supports NFSv2, NFSv3, and NFSv4 clients, and when mounting a file system via NFS, Red Hat Enterprise Linux uses NFSv3 by default, if the server supports it.
		</div><div class="para">
			All versions of NFS can use <em class="firstterm">Transmission Control Protocol</em> (<acronym class="acronym">TCP</acronym>) running over an IP network, with NFSv4 requiring it. NFSv2 and NFSv3 can use the <em class="firstterm">User Datagram Protocol</em> (<acronym class="acronym">UDP</acronym>) running over an IP network to provide a stateless network connection between the client and server.
		</div><div class="para">
			When using NFSv2 or NFSv3 with UDP, the stateless UDP connection under normal conditions has less Protocol overhead than TCP which can translate into better performance on very clean, non-congested networks. The NFS server sends the client a file handle after the client is authorized to access the shared volume. This file handle is an opaque object stored on the server's side and is passed along with RPC requests from the client. The NFS server can be restarted without affecting the clients and the cookie remains intact. However, because UDP is stateless, if the server goes down unexpectedly, UDP clients continue to saturate the network with requests for the server. For this reason, TCP is the preferred protocol when connecting to an NFS server.
		</div><div class="para">
			Because protocol support has been incorporated into the v4 protocol, NFSv4 has no interaction with the <code class="command">portmap</code>, <code class="command">rpc.lockd</code>, and <code class="command">rpc.statd</code> daemons. NFSv4 listens on the well-known TCP port 2049, which eliminates the need for <code class="command">portmap</code> interaction. The mounting and locking protocols have been incorporated into the V4 protocol which eliminates the need for interaction with <code class="command">rpc.lockd</code> and <code class="command">rpc.statd</code>. The <code class="command">rpc.mountd</code> daemon is still required on the server, but is not involved in any over-the-wire operations.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				TCP is the default transport protocol for NFS under Red Hat Enterprise Linux. UDP can be used for compatibility purposes as needed, but is not recommended for wide usage.
			</div><div class="para">
				All the RPC/NFS daemon have a <code class="option">-p</code> command line option that can set the port, making firewall configuration easier.
			</div></div></div><div class="para">
			After the client is granted access by TCP wrappers, the NFS server refers to its configuration file, <code class="filename">/etc/exports</code>, to determine whether the client is allowed to access any of the exported file systems. Once access is granted, all file and directory operations are available to the user.
		</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
				In order for NFS to work with a default installation of Red Hat Enterprise Linux with a firewall enabled, IPTables with the default TCP port 2049 must be configured. Without proper IPTables configuration, NFS does not function properly.
			</div><div class="para">
				The NFS initialization script and <code class="command">rpc.nfsd</code> process now allow binding to any specified port during system start up. However, this can be error prone if the port is unavailable or conflicts with another daemon.
			</div></div></div><div class="section" id="s2-nfs-how-daemons"><div class="titlepage"><div><div><h3 class="title" id="s2-nfs-how-daemons">20.1.1. Required Services</h3></div></div></div><a id="id781286" class="indexterm"></a><div class="para">
				Red Hat Enterprise Linux uses a combination of kernel-level support and daemon processes to provide NFS file sharing. All NFS versions rely on <em class="firstterm">Remote Procedure Calls</em> (<acronym class="acronym">RPC</acronym>) between clients and servers. RPC services under Linux are controlled by the <code class="command">portmap</code> service. To share or mount NFS file systems, the following services work together, depending on which version of NFS is implemented:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">nfs</code> — (<code class="command">/sbin/service nfs start</code>) starts the NFS server and the appropriate RPC processes to service requests for shared NFS file systems.
					</div></li><li class="listitem"><div class="para">
						<code class="command">nfslock</code> — (<code class="command">/sbin/service nfslock start</code>) is a mandatory service that starts the appropriate RPC processes to allow NFS clients to lock files on the server.
					</div></li><li class="listitem"><div class="para">
						<code class="command">portmap</code> — accepts port reservations from local RPC services. These ports are then made available (or advertised) so the corresponding remote RPC services access them. <code class="command">portmap</code> responds to requests for RPC services and sets up connections to the requested RPC service.
					</div></li></ul></div><div class="para">
				The following RPC processes facilitate NFS services:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">rpc.mountd</code> — This process receives mount requests from NFS clients and verifies the requested file system is currently exported. This process is started automatically by the <code class="command">nfs</code> service and does not require user configuration.
					</div></li><li class="listitem"><div class="para">
						<code class="command">rpc.nfsd</code> — Allows explicit NFS versions and protocols the server advertises to be defined. It works with the Linux kernel to meet the dynamic demands of NFS clients, such as providing server threads each time an NFS client connects. This process corresponds to the <code class="command">nfs</code> service.
					</div></li><li class="listitem"><div class="para">
						<code class="command">rpc.lockd</code> — allows NFS clients to lock files on the server. If <code class="command">rpc.lockd</code> is not started, file locking will fail. <code class="command">rpc.lockd</code> implements the <em class="firstterm">Network Lock Manager (NLM)</em> protocol. This process corresponds to the <code class="command">nfslock</code> service. This is not used with NFSv4.
					</div></li><li class="listitem"><div class="para">
						<code class="command">rpc.statd</code> — This process implements the <em class="firstterm">Network Status Monitor (NSM)</em> RPC protocol which notifies NFS clients when an NFS server is restarted without being gracefully brought down. This process is started automatically by the <code class="command">nfslock</code> service and does not require user configuration. This is not used with NFSv4.
					</div></li><li class="listitem"><div class="para">
						<code class="command">rpc.rquotad</code> — This process provides user quota information for remote users. This process is started automatically by the <code class="command">nfs</code> service and does not require user configuration.
					</div></li><li class="listitem"><div class="para">
						<code class="command">rpc.idmapd</code> — This process provides NFSv4 client and server upcalls which map between on-the-wire NFSv4 names (which are strings in the form of user@domain) and local UIDs and GIDs. For <code class="command">idmapd</code> to function with NFSv4, the <code class="filename">/etc/idmapd.conf</code> must be configured. This service is required for use with NFSv4.
					</div></li></ul></div><div class="para">
				To use NFS on your system, make sure you have the <span class="package">nfs-utils</span>, <span class="package">nfs-utils-lib</span>, and <span class="package">portmap</span> packages installed.
			</div></div></div><div class="section" id="s1-nfs-client-config"><div class="titlepage"><div><div><h2 class="title" id="s1-nfs-client-config">20.2. NFS Client Configuration</h2></div></div></div><a id="id983524" class="indexterm"></a><div class="para">
			NFS shares are mounted on the client side using the <code class="command">mount</code> command. The format of the command is as follows:
		</div><pre class="screen"><code class="command">mount -t <em class="replaceable"><code>&lt;nfs-type&gt;</code></em> -o <em class="replaceable"><code>&lt;options&gt;</code></em> <em class="replaceable"><code>&lt;host&gt;</code></em>:<em class="replaceable"><code>&lt;/remote/export&gt;</code></em> <em class="replaceable"><code>&lt;/local/directory&gt;</code></em></code></pre><div class="para">
			Replace <em class="replaceable"><code>&lt;nfs-type&gt;</code></em> with either <code class="command">nfs</code> for NFSv2 or NFSv3 servers, or <code class="command">nfs4</code> for NFSv4 servers. Replace <em class="replaceable"><code>&lt;options&gt;</code></em> with a comma separated list of options for the NFS file system (refer to <a class="xref" href="#s1-nfs-client-config-options">Section 20.4, “Common NFS Mount Options”</a> for details). Replace <em class="replaceable"><code>&lt;host&gt;</code></em> with the remote host, <em class="replaceable"><code>&lt;/remote/export&gt;</code></em> with the remote directory being mounted, and <em class="replaceable"><code>&lt;/local/directory&gt;</code></em> with the local directory where the remote file system is to be mounted.
		</div><div class="para">
			Refer to the <code class="command">mount</code> man page for more details.
		</div><div class="para">
			If accessing an NFS share by manually issuing the <code class="command">mount</code> command, the file system must be remounted manually after the system is rebooted. Red Hat Enterprise Linux offers two methods for mounting remote file systems automatically at boot time: the <code class="filename">/etc/fstab</code> file or the <code class="command">autofs</code> service.
		</div><div class="section" id="s2-nfs-fstab"><div class="titlepage"><div><div><h3 class="title" id="s2-nfs-fstab">20.2.1. Mounting NFS File Systems using <code class="filename">/etc/fstab</code></h3></div></div></div><div class="para">
				<a id="id813630" class="indexterm"></a>
				 <a id="id813640" class="indexterm"></a>
				 An alternate way to mount an NFS share from another machine is to add a line to the <code class="filename">/etc/fstab</code> file. The <code class="filename">/etc/fstab</code> file is referenced by the <code class="command">netfs</code> service at boot time, so lines referencing NFS shares have the same effect as manually typing the <code class="command">mount</code> command during the boot process. Each line in this file must state the hostname of the NFS server, the directory on the server being exported, and the directory on the local machine where the NFS share is to be mounted. You must be root to modify the <code class="filename">/etc/fstab</code> file.
			</div><div class="para">
				The general syntax for a line in <code class="filename">/etc/fstab</code> is as follows:
			</div><pre class="screen"><code class="command"><em class="replaceable"><code>&lt;server&gt;</code></em>:<em class="replaceable"><code>&lt;/remote/export&gt;</code></em> <em class="replaceable"><code>&lt;/local/directory&gt;</code></em> <em class="replaceable"><code>&lt;nfs-type&gt;</code></em> <em class="replaceable"><code>&lt;options&gt;</code></em> 0 0</code></pre><div class="para">
				Replace <code class="option"><em class="replaceable"><code>&lt;server&gt;</code></em></code> with the hostname, IP address, or fully qualified domain name of the server exporting the file system. Replace <code class="option"><em class="replaceable"><code>&lt;/remote/export&gt;</code></em></code> with the path to the exported directory, and <code class="option"><em class="replaceable"><code>&lt;/local/directory&gt;</code></em></code> with the local file system on which the exported directory is mounted. Replace <code class="option"><em class="replaceable"><code>&lt;nfs-type&gt;</code></em></code> with either <code class="command">nfs</code> for NFSv2 or NFSv3 servers, or <code class="command">nfs4</code> for NFSv4 servers. Finally, replace <em class="replaceable"><code>&lt;options&gt;</code></em> with a comma separated list of options for the NFS file system (see <a class="xref" href="#s1-nfs-client-config-options">Section 20.4, “Common NFS Mount Options”</a> for details). Note that the mount point must exist before <code class="filename">/etc/fstab</code> is read, otherwise the mount fails.
			</div><div class="para">
				The following is a sample <code class="filename">/etc/fstab</code> line to mount an NFS export:
			</div><pre class="screen">server:/usr/local/pub    /pub   nfs    defaults 0 0</pre><div class="para">
				After adding this line to <code class="filename">/etc/fstab</code> on the client system, type the command <code class="filename">mount /pub</code> at a shell prompt, and the mount point <code class="filename">/pub</code> is mounted from the server. The mount point <code class="filename">/pub</code> must exist on the client machine before this command can be executed.
			</div><div class="para">
				For more information about the <code class="filename">/etc/fstab</code> configuration file and its contents, refer to the <code class="filename">fstab</code> manual page.
			</div></div></div><div class="section" id="s1-nfs-client-config-autofs"><div class="titlepage"><div><div><h2 class="title" id="s1-nfs-client-config-autofs">20.3. <code class="command">autofs</code></h2></div></div></div><a id="id969541" class="indexterm"></a><a id="id969558" class="indexterm"></a><div class="para">
			One drawback to using <code class="filename">/etc/fstab</code> is that, regardless of how infrequently a user accesses the NFS mounted file system, the system must dedicate resources to keep the mounted file system in place. This is not a problem with one or two mounts, but when the system is maintaining mounts to many systems at one time, overall system performance can be affected. An alternative to <code class="filename">/etc/fstab</code> is to use the kernel-based automount utility. An automounter consists of two components. One is a kernel module that implements a file system, while the other is a user-space daemon that performs all of the other functions. The automount utility can mount and unmount NFS file systems automatically (on demand mounting) therefore saving system resources. The automount utility can be used to mount other file systems including AFS, SMBFS, CIFS and local file systems.
		</div><div class="para">
			<code class="command">autofs</code> uses <code class="filename">/etc/auto.master</code> (master map) as its default primary configuration file. This can be changed to use another supported network source and name using the autofs configuration (in <code class="filename">/etc/sysconfig/autofs</code>) in conjunction with the Name Service Switch mechanism. An instance of the version 4 daemon was run for each mount point configured in the master map and so it could be run manually from the command line for any given mount point. This is not possible with version 5 because it uses a single daemon to manage all configured mount points, so all automounts must be configured in the master map. This is in line with the usual requirements of other industry standard automounters. Mount point, hostname, exported directory, and options can all be specified in a set of files (or other supported network sources) rather than configuring them manually for each host. Please ensure that you have the <code class="command">autofs</code> package installed if you wish to use this service.
		</div><div class="section" id="s2-nfs-config-autofs-new"><div class="titlepage"><div><div><h3 class="title" id="s2-nfs-config-autofs-new">20.3.1. What's new in <code class="command">autofs</code> version 5?</h3></div></div></div><a id="id969629" class="indexterm"></a><div class="variablelist"><dl><dt class="varlistentry"><span class="term">Direct map support</span></dt><dd><div class="para">
							Autofs direct maps provide a mechanism to automatically mount file systems at arbitrary points in the file system hierarchy. A direct map is denoted by a mount point of "/-" in the master map. Entries in a direct map contain an absolute path name as a key (instead of the relative path names used in indirect maps).
						</div></dd><dt class="varlistentry"><span class="term">Lazy mount and unmount support </span></dt><dd><div class="para">
							Multimount map entries describe a hierarchy of mount points under a single key. A good example of this is the "-hosts" map, commonly used for automounting all exports from a host under "<code class="filename">/net/&lt;host&gt;</code>" as a multi-mount map entry. When using the "<code class="filename">-hosts</code>" map, an '<code class="command">ls</code>' of "<code class="command">/net/&lt;host&gt;</code>" will mount autofs trigger mounts for each export from <code class="command">&lt;host&gt;</code> and mount and expire them as they are accessed. This can greatly reduce the number of active mounts needed when accessing a server with a large number of exports.
						</div></dd><dt class="varlistentry"><span class="term">Enhanced LDAP support</span></dt><dd><div class="para">
							The Lightweight Directory Access Protocol, or LDAP, support in autofs version 5 has been enhanced in several ways with respect to autofs version 4. The autofs configuration file (<code class="filename">/etc/sysconfig/autofs</code>) provides a mechanism to specify the autofs schema that a site implements, thus precluding the need to determine this via trial and error in the application itself. In addition, authenticated binds to the LDAP server are now supported, using most mechanisms supported by the common LDAP server implementations. A new configuration file has been added for this support: <code class="filename">/etc/autofs_ldap_auth.conf</code>. The default configuration file is self-documenting, and uses an XML format.
						</div></dd><dt class="varlistentry"><span class="term">Proper use of the Name Service Switch (<code class="command">nsswitch</code>) configuration.</span></dt><dd><div class="para">
							The Name Service Switch configuration file exists to provide a means of determining from where specific configuration data comes. The reason for this configuration is to allow administrators the flexibility of using the back-end database of choice, while maintaining a uniform software interface to access the data. While the version 4 automounter is becoming increasingly better at handling the name service switch configuration, it is still not complete. Autofs version 5, on the other hand, is a complete implementation. See the manual page for nsswitch.conf for more information on the supported syntax of this file. Please note that not all nss databases are valid map sources and the parser will reject ones that are invalid. Valid sources are files, yp, nis, nisplus, ldap and hesiod.
						</div></dd><dt class="varlistentry"><span class="term">Multiple master map entries per autofs mount point</span></dt><dd><div class="para">
							One thing that is frequently used but not yet mentioned is the handling of multiple master map entries for the direct mount point "/-". The map keys for each entry are merged and behave as one map.
						</div><div class="para">
							An example is seen in the connectathon test maps for the direct mounts below:
						</div><pre class="screen">/- /tmp/auto_dcthon
/- /tmp/auto_test3_direct
/- /tmp/auto_test4_direct</pre></dd></dl></div></div><div class="section" id="s2-nfs-config-autofs"><div class="titlepage"><div><div><h3 class="title" id="s2-nfs-config-autofs">20.3.2. <code class="command">autofs</code> Configuration</h3></div></div></div><a id="id969800" class="indexterm"></a><a id="id969817" class="indexterm"></a><div class="para">
				The primary configuration file for the automounter is <code class="filename">/etc/auto.master</code>, also referred to as the master map which may be changed as described in the introduction section above. The master map lists autofs-controlled mount points on the system, and their corresponding configuration files or network sources known as automount maps. The format of the master map is as follows:
			</div><pre class="screen">&lt;mount-point&gt; &lt;map-name&gt; &lt;options&gt;</pre><div class="para">
				where:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">mount-point</code> is the autofs mount point such as <code class="filename">/home</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">map-name</code> is the name of a map source which contains a list of mount points, and the file system location from which those mount points should be mounted. The syntax for a map entry is described below.
					</div></li><li class="listitem"><div class="para">
						<code class="command">options</code> if supplied, will apply to all entries in the given map provided they don't themselves have options specified. This behavior is different from autofs version 4 where the options where cumulative. This has been changed to meet our primary goal of mixed environment compatibility.
					</div></li></ul></div><div class="para">
				The following is a sample <code class="filename">/etc/auto.master</code> file:
			</div><pre class="screen">~]$ <code class="command">cat /etc/auto.master</code>
/home /etc/auto.misc</pre><div class="para">
				The general format of maps is similar to the master map, however the "options" appear between the mount point and the location instead of at the end of the entry as in the master map:
			</div><pre class="screen">&lt;mount-point&gt;   [&lt;options&gt;]   &lt;location&gt;</pre><div class="para">
				where:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">&lt;mount-point&gt;</code> is the autofs mount point. This can be a single directory name for an indirect mount or the full path of the mount point for direct mounts. Each direct and indirect map entry key (<code class="command">&lt;mount-point&gt;</code> above) may be followed by a space separated list of offset directories (sub directory names each beginning with a "/") making them what is known as a mutli-mount entry.
					</div></li><li class="listitem"><div class="para">
						&lt;options&gt; if supplied, are the mount options for the map entries that do not specify their own options.
					</div></li><li class="listitem"><div class="para">
						&lt;location&gt; is the file system location such as a local file system path (preceded with the Sun map format escape character ":" for map names beginning with "/"), an NFS file system or other valid file system location.
					</div></li></ul></div><div class="para">
				The following is a sample map file:
			</div><pre class="screen">~]$ <code class="command">cat /etc/auto.misc</code>
payroll -fstype=nfs personnel:/dev/hda3
sales -fstype=ext3 :/dev/hda4</pre><div class="para">
				The first column in a map file indicates the autofs mount point (<code class="filename">sales</code> and <code class="filename">payroll</code> from the server called <code class="filename">personnel</code>). The second column indicates the options for the autofs mount while the third column indicates the source of the mount. Following the above configuration, the autofs mount points will be <code class="filename">/home/payroll</code> and <code class="filename">/home/sales</code>. The <code class="command">-fstype=</code> option is often omitted and is generally not needed for correct operation.
			</div><div class="para">
				The automounter will create the directories if they do not exist. If the directories exist before the automounter was started, the automounter will not remove them when it exits. You can start or restart the automount daemon by issuing the following command:
			</div><pre class="screen"><code class="command">service autofs start</code></pre><div class="para">
				or
			</div><pre class="screen"><code class="command">service autofs restart</code></pre><div class="para">
				Using the above configuration, if a process requires access to an autofs unmounted directory such as <code class="filename">/home/payroll/2006/July.sxc</code>, the automount daemon automatically mounts the directory. If a timeout is specified, the directory will automatically be unmounted if the directory is not accessed for the timeout period.
			</div><div class="para">
				You can view the status of the automount daemon by issuing the following command in your terminal:
			</div><pre class="screen"><code class="command">/sbin/service/autofs status</code></pre></div><div class="section" id="s2-nfs-config-autofs-commontasks"><div class="titlepage"><div><div><h3 class="title" id="s2-nfs-config-autofs-commontasks">20.3.3. <code class="command">autofs</code> Common Tasks</h3></div></div></div><a id="id964060" class="indexterm"></a><a id="id964077" class="indexterm"></a><div class="section" id="s2-nfs-config-autofs-augmenting"><div class="titlepage"><div><div><h4 class="title" id="s2-nfs-config-autofs-augmenting">20.3.3.1. Overriding or augmenting site configuration files</h4></div></div></div><a id="id964098" class="indexterm"></a><div class="para">
					It can be useful to override site defaults for a specific mount point on a client system. For example, assuming that the automounter maps are stored in NIS and the <code class="filename">/etc/nsswitch.conf</code> file has the following directive:
				</div><pre class="screen">automount:  files nis</pre><div class="para">
					and the NIS <code class="filename">auto.master</code> map file contains the following:
				</div><pre class="screen">/home auto.home</pre><div class="para">
					Also assume the NIS <code class="filename">auto.home</code> map contains the following:
				</div><pre class="screen">beth     fileserver.example.com:/export/home/beth
joe      fileserver.example.com:/export/home/joe
*        fileserver.example.com:/export/home/&amp;</pre><div class="para">
					and the file map <code class="filename">/etc/auto.home</code> does not exist.
				</div><div class="para">
					For the above example, lets assume that the client system needs to mount home directories from a different server. In this case, the client will need to use the following <code class="filename">/etc/auto.master</code> map:
				</div><pre class="screen">/home /etc/auto.home2
+auto.master</pre><div class="para">
					And the <code class="filename">/etc/auto.home2</code> map contains the entry:
				</div><pre class="screen">*   labserver.example.com:/export/home/&amp;</pre><div class="para">
					Because only the first occurrence of a mount point is processed, <code class="filename">/home</code> will contain the contents of <code class="filename">/etc/auto.home2</code> instead of the NIS <code class="filename">auto.home</code> map.
				</div><div class="para">
					Alternatively, if you just want to augment the site-wide <code class="literal">auto.home</code> map with a few entries, create a <code class="filename">/etc/auto.home</code> file map, and in it put your new entries and at the end, include the NIS auto.home map. Then the <code class="filename">/etc/auto.home</code> file map might look similar to:
				</div><pre class="screen">mydir someserver:/export/mydir
+auto.home</pre><div class="para">
					Given the NIS <code class="filename">auto.home</code> map listed above, an <code class="command">ls</code> of <code class="filename">/home</code> would now give:
				</div><pre class="screen">~]$ <code class="command">ls /home</code>
beth  joe  mydir</pre><div class="para">
					This last example works as expected because <code class="filename">autofs</code> knows not to include the contents of a file map of the same name as the one it is reading and so moves on to the next map source in the <code class="filename">nsswitch</code> configuration.
				</div></div><div class="section" id="s2-nfs-config-autofs-LDAP"><div class="titlepage"><div><div><h4 class="title" id="s2-nfs-config-autofs-LDAP">20.3.3.2. Using LDAP to Store Automounter Maps</h4></div></div></div><a id="id964266" class="indexterm"></a><div class="para">
					LDAP client libraries must be installed on all systems which are to retrieve automounter maps from LDAP. On RHEL 5, the <code class="filename">openldap</code> package should be installed automatically as a dependency of the <code class="filename">automounter</code>. To configure LDAP access, modify <code class="filename">/etc/openldap/ldap.conf</code>. Ensure that BASE and URI are set appropriately for your site. Please also ensure that the schema is set in the configuration.
				</div><div class="para">
					The most recently established schema for storing automount maps in LDAP is described by <code class="filename">rfc2307bis</code>. To use this schema it is necessary to set it in the <code class="filename">autofs</code> configuration (<code class="filename">/etc/sysconfig/autofs</code>) by removing the comment characters from the schema definition. For example:
				</div><pre class="screen">DEFAULT_MAP_OBJECT_CLASS="automountMap"
DEFAULT_ENTRY_OBJECT_CLASS="automount"
DEFAULT_MAP_ATTRIBUTE="automountMapName"
DEFAULT_ENTRY_ATTRIBUTE="automountKey"
DEFAULT_VALUE_ATTRIBUTE="automountInformation"</pre><div class="para">
					Ensure that these are the only schema entries not commented in the configuration. Please also note that the <code class="command">automountKey</code> replaces the <code class="command">cn</code> attribute in the <code class="filename">rfc2307bis</code> schema. An <code class="filename">LDIF</code> of a sample configuration is described below:
				</div><pre class="screen"># extended LDIF
#
# LDAPv3
# base &lt;&gt; with scope subtree
# filter: (&amp;(objectclass=automountMap)(automountMapName=auto.master))
# requesting: ALL
#

# auto.master, example.com
dn: automountMapName=auto.master,dc=example,dc=com
objectClass: top
objectClass: automountMap
automountMapName: auto.master

# extended LDIF
#
# LDAPv3
# base &lt;automountMapName=auto.master,dc=example,dc=com&gt; with scope subtree
# filter: (objectclass=automount)
# requesting: ALL
#

# /home, auto.master, example.com
dn: automountMapName=auto.master,dc=example,dc=com
objectClass: automount
cn: /home

automountKey: /home
automountInformation: auto.home

# extended LDIF
#
# LDAPv3
# base &lt;&gt; with scope subtree
# filter: (&amp;(objectclass=automountMap)(automountMapName=auto.home))
# requesting: ALL
#

# auto.home, example.com
dn: automountMapName=auto.home,dc=example,dc=com
objectClass: automountMap
automountMapName: auto.home

# extended LDIF
#
# LDAPv3
# base &lt;automountMapName=auto.home,dc=example,dc=com&gt; with scope subtree
# filter: (objectclass=automount)
# requesting: ALL
#

# foo, auto.home, example.com
dn: automountKey=foo,automountMapName=auto.home,dc=example,dc=com
objectClass: automount
automountKey: foo
automountInformation: filer.example.com:/export/foo

# /, auto.home, example.com
dn: automountKey=/,automountMapName=auto.home,dc=example,dc=com
objectClass: automount
automountKey: /
automountInformation: filer.example.com:/export/&amp;</pre></div><div class="section" id="s2-nfs-config-autofs-adapting"><div class="titlepage"><div><div><h4 class="title" id="s2-nfs-config-autofs-adapting">20.3.3.3. Adapting Autofs v4 Maps To Autofs v5</h4></div></div></div><a id="id964368" class="indexterm"></a><div class="formalpara" id="v4-multimap-entities"><h5 class="formalpara">v4 Multi-map entries</h5>
						Autofs version 4 introduced the notion of a multi-map entry in the master map. A multi-map entry is of the form:
					</div><pre class="screen">&lt;mount-point&gt; &lt;maptype1&gt; &lt;mapname1&gt; &lt;options1&gt; -- &lt;maptype2&gt; &lt;mapname2&gt; &lt;options2&gt; -- ...</pre><div class="para">
					Any number of maps can be combined into a single map in this manner. This feature is no longer present in v5. This is because Version 5 supports included maps which can be used to attain the same results. Consider the following multi-map example:
				</div><pre class="screen"><code class="command">/home file /etc/auto.home -- nis auto.home</code></pre><div class="para">
					This can be replaced by the following configuration for v5:
				</div><div class="para">
					<code class="filename">/etc/nsswitch.conf</code> must list:
				</div><pre class="screen">automount: files nis</pre><div class="para">
					<code class="filename">/etc/auto.master</code> should contain:
				</div><pre class="screen">/home  auto.home</pre><div class="para">
					<code class="filename">/etc/auto.home</code> should contain:
				</div><pre class="screen">&lt;entries for the home directory&gt;
+auto.home</pre><div class="para">
					In this way, the entries from <code class="filename">/etc/auto.home</code> and the nis <code class="filename">auto.home</code> map are combined.
				</div><div class="formalpara" id="multiple-master"><h5 class="formalpara">Multiple master maps</h5>
						In autofs version 4, it is possible to merge the contents of master maps from each source, such as files, nis, hesiod, and LDAP. The version 4 automounter looks for a master map for each of the sources listed in <code class="filename">/etc/nsswitch.conf</code>. The map is read if it exists and its contents are merged into one large <code class="filename">auto.master</code> map.
					</div><div class="para">
					In version 5, this is no longer the behaviour. Only the first master map found from the list of sources in <code class="filename">nsswitch.conf</code> is consulted. If it is desirable to merge the contents of multiple master maps, included maps can be used. Consider the following example:
				</div><pre class="screen">/etc/nsswitch.conf:
automount: files nis</pre><pre class="screen">/etc/auto.master:
/home  /etc/auto.home
+auto.master</pre><div class="para">
					The above configuration will merge the contents of the file-based <code class="filename">auto.master</code> and the NIS-based <code class="filename">auto.master</code>. However, because included map entries are only allowed in file maps, there is no way to include both an NIS <code class="filename">auto.master</code> and an LDAP <code class="filename">auto.master</code>.
				</div><div class="para">
					This limitation can be overcome by creating a master maps that have a different name in the source. In the example above if we had an LDAP master map named <code class="filename">auto.master.ldap</code> we could also add <code class="filename">"+auto.master.ldap"</code> to the file based master map and provided that "<code class="filename">ldap</code>" is listed as a source in our nsswitch configuration it would also be included.
				</div></div></div></div><div class="section" id="s1-nfs-client-config-options"><div class="titlepage"><div><div><h2 class="title" id="s1-nfs-client-config-options">20.4. Common NFS Mount Options</h2></div></div></div><a id="id964557" class="indexterm"></a><div class="para">
			Beyond mounting a file system via NFS on a remote host, other options can be specified at the time of the mount to make it easier to use. These options can be used with manual <code class="command">mount</code> commands, <code class="filename">/etc/fstab</code> settings, and <code class="command">autofs</code>.
		</div><div class="para">
			The following are options commonly used for NFS mounts:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="option">hard</code> or <code class="option">soft</code> — Specifies whether the program using a file via an NFS connection should stop and wait (<code class="option">hard</code>) for the server to come back online, if the host serving the exported file system is unavailable, or if it should report an error (<code class="option">soft</code>).
				</div><div class="para">
					If <code class="option">hard</code> is specified, the user cannot terminate the process waiting for the NFS communication to resume unless the <code class="option">intr</code> option is also specified.
				</div><div class="para">
					If <code class="option">soft</code> is specified, the user can set an additional <code class="option">timeo=<em class="replaceable"><code>&lt;value&gt;</code></em></code> option, where <code class="option"><em class="replaceable"><code>&lt;value&gt;</code></em></code> specifies the number of seconds to pass before the error is reported.
				</div></li></ul></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				Using soft mounts is not recommended as they can generate I/O errors in very congested networks or when using a very busy server.
			</div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="option">intr</code> — Allows NFS requests to be interrupted if the server goes down or cannot be reached.
				</div></li><li class="listitem"><div class="para">
					<code class="option">nfsvers=2</code> or <code class="option">nfsvers=3</code> — Specifies which version of the NFS protocol to use. This is useful for hosts that run multiple NFS servers. If no version is specified, NFS uses the highest supported version by the kernel and <code class="command">mount</code> command. This option is not supported with NFSv4 and should not be used.
				</div></li><li class="listitem"><div class="para">
					<code class="option">noacl</code> — Turns off all ACL processing. This may be needed when interfacing with older versions of Red Hat Enterprise Linux, Red Hat Linux, or Solaris, since the most recent ACL technology is not compatible with older systems.
				</div></li><li class="listitem"><div class="para">
					<code class="option">nolock</code> — Disables file locking. This setting is occasionally required when connecting to older NFS servers.
				</div></li><li class="listitem"><div class="para">
					<code class="option">noexec</code> — Prevents execution of binaries on mounted file systems. This is useful if the system is mounting a non-Linux file system via NFS containing incompatible binaries.
				</div></li><li class="listitem"><div class="para">
					<code class="option">nosuid</code> — Disables set-user-identifier or set-group-identifier bits. This prevents remote users from gaining higher privileges by running a setuid program.
				</div></li><li class="listitem"><div class="para">
					<code class="option">port=num</code> — Specifies the numeric value of the NFS server port. If <code class="command"><em class="replaceable"><code>num</code></em></code> is <code class="command">0</code> (the default), then <code class="command">mount</code> queries the remote host's portmapper for the port number to use. If the remote host's NFS daemon is not registered with its portmapper, the standard NFS port number of TCP 2049 is used instead.
				</div></li><li class="listitem"><div class="para">
					<code class="option">rsize=num</code> and <code class="option">wsize=num</code> — These settings speed up NFS communication for reads (<code class="option">rsize</code>) and writes (<code class="option">wsize</code>) by setting a larger data block size, in bytes, to be transferred at one time. Be careful when changing these values; some older Linux kernels and network cards do not work well with larger block sizes. For NFSv2 or NFSv3, the default values for both parameters is set to 8192. For NFSv4, the default values for both parameters is set to 32768.
				</div></li><li class="listitem"><div class="para">
					<code class="option">sec=mode</code> — Specifies the type of security to utilize when authenticating an NFS connection.
				</div><div class="para">
					<code class="option">sec=sys</code> is the default setting, which uses local UNIX UIDs and GIDs by means of AUTH_SYS to authenticate NFS operations.
				</div><div class="para">
					<code class="option">sec=krb5</code> uses Kerberos V5 instead of local UNIX UIDs and GIDs to authenticate users.
				</div><div class="para">
					<code class="option">sec=krb5i</code> uses Kerberos V5 for user authentication and performs integrity checking of NFS operations using secure checksums to prevent data tampering.
				</div><div class="para">
					<code class="option">sec=krb5p</code> uses Kerberos V5 for user authentication, integrity checking, and encrypts NFS traffic to prevent traffic sniffing. This is the most secure setting, but it also has the most performance overhead involved.
				</div></li><li class="listitem"><div class="para">
					<code class="option">tcp</code> — Specifies for the NFS mount to use the TCP protocol.
				</div></li><li class="listitem"><div class="para">
					<code class="option">udp</code> — Specifies for the NFS mount to use the UDP protocol.
				</div></li></ul></div><div class="para">
			Many more options are listed on the <code class="command">mount</code> and <code class="command">nfs</code> man pages.
		</div></div><div class="section" id="s1-nfs-start"><div class="titlepage"><div><div><h2 class="title" id="s1-nfs-start">20.5. Starting and Stopping NFS</h2></div></div></div><a id="id1059241" class="indexterm"></a><a id="id1059253" class="indexterm"></a><a id="id1059265" class="indexterm"></a><a id="id1059277" class="indexterm"></a><a id="id1059289" class="indexterm"></a><a id="id1059301" class="indexterm"></a><a id="id1059313" class="indexterm"></a><div class="para">
			To run an NFS server, the <code class="command">portmap</code> service must be running. To verify that <code class="command">portmap</code> is active, type the following command as root:
		</div><pre class="screen"><code class="command">service portmap status</code></pre><div class="para">
			If the <code class="command">portmap</code> service is running, then the <code class="command">nfs</code> service can be started. To start an NFS server, as root type:
		</div><pre class="screen"><code class="command">service nfs start</code></pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				<code class="command">nfslock</code> also has to be started for both the NFS client and server to function properly. To start NFS locking as root type: <code class="command">/sbin/service nfslock start</code>. If NFS is set to start at boot, please ensure that <code class="command">nfslock</code> also starts by running <code class="command">chkconfig --list nfslock</code>. If <code class="command">nfslock</code> is not set to <code class="command">on</code>, this implies that you will need to manually run the <code class="command">/sbin/service nfslock start</code> each time the computer starts. To set <code class="command">nfslock</code> to automatically start on boot, type the following command in a terminal <code class="command">chkconfig nfslock on</code>.
			</div></div></div><div class="para">
			To stop the server, as root, type:
		</div><pre class="screen"><code class="command">service nfs stop</code></pre><div class="para">
			The <code class="option">restart</code> option is a shorthand way of stopping and then starting NFS. This is the most efficient way to make configuration changes take effect after editing the configuration file for NFS.
		</div><div class="para">
			To restart the server, as root, type:
		</div><pre class="screen"><code class="command">service nfs restart</code></pre><div class="para">
			The <code class="option">condrestart</code> (<em class="firstterm">conditional restart</em>) option only starts <code class="command">nfs</code> if it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.
		</div><div class="para">
			To conditionally restart the server, as root, type:
		</div><pre class="screen"><code class="command">service nfs condrestart</code></pre><div class="para">
			To reload the NFS server configuration file without restarting the service, as root, type:
		</div><pre class="screen"><code class="command">service nfs reload</code></pre><div class="para">
			By default, the <code class="command">nfs</code> service does <span class="emphasis"><em>not</em></span> start automatically at boot time. To configure the NFS to start up at boot time, use an initscript utility, such as <code class="command">/sbin/chkconfig</code>, <span class="application"><strong>/usr/sbin/ntsysv</strong></span>, or the <span class="application"><strong>Services Configuration Tool</strong></span> program. Refer to <a class="xref" href="#ch-services">Chapter 17, <em>Controlling Access to Services</em></a> for more information regarding these tools.
		</div></div><div class="section" id="s1-nfs-server-export"><div class="titlepage"><div><div><h2 class="title" id="s1-nfs-server-export">20.6. NFS Server Configuration</h2></div></div></div><a id="id1059504" class="indexterm"></a><div class="para">
			There are three ways to configure an NFS server under Red Hat Enterprise Linux: using the <span class="application"><strong>NFS Server Configuration Tool</strong></span> (<code class="command">system-config-nfs</code>), manually editing its configuration file (<code class="filename">/etc/exports</code>), or using the <code class="command">/usr/sbin/exportfs</code> command.
		</div><div class="para">
			To use the NFS Server Configuration Tool, you must be running X Windows, have root privileges, and have the system-config-nfs RPM package installed. To start the application, click on <span class="guimenu"><strong>System</strong></span> &gt; <span class="guimenu"><strong>Administration</strong></span> &gt; <span class="guimenu"><strong>Server Settings</strong></span> &gt; <span class="guimenu"><strong>NFS</strong></span>. You can also type the command <code class="command">system-config-nfs</code> in a terminal. The NFS Server Configuration tool window is illustrated below.
		</div><div class="figure" id="fig-system-config-nfs"><div class="figure-contents"><div class="mediaobject"><img src="images/system-config-nfs.png" width="444" alt="NFS Server Configuration Tool" /><div class="longdesc"><div class="para">
						NFS Configuration Tool
					</div></div></div></div><h6>Figure 20.1. <span class="application">NFS Server Configuration Tool</span></h6></div><br class="figure-break" /><div class="para">
			Based on certain firewall settings, you may need to configure the NFS daemon processes to use specific networking ports. The NFS server settings allows you to specify the ports for each process instead of using the random ports assigned by the portmapper. You can set the NFS Server settings by clicking on the <span class="guibutton"><strong>Server Settings</strong></span> button. The figure below illustrates the NFS Server Settings window.
		</div><div class="figure" id="fig-nfs-server-settings"><div class="figure-contents"><div class="mediaobject"><img src="images/nfs-server-settings.png" width="444" alt="NFS Server Settings" /><div class="longdesc"><div class="para">
						NFS Server Settings
					</div></div></div></div><h6>Figure 20.2. <span class="application">NFS Server Settings</span></h6></div><br class="figure-break" /><div class="section" id="s2-nfs-export"><div class="titlepage"><div><div><h3 class="title" id="s2-nfs-export">20.6.1. Exporting or Sharing NFS File Systems</h3></div></div></div><a id="id1059648" class="indexterm"></a><a id="id1059660" class="indexterm"></a><a id="id1059667" class="indexterm"></a><a id="id1059683" class="indexterm"></a><div class="para">
				Sharing or serving files from an NFS server is known as exporting the directories. The <span class="application"><strong>NFS Server Configuration Tool</strong></span> can be used to configure a system as an NFS server.
			</div><div class="para">
				To add an NFS share, click the <span class="guibutton"><strong>Add</strong></span> button. The dialog box shown in <a class="xref" href="#fig-add-share">Figure 20.3, “Add Share”</a> appears.
			</div><div class="para">
				The <span class="guilabel"><strong>Basic</strong></span> tab requires the following information:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Directory</strong></span> — Specify the directory to share, such as <code class="filename">/tmp</code>.
					</div></li><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Host(s)</strong></span> — Specify the host(s) with which to share the directory. Refer to <a class="xref" href="#s2-nfs-hostname-formats">Section 20.6.4, “Hostname Formats”</a> for an explanation of possible formats.
					</div></li><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Basic permissions</strong></span> — Specify whether the directory should have read-only or read/write permissions.
					</div></li></ul></div><div class="figure" id="fig-add-share"><div class="figure-contents"><div class="mediaobject"><img src="images/nfs-add.png" alt="Add Share" /><div class="longdesc"><div class="para">
							Add NFS Share
						</div></div></div></div><h6>Figure 20.3. Add Share</h6></div><br class="figure-break" /><div class="para">
				The <span class="guilabel"><strong>General Options</strong></span> tab allows the following options to be configured:
			</div><div class="figure" id="fig-nfs-general-options"><div class="figure-contents"><div class="mediaobject"><img src="images/nfs-general-options.png" alt="NFS General Options" /><div class="longdesc"><div class="para">
							General Options
						</div></div></div></div><h6>Figure 20.4. NFS General Options</h6></div><br class="figure-break" /><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Allow connections from port 1024 and higher</strong></span> — Services started on port numbers less than 1024 must be started as root. Select this option to allow the NFS service to be started by a user other than root. This option corresponds to <code class="command">insecure</code>.
					</div></li><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Allow insecure file locking</strong></span> — Do not require a lock request. This option corresponds to <code class="command">insecure_locks</code>.
					</div></li><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Disable subtree checking</strong></span> — If a subdirectory of a file system is exported, but the entire file system is not exported, the server checks to see if the requested file is in the subdirectory exported. This check is called <em class="firstterm">subtree checking</em>. Select this option to disable subtree checking. If the entire file system is exported, selecting to disable subtree checking can increase the transfer rate. This option corresponds to <code class="command">no_subtree_check</code>.
					</div></li><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Sync write operations on request</strong></span> — Enabled by default, this option does not allow the server to reply to requests before the changes made by the request are written to the disk. This option corresponds to <code class="command">sync</code>. If this is not selected, the <code class="command">async</code> option is used.
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<span class="guilabel"><strong>Force sync of write operations immediately</strong></span> — Do not delay writing to disk. This option corresponds to <code class="command">no_wdelay</code>.
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Hide filesystems beneath</strong></span> turns the <code class="command">nohide</code> option on or off. When the <code class="command">nohide</code> option is off, nested directories are revealed. The clients can therefore navigate through a filesystem from the parent without noticing any changes.
					</div></li><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Export only if mounted</strong></span> sets the <code class="command">mountpoint</code> option which allows a directory to be exported only if it has been mounted.
					</div></li><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Optional Mount Point</strong></span> specifies the path to an optional mount point. Click on the <span class="guibutton"><strong>Browse</strong></span> to navigate to the preferred mount point or type the path if known.
					</div></li><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Set explicit Filesystem ID:</strong></span> sets the <code class="command">fsid=X</code> option. This is mainly used in a clustered setup. Using a consistent filesystem ID in all clusters avoids having stale NFS filehandles.
					</div></li></ul></div><div class="figure" id="fig-nfs-user-access"><div class="figure-contents"><div class="mediaobject"><img src="images/nfs-user-access.png" alt="NFS User Access" /><div class="longdesc"><div class="para">
							User Access
						</div></div></div></div><h6>Figure 20.5. NFS User Access</h6></div><br class="figure-break" /><div class="para">
				The <span class="guilabel"><strong>User Access</strong></span> tab allows the following options to be configured:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Treat remote root user as local root</strong></span> — By default, the user and group IDs of the root user are both 0. Root squashing maps the user ID 0 and the group ID 0 to the user and group IDs of anonymous so that root on the client does not have root privileges on the NFS server. If this option is selected, root is not mapped to anonymous, and root on a client has root privileges to exported directories. Selecting this option can greatly decrease the security of the system. Do not select it unless it is absolutely necessary. This option corresponds to <code class="command">no_root_squash</code>.
					</div></li><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Treat all client users as anonymous users</strong></span> — If this option is selected, all user and group IDs are mapped to the anonymous user. This option corresponds to <code class="command">all_squash</code>.
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<span class="guilabel"><strong>Specify local user ID for anonymous users</strong></span> — If <span class="guilabel"><strong>Treat all client users as anonymous users</strong></span> is selected, this option lets you specify a user ID for the anonymous user. This option corresponds to <code class="command">anonuid</code>.
							</div></li><li class="listitem"><div class="para">
								<span class="guilabel"><strong>Specify local group ID for anonymous users</strong></span> — If <span class="guilabel"><strong>Treat all client users as anonymous users</strong></span> is selected, this option lets you specify a group ID for the anonymous user. This option corresponds to <code class="command">anongid</code>.
							</div></li></ul></div></li></ul></div><div class="para">
				To edit an existing NFS share, select the share from the list, and click the <span class="guibutton"><strong>Properties</strong></span> button. To delete an existing NFS share, select the share from the list, and click the <span class="guibutton"><strong>Delete</strong></span> button.
			</div><a id="id1060144" class="indexterm"></a><a id="id1060154" class="indexterm"></a><div class="para">
				After clicking <span class="guibutton"><strong>OK</strong></span> to add, edit, or delete an NFS share from the list, the changes take place immediately — the server daemon is restarted and the old configuration file is saved as <code class="filename">/etc/exports.bak</code>. The new configuration is written to <code class="filename">/etc/exports</code>.
			</div><div class="para">
				The <span class="application"><strong>NFS Server Configuration Tool</strong></span> reads and writes directly to the <code class="filename">/etc/exports</code> configuration file. Thus, the file can be modified manually after using the tool, and the tool can be used after modifying the file manually (provided the file was modified with correct syntax).
			</div><div class="para">
				The next this section discusses manually editing <code class="filename">/etc/exports</code> and using the <code class="command">/usr/sbin/exportfs</code> command to export NFS file systems.
			</div></div><div class="section" id="s2-nfs-command-line"><div class="titlepage"><div><div><h3 class="title" id="s2-nfs-command-line">20.6.2. Command Line Configuration</h3></div></div></div><a id="id1060214" class="indexterm"></a><div class="para">
				If you prefer editing configuration files using a text editor or if you do not have the X Window System installed, you can modify the configuration file directly.
			</div><div class="para">
				The <code class="filename">/etc/exports</code> file controls what directories the NFS server exports. Its format is as follows:
			</div><pre class="screen"><em class="replaceable"><code>directory</code></em> <em class="replaceable"><code>hostname</code></em>(<em class="replaceable"><code>options</code></em>)</pre><div class="para">
				The only option that needs to be specified is one of <code class="command">sync</code> or <code class="command">async</code> (<code class="command">sync</code> is recommended). If <code class="command">sync</code> is specified, the server does not reply to requests before the changes made by the request are written to the disk.
			</div><div class="para">
				For example,
			</div><pre class="screen">/misc/export speedy.example.com(sync)</pre><div class="para">
				would allow users from <code class="filename">speedy.example.com</code> to mount <code class="filename">/misc/export</code> with the default read-only permissions, but,
			</div><pre class="screen">/misc/export speedy.example.com(rw,sync)</pre><div class="para">
				would allow users from <code class="filename">speedy.example.com</code> to mount <code class="filename">/misc/export</code> with read/write privileges.
			</div><div class="para">
				Refer to <a class="xref" href="#s2-nfs-hostname-formats">Section 20.6.4, “Hostname Formats”</a> for an explanation of possible hostname formats.
			</div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
					Be careful with spaces in the <code class="filename">/etc/exports</code> file. If there are no spaces between the hostname and the options in parentheses, the options apply only to the hostname. If there is a space between the hostname and the options, the options apply to the rest of the world. For example, examine the following lines:
				</div><pre class="screen">/misc/export speedy.example.com(rw,sync) /misc/export speedy.example.com (rw,sync)</pre><div class="para">
					The first line grants users from <code class="filename">speedy.example.com</code> read-write access and denies all other users. The second line grants users from <code class="filename">speedy.example.com</code> read-only access (the default) and allows the rest of the world read-write access.
				</div></div></div><div class="para">
				Each time you change <code class="filename">/etc/exports</code>, you must inform the NFS daemon of the change, or reload the configuration file with the following command:
			</div><pre class="screen"><code class="command">service nfs reload</code></pre></div><div class="section" id="s2-nfs-nfs-firewall-config"><div class="titlepage"><div><div><h3 class="title" id="s2-nfs-nfs-firewall-config">20.6.3. Running NFS Behind a Firewall</h3></div></div></div><a id="id1060377" class="indexterm"></a><div class="para">
				Because NFS requires portmap, which dynamically assigns ports for RPC services and can cause problems for configuring firewall rules, you can edit the <code class="filename">/etc/sysconfig/nfs</code> configuration file to control which ports the required RPC services run on. Refer to and read <a class="xref" href="#s2-sysconfig-nfs">Section 30.1.22, “<code class="filename">/etc/sysconfig/nfs</code>”</a> for instructions on how to configure a firewall to allow NFS.
			</div></div><div class="section" id="s2-nfs-hostname-formats"><div class="titlepage"><div><div><h3 class="title" id="s2-nfs-hostname-formats">20.6.4. Hostname Formats</h3></div></div></div><a id="id929489" class="indexterm"></a><div class="para">
				The host(s) can be in the following forms:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Single machine — A fully qualified domain name (that can be resolved by the server), hostname (that can be resolved by the server), or an IP address.
					</div></li><li class="listitem"><div class="para">
						Series of machines specified with wildcards — Use the * or ? character to specify a string match. Wildcards are not to be used with IP addresses; however, they may accidentally work if reverse DNS lookups fail. When specifying wildcards in fully qualified domain names, dots (.) are not included in the wildcard. For example, <code class="computeroutput">*.example.com</code> includes one.example.com but does not include one.two.example.com.
					</div></li><li class="listitem"><div class="para">
						IP networks — Use <em class="replaceable"><code>a.b.c.d/z</code></em>, where <em class="replaceable"><code>a.b.c.d</code></em> is the network and <em class="replaceable"><code>z</code></em> is the number of bits in the netmask (for example 192.168.0.0/24). Another acceptable format is <em class="replaceable"><code>a.b.c.d/netmask</code></em>, where <em class="replaceable"><code>a.b.c.d</code></em> is the network and <em class="replaceable"><code>netmask</code></em> is the netmask (for example, 192.168.100.8/255.255.255.0).
					</div></li><li class="listitem"><div class="para">
						Netgroups — In the format <em class="replaceable"><code>@group-name</code></em>, where <em class="replaceable"><code>group-name</code></em> is the NIS netgroup name.
					</div></li></ul></div></div></div><div class="section" id="s1-nfs-server-config-exports"><div class="titlepage"><div><div><h2 class="title" id="s1-nfs-server-config-exports">20.7. The <code class="filename">/etc/exports</code> Configuration File</h2></div></div></div><a id="id929594" class="indexterm"></a><div class="para">
			The <code class="filename">/etc/exports</code> file controls which file systems are exported to remote hosts and specifies options. Blank lines are ignored, comments can be made by starting a line with the hash mark (<code class="command">#</code>), and long lines can be wrapped with a backslash (<code class="command">\</code>). Each exported file system should be on its own individual line, and any lists of authorized hosts placed after an exported file system must be separated by space characters. Options for each of the hosts must be placed in parentheses directly after the host identifier, without any spaces separating the host and the first parenthesis. Valid host types are <code class="command">gss/krb5</code>, <code class="command">gss/krb5i</code>, and <code class="command">gss/krb5p</code>.
		</div><div class="para">
			A line for an exported file system has the following structure:
		</div><pre class="screen"><em class="replaceable"><code>&lt;export&gt;</code></em> <em class="replaceable"><code>&lt;host1&gt;</code></em>(<em class="replaceable"><code>&lt;options&gt;</code></em>) <em class="replaceable"><code>&lt;hostN&gt;</code></em>(<em class="replaceable"><code>&lt;options&gt;</code></em>)...</pre><div class="para">
			In this structure, replace <em class="replaceable"><code>&lt;export&gt;</code></em> with the directory being exported, replace <em class="replaceable"><code>&lt;host1&gt;</code></em> with the host or network to which the export is being shared, and replace <em class="replaceable"><code>&lt;options&gt;</code></em> with the options for that host or network. Additional hosts can be specified in a space separated list.
		</div><div class="para">
			The following methods can be used to specify host names:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<span class="emphasis"><em>single host</em></span> — Where one particular host is specified with a fully qualified domain name, hostname, or IP address.
				</div></li><li class="listitem"><div class="para">
					<span class="emphasis"><em>wildcards</em></span> — Where a <code class="command">*</code> or <code class="command">?</code> character is used to take into account a grouping of fully qualified domain names that match a particular string of letters. Wildcards should not be used with IP addresses; however, it is possible for them to work accidentally if reverse DNS lookups fail.
				</div><div class="para">
					Be careful when using wildcards with fully qualified domain names, as they tend to be more exact than expected. For example, the use of <code class="command">*.example.com</code> as a wildcard allows sales.example.com to access an exported file system, but not bob.sales.example.com. To match both possibilities both <code class="command">*.example.com</code> and <code class="command">*.*.example.com</code> must be specified.
				</div></li><li class="listitem"><div class="para">
					<span class="emphasis"><em>IP networks</em></span> — Allows the matching of hosts based on their IP addresses within a larger network. For example, <code class="command">192.168.0.0/28</code> allows the first 16 IP addresses, from 192.168.0.0 to 192.168.0.15, to access the exported file system, but not 192.168.0.16 and higher.
				</div></li><li class="listitem"><div class="para">
					<span class="emphasis"><em>netgroups</em></span> — Permits an NIS netgroup name, written as <code class="command">@<em class="replaceable"><code>&lt;group-name&gt;</code></em></code>, to be used. This effectively puts the NIS server in charge of access control for this exported file system, where users can be added and removed from an NIS group without affecting <code class="filename">/etc/exports</code>.
				</div></li></ul></div><div class="para">
			In its simplest form, the <code class="filename">/etc/exports</code> file only specifies the exported directory and the hosts permitted to access it, as in the following example:
		</div><pre class="screen">/exported/directory bob.example.com</pre><div class="para">
			In the example, <code class="computeroutput">bob.example.com</code> can mount <code class="filename">/exported/directory/</code>. Because no options are specified in this example, the following default NFS options take effect:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="option">ro</code> — Mounts of the exported file system are read-only. Remote hosts are not able to make changes to the data shared on the file system. To allow hosts to make changes to the file system, the read/write (<code class="option">rw</code>) option must be specified.
				</div></li><li class="listitem"><div class="para">
					<code class="option">wdelay</code> — Causes the NFS server to delay writing to the disk if it suspects another write request is imminent. This can improve performance by reducing the number of times the disk must be accessed by separate write commands, reducing write overhead. The <code class="option">no_wdelay</code> option turns off this feature, but is only available when using the <code class="option">sync</code> option.
				</div></li><li class="listitem"><div class="para">
					<code class="option">root_squash</code> — Prevents root users connected remotely from having root privileges and assigns them the user ID for the user <code class="computeroutput">nfsnobody</code>. This effectively "squashes" the power of the remote root user to the lowest local user, preventing unauthorized alteration of files on the remote server. Alternatively, the <code class="option">no_root_squash</code> option turns off root squashing. To squash every remote user, including root, use the <code class="option">all_squash</code> option. To specify the user and group IDs to use with remote users from a particular host, use the <code class="option">anonuid</code> and <code class="option">anongid</code> options, respectively. In this case, a special user account can be created for remote NFS users to share and specify <code class="option">(anonuid=<em class="replaceable"><code>&lt;uid-value&gt;</code></em>,anongid=<em class="replaceable"><code>&lt;gid-value&gt;</code></em>)</code>, where <code class="option"><em class="replaceable"><code>&lt;uid-value&gt;</code></em></code> is the user ID number and <code class="option"><em class="replaceable"><code>&lt;gid-value&gt;</code></em></code> is the group ID number.
				</div></li></ul></div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
				By default, <em class="firstterm">access control lists</em> (<acronym class="acronym">ACLs</acronym>) are supported by NFS under Red Hat Enterprise Linux. To disable this feature, specify the <code class="command">no_acl</code> option when exporting the file system.
			</div></div></div><div class="para">
			Each default for every exported file system must be explicitly overridden. For example, if the <code class="option">rw</code> option is not specified, then the exported file system is shared as read-only. The following is a sample line from <code class="filename">/etc/exports</code> which overrides two default options:
		</div><pre class="screen">/another/exported/directory 192.168.0.3(rw,sync)</pre><div class="para">
			In this example <code class="command">192.168.0.3</code> can mount <code class="filename">/another/exported/directory/</code> read/write and all transfers to disk are committed to the disk before the write request by the client is completed.
		</div><div class="para">
			Additionally, other options are available where no default value is specified. These include the ability to disable sub-tree checking, allow access from insecure ports, and allow insecure file locks (necessary for certain early NFS client implementations). Refer to the <code class="filename">exports</code> man page for details on these lesser used options.
		</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
				The format of the <code class="filename">/etc/exports</code> file is very precise, particularly in regards to use of the space character. Remember to always separate exported file systems from hosts and hosts from one another with a space character. However, there should be no other space characters in the file except on comment lines.
			</div><div class="para">
				For example, the following two lines do not mean the same thing:
			</div><pre class="screen">/home bob.example.com(rw)
/home bob.example.com (rw)</pre><div class="para">
				The first line allows only users from <code class="filename">bob.example.com</code> read/write access to the <code class="filename">/home</code> directory. The second line allows users from <code class="filename">bob.example.com</code> to mount the directory as read-only (the default), while the rest of the world can mount it read/write.
			</div></div></div><div class="section" id="s1-nfs-server-config-exportfs"><div class="titlepage"><div><div><h3 class="title" id="s1-nfs-server-config-exportfs">20.7.1. The <code class="command">exportfs</code> Command</h3></div></div></div><a id="id930020" class="indexterm"></a><div class="para">
				Every file system being exported to remote users via NFS, as well as the access level for those file systems, are listed in the <code class="filename">/etc/exports</code> file. When the <code class="command">nfs</code> service starts, the <code class="command">/usr/sbin/exportfs</code> command launches and reads this file, passes control to <code class="command">rpc.mountd</code> (if NFSv2 or NFSv3) for the actual mounting process, then to <code class="command">rpc.nfsd</code> where the file systems are then available to remote users.
			</div><div class="para">
				When issued manually, the <code class="command">/usr/sbin/exportfs</code> command allows the root user to selectively export or unexport directories without restarting the NFS service. When given the proper options, the <code class="command">/usr/sbin/exportfs</code> command writes the exported file systems to <code class="filename">/var/lib/nfs/xtab</code>. Since <code class="command">rpc.mountd</code> refers to the <code class="filename">xtab</code> file when deciding access privileges to a file system, changes to the list of exported file systems take effect immediately.
			</div><div class="para">
				The following is a list of commonly used options available for <code class="command">/usr/sbin/exportfs</code>:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="option">-r</code> — Causes all directories listed in <code class="filename">/etc/exports</code> to be exported by constructing a new export list in <code class="filename">/etc/lib/nfs/xtab</code>. This option effectively refreshes the export list with any changes that have been made to <code class="filename">/etc/exports</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-a</code> — Causes all directories to be exported or unexported, depending on what other options are passed to <code class="command">/usr/sbin/exportfs</code>. If no other options are specified, <code class="command">/usr/sbin/exportfs</code> exports all file systems specified in <code class="filename">/etc/exports</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-o <em class="replaceable"><code>file-systems</code></em></code> — Specifies directories to be exported that are not listed in <code class="filename">/etc/exports</code>. Replace <em class="replaceable"><code>file-systems</code></em> with additional file systems to be exported. These file systems must be formatted in the same way they are specified in <code class="filename">/etc/exports</code>. Refer to <a class="xref" href="#s1-nfs-server-config-exports">Section 20.7, “The <code class="filename">/etc/exports</code> Configuration File”</a> for more information on <code class="filename">/etc/exports</code> syntax. This option is often used to test an exported file system before adding it permanently to the list of file systems to be exported.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-i</code> — Ignores <code class="filename">/etc/exports</code>; only options given from the command line are used to define exported file systems.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-u</code> — Unexports all shared directories. The command <code class="command">/usr/sbin/exportfs -ua</code> suspends NFS file sharing while keeping all NFS daemons up. To re-enable NFS sharing, type <code class="command">exportfs -r</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-v</code> — Verbose operation, where the file systems being exported or unexported are displayed in greater detail when the <code class="command">exportfs</code> command is executed.
					</div></li></ul></div><div class="para">
				If no options are passed to the <code class="command">/usr/sbin/exportfs</code> command, it displays a list of currently exported file systems.
			</div><div class="para">
				For more information about the <code class="command">/usr/sbin/exportfs</code> command, refer to the <code class="command">exportfs</code> man page.
			</div><div class="section" id="s3-nfs-server-config-exportfs-nfsv4"><div class="titlepage"><div><div><h4 class="title" id="s3-nfs-server-config-exportfs-nfsv4">20.7.1.1. Using <code class="command">exportfs</code> with NFSv4</h4></div></div></div><a id="id930275" class="indexterm"></a><div class="para">
					The <code class="command">exportfs</code> command is used in maintaining the NFS table of exported file systems. When typed in a terminal with no arguments, the <code class="command">exportfs</code> command shows all the exported directories.
				</div><div class="para">
					Since NFSv4 no longer utilizes the <code class="literal">MOUNT</code> protocol, which was used with the NFSv2 and NFSv3 protocols, the mounting of file systems has changed.
				</div><div class="para">
					An NFSv4 client now has the ability to see all of the exports served by the NFSv4 server as a single file system, called the NFSv4 pseudo-file system. On Red Hat Enterprise Linux, the pseudo-file system is identified as a single, real file system, identified at export with the <code class="option">fsid=0</code> option.
				</div><div class="para">
					For example, the following commands could be executed on an NFSv4 server:
				</div><pre class="screen"><code class="command">mkdir /exports</code>
<code class="command">mkdir /exports/opt</code>
<code class="command">mkdir /exports/etc</code>
<code class="command">mount --bind /usr/local/opt /exports/opt</code>
<code class="command">mount --bind /usr/local/etc /exports/etc</code>
<code class="command">exportfs -o fsid=0,insecure,no_subtree_check gss/krb5p:/exports</code>
<code class="command">exportfs -o rw,nohide,insecure,no_subtree_check gss/krb5p:/exports/opt</code>
<code class="command">exportfs -o rw,nohide,insecure,no_subtree_check gss/krb5p:/exports/etc</code></pre><div class="para">
					In this example, clients are provided with multiple file systems to mount, by using the <code class="option">--bind</code> option which creates unbreakable links.
				</div><div class="para">
					Because of the pseudo-file systems feature, NFS version 2, 3 and 4 export configurations are not always compatible. For example, given the following directory tree:
				</div><pre class="screen">/home
/home/sam
/home/john
/home/joe</pre><div class="para">
					and the export:
				</div><pre class="screen">/home *(rw,fsid=0,sync)</pre><div class="para">
					Using NFS version 2,3 and 4 the following would work:
				</div><pre class="screen"><code class="command">mount server:/home /mnt/home</code>
<code class="command">ls /mnt/home/joe</code></pre><div class="para">
					Using v4 the following would work:
				</div><pre class="screen"><code class="command">mount -t nfs4 server:/ /mnt/home</code>
<code class="command">ls /mnt/home/joe</code></pre><div class="para">
					The difference being "<code class="command">server:/home</code>" and "<code class="command">server:/</code>". To make the exports configurations compatible for all version, one needs to export (read only) the root filesystem with an <code class="command">fsid=0</code>. The <code class="command">fsid=0</code> signals the NFS server that this export is the root.
				</div><pre class="screen">/ *(ro,fsid=0)
/home *(rw,sync,nohide)</pre><div class="para">
					Now with these exports, both "<code class="command">mount server:/home /mnt/home</code>" and "<code class="command">mount -t nfs server:/home /mnt/home</code>" will work as expected.
				</div></div></div></div><div class="section" id="s1-nfs-security"><div class="titlepage"><div><div><h2 class="title" id="s1-nfs-security">20.8. Securing NFS</h2></div></div></div><a id="id930464" class="indexterm"></a><div class="para">
			NFS is well suited for sharing entire file systems with a large number of known hosts in a transparent manner. However, with ease of use comes a variety of potential security problems.
		</div><div class="para">
			The following points should be considered when exporting NFS file systems on a server or mounting them on a client. Doing so minimizes NFS security risks and better protects data on the server.
		</div><div class="section" id="s2-nfs-security-hosts"><div class="titlepage"><div><div><h3 class="title" id="s2-nfs-security-hosts">20.8.1. Host Access</h3></div></div></div><a id="id930497" class="indexterm"></a><div class="para">
				Depending on which version of NFS you plan to implement, depends on your existing network environment, and your security concerns. The following sections explain the differences between implementing security measures with NFSv2, NFSv3, and NFSv4. If at all possible, use of NFSv4 is recommended over other versions of NFS.
			</div><div class="section" id="s3-nfs-security-hosts-nonnfsv4"><div class="titlepage"><div><div><h4 class="title" id="s3-nfs-security-hosts-nonnfsv4">20.8.1.1. Using NFSv2 or NFSv3</h4></div></div></div><a id="id930528" class="indexterm"></a><div class="para">
					NFS controls who can mount an exported file system based on the host making the mount request, not the user that actually uses the file system. Hosts must be given explicit rights to mount the exported file system. Access control is not possible for users, other than through file and directory permissions. In other words, once a file system is exported via NFS, any user on any remote host connected to the NFS server can access the shared data. To limit the potential risks, administrators often allow read-only access or squash user permissions to a common user and group ID. Unfortunately, these solutions prevent the NFS share from being used in the way it was originally intended.
				</div><div class="para">
					Additionally, if an attacker gains control of the DNS server used by the system exporting the NFS file system, the system associated with a particular hostname or fully qualified domain name can be pointed to an unauthorized machine. At this point, the unauthorized machine <span class="emphasis"><em>is</em></span> the system permitted to mount the NFS share, since no username or password information is exchanged to provide additional security for the NFS mount.
				</div><div class="para">
					Wildcards should be used sparingly when exporting directories via NFS as it is possible for the scope of the wildcard to encompass more systems than intended.
				</div><div class="para">
					It is also possible to restrict access to the <code class="command">portmap</code> service via TCP wrappers. Access to ports used by <code class="command">portmap</code>, <code class="command">rpc.mountd</code>, and <code class="command">rpc.nfsd</code> can also be limited by creating firewall rules with <code class="command">iptables</code>.
				</div><div class="para">
					For more information on securing NFS and <code class="command">portmap</code>, refer to <a class="xref" href="#ch-iptables">Section 46.9, “IPTables”</a>.
				</div></div><div class="section" id="s3-nfs-security-hosts-nfsv4"><div class="titlepage"><div><div><h4 class="title" id="s3-nfs-security-hosts-nfsv4">20.8.1.2. Using NFSv4</h4></div></div></div><a id="id930617" class="indexterm"></a><div class="para">
					The release of NFSv4 brought a revolution to authentication and security to NFS exports. NFSv4 mandates the implementation of the RPCSEC_GSS kernel module, the Kerberos version 5 GSS-API mechanism, SPKM-3, and LIPKEY. With NFSv4, the mandatory security mechanisms are oriented towards authenticating individual users, and not client machines as used in NFSv2 and NFSv3.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						It is assumed that a Kerberos ticket-granting server (KDC) is installed and configured correctly, prior to configuring an NFSv4 server. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC.
					</div></div></div><div class="para">
					NFSv4 includes ACL support based on the Microsoft Windows NT model, not the POSIX model, because of its features and because it is widely deployed. NFSv2 and NFSv3 do not have support for native ACL attributes.
				</div><div class="para">
					Another important security feature of NFSv4 is the removal of the use of the MOUNT protocol for mounting file systems. This protocol presented possible security holes because of the way that it handled file handles.
				</div><div class="para">
					For more information on the RPCSEC_GSS framework, including how <code class="command">rpc.svcgssd</code> and <code class="command">rpc.gssd</code> inter operate, refer to <a href="http://www.citi.umich.edu/projects/nfsv4/gssd/">http://www.citi.umich.edu/projects/nfsv4/gssd/</a>.
				</div></div></div><div class="section" id="s2-nfs-security-files"><div class="titlepage"><div><div><h3 class="title" id="s2-nfs-security-files">20.8.2. File Permissions</h3></div></div></div><a id="id930693" class="indexterm"></a><div class="para">
				Once the NFS file system is mounted read/write by a remote host, the only protection each shared file has is its permissions. If two users that share the same user ID value mount the same NFS file system, they can modify each others files. Additionally, anyone logged in as root on the client system can use the <code class="command">su -</code> command to become a user who could access particular files via the NFS share.
			</div><div class="para">
				By default, access control lists (ACLs) are supported by NFS under Red Hat Enterprise Linux. It is not recommended that this feature be disabled.
			</div><div class="para">
				The default behavior when exporting a file system via NFS is to use <em class="firstterm">root squashing</em>. This sets the user ID of anyone accessing the NFS share as the root user on their local machine to a value of the server's <code class="computeroutput">nfsnobody</code> account. Never turn off root squashing.
			</div><div class="para">
				If exporting an NFS share as read-only, consider using the <code class="option">all_squash</code> option, which makes every user accessing the exported file system take the user ID of the <code class="computeroutput">nfsnobody</code> user.
			</div></div></div><div class="section" id="s2-nfs-methodology-portmap"><div class="titlepage"><div><div><h2 class="title" id="s2-nfs-methodology-portmap">20.9. NFS and <code class="command">portmap</code></h2></div></div></div><a id="id930764" class="indexterm"></a><a id="id930777" class="indexterm"></a><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				The following section only applies to NFSv2 or NFSv3 implementations that require the <code class="command">portmap</code> service for backward compatibility.
			</div></div></div><div class="para">
			The <code class="command">portmapper</code> maps RPC services to the ports they are listening on. RPC processes notify <code class="command">portmap</code> when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts <code class="command">portmap</code> on the server with a particular RPC program number. The <code class="command">portmap</code> service redirects the client to the proper port number so it can communicate with the requested service.
		</div><div class="para">
			Because RPC-based services rely on <code class="command">portmap</code> to make all connections with incoming client requests, <code class="command">portmap</code> must be available before any of these services start.
		</div><div class="para">
			The <code class="command">portmap</code> service uses TCP wrappers for access control, and access control rules for <code class="command">portmap</code> affect <span class="emphasis"><em>all</em></span> RPC-based services. Alternatively, it is possible to specify access control rules for each of the NFS RPC daemons. The man pages for <code class="command">rpc.mountd</code> and <code class="command">rpc.statd</code> contain information regarding the precise syntax for these rules.
		</div><div class="section" id="s3-nfs-methodology-portmap-rpcinfo"><div class="titlepage"><div><div><h3 class="title" id="s3-nfs-methodology-portmap-rpcinfo">20.9.1. Troubleshooting NFS and <code class="command">portmap</code></h3></div></div></div><a id="id930874" class="indexterm"></a><a id="id930889" class="indexterm"></a><a id="id930898" class="indexterm"></a><div class="para">
				Because <code class="command">portmap</code> provides coordination between RPC services and the port numbers used to communicate with them, it is useful to view the status of current RPC services using <code class="command">portmap</code> when troubleshooting. The <code class="command">rpcinfo</code> command shows each RPC-based service with port numbers, an RPC program number, a version number, and an IP protocol type (TCP or UDP).
			</div><div class="para">
				To make sure the proper NFS RPC-based services are enabled for <code class="command">portmap</code>, issue the following command as root:
			</div><pre class="screen"><code class="command">rpcinfo -p</code></pre><div class="para">
				The following is sample output from this command:
			</div><pre class="screen">program vers proto   port
100000    2   tcp    111  portmapper
100000    2   udp    111  portmapper
100021    1   udp  32774  nlockmgr
100021    3   udp  32774  nlockmgr
100021    4   udp  32774  nlockmgr
100021    1   tcp  34437  nlockmgr
100021    3   tcp  34437  nlockmgr
100021    4   tcp  34437  nlockmgr
100011    1   udp    819  rquotad
100011    2   udp    819  rquotad
100011    1   tcp    822  rquotad
100011    2   tcp    822  rquotad
100003    2   udp   2049  nfs
100003    3   udp   2049  nfs
100003    2   tcp   2049  nfs
100003    3   tcp   2049  nfs
100005    1   udp    836  mountd
100005    1   tcp    839  mountd
100005    2   udp    836  mountd
100005    2   tcp    839  mountd
100005    3   udp    836  mountd
100005    3   tcp    839  mountd</pre><div class="para">
				If one of the NFS services does not start up correctly, <code class="command">portmap</code> is unable to map RPC requests from clients for that service to the correct port. In many cases, if NFS is not present in <code class="command">rpcinfo</code> output, restarting NFS causes the service to correctly register with <code class="command">portmap</code> and begin working. For instructions on starting NFS, refer to <a class="xref" href="#s1-nfs-start">Section 20.5, “Starting and Stopping NFS”</a>.
			</div><div class="para">
				Other useful options are available for the <code class="command">rpcinfo</code> command. Refer to the <code class="command">rpcinfo</code> man page for more information.
			</div></div></div><div class="section" id="s1-nfs-tcp"><div class="titlepage"><div><div><h2 class="title" id="s1-nfs-tcp">20.10. Using NFS over TCP</h2></div></div></div><a id="id931005" class="indexterm"></a><div class="para">
			The default transport protocol for NFSv4 is TCP; however, the Red Hat Enterprise Linux 5 kernel includes support for NFS over UDP. To use NFS over UDP, include the <code class="option">-o udp</code> option to <code class="command">mount</code> when mounting the NFS-exported file system on the client system.
		</div><div class="para">
			There are three ways to configure an NFS file system export. On demand via the command line (client side), automatically via the <code class="filename">/etc/fstab</code> file (client side), and automatically via autofs configuration files, such as <code class="filename">/etc/auto.master</code> and <code class="filename">/etc/auto.misc</code> (server side with NIS).
		</div><div class="para">
			For example, on demand via the command line (client side):
		</div><pre class="screen"><code class="command">mount -o udp shadowman.example.com:/misc/export /misc/local</code></pre><div class="para">
			When the NFS mount is specified in <code class="filename">/etc/fstab</code> (client side):
		</div><pre class="screen">server:/usr/local/pub    /pub   nfs    rsize=8192,wsize=8192,timeo=14,intr,udp</pre><div class="para">
			When the NFS mount is specified in an autofs configuration file for a NIS server, available for NIS enabled workstations:
		</div><pre class="screen">myproject  -rw,soft,intr,rsize=8192,wsize=8192,udp penguin.example.net:/proj52</pre><div class="para">
			Since the default is TCP, if the <code class="option">-o udp</code> option is not specified, the NFS-exported file system is accessed via TCP.
		</div><div class="para">
			The advantages of using TCP include the following:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					Improved connection durability, thus less <code class="computeroutput">NFS stale file handles</code> messages.
				</div></li><li class="listitem"><div class="para">
					Performance gain on heavily loaded networks because TCP acknowledges every packet, unlike UDP which only acknowledges completion.
				</div></li><li class="listitem"><div class="para">
					TCP has better congestion control than UDP. On a very congested network, UDP packets are the first packets that are dropped. This means that if NFS is writing data (in 8K chunks) all of that 8K must be retransmitted over UDP. Because of TCP's reliability, only parts of that 8K data are transmitted at a time.
				</div></li><li class="listitem"><div class="para">
					Error detection. When a TCP connection breaks (due to the server being unavailable) the client stops sending data and restarts the connection process once the server becomes available. With UDP, since it's connection-less, the client continues to pound the network with data until the server reestablishes a connection.
				</div></li></ul></div><div class="para">
			The main disadvantage is that there is a very small performance hit due to the overhead associated with the TCP protocol.
		</div></div><div class="section" id="s1-nfs-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-nfs-additional-resources">20.11. Additional Resources</h2></div></div></div><a id="id931150" class="indexterm"></a><div class="para">
			Administering an NFS server can be a challenge. Many options, including quite a few not mentioned in this chapter, are available for exporting or mounting NFS shares. Consult the following sources for more information.
		</div><div class="section" id="s2-nfs-installed-documentation"><div class="titlepage"><div><div><h3 class="title" id="s2-nfs-installed-documentation">20.11.1. Installed Documentation</h3></div></div></div><a id="id931177" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="filename">/usr/share/doc/nfs-utils-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/</code> — Replace <em class="replaceable"><code>&lt;version-number&gt;</code></em> with the version number of the NFS package installed. This directory contains a wealth of information about the NFS implementation for Linux, including a look at various NFS configurations and their impact on file transfer performance.
					</div></li><li class="listitem"><div class="para">
						<code class="command">man mount</code> — Contains a comprehensive look at mount options for both NFS server and client configurations.
					</div></li><li class="listitem"><div class="para">
						<code class="command">man fstab</code> — Gives details for the format of the <code class="filename">/etc/fstab</code> file used to mount file systems at boot-time.
					</div></li><li class="listitem"><div class="para">
						<code class="command">man nfs</code> — Provides details on NFS-specific file system export and mount options.
					</div></li><li class="listitem"><div class="para">
						<code class="command">man exports</code> — Shows common options used in the <code class="filename">/etc/exports</code> file when exporting NFS file systems.
					</div></li></ul></div></div><div class="section" id="s2-nfs-useful-websites"><div class="titlepage"><div><div><h3 class="title" id="s2-nfs-useful-websites">20.11.2. Useful Websites</h3></div></div></div><a id="id931285" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://nfs.sourceforge.net/">http://nfs.sourceforge.net/</a> — The home of the Linux NFS project and a great place for project status updates.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.citi.umich.edu/projects/nfsv4/linux/">http://www.citi.umich.edu/projects/nfsv4/linux/</a> — An NFSv4 for Linux 2.6 kernel resource.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.nfsv4.org/">http://www.nfsv4.org</a> — The home of NFS version 4 and all related standards.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.vanemery.com/Linux/NFSv4/NFSv4-no-rpcsec.html">http://www.vanemery.com/Linux/NFSv4/NFSv4-no-rpcsec.html</a> — Describes the details of NFSv4 with Fedora Core 2, which includes the 2.6 kernel.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.sane.nl/events/sane2000/papers/pawlowski.pdf">http://www.sane.nl/events/sane2000/papers/pawlowski.pdf</a> — An excellent whitepaper on the features and enhancements of the NFS Version 4 protocol.
					</div></li><li class="listitem"><div class="para">
						<a href="http://wiki.autofs.net">http://wiki.autofs.net</a> — The Autofs wiki, discussions, documentation and enhancements.
					</div></li></ul></div></div><div class="section" id="s2-nfs-related-books"><div class="titlepage"><div><div><h3 class="title" id="s2-nfs-related-books">20.11.3. Related Books</h3></div></div></div><a id="id931404" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<em class="citetitle">Managing NFS and NIS</em> by Hal Stern, Mike Eisler, and Ricardo Labiaga; O'Reilly &amp; Associates — Makes an excellent reference guide for the many different NFS export and mount options available.
					</div></li><li class="listitem"><div class="para">
						<em class="citetitle">NFS Illustrated</em> by Brent Callaghan; Addison-Wesley Publishing Company — Provides comparisons of NFS to other network file systems and shows, in detail, how NFS communication occurs.
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-samba" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 21. Samba</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#samba-rgs-overview">21.1. Introduction to Samba</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-abilities">21.1.1. Samba Features</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-daemons">21.2. Samba Daemons and Related Services</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-services">21.2.1. Samba Daemons</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-connect-share">21.3. Connecting to a Samba Share</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-connect-share-cmdline">21.3.1. Command Line</a></span></dt><dt><span class="section"><a href="#s1-samba-mounting">21.3.2. Mounting the Share</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-configuring">21.4. Configuring a Samba Server</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-configuring-gui">21.4.1. Graphical Configuration</a></span></dt><dt><span class="section"><a href="#s2-samba-configuring-cmdline">21.4.2. Command Line Configuration</a></span></dt><dt><span class="section"><a href="#s2-samba-encrypted-passwords">21.4.3. Encrypted Passwords</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-startstop">21.5. Starting and Stopping Samba</a></span></dt><dt><span class="section"><a href="#s1-samba-servers">21.6. Samba Server Types and the <code class="command">smb.conf</code> File</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-standalone">21.6.1. Stand-alone Server</a></span></dt><dt><span class="section"><a href="#s2-samba-domain-member">21.6.2. Domain Member Server</a></span></dt><dt><span class="section"><a href="#s2-samba-domain-controller">21.6.3. Domain Controller</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-security-modes">21.7. Samba Security Modes</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-user-level">21.7.1. User-Level Security</a></span></dt><dt><span class="section"><a href="#s2-samba-share-level">21.7.2. Share-Level Security</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-account-info-dbs">21.8. Samba Account Information Databases</a></span></dt><dt><span class="section"><a href="#s1-samba-network-browsing">21.9. Samba Network Browsing</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-domain-browsing">21.9.1. Domain Browsing</a></span></dt><dt><span class="section"><a href="#s2-samba-wins">21.9.2. WINS (Windows Internetworking Name Server)</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-cups">21.10. Samba with CUPS Printing Support</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-cups-smb.conf">21.10.1. Simple <code class="filename">smb.conf</code> Settings</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-samba-programs">21.11. Samba Distribution Programs</a></span></dt><dt><span class="section"><a href="#s1-samba-resources">21.12. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-samba-resources-installed">21.12.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-samba-resources-published">21.12.2. Related Books</a></span></dt><dt><span class="section"><a href="#s2-samba-resources-community">21.12.3. Useful Websites</a></span></dt></dl></dd></dl></div><a id="id816701" class="indexterm"></a><a id="id852903" class="indexterm"></a><div class="para">
		<em class="firstterm">Samba</em> is an open source implementation of the Server Message Block (SMB) protocol. It allows the networking of Microsoft <span class="trademark">Windows</span>®, Linux, UNIX, and other operating systems together, enabling access to Windows-based file and printer shares. Samba's use of SMB allows it to appear as a Windows server to Windows clients.
	</div><div class="section" id="samba-rgs-overview"><div class="titlepage"><div><div><h2 class="title" id="samba-rgs-overview">21.1. Introduction to Samba</h2></div></div></div><a id="id963527" class="indexterm"></a><div class="para">
			The third major release of Samba, version 3.0.0, introduced numerous improvements from prior versions, including:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					The ability to join an Active Directory domain by means of LDAP and Kerberos
				</div></li><li class="listitem"><div class="para">
					Built in Unicode support for internationalization
				</div></li><li class="listitem"><div class="para">
					Support for Microsoft Windows XP Professional client connections to Samba servers without needing local registry hacking
				</div></li><li class="listitem"><div class="para">
					Two new documents developed by the Samba.org team, which include a 400+ page reference manual, and a 300+ page implementation and integration manual. For more information about these published titles, refer to <a class="xref" href="#s2-samba-resources-published">Section 21.12.2, “Related Books”</a>.
				</div></li></ul></div><div class="section" id="s2-samba-abilities"><div class="titlepage"><div><div><h3 class="title" id="s2-samba-abilities">21.1.1. Samba Features</h3></div></div></div><a id="id852723" class="indexterm"></a><div class="para">
				Samba is a powerful and versatile server application. Even seasoned system administrators must know its abilities and limitations before attempting installation and configuration.
			</div><div class="para">
				What Samba can do:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Serve directory trees and printers to Linux, UNIX, and Windows clients
					</div></li><li class="listitem"><div class="para">
						Assist in network browsing (with or without NetBIOS)
					</div></li><li class="listitem"><div class="para">
						Authenticate Windows domain logins
					</div></li><li class="listitem"><div class="para">
						Provide Windows Internet Name Service (WINS) name server resolution
					</div></li><li class="listitem"><div class="para">
						Act as a Windows <span class="trademark">NT</span>®-style Primary Domain Controller (PDC)
					</div></li><li class="listitem"><div class="para">
						Act as a Backup Domain Controller (BDC) for a Samba-based PDC
					</div></li><li class="listitem"><div class="para">
						Act as an Active Directory domain member server
					</div></li><li class="listitem"><div class="para">
						Join a Windows NT/2000/2003 PDC
					</div></li></ul></div><div class="para">
				What Samba cannot do:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Act as a BDC for a Windows PDC (and vice versa)
					</div></li><li class="listitem"><div class="para">
						Act as an Active Directory domain controller
					</div></li></ul></div></div></div><div class="section" id="s1-samba-daemons"><div class="titlepage"><div><div><h2 class="title" id="s1-samba-daemons">21.2. Samba Daemons and Related Services</h2></div></div></div><a id="id1073260" class="indexterm"></a><div class="para">
			The following is a brief introduction to the individual Samba daemons and services.
		</div><div class="section" id="s2-samba-services"><div class="titlepage"><div><div><h3 class="title" id="s2-samba-services">21.2.1. Samba Daemons</h3></div></div></div><a id="id1073286" class="indexterm"></a><div class="para">
				Samba is comprised of three daemons (<code class="command">smbd</code>, <code class="command">nmbd</code>, and <code class="command">winbindd</code>). Two services (<code class="command">smb</code> and <code class="command">windbind</code>) control how the daemons are started, stopped, and other service-related features. Each daemon is listed in detail, as well as which specific service has control over it.
			</div><div class="formalpara" id="s3-samba-daemon-smbd"><h5 class="formalpara"> <code class="command">smbd</code> </h5><a id="id983671" class="indexterm"></a>
					The <code class="command">smbd</code> server daemon provides file sharing and printing services to Windows clients. In addition, it is responsible for user authentication, resource locking, and data sharing through the SMB protocol. The default ports on which the server listens for SMB traffic are TCP ports 139 and 445.
				</div><div class="para">
				The <code class="command">smbd</code> daemon is controlled by the <code class="command">smb</code> service.
			</div><div class="formalpara" id="s3-samba-daemon-nmbd"><h5 class="formalpara"> <code class="command">nmbd</code> </h5><a id="id983725" class="indexterm"></a>
					The <code class="command">nmbd</code> server daemon understands and replies to NetBIOS name service requests such as those produced by SMB/CIFS in Windows-based systems. These systems include Windows 95/98/ME, Windows NT, Windows 2000, Windows XP, and LanManager clients. It also participates in the browsing protocols that make up the Windows <span class="guilabel"><strong>Network Neighborhood</strong></span> view. The default port that the server listens to for NMB traffic is UDP port 137.
				</div><div class="para">
				The <code class="command">nmbd</code> daemon is controlled by the <code class="command">smb</code> service.
			</div><div class="formalpara" id="s3-samba-daemon-winbindd"><h5 class="formalpara"> <code class="command">winbindd</code> </h5><a id="id966613" class="indexterm"></a>
					The <code class="command">winbind</code> service resolves user and group information on a server running Windows NT 2000 or Windows Server 2003. This makes Windows user / group information understandable by UNIX platforms. This is achieved by using Microsoft RPC calls, Pluggable Authentication Modules (PAM), and the Name Service Switch (NSS). This allows Windows NT domain users to appear and operate as UNIX users on a UNIX machine. Though bundled with the Samba distribution, the <code class="command">winbind</code> service is controlled separately from the <code class="command">smb</code> service.
				</div><div class="para">
				The <code class="command">winbindd</code> daemon is controlled by the <code class="command">winbind</code> service and does not require the <code class="command">smb</code> service to be started in order to operate. Winbindd is also used when Samba is an Active Directory member, and may also be used on a Samba domain controller (to implement nested groups and/or interdomain trust). Because <code class="command">winbind</code> is a client-side service used to connect to Windows NT-based servers, further discussion of <code class="command">winbind</code> is beyond the scope of this manual.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					You may refer to <a class="xref" href="#s1-samba-programs">Section 21.11, “Samba Distribution Programs”</a> for a list of utilities included in the Samba distribution.
				</div></div></div></div></div><div class="section" id="s1-samba-connect-share"><div class="titlepage"><div><div><h2 class="title" id="s1-samba-connect-share">21.3. Connecting to a Samba Share</h2></div></div></div><a id="id966708" class="indexterm"></a><div class="para">
			You can use <span class="application"><strong>Nautilus</strong></span> to view available Samba shares on your network. Select <span class="guimenu"><strong>Places</strong></span> (on the Panel) &gt; <span class="guimenuitem"><strong>Network Servers</strong></span> to view a list of Samba workgroups on your network. You can also type <strong class="userinput"><code>smb:</code></strong> in the <span class="guilabel"><strong>File</strong></span> &gt; <span class="guilabel"><strong>Open Location</strong></span> bar of Nautilus to view the workgroups.
		</div><div class="para">
			As shown in <a class="xref" href="#fig-samba-nautilus-workgroups">Figure 21.1, “SMB Workgroups in Nautilus”</a>, an icon appears for each available SMB workgroup on the network.
		</div><div class="figure" id="fig-samba-nautilus-workgroups"><div class="figure-contents"><div class="mediaobject"><img src="images/samba-nautilus.png" width="444" alt="SMB Workgroups in Nautilus" /><div class="longdesc"><div class="para">
						SMB Workgroups in Nautilus
					</div></div></div></div><h6>Figure 21.1. SMB Workgroups in Nautilus</h6></div><br class="figure-break" /><div class="para">
			Double-click one of the workgroup icons to view a list of computers within the workgroup.
		</div><div class="figure" id="fig-samba-nautilus-machines"><div class="figure-contents"><div class="mediaobject"><img src="images/samba-nautilus-machines.png" width="444" alt="SMB Machines in Nautilus" /><div class="longdesc"><div class="para">
						SMB Machines in Nautilus
					</div></div></div></div><h6>Figure 21.2. SMB Machines in Nautilus</h6></div><br class="figure-break" /><div class="para">
			As you can see from <a class="xref" href="#fig-samba-nautilus-machines">Figure 21.2, “SMB Machines in Nautilus”</a>, there is an icon for each machine within the workgroup. Double-click on an icon to view the Samba shares on the machine. If a username and password combination is required, you are prompted for them.
		</div><div class="para">
			Alternately, you can also specify the Samba server and sharename in the <span class="guilabel"><strong>Location:</strong></span> bar for <span class="application"><strong>Nautilus</strong></span> using the following syntax (replace <em class="replaceable"><code>&lt;servername&gt;</code></em> and <em class="replaceable"><code>&lt;sharename&gt;</code></em> with the appropriate values):
		</div><pre class="screen"><code class="command">smb://<em class="replaceable"><code>&lt;servername&gt;</code></em>/<em class="replaceable"><code>&lt;sharename&gt;</code></em></code></pre><div class="section" id="s2-samba-connect-share-cmdline"><div class="titlepage"><div><div><h3 class="title" id="s2-samba-connect-share-cmdline">21.3.1. Command Line</h3></div></div></div><a id="id931462" class="indexterm"></a><a id="id931479" class="indexterm"></a><a id="id931496" class="indexterm"></a><div class="para">
				To query the network for Samba servers, use the <code class="command">findsmb</code> command. For each server found, it displays its IP address, NetBIOS name, workgroup name, operating system, and SMB server version.
			</div><a id="id931519" class="indexterm"></a><a id="id931536" class="indexterm"></a><div class="para">
				To connect to a Samba share from a shell prompt, type the following command:
			</div><pre class="screen"><code class="command">smbclient //<em class="replaceable"><code>&lt;hostname&gt;</code></em>/<em class="replaceable"><code>&lt;sharename&gt;</code></em> -U <em class="replaceable"><code>&lt;username&gt;</code></em></code></pre><div class="para">
				Replace <em class="replaceable"><code>&lt;hostname&gt;</code></em> with the hostname or IP address of the Samba server you want to connect to, <em class="replaceable"><code>&lt;sharename&gt;</code></em> with the name of the shared directory you want to browse, and <em class="replaceable"><code>&lt;username&gt;</code></em> with the Samba username for the system. Enter the correct password or press <span class="keycap"><strong>Enter</strong></span> if no password is required for the user.
			</div><div class="para">
				If you see the <code class="prompt">smb:\&gt;</code> prompt, you have successfully logged in. Once you are logged in, type <strong class="userinput"><code>help</code></strong> for a list of commands. If you wish to browse the contents of your home directory, replace <em class="replaceable"><code>sharename</code></em> with your username. If the <code class="command">-U</code> switch is not used, the username of the current user is passed to the Samba server.
			</div><div class="para">
				To exit <code class="command">smbclient</code>, type <strong class="userinput"><code>exit</code></strong> at the <code class="prompt">smb:\&gt;</code> prompt.
			</div></div><div class="section" id="s1-samba-mounting"><div class="titlepage"><div><div><h3 class="title" id="s1-samba-mounting">21.3.2. Mounting the Share</h3></div></div></div><a id="id931634" class="indexterm"></a><div class="para">
				Sometimes it is useful to mount a Samba share to a directory so that the files in the directory can be treated as if they are part of the local file system.
			</div><div class="para">
				To mount a Samba share to a directory, create create a directory to mount it to (if it does not already exist), and execute the following command as root:
			</div><pre class="screen"><code class="command">mount -t cifs -o <em class="replaceable"><code>&lt;username&gt;</code></em>,<em class="replaceable"><code>&lt;password&gt;</code></em> //<em class="replaceable"><code>&lt;servername&gt;</code></em>/<em class="replaceable"><code>&lt;sharename&gt;</code></em> <em class="replaceable"><code>/mnt/point/</code></em></code></pre><div class="para">
				This command mounts <em class="replaceable"><code>&lt;sharename&gt;</code></em> from <em class="replaceable"><code>&lt;servername&gt;</code></em> in the local directory <em class="replaceable"><code>/mnt/point/</code></em>. For more information about mounting a samba share, refer to <code class="command">man mount.cifs</code>.
			</div></div></div><div class="section" id="s1-samba-configuring"><div class="titlepage"><div><div><h2 class="title" id="s1-samba-configuring">21.4. Configuring a Samba Server</h2></div></div></div><a id="id931730" class="indexterm"></a><a id="id931743" class="indexterm"></a><div class="para">
			The default configuration file (<code class="filename">/etc/samba/smb.conf</code>) allows users to view their home directories as a Samba share. It also shares all printers configured for the system as Samba shared printers. In other words, you can attach a printer to the system and print to it from the Windows machines on your network.
		</div><div class="section" id="s2-samba-configuring-gui"><div class="titlepage"><div><div><h3 class="title" id="s2-samba-configuring-gui">21.4.1. Graphical Configuration</h3></div></div></div><a id="id931778" class="indexterm"></a><div class="para">
				To configure Samba using a graphical interface, use the <span class="application"><strong>Samba Server Configuration Tool</strong></span>. For command line configuration, skip to <a class="xref" href="#s2-samba-configuring-cmdline">Section 21.4.2, “Command Line Configuration”</a>.
			</div><div class="para">
				The <span class="application"><strong>Samba Server Configuration Tool</strong></span> is a graphical interface for managing Samba shares, users, and basic server settings. It modifies the configuration files in the <code class="filename">/etc/samba/</code> directory. Any changes to these files not made using the application are preserved.
			</div><div class="para">
				To use this application, you must be running the X Window System, have root privileges, and have the <code class="filename">system-config-samba</code> RPM package installed. To start the <span class="application"><strong>Samba Server Configuration Tool</strong></span> from the desktop, go to the <span class="guimenu"><strong>System</strong></span> (on the Panel) &gt; <span class="guimenuitem"><strong>Administration</strong></span> &gt; <span class="guimenuitem"><strong>Server Settings</strong></span> &gt; <span class="guimenuitem"><strong>Samba</strong></span> or type the command <code class="command">system-config-samba</code> at a shell prompt (for example, in an XTerm or a GNOME terminal).
			</div><div class="figure" id="fig-s-c-samba"><div class="figure-contents"><div class="mediaobject"><img src="images/s-c-samba.png" width="444" alt="Samba Server Configuration Tool" /><div class="longdesc"><div class="para">
							<span class="application"><strong>Samba Server Configuration Tool</strong></span>
						</div></div></div></div><h6>Figure 21.3.  <span class="application">Samba Server Configuration Tool</span> </h6></div><br class="figure-break" /><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					The <span class="application"><strong>Samba Server Configuration Tool</strong></span> does not display shared printers or the default stanza that allows users to view their own home directories on the Samba server.
				</div></div></div><div class="section" id="s3-samba-gui-server-settings"><div class="titlepage"><div><div><h4 class="title" id="s3-samba-gui-server-settings">21.4.1.1. Configuring Server Settings</h4></div></div></div><a id="id931924" class="indexterm"></a><div class="para">
					The first step in configuring a Samba server is to configure the basic settings for the server and a few security options. After starting the application, select <span class="guimenu"><strong>Preferences</strong></span> &gt; <span class="guimenuitem"><strong>Server Settings</strong></span> from the pulldown menu. The <span class="guilabel"><strong>Basic</strong></span> tab is displayed as shown in <a class="xref" href="#fig-samba-basic">Figure 21.4, “Configuring Basic Server Settings”</a>.
				</div><div class="figure" id="fig-samba-basic"><div class="figure-contents"><div class="mediaobject"><img src="images/s-c-samba-basic.png" alt="Configuring Basic Server Settings" /><div class="longdesc"><div class="para">
								Configuring Basic Server Settings
							</div></div></div></div><h6>Figure 21.4. Configuring Basic Server Settings</h6></div><br class="figure-break" /><div class="para">
					On the <span class="guilabel"><strong>Basic</strong></span> tab, specify which workgroup the computer should be in as well as a brief description of the computer. They correspond to the <code class="command">workgroup</code> and <code class="command">server string</code> options in <code class="filename">smb.conf</code>.
				</div><div class="figure" id="fig-samba-security"><div class="figure-contents"><div class="mediaobject"><img src="images/s-c-samba-security.png" alt="Configuring Security Server Settings" /><div class="longdesc"><div class="para">
								Configuring Security Server Settings
							</div></div></div></div><h6>Figure 21.5. Configuring Security Server Settings</h6></div><br class="figure-break" /><div class="para">
					The <span class="guilabel"><strong>Security</strong></span> tab contains the following options:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Authentication Mode</strong></span> — This corresponds to the <code class="command">security</code> option. Select one of the following types of authentication.
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<span class="guilabel"><strong>ADS</strong></span> — The Samba server acts as a domain member in an Active Directory Domain (ADS) realm. For this option, Kerberos must be installed and configured on the server, and Samba must become a member of the ADS realm using the <code class="command">net</code> utility, which is part of the <code class="filename">samba-client</code> package. Refer to the <code class="command">net</code> man page for details. This option does not configure Samba to be an ADS Controller. Specify the realm of the Kerberos server in the <span class="guilabel"><strong>Kerberos Realm</strong></span> field.
								</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
										The <span class="guilabel"><strong>Kerberos Realm</strong></span> field must be supplied in all uppercase letters, such as <code class="command">EXAMPLE.COM</code>.
									</div><div class="para">
										Using a Samba server as a domain member in an ADS realm assumes proper configuration of Kerberos, including the <code class="filename">/etc/krb5.conf</code> file.
									</div></div></div></li><li class="listitem"><div class="para">
									<span class="guilabel"><strong>Domain</strong></span> — The Samba server relies on a Windows NT Primary or Backup Domain Controller to verify the user. The server passes the username and password to the Controller and waits for it to return. Specify the NetBIOS name of the Primary or Backup Domain Controller in the <span class="guilabel"><strong>Authentication Server</strong></span> field.
								</div><div class="para">
									The <span class="guilabel"><strong>Encrypted Passwords</strong></span> option must be set to <span class="guilabel"><strong>Yes</strong></span> if this is selected.
								</div></li><li class="listitem"><div class="para">
									<span class="guilabel"><strong>Server</strong></span> — The Samba server tries to verify the username and password combination by passing them to another Samba server. If it can not, the server tries to verify using the user authentication mode. Specify the NetBIOS name of the other Samba server in the <span class="guilabel"><strong>Authentication Server</strong></span> field.
								</div></li><li class="listitem"><div class="para">
									<span class="guilabel"><strong>Share</strong></span> — Samba users do not have to enter a username and password combination on a per Samba server basis. They are not prompted for a username and password until they try to connect to a specific shared directory from a Samba server.
								</div></li><li class="listitem"><div class="para">
									<span class="guilabel"><strong>User</strong></span> — (Default) Samba users must provide a valid username and password on a per Samba server basis. Select this option if you want the <span class="guilabel"><strong>Windows Username</strong></span> option to work. Refer to <a class="xref" href="#s3-samba-gui-users">Section 21.4.1.2, “Managing Samba Users”</a> for details.
								</div></li></ul></div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Encrypt Passwords</strong></span> — This option must be enabled if the clients are connecting from a system with Windows 98, Windows NT 4.0 with Service Pack 3, or other more recent versions of Microsoft Windows. The passwords are transferred between the server and the client in an encrypted format instead of as a plain-text word that can be intercepted. This corresponds to the <code class="command">encrypted passwords</code> option. Refer to <a class="xref" href="#s2-samba-encrypted-passwords">Section 21.4.3, “Encrypted Passwords”</a> for more information about encrypted Samba passwords.
						</div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Guest Account</strong></span> — When users or guest users log into a Samba server, they must be mapped to a valid user on the server. Select one of the existing usernames on the system to be the guest Samba account. When guests log in to the Samba server, they have the same privileges as this user. This corresponds to the <code class="command">guest account</code> option.
						</div></li></ul></div><div class="para">
					After clicking <span class="guibutton"><strong>OK</strong></span>, the changes are written to the configuration file and the daemon is restarted; thus, the changes take effect immediately.
				</div></div><div class="section" id="s3-samba-gui-users"><div class="titlepage"><div><div><h4 class="title" id="s3-samba-gui-users">21.4.1.2. Managing Samba Users</h4></div></div></div><a id="id968613" class="indexterm"></a><div class="para">
					The <span class="application"><strong>Samba Server Configuration Tool</strong></span> requires that an existing user account be active on the system acting as the Samba server before a Samba user can be added. The Samba user is associated with the existing user account.
				</div><div class="figure" id="fig-samba-users"><div class="figure-contents"><div class="mediaobject"><img src="images/s-c-samba-users.png" alt="Managing Samba Users" /><div class="longdesc"><div class="para">
								Managing Samba Users
							</div></div></div></div><h6>Figure 21.6. Managing Samba Users</h6></div><br class="figure-break" /><div class="para">
					To add a Samba user, select <span class="guimenu"><strong>Preferences</strong></span> &gt; <span class="guimenuitem"><strong>Samba Users</strong></span> from the pulldown menu, and click the <span class="guibutton"><strong>Add User</strong></span> button. In the <span class="guilabel"><strong>Create New Samba User</strong></span> window select a <span class="guilabel"><strong>Unix Username</strong></span> from the list of existing users on the local system.
				</div><div class="para">
					If the user has a different username on a Windows machine and needs to log into the Samba server from the Windows machine, specify that Windows username in the <span class="guilabel"><strong>Windows Username</strong></span> field. The <span class="guilabel"><strong>Authentication Mode</strong></span> on the <span class="guilabel"><strong>Security</strong></span> tab of the <span class="guilabel"><strong>Server Settings</strong></span> preferences must be set to <span class="guilabel"><strong>User</strong></span> for this option to work.
				</div><div class="para">
					Also, configure a <span class="guilabel"><strong>Samba Password</strong></span> for the Samba User and confirm it by typing it again. Even if you opt to use encrypted passwords for Samba, it is recommended that the Samba passwords for all users are different from their system passwords.
				</div><div class="para">
					To edit an existing user, select the user from the list, and click <span class="guibutton"><strong>Edit User</strong></span>. To delete an existing Samba user, select the user, and click the <span class="guibutton"><strong>Delete User</strong></span> button. Deleting a Samba user does not delete the associated system user account.
				</div><div class="para">
					The users are modified immediately after clicking the <span class="guibutton"><strong>OK</strong></span> button.
				</div></div><div class="section" id="s3-samba-gui-add-share"><div class="titlepage"><div><div><h4 class="title" id="s3-samba-gui-add-share">21.4.1.3. Adding a Share</h4></div></div></div><a id="id968766" class="indexterm"></a><div class="para">
					To create a Samba share, click the <span class="guibutton"><strong>Add</strong></span> button from the main Samba configuration window.
				</div><div class="figure" id="fig-samba-add-share"><div class="figure-contents"><div class="mediaobject"><img src="images/s-c-samba-create-share.png" alt="Adding a Share" /><div class="longdesc"><div class="para">
								Adding a Samba Share
							</div></div></div></div><h6>Figure 21.7. Adding a Share</h6></div><br class="figure-break" /><div class="para">
					The <span class="guilabel"><strong>Basic</strong></span> tab configures the following options:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Directory</strong></span> — The directory to share via Samba. The directory must exist before it can be entered here.
						</div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Share name</strong></span> — The actual name of the share that is seen from remote machines. By default, it is the same value as <span class="guilabel"><strong>Directory</strong></span>, but can be configured.
						</div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Descriptions</strong></span> — A brief description of the share.
						</div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Writable</strong></span> — Enables users to read and write to the shared directory
						</div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Visible</strong></span> — Grants read-only rights to users for the shared directory.
						</div></li></ul></div><div class="para">
					On the <span class="guilabel"><strong>Access</strong></span> tab, select whether to allow only specified users to access the share or whether to allow all Samba users to access the share. If you select to allow access to specific users, select the users from the list of available Samba users.
				</div><div class="para">
					The share is added immediately after clicking <span class="guibutton"><strong>OK</strong></span>.
				</div></div></div><div class="section" id="s2-samba-configuring-cmdline"><div class="titlepage"><div><div><h3 class="title" id="s2-samba-configuring-cmdline">21.4.2. Command Line Configuration</h3></div></div></div><a id="id962196" class="indexterm"></a><div class="para">
				Samba uses <code class="filename">/etc/samba/smb.conf</code> as its configuration file. If you change this configuration file, the changes do not take effect until you restart the Samba daemon with the command <code class="command">service smb restart</code>.
			</div><div class="para">
				To specify the Windows workgroup and a brief description of the Samba server, edit the following lines in your <code class="filename">smb.conf</code> file:
			</div><pre class="screen">workgroup = <em class="replaceable"><code>WORKGROUPNAME</code></em>
server string = <em class="replaceable"><code>BRIEF COMMENT ABOUT SERVER</code></em></pre><div class="para">
				Replace <em class="replaceable"><code>WORKGROUPNAME</code></em> with the name of the Windows workgroup to which this machine should belong. The <em class="replaceable"><code>BRIEF COMMENT ABOUT SERVER</code></em> is optional and is used as the Windows comment about the Samba system.
			</div><div class="para">
				To create a Samba share directory on your Linux system, add the following section to your <code class="command">smb.conf</code> file (after modifying it to reflect your needs and your system):
			</div><pre class="screen">[<em class="replaceable"><code>sharename</code></em>]
comment = <em class="replaceable"><code>Insert a comment here</code></em>
path = <em class="replaceable"><code>/home/share/</code></em>
valid users = <em class="replaceable"><code>tfox carole</code></em>
public = no
writable = yes
printable = no
create mask = 0765</pre><div class="para">
				The above example allows the users <code class="command">tfox</code> and <code class="command">carole</code> to read and write to the directory <code class="filename">/home/share</code>, on the Samba server, from a Samba client.
			</div></div><div class="section" id="s2-samba-encrypted-passwords"><div class="titlepage"><div><div><h3 class="title" id="s2-samba-encrypted-passwords">21.4.3. Encrypted Passwords</h3></div></div></div><div class="para">
				Encrypted passwords are enabled by default because it is more secure to do so. To create a user with an encrypted password, use the command <code class="command">smbpasswd -a <em class="replaceable"><code>&lt;username&gt;</code></em> </code>.
			</div><a id="id962322" class="indexterm"></a><a id="id962336" class="indexterm"></a><a id="id962351" class="indexterm"></a><a id="id962365" class="indexterm"></a><a id="id962379" class="indexterm"></a><a id="id962394" class="indexterm"></a><a id="id962424" class="indexterm"></a></div></div><div class="section" id="s1-samba-startstop"><div class="titlepage"><div><div><h2 class="title" id="s1-samba-startstop">21.5. Starting and Stopping Samba</h2></div></div></div><a id="id962450" class="indexterm"></a><a id="id962469" class="indexterm"></a><a id="id962487" class="indexterm"></a><a id="id962506" class="indexterm"></a><a id="id962524" class="indexterm"></a><div class="para">
			To start a Samba server, type the following command in a shell prompt while logged in as root:
		</div><pre class="screen"><code class="command">service smb start</code></pre><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
				To set up a domain member server, you must first join the domain or Active Directory using the <code class="command">net join</code> command <span class="emphasis"><em>before</em></span> starting the <code class="command">smb</code> service.
			</div></div></div><div class="para">
			To stop the server, type the following command in a shell prompt while logged in as root:
		</div><pre class="screen"><code class="command">service smb stop</code></pre><div class="para">
			The <code class="option">restart</code> option is a quick way of stopping and then starting Samba. This is the most reliable way to make configuration changes take effect after editing the configuration file for Samba. Note that the restart option starts the daemon even if it was not running originally.
		</div><div class="para">
			To restart the server, type the following command in a shell prompt while logged in as root:
		</div><pre class="screen"><code class="command">service smb restart</code></pre><div class="para">
			The <code class="option">condrestart</code> (<em class="firstterm">conditional restart</em>) option only starts <code class="command">smb</code> on the condition that it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				When the <code class="command">smb.conf</code> file is changed, Samba automatically reloads it after a few minutes. Issuing a manual <code class="command">restart</code> or <code class="command">reload</code> is just as effective.
			</div></div></div><div class="para">
			To conditionally restart the server, type the following command as root:
		</div><pre class="screen"><code class="command">service smb condrestart</code></pre><div class="para">
			A manual reload of the <code class="command">smb.conf</code> file can be useful in case of a failed automatic reload by the <code class="command">smb</code> service. To ensure that the Samba server configuration file is reloaded without restarting the service, type the following command as root:
		</div><pre class="screen"><code class="command">service smb reload</code></pre><div class="para">
			By default, the <code class="command">smb</code> service does <span class="emphasis"><em>not</em></span> start automatically at boot time. To configure Samba to start at boot time, use an initscript utility, such as <code class="command">/sbin/chkconfig</code>, <code class="command">/usr/sbin/ntsysv</code>, or the <span class="application"><strong>Services Configuration Tool</strong></span> program. Refer to <a class="xref" href="#ch-services">Chapter 17, <em>Controlling Access to Services</em></a> for more information regarding these tools.
		</div></div><div class="section" id="s1-samba-servers"><div class="titlepage"><div><div><h2 class="title" id="s1-samba-servers">21.6. Samba Server Types and the <code class="command">smb.conf</code> File</h2></div></div></div><a id="id962724" class="indexterm"></a><a id="id962738" class="indexterm"></a><div class="para">
			Samba configuration is straightforward. All modifications to Samba are done in the <code class="filename">/etc/samba/smb.conf</code> configuration file. Although the default <code class="filename">smb.conf</code> file is well documented, it does not address complex topics such as LDAP, Active Directory, and the numerous domain controller implementations.
		</div><div class="para">
			The following sections describe the different ways a Samba server can be configured. Keep in mind your needs and the changes required to the <code class="filename">smb.conf</code> file for a successful configuration.
		</div><div class="section" id="s2-samba-standalone"><div class="titlepage"><div><div><h3 class="title" id="s2-samba-standalone">21.6.1. Stand-alone Server</h3></div></div></div><a id="id962784" class="indexterm"></a><div class="para">
				A stand-alone server can be a workgroup server or a member of a workgroup environment. A stand-alone server is not a domain controller and does not participate in a domain in any way. The following examples include several anonymous share-level security configurations and one user-level security configuration. For more information on share-level and user-level security modes, refer to <a class="xref" href="#s1-samba-security-modes">Section 21.7, “Samba Security Modes”</a>.
			</div><div class="section" id="s3-samba-standalone-anonreadonly"><div class="titlepage"><div><div><h4 class="title" id="s3-samba-standalone-anonreadonly">21.6.1.1. Anonymous Read-Only</h4></div></div></div><a id="id962824" class="indexterm"></a><div class="para">
					The following <code class="command">smb.conf</code> file shows a sample configuration needed to implement anonymous read-only file sharing. The <code class="command">security = share</code> parameter makes a share anonymous. Note, security levels for a single Samba server cannot be mixed. The <code class="command">security</code> directive is a global Samba parameter located in the <code class="command">[global]</code> configuration section of the <code class="command">smb.conf</code> file.
				</div><pre class="screen">[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = share
[data]
comment = Documentation Samba Server
path = /export
read only = Yes
guest only = Yes</pre></div><div class="section" id="s3-samba-standalone-anonreadwrite"><div class="titlepage"><div><div><h4 class="title" id="s3-samba-standalone-anonreadwrite">21.6.1.2. Anonymous Read/Write</h4></div></div></div><a id="id962882" class="indexterm"></a><div class="para">
					The following <code class="command">smb.conf</code> file shows a sample configuration needed to implement anonymous read/write file sharing. To enable anonymous read/write file sharing, set the <code class="command">read only</code> directive to <code class="command">no</code>. The <code class="command">force user</code> and <code class="command">force group</code> directives are also added to enforce the ownership of any newly placed files specified in the share.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						Although having an anonymous read/write server is possible, it is not recommended. Any files placed in the share space, regardless of user, are assigned the user/group combination as specified by a generic user (<code class="command">force user</code>) and group (<code class="command">force group</code>) in the <code class="filename">smb.conf</code> file.
					</div></div></div><pre class="screen">[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = share
[data]
comment = Data
path = /export
force user = docsbot
force group = users
read only = No
guest ok = Yes</pre></div><div class="section" id="s3-samba-standalone-anonprint"><div class="titlepage"><div><div><h4 class="title" id="s3-samba-standalone-anonprint">21.6.1.3. Anonymous Print Server</h4></div></div></div><a id="id962968" class="indexterm"></a><div class="para">
					The following <code class="command">smb.conf</code> file shows a sample configuration needed to implement an anonymous print server. Setting <code class="command">browseable</code> to <code class="command">no</code> as shown does not list the printer in Windows <span class="guilabel"><strong>Network Neighborhood</strong></span>. Although hidden from browsing, configuring the printer explicitly is possible. By connecting to <code class="command">DOCS_SRV</code> using NetBIOS, the client can have access to the printer if the client is also part of the <code class="command">DOCS</code> workgroup. It is also assumed that the client has the correct local printer driver installed, as the <code class="command">use client driver</code> directive is set to <code class="command">Yes</code>. In this case, the Samba server has no responsibility for sharing printer drivers to the client.
				</div><pre class="screen">[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = share
printcap name = cups
disable spools= Yes
show add printer wizard = No
printing = cups
[printers]
comment = All Printers
path = /var/spool/samba
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = Yes</pre></div><div class="section" id="s3-samba-standalone-readwriteall"><div class="titlepage"><div><div><h4 class="title" id="s3-samba-standalone-readwriteall">21.6.1.4. Secure Read/Write File and Print Server</h4></div></div></div><a id="id963041" class="indexterm"></a><div class="para">
					The following <code class="command">smb.conf</code> file shows a sample configuration needed to implement a secure read/write print server. Setting the <code class="command">security</code> directive to <code class="command">user</code> forces Samba to authenticate client connections. Notice the <code class="command">[homes]</code> share does not have a <code class="command">force user</code> or <code class="command">force group</code> directive as the <code class="command">[public]</code> share does. The <code class="command">[homes]</code> share uses the authenticated user details for any files created as opposed to the <code class="command">force user</code> and <code class="command">force group</code> in <code class="command">[public]</code>.
				</div><pre class="screen">[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = user
printcap name = cups
disable spools = Yes
show add printer wizard = No
printing = cups
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[public]
comment = Data
path = /export
force user = docsbot
force group = users
guest ok = Yes
[printers]
comment = All Printers
path = /var/spool/samba
printer admin = john, ed, @admins
create mask = 0600
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = Yes</pre></div></div><div class="section" id="s2-samba-domain-member"><div class="titlepage"><div><div><h3 class="title" id="s2-samba-domain-member">21.6.2. Domain Member Server</h3></div></div></div><a id="id963129" class="indexterm"></a><div class="para">
				A domain member, while similar to a stand-alone server, is logged into a domain controller (either Windows or Samba) and is subject to the domain's security rules. An example of a domain member server would be a departmental server running Samba that has a machine account on the Primary Domain Controller (PDC). All of the department's clients still authenticate with the PDC, and desktop profiles and all network policy files are included. The difference is that the departmental server has the ability to control printer and network shares.
			</div><div class="section" id="s3-samba-domain-member-ads"><div class="titlepage"><div><div><h4 class="title" id="s3-samba-domain-member-ads">21.6.2.1. Active Directory Domain Member Server</h4></div></div></div><a id="id963165" class="indexterm"></a><div class="para">
					The following <code class="command">smb.conf</code> file shows a sample configuration needed to implement an Active Directory domain member server. In this example, Samba authenticates users for services being run locally but is also a client of the Active Directory. Ensure that your kerberos <code class="command">realm</code> parameter is shown in all caps (for example <code class="command">realm = EXAMPLE.COM</code>). Since Windows 2000/2003 requires Kerberos for Active Directory authentication, the <code class="command">realm</code> directive is required. If Active Directory and Kerberos are running on different servers, the <code class="command">password server</code> directive may be required to help the distinction.
				</div><pre class="screen">[global]
realm = EXAMPLE.COM
security = ADS
encrypt passwords = yes
# Optional. Use only if Samba cannot determine the Kerberos server automatically.
password server = kerberos.example.com</pre><div class="para">
					In order to join a member server to an Active Directory domain, the following steps must be completed:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							Configuration of the <code class="filename">smb.conf</code> file on the member server
						</div></li><li class="listitem"><div class="para">
							Configuration of Kerberos, including the <code class="filename">/etc/krb5.conf</code> file, on the member server
						</div></li><li class="listitem"><div class="para">
							Creation of the machine account on the Active Directory domain server
						</div></li><li class="listitem"><div class="para">
							Association of the member server to the Active Directory domain
						</div></li></ul></div><div class="para">
					To create the machine account and join the Windows 2000/2003 Active Directory, Kerberos must first be initialized for the member server wishing to join the Active Directory domain. To create an administrative Kerberos ticket, type the following command as root on the member server:
				</div><pre class="screen"><code class="command">kinit administrator@EXAMPLE.COM</code></pre><div class="para">
					The <code class="command">kinit</code> command is a Kerberos initialization script that references the Active Directory administrator account and Kerberos realm. Since Active Directory requires Kerberos tickets, <code class="command">kinit</code> obtains and caches a Kerberos ticket-granting ticket for client/server authentication. For more information on Kerberos, the <code class="command">/etc/krb5.conf</code> file, and the <code class="command">kinit</code> command, refer to <a class="xref" href="#ch-kerberos">Section 46.6, “Kerberos”</a>.
				</div><div class="para">
					To join an Active Directory server (windows1.example.com), type the following command as root on the member server:
				</div><pre class="screen"><code class="command">net ads join -S windows1.example.com -U administrator%password</code></pre><div class="para">
					Since the machine <code class="command">windows1</code> was automatically found in the corresponding Kerberos realm (the <code class="command">kinit</code> command succeeded), the <code class="command">net</code> command connects to the Active Directory server using its required administrator account and password. This creates the appropriate machine account on the Active Directory and grants permissions to the Samba domain member server to join the domain.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						Since <code class="command">security = ads</code> and not <code class="command">security = user</code> is used, a local password backend such as <code class="filename">smbpasswd</code> is not needed. Older clients that do not support <code class="command">security = ads</code> are authenticated as if <code class="command">security = domain</code> had been set. This change does not affect functionality and allows local users not previously in the domain.
					</div></div></div></div><div class="section" id="s3-samba-domain-member-nt4"><div class="titlepage"><div><div><h4 class="title" id="s3-samba-domain-member-nt4">21.6.2.2. Windows NT4-based Domain Member Server</h4></div></div></div><a id="id959002" class="indexterm"></a><div class="para">
					The following <code class="command">smb.conf</code> file shows a sample configuration needed to implement a Windows NT4-based domain member server. Becoming a member server of an NT4-based domain is similar to connecting to an Active Directory. The main difference is NT4-based domains do not use Kerberos in their authentication method, making the <code class="command">smb.conf</code> file simpler. In this instance, the Samba member server functions as a pass through to the NT4-based domain server.
				</div><pre class="screen">[global]
workgroup = DOCS
netbios name = DOCS_SRV
security = domain
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[public]
comment = Data
path = /export
force user = docsbot
force group = users
guest ok = Yes</pre><div class="para">
					Having Samba as a domain member server can be useful in many situations. There are times where the Samba server can have other uses besides file and printer sharing. It may be beneficial to make Samba a domain member server in instances where Linux-only applications are required for use in the domain environment. Administrators appreciate keeping track of all machines in the domain, even if not Windows-based. In the event the Windows-based server hardware is deprecated, it is quite easy to modify the <code class="command">smb.conf</code> file to convert the server to a Samba-based PDC. If Windows NT-based servers are upgraded to Windows 2000/2003, the <code class="command">smb.conf</code> file is easily modifiable to incorporate the infrastructure change to Active Directory if needed.
				</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
						After configuring the <code class="command">smb.conf</code> file, join the domain <span class="emphasis"><em>before</em></span> starting Samba by typing the following command as root:
					</div><pre class="screen"><code class="command">net rpc join -U administrator%password</code></pre></div></div><div class="para">
					Note that the <code class="option">-S</code> option, which specifies the domain server hostname, does not need to be stated in the <code class="command">net rpc join</code> command. Samba uses the hostname specified by the <code class="command">workgroup</code> directive in the <code class="filename">smb.conf</code> file instead of it being stated explicitly.
				</div></div></div><div class="section" id="s2-samba-domain-controller"><div class="titlepage"><div><div><h3 class="title" id="s2-samba-domain-controller">21.6.3. Domain Controller</h3></div></div></div><a id="id959118" class="indexterm"></a><div class="para">
				A domain controller in Windows NT is functionally similar to a Network Information Service (NIS) server in a Linux environment. Domain controllers and NIS servers both host user/group information databases as well as related services. Domain controllers are mainly used for security, including the authentication of users accessing domain resources. The service that maintains the user/group database integrity is called the <em class="firstterm">Security Account Manager</em> (SAM). The SAM database is stored differently between Windows and Linux Samba-based systems, therefore SAM replication cannot be achieved and platforms cannot be mixed in a PDC/BDC environment.
			</div><div class="para">
				In a Samba environment, there can be only one PDC and zero or more BDCs.
			</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					Samba cannot exist in a mixed Samba/Windows domain controller environment (Samba cannot be a BDC of a Windows PDC or vice versa). Alternatively, Samba PDCs and BDCs <span class="emphasis"><em>can</em></span> coexist.
				</div></div></div><div class="section" id="s3-samba-pdc-tdbsam"><div class="titlepage"><div><div><h4 class="title" id="s3-samba-pdc-tdbsam">21.6.3.1. Primary Domain Controller (PDC) using <code class="command">tdbsam</code> </h4></div></div></div><a id="id959184" class="indexterm"></a><div class="para">
					The simplest and most common implementation of a Samba PDC uses the <code class="command">tdbsam</code> password database backend. Planned to replace the aging <code class="command">smbpasswd</code> backend, <code class="command">tdbsam</code> has numerous improvements that are explained in more detail in <a class="xref" href="#s1-samba-account-info-dbs">Section 21.8, “Samba Account Information Databases”</a>. The <code class="command">passdb backend</code> directive controls which backend is to be used for the PDC.
				</div><pre class="screen">[global]
workgroup = DOCS
netbios name = DOCS_SRV
passdb backend = tdbsam
security = user
add user script = /usr/sbin/useradd -m "%u"
delete user script = /usr/sbin/userdel -r "%u"
add group script = /usr/sbin/groupadd "%g"
delete group script = /usr/sbin/groupdel "%g"
add user to group script = /usr/sbin/usermod -G "%g" "%u"
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null  -g machines "%u"
# The following specifies the default logon script
# Per user logon scripts can be specified in the user
# account using pdbedit logon script = logon.bat
# This sets the default profile path.
# Set per user paths with pdbedit
logon drive = H:
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
[homes]
	comment = Home Directories
	valid users = %S
	read only = No
[netlogon]
	comment = Network Logon Service
	path = /var/lib/samba/netlogon/scripts
	browseable = No
	read only = No
# For profiles to work, create a user directory under the
# path shown.
<code class="command">mkdir -p /var/lib/samba/profiles/john</code>
[Profiles]
	comment = Roaming Profile Share
	path = /var/lib/samba/profiles
	read only = No
	browseable = No
	guest ok = Yes
	profile acls = Yes
# Other resource shares ... ...</pre><div class="para">
					To provide a functional PDC system which uses the <code class="command">tdbsam</code> follow these steps:
				</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
							Use a configuration of the <code class="filename">smb.conf</code> file as shown in the example above.
						</div></li><li class="listitem"><div class="para">
							Add the root user to the Samba password database.
						</div><pre class="screen"><code class="command">smbpasswd -a root</code>
Provide the password here.</pre></li><li class="listitem"><div class="para">
							Start the <code class="command">smb</code> service.
						</div></li><li class="listitem"><div class="para">
							Make sure all profile, user, and netlogon directories are created.
						</div></li><li class="listitem"><div class="para">
							Add groups that users can be members of.
						</div><pre class="screen"><code class="command">groupadd -f users</code>
<code class="command">groupadd -f nobody</code>
<code class="command">groupadd -f ntadmins</code></pre></li><li class="listitem"><div class="para">
							Associate the UNIX groups with their respective Windows groups. 
<pre class="screen"><code class="command">net groupmap add ntgroup="Domain Users" unixgroup=users</code>
<code class="command">net groupmap add ntgroup="Domain Guests" unixgroup=nobody</code>
<code class="command">net groupmap add ntgroup="Domain Admins" unixgroup=ntadmins</code></pre>

</div></li><li class="listitem"><div class="para">
							Grant access rights to a user or a group. For example, to grant the right to add client machines to the domain on a Samba domain controller, to the members to the Domain Admins group, execute the following command: 
<pre class="screen"><code class="command">net rpc rights grant 'DOCS\Domain Admins' SetMachineAccountPrivilege -S PDC -U root</code></pre>

</div></li></ol></div><div class="para">
					Keep in mind that Windows systems prefer to have a primary group which is mapped to a domain group such as Domain Users.
				</div><div class="para">
					Windows groups and users use the same namespace thus not allowing the existence of a group and a user with the same name like in UNIX.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						If you need more than one domain controller or have more than 250 users, do <span class="emphasis"><em>not</em></span> use a <code class="command">tdbsam</code> authentication backend. LDAP is recommended in these cases.
					</div></div></div></div><div class="section" id="samba-rgs-pdc-ads"><div class="titlepage"><div><div><h4 class="title" id="samba-rgs-pdc-ads">21.6.3.2. Primary Domain Controller (PDC) with Active Directory</h4></div></div></div><a id="id959451" class="indexterm"></a><div class="para">
					Although it is possible for Samba to be a member of an Active Directory, it is not possible for Samba to operate as an Active Directory domain controller.
				</div></div></div></div><div class="section" id="s1-samba-security-modes"><div class="titlepage"><div><div><h2 class="title" id="s1-samba-security-modes">21.7. Samba Security Modes</h2></div></div></div><a id="id959488" class="indexterm"></a><div class="para">
			There are only two types of security modes for Samba, <span class="emphasis"><em>share-level</em></span> and <span class="emphasis"><em>user-level</em></span>, which are collectively known as <span class="emphasis"><em><em class="firstterm">security levels</em> </em></span>. Share-level security can only be implemented in one way, while user-level security can be implemented in one of four different ways. The different ways of implementing a security level are called <span class="emphasis"><em><em class="firstterm">security modes</em> </em></span>.
		</div><div class="section" id="s2-samba-user-level"><div class="titlepage"><div><div><h3 class="title" id="s2-samba-user-level">21.7.1. User-Level Security</h3></div></div></div><a id="id959539" class="indexterm"></a><div class="para">
				User-level security is the default setting for Samba. Even if the <code class="command">security = user</code> directive is not listed in the <code class="command">smb.conf</code> file, it is used by Samba. If the server accepts the client's username/password, the client can then mount multiple shares without specifying a password for each instance. Samba can also accept session-based username/password requests. The client maintains multiple authentication contexts by using a unique UID for each logon.
			</div><div class="para">
				In <code class="command">smb.conf</code>, the <code class="command">security = user</code> directive that sets user-level security is:
			</div><pre class="screen">[GLOBAL]
...
security = user
...</pre><div class="para">
				The following sections describe other implementations of user-level security.
			</div><div class="section" id="s2-samba-domain-security-mode"><div class="titlepage"><div><div><h4 class="title" id="s2-samba-domain-security-mode">21.7.1.1. Domain Security Mode (User-Level Security)</h4></div></div></div><a id="id959607" class="indexterm"></a><div class="para">
					In domain security mode, the Samba server has a machine account (domain security trust account) and causes all authentication requests to be passed through to the domain controllers. The Samba server is made into a domain member server by using the following directives in <code class="command">smb.conf</code>:
				</div><pre class="screen">[GLOBAL]
...
security = domain
workgroup = MARKETING
...</pre></div><div class="section" id="s2-samba-ads-security-mode"><div class="titlepage"><div><div><h4 class="title" id="s2-samba-ads-security-mode">21.7.1.2. Active Directory Security Mode (User-Level Security)</h4></div></div></div><a id="id959650" class="indexterm"></a><div class="para">
					If you have an Active Directory environment, it is possible to join the domain as a native Active Directory member. Even if a security policy restricts the use of NT-compatible authentication protocols, the Samba server can join an ADS using Kerberos. Samba in Active Directory member mode can accept Kerberos tickets.
				</div><div class="para">
					In <code class="command">smb.conf</code>, the following directives make Samba an Active Directory member server:
				</div><pre class="screen">[GLOBAL]
...
security = ADS
realm = EXAMPLE.COM
password server = kerberos.example.com
...</pre></div><div class="section" id="s2-samba-server-security-mode"><div class="titlepage"><div><div><h4 class="title" id="s2-samba-server-security-mode">21.7.1.3. Server Security Mode (User-Level Security)</h4></div></div></div><a id="id959697" class="indexterm"></a><div class="para">
					Server security mode was previously used when Samba was not capable of acting as a domain member server.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						It is highly recommended to <span class="emphasis"><em>not</em></span> use this mode since there are numerous security drawbacks.
					</div></div></div><div class="para">
					In <code class="filename">smb.conf</code>, the following directives enable Samba to operate in server security mode:
				</div><pre class="screen">[GLOBAL]
...
encrypt passwords = Yes
security = server
password server = "NetBIOS_of_Domain_Controller"
...</pre></div></div><div class="section" id="s2-samba-share-level"><div class="titlepage"><div><div><h3 class="title" id="s2-samba-share-level">21.7.2. Share-Level Security</h3></div></div></div><a id="id959765" class="indexterm"></a><div class="para">
				With share-level security, the server accepts only a password without an explicit username from the client. The server expects a password for each share, independent of the username. There have been recent reports that Microsoft Windows clients have compatibility issues with share-level security servers. Samba developers strongly discourage use of share-level security.
			</div><div class="para">
				In <code class="filename">smb.conf</code>, the <code class="command">security = share</code> directive that sets share-level security is:
			</div><pre class="screen">[GLOBAL]
...
security = share
...</pre></div></div><div class="section" id="s1-samba-account-info-dbs"><div class="titlepage"><div><div><h2 class="title" id="s1-samba-account-info-dbs">21.8. Samba Account Information Databases</h2></div></div></div><a id="id959817" class="indexterm"></a><div class="para">
			The latest release of Samba offers many new features including new password database backends not previously available. Samba version 3.0.0 fully supports all databases used in previous versions of Samba. However, although supported, many backends may not be suitable for production use.
		</div><div class="para">
			The following is a list different backends you can use with Samba. Other backends not listed here may also be available.
		</div><a id="id959846" class="indexterm"></a><a id="id959861" class="indexterm"></a><a id="id959879" class="indexterm"></a><a id="id959901" class="indexterm"></a><a id="id959923" class="indexterm"></a><a id="id959938" class="indexterm"></a><a id="id959960" class="indexterm"></a><a id="id959982" class="indexterm"></a><a id="id960005" class="indexterm"></a><div class="variablelist"><dl><dt class="varlistentry"><span class="term">Plain Text</span></dt><dd><div class="para">
						Plain text backends are nothing more than the <code class="command">/etc/passwd</code> type backends. With a plain text backend, all usernames and passwords are sent unencrypted between the client and the Samba server. This method is very unsecure and is not recommended for use by any means. It is possible that different Windows clients connecting to the Samba server with plain text passwords cannot support such an authentication method.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="command">smbpasswd</code> </span></dt><dd><div class="para">
						A popular backend used in previous Samba packages, the <code class="command">smbpasswd</code> backend utilizes a plain ASCII text layout that includes the MS Windows LanMan and NT account, and encrypted password information. The <code class="command">smbpasswd</code> backend lacks the storage of the Windows NT/2000/2003 SAM extended controls. The <code class="command">smbpasswd</code> backend is not recommended because it does not scale well or hold any Windows information, such as RIDs for NT-based groups. The <code class="command">tdbsam</code> backend solves these issues for use in a smaller database (250 users), but is still not an enterprise-class solution. 
					</div></dd><dt class="varlistentry"><span class="term"> <code class="command">ldapsam_compat</code> </span></dt><dd><div class="para">
						The <code class="command">ldapsam_compat</code> backend allows continued OpenLDAP support for use with upgraded versions of Samba. This option normally used when migrating to Samba 3.0.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="command">tdbsam</code> </span></dt><dd><div class="para">
						The <code class="command">tdbsam</code> backend provides an ideal database backend for local servers, servers that do not need built-in database replication, and servers that do not require the scalability or complexity of LDAP. The <code class="command">tdbsam</code> backend includes all of the <code class="command">smbpasswd</code> database information as well as the previously-excluded SAM information. The inclusion of the extended SAM data allows Samba to implement the same account and system access controls as seen with Windows NT/2000/2003-based systems.
					</div><div class="para">
						The <code class="command">tdbsam</code> backend is recommended for 250 users at most. Larger organizations should require Active Directory or LDAP integration due to scalability and possible network infrastructure concerns.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="command">ldapsam</code> </span></dt><dd><div class="para">
						The <code class="command">ldapsam</code> backend provides an optimal distributed account installation method for Samba. LDAP is optimal because of its ability to replicate its database to any number of servers using the OpenLDAP <code class="command">slurpd</code> daemon. LDAP databases are light-weight and scalable, and as such are preferred by large enterprises.
					</div><div class="para">
						If you are upgrading from a previous version of Samba to 3.0, note that the <code class="filename">/usr/share/doc/samba-<em class="replaceable"><code>&lt;version&gt;</code></em>/LDAP/samba.schema</code> has changed. This file contains the <em class="firstterm">attribute syntax definitions</em> and <em class="firstterm">objectclass definitions</em> that the <code class="command">ldapsam</code> backend will need in order to function properly.
					</div><div class="para">
						As such, if you are using the <code class="command">ldapsam</code> backend for your Samba server, you will need to configure <code class="command">slapd</code> to include this schema file. Refer to <a class="xref" href="#s1-ldap-files-schemas">Section 26.5, “The <code class="filename">/etc/openldap/schema/</code> Directory”</a> for directions on how to do this.
					</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
							You will need to have the <code class="filename">openldap-server</code> package installed if you want to use the <code class="command">ldapsam</code> backend.
						</div></div></div></dd><dt class="varlistentry"><span class="term"> <code class="command">mysqlsam</code> </span></dt><dd><div class="para">
						The <code class="command">mysqlsam</code> backend uses a MySQL-based database backend. This is useful for sites that already implement MySQL. At present, <code class="command">mysqlsam</code> is now packed in a module separate from Samba, and as such is not officially supported by Samba.
					</div></dd></dl></div></div><div class="section" id="s1-samba-network-browsing"><div class="titlepage"><div><div><h2 class="title" id="s1-samba-network-browsing">21.9. Samba Network Browsing</h2></div></div></div><a id="id960318" class="indexterm"></a><a id="id960332" class="indexterm"></a><div class="para">
			<em class="firstterm">Network browsing</em> enables Windows and Samba servers to appear in the Windows <span class="guilabel"><strong>Network Neighborhood</strong></span>. Inside the <span class="guilabel"><strong>Network Neighborhood</strong></span>, icons are represented as servers and if opened, the server's shares and printers that are available are displayed.
		</div><div class="para">
			Network browsing capabilities require NetBIOS over TCP/IP. NetBIOS-based networking uses broadcast (UDP) messaging to accomplish browse list management. Without NetBIOS and WINS as the primary method for TCP/IP hostname resolution, other methods such as static files (<code class="filename">/etc/hosts</code>) or DNS, must be used.
		</div><div class="para">
			A domain master browser collates the browse lists from local master browsers on all subnets so that browsing can occur between workgroups and subnets. Also, the domain master browser should preferably be the local master browser for its own subnet.
		</div><div class="section" id="s2-samba-domain-browsing"><div class="titlepage"><div><div><h3 class="title" id="s2-samba-domain-browsing">21.9.1. Domain Browsing</h3></div></div></div><a id="id960418" class="indexterm"></a><div class="para">
				By default, a Windows server PDC for a domain is also the domain master browser for that domain. A Samba server must <span class="emphasis"><em>not</em></span> be set up as a domain master server in this type of situation
			</div><div class="para">
				For subnets that do not include the Windows server PDC, a Samba server can be implemented as a local master browser. Configuring the <code class="filename">smb.conf</code> for a local master browser (or no browsing at all) in a domain controller environment is the same as workgroup configuration.
			</div></div><div class="section" id="s2-samba-wins"><div class="titlepage"><div><div><h3 class="title" id="s2-samba-wins">21.9.2. WINS (Windows Internetworking Name Server)</h3></div></div></div><a id="id960473" class="indexterm"></a><a id="id960487" class="indexterm"></a><div class="para">
				Either a Samba server or a Windows NT server can function as a WINS server. When a WINS server is used with NetBIOS enabled, UDP unicasts can be routed which allows name resolution across networks. Without a WINS server, the UDP broadcast is limited to the local subnet and therefore cannot be routed to other subnets, workgroups, or domains. If WINS replication is necessary, do not use Samba as your primary WINS server, as Samba does not currently support WINS replication.
			</div><div class="para">
				In a mixed NT/2000/2003 server and Samba environment, it is recommended that you use the Microsoft WINS capabilities. In a Samba-only environment, it is recommended that you use <span class="emphasis"><em>only one</em></span> Samba server for WINS.
			</div><div class="para">
				The following is an example of the <code class="filename">smb.conf</code> file in which the Samba server is serving as a WINS server:
			</div><pre class="screen">[global]
wins support = Yes</pre><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
					All servers (including Samba) should connect to a WINS server to resolve NetBIOS names. Without WINS, browsing only occurs on the local subnet. Furthermore, even if a domain-wide list is somehow obtained, hosts  cannot be resolved for the client without WINS.
				</div></div></div></div></div><div class="section" id="s1-samba-cups"><div class="titlepage"><div><div><h2 class="title" id="s1-samba-cups">21.10. Samba with CUPS Printing Support</h2></div></div></div><a id="id960563" class="indexterm"></a><div class="para">
			Samba allows client machines to share printers connected to the Samba server. In addition, Samba also allows client machines to send documents built in Linux to Windows printer shares. Although there are other printing systems that function with Red Hat Enterprise Linux, CUPS (Common UNIX Print System) is the recommended printing system due to its close integration with Samba.
		</div><div class="section" id="s2-samba-cups-smb.conf"><div class="titlepage"><div><div><h3 class="title" id="s2-samba-cups-smb.conf">21.10.1. Simple <code class="filename">smb.conf</code> Settings</h3></div></div></div><a id="id960604" class="indexterm"></a><div class="para">
				The following example shows a very basic <code class="filename">smb.conf</code> configuration for CUPS support:
			</div><pre class="screen">[global]
load printers = Yes
printing = cups
printcap name = cups
[printers]
comment = All Printers
path = /var/spool/samba/print
printer = IBMInfoP
browseable = No
public = Yes
guest ok = Yes
writable = No
printable = Yes
printer admin = @ntadmins
[print$]
comment = Printer Drivers Share
path = /var/lib/samba/drivers
write list = ed, john
printer admin = ed, john</pre><div class="para">
				Other printing configurations are also possible. To add additional security and privacy for printing confidential documents, users can have their own print spooler not located in a public path. If a job fails, other users would not have access to the file.
			</div><div class="para">
				The <code class="command">print$</code> share contains printer drivers for clients to access if not available locally. The <code class="command">print$</code> share is optional and may not be required depending on the organization.
			</div><div class="para">
				Setting <code class="command">browseable</code> to <code class="command">Yes</code> enables the printer to be viewed in the Windows Network Neighborhood, provided the Samba server is set up correctly in the domain/workgroup.
			</div></div></div><div class="section" id="s1-samba-programs"><div class="titlepage"><div><div><h2 class="title" id="s1-samba-programs">21.11. Samba Distribution Programs</h2></div></div></div><a id="id960683" class="indexterm"></a><div class="formalpara" id="s2-samba-programs-findsmb"><h5 class="formalpara"> <code class="filename">findsmb</code> </h5><a id="id960710" class="indexterm"></a><a id="id960733" class="indexterm"></a>
				<code class="command">findsmb <em class="replaceable"><code>&lt;subnet_broadcast_address&gt;</code></em> </code>
			</div><div class="para">
			The <code class="command">findsmb</code> program is a Perl script which reports information about SMB-aware systems on a specific subnet. If no subnet is specified the local subnet is used. Items displayed include IP address, NetBIOS name, workgroup or domain name, operating system, and version.
		</div><div class="para">
			The following example shows the output of executing <code class="command">findsmb</code> as any valid user on a system:
		</div><pre class="screen">~]# <code class="command">findsmb</code>
IP ADDR       NETBIOS NAME  WORKGROUP/OS/VERSION
------------------------------------------------------------------
10.1.59.25    VERVE         [MYGROUP] [Unix] [Samba 3.0.0-15]
10.1.59.26    STATION22     [MYGROUP] [Unix] [Samba 3.0.2-7.FC1]
10.1.56.45    TREK         +[WORKGROUP] [Windows 5.0] [Windows 2000 LAN Manager]
10.1.57.94    PIXEL         [MYGROUP] [Unix] [Samba 3.0.0-15]
10.1.57.137   MOBILE001     [WORKGROUP] [Windows 5.0] [Windows 2000 LAN Manager]
10.1.57.141   JAWS         +[KWIKIMART] [Unix] [Samba 2.2.7a-security-rollup-fix]
10.1.56.159   FRED         +[MYGROUP] [Unix] [Samba 3.0.0-14.3E]
10.1.59.192   LEGION       *[MYGROUP] [Unix] [Samba 2.2.7-security-rollup-fix]
10.1.56.205   NANCYN       +[MYGROUP] [Unix] [Samba 2.2.7a-security-rollup-fix]</pre><div class="formalpara" id="s2-samba-programs-net"><h5 class="formalpara"> <code class="filename">net</code> </h5><a id="id960833" class="indexterm"></a><a id="id960855" class="indexterm"></a>
				<code class="command">net <em class="replaceable"><code>&lt;protocol&gt; &lt;function&gt; &lt;misc_options&gt; &lt;target_options&gt;</code></em> </code>
			</div><div class="para">
			The <code class="command">net</code> utility is similar to the <code class="command">net</code> utility used for Windows and MS-DOS. The first argument is used to specify the protocol to use when executing a command. The <code class="command"><em class="replaceable"><code>&lt;protocol&gt;</code></em> </code> option can be <code class="command">ads</code>, <code class="command">rap</code>, or <code class="command">rpc</code> for specifying the type of server connection. Active Directory uses <code class="command">ads</code>, Win9x/NT3 uses <code class="command">rap</code>, and Windows NT4/2000/2003 uses <code class="command">rpc</code>. If the protocol is omitted, <code class="command">net</code> automatically tries to determine it.
		</div><div class="para">
			The following example displays a list the available shares for a host named <code class="command">wakko</code>:
		</div><pre class="screen">~]# <code class="command">net -l share -S wakko</code>
Password:

Enumerating shared resources (exports) on remote server:

Share name   Type     Description
----------   ----     -----------
data         Disk     Wakko data share
tmp          Disk     Wakko tmp share
IPC$         IPC      IPC Service (Samba Server)
ADMIN$       IPC      IPC Service (Samba Server)</pre><div class="para">
			The following example displays a list of Samba users for a host named <code class="command">wakko</code>:
		</div><pre class="screen">~]# <code class="command">net -l user -S wakko</code>
root password:
User name             Comment
-----------------------------
andriusb              Documentation
joe                   Marketing
lisa                  Sales</pre><div class="formalpara" id="s2-samba-programs-nmblookup"><h5 class="formalpara"> <code class="filename">nmblookup</code> </h5><a id="id960981" class="indexterm"></a><a id="id961003" class="indexterm"></a>
				<code class="command">nmblookup <em class="replaceable"><code>&lt;options&gt; &lt;netbios_name&gt;</code></em> </code>
			</div><div class="para">
			The <code class="command">nmblookup</code> program resolves NetBIOS names into IP addresses. The program broadcasts its query on the local subnet until the target machine replies.
		</div><div class="para">
			Here is an example:
		</div><pre class="screen">~]# <code class="command">nmblookup trek</code>
querying trek on 10.1.59.255
10.1.56.45 trek&lt;00&gt;</pre><div class="formalpara" id="s2-samba-programs-pdbedit"><h5 class="formalpara"> <code class="filename">pdbedit</code> </h5><a id="id932119" class="indexterm"></a><a id="id932142" class="indexterm"></a>
				<code class="command">pdbedit <em class="replaceable"><code>&lt;options&gt;</code></em> </code>
			</div><div class="para">
			The <code class="command">pdbedit</code> program manages accounts located in the SAM database. All backends are supported including <code class="filename">smbpasswd</code>, LDAP, NIS+, and the <code class="filename">tdb</code> database library.
		</div><div class="para">
			The following are examples of adding, deleting, and listing users:
		</div><pre class="screen">~]# <code class="command">pdbedit -a kristin</code>
new password:
retype new password:
Unix username:        kristin
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1210235352-3804200048-1474496110-2012
Primary Group SID:    S-1-5-21-1210235352-3804200048-1474496110-2077
Full Name: Home Directory:       \\wakko\kristin
HomeDir Drive:
Logon Script:
Profile Path:         \\wakko\kristin\profile
Domain:               WAKKO
Account desc:
Workstations: Munged
dial:
Logon time:           0
Logoff time:          Mon, 18 Jan 2038 22:14:07 GMT
Kickoff time:         Mon, 18 Jan 2038 22:14:07 GMT
Password last set:    Thu, 29 Jan 2004 08:29:28
GMT Password can change:  Thu, 29 Jan 2004 08:29:28 GMT
Password must change: Mon, 18 Jan 2038 22:14:07 GMT

~]# <code class="command">pdbedit -v -L kristin</code>
Unix username:        kristin
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-1210235352-3804200048-1474496110-2012
Primary Group SID:    S-1-5-21-1210235352-3804200048-1474496110-2077
Full Name:
Home Directory:       \\wakko\kristin
HomeDir Drive:
Logon Script:
Profile Path:         \\wakko\kristin\profile
Domain:               WAKKO
Account desc:
Workstations: Munged
dial:
Logon time:           0
Logoff time:          Mon, 18 Jan 2038 22:14:07 GMT
Kickoff time:         Mon, 18 Jan 2038 22:14:07 GMT
Password last set:    Thu, 29 Jan 2004 08:29:28 GMT
Password can change:  Thu, 29 Jan 2004 08:29:28 GMT
Password must change: Mon, 18 Jan 2038 22:14:07 GMT

~]# <code class="command">pdbedit -L</code>
andriusb:505:
joe:503:
lisa:504:
kristin:506:

~]# <code class="command">pdbedit -x joe</code>
~]# <code class="command">pdbedit -L</code>

andriusb:505: lisa:504: kristin:506:</pre><div class="formalpara" id="s2-samba-programs-rpcclient"><h5 class="formalpara"> <code class="filename">rpcclient</code> </h5><a id="id932241" class="indexterm"></a><a id="id932263" class="indexterm"></a>
				<code class="command">rpcclient <em class="replaceable"><code>&lt;server&gt; &lt;options&gt;</code></em> </code>
			</div><div class="para">
			The <code class="command">rpcclient</code> program issues administrative commands using Microsoft RPCs, which provide access to the Windows administration graphical user interfaces (GUIs) for systems management. This is most often used by advanced users that understand the full complexity of Microsoft RPCs.
		</div><div class="formalpara" id="s2-samba-programs-smbcacls"><h5 class="formalpara"> <code class="filename">smbcacls</code> </h5><a id="id932317" class="indexterm"></a><a id="id932339" class="indexterm"></a>
				<code class="command">smbcacls <em class="replaceable"><code>&lt;//server/share&gt; &lt;filename&gt; &lt;options&gt;</code></em> </code>
			</div><div class="para">
			The <code class="command">smbcacls</code> program modifies Windows ACLs on files and directories shared by the Samba server.
		</div><div class="formalpara" id="s2-samba-programs-smbclient"><h5 class="formalpara"> <code class="filename">smbclient</code> </h5><a id="id932390" class="indexterm"></a><a id="id932413" class="indexterm"></a>
				<code class="command">smbclient <em class="replaceable"><code>&lt;//server/share&gt; &lt;password&gt; &lt;options&gt;</code></em> </code>
			</div><div class="para">
			The <code class="command">smbclient</code> program is a versatile UNIX client which provides functionality similar to <code class="command">ftp</code>.
		</div><div class="formalpara" id="s2-samba-programs-smbcontrol"><h5 class="formalpara"> <code class="filename">smbcontrol</code> </h5><a id="id932468" class="indexterm"></a><a id="id932490" class="indexterm"></a>
				<code class="command">smbcontrol -i <em class="replaceable"><code>&lt;options&gt;</code></em> </code>
			</div><div class="para">
			<code class="command">smbcontrol <em class="replaceable"><code>&lt;options&gt; &lt;destination&gt; &lt;messagetype&gt; &lt;parameters&gt;</code></em> </code>
		</div><div class="para">
			The <code class="command">smbcontrol</code> program sends control messages to running <code class="command">smbd</code> or <code class="command">nmbd</code> daemons. Executing <code class="command">smbcontrol -i</code> runs commands interactively until a blank line or a 'q' is entered.
		</div><div class="formalpara" id="s2-samba-programs-smbpasswd"><h5 class="formalpara"> <code class="filename">smbpasswd</code> </h5><a id="id932585" class="indexterm"></a><a id="id932608" class="indexterm"></a>
				<code class="command">smbpasswd <em class="replaceable"><code>&lt;options&gt; &lt;username&gt; &lt;password&gt;</code></em> </code>
			</div><div class="para">
			The <code class="command">smbpasswd</code> program manages encrypted passwords. This program can be run by a superuser to change any user's password as well as by an ordinary user to change their own Samba password.
		</div><div class="formalpara" id="s2-samba-programs-smbspool"><h5 class="formalpara"> <code class="filename">smbspool</code> </h5><a id="id932660" class="indexterm"></a><a id="id932683" class="indexterm"></a>
				<code class="command">smbspool <em class="replaceable"><code>&lt;job&gt; &lt;user&gt; &lt;title&gt; &lt;copies&gt; &lt;options&gt; &lt;filename&gt;</code></em> </code>
			</div><div class="para">
			The <code class="command">smbspool</code> program is a CUPS-compatible printing interface to Samba. Although designed for use with CUPS printers, <code class="command">smbspool</code> can work with non-CUPS printers as well.
		</div><div class="formalpara" id="s2-samba-programs-smbstatus"><h5 class="formalpara"> <code class="filename">smbstatus</code> </h5><a id="id932739" class="indexterm"></a><a id="id932761" class="indexterm"></a>
				<code class="command">smbstatus <em class="replaceable"><code>&lt;options&gt;</code></em> </code>
			</div><div class="para">
			The <code class="command">smbstatus</code> program displays the status of current connections to a Samba server.
		</div><div class="formalpara" id="s2-samba-programs-smbtar"><h5 class="formalpara"> <code class="filename">smbtar</code> </h5><a id="id932812" class="indexterm"></a><a id="id932835" class="indexterm"></a>
				<code class="command">smbtar <em class="replaceable"><code>&lt;options&gt;</code></em> </code>
			</div><div class="para">
			The <code class="command">smbtar</code> program performs backup and restores of Windows-based share files and directories to a local tape archive. Though similar to the <code class="command">tar</code> command, the two are not compatible.
		</div><div class="formalpara" id="s2-samba-programs-testparm"><h5 class="formalpara"> <code class="filename">testparm</code> </h5><a id="id932891" class="indexterm"></a><a id="id932914" class="indexterm"></a>
				<code class="command">testparm <em class="replaceable"><code>&lt;options&gt; &lt;filename&gt; &lt;hostname IP_address&gt;</code></em> </code>
			</div><div class="para">
			The <code class="command">testparm</code> program checks the syntax of the <code class="filename">smb.conf</code> file. If your <code class="filename">smb.conf</code> file is in the default location (<code class="filename">/etc/samba/smb.conf</code>) you do not need to specify the location. Specifying the hostname and IP address to the <code class="command">testparm</code> program verifies that the <code class="filename">hosts.allow</code> and <code class="filename">host.deny</code> files are configured correctly. The <code class="command">testparm</code> program also displays a summary of your <code class="filename">smb.conf</code> file and the server's role (stand-alone, domain, etc.) after testing. This is convenient when debugging as it excludes comments and concisely presents information for experienced administrators to read.
		</div><div class="para">
			For example:
		</div><pre class="screen">~]# <code class="command">testparm</code>
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[tmp]"
Processing section "[html]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

<strong class="userinput"><code>&lt;enter&gt;</code></strong>
# Global parameters
[global]
	workgroup = MYGROUP
	server string = Samba Server
	security = SHARE
	log file = /var/log/samba/%m.log
	max log size = 50
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	dns proxy = No
[homes]
	comment = Home Directories
	read only = No
	browseable = No
[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No
[tmp]
	comment = Wakko tmp
	path = /tmp
	guest only = Yes
[html]
	comment = Wakko www
	path = /var/www/html
	force user = andriusb
	force group = users
	read only = No
	guest only = Yes</pre><div class="formalpara" id="s2-samba-programs-wbinfo"><h5 class="formalpara"> <code class="filename">wbinfo</code> </h5><a id="id933030" class="indexterm"></a><a id="id933053" class="indexterm"></a>
				<code class="command">wbinfo <em class="replaceable"><code>&lt;options&gt;</code></em> </code>
			</div><div class="para">
			The <code class="command">wbinfo</code> program displays information from the <code class="command">winbindd</code> daemon. The <code class="command">winbindd</code> daemon must be running for <code class="command">wbinfo</code> to work.
		</div></div><div class="section" id="s1-samba-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-samba-resources">21.12. Additional Resources</h2></div></div></div><a id="id933114" class="indexterm"></a><div class="para">
			The following sections give you the means to explore Samba in greater detail.
		</div><div class="section" id="s2-samba-resources-installed"><div class="titlepage"><div><div><h3 class="title" id="s2-samba-resources-installed">21.12.1. Installed Documentation</h3></div></div></div><a id="id933141" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="filename">/usr/share/doc/samba-&lt;<em class="replaceable"><code>version-number</code></em>&gt;/</code> — All additional files included with the Samba distribution. This includes all helper scripts, sample configuration files, and documentation.
					</div><div class="para">
						This directory also contains online versions of <em class="citetitle">The Official Samba-3 HOWTO-Collection</em> and <em class="citetitle">Samba-3 by Example</em>, both of which are cited below.
					</div></li></ul></div></div><div class="section" id="s2-samba-resources-published"><div class="titlepage"><div><div><h3 class="title" id="s2-samba-resources-published">21.12.2. Related Books</h3></div></div></div><a id="id933202" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<em class="citetitle">The Official Samba-3 HOWTO-Collection</em> by John H. Terpstra and Jelmer R. Vernooij; Prentice Hall — The official Samba-3 documentation as issued by the Samba development team. This is more of a reference guide than a step-by-step guide.
					</div></li><li class="listitem"><div class="para">
						<em class="citetitle">Samba-3 by Example</em> by John H. Terpstra; Prentice Hall — This is another official release issued by the Samba development team which discusses detailed examples of OpenLDAP, DNS, DHCP, and printing configuration files. This has step-by-step related information that helps in real-world implementations.
					</div></li><li class="listitem"><div class="para">
						<em class="citetitle">Using Samba, 2nd Edition</em> by Jay T's, Robert Eckstein, and David Collier-Brown; O'Reilly — A good resource for novice to advanced users, which includes comprehensive reference material.
					</div></li></ul></div></div><div class="section" id="s2-samba-resources-community"><div class="titlepage"><div><div><h3 class="title" id="s2-samba-resources-community">21.12.3. Useful Websites</h3></div></div></div><a id="id933276" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://www.samba.org/">http://www.samba.org/</a> — Homepage for the Samba distribution and all official documentation created by the Samba development team. Many resources are available in HTML and PDF formats, while others are only available for purchase. Although many of these links are not Red Hat Enterprise Linux specific, some concepts may apply.
					</div></li><li class="listitem"><div class="para">
						<a href="http://us1.samba.org/samba/archives.html">http://samba.org/samba/archives.html </a> — Active email lists for the Samba community. Enabling digest mode is recommended due to high levels of list activity.
					</div></li><li class="listitem"><div class="para">
						Samba newsgroups — Samba threaded newsgroups, such as gmane.org, that use the NNTP protocol are also available. This an alternative to receiving mailing list emails.
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-dhcp" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 22. Dynamic Host Configuration Protocol (DHCP)</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-dhcp-why">22.1. Why Use DHCP?</a></span></dt><dt><span class="section"><a href="#s1-dhcp-configuring-server">22.2. Configuring a DHCP Server</a></span></dt><dd><dl><dt><span class="section"><a href="#config-file">22.2.1. Configuration File</a></span></dt><dt><span class="section"><a href="#lease-database">22.2.2. Lease Database</a></span></dt><dt><span class="section"><a href="#id1071897">22.2.3. Starting and Stopping the Server</a></span></dt><dt><span class="section"><a href="#dhcp-relay-agent">22.2.4. DHCP Relay Agent</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-dhcp-configuring-client">22.3. Configuring a DHCP Client</a></span></dt><dt><span class="section"><a href="#sect-Configuring_a_Multihomed_DHCP_Server">22.4. Configuring a Multihomed DHCP Server</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-dns_Host_Configuration">22.4.1. Host Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-dhcp-additional-resources">22.5. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-dhcp-installed-docs">22.5.1. Installed Documentation</a></span></dt></dl></dd></dl></div><a id="id1063734" class="indexterm"></a><a id="id841305" class="indexterm"></a><div class="para">
		Dynamic Host Configuration Protocol (<acronym class="acronym">DHCP</acronym>) is a network protocol that automatically assigns TCP/IP information to client machines. Each DHCP client connects to the centrally located DHCP server, which returns that client's network configuration (including the IP address, gateway, and DNS servers).
	</div><div class="section" id="s1-dhcp-why"><div class="titlepage"><div><div><h2 class="title" id="s1-dhcp-why">22.1. Why Use DHCP?</h2></div></div></div><a id="id782397" class="indexterm"></a><div class="para">
			DHCP is useful for automatic configuration of client network interfaces. When configuring the client system, the administrator chooses DHCP instead of specifying an IP address, netmask, gateway, or DNS servers. The client retrieves this information from the DHCP server. DHCP is also useful if an administrator wants to change the IP addresses of a large number of systems. Instead of reconfiguring all the systems, he can just edit one DHCP configuration file on the server for the new set of IP addresses. If the DNS servers for an organization changes, the changes are made on the DHCP server, not on the DHCP clients. When the administrator restarts the network or reboots the clients, the changes will go into effect.
		</div><div class="para">
			If an organization has a functional DHCP server properly connected to a network, laptops and other mobile computer users can move these devices from office to office.
		</div></div><div class="section" id="s1-dhcp-configuring-server"><div class="titlepage"><div><div><h2 class="title" id="s1-dhcp-configuring-server">22.2. Configuring a DHCP Server</h2></div></div></div><a id="id871559" class="indexterm"></a><div class="para">
			The <code class="filename">dhcp</code> package contains an ISC DHCP server. First, install the package as the superuser:
		</div><pre class="screen">~]# <code class="command">yum install dhcp</code></pre><div class="para">
			Installing the <code class="filename">dhcp</code> package creates a file, <code class="filename">/etc/dhcpd.conf</code>, which is merely an empty configuration file:
		</div><pre class="screen">~]# <code class="command">cat /etc/dhcpd.conf</code>
#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample</pre><div class="para">
			The sample configuration file can be found at <code class="filename">/usr/share/doc/dhcp-&lt;<em class="replaceable"><code>version</code></em>&gt;/dhcpd.conf.sample</code>. You should use this file to help you configure <code class="filename">/etc/dhcpd.conf</code>, which is explained in detail below.
		</div><div class="para">
			DHCP also uses the file <code class="filename">/var/lib/dhcpd/dhcpd.leases</code> to store the client lease database. Refer to <a class="xref" href="#lease-database">Section 22.2.2, “Lease Database”</a> for more information.
		</div><div class="section" id="config-file"><div class="titlepage"><div><div><h3 class="title" id="config-file">22.2.1. Configuration File</h3></div></div></div><a id="id921700" class="indexterm"></a><a id="id855260" class="indexterm"></a><div class="para">
				The first step in configuring a DHCP server is to create the configuration file that stores the network information for the clients. Use this file to declare options and global options for client systems.
			</div><div class="para">
				The configuration file can contain extra tabs or blank lines for easier formatting. Keywords are case-insensitive and lines beginning with a hash mark (#) are considered comments.
			</div><div class="para">
				Two DNS update schemes are currently implemented — the ad-hoc DNS update mode and the interim DHCP-DNS interaction draft update mode. If and when these two are accepted as part of the Internet Engineering Task Force (IETF) standards process, there will be a third mode — the standard DNS update method. You must configure the DNS server for compatibility with these schemes. Version 3.0b2pl11 and previous versions used the ad-hoc mode; however, it has been deprecated. To keep the same behavior, add the following line to the top of the configuration file:
			</div><pre class="screen">ddns-update-style ad-hoc;</pre><div class="para">
				To use the recommended mode, add the following line to the top of the configuration file:
			</div><pre class="screen">ddns-update-style interim;</pre><div class="para">
				Refer to the <code class="filename">dhcpd.conf</code> man page for details about the different modes.
			</div><div class="para">
				There are two types of statements in the configuration file:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Parameters — State how to perform a task, whether to perform a task, or what network configuration options to send to the client.
					</div></li><li class="listitem"><div class="para">
						Declarations — Describe the topology of the network, describe the clients, provide addresses for the clients, or apply a group of parameters to a group of declarations.
					</div></li></ul></div><a id="id969019" class="indexterm"></a><div class="para">
				The parameters that start with the keyword option are referred to as <em class="firstterm">options</em>. These options control DHCP options; whereas, parameters configure values that are not optional or control how the DHCP server behaves.
			</div><a id="id969041" class="indexterm"></a><div class="para">
				Parameters (including options) declared before a section enclosed in curly brackets ({ }) are considered global parameters. Global parameters apply to all the sections below it.
			</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					If the configuration file is changed, the changes do not take effect until the DHCP daemon is restarted with the command <code class="command">service dhcpd restart</code>.
				</div></div></div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
					Instead of changing a DHCP configuration file and restarting the service each time, using the <code class="command">omshell</code> command provides an interactive way to connect to, query, and change the configuration of a DHCP server. By using <code class="command">omshell</code>, all changes can be made while the server is running. For more information on <code class="command">omshell</code>, refer to the <code class="command">omshell</code> man page.
				</div></div></div><div class="para">
				In <a class="xref" href="#subnet">Example 22.1, “Subnet Declaration”</a>, the <code class="filename">routers</code>, <code class="filename">subnet-mask</code>, <code class="filename">domain-name</code>, <code class="filename">domain-name-servers</code>, and <code class="filename">time-offset</code> options are used for any <code class="filename">host</code> statements declared below it.
			</div><a id="id1046453" class="indexterm"></a><div class="para">
				Additionally, a <code class="filename">subnet</code> can be declared, a <code class="filename">subnet</code> declaration must be included for every subnet in the network. If it is not, the DHCP server fails to start.
			</div><div class="para">
				In this example, there are global options for every DHCP client in the subnet and a <code class="filename">range</code> declared. Clients are assigned an IP address within the <code class="filename">range</code>.
			</div><div class="example" id="subnet"><h6>Example 22.1. Subnet Declaration</h6><div class="example-contents"><pre class="screen">subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers                  192.168.1.254;
        option subnet-mask              255.255.255.0;

option domain-name              "example.com";
        option domain-name-servers       192.168.1.1;

option time-offset              -18000;     # Eastern Standard Time

range 192.168.1.10 192.168.1.100;
}</pre></div></div><br class="example-break" /><a id="id970227" class="indexterm"></a><div class="para">
				All subnets that share the same physical network should be declared within a <code class="filename">shared-network</code> declaration as shown in <a class="xref" href="#shared-network">Example 22.2, “Shared-network Declaration”</a>. Parameters within the <code class="filename">shared-network</code>, but outside the enclosed <code class="filename">subnet</code> declarations, are considered to be global parameters. The name of the <code class="filename">shared-network</code> must be a descriptive title for the network, such as using the title 'test-lab' to describe all the subnets in a test lab environment.
			</div><div class="example" id="shared-network"><h6>Example 22.2. Shared-network Declaration</h6><div class="example-contents"><pre class="screen">shared-network name {
    option domain-name              "test.redhat.com";
    option domain-name-servers      ns1.redhat.com, ns2.redhat.com;
    option routers                  192.168.0.254;
    more parameters for EXAMPLE shared-network
    subnet 192.168.1.0 netmask 255.255.252.0 {
        parameters for subnet
        range 192.168.1.1 192.168.1.254;
    }
    subnet 192.168.2.0 netmask 255.255.252.0 {
        parameters for subnet
        range 192.168.2.1 192.168.2.254;
    }
}</pre></div></div><br class="example-break" /><a id="id970286" class="indexterm"></a><div class="para">
				As demonstrated in <a class="xref" href="#group">Example 22.3, “Group Declaration”</a>, the <code class="filename">group</code> declaration is used to apply global parameters to a group of declarations. For example, shared networks, subnets, and hosts can be grouped.
			</div><div class="example" id="group"><h6>Example 22.3. Group Declaration</h6><div class="example-contents"><pre class="screen">group {
   option routers                  192.168.1.254;
   option subnet-mask              255.255.255.0;

option domain-name              "example.com";
   option domain-name-servers       192.168.1.1;

option time-offset              -18000;     # Eastern Standard Time

host apex {
      option host-name "apex.example.com";
      hardware ethernet 00:A0:78:8E:9E:AA;
      fixed-address 192.168.1.4;
   }

host raleigh {
      option host-name "raleigh.example.com";
      hardware ethernet 00:A1:DD:74:C3:F2;
      fixed-address 192.168.1.6;
   }
}</pre></div></div><br class="example-break" /><div class="para">
				To configure a DHCP server that leases a dynamic IP address to a system within a subnet, modify <a class="xref" href="#dynamic-ip">Example 22.4, “Range Parameter”</a> with your values. It declares a default lease time, maximum lease time, and network configuration values for the clients. This example assigns IP addresses in the <code class="filename">range</code> 192.168.1.10 and 192.168.1.100 to client systems.
			</div><div class="example" id="dynamic-ip"><h6>Example 22.4. Range Parameter</h6><div class="example-contents"><pre class="screen">default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.254;
option domain-name-servers 192.168.1.1, 192.168.1.2;
option domain-name "example.com";

subnet 192.168.1.0 netmask 255.255.255.0 {
   range 192.168.1.10 192.168.1.100;
}</pre></div></div><br class="example-break" /><div class="para">
				To assign an IP address to a client based on the MAC address of the network interface card, use the <code class="filename">hardware ethernet</code> parameter within a <code class="filename">host</code> declaration. As demonstrated in <a class="xref" href="#static-ip">Example 22.5, “Static IP Address using DHCP”</a>, the <code class="filename">host apex</code> declaration specifies that the network interface card with the MAC address 00:A0:78:8E:9E:AA always receives the IP address 192.168.1.4.
			</div><div class="para">
				Note that the optional parameter <code class="filename">host-name</code> can also be used to assign a host name to the client.
			</div><div class="example" id="static-ip"><h6>Example 22.5. Static IP Address using DHCP</h6><div class="example-contents"><pre class="screen">host apex {
   option host-name "apex.example.com";
   hardware ethernet 00:A0:78:8E:9E:AA;
   fixed-address 192.168.1.4;
}</pre></div></div><br class="example-break" /><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
					The sample configuration file provided can be used as a starting point and custom configuration options can be added to it. To copy it to the proper location, use the following command: 
<pre class="screen"><code class="command">cp /usr/share/doc/dhcp-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/dhcpd.conf.sample /etc/dhcpd.conf</code></pre>
					 (where <em class="replaceable"><code>&lt;version-number&gt;</code></em> is the DHCP version number).
				</div></div></div><div class="para">
				For a complete list of option statements and what they do, refer to the <code class="filename">dhcp-options</code> man page.
			</div></div><div class="section" id="lease-database"><div class="titlepage"><div><div><h3 class="title" id="lease-database">22.2.2. Lease Database</h3></div></div></div><div class="para">
				On the DHCP server, the file <code class="filename">/var/lib/dhcpd/dhcpd.leases</code> stores the DHCP client lease database. Do not change this file. DHCP lease information for each recently assigned IP address is automatically stored in the lease database. The information includes the length of the lease, to whom the IP address has been assigned, the start and end dates for the lease, and the MAC address of the network interface card that was used to retrieve the lease.
			</div><div class="para">
				All times in the lease database are in Coordinated Universal Time (UTC), not local time.
			</div><div class="para">
				The lease database is recreated from time to time so that it is not too large. First, all known leases are saved in a temporary lease database. The <code class="filename">dhcpd.leases</code> file is renamed <code class="filename">dhcpd.leases~</code> and the temporary lease database is written to <code class="filename">dhcpd.leases</code>.
			</div><div class="para">
				The DHCP daemon could be killed or the system could crash after the lease database has been renamed to the backup file but before the new file has been written. If this happens, the <code class="filename">dhcpd.leases</code> file does not exist, but it is required to start the service. Do not create a new lease file. If you do, all old leases are lost which causes many problems. The correct solution is to rename the <code class="filename">dhcpd.leases~</code> backup file to <code class="filename">dhcpd.leases</code> and then start the daemon.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1071897">22.2.3. Starting and Stopping the Server</h3></div></div></div><a id="id1071903" class="indexterm"></a><a id="id1071917" class="indexterm"></a><a id="id1071930" class="indexterm"></a><a id="id1071948" class="indexterm"></a><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					When the DHCP server is started for the first time, it fails unless the <code class="filename">dhcpd.leases</code> file exists. Use the command <code class="command">touch /var/lib/dhcpd/dhcpd.leases</code> to create the file if it does not exist.
				</div><div class="para">
					If the same server is also running BIND as a DNS server, this step is not necessary, as starting the <code class="command">named</code> service automatically checks for a <code class="filename">dhcpd.leases</code> file.
				</div></div></div><div class="para">
				To start the DHCP service, use the command <code class="command">/sbin/service dhcpd start</code>. To stop the DHCP server, use the command <code class="command">/sbin/service dhcpd stop</code>.
			</div><div class="para">
				By default, the DHCP service does not start at boot time. To configure the daemon to start automatically at boot time, refer to <a class="xref" href="#ch-services">Chapter 17, <em>Controlling Access to Services</em></a>.
			</div><a id="id1072009" class="indexterm"></a><a id="id1072023" class="indexterm"></a><div class="para">
				If more than one network interface is attached to the system, but the DHCP server should only be started on one of the interfaces, configure the DHCP server to start only on that device. In <code class="filename">/etc/sysconfig/dhcpd</code>, add the name of the interface to the list of <code class="command">DHCPDARGS</code>:
			</div><pre class="screen"># Command line options here
DHCPDARGS=eth0</pre><div class="para">
				This is useful for a firewall machine with two network cards. One network card can be configured as a DHCP client to retrieve an IP address to the Internet. The other network card can be used as a DHCP server for the internal network behind the firewall. Specifying only the network card connected to the internal network makes the system more secure because users can not connect to the daemon via the Internet.
			</div><div class="para">
				Other command line options that can be specified in <code class="filename">/etc/sysconfig/dhcpd</code> include:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">-p <em class="replaceable"><code>&lt;portnum&gt;</code></em> </code> — Specifies the UDP port number on which <code class="command">dhcpd</code> should listen. The default is port 67. The DHCP server transmits responses to the DHCP clients at a port number one greater than the UDP port specified. For example, if the default port 67 is used, the server listens on port 67 for requests and responses to the client on port 68. If a port is specified here and the DHCP relay agent is used, the same port on which the DHCP relay agent should listen must be specified. Refer to <a class="xref" href="#dhcp-relay-agent">Section 22.2.4, “DHCP Relay Agent”</a> for details.
					</div></li><li class="listitem"><div class="para">
						<code class="command">-f</code> — Runs the daemon as a foreground process. This is mostly used for debugging.
					</div></li><li class="listitem"><div class="para">
						<code class="command">-d</code> — Logs the DHCP server daemon to the standard error descriptor. This is mostly used for debugging. If this is not specified, the log is written to <code class="filename">/var/log/messages</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">-cf <em class="replaceable"><code>&lt;filename&gt;</code></em> </code> — Specifies the location of the configuration file. The default location is <code class="filename">/etc/dhcpd.conf</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">-lf <em class="replaceable"><code>&lt;filename&gt;</code></em> </code> — Specifies the location of the lease database file. If a lease database file already exists, it is very important that the same file be used every time the DHCP server is started. It is strongly recommended that this option only be used for debugging purposes on non-production machines. The default location is <code class="filename">/var/lib/dhcpd/dhcpd.leases</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">-q</code> — Do not print the entire copyright message when starting the daemon.
					</div></li></ul></div></div><div class="section" id="dhcp-relay-agent"><div class="titlepage"><div><div><h3 class="title" id="dhcp-relay-agent">22.2.4. DHCP Relay Agent</h3></div></div></div><a id="id1072192" class="indexterm"></a><a id="id1072206" class="indexterm"></a><a id="id1072224" class="indexterm"></a><div class="para">
				The DHCP Relay Agent (<code class="command">dhcrelay</code>) allows for the relay of DHCP and BOOTP requests from a subnet with no DHCP server on it to one or more DHCP servers on other subnets.
			</div><div class="para">
				When a DHCP client requests information, the DHCP Relay Agent forwards the request to the list of DHCP servers specified when the DHCP Relay Agent is started. When a DHCP server returns a reply, the reply is broadcast or unicast on the network that sent the original request.
			</div><div class="para">
				The DHCP Relay Agent listens for DHCP requests on all interfaces unless the interfaces are specified in <code class="filename">/etc/sysconfig/dhcrelay</code> with the <code class="computeroutput">INTERFACES</code> directive.
			</div><div class="para">
				To start the DHCP Relay Agent, use the command <code class="command">service dhcrelay start</code>.
			</div></div></div><div class="section" id="s1-dhcp-configuring-client"><div class="titlepage"><div><div><h2 class="title" id="s1-dhcp-configuring-client">22.3. Configuring a DHCP Client</h2></div></div></div><a id="id961061" class="indexterm"></a><a id="id961075" class="indexterm"></a><div class="para">
			The first step for configuring a DHCP client is to make sure the kernel recognizes the network interface card. Most cards are recognized during the installation process and the system is configured to use the correct kernel module for the card. If a card is added after installation, <span class="application"><strong>Kudzu</strong></span> <sup>[<a id="id961097" href="#ftn.id961097" class="footnote">8</a>]</sup> will recognize it and prompt you for the proper kernel module (Be sure to check the Hardware Compatibility List at <a href="http://hardware.redhat.com/hcl/">http://hardware.redhat.com/hcl/</a>). If either the installation program or kudzu does not recognize the network card, you can load the correct kernel module (refer to <a class="xref" href="#ch-modules">Chapter 43, <em>General Parameters and Modules</em></a> for details).
		</div><div class="para">
			To configure a DHCP client manually, modify the <code class="filename">/etc/sysconfig/network</code> file to enable networking and the configuration file for each network device in the <code class="filename">/etc/sysconfig/network-scripts</code> directory. In this directory, each device should have a configuration file named <code class="filename">ifcfg-eth0</code>, where <code class="filename">eth0</code> is the network device name.
		</div><div class="para">
			The <code class="filename">/etc/sysconfig/network</code> file should contain the following line:
		</div><pre class="screen">NETWORKING=yes</pre><div class="para">
			The <code class="computeroutput">NETWORKING</code> variable must be set to <code class="computeroutput">yes</code> if you want networking to start at boot time.
		</div><div class="para">
			The <code class="filename">/etc/sysconfig/network-scripts/ifcfg-eth0</code> file should contain the following lines:
		</div><pre class="screen">DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes</pre><div class="para">
			A configuration file is needed for each device to be configured to use DHCP.
		</div><div class="para">
			Other options for the network script includes:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="command">DHCP_HOSTNAME</code> — Only use this option if the DHCP server requires the client to specify a hostname before receiving an IP address. (The DHCP server daemon in Red Hat Enterprise Linux does not support this feature.)
				</div></li><li class="listitem"><div class="para">
					<code class="command">PEERDNS=<em class="replaceable"><code>&lt;answer&gt;</code></em> </code>, where <code class="command"><em class="replaceable"><code>&lt;answer&gt;</code></em> </code> is one of the following:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">yes</code> — Modify <code class="filename">/etc/resolv.conf</code> with information from the server. If using DHCP, then <code class="command">yes</code> is the default.
						</div></li><li class="listitem"><div class="para">
							<code class="command">no</code> — Do not modify <code class="filename">/etc/resolv.conf</code>.
						</div></li></ul></div></li><li class="listitem"><div class="para">
					<code class="command">SRCADDR=<em class="replaceable"><code>&lt;address&gt;</code></em> </code>, where <code class="command"><em class="replaceable"><code>&lt;address&gt;</code></em> </code> is the specified source IP address for outgoing packets.
				</div></li><li class="listitem"><div class="para">
					<code class="command">USERCTL=<em class="replaceable"><code>&lt;answer&gt;</code></em> </code>, where <code class="command"><em class="replaceable"><code>&lt;answer&gt;</code></em> </code> is one of the following:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">yes</code> — Non-root users are allowed to control this device.
						</div></li><li class="listitem"><div class="para">
							<code class="command">no</code> — Non-root users are not allowed to control this device.
						</div></li></ul></div></li></ul></div><div class="para">
			If you prefer using a graphical interface, refer to <a class="xref" href="#ch-network-config">Chapter 16, <em>Network Configuration</em></a> for instructions on using the <span class="application"><strong>Network Administration Tool</strong></span> to configure a network interface to use DHCP.
		</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
				For advanced configurations of client DHCP options such as protocol timing, lease requirements and requests, dynamic DNS support, aliases, as well as a wide variety of values to override, prepend, or append to client-side configurations, refer to the <code class="command">dhclient</code> and <code class="command">dhclient.conf</code> man pages.
			</div></div></div></div><div class="section" id="sect-Configuring_a_Multihomed_DHCP_Server"><div class="titlepage"><div><div><h2 class="title" id="sect-Configuring_a_Multihomed_DHCP_Server">22.4. Configuring a Multihomed DHCP Server</h2></div></div></div><a id="id961377" class="indexterm"></a><div class="para">
			A multihomed DHCP server serves multiple networks, that is, multiple subnets. The examples in these sections detail how to configure a DHCP server to serve multiple networks, select which network interfaces to listen on, and how to define network settings for systems that move networks.
		</div><div class="para">
			Before making any changes, back up the existing <code class="filename">/etc/sysconfig/dhcpd</code> and <code class="filename">/etc/dhcpd.conf</code> files.
		</div><div class="para">
			The DHCP daemon listens on all network interfaces unless otherwise specified. Use the <code class="filename">/etc/sysconfig/dhcpd</code> file to specify which network interfaces the DHCP daemon listens on. The following <code class="filename">/etc/sysconfig/dhcpd</code> example specifies that the DHCP daemon listens on the <code class="filename">eth0</code> and <code class="filename">eth1</code> interfaces:
		</div><div class="para">
			
<pre class="screen">DHCPDARGS="eth0 eth1";</pre>

</div><div class="para">
			If a system has three network interfaces cards -- <code class="filename">eth0</code>, <code class="filename">eth1</code>, and <code class="filename">eth2</code> -- and it is only desired that the DHCP daemon listens on <code class="filename">eth0</code>, then only specify <code class="computeroutput">eth0</code> in <code class="filename">/etc/sysconfig/dhcpd</code>:
		</div><pre class="screen">DHCPDARGS="eth0";</pre><div class="para">
			The following is a basic <code class="filename">/etc/dhcpd.conf</code> file, for a server that has two network interfaces, <code class="filename">eth0</code> in a 10.0.0.0/24 network, and <code class="filename">eth1</code> in a 172.16.0.0/24 network. Multiple <code class="computeroutput">subnet</code> declarations allow different settings to be defined for multiple networks:
		</div><div class="para">
			
<pre class="screen">ddns-update-style <em class="replaceable"><code>interim</code></em>;
default-lease-time <em class="replaceable"><code>600</code></em>;
max-lease-time <em class="replaceable"><code>7200</code></em>;

subnet 10.0.0.0 netmask 255.255.255.0 {
	option subnet-mask 255.255.255.0;
	option routers 10.0.0.1;
	range 10.0.0.5 10.0.0.15;
}

subnet 172.16.0.0 netmask 255.255.255.0 {
	option subnet-mask 255.255.255.0;
	option routers 172.16.0.1;
	range 172.16.0.5 172.16.0.15;

}</pre>

</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="computeroutput">subnet <em class="replaceable"><code>10.0.0.0</code></em> netmask <em class="replaceable"><code>255.255.255.0</code></em> </code> </span></dt><dd><div class="para">
						A <code class="computeroutput">subnet</code> declaration is required for every network your DHCP server is serving. Multiple subnets require multiple <code class="computeroutput">subnet</code> declarations. If the DHCP server does not have a network interface in a range of a <code class="computeroutput">subnet</code> declaration, the DHCP server does not serve that network.
					</div><div class="para">
						If there is only one <code class="computeroutput">subnet</code> declaration, and no network interfaces are in the range of that subnet, the DHCP daemon fails to start, and an error such as the following is logged to <code class="filename">/var/log/messages</code>:
					</div><div class="para">
						
<pre class="screen">dhcpd: No subnet declaration for eth0 (0.0.0.0).
dhcpd: ** Ignoring requests on eth0.  If this is not what
dhcpd:    you want, please write a subnet declaration
dhcpd:    in your dhcpd.conf file for the network segment
dhcpd:    to which interface eth1 is attached. **
dhcpd:
dhcpd:
dhcpd: Not configured to listen on any interfaces!</pre>

</div></dd><dt class="varlistentry"><span class="term"> <code class="computeroutput">option subnet-mask <em class="replaceable"><code>255.255.255.0</code></em>;</code> </span></dt><dd><div class="para">
						The <code class="computeroutput">option subnet-mask</code> option defines a subnet mask, and overrides the <code class="computeroutput">netmask</code> value in the <code class="computeroutput">subnet</code> declaration. In simple cases, the subnet and netmask values are the same.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="computeroutput">option routers <em class="replaceable"><code>10.0.0.1</code></em>;</code> </span></dt><dd><div class="para">
						The <code class="computeroutput">option routers</code> option defines the default gateway for the subnet. This is required for systems to reach internal networks on a different subnet, as well as external networks.
					</div></dd><dt class="varlistentry"><span class="term"> <code class="computeroutput">range <em class="replaceable"><code>10.0.0.5 10.0.0.15</code></em>;</code> </span></dt><dd><div class="para">
						The <code class="computeroutput">range</code> option specifies the pool of available IP addresses. Systems are assigned an address from the range of specified IP addresses.
					</div></dd></dl></div><div class="para">
			For further information, refer to the <code class="computeroutput">dhcpd.conf(5)</code> man page.
		</div><div class="warning"><div class="admonition_header"><h2>Alias Interfaces</h2></div><div class="admonition"><div class="para">
				Alias interfaces are not supported by DHCP. If an alias interface is the only interface, in the only subnet specified in <code class="filename">/etc/dhcpd.conf</code>, the DHCP daemon fails to start.
			</div></div></div><div class="section" id="sect-dns_Host_Configuration"><div class="titlepage"><div><div><h3 class="title" id="sect-dns_Host_Configuration">22.4.1. Host Configuration</h3></div></div></div><a id="id965616" class="indexterm"></a><div class="para">
				Before making any changes, back up the existing <code class="filename">/etc/sysconfig/dhcpd</code> and <code class="filename">/etc/dhcpd.conf</code> files.
			</div><div class="formalpara"><h5 class="formalpara" id="id965641">Configuring a single system for multiple networks</h5>
					The following <code class="filename">/etc/dhcpd.conf</code> example creates two subnets, and configures an IP address for the same system, depending on which network it connects to:
				</div><div class="para">
				
<pre class="screen">ddns-update-style <em class="replaceable"><code>interim</code></em>;
default-lease-time <em class="replaceable"><code>600</code></em>;
max-lease-time <em class="replaceable"><code>7200</code></em>;

subnet 10.0.0.0 netmask 255.255.255.0 {
	option subnet-mask 255.255.255.0;
	option routers 10.0.0.1;
	range 10.0.0.5 10.0.0.15;
}

subnet 172.16.0.0 netmask 255.255.255.0 {
	option subnet-mask 255.255.255.0;
	option routers 172.16.0.1;
	range 172.16.0.5 172.16.0.15;

}

host example0 {
	hardware ethernet 00:1A:6B:6A:2E:0B;
	fixed-address 10.0.0.20;
}

host example1 {
	hardware ethernet 00:1A:6B:6A:2E:0B;
	fixed-address 172.16.0.20;
}</pre>

</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <code class="computeroutput">host <em class="replaceable"><code>example0</code></em> </code> </span></dt><dd><div class="para">
							The <code class="computeroutput">host</code> declaration defines specific parameters for a single system, such as an IP address. To configure specific parameters for multiple hosts, use multiple <code class="computeroutput">host</code> declarations.
						</div><div class="para">
							Most DHCP clients ignore the name in <code class="computeroutput">host</code> declarations, and as such, this name can anything, as long as it is unique to other <code class="computeroutput">host</code> declarations. To configure the same system for multiple networks, use a different name for each <code class="computeroutput">host</code> declaration, otherwise the DHCP daemon fails to start. Systems are identified by the <code class="computeroutput">hardware ethernet</code> option, not the name in the <code class="computeroutput">host</code> declaration.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="computeroutput">hardware ethernet <em class="replaceable"><code>00:1A:6B:6A:2E:0B</code></em>;</code> </span></dt><dd><div class="para">
							The <code class="computeroutput">hardware ethernet</code> option identifies the system. To find this address, run the <code class="command">ifconfig</code> command on the desired system, and look for the <code class="computeroutput">HWaddr</code> address.
						</div></dd><dt class="varlistentry"><span class="term"> <code class="computeroutput">fixed-address <em class="replaceable"><code>10.0.0.20</code></em>;</code> </span></dt><dd><div class="para">
							The <code class="computeroutput">fixed-address</code> option assigns a valid IP address to the system specified by the <code class="computeroutput">hardware ethernet</code> option. This address must be outside the IP address pool specified with the <code class="computeroutput">range</code> option.
						</div></dd></dl></div><div class="para">
				If <code class="computeroutput">option</code> statements do not end with a semicolon, the DHCP daemon fails to start, and an error such as the following is logged to <code class="filename">/var/log/messages</code>:
			</div><div class="para">
				
<pre class="screen">/etc/dhcpd.conf line 20: semicolon expected.
dhcpd: }
dhcpd: ^
dhcpd: /etc/dhcpd.conf line 38: unexpected end of file
dhcpd:
dhcpd: ^
dhcpd: Configuration file errors encountered -- exiting</pre>

</div><div class="formalpara"><h5 class="formalpara" id="id965835">Configuring systems with multiple network interfaces</h5>
					The following <code class="computeroutput">host</code> declarations configure a single system, that has multiple network interfaces, so that each interface receives the same IP address. This configuration will not work if both network interfaces are connected to the same network at the same time:
				</div><div class="para">
				
<pre class="screen">host interface0 {
	hardware ethernet 00:1a:6b:6a:2e:0b;
	fixed-address 10.0.0.18;
}

host interface1 {
	hardware ethernet 00:1A:6B:6A:27:3A;
	fixed-address 10.0.0.18;
}</pre>

</div><div class="para">
				For this example, <code class="computeroutput">interface0</code> is the first network interface, and <code class="computeroutput">interface1</code> is the second interface. The different <code class="computeroutput">hardware ethernet</code> options identify each interface.
			</div><div class="para">
				If such a system connects to another network, add more <code class="computeroutput">host</code> declarations, remembering to:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						assign a valid <code class="computeroutput">fixed-address</code> for the network the host is connecting to.
					</div></li><li class="listitem"><div class="para">
						make the name in the <code class="computeroutput">host</code> declaration unique.
					</div></li></ul></div><div class="para">
				When a name given in a <code class="computeroutput">host</code> declaration is not unique, the DHCP daemon fails to start, and an error such as the following is logged to <code class="filename">/var/log/messages</code>:
			</div><div class="para">
				
<pre class="screen">dhcpd: /etc/dhcpd.conf line 31: host interface0: already exists
dhcpd: }
dhcpd: ^
dhcpd: Configuration file errors encountered -- exiting</pre>

</div><div class="para">
				This error was caused by having multiple <code class="computeroutput">host interface0</code> declarations defined in <code class="filename">/etc/dhcpd.conf</code>.
			</div></div></div><div class="section" id="s1-dhcp-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-dhcp-additional-resources">22.5. Additional Resources</h2></div></div></div><a id="id965955" class="indexterm"></a><div class="para">
			For additional configuration options, refer to the following resources.
		</div><div class="section" id="s2-dhcp-installed-docs"><div class="titlepage"><div><div><h3 class="title" id="s2-dhcp-installed-docs">22.5.1. Installed Documentation</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">dhcpd</code> man page — Describes how the DHCP daemon works.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">dhcpd.conf</code> man page — Explains how to configure the DHCP configuration file; includes some examples.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">dhcpd.leases</code> man page — Explains how to configure the DHCP leases file; includes some examples.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">dhcp-options</code> man page — Explains the syntax for declaring DHCP options in <code class="filename">dhcpd.conf</code>; includes some examples.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">dhcrelay</code> man page — Explains the DHCP Relay Agent and its configuration options.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/usr/share/doc/dhcp-&lt;<em class="replaceable"><code>version</code></em>&gt;/</code> — Contains sample files, README files, and release notes for current versions of the DHCP service.
					</div></li></ul></div></div></div><div class="footnotes"><br /><hr width="100" align="left" /><div class="footnote"><div class="para"><sup>[<a id="ftn.id961097" href="#id961097" class="para">8</a>] </sup>
				<span class="application"><strong>Kudzu</strong></span> is a hardware probing tool run at system boot time to determine what hardware has been added or removed from the system.
			</div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-httpd" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 23. Apache HTTP Server</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-httpd-v2">23.1. Apache HTTP Server 2.2</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-httpd-v2-features">23.1.1. Features of Apache HTTP Server 2.2</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-httpd-mig">23.2. Migrating Apache HTTP Server Configuration Files</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-httpd-v22-mig">23.2.1. Migrating Apache HTTP Server 2.0 Configuration Files</a></span></dt><dt><span class="section"><a href="#s3-httpd-v2-mig">23.2.2. Migrating Apache HTTP Server 1.3 Configuration Files to 2.0</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-apache-startstop">23.3. Starting and Stopping <code class="command">httpd</code></a></span></dt><dt><span class="section"><a href="#s1-apache-config-ui">23.4. Apache HTTP Server Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-httpd-basic-settings">23.4.1. Basic Settings</a></span></dt><dt><span class="section"><a href="#s2-httpd-default-settings">23.4.2. Default Settings</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-apache-config">23.5. Configuration Directives in <code class="filename">httpd.conf</code></a></span></dt><dd><dl><dt><span class="section"><a href="#s2-apache-tips">23.5.1. General Configuration Tips</a></span></dt><dt><span class="section"><a href="#s2-apache-sslcommands">23.5.2. Configuration Directives for SSL</a></span></dt><dt><span class="section"><a href="#s2-apache-mpm-containers">23.5.3. MPM Specific Server-Pool Directives</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-apache-addmods">23.6. Adding Modules</a></span></dt><dt><span class="section"><a href="#s1-apache-virtualhosts">23.7. Virtual Hosts</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-apache-settingupvhosts">23.7.1. Setting Up Virtual Hosts</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-httpd-secure-server">23.8. Apache HTTP Secure Server Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-secureserver-optionalpackages">23.8.1. An Overview of Security-Related Packages</a></span></dt><dt><span class="section"><a href="#s2-secureserver-overview-certs">23.8.2. An Overview of Certificates and Security</a></span></dt><dt><span class="section"><a href="#s1-secureserver-oldcert">23.8.3. Using Pre-Existing Keys and Certificates</a></span></dt><dt><span class="section"><a href="#s2-secureserver-certs">23.8.4. Types of Certificates</a></span></dt><dt><span class="section"><a href="#s2-secureserver-generatingkey">23.8.5. Generating a Key</a></span></dt><dt><span class="section"><a href="#s1-use-new-key">23.8.6. How to configure the server to use the new key</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-apache-additional-resources">23.9. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-apache-additional-resources-web">23.9.1. Useful Websites</a></span></dt></dl></dd></dl></div><a id="id918548" class="indexterm"></a><a id="id1040369" class="indexterm"></a><div class="para">
		The Apache HTTP Server is a robust, commercial-grade open source Web server developed by the Apache Software Foundation (<a href="http://www.apache.org/">http://www.apache.org/</a>). Red Hat Enterprise Linux includes the Apache HTTP Server 2.2 as well as a number of server modules designed to enhance its functionality.
	</div><div class="para">
		The default configuration file installed with the Apache HTTP Server works without alteration for most situations. This chapter outlines many of the directives found within its configuration file (<code class="filename">/etc/httpd/conf/httpd.conf</code>) to aid those who require a custom configuration or need to convert a configuration file from the older Apache HTTP Server 1.3 format.
	</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
			If using the graphical <span class="application"><strong>HTTP Configuration Tool</strong></span> (<span class="emphasis"><em>system-config-httpd </em></span>), <span class="emphasis"><em>do not</em></span> hand edit the Apache HTTP Server's configuration file as the <span class="application"><strong>HTTP Configuration Tool</strong></span> regenerates this file whenever it is used.
		</div></div></div><div class="section" id="s1-httpd-v2"><div class="titlepage"><div><div><h2 class="title" id="s1-httpd-v2">23.1. Apache HTTP Server 2.2</h2></div></div></div><div class="para">
			There are important differences between the Apache HTTP Server 2.2 and version 2.0 (version 2.0 shipped with Red Hat Enterprise Linux 4 and earlier). This section reviews some of the features of Apache HTTP Server 2.2 and outlines important changes. If you are upgrading from version 1.3, you should also read the instructions on migrating from version 1.3 to version 2.0. For instructions on migrating a version 1.3 configuration file to the 2.0 format, refer to <a class="xref" href="#s3-httpd-v2-mig">Section 23.2.2, “Migrating Apache HTTP Server 1.3 Configuration Files to 2.0”</a>.
		</div><div class="section" id="s2-httpd-v2-features"><div class="titlepage"><div><div><h3 class="title" id="s2-httpd-v2-features">23.1.1. Features of Apache HTTP Server 2.2</h3></div></div></div><a id="id1039634" class="indexterm"></a><div class="para">
				Apache HTTP Server 2.2 features the following improvements over version 2.0 :
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Improved caching modules (mod_cache, mod_disk_cache, mod_mem_cache).
					</div></li><li class="listitem"><div class="para">
						A new structure for authentication and authorization support, replacing the authentication modules provided in previous versions.
					</div></li><li class="listitem"><div class="para">
						Support for proxy load balancing (mod_proxy_balancer)
					</div></li><li class="listitem"><div class="para">
						support for handling large files (namely, greater than 2GB) on 32-bit platforms
					</div></li></ul></div><div class="para">
				The following changes have been made to the default httpd configuration:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						The mod_cern_meta and mod_asis modules are no longer loaded by default.
					</div></li><li class="listitem"><div class="para">
						The mod_ext_filter module is now loaded by default.
					</div></li></ul></div><div class="para">
				If upgrading from a previous release of Red Hat Enterprise Linux, the httpd configuration will need to be updated for httpd 2.2. For more information, refer to http://httpd.apache.org/docs/2.2/upgrading.html
			</div></div></div><div class="section" id="s1-httpd-mig"><div class="titlepage"><div><div><h2 class="title" id="s1-httpd-mig">23.2. Migrating Apache HTTP Server Configuration Files</h2></div></div></div><a id="id1072411" class="indexterm"></a><a id="id1072429" class="indexterm"></a><a id="id1072447" class="indexterm"></a><div class="section" id="s1-httpd-v22-mig"><div class="titlepage"><div><div><h3 class="title" id="s1-httpd-v22-mig">23.2.1. Migrating Apache HTTP Server 2.0 Configuration Files</h3></div></div></div><a id="id932005" class="indexterm"></a><div class="para">
				This section outlines migration from version 2.0 to 2.2. If you are migrating from version 1.3, please refer to <a class="xref" href="#s3-httpd-v2-mig">Section 23.2.2, “Migrating Apache HTTP Server 1.3 Configuration Files to 2.0”</a>.
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Configuration files and startup scripts from version 2.0 need minor adjustments particularly in module names which may have changed. Third party modules which worked in version 2.0 can also work in version 2.2 but need to be recompiled before you load them. Key modules that need to be noted are authentication and authorization modules. For each of the modules which has been renamed the <a href="http://httpd.apache.org/docs/2.2/mod/mod_so.html#loadmodule"><code class="command">LoadModule</code></a> line will need to be updated.
					</div></li><li class="listitem"><div class="para">
						The <code class="command">mod_userdir</code> module will only act on requests if you provide a <code class="command">UserDir</code> directive indicating a directory name. If you wish to maintain the procedures used in version 2.0, add the directive <code class="command">UserDir public_html</code> in your configuration file.
					</div></li><li class="listitem"><div class="para">
						To enable SSL, edit the <code class="filename">httpd.conf</code> file adding the necessary <code class="command">mod_ssl</code> directives. Use <code class="command">apachectl start</code> as <code class="command">apachectl startssl</code> is unavailable in version 2.2. You can view an example of SSL configuration for httpd in <code class="filename">conf/extra/httpd-ssl.conf</code>.
					</div></li><li class="listitem"><div class="para">
						To test your configuration it is advisable to use <code class="command">service httpd configtest</code> which will detect configuration errors.
					</div></li></ul></div><div class="para">
				More information on upgrading from version 2.0 to 2.2 can be found on <a href="http://httpd.apache.org/docs/2.2/upgrading.html">http://httpd.apache.org/docs/2.2/upgrading.html</a>.
			</div></div><div class="section" id="s3-httpd-v2-mig"><div class="titlepage"><div><div><h3 class="title" id="s3-httpd-v2-mig">23.2.2. Migrating Apache HTTP Server 1.3 Configuration Files to 2.0</h3></div></div></div><a id="id957598" class="indexterm"></a><a id="id957616" class="indexterm"></a><a id="id957633" class="indexterm"></a><div class="para">
				This section details migrating an Apache HTTP Server 1.3 configuration file to be utilized by Apache HTTP Server 2.0.
			</div><div class="para">
				If upgrading to Red Hat Enterprise Linux 5 from Red Hat Enterprise Linux 2.1, note that the new stock configuration file for the Apache HTTP Server 2.0 package is installed as <code class="filename">/etc/httpd/conf/httpd.conf.rpmnew</code> and the original version 1.3 <code class="filename">httpd.conf</code> is left untouched. It is entirely up to you whether to use the new configuration file and migrate the old settings to it, or use the existing file as a base and modify it to suit; however, some parts of the file have changed more than others and a mixed approach is generally the best. The stock configuration files for both version 1.3 and 2.0 are divided into three sections.
			</div><div class="para">
				If the <code class="filename">/etc/httpd/conf/httpd.conf</code> file is a modified version of the newly installed default and a saved a copy of the original configuration file is available, it may be easiest to invoke the <code class="command">diff</code> command, as in the following example (logged in as root):
			</div><pre class="screen"><code class="command">diff -u httpd.conf.orig httpd.conf | less</code></pre><div class="para">
				This command highlights any modifications made. If a copy of the original file is not available, extract it from an RPM package using the <code class="command">rpm2cpio</code> and <code class="command">cpio</code> commands, as in the following example:
			</div><pre class="screen"><code class="command">rpm2cpio apache-<em class="replaceable"><code>&lt;version-number&gt;</code></em>.i386.rpm | cpio -i --make</code></pre><div class="para">
				In the above command, replace <em class="replaceable"><code>&lt;version-number&gt;</code></em> with the version number for the <code class="filename">apache</code> package.
			</div><div class="para">
				Finally, it is useful to know that the Apache HTTP Server has a testing mode to check for configuration errors. To use access it, type the following command:
			</div><pre class="screen"><code class="command">apachectl configtest</code></pre><div class="section" id="s2-httpd-mig-global"><div class="titlepage"><div><div><h4 class="title" id="s2-httpd-mig-global">23.2.2.1. Global Environment Configuration</h4></div></div></div><div class="para">
					The global environment section of the configuration file contains directives which affect the overall operation of the Apache HTTP Server, such as the number of concurrent requests it can handle and the locations of the various files. This section requires a large number of changes and should be based on the Apache HTTP Server 2.0 configuration file, while migrating the old settings into it.
				</div><div class="section" id="s3-httpd-v2-mig-port"><div class="titlepage"><div><div><h5 class="title" id="s3-httpd-v2-mig-port">23.2.2.1.1. Interface and Port Binding</h5></div></div></div><a id="id1071511" class="indexterm"></a><div class="para">
						The <code class="command">BindAddress</code> and <code class="command">Port</code> directives no longer exist; their functionality is now provided by a more flexible <code class="command">Listen</code> directive.
					</div><div class="para">
						If <code class="command">Port 80</code> was set in the 1.3 version configuration file, change it to <code class="command">Listen 80</code> in the 2.0 configuration file. If <code class="command">Port</code> was set to some value <span class="emphasis"><em>other than 80</em></span>, then append the port number to the contents of the <code class="command">ServerName</code> directive.
					</div><div class="para">
						For example, the following is a sample Apache HTTP Server 1.3 directive:
					</div><pre class="screen">Port 123
ServerName www.example.com</pre><div class="para">
						To migrate this setting to Apache HTTP Server 2.0, use the following structure:
					</div><pre class="screen"><strong class="userinput"><code>Listen</code></strong> 123
ServerName www.example.com:<strong class="userinput"><code>123</code></strong></pre><div class="para">
						For more on this topic, refer to the following documentation on the Apache Software Foundation's website:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<a href="http://httpd.apache.org/docs-2.0/mod/mpm_common.html#listen"><code class="command">http://httpd.apache.org/docs-2.0/mod/mpm_common.html#listen</code></a>
							</div></li><li class="listitem"><div class="para">
								<a href="http://httpd.apache.org/docs-2.0/mod/core.html#servername"><code class="command">http://httpd.apache.org/docs-2.0/mod/core.html#servername</code></a>
							</div></li></ul></div></div><div class="section" id="s3-httpd-v2-mig-pool"><div class="titlepage"><div><div><h5 class="title" id="s3-httpd-v2-mig-pool">23.2.2.1.2. Server-Pool Size Regulation</h5></div></div></div><a id="id984552" class="indexterm"></a><a id="id984572" class="indexterm"></a><a id="id984592" class="indexterm"></a><a id="id984614" class="indexterm"></a><div class="para">
						When the Apache HTTP Server accepts requests, it dispatches child processes or threads to handle them. This group of child processes or threads is known as a <em class="firstterm">server-pool</em>. Under Apache HTTP Server 2.0, the responsibility for creating and maintaining these server-pools has been abstracted to a group of modules called <em class="firstterm">Multi-Processing Modules</em> (<em class="firstterm">MPMs</em>). Unlike other modules, only one module from the MPM group can be loaded by the Apache HTTP Server. There are three MPM modules that ship with 2.0: <code class="command">prefork</code>, <code class="command">worker</code>, and <code class="command">perchild</code>. Currently only the <code class="command">prefork</code> and <code class="command">worker</code> MPMs are available, although the <code class="command">perchild</code> MPM may be available at a later date.
					</div><div class="para">
						The original Apache HTTP Server 1.3 behavior has been moved into the <code class="command">prefork</code> MPM. The <code class="command">prefork</code> MPM accepts the same directives as Apache HTTP Server 1.3, so the following directives may be migrated directly:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">StartServers</code>
							</div></li><li class="listitem"><div class="para">
								<code class="command">MinSpareServers</code>
							</div></li><li class="listitem"><div class="para">
								<code class="command">MaxSpareServers</code>
							</div></li><li class="listitem"><div class="para">
								<code class="command">MaxClients</code>
							</div></li><li class="listitem"><div class="para">
								<code class="command">MaxRequestsPerChild</code>
							</div></li></ul></div><div class="para">
						The <code class="command">worker</code> MPM implements a multi-process, multi-threaded server providing greater scalability. When using this MPM, requests are handled by threads, conserving system resources and allowing large numbers of requests to be served efficiently. Although some of the directives accepted by the <code class="command">worker</code> MPM are the same as those accepted by the <code class="command">prefork</code> MPM, the values for those directives should not be transferred directly from an Apache HTTP Server 1.3 installation. It is best to instead use the default values as a guide, then experiment to determine what values work best.
					</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
							To use the <code class="command">worker</code> MPM, create the file <code class="filename">/etc/sysconfig/httpd</code> and add the following directive:
						</div><pre class="screen">HTTPD=/usr/sbin/httpd.worker</pre></div></div><div class="para">
						For more on the topic of MPMs, refer to the following documentation on the Apache Software Foundation's website:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<a href="http://httpd.apache.org/docs-2.0/mpm.html">http://httpd.apache.org/docs-2.0/mpm.html</a>
							</div></li></ul></div></div><div class="section" id="s3-httpd-v2-mig-dso"><div class="titlepage"><div><div><h5 class="title" id="s3-httpd-v2-mig-dso">23.2.2.1.3. Dynamic Shared Object (DSO) Support</h5></div></div></div><a id="id966274" class="indexterm"></a><div class="para">
						There are many changes required here, and it is highly recommended that anyone trying to modify an Apache HTTP Server 1.3 configuration to suit version 2.0 (as opposed to migrating the changes into the version 2.0 configuration) copy this section from the stock Apache HTTP Server 2.0 configuration file.
					</div><div class="para">
						Those who do not want to copy the section from the stock Apache HTTP Server 2.0 configuration should note the following:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								The <code class="command">AddModule</code> and <code class="command">ClearModuleList</code> directives no longer exist. These directives where used to ensure that modules could be enabled in the correct order. The Apache HTTP Server 2.0 API allows modules to specify their ordering, eliminating the need for these two directives.
							</div></li><li class="listitem"><div class="para">
								The order of the <code class="command">LoadModule</code> lines are no longer relevant in most cases.
							</div></li><li class="listitem"><div class="para">
								Many modules have been added, removed, renamed, split up, or incorporated into others.
							</div></li><li class="listitem"><div class="para">
								<code class="command">LoadModule</code> lines for modules packaged in their own RPMs (<code class="filename">mod_ssl</code>, <code class="filename">php</code>, <code class="filename">mod_perl</code>, and the like) are no longer necessary as they can be found in their relevant files within the <code class="filename">/etc/httpd/conf.d/</code> directory.
							</div></li><li class="listitem"><div class="para">
								The various <code class="command">HAVE_XXX</code> definitions are no longer defined.
							</div></li></ul></div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
							If modifying the original file, note that it is of paramount importance that the <code class="filename">httpd.conf</code> contains the following directive:
						</div><pre class="screen">Include conf.d/*.conf</pre><div class="para">
							Omission of this directive results in the failure of all modules packaged in their own RPMs (such as <code class="filename">mod_perl</code>, <code class="filename">php</code>, and <code class="filename">mod_ssl</code>).
						</div></div></div></div><div class="section" id="s3-httpd-v2-mig-other"><div class="titlepage"><div><div><h5 class="title" id="s3-httpd-v2-mig-other">23.2.2.1.4. Other Global Environment Changes</h5></div></div></div><a id="id966429" class="indexterm"></a><div class="para">
						The following directives have been removed from Apache HTTP Server 2.0's configuration:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<span class="emphasis"><em><code class="command">ServerType</code></em></span> — The Apache HTTP Server can only be run as <code class="command">ServerType standalone</code> making this directive irrelevant.
							</div></li><li class="listitem"><div class="para">
								<span class="emphasis"><em><code class="command">AccessConfig</code></em></span> and <span class="emphasis"><em><code class="command">ResourceConfig</code></em></span> — These directives have been removed as they mirror the functionality of the <code class="command">Include</code> directive. If the <code class="command">AccessConfig</code> and <code class="command">ResourceConfig</code> directives are set, replace them with <code class="command">Include</code> directives.
							</div><div class="para">
								To ensure that the files are read in the order implied by the older directives, the <code class="command">Include</code> directives should be placed at the end of the <code class="filename">httpd.conf</code>, with the one corresponding to <code class="command">ResourceConfig</code> preceding the one corresponding to <code class="command">AccessConfig</code>. If using the default values, include them explicitly as <code class="filename">conf/srm.conf</code> and <code class="filename">conf/access.conf</code> files.
							</div></li></ul></div></div></div><div class="section" id="s2-httpd-v2-mig-main"><div class="titlepage"><div><div><h4 class="title" id="s2-httpd-v2-mig-main">23.2.2.2. Main Server Configuration</h4></div></div></div><div class="para">
					The main server configuration section of the configuration file sets up the main server, which responds to any requests that are not handled by a virtual host defined within a <code class="command">&lt;VirtualHost&gt;</code> container. Values here also provide defaults for any <code class="command">&lt;VirtualHost&gt;</code> containers defined.
				</div><div class="para">
					The directives used in this section have changed little between Apache HTTP Server 1.3 and version 2.0. If the main server configuration is heavily customized, it may be easier to modify the existing configuration file to suit Apache HTTP Server 2.0. Users with only lightly customized main server sections should migrate their changes into the default 2.0 configuration.
				</div><div class="section" id="s3-httpd-mig-main-map"><div class="titlepage"><div><div><h5 class="title" id="s3-httpd-mig-main-map">23.2.2.2.1. <code class="command">UserDir</code> Mapping</h5></div></div></div><a id="id966574" class="indexterm"></a><div class="para">
						The <code class="command">UserDir</code> directive is used to enable URLs such as <code class="filename">http://example.com/~bob/</code> to map to a subdirectory within the home directory of the user <code class="command">bob</code>, such as <code class="filename">/home/bob/public_html/</code>. A side-effect of this feature allows a potential attacker to determine whether a given username is present on the system. For this reason, the default configuration for Apache HTTP Server 2.0 disables this directive.
					</div><div class="para">
						To enable <code class="command">UserDir</code> mapping, change the directive in <code class="filename">httpd.conf</code> from:
					</div><pre class="screen">UserDir disable</pre><div class="para">
						to the following:
					</div><pre class="screen">UserDir <strong class="userinput"><code>public_html</code></strong></pre><div class="para">
						For more on this topic, refer to the following documentation on the Apache Software Foundation's website:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<a href="http://httpd.apache.org/docs-2.0/mod/mod_userdir.html#userdir">http://httpd.apache.org/docs-2.0/mod/mod_userdir.html#userdir</a>
							</div></li></ul></div></div><div class="section" id="s3-httpd-mig-main-log"><div class="titlepage"><div><div><h5 class="title" id="s3-httpd-mig-main-log">23.2.2.2.2. Logging</h5></div></div></div><a id="id933418" class="indexterm"></a><div class="para">
						The following logging directives have been removed:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">AgentLog</code>
							</div></li><li class="listitem"><div class="para">
								<code class="command">RefererLog</code>
							</div></li><li class="listitem"><div class="para">
								<code class="command">RefererIgnore</code>
							</div></li></ul></div><div class="para">
						However, agent and referrer logs are still available using the <code class="command">CustomLog</code> and <code class="command">LogFormat</code> directives.
					</div><div class="para">
						For more on this topic, refer to the following documentation on the Apache Software Foundation's website:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<a href="http://httpd.apache.org/docs-2.0/mod/mod_log_config.html#customlog">http://httpd.apache.org/docs-2.0/mod/mod_log_config.html#customlog</a>
							</div></li><li class="listitem"><div class="para">
								<a href="http://httpd.apache.org/docs-2.0/mod/mod_log_config.html#logformat">http://httpd.apache.org/docs-2.0/mod/mod_log_config.html#logformat</a>
							</div></li></ul></div></div><div class="section" id="s3-httpd-mig-main-dirindex"><div class="titlepage"><div><div><h5 class="title" id="s3-httpd-mig-main-dirindex">23.2.2.2.3. Directory Indexing</h5></div></div></div><a id="id933539" class="indexterm"></a><div class="para">
						The deprecated <code class="command">FancyIndexing</code> directive has now been removed. The same functionality is available through the <code class="command">FancyIndexing</code> <span class="emphasis"><em>option</em></span> within the <code class="command">IndexOptions</code> directive.
					</div><div class="para">
						The <code class="command">VersionSort</code> option to the <code class="command">IndexOptions</code> directive causes files containing version numbers to be sorted in a more natural way. For example, <code class="filename">httpd-2.0.6.tar</code> appears before <code class="filename">httpd-2.0.36.tar</code> in a directory index page.
					</div><div class="para">
						The defaults for the <code class="command">ReadmeName</code> and <code class="command">HeaderName</code> directives have changed from <code class="filename">README</code> and <code class="filename">HEADER</code> to <code class="filename">README.html</code> and <code class="filename">HEADER.html</code>.
					</div><div class="para">
						For more on this topic, refer to the following documentation on the Apache Software Foundation's website:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<a href="http://httpd.apache.org/docs-2.0/mod/mod_autoindex.html#indexoptions">http://httpd.apache.org/docs-2.0/mod/mod_autoindex.html#indexoptions</a>
							</div></li><li class="listitem"><div class="para">
								<a href="http://httpd.apache.org/docs-2.0/mod/mod_autoindex.html#readmename">http://httpd.apache.org/docs-2.0/mod/mod_autoindex.html#readmename</a>
							</div></li><li class="listitem"><div class="para">
								<a href="http://httpd.apache.org/docs-2.0/mod/mod_autoindex.html#headername">http://httpd.apache.org/docs-2.0/mod/mod_autoindex.html#headername</a>
							</div></li></ul></div></div><div class="section" id="s3-httpd-mig-main-cont"><div class="titlepage"><div><div><h5 class="title" id="s3-httpd-mig-main-cont">23.2.2.2.4. Content Negotiation</h5></div></div></div><a id="id933686" class="indexterm"></a><div class="para">
						The <code class="command">CacheNegotiatedDocs</code> directive now takes the argument <code class="option">on</code> or <code class="option">off</code>. Existing instances of <code class="command">CacheNegotiatedDocs</code> should be replaced with <code class="command">CacheNegotiatedDocs on</code>.
					</div><div class="para">
						For more on this topic, refer to the following documentation on the Apache Software Foundation's website:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<a href="http://httpd.apache.org/docs-2.0/mod/mod_negotiation.html#cachenegotiateddocs">http://httpd.apache.org/docs-2.0/mod/mod_negotiation.html#cachenegotiateddocs</a>
							</div></li></ul></div></div><div class="section" id="s3-httpd-mig-main-error"><div class="titlepage"><div><div><h5 class="title" id="s3-httpd-mig-main-error">23.2.2.2.5. Error Documents</h5></div></div></div><a id="id933758" class="indexterm"></a><div class="para">
						To use a hard-coded message with the <code class="command">ErrorDocument</code> directive, the message should be enclosed in a pair of double quotation marks <code class="command">"</code>, rather than just preceded by a double quotation mark as required in Apache HTTP Server 1.3.
					</div><div class="para">
						For example, the following is a sample Apache HTTP Server 1.3 directive:
					</div><pre class="screen">ErrorDocument 404 "The document was not found</pre><div class="para">
						To migrate an <code class="command">ErrorDocument</code> setting to Apache HTTP Server 2.0, use the following structure:
					</div><pre class="screen">ErrorDocument 404 "The document was not found"</pre><div class="para">
						Note the trailing double quote in the previous <code class="command">ErrorDocument</code> directive example.
					</div><div class="para">
						For more on this topic, refer to the following documentation on the Apache Software Foundation's website:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<a href="http://httpd.apache.org/docs-2.0/mod/core.html#errordocument">http://httpd.apache.org/docs-2.0/mod/core.html#errordocument</a>
							</div></li></ul></div></div></div><div class="section" id="s2-httpd-v2-mig-virtual"><div class="titlepage"><div><div><h4 class="title" id="s2-httpd-v2-mig-virtual">23.2.2.3. Virtual Host Configuration</h4></div></div></div><a id="id933852" class="indexterm"></a><div class="para">
					The contents of all <code class="command">&lt;VirtualHost&gt;</code> containers should be migrated in the same way as the main server section as described in <a class="xref" href="#s2-httpd-v2-mig-main">Section 23.2.2.2, “Main Server Configuration”</a>.
				</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
						Note that SSL/TLS virtual host configuration has been moved out of the main server configuration file and into <code class="filename">/etc/httpd/conf.d/ssl.conf</code>.
					</div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<a href="http://httpd.apache.org/docs-2.0/vhosts/">http://httpd.apache.org/docs-2.0/vhosts/</a>
						</div></li></ul></div></div><div class="section" id="s2-httpd-v2-mig-mod"><div class="titlepage"><div><div><h4 class="title" id="s2-httpd-v2-mig-mod">23.2.2.4. Modules and Apache HTTP Server 2.0</h4></div></div></div><a id="id933929" class="indexterm"></a><div class="para">
					In Apache HTTP Server 2.0, the module system has been changed to allow modules to be chained together or combined in new and interesting ways. <em class="firstterm">Common Gateway Interface</em> (<em class="firstterm">CGI</em>) scripts, for example, can generate server-parsed HTML documents which can then be processed by <code class="filename">mod_include</code>. This opens up a tremendous number of possibilities with regards to how modules can be combined to achieve a specific goal.
				</div><div class="para">
					The way this works is that each request is served by exactly one <em class="firstterm">handler</em> module followed by zero or more <em class="firstterm">filter</em> modules.
				</div><div class="para">
					Under Apache HTTP Server 1.3, for example, a Perl script would be handled in its entirety by the Perl module (<code class="filename">mod_perl</code>). Under Apache HTTP Server 2.0, the request is initially <span class="emphasis"><em>handled</em></span> by the core module — which serves static files — and is then <span class="emphasis"><em>filtered</em></span> by <code class="filename">mod_perl</code>.
				</div><div class="para">
					Exactly how to use this, and all other new features of Apache HTTP Server 2.0, is beyond the scope of this document; however, the change has ramifications if the <code class="command">PATH_INFO</code> directive is used for a document which is handled by a module that is now implemented as a filter, as each contains trailing path information after the true file name. The core module, which initially handles the request, does not by default understand <code class="command">PATH_INFO</code> and returns <code class="computeroutput">404 Not Found</code> errors for requests that contain such information. As an alternative, use the <code class="command">AcceptPathInfo</code> directive to coerce the core module into accepting requests with <code class="command">PATH_INFO</code>.
				</div><div class="para">
					The following is an example of this directive:
				</div><pre class="screen">AcceptPathInfo on</pre><div class="para">
					For more on this topic, refer to the following documentation on the Apache Software Foundation's website:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<a href="http://httpd.apache.org/docs-2.0/mod/core.html#acceptpathinfo">http://httpd.apache.org/docs-2.0/mod/core.html#acceptpathinfo</a>
						</div></li><li class="listitem"><div class="para">
							<a href="http://httpd.apache.org/docs-2.0/handler.html">http://httpd.apache.org/docs-2.0/handler.html</a>
						</div></li><li class="listitem"><div class="para">
							<a href="http://httpd.apache.org/docs-2.0/filter.html">http://httpd.apache.org/docs-2.0/filter.html</a>
						</div></li></ul></div><div class="section" id="s3-httpd-v2-mig-mod-suexec"><div class="titlepage"><div><div><h5 class="title" id="s3-httpd-v2-mig-mod-suexec">23.2.2.4.1. The <code class="filename">suexec</code> Module</h5></div></div></div><a id="id934100" class="indexterm"></a><a id="id934122" class="indexterm"></a><a id="id934138" class="indexterm"></a><div class="para">
						In Apache HTTP Server 2.0, the <code class="filename">mod_suexec</code> module uses the <code class="filename">SuexecUserGroup</code> directive, rather than the <code class="filename">User</code> and <code class="filename">Group</code> directives, which is used for configuring virtual hosts. The <code class="filename">User</code> and <code class="filename">Group</code> directives can still be used in general, but are deprecated for configuring virtual hosts.
					</div><div class="para">
						For example, the following is a sample Apache HTTP Server 1.3 directive:
					</div><pre class="screen">&lt;VirtualHost vhost.example.com:80&gt;
  User someone
  Group somegroup
&lt;/VirtualHost&gt;</pre><div class="para">
						To migrate this setting to Apache HTTP Server 2.0, use the following structure:
					</div><pre class="screen">&lt;VirtualHost vhost.example.com:80&gt;
  SuexecUserGroup someone somegroup
&lt;/VirtualHost&gt;</pre></div><div class="section" id="s3-httpd-v2-mig-mod-ssl"><div class="titlepage"><div><div><h5 class="title" id="s3-httpd-v2-mig-mod-ssl">23.2.2.4.2. The <code class="filename">mod_ssl</code> Module</h5></div></div></div><a id="id934215" class="indexterm"></a><div class="para">
						The configuration for <code class="filename">mod_ssl</code> has been moved from the <code class="filename">httpd.conf</code> file into the <code class="filename">/etc/httpd/conf.d/ssl.conf</code> file. For this file to be loaded, and for <code class="filename">mod_ssl</code> to work, the statement <code class="command">Include conf.d/*.conf</code> must be in the <code class="filename">httpd.conf</code> file as described in <a class="xref" href="#s3-httpd-v2-mig-dso">Section 23.2.2.1.3, “Dynamic Shared Object (DSO) Support”</a>.
					</div><div class="para">
						<code class="command">ServerName</code> directives in SSL virtual hosts must explicitly specify the port number.
					</div><div class="para">
						For example, the following is a sample Apache HTTP Server 1.3 directive:
					</div><pre class="screen">&lt;VirtualHost _default_:443&gt;
  # General setup for the virtual host
  ServerName ssl.example.name
  ...
&lt;/VirtualHost&gt;</pre><div class="para">
						To migrate this setting to Apache HTTP Server 2.0, use the following structure:
					</div><pre class="screen">&lt;VirtualHost _default_:443&gt;
  # General setup for the virtual host
  ServerName ssl.host.name<strong class="userinput"><code>:443</code></strong>
  ...
&lt;/VirtualHost&gt;</pre><div class="para">
						It is also important to note that both the <code class="command">SSLLog</code> and <code class="command">SSLLogLevel</code> directives have been removed. The <code class="filename">mod_ssl</code> module now obeys the <code class="command">ErrorLog</code> and <code class="command">LogLevel</code> directives. Refer to <a class="xref" href="#s2-apache-errorlog">ErrorLog</a> and <a class="xref" href="#s2-apache-loglevel">LogLevel</a> for more information about these directives.
					</div><div class="para">
						For more on this topic, refer to the following documentation on the Apache Software Foundation's website:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<a href="http://httpd.apache.org/docs-2.0/mod/mod_ssl.html">http://httpd.apache.org/docs-2.0/mod/mod_ssl.html</a>
							</div></li><li class="listitem"><div class="para">
								<a href="http://httpd.apache.org/docs-2.0/vhosts/">http://httpd.apache.org/docs-2.0/vhosts/</a>
							</div></li></ul></div></div><div class="section" id="s3-httpd-v2-mig-mod-proxy"><div class="titlepage"><div><div><h5 class="title" id="s3-httpd-v2-mig-mod-proxy">23.2.2.4.3. The <code class="filename">mod_proxy</code> Module</h5></div></div></div><a id="id934382" class="indexterm"></a><div class="para">
						Proxy access control statements are now placed inside a <code class="command">&lt;Proxy&gt;</code> block rather than a <code class="command">&lt;Directory proxy:&gt;</code>.
					</div><div class="para">
						The caching functionality of the old <code class="filename">mod_proxy</code> has been split out into the following three modules:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="filename">mod_cache</code>
							</div></li><li class="listitem"><div class="para">
								<code class="filename">mod_disk_cache</code>
							</div></li><li class="listitem"><div class="para">
								<code class="filename">mod_mem_cache</code>
							</div></li></ul></div><div class="para">
						These generally use directives similar to the older versions of the <code class="filename">mod_proxy</code> module, but it is advisable to verify each directive before migrating any cache settings.
					</div><div class="para">
						For more on this topic, refer to the following documentation on the Apache Software Foundation's website:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<a href="http://httpd.apache.org/docs-2.0/mod/mod_proxy.html">http://httpd.apache.org/docs-2.0/mod/mod_proxy.html</a>
							</div></li></ul></div></div><div class="section" id="s3-httpd-v2-mig-mod-include"><div class="titlepage"><div><div><h5 class="title" id="s3-httpd-v2-mig-mod-include">23.2.2.4.4. The <code class="filename">mod_include</code> Module</h5></div></div></div><a id="id934509" class="indexterm"></a><div class="para">
						The <code class="filename">mod_include</code> module is now implemented as a filter and is therefore enabled differently. Refer to <a class="xref" href="#s2-httpd-v2-mig-mod">Section 23.2.2.4, “Modules and Apache HTTP Server 2.0”</a> for more about filters.
					</div><div class="para">
						For example, the following is a sample Apache HTTP Server 1.3 directive:
					</div><pre class="screen">AddType text/html .shtml
AddHandler server-parsed .shtml</pre><div class="para">
						To migrate this setting to Apache HTTP Server 2.0, use the following structure:
					</div><pre class="screen">AddType text/html .shtml
<strong class="userinput"><code>AddOutputFilter INCLUDES</code></strong> .shtml</pre><div class="para">
						Note that the <code class="command">Options +Includes</code> directive is still required for the <code class="command">&lt;Directory&gt;</code> container or in a <code class="filename">.htaccess</code> file.
					</div><div class="para">
						For more on this topic, refer to the following documentation on the Apache Software Foundation's website:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<a href="http://httpd.apache.org/docs-2.0/mod/mod_include.html">http://httpd.apache.org/docs-2.0/mod/mod_include.html</a>
							</div></li></ul></div></div><div class="section" id="s3-httpd-v2-mig-mod-dbm"><div class="titlepage"><div><div><h5 class="title" id="s3-httpd-v2-mig-mod-dbm">23.2.2.4.5. The <code class="filename">mod_auth_dbm</code> and <code class="filename">mod_auth_db</code> Modules</h5></div></div></div><a id="id819379" class="indexterm"></a><a id="id819400" class="indexterm"></a><div class="para">
						Apache HTTP Server 1.3 supported two authentication modules, <code class="filename">mod_auth_db</code> and <code class="filename">mod_auth_dbm</code>, which used Berkeley Databases and DBM databases respectively. These modules have been combined into a single module named <code class="filename">mod_auth_dbm</code> in Apache HTTP Server 2.0, which can access several different database formats. To migrate from <code class="filename">mod_auth_db</code>, configuration files should be adjusted by replacing <code class="command">AuthDBUserFile</code> and <code class="command">AuthDBGroupFile</code> with the <code class="filename">mod_auth_dbm</code> equivalents, <code class="command">AuthDBMUserFile</code> and <code class="command">AuthDBMGroupFile</code>. Also, the directive <code class="command">AuthDBMType DB</code> must be added to indicate the type of database file in use.
					</div><div class="para">
						The following example shows a sample <code class="filename">mod_auth_db</code> configuration for Apache HTTP Server 1.3:
					</div><pre class="screen">&lt;Location /private/&gt;
  AuthType Basic
  AuthName "My Private Files"
  AuthDBUserFile /var/www/authdb
  require valid-user
&lt;/Location&gt;</pre><div class="para">
						To migrate this setting to version 2.0 of Apache HTTP Server, use the following structure:
					</div><pre class="screen">&lt;Location /private/&gt;
  AuthType Basic
  AuthName "My Private Files"
  <strong class="userinput"><code>AuthDBMUserFile</code></strong> /var/www/authdb
  <strong class="userinput"><code>AuthDBMType DB</code></strong>
  require valid-user
&lt;/Location&gt;</pre><div class="para">
						Note that the <code class="command">AuthDBMUserFile</code> directive can also be used in <code class="filename">.htaccess</code> files.
					</div><div class="para">
						The <code class="command">dbmmanage</code> Perl script, used to manipulate username and password databases, has been replaced by <code class="command">htdbm</code> in Apache HTTP Server 2.0. The <code class="command">htdbm</code> program offers equivalent functionality and, like <code class="filename">mod_auth_dbm</code>, can operate a variety of database formats; the <code class="option">-T</code> option can be used on the command line to specify the format to use.
					</div><div class="para">
						<a class="xref" href="#table-htdbm">Table 23.1, “Migrating from <code class="command">dbmmanage</code> to <code class="command">htdbm</code>”</a> shows how to migrate from a DBM-format database to <code class="command">htdbm</code> format using <code class="command">dbmmanage</code>.
					</div><div class="table" id="table-htdbm"><h6>Table 23.1. Migrating from <code class="command">dbmmanage</code> to <code class="command">htdbm</code></h6><div class="table-contents"><table summary="Migrating from dbmmanage to htdbm" border="1"><colgroup><col width="33%" /><col width="33%" /><col width="33%" /></colgroup><thead><tr><th>
										Action
									</th><th>
										dbmmanage command (1.3)
									</th><th>
										Equivalent htdbm command (2.0)
									</th></tr></thead><tbody><tr><td>
										Add user to database (using given password)
									</td><td>
										<code class="command">dbmmanage authdb add username password</code>
									</td><td>
										<code class="command">htdbm -b -TDB authdb username password</code>
									</td></tr><tr><td>
										Add user to database (prompts for password)
									</td><td>
										<code class="command">dbmmanage authdb adduser username</code>
									</td><td>
										<code class="command">htdbm -TDB authdb username</code>
									</td></tr><tr><td>
										Remove user from database
									</td><td>
										<code class="command">dbmmanage authdb delete username</code>
									</td><td>
										<code class="command">htdbm -x -TDB authdb username</code>
									</td></tr><tr><td>
										List users in database
									</td><td>
										<code class="command">dbmmanage authdb view</code>
									</td><td>
										<code class="command">htdbm -l -TDB authdb</code>
									</td></tr><tr><td>
										Verify a password
									</td><td>
										<code class="command">dbmmanage authdb check username</code>
									</td><td>
										<code class="command">htdbm -v -TDB authdb username</code>
									</td></tr></tbody></table></div></div><br class="table-break" /><div class="para">
						The <code class="option">-m</code> and <code class="option">-s</code> options work with both <code class="command">dbmmanage</code> and <code class="command">htdbm</code>, enabling the use of the MD5 or SHA1 algorithms for hashing passwords, respectively.
					</div><div class="para">
						When creating a new database with <code class="command">htdbm</code>, the <code class="command">-c</code> option must be used.
					</div><div class="para">
						For more on this topic, refer to the following documentation on the Apache Software Foundation's website:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<a href="http://httpd.apache.org/docs-2.0/mod/mod_auth_dbm.html">http://httpd.apache.org/docs-2.0/mod/mod_auth_dbm.html</a>
							</div></li></ul></div></div><div class="section" id="s3-httpd-v2-mig-mod-perl"><div class="titlepage"><div><div><h5 class="title" id="s3-httpd-v2-mig-mod-perl">23.2.2.4.6. The <code class="filename">mod_perl</code> Module</h5></div></div></div><a id="id819783" class="indexterm"></a><div class="para">
						The configuration for <code class="filename">mod_perl</code> has been moved from <code class="filename">httpd.conf</code> into the file <code class="filename">/etc/httpd/conf.d/perl.conf</code>. For this file to be loaded, and hence for <code class="filename">mod_perl</code> to work, the statement <code class="command">Include conf.d/*.conf</code> must be included in <code class="filename">httpd.conf</code> as described in <a class="xref" href="#s3-httpd-v2-mig-dso">Section 23.2.2.1.3, “Dynamic Shared Object (DSO) Support”</a>.
					</div><div class="para">
						Occurrences of <code class="command">Apache::</code> in <code class="filename">httpd.conf</code> must be replaced with <code class="command">ModPerl::</code>. Additionally, the manner in which handlers are registered has been changed.
					</div><div class="para">
						This is a sample Apache HTTP Server 1.3 <code class="filename">mod_perl</code> configuration:
					</div><pre class="screen">&lt;Directory /var/www/perl&gt;
  SetHandler perl-script
  PerlHandler Apache::Registry
  Options +ExecCGI
&lt;/Directory&gt;</pre><div class="para">
						This is the equivalent <code class="filename">mod_perl</code> for Apache HTTP Server 2.0:
					</div><pre class="screen">&lt;Directory /var/www/perl&gt;
  SetHandler perl-script
  <strong class="userinput"><code>PerlResponseHandler ModPerl::Registry</code></strong>
  Options +ExecCGI
&lt;/Directory&gt;</pre><div class="para">
						Most modules for <code class="filename">mod_perl</code> 1.x should work without modification with <code class="filename">mod_perl</code> 2.x. XS modules require recompilation and may require minor Makefile modifications.
					</div></div><div class="section" id="s3-httpd-v2-mig-mod-python"><div class="titlepage"><div><div><h5 class="title" id="s3-httpd-v2-mig-mod-python">23.2.2.4.7. The <code class="filename">mod_python</code> Module</h5></div></div></div><div class="para">
						Configuration for <code class="filename">mod_python</code> has moved from <code class="filename">httpd.conf</code> to the <code class="filename">/etc/httpd/conf.d/python.conf</code> file. For this file to be loaded, and hence for <code class="filename">mod_python</code> to work, the statement <code class="command">Include conf.d/*.conf</code> must be in <code class="filename">httpd.conf</code> as described in <a class="xref" href="#s3-httpd-v2-mig-dso">Section 23.2.2.1.3, “Dynamic Shared Object (DSO) Support”</a>.
					</div></div><div class="section" id="s3-httpd-v2-mig-mod-php"><div class="titlepage"><div><div><h5 class="title" id="s3-httpd-v2-mig-mod-php">23.2.2.4.8. PHP</h5></div></div></div><a id="id819948" class="indexterm"></a><div class="para">
						The configuration for PHP has been moved from <code class="filename">httpd.conf</code> into the file <code class="filename">/etc/httpd/conf.d/php.conf</code>. For this file to be loaded, the statement <code class="command">Include conf.d/*.conf</code> must be in <code class="filename">httpd.conf</code> as described in <a class="xref" href="#s3-httpd-v2-mig-dso">Section 23.2.2.1.3, “Dynamic Shared Object (DSO) Support”</a>.
					</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
							Any PHP configuration directives used in Apache HTTP Server 1.3 are now fully compatible, when migrating to Apache HTTP Server 2.0 on Red Hat Enterprise Linux 5.
						</div></div></div><div class="para">
						In PHP version 4.2.0 and later the default set of predefined variables which are available in the global scope has changed. Individual input and server variables are, by default, no longer placed directly into the global scope. This change may cause scripts to break. Revert to the old behavior by setting <code class="command">register_globals</code> to <code class="command">On</code> in the file <code class="filename">/etc/php.ini</code>.
					</div><div class="para">
						For more on this topic, refer to the following URL for details concerning the global scope changes:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<a href="http://www.php.net/release_4_1_0.php">http://www.php.net/release_4_1_0.php</a>
							</div></li></ul></div></div><div class="section" id="s3-httpd-v2-mig-mod-ldapz"><div class="titlepage"><div><div><h5 class="title" id="s3-httpd-v2-mig-mod-ldapz">23.2.2.4.9. The <code class="filename">mod_authz_ldap</code> Module</h5></div></div></div><a id="id820060" class="indexterm"></a><div class="para">
						Red Hat Enterprise Linux ships with the <code class="filename">mod_authz_ldap</code> module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory. It is also capable of authorizing users based on attributes of that user's LDAP directory entry, determining access to assets based on the user and group privileges of the asset, and denying access for users with expired passwords. The <code class="filename">mod_ssl</code> module is required when using the <code class="filename">mod_authz_ldap</code> module.
					</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
							The <code class="filename">mod_authz_ldap</code> module does not authenticate a user to an LDAP directory using an encrypted password hash. This functionality is provided by the experimental <code class="filename">mod_auth_ldap</code> module. Refer to the <code class="filename">mod_auth_ldap</code> module documentation online at <a href="http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html">http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html</a> for details on the status of this module.
						</div></div></div><div class="para">
						The <code class="filename">/etc/httpd/conf.d/authz_ldap.conf</code> file configures the <code class="filename">mod_authz_ldap</code> module.
					</div><div class="para">
						Refer to <code class="filename">/usr/share/doc/mod_authz_ldap-<em class="replaceable"><code>&lt;version&gt;</code></em>/index.html</code> (replacing <em class="replaceable"><code>&lt;version&gt;</code></em> with the version number of the package) or <a href="http://authzldap.othello.ch/">http://authzldap.othello.ch/</a> for more information on configuring the <code class="filename">mod_authz_ldap</code> third party module.
					</div></div></div></div></div><div class="section" id="s1-apache-startstop"><div class="titlepage"><div><div><h2 class="title" id="s1-apache-startstop">23.3. Starting and Stopping <code class="command">httpd</code></h2></div></div></div><a id="id820183" class="indexterm"></a><a id="id820198" class="indexterm"></a><a id="id820212" class="indexterm"></a><a id="id820227" class="indexterm"></a><div class="para">
			After installing the <code class="filename">httpd</code> package, review the Apache HTTP Server's documentation available online at <a href="http://httpd.apache.org/docs/2.2/">http://httpd.apache.org/docs/2.2/</a>.
		</div><div class="para">
			The <code class="filename">httpd</code> RPM installs the <code class="filename">/etc/init.d/httpd</code> script, which can be accessed using the <code class="command">/sbin/service</code> command.
		</div><div class="para">
			Starting <code class="command">httpd</code> using the <code class="command">apachectl</code> control script sets the environmental variables in <code class="filename">/etc/sysconfig/httpd</code> and starts <code class="command">httpd</code>. You can also set the environment variables using the init script.
		</div><div class="para">
			To start the server using the <code class="command">apachectl</code> control script as root type:
		</div><pre class="screen"><code class="command">apachectl start</code></pre><div class="para">
			You can also start <code class="command">httpd</code> using <code class="command">/sbin/service httpd start</code>. This starts <code class="command">httpd</code> but does not set the environment variables. If you are using the default <code class="command">Listen</code> directive in <code class="command">httpd.conf</code>, which is port 80, you will need to have root privileges to start the apache server.
		</div><div class="para">
			To stop the server, as root type:
		</div><pre class="screen"><code class="command">apachectl stop</code></pre><div class="para">
			You can also stop <code class="command">httpd</code> using <code class="command">/sbin/service httpd stop</code>. The <code class="option">restart</code> option is a shorthand way of stopping and then starting the Apache HTTP Server.
		</div><div class="para">
			You can restart the server as root by typing:
		</div><pre class="screen"><code class="command">apachectl restart</code></pre><div class="para">
			or:
		</div><pre class="screen"><code class="command">service httpd restart</code></pre><div class="para">
			Apache will display a message on the console or in the <code class="filename">ErrorLog</code> if it encounters an error while starting.
		</div><div class="para">
			By default, the <code class="command">httpd</code> service does <span class="emphasis"><em>not</em></span> start automatically at boot time. If you would wish to have Apache startup at boot time, you will need to add a call to <code class="command">apachectl</code> in your startup files within the <code class="filename">rc.N</code> directory. A typical file used is <code class="filename">rc.local</code>. As this starts Apache as root, it is recommended to properly configure your security and authentication before adding this call.
		</div><div class="para">
			You can also configure the <code class="command">httpd</code> service to start up at boot time, using an initscript utility, such as <code class="command">/sbin/chkconfig</code>, <span class="application"><strong>/usr/sbin/ntsysv</strong></span>, or the <span class="application"><strong>Services Configuration Tool</strong></span> program.
		</div><div class="para">
			You can also display the status of your httpd server by typing:
		</div><pre class="screen"><code class="command">apachectl status</code></pre><div class="para">
			The status module <code class="command">mod_status</code> however needs to be enabled in your <code class="filename">httpd.conf</code> configuration file for this to work. For more details on <code class="command">mod_status</code> can be found on <a href="http://httpd.apache.org/docs/2.2/mod/mod_status.html">http://httpd.apache.org/docs/2.2/mod/mod_status.html</a>.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				If running the Apache HTTP Server as a secure server, the secure server's password is required after the machine boots when using an encrypted private SSL key.
			</div><div class="para">
				You can find more information on <a href="http://httpd.apache.org/docs/2.2/ssl">http://httpd.apache.org/docs/2.2/ssl</a>
			</div></div></div></div><div class="section" id="s1-apache-config-ui"><div class="titlepage"><div><div><h2 class="title" id="s1-apache-config-ui">23.4. Apache HTTP Server Configuration</h2></div></div></div><a id="id820489" class="indexterm"></a><a id="id820502" class="indexterm"></a><div class="para">
			The <span class="application"><strong>HTTP Configuration Tool</strong></span> allows you to configure the <code class="filename">/etc/httpd/conf/httpd.conf</code> configuration file for the Apache HTTP Server. It does not use the old <code class="filename">srm.conf</code> or <code class="filename">access.conf</code> configuration files; leave them empty. Through the graphical interface, you can configure directives such as virtual hosts, logging attributes, and maximum number of connections. To start the HTTD Configuration Tool, click on <code class="filename">System &gt; Administration &gt; Server Settings &gt; HTTP</code>.
		</div><a id="id820544" class="indexterm"></a><div class="para">
			Only modules provided with Red Hat Enterprise Linux can be configured with the <span class="application"><strong>HTTP Configuration Tool</strong></span>. If additional modules are installed, they can not be configured using this tool.
		</div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><a id="id820575" class="indexterm"></a><div class="para">
				Do not edit the <code class="filename">/etc/httpd/conf/httpd.conf</code> configuration file by hand if you wish to use this tool. The <span class="application"><strong>HTTP Configuration Tool</strong></span> generates this file after you save your changes and exit the program. If you want to add additional modules or configuration options that are not available in <span class="application"><strong>HTTP Configuration Tool</strong></span>, you cannot use this tool.
			</div></div></div><div class="para">
			The general steps for configuring the Apache HTTP Server using the <span class="application"><strong>HTTP Configuration Tool</strong></span> are as follows:
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					Configure the basic settings under the <span class="guilabel"><strong>Main</strong></span> tab.
				</div></li><li class="listitem"><div class="para">
					Click on the <span class="guilabel"><strong>Virtual Hosts</strong></span> tab and configure the default settings.
				</div></li><li class="listitem"><div class="para">
					Under the <span class="guilabel"><strong>Virtual Hosts</strong></span> tab, configure the Default Virtual Host.
				</div></li><li class="listitem"><div class="para">
					To serve more than one URL or virtual host, add any additional virtual hosts.
				</div></li><li class="listitem"><div class="para">
					Configure the server settings under the <span class="guilabel"><strong>Server</strong></span> tab.
				</div></li><li class="listitem"><div class="para">
					Configure the connections settings under the <span class="guilabel"><strong>Performance Tuning</strong></span> tab.
				</div></li><li class="listitem"><div class="para">
					Copy all necessary files to the <code class="filename">DocumentRoot</code> and <code class="filename">cgi-bin</code> directories.
				</div></li><li class="listitem"><div class="para">
					Exit the application and select to save your settings.
				</div></li></ol></div><div class="section" id="s2-httpd-basic-settings"><div class="titlepage"><div><div><h3 class="title" id="s2-httpd-basic-settings">23.4.1. Basic Settings</h3></div></div></div><div class="para">
				Use the <span class="guilabel"><strong>Main</strong></span> tab to configure the basic server settings.
			</div><div class="figure" id="httpd-main"><div class="figure-contents"><div class="mediaobject"><img src="images/httpd-main.png" alt="Basic Settings" /><div class="longdesc"><div class="para">
							Basic Settings
						</div></div></div></div><h6>Figure 23.1. Basic Settings</h6></div><br class="figure-break" /><a id="id820770" class="indexterm"></a><div class="para">
				Enter a fully qualified domain name that you have the right to use in the <span class="guilabel"><strong>Server Name</strong></span> text area. This option corresponds to the <a href="http://httpd.apache.org/docs/2.2/mod/core.html#servername"><code class="command">ServerName</code></a> directive in <code class="filename">httpd.conf</code>. The <code class="command">ServerName</code> directive sets the hostname of the Web server. It is used when creating redirection URLs. If you do not define a server name, the Web server attempts to resolve it from the IP address of the system. The server name does not have to be the domain name resolved from the IP address of the server. For example, you might set the server name to www.example.com while the server's real DNS name is foo.example.com.
			</div><a id="id820814" class="indexterm"></a><div class="para">
				Enter the email address of the person who maintains the Web server in the <span class="guilabel"><strong>Webmaster email address</strong></span> text area. This option corresponds to the <a href="http://httpd.apache.org/docs/2.2/mod/core.html#serveradmin"><code class="command">ServerAdmin</code></a> directive in <code class="filename">httpd.conf</code>. If you configure the server's error pages to contain an email address, this email address is used so that users can report a problem to the server's administrator. The default value is root@localhost.
			</div><a id="id820853" class="indexterm"></a><div class="para">
				Use the <span class="guilabel"><strong>Available Addresses</strong></span> area to define the ports on which the server accepts incoming requests. This option corresponds to the <a href="http://httpd.apache.org/docs/2.2/mod/mpm_common.html#listen"><code class="command">Listen</code></a> directive in <code class="filename">httpd.conf</code>. By default, Red Hat configures the Apache HTTP Server to listen to port 80 for non-secure Web communications.
			</div><div class="para">
				Click the <span class="guibutton"><strong>Add</strong></span> button to define additional ports on which to accept requests. A window as shown in <a class="xref" href="#httpd-listen">Figure 23.2, “Available Addresses”</a> appears. Either choose the <span class="guilabel"><strong>Listen to all addresses</strong></span> option to listen to all IP addresses on the defined port or specify a particular IP address over which the server accepts connections in the <span class="guilabel"><strong>Address</strong></span> field. Only specify one IP address per port number. To specify more than one IP address with the same port number, create an entry for each IP address. If at all possible, use an IP address instead of a domain name to prevent a DNS lookup failure. Refer to <a href="http://httpd.apache.org/docs/2.2/dns-caveats.html">http://httpd.apache.org/docs/2.2/dns-caveats.html</a> for more information about <em class="citetitle">Issues Regarding DNS and Apache</em>.
			</div><div class="para">
				Entering an asterisk (*) in the <span class="guilabel"><strong>Address</strong></span> field is the same as choosing <span class="guilabel"><strong>Listen to all addresses</strong></span>. Clicking the <span class="guibutton"><strong>Edit</strong></span> button in the <span class="guilabel"><strong>Available Addresses</strong></span> frame shows the same window as the <span class="guibutton"><strong>Add</strong></span> button except with the fields populated for the selected entry. To delete an entry, select it and click the <span class="guibutton"><strong>Delete</strong></span> button.
			</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
					If you set the server to listen to a port under 1024, you must be root to start it. For port 1024 and above, <code class="command">httpd</code> can be started as a regular user.
				</div></div></div><div class="figure" id="httpd-listen"><div class="figure-contents"><div class="mediaobject"><img src="images/httpd-listen.png" alt="Available Addresses" /><div class="longdesc"><div class="para">
							Available Addresses
						</div></div></div></div><h6>Figure 23.2. Available Addresses</h6></div><br class="figure-break" /></div><div class="section" id="s2-httpd-default-settings"><div class="titlepage"><div><div><h3 class="title" id="s2-httpd-default-settings">23.4.2. Default Settings</h3></div></div></div><div class="para">
				After defining the <span class="guilabel"><strong>Server Name</strong></span>, <span class="guilabel"><strong>Webmaster email address</strong></span>, and <span class="guilabel"><strong>Available Addresses</strong></span>, click the <span class="guilabel"><strong>Virtual Hosts</strong></span> tab. The figure below illustrates the <span class="guilabel"><strong>Virtual Hosts</strong></span> tab.
			</div><div class="figure" id="httpd-virtual-hosts"><div class="figure-contents"><div class="mediaobject"><img src="images/httpd-virtualhosts.png" alt="Virtual Hosts Tab" /><div class="longdesc"><div class="para">
							Virtual Hosts Tab
						</div></div></div></div><h6>Figure 23.3. Virtual Hosts Tab</h6></div><br class="figure-break" /><div class="para">
				Clicking on <span class="guilabel"><strong>Edit</strong></span> will display the <span class="guilabel"><strong>Virtual Host Properties</strong></span> window from which you can set your preferred settings. To add new settings, click on the <span class="guilabel"><strong>Add</strong></span> button which will also display the <span class="guilabel"><strong>Virtual Host Properties</strong></span> window. Clicking on the <span class="guilabel"><strong>Edit Default Settings</strong></span> button, displays the <span class="guilabel"><strong>Virtual Host Properties</strong></span> window without the <span class="guilabel"><strong>General Options</strong></span> tab.
			</div><div class="para">
				In the <span class="guilabel"><strong>General Options</strong></span> tab, you can change the hostname, the document root directory and also set the webmaster's email address. In the Host information, you can set the Virtual Host's IP Address and Host Name. The figure below illustrates the <span class="guilabel"><strong>General Options</strong></span> tab.
			</div><div class="figure" id="httpd-general-options"><div class="figure-contents"><div class="mediaobject"><img src="images/httpd-general-options.png" width="444" alt="General Options" /><div class="longdesc"><div class="para">
							General Options
						</div></div></div></div><h6>Figure 23.4. General Options</h6></div><br class="figure-break" /><div class="para">
				If you add a virtual host, the settings you configure for the virtual host take precedence for that virtual host. For a directive not defined within the virtual host settings, the default value is used.
			</div><div class="section" id="s3-httpd-site-config"><div class="titlepage"><div><div><h4 class="title" id="s3-httpd-site-config">23.4.2.1. Site Configuration</h4></div></div></div><div class="para">
					The figure below illustrates the <span class="guibutton"><strong>Page Options</strong></span>tab from which you can configure the <span class="guilabel"><strong>Directory Page Search List</strong></span> and <span class="guilabel"><strong>Error Pages</strong></span>. If you are unsure of these settings, do not modify them.
				</div><div class="figure" id="httpd-site-config-screen"><div class="figure-contents"><div class="mediaobject"><img src="images/httpd-siteconfig.png" width="444" alt="Site Configuration" /><div class="longdesc"><div class="para">
								Site Configuration
							</div></div></div></div><h6>Figure 23.5. Site Configuration</h6></div><br class="figure-break" /><a id="id821232" class="indexterm"></a><div class="para">
					The entries listed in the <span class="guilabel"><strong>Directory Page Search List</strong></span> define the <a href="http://httpd.apache.org/docs/2.2/mod/mod_dir.html#directoryindex"><code class="command">DirectoryIndex</code></a> directive. The <code class="command">DirectoryIndex</code> is the default page served by the server when a user requests an index of a directory by specifying a forward slash (/) at the end of the directory name.
				</div><div class="para">
					For example, when a user requests the page <code class="command">http://www.example.com/this_directory/</code>, they are going to get either the <code class="command">DirectoryIndex</code> page, if it exists, or a server-generated directory list. The server tries to find one of the files listed in the <code class="command">DirectoryIndex</code> directive and returns the first one it finds. 
					<a id="id821284" class="indexterm"></a>
					 If it does not find any of these files and if <code class="command">Options Indexes</code> is set for that directory, the server generates and returns a list, in HTML format, of the subdirectories and files in the directory.
				</div><a id="id821308" class="indexterm"></a><div class="para">
					Use the <span class="guilabel"><strong>Error Code</strong></span> section to configure Apache HTTP Server to redirect the client to a local or external URL in the event of a problem or error. This option corresponds to the <a href="http://httpd.apache.org/docs/2.2/mod/core.html#errordocument"><code class="command">ErrorDocument</code></a> directive. If a problem or error occurs when a client tries to connect to the Apache HTTP Server, the default action is to display the short error message shown in the <span class="guilabel"><strong>Error Code</strong></span> column. To override this default configuration, select the error code and click the <span class="guilabel"><strong>Edit</strong></span> button. Choose <span class="guimenuitem"><strong>Default</strong></span> to display the default short error message. Choose <span class="guimenuitem"><strong>URL</strong></span> to redirect the client to an external URL and enter a complete URL, including the <code class="command">http://</code>, in the <span class="guilabel"><strong>Location</strong></span> field. Choose <span class="guimenuitem"><strong>File</strong></span> to redirect the client to an internal URL and enter a file location under the document root for the Web server. The location must begin the a slash (/) and be relative to the Document Root.
				</div><div class="para">
					For example, to redirect a 404 Not Found error code to a webpage that you created in a file called <code class="filename">404.html</code>, copy <code class="filename">404.html</code> to <code class="filename"><em class="replaceable"><code>DocumentRoot</code></em>/../error/404.html</code>. In this case, <em class="replaceable"><code>DocumentRoot</code></em> is the Document Root directory that you have defined (the default is <code class="filename">/var/www/html/</code>). If the Document Root is left as the default location, the file should be copied to <code class="filename">/var/www/error/404.html</code>. Then, choose <span class="guimenuitem"><strong>File</strong></span> as the Behavior for <span class="guilabel"><strong>404 - Not Found</strong></span> error code and enter <code class="filename">/error/404.html</code> as the <span class="guimenuitem"><strong>Location</strong></span>.
				</div><div class="para">
					From the <span class="guilabel"><strong>Default Error Page Footer</strong></span> menu, you can choose one of the following options:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Show footer with email address</strong></span> — Display the default footer at the bottom of all error pages along with the email address of the website maintainer specified by the <a href="http://httpd.apache.org/docs/2.2/mod/core.html#serveradmin"><code class="command">ServerAdmin</code></a> directive.
						</div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Show footer</strong></span> — Display just the default footer at the bottom of error pages.
						</div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>No footer</strong></span> — Do not display a footer at the bottom of error pages.
						</div></li></ul></div></div><div class="section" id="s3-httpd-ssl-variables"><div class="titlepage"><div><div><h4 class="title" id="s3-httpd-ssl-variables">23.4.2.2. SSL Support</h4></div></div></div><div class="para">
					The <code class="command">mod_ssl</code> enables encryption of the HTTP protocol over SSL. SSL (Secure Sockets Layer) protocol is used for communication and encryption over TCP/IP networks. The SSL tab enables you to configure SSL for your server. To configure SSL you need to provide the path to your:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							Certificate file - equivalent to using the <code class="command">SSLCertificateFile</code> directive which points the path to the PEM (Privacy Enhanced Mail)-encoded server certificate file.
						</div></li><li class="listitem"><div class="para">
							Key file - equivalent to using the <code class="command">SSLCertificateKeyFile</code> directive which points the path to the PEM-encoded server private key file.
						</div></li><li class="listitem"><div class="para">
							Certificate chain file - equivalent to using the <code class="command">SSLCertificateChainFile</code> directive which points the path to the certificate file containing all the server's chain of certificates.
						</div></li><li class="listitem"><div class="para">
							Certificate authority file - is an encrypted file used to confirm the authenticity or identity of parties communicating with the server.
						</div></li></ul></div><div class="para">
					You can find out more about configuration directives for SSL on <a href="http://httpd.apache.org/docs/2.2/mod/directives.html#S"> http://httpd.apache.org/docs/2.2/mod/directives.html#S</a>. You also need to determine which SSL options to enable. These are equivalent to using the <code class="command">SSLOptions</code> with the following options:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							FakeBasicAuth - enables standard authentication methods used by Apache. This means that the Client X509 certificate's Subject Distinguished Name (DN) is translated into a basic HTTP username.
						</div></li><li class="listitem"><div class="para">
							ExportCertData - creates CGI environment variables in <code class="command">SSL_SERVER_CERT</code>, <code class="command">SSL_CLIENT_CERT</code> and <code class="command">SSL_CLIENT_CERT_CHAIN_n</code> where n is a number 0,1,2,3,4... These files are used for more certificate checks by CGI scripts.
						</div></li><li class="listitem"><div class="para">
							CompatEnvVars - enables backward compatibility for Apache SSL by adding CGI environment variables.
						</div></li><li class="listitem"><div class="para">
							StrictRequire - enables strict access which forces denial of access whenever the <code class="command">SSLRequireSSL</code> and <code class="command">SSLRequire</code> directives indicate access is forbidden.
						</div></li><li class="listitem"><div class="para">
							OptRenegotiate - enables avoidance of unnecessary handshakes by <code class="command">mod_ssl</code> which also performs safe parameter checks. It is recommended to enable OptRenegotiate on a per directory basis.
						</div></li></ul></div><div class="para">
					More information on the above SSL options can be found on <a href="http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions"> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions</a>. The figure below illustrates the SSL tab and the options discussed above.
				</div><div class="figure" id="httpd-virtualhosts-ssl"><div class="figure-contents"><div class="mediaobject"><img src="images/httpd-virtualhosts-ssl.png" width="444" alt="SSL" /><div class="longdesc"><div class="para">
								SSL
							</div></div></div></div><h6>Figure 23.6. SSL</h6></div><br class="figure-break" /></div><div class="section" id="s3-httpd-logging"><div class="titlepage"><div><div><h4 class="title" id="s3-httpd-logging">23.4.2.3. Logging</h4></div></div></div><a id="id1002002" class="indexterm"></a><a id="id1002020" class="indexterm"></a><div class="para">
					Use the <span class="guilabel"><strong>Logging</strong></span> tab to configure options for specific transfer and error logs.
				</div><div class="para">
					By default, the server writes the transfer log to the <code class="filename">/var/log/httpd/access_log</code> file and the error log to the <code class="filename">/var/log/httpd/error_log</code> file.
				</div><div class="para">
					The transfer log contains a list of all attempts to access the Web server. It records the IP address of the client that is attempting to connect, the date and time of the attempt, and the file on the Web server that it is trying to retrieve. Enter the name of the path and file in which to store this information. If the path and file name do not start with a slash (/), the path is relative to the server root directory as configured. This option corresponds to the <a href="http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#transferlog"><code class="command">TransferLog</code></a> directive.
				</div><div class="figure" id="httpd-logging-screen"><div class="figure-contents"><div class="mediaobject"><img src="images/httpd-logging.png" width="444" alt="Logging" /><div class="longdesc"><div class="para">
								Logging
							</div></div></div></div><h6>Figure 23.7. Logging</h6></div><br class="figure-break" /><a id="id1002112" class="indexterm"></a><a id="id1002130" class="indexterm"></a><div class="para">
					You can configure a custom log format by checking <span class="guilabel"><strong>Use custom logging facilities</strong></span> and entering a custom log string in the <span class="guilabel"><strong>Custom Log String</strong></span> field. This configures the <a href="http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#logformat"><code class="command">LogFormat</code></a> directive. Refer to <a href="http://httpd.apache.org/docs-2.0/mod/mod_log_config.html#formats"> http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#logformat</a> for details on the format of this directive.
				</div><a id="id1002174" class="indexterm"></a><div class="para">
					The error log contains a list of any server errors that occur. Enter the name of the path and file in which to store this information. If the path and file name do not start with a slash (/), the path is relative to the server root directory as configured. This option corresponds to the <a href="http://httpd.apache.org/docs/2.2/mod/core.html#errorlog"><code class="command">ErrorLog</code></a> directive.
				</div><a id="id1002205" class="indexterm"></a><div class="para">
					Use the <span class="guilabel"><strong>Log Level</strong></span> menu to set the verbosity of the error messages in the error logs. It can be set (from least verbose to most verbose) to emerg, alert, crit, error, warn, notice, info or debug. This option corresponds to the <a href="http://httpd.apache.org/docs/2.2/mod/core.html#loglevel"><code class="command">LogLevel</code></a> directive.
				</div><a id="id1002239" class="indexterm"></a><div class="para">
					The value chosen with the <span class="guilabel"><strong>Reverse DNS Lookup</strong></span> menu defines the <a href="http://httpd.apache.org/docs/2.2/mod/core.html#hostnamelookups"><code class="command">HostnameLookups</code></a> directive. Choosing <span class="guilabel"><strong>No Reverse Lookup</strong></span> sets the value to off. Choosing <span class="guilabel"><strong>Reverse Lookup</strong></span> sets the value to on. Choosing <span class="guilabel"><strong>Double Reverse Lookup</strong></span> sets the value to double.
				</div><div class="para">
					If you choose <span class="guilabel"><strong>Reverse Lookup</strong></span>, your server automatically resolves the IP address for each connection which requests a document from your Web server. Resolving the IP address means that your server makes one or more connections to the DNS in order to find out the hostname that corresponds to a particular IP address.
				</div><div class="para">
					If you choose <span class="guilabel"><strong>Double Reverse Lookup</strong></span>, your server performs a double-reverse DNS. In other words, after a reverse lookup is performed, a forward lookup is performed on the result. At least one of the IP addresses in the forward lookup must match the address from the first reverse lookup.
				</div><div class="para">
					Generally, you should leave this option set to <span class="guilabel"><strong>No Reverse Lookup</strong></span>, because the DNS requests add a load to your server and may slow it down. If your server is busy, the effects of trying to perform these reverse lookups or double reverse lookups may be quite noticeable.
				</div><div class="para">
					Reverse lookups and double reverse lookups are also an issue for the Internet as a whole. Each individual connection made to look up each hostname adds up. Therefore, for your own Web server's benefit, as well as for the Internet's benefit, you should leave this option set to <span class="guilabel"><strong>No Reverse Lookup</strong></span>.
				</div></div><div class="section" id="s3-httpd-environment-variables"><div class="titlepage"><div><div><h4 class="title" id="s3-httpd-environment-variables">23.4.2.4. Environment Variables</h4></div></div></div><div class="para">
					Use the <span class="guilabel"><strong>Environment</strong></span> tab to configure options for specific variables to set, pass, or unset for CGI scripts.
				</div><div class="para">
					Sometimes it is necessary to modify environment variables for CGI scripts or server-side include (SSI) pages. The Apache HTTP Server can use the <code class="command">mod_env</code> module to configure the environment variables which are passed to CGI scripts and SSI pages. Use the <span class="guilabel"><strong>Environment Variables</strong></span> page to configure the directives for this module.
				</div><div class="para">
					Use the <span class="guilabel"><strong>Set for CGI Scripts</strong></span> section to set an environment variable that is passed to CGI scripts and SSI pages. For example, to set the environment variable <code class="filename">MAXNUM</code> to <code class="filename">50</code>, click the <span class="guibutton"><strong>Add</strong></span> button inside the <span class="guilabel"><strong>Set for CGI Script</strong></span> section, as shown in <a class="xref" href="#httpd-environment-variables-screen">Figure 23.8, “Environment Variables”</a>, and type <strong class="userinput"><code>MAXNUM</code></strong> in the <span class="guilabel"><strong>Environment Variable</strong></span> text field and <strong class="userinput"><code>50</code></strong> in the <span class="guilabel"><strong>Value to set</strong></span> text field. Click <span class="guibutton"><strong>OK</strong></span> to add it to the list. The <span class="guilabel"><strong>Set for CGI Scripts</strong></span> section configures the <a href="http://httpd.apache.org/docs/2.2/mod/mod_env.html#setenv"><code class="command">SetEnv</code></a> directive.
				</div><div class="para">
					Use the <span class="guilabel"><strong>Pass to CGI Scripts</strong></span> section to pass the value of an environment variable when the server is first started to CGI scripts. To see this environment variable, type the command <code class="command">env</code> at a shell prompt. Click the <span class="guibutton"><strong>Add</strong></span> button inside the <span class="guilabel"><strong>Pass to CGI Scripts</strong></span> section and enter the name of the environment variable in the resulting dialog box. Click <span class="guibutton"><strong>OK</strong></span> to add it to the list. The <span class="guilabel"><strong>Pass to CGI Scripts</strong></span> section configures the <a href="http://httpd.apache.org/docs/2.2/mod/mod_env.html#passenv"><code class="command">PassEnv</code> </a> directive.
				</div><div class="figure" id="httpd-environment-variables-screen"><div class="figure-contents"><div class="mediaobject"><img src="images/httpd-environment.png" width="444" alt="Environment Variables" /><div class="longdesc"><div class="para">
								Environment Variables
							</div></div></div></div><h6>Figure 23.8. Environment Variables</h6></div><br class="figure-break" /><div class="para">
					To remove an environment variable so that the value is not passed to CGI scripts and SSI pages, use the <span class="guilabel"><strong>Unset for CGI Scripts</strong></span> section. Click <span class="guibutton"><strong>Add</strong></span> in the <span class="guilabel"><strong>Unset for CGI Scripts</strong></span> section, and enter the name of the environment variable to unset. Click <span class="guibutton"><strong>OK</strong></span> to add it to the list. This corresponds to the <a href="http://httpd.apache.org/docs/2.2/mod/mod_env.html#unsetenv"><code class="command">UnsetEnv</code></a> directive.
				</div><div class="para">
					To edit any of these environment values, select it from the list and click the corresponding <span class="guibutton"><strong>Edit</strong></span> button. To delete any entry from the list, select it and click the corresponding <span class="guibutton"><strong>Delete</strong></span> button.
				</div><div class="para">
					To learn more about environment variables in the Apache HTTP Server, refer to the following: <a href="http://httpd.apache.org/docs/2.2/env.html">http://httpd.apache.org/docs/2.2/env.html</a>
				</div></div><div class="section" id="s3-httpd-directories"><div class="titlepage"><div><div><h4 class="title" id="s3-httpd-directories">23.4.2.5. Directories</h4></div></div></div><div class="para">
					Use the <span class="guilabel"><strong>Directories</strong></span> page in the <span class="guilabel"><strong>Performance</strong></span> tab to configure options for specific directories. This corresponds to the <a href="http://httpd.apache.org/docs/2.2/mod/core.html#directory"><code class="command">&lt;Directory&gt;</code></a> directive.
				</div><div class="figure" id="httpd-directories-screen"><div class="figure-contents"><div class="mediaobject"><img src="images/httpd-directories.png" width="444" alt="Directories" /><div class="longdesc"><div class="para">
								Directories
							</div></div></div></div><h6>Figure 23.9. Directories</h6></div><br class="figure-break" /><div class="para">
					Click the <span class="guibutton"><strong>Edit</strong></span> button in the top right-hand corner to configure the <span class="guilabel"><strong>Default Directory Options</strong></span> for all directories that are not specified in the <span class="guilabel"><strong>Directory</strong></span> list below it. The options that you choose are listed as the <a href="http://httpd.apache.org/docs/2.2/mod/core.html#options"><code class="command">Options</code></a> directive within the <a href="http://httpd.apache.org/docs/2.2/mod/core.html#directory"> <code class="command">&lt;Directory&gt;</code></a> directive. You can configure the following options:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<span class="guilabel"><strong>ExecCGI</strong></span> — Allow execution of CGI scripts. CGI scripts are not executed if this option is not chosen.
						</div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>FollowSymLinks</strong></span> — Allow symbolic links to be followed.
						</div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Includes</strong></span> — Allow server-side includes.
						</div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>IncludesNOEXEC</strong></span> — Allow server-side includes, but disable the <code class="command">#exec</code> and <code class="command">#include</code> commands in CGI scripts.
						</div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Indexes</strong></span> — Display a formatted list of the directory's contents, if no <code class="command">DirectoryIndex</code> (such as <code class="filename">index.html</code>) exists in the requested directory.
						</div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Multiview</strong></span> — Support content-negotiated multiviews; this option is disabled by default.
						</div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>SymLinksIfOwnerMatch</strong></span> — Only follow symbolic links if the target file or directory has the same owner as the link.
						</div></li></ul></div><div class="para">
					To specify options for specific directories, click the <span class="guibutton"><strong>Add</strong></span> button beside the <span class="guilabel"><strong>Directory</strong></span> list box. A window as shown in <a class="xref" href="#httpd-directories-add">Figure 23.10, “Directory Settings”</a> appears. Enter the directory to configure in the <span class="guilabel"><strong>Directory</strong></span> text field at the bottom of the window. Select the options in the right-hand list and configure the <a href="http://httpd.apache.org/docs-2.0/mod/mod_access.html#order"><code class="command">Order</code></a> directive with the left-hand side options. The <code class="command">Order</code> directive controls the order in which allow and deny directives are evaluated. In the <span class="guilabel"><strong>Allow hosts from</strong></span> and <span class="guilabel"><strong>Deny hosts from</strong></span> text field, you can specify one of the following:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							Allow all hosts — Type <strong class="userinput"><code>all</code></strong> to allow access to all hosts.
						</div></li><li class="listitem"><div class="para">
							Partial domain name — Allow all hosts whose names match or end with the specified string.
						</div></li><li class="listitem"><div class="para">
							Full IP address — Allow access to a specific IP address.
						</div></li><li class="listitem"><div class="para">
							A subnet — Such as <strong class="userinput"><code>192.168.1.0/255.255.255.0</code></strong>
						</div></li><li class="listitem"><div class="para">
							A network CIDR specification — such as <strong class="userinput"><code>10.3.0.0/16</code></strong>
						</div></li></ul></div><div class="figure" id="httpd-directories-add"><div class="figure-contents"><div class="mediaobject"><img src="images/httpd-directories-add.png" width="444" alt="Directory Settings" /><div class="longdesc"><div class="para">
								Directory Settings
							</div></div></div></div><h6>Figure 23.10. Directory Settings</h6></div><br class="figure-break" /><div class="para">
					If you check the <span class="guilabel"><strong>Let .htaccess files override directory options</strong></span>, the configuration directives in the <code class="filename">.htaccess</code> file take precedence.
				</div></div></div></div><div class="section" id="s1-apache-config"><div class="titlepage"><div><div><h2 class="title" id="s1-apache-config">23.5. Configuration Directives in <code class="filename">httpd.conf</code></h2></div></div></div><a id="id1002919" class="indexterm"></a><a id="id1002933" class="indexterm"></a><a id="id1002948" class="indexterm"></a><a id="id1002962" class="indexterm"></a><a id="id1002983" class="indexterm"></a><div class="para">
			The Apache HTTP Server configuration file is <code class="filename">/etc/httpd/conf/httpd.conf</code>. The <code class="filename">httpd.conf</code> file is well-commented and mostly self-explanatory. The default configuration works for most situations; however, it is a good idea to become familiar some of the more important configuration options.
		</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
				With the release of Apache HTTP Server 2.2, many configuration options have changed. If migrating from version 1.3 to 2.2, please firstly read <a class="xref" href="#s3-httpd-v2-mig">Section 23.2.2, “Migrating Apache HTTP Server 1.3 Configuration Files to 2.0”</a>.
			</div></div></div><div class="section" id="s2-apache-tips"><div class="titlepage"><div><div><h3 class="title" id="s2-apache-tips">23.5.1. General Configuration Tips</h3></div></div></div><div class="para">
				If configuring the Apache HTTP Server, edit <code class="filename">/etc/httpd/conf/httpd.conf</code> and then either reload, restart, or stop and start the <code class="command">httpd</code> process as outlined in <a class="xref" href="#s1-apache-startstop">Section 23.3, “Starting and Stopping <code class="command">httpd</code>”</a>.
			</div><div class="para">
				Before editing <code class="filename">httpd.conf</code>, make a copy the original file. Creating a backup makes it easier to recover from mistakes made while editing the configuration file.
			</div><div class="para">
				If a mistake is made and the Web server does not work correctly, first review recently edited passages in <code class="filename">httpd.conf</code> to verify there are no typos.
			</div><div class="para">
				Next look in the Web server's error log, <code class="filename">/var/log/httpd/error_log</code>. The error log may not be easy to interpret, depending on your level of expertise. However, the last entries in the error log should provide useful information.
			</div><div class="para">
				The following subsections contain a list of short descriptions for many of the directives included in <code class="filename">httpd.conf</code>. These descriptions are not exhaustive. For more information, refer to the Apache documentation online at <a href="http://httpd.apache.org/docs/2.2/">http://httpd.apache.org/docs/2.2/</a>.
			</div><div class="para">
				For more information about <code class="filename">mod_ssl</code> directives, refer to the documentation online at <a href="http://httpd.apache.org/docs/2.2/mod/mod_ssl.html">http://httpd.apache.org/docs/2.2/mod/mod_ssl.html</a>.
			</div><a id="id1003115" class="indexterm"></a><a id="id1003132" class="indexterm"></a><div class="formalpara" id="s2-apache-accessfilename"><h5 class="formalpara">AccessFileName</h5><a id="id1003157" class="indexterm"></a><a id="id1003174" class="indexterm"></a>
					<code class="command">AccessFileName</code> names the file which the server should use for access control information in each directory. The default is <code class="filename">.htaccess</code>.
				</div><div class="para">
				Immediately after the <code class="command">AccessFileName</code> directive, a set of <code class="command">Files</code> tags apply access control to any file beginning with a <code class="filename">.ht</code>. These directives deny Web access to any <code class="filename">.htaccess</code> files (or other files which begin with <code class="filename">.ht</code>) for security reasons.
			</div><div class="formalpara" id="s2-apache-action"><h5 class="formalpara">Action</h5><a id="id1003244" class="indexterm"></a><a id="id1003261" class="indexterm"></a>
					<code class="command">Action</code> specifies a MIME content type and CGI script pair, so that when a file of that media type is requested, a particular CGI script is executed.
				</div><div class="formalpara" id="s2-apache-adddescription"><h5 class="formalpara">AddDescription</h5><a id="id1003303" class="indexterm"></a><a id="id1003320" class="indexterm"></a>
					When using <code class="command">FancyIndexing</code> as an <code class="command">IndexOptions</code> parameter, the <code class="command">AddDescription</code> directive can be used to display user-specified descriptions for certain files or file types in a server generated directory listing. The <code class="command">AddDescription</code> directive supports listing specific files, wildcard expressions, or file extensions.
				</div><div class="formalpara" id="s2-apache-addencoding"><h5 class="formalpara">AddEncoding</h5><a id="id1003375" class="indexterm"></a><a id="id1003392" class="indexterm"></a>
					<code class="command">AddEncoding</code> names file name extensions which should specify a particular encoding type. <code class="command">AddEncoding</code> can also be used to instruct some browsers to uncompress certain files as they are downloaded.
				</div><div class="formalpara" id="s2-apache-addhandler"><h5 class="formalpara">AddHandler</h5><a id="id1003439" class="indexterm"></a><a id="id1003456" class="indexterm"></a><a id="id1003473" class="indexterm"></a>
					<code class="command">AddHandler</code> maps file extensions to specific handlers. For example, the <code class="command">cgi-script</code> handler can be matched with the extension <code class="filename">.cgi</code> to automatically treat a file ending with <code class="filename">.cgi</code> as a CGI script. The following is a sample <code class="command">AddHandler</code> directive for the <code class="filename">.cgi</code> extension.
				</div><pre class="screen">AddHandler cgi-script .cgi</pre><div class="para">
				This directive enables CGIs outside of the <code class="filename">cgi-bin</code> to function in any directory on the server which has the <code class="command">ExecCGI</code> option within the directories container. Refer to <a class="xref" href="#s2-apache-directory">Directory</a> for more information about setting the <code class="command">ExecCGI</code> option for a directory.
			</div><div class="para">
				In addition to CGI scripts, the <code class="command">AddHandler</code> directive is used to process server-parsed HTML and image-map files.
			</div><div class="formalpara" id="s2-apache-addicon"><h5 class="formalpara">AddIcon</h5><a id="id1003569" class="indexterm"></a><a id="id1003586" class="indexterm"></a>
					<code class="command">AddIcon</code> specifies which icon to show in server generated directory listings for files with certain extensions. For example, the Web server is set to show the icon <code class="filename">binary.gif</code> for files with <code class="filename">.bin</code> or <code class="filename">.exe</code> extensions.
				</div><div class="formalpara" id="s2-apache-addiconbyencoding"><h5 class="formalpara">AddIconByEncoding</h5><a id="id1003640" class="indexterm"></a><a id="id1003657" class="indexterm"></a>
					This directive names icons which are displayed by files with MIME encoding in server generated directory listings. For example, by default, the Web server shows the <code class="filename">compressed.gif</code> icon next to MIME encoded x-compress and x-gzip files in server generated directory listings.
				</div><div class="formalpara" id="s2-apache-addiconbytype"><h5 class="formalpara">AddIconByType</h5><a id="id1003701" class="indexterm"></a><a id="id1003718" class="indexterm"></a>
					This directive names icons which are displayed next to files with MIME types in server generated directory listings. For example, the server shows the icon <code class="filename">text.gif</code> next to files with a mime-type of <code class="computeroutput">text</code>, in server generated directory listings.
				</div><div class="formalpara" id="s2-apache-addlanguage"><h5 class="formalpara">AddLanguage</h5><a id="id1003765" class="indexterm"></a><a id="id1003782" class="indexterm"></a>
					<code class="command">AddLanguage</code> associates file name extensions with specific languages. This directive is useful for Apache HTTP Servers which serve content in multiple languages based on the client Web browser's language settings.
				</div><div class="formalpara" id="s2-apache-addtype"><h5 class="formalpara">AddType</h5><a id="id1003825" class="indexterm"></a><a id="id1003842" class="indexterm"></a><a id="id1003859" class="indexterm"></a><a id="id1003869" class="indexterm"></a>
					Use the <code class="command">AddType</code> directive to define or override a default MIME type and file extension pairs. The following example directive tells the Apache HTTP Server to recognize the <code class="command">.tgz</code> file extension:
				</div><pre class="screen">AddType application/x-tar .tgz</pre><div class="formalpara" id="s2-apache-alias"><h5 class="formalpara">Alias</h5><a id="id1003918" class="indexterm"></a><a id="id1003935" class="indexterm"></a>
					The <code class="command">Alias</code> setting allows directories outside the <code class="command">DocumentRoot</code> directory to be accessible. Any URL ending in the alias automatically resolves to the alias' path. By default, one alias for an <code class="filename">icons/</code> directory is already set up. An <code class="filename">icons/</code> directory can be accessed by the Web server, but the directory is not in the <code class="command"> DocumentRoot</code>.
				</div><div class="formalpara" id="s2-apache-allow"><h5 class="formalpara">Allow</h5><a id="id1003994" class="indexterm"></a><a id="id1004010" class="indexterm"></a>
					<code class="command">Allow</code> specifies which client can access a given directory. The client can be <code class="command">all</code>, a domain name, an IP address, a partial IP address, a network/netmask pair, and so on. The <code class="command">DocumentRoot</code> directory is configured to <code class="command">Allow</code> requests from <code class="command">all</code>, meaning everyone has access.
				</div><div class="formalpara" id="s2-apache-allowoverride"><h5 class="formalpara">AllowOverride</h5><a id="id1004069" class="indexterm"></a><a id="id1004086" class="indexterm"></a>
					The <code class="command">AllowOverride</code> directive sets whether any <code class="command">Options</code> can be overridden by the declarations in an <code class="filename">.htaccess</code> file. By default, both the root directory and the <code class="command">DocumentRoot</code> are set to allow no <code class="filename">.htaccess</code> overrides.
				</div><div class="formalpara" id="s2-apache-browsermatch"><h5 class="formalpara">BrowserMatch</h5><a id="id1004143" class="indexterm"></a><a id="id1004160" class="indexterm"></a>
					The <code class="command">BrowserMatch</code> directive allows the server to define environment variables and take appropriate actions based on the User-Agent HTTP header field — which identifies the client's Web browser type. By default, the Web server uses <code class="command">BrowserMatch</code> to deny connections to specific browsers with known problems and also to disable keepalives and HTTP header flushes for browsers that are known to have problems with those actions.
				</div><div class="formalpara" id="s2-apache-cachedirectives"><h5 class="formalpara">Cache Directives</h5><a id="id1004208" class="indexterm"></a><a id="id1004219" class="indexterm"></a><a id="id1004229" class="indexterm"></a>
					A number of commented cache directives are supplied by the default Apache HTTP Server configuration file. In most cases, uncommenting these lines by removing the hash mark (<code class="command">#</code>) from the beginning of the line is sufficient. The following, however, is a list of some of the more important cache-related directives.
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">CacheEnable</code> — Specifies whether the cache is a disk, memory, or file descriptor cache. By default <code class="command">CacheEnable</code> configures a disk cache for URLs at or below <code class="filename">/</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">CacheRoot</code> — Specifies the name of the directory containing cached files. The default <code class="command">CacheRoot</code> is the <code class="filename">/var/httpd/proxy/</code> directory.
					</div></li><li class="listitem"><div class="para">
						<code class="command">CacheSize</code> — Specifies how much space the cache can use in kilobytes. The default <code class="command">CacheSize</code> is <code class="command">5</code> KB.
					</div></li></ul></div><div class="para">
				The following is a list of some of the other common cache-related directives.
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">CacheMaxExpire</code> — Specifies how long HTML documents are retained (without a reload from the originating Web server) in the cache. The default is <code class="command">24</code> hours (<code class="command">86400</code> seconds).
					</div></li><li class="listitem"><div class="para">
						<code class="command">CacheLastModifiedFactor</code> — Specifies the creation of an expiry (expiration) date for a document which did not come from its originating server with its own expiry set. The default <code class="command">CacheLastModifiedFactor</code> is set to <code class="command">0.1</code>, meaning that the expiry date for such documents equals one-tenth of the amount of time since the document was last modified.
					</div></li><li class="listitem"><div class="para">
						<code class="command">CacheDefaultExpire</code> — Specifies the expiry time in hours for a document that was received using a protocol that does not support expiry times. The default is set to <code class="command">1</code> hour (<code class="command">3600</code> seconds).
					</div></li><li class="listitem"><div class="para">
						<code class="command">NoProxy</code> — Specifies a space-separated list of subnets, IP addresses, domains, or hosts whose content is not cached. This setting is most useful for Intranet sites.
					</div></li></ul></div><div class="formalpara" id="s2-apache-cachenegotiateddocs"><h5 class="formalpara">CacheNegotiatedDocs</h5><a id="id1004422" class="indexterm"></a><a id="id1004438" class="indexterm"></a>
					By default, the Web server asks proxy servers not to cache any documents which were negotiated on the basis of content (that is, they may change over time or because of the input from the requester). If <code class="command">CacheNegotiatedDocs</code> is set to <code class="option">on</code>, this function is disabled and proxy servers are allowed to cache such documents.
				</div><div class="formalpara" id="s2-apache-customlog"><h5 class="formalpara">CustomLog</h5><a id="id1004486" class="indexterm"></a><a id="id1004503" class="indexterm"></a><a id="id1004520" class="indexterm"></a>
					<code class="command">CustomLog</code> identifies the log file and the log file format. By default, the access log is recorded to the <code class="filename">/var/log/httpd/access_log</code> file while errors are recorded in the <code class="filename">/var/log/httpd/error_log</code> file.
				</div><div class="para">
				The default <code class="command">CustomLog</code> format is the <code class="option">combined</code> log file format, as illustrated here:
			</div><pre class="screen"><em class="replaceable"><code>remotehost rfc931 user date "request" status bytes referrer user-agent</code></em></pre><div class="formalpara" id="s2-apache-defaulticon"><h5 class="formalpara">DefaultIcon</h5><a id="id1004589" class="indexterm"></a><a id="id1004606" class="indexterm"></a>
					<code class="command">DefaultIcon</code> specifies the icon displayed in server generated directory listings for files which have no other icon specified. The <code class="filename">unknown.gif</code> image file is the default.
				</div><div class="formalpara" id="s2-apache-defaulttype"><h5 class="formalpara">DefaultType</h5><a id="id1004652" class="indexterm"></a><a id="id1004669" class="indexterm"></a>
					<code class="command">DefaultType</code> sets a default content type for the Web server to use for documents whose MIME types cannot be determined. The default is <code class="command"> text/plain</code>.
				</div><div class="formalpara" id="s2-apache-deny"><h5 class="formalpara">Deny</h5><a id="id1004716" class="indexterm"></a><a id="id1004733" class="indexterm"></a>
					<code class="command">Deny</code> works similar to <code class="command">Allow</code>, except it specifies who is denied access. The <code class="command">DocumentRoot</code> is not configured to <code class="command">Deny</code> requests from anyone by default.
				</div><div class="formalpara" id="s2-apache-directory"><h5 class="formalpara">Directory</h5><a id="id1004786" class="indexterm"></a><a id="id1004803" class="indexterm"></a>
					<code class="command">&lt;Directory /path/to/directory&gt;</code> and <code class="command">&lt;/Directory&gt;</code> tags create a container used to enclose a group of configuration directives which apply only to a specific directory and its subdirectories. Any directive which is applicable to a directory may be used within <code class="command">Directory</code> tags.
				</div><div class="para">
				By default, very restrictive parameters are applied to the root directory (<code class="filename">/</code>), using the <code class="command">Options</code> (refer to <a class="xref" href="#s2-apache-options">Options</a>) and <code class="command">AllowOverride</code> (refer to <a class="xref" href="#s2-apache-allowoverride">AllowOverride</a>) directives. Under this configuration, any directory on the system which needs more permissive settings has to be explicitly given those settings.
			</div><div class="para">
				In the default configuration, another <code class="command">Directory</code> container is configured for the <code class="command">DocumentRoot</code> which assigns less rigid parameters to the directory tree so that the Apache HTTP Server can access the files residing there.
			</div><a id="id1004879" class="indexterm"></a><div class="para">
				The <code class="command">Directory</code> container can be also be used to configure additional <code class="filename">cgi-bin</code> directories for server-side applications outside of the directory specified in the <code class="command">ScriptAlias</code> directive (refer to <a class="xref" href="#s2-apache-scriptalias">ScriptAlias</a> for more information).
			</div><div class="para">
				To accomplish this, the <code class="command">Directory</code> container must set the <code class="command">ExecCGI</code> option for that directory.
			</div><div class="para">
				For example, if CGI scripts are located in <code class="command">/home/my_cgi_directory</code>, add the following <code class="command">Directory</code> container to the <code class="filename">httpd.conf</code> file:
			</div><pre class="screen">&lt;Directory /home/my_cgi_directory&gt;
  Options +ExecCGI
&lt;/Directory&gt;</pre><div class="para">
				Next, the <code class="command">AddHandler</code> directive must be uncommented to identify files with the <code class="filename">.cgi</code> extension as CGI scripts. Refer to <a class="xref" href="#s2-apache-addhandler">AddHandler</a> for instructions on setting <code class="command">AddHandler</code>.
			</div><div class="para">
				For this to work, permissions for CGI scripts, and the entire path to the scripts, must be set to 0755.
			</div><div class="formalpara" id="s2-apache-directoryindex"><h5 class="formalpara">DirectoryIndex</h5><a id="id1004991" class="indexterm"></a><a id="id1005008" class="indexterm"></a>
					The <code class="command">DirectoryIndex</code> is the default page served by the server when a user requests an index of a directory by specifying a forward slash (/) at the end of the directory name.
				</div><div class="para">
				When a user requests the page http://<em class="replaceable"><code>example</code></em>/<em class="replaceable"><code>this_directory</code></em>/, they get either the <code class="command">DirectoryIndex</code> page, if it exists, or a server-generated directory list. The default for <code class="command">DirectoryIndex</code> is <code class="filename">index.html</code> and the <code class="filename">index.html.var</code> type map. The server tries to find either of these files and returns the first one it finds. If it does not find one of these files and <code class="command">Options Indexes</code> is set for that directory, the server generates and returns a listing, in HTML format, of the subdirectories and files within the directory, unless the directory listing feature is turned off.
			</div><div class="formalpara" id="s2-apache-documentroot"><h5 class="formalpara">DocumentRoot</h5><a id="id1005086" class="indexterm"></a><a id="id1005103" class="indexterm"></a>
					<code class="command">DocumentRoot</code> is the directory which contains most of the HTML files which are served in response to requests. The default <code class="command">DocumentRoot</code>, for both the non-secure and secure Web servers, is the <code class="filename">/var/www/html</code> directory. For example, the server might receive a request for the following document:
				</div><pre class="screen"><code class="systemitem">http://example.com/foo.html</code></pre><div class="para">
				The server looks for the following file in the default directory:
			</div><pre class="screen"><code class="filename">/var/www/html/foo.html</code></pre><div class="para">
				To change the <code class="command">DocumentRoot</code> so that it is not shared by the secure and the non-secure Web servers, refer to <a class="xref" href="#s1-apache-virtualhosts">Section 23.7, “Virtual Hosts”</a>.
			</div><div class="formalpara" id="s2-apache-errordocument"><h5 class="formalpara">ErrorDocument</h5><a id="id1005183" class="indexterm"></a><a id="id1005200" class="indexterm"></a>
					The <code class="command">ErrorDocument</code> directive associates an HTTP response code with a message or a URL to be sent back to the client. By default, the Web server outputs a simple and usually cryptic error message when an error occurs. The <code class="command">ErrorDocument</code> directive forces the Web server to instead output a customized message or page.
				</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					To be valid, the message <span class="emphasis"><em>must</em></span> be enclosed in a pair of double quotes <code class="command">"</code>.
				</div></div></div><div class="formalpara" id="s2-apache-errorlog"><h5 class="formalpara">ErrorLog</h5><a id="id1005268" class="indexterm"></a><a id="id1005283" class="indexterm"></a>
					<code class="command">ErrorLog</code> specifies the file where server errors are logged. By default, this directive is set to <code class="filename">/var/log/httpd/error_log</code>.
				</div><a id="id1005314" class="indexterm"></a><div class="formalpara" id="s2-apache-extendedstatus"><h5 class="formalpara">ExtendedStatus</h5><a id="id1005343" class="indexterm"></a><a id="id1005360" class="indexterm"></a>
					The <code class="command">ExtendedStatus</code> directive controls whether Apache generates basic (<code class="command">off</code>) or detailed server status information (<code class="command">on</code>), when the <code class="command">server-status</code> handler is called. The <code class="command">server-status</code> handler is called using <code class="command">Location</code> tags. More information on calling <code class="command">server-status</code> is included in <a class="xref" href="#s2-apache-location">Location</a>.
				</div><div class="formalpara" id="s2-apache-group"><h5 class="formalpara">Group</h5><a id="id1005430" class="indexterm"></a><a id="id1005447" class="indexterm"></a>
					Specifies the group name of the Apache HTTP Server processes.
				</div><div class="para">
				This directive has been deprecated for the configuration of virtual hosts.
			</div><div class="para">
				By default, <code class="command">Group</code> is set to <code class="command">apache</code>.
			</div><div class="formalpara" id="s2-apache-headername"><h5 class="formalpara">HeaderName</h5><a id="id1005502" class="indexterm"></a><a id="id1005519" class="indexterm"></a>
					<code class="command">HeaderName</code> names the file which, if it exists in the directory, is prepended to the start of server generated directory listings. Like <code class="command">ReadmeName</code>, the server tries to include it as an HTML document if possible or in plain text if not.
				</div><div class="formalpara" id="s2-apache-hostnamelookups"><h5 class="formalpara">HostnameLookups</h5><a id="id1005566" class="indexterm"></a><a id="id1005582" class="indexterm"></a><a id="id1005599" class="indexterm"></a>
					<code class="command">HostnameLookups</code> can be set to <code class="option">on</code>, <code class="option">off</code>, or <code class="option">double</code>. If <code class="command">HostnameLookups</code> is set to <code class="option">on</code>, the server automatically resolves the IP address for each connection. Resolving the IP address means that the server makes one or more connections to a DNS server, adding processing overhead. If <code class="command">HostnameLookups</code> is set to <code class="option">double</code>, the server performs a double-reverse DNS look up adding even more processing overhead.
				</div><div class="para">
				To conserve resources on the server, <code class="command">HostnameLookups</code> is set to <code class="option">off</code> by default.
			</div><div class="para">
				If hostnames are required in server log files, consider running one of the many log analyzer tools that perform the DNS lookups more efficiently and in bulk when rotating the Web server log files.
			</div><div class="formalpara" id="s2-apache-ifdefine"><h5 class="formalpara">IfDefine</h5><a id="id1005690" class="indexterm"></a><a id="id1005707" class="indexterm"></a>
					The <code class="command">IfDefine</code> tags surround configuration directives that are applied if the "test" stated in the <code class="command">IfDefine</code> tag is true. The directives are ignored if the test is false.
				</div><div class="para">
				The test in the <code class="command">IfDefine</code> tags is a parameter name (for example, <code class="command">HAVE_PERL</code>). If the parameter is defined, meaning that it is provided as an argument to the server's start-up command, then the test is true. In this case, when the Web server is started, the test is true and the directives contained in the <code class="command">IfDefine</code> tags are applied.
			</div><div class="formalpara" id="s2-apache-ifmodule"><h5 class="formalpara">IfModule</h5><a id="id1005771" class="indexterm"></a><a id="id1005788" class="indexterm"></a>
					<code class="command">&lt;IfModule&gt;</code> and <code class="command">&lt;/IfModule&gt;</code> tags create a conditional container which are only activated if the specified module is loaded. Directives within the <code class="command">IfModule</code> container are processed under one of two conditions. The directives are processed if the module contained within the starting <code class="command">&lt;IfModule&gt;</code> tag is loaded. Or, if an exclamation point <span class="keycap"><strong>!</strong></span> appears before the module name, the directives are processed only if the module specified in the <code class="command">&lt;IfModule&gt;</code> tag is <span class="emphasis"><em>not</em></span> loaded.
				</div><div class="para">
				For more information about Apache HTTP Server modules, refer to <a class="xref" href="#s1-apache-addmods">Section 23.6, “Adding Modules”</a>.
			</div><div class="formalpara" id="s2-apache-include"><h5 class="formalpara">Include</h5><a id="id1005866" class="indexterm"></a><a id="id1005883" class="indexterm"></a>
					<code class="command">Include</code> allows other configuration files to be included at runtime.
				</div><div class="para">
				The path to these configuration files can be absolute or relative to the <code class="command">ServerRoot</code>.
			</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					For the server to use individually packaged modules, such as <code class="filename">mod_ssl</code>, <code class="filename">mod_perl</code>, and <code class="filename">php</code>, the following directive must be included in <code class="command">Section 1: Global Environment</code> of <code class="filename">httpd.conf</code>:
				</div><pre class="screen">Include conf.d/*.conf</pre></div></div><div class="formalpara" id="s2-apache-indexignore"><h5 class="formalpara">IndexIgnore</h5><a id="id1005969" class="indexterm"></a><a id="id1005986" class="indexterm"></a>
					<code class="command">IndexIgnore</code> lists file extensions, partial file names, wildcard expressions, or full file names. The Web server does not include any files which match any of those parameters in server generated directory listings.
				</div><div class="formalpara" id="s2-apache-indexoptions"><h5 class="formalpara">IndexOptions</h5><a id="id1006030" class="indexterm"></a><a id="id1006047" class="indexterm"></a>
					<code class="command">IndexOptions</code> controls the appearance of server generated directing listings, by adding icons, file descriptions, and so on. If <code class="command">Options Indexes</code> is set (refer to <a class="xref" href="#s2-apache-options">Options</a>), the Web server generates a directory listing when the Web server receives an HTTP request for a directory without an index.
				</div><div class="para">
				First, the Web server looks in the requested directory for a file matching the names listed in the <code class="command">DirectoryIndex</code> directive (usually, <code class="filename">index.html</code>). If an <code class="filename">index.html</code> file is not found, Apache HTTP Server creates an HTML directory listing of the requested directory. The appearance of this directory listing is controlled, in part, by the <code class="command">IndexOptions</code> directive.
			</div><div class="para">
				The default configuration turns on <code class="command">FancyIndexing</code>. This means that a user can re-sort a directory listing by clicking on column headers. Another click on the same header switches from ascending to descending order. <code class="command">FancyIndexing</code> also shows different icons for different files, based upon file extensions.
			</div><div class="para">
				The <code class="command">AddDescription</code> option, when used in conjunction with <code class="command">FancyIndexing</code>, presents a short description for the file in server generated directory listings.
			</div><div class="para">
				<code class="command">IndexOptions</code> has a number of other parameters which can be set to control the appearance of server generated directories. The <code class="command">IconHeight</code> and <code class="command">IconWidth</code> parameters require the server to include HTML <code class="command">HEIGHT</code> and <code class="command">WIDTH</code> tags for the icons in server generated webpages. The <code class="command">IconsAreLinks</code> parameter combines the graphical icon with the HTML link anchor, which contains the URL link target.
			</div><div class="formalpara" id="s2-apache-keepalive"><h5 class="formalpara">KeepAlive</h5><a id="id1006176" class="indexterm"></a><a id="id1006193" class="indexterm"></a><a id="id1006214" class="indexterm"></a><a id="id1006238" class="indexterm"></a>
					<code class="command">KeepAlive</code> sets whether the server allows more than one request per connection and can be used to prevent any one client from consuming too much of the server's resources.
				</div><div class="para">
				By default <code class="command">Keepalive</code> is set to <code class="command">off</code>. If <code class="command">Keepalive</code> is set to <code class="command">on</code> and the server becomes very busy, the server can quickly spawn the maximum number of child processes. In this situation, the server slows down significantly. If <code class="command">Keepalive</code> is enabled, it is a good idea to set the <code class="command">KeepAliveTimeout</code> low (refer to <a class="xref" href="#s2-apache-keepalivetimeout">KeepAliveTimeout</a> for more information about the <code class="command">KeepAliveTimeout</code> directive) and monitor the <code class="filename">/var/log/httpd/error_log</code> log file on the server. This log reports when the server is running out of child processes.
			</div><div class="formalpara" id="s2-apache-keepalivetimeout"><h5 class="formalpara">KeepAliveTimeout</h5><a id="id1006323" class="indexterm"></a><a id="id1006340" class="indexterm"></a>
					<code class="command">KeepAliveTimeout</code> sets the number of seconds the server waits after a request has been served before it closes the connection. Once the server receives a request, the <code class="command">Timeout</code> directive applies instead. The <code class="command">KeepAliveTimeout</code> directive is set to 15 seconds by default.
				</div><div class="formalpara" id="s2-apache-languagepriority"><h5 class="formalpara">LanguagePriority</h5><a id="id1006389" class="indexterm"></a><a id="id1006406" class="indexterm"></a>
					<code class="command">LanguagePriority</code> sets precedence for different languages in case the client Web browser has no language preference set.
				</div><div class="formalpara" id="s2-apache-listen"><h5 class="formalpara">Listen</h5><a id="id1006449" class="indexterm"></a><a id="id1006466" class="indexterm"></a>
					The <code class="command">Listen</code> command identifies the ports on which the Web server accepts incoming requests. By default, the Apache HTTP Server is set to listen to port 80 for non-secure Web communications and (in the <code class="filename">/etc/httpd/conf.d/ssl.conf</code> file which defines any secure servers) to port 443 for secure Web communications.
				</div><div class="para">
				If the Apache HTTP Server is configured to listen to a port under 1024, only the root user can start it. For port 1024 and above, <code class="command">httpd</code> can be started as a regular user.
			</div><div class="para">
				The <code class="command">Listen</code> directive can also be used to specify particular IP addresses over which the server accepts connections.
			</div><div class="formalpara" id="s2-apache-loadmodule"><h5 class="formalpara">LoadModule</h5><a id="id975389" class="indexterm"></a><a id="id975406" class="indexterm"></a>
					<code class="command">LoadModule</code> is used to load Dynamic Shared Object (DSO) modules. More information on the Apache HTTP Server's DSO support, including instructions for using the <code class="command">LoadModule</code> directive, can be found in <a class="xref" href="#s1-apache-addmods">Section 23.6, “Adding Modules”</a>. Note, the load order of the modules is <span class="emphasis"><em>no longer important</em></span> with Apache HTTP Server 2.0. Refer to <a class="xref" href="#s3-httpd-v2-mig-dso">Section 23.2.2.1.3, “Dynamic Shared Object (DSO) Support”</a> for more information about Apache HTTP Server 2.0 DSO support.
				</div><div class="formalpara" id="s2-apache-location"><h5 class="formalpara">Location</h5><a id="id975466" class="indexterm"></a><a id="id975483" class="indexterm"></a><a id="id975500" class="indexterm"></a>
					The <code class="command">&lt;Location&gt;</code> and <code class="command">&lt;/Location&gt;</code> tags create a container in which access control based on URL can be specified.
				</div><div class="para">
				For instance, to allow people connecting from within the server's domain to see status reports, use the following directives:
			</div><pre class="screen">&lt;Location /server-status&gt;
  SetHandler server-status
  Order deny,allow
  Deny from all
  Allow from <em class="replaceable"><code>&lt;.example.com&gt;</code></em>
&lt;/Location&gt;</pre><div class="para">
				Replace <em class="replaceable"><code>&lt;.example.com&gt;</code></em> with the second-level domain name for the Web server.
			</div><div class="para">
				To provide server configuration reports (including installed modules and configuration directives) to requests from inside the domain, use the following directives:
			</div><pre class="screen">&lt;Location /server-info&gt;
  SetHandler server-info
  Order deny,allow
  Deny from all
  Allow from <em class="replaceable"><code>&lt;.example.com&gt;</code></em>
&lt;/Location&gt;</pre><div class="para">
				Again, replace <em class="replaceable"><code>&lt;.example.com&gt;</code></em> with the second-level domain name for the Web server.
			</div><div class="formalpara" id="s2-apache-logformat"><h5 class="formalpara">LogFormat</h5><a id="id975588" class="indexterm"></a><a id="id975605" class="indexterm"></a><a id="id975626" class="indexterm"></a><a id="id975645" class="indexterm"></a>
					The <code class="command">LogFormat</code> directive configures the format of the various Web server log files. The actual <code class="command">LogFormat</code> used depends on the settings given in the <code class="command">CustomLog</code> directive (refer to <a class="xref" href="#s2-apache-customlog">CustomLog</a>).
				</div><div class="para">
				The following are the format options if the <code class="command">CustomLog</code> directive is set to <code class="command">combined</code>:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"><code class="command">%h</code> (remote host's IP address or hostname) </span></dt><dd><div class="para">
							Lists the remote IP address of the requesting client. If <code class="command">HostnameLookups</code> is set to <code class="option">on</code>, the client hostname is recorded unless it is not available from DNS.
						</div></dd><dt class="varlistentry"><span class="term"><code class="command">%l</code> (rfc931) </span></dt><dd><div class="para">
							Not used. A hyphen <span class="keycap"><strong>-</strong></span> appears in the log file for this field.
						</div></dd><dt class="varlistentry"><span class="term"><code class="command">%u</code> (authenticated user) </span></dt><dd><div class="para">
							Lists the username of the user recorded if authentication was required. Usually, this is not used, so a hyphen <span class="keycap"><strong>-</strong></span> appears in the log file for this field.
						</div></dd><dt class="varlistentry"><span class="term"><code class="command">%t</code> (date) </span></dt><dd><div class="para">
							Lists the date and time of the request.
						</div></dd><dt class="varlistentry"><span class="term"><code class="command">%r</code> (request string) </span></dt><dd><div class="para">
							Lists the request string exactly as it came from the browser or client.
						</div></dd><dt class="varlistentry"><span class="term"><code class="command">%s</code> (status) </span></dt><dd><div class="para">
							Lists the HTTP status code which was returned to the client host.
						</div></dd><dt class="varlistentry"><span class="term"><code class="command">%b</code> (bytes) </span></dt><dd><div class="para">
							Lists the size of the document.
						</div></dd><dt class="varlistentry"><span class="term"><code class="command">%\"%{Referer}i\"</code> (referrer) </span></dt><dd><div class="para">
							Lists the URL of the webpage which referred the client host to Web server.
						</div></dd><dt class="varlistentry"><span class="term"><code class="command">%\"%{User-Agent}i\"</code> (user-agent) </span></dt><dd><div class="para">
							Lists the type of Web browser making the request.
						</div></dd></dl></div><div class="formalpara" id="s2-apache-loglevel"><h5 class="formalpara">LogLevel</h5><a id="id975903" class="indexterm"></a><a id="id975920" class="indexterm"></a>
					<code class="command">LogLevel</code> sets how verbose the error messages in the error logs are. <code class="command">LogLevel</code> can be set (from least verbose to most verbose) to <code class="command">emerg</code>, <code class="command">alert</code>, <code class="command">crit</code>, <code class="command">error</code>, <code class="command">warn</code>, <code class="command">notice</code>, <code class="command">info</code>, or <code class="command">debug</code>. The default <code class="command">LogLevel</code> is <code class="command">warn</code>.
				</div><div class="formalpara" id="s2-apache-maxkeepaliverequests"><h5 class="formalpara">MaxKeepAliveRequests</h5><a id="id976005" class="indexterm"></a><a id="id976022" class="indexterm"></a>
					This directive sets the maximum number of requests allowed per persistent connection. The Apache Project recommends a high setting, which improves the server's performance. <code class="command">MaxKeepAliveRequests</code> is set to <code class="command">100</code> by default, which should be appropriate for most situations.
				</div><div class="formalpara" id="s2-apache-namevirtualhost"><h5 class="formalpara">NameVirtualHost</h5><a id="id976069" class="indexterm"></a><a id="id976086" class="indexterm"></a>
					The <code class="command">NameVirtualHost</code> directive associates an IP address and port number, if necessary, for any name-based virtual hosts. Name-based virtual hosting allows one Apache HTTP Server to serve different domains without using multiple IP addresses.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					Name-based virtual hosts <span class="emphasis"><em>only</em></span> work with non-secure HTTP connections. If using virtual hosts with a secure server, use IP address-based virtual hosts instead.
				</div></div></div><div class="para">
				To enable name-based virtual hosting, uncomment the <code class="command">NameVirtualHost</code> configuration directive and add the correct IP address. Then add additional <code class="command">VirtualHost</code> containers for each virtual host as is necessary for your configuration.
			</div><div class="formalpara" id="s2-apache-options"><h5 class="formalpara">Options</h5><a id="id976160" class="indexterm"></a><a id="id976177" class="indexterm"></a><a id="id976194" class="indexterm"></a><a id="id976211" class="indexterm"></a>
					The <code class="command">Options</code> directive controls which server features are available in a particular directory. For example, under the restrictive parameters specified for the root directory, <code class="command">Options</code> is only set to the <code class="command">FollowSymLinks</code> directive. No features are enabled, except that the server is allowed to follow symbolic links in the root directory.
				</div><div class="para">
				By default, in the <code class="command">DocumentRoot</code> directory, <code class="command">Options</code> is set to include <code class="command">Indexes</code> and <code class="command">FollowSymLinks</code>. <code class="command">Indexes</code> permits the server to generate a directory listing for a directory if no <code class="command">DirectoryIndex</code> (for example, <code class="filename">index.html</code>) is specified. <code class="command">FollowSymLinks</code> allows the server to follow symbolic links in that directory.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					<code class="command">Options</code> statements from the main server configuration section need to be replicated to each <code class="command">VirtualHost</code> container individually. Refer to <a class="xref" href="#s2-apache-virtualhost">VirtualHost</a> for more information.
				</div></div></div><div class="formalpara" id="s2-apache-order"><h5 class="formalpara">Order</h5><a id="id976318" class="indexterm"></a><a id="id976335" class="indexterm"></a>
					The <code class="command">Order</code> directive controls the order in which <code class="command">allow</code> and <code class="command">deny</code> directives are evaluated. The server is configured to evaluate the <code class="command">Allow</code> directives before the <code class="command">Deny</code> directives for the <code class="command">DocumentRoot</code> directory.
				</div><div class="formalpara" id="s2-apache-pidfile"><h5 class="formalpara">PidFile</h5><a id="id976397" class="indexterm"></a><a id="id976414" class="indexterm"></a>
					<code class="command">PidFile</code> names the file where the server records its process ID (PID). By default the PID is listed in <code class="filename">/var/run/httpd.pid</code>.
				</div><div class="formalpara" id="s2-apache-proxy"><h5 class="formalpara">Proxy</h5><a id="id976461" class="indexterm"></a><a id="id976478" class="indexterm"></a>
					<code class="command">&lt;Proxy *&gt;</code> and <code class="command">&lt;/Proxy&gt;</code> tags create a container which encloses a group of configuration directives meant to apply only to the proxy server. Many directives which are allowed within a <code class="command">&lt;Directory&gt;</code> container may also be used within <code class="command">&lt;Proxy&gt;</code> container.
				</div><div class="formalpara" id="s2-apache-proxyrequests"><h5 class="formalpara">ProxyRequests</h5><a id="id976533" class="indexterm"></a><a id="id976550" class="indexterm"></a><a id="id976566" class="indexterm"></a>
					To configure the Apache HTTP Server to function as a proxy server, remove the hash mark (<code class="command">#</code>) from the beginning of the <code class="command">&lt;IfModule mod_proxy.c&gt;</code> line, the ProxyRequests, and each line in the <code class="command">&lt;Proxy&gt;</code> stanza. Set the <code class="command">ProxyRequests</code> directive to <code class="command">On</code>, and set which domains are allowed access to the server in the <code class="command">Allow from</code> directive of the <code class="command">&lt;Proxy&gt;</code> stanza.
				</div><div class="formalpara" id="s2-apache-readmename"><h5 class="formalpara">ReadmeName</h5><a id="id976626" class="indexterm"></a><a id="id976643" class="indexterm"></a>
					<code class="command">ReadmeName</code> names the file which, if it exists in the directory, is appended to the end of server generated directory listings. The Web server first tries to include the file as an HTML document and then tries to include it as plain text. By default, <code class="command">ReadmeName</code> is set to <code class="filename">README.html</code>.
				</div><div class="formalpara" id="s2-apache-redirect"><h5 class="formalpara">Redirect</h5><a id="id976695" class="indexterm"></a><a id="id976712" class="indexterm"></a>
					When a webpage is moved, <code class="command">Redirect</code> can be used to map the file location to a new URL. The format is as follows:
				</div><pre class="screen">Redirect /<em class="replaceable"><code>&lt;old-path&gt;</code></em>/<em class="replaceable"><code>&lt;file-name&gt;</code></em> http://<em class="replaceable"><code>&lt;current-domain&gt;</code></em>/<em class="replaceable"><code>&lt;current-path&gt;</code></em>/<em class="replaceable"><code>&lt;file-name&gt;</code></em></pre><div class="para">
				In this example, replace <em class="replaceable"><code>&lt;old-path&gt;</code></em> with the old path information for <em class="replaceable"><code>&lt;file-name&gt;</code></em> and <em class="replaceable"><code>&lt;current-domain&gt;</code></em> and <em class="replaceable"><code>&lt;current-path&gt;</code></em> with the current domain and path information for <em class="replaceable"><code>&lt;file-name&gt;</code></em>.
			</div><div class="para">
				In this example, any requests for <em class="replaceable"><code>&lt;file-name&gt;</code></em> at the old location is automatically redirected to the new location.
			</div><div class="para">
				For more advanced redirection techniques, use the <code class="command">mod_rewrite</code> module included with the Apache HTTP Server. For more information about configuring the <code class="command">mod_rewrite</code> module, refer to the Apache Software Foundation documentation online at <a href="http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html"> http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html</a>.
			</div><div class="formalpara" id="s2-apache-scriptalias"><h5 class="formalpara">ScriptAlias</h5><a id="id976827" class="indexterm"></a><a id="id976844" class="indexterm"></a>
					The <code class="command">ScriptAlias</code> directive defines where CGI scripts are located. Generally, it is not good practice to leave CGI scripts within the <code class="command">DocumentRoot</code>, where they can potentially be viewed as text documents. For this reason, a special directory outside of the <code class="command">DocumentRoot</code> directory containing server-side executables and scripts is designated by the <code class="command">ScriptAlias</code> directive. This directory is known as a <code class="filename">cgi-bin</code> and is set to <code class="filename">/var/www/cgi-bin/</code> by default.
				</div><div class="para">
				It is possible to establish directories for storing executables outside of the <code class="filename">cgi-bin/</code> directory. For instructions on doing so, refer to <a class="xref" href="#s2-apache-addhandler">AddHandler</a> and <a class="xref" href="#s2-apache-directory">Directory</a>.
			</div><div class="formalpara" id="s2-apache-serveradmin"><h5 class="formalpara">ServerAdmin</h5><a id="id976927" class="indexterm"></a><a id="id976944" class="indexterm"></a><a id="id976960" class="indexterm"></a>
					Sets the <code class="command">ServerAdmin</code> directive to the email address of the Web server administrator. This email address shows up in error messages on server-generated Web pages, so users can report a problem by sending email to the server administrator.
				</div><div class="para">
				By default, <code class="command">ServerAdmin</code> is set to <code class="command">root@localhost</code>.
			</div><div class="para">
				A common way to set up <code class="command">ServerAdmin</code> is to set it to <code class="command">webmaster@example.com</code>. Once set, alias <code class="command">webmaster</code> to the person responsible for the Web server in <code class="filename">/etc/aliases</code> and run <code class="command">/usr/bin/newaliases</code>.
			</div><div class="formalpara" id="s2-apache-servername"><h5 class="formalpara">ServerName</h5><a id="id977037" class="indexterm"></a><a id="id977054" class="indexterm"></a>
					<code class="command">ServerName</code> specifies a hostname and port number (matching the <code class="command">Listen</code> directive) for the server. The <code class="command">ServerName</code> does not need to match the machine's actual hostname. For example, the Web server may be <code class="computeroutput">www.example.com</code>, but the server's hostname is actually <code class="computeroutput">foo.example.com</code>. The value specified in <code class="command">ServerName</code> must be a valid Domain Name Service (DNS) name that can be resolved by the system — do not make something up.
				</div><div class="para">
				The following is a sample <code class="command">ServerName</code> directive:
			</div><pre class="screen">ServerName www.example.com:80</pre><div class="para">
				When specifying a <code class="command">ServerName</code>, be sure the IP address and server name pair are included in the <code class="filename">/etc/hosts</code> file.
			</div><div class="formalpara" id="s2-apache-serverroot"><h5 class="formalpara">ServerRoot</h5><a id="id977140" class="indexterm"></a><a id="id977157" class="indexterm"></a>
					The <code class="command">ServerRoot</code> directive specifies the top-level directory containing website content. By default, <code class="command">ServerRoot</code> is set to <code class="filename">"/etc/httpd"</code> for both secure and non-secure servers.
				</div><div class="formalpara" id="s2-apache-serversignature"><h5 class="formalpara">ServerSignature</h5><a id="id977206" class="indexterm"></a><a id="id977223" class="indexterm"></a>
					The <code class="command">ServerSignature</code> directive adds a line containing the Apache HTTP Server server version and the <code class="command">ServerName</code> to any server-generated documents, such as error messages sent back to clients. <code class="command">ServerSignature</code> is set to <code class="command">on</code> by default.
				</div><div class="para">
				<code class="command">ServerSignature</code> can be set to <code class="command">EMail</code> which adds a <code class="command">mailto:ServerAdmin</code> HTML tag to the signature line of auto-generated responses. <code class="command">ServerSignature</code> can also be set to <code class="command">Off</code> to stop Apache from sending out its version number and module information. Please also check the <code class="command">ServerTokens</code> settings.
			</div><div class="formalpara" id="s2-apache-servertoken"><h5 class="formalpara">ServerTokens</h5><a id="id977308" class="indexterm"></a><a id="id977324" class="indexterm"></a>
					The <code class="command">ServerTokens</code> directive determines if the Server response header field sent back to clients should include details of the Operating System type and information about compiled-in modules. By default, <code class="command">ServerTokens</code> is set to <code class="command">Full</code> which sends information about the Operating System type and compiled-in modules. Setting the <code class="command">ServerTokens</code> to <code class="command">Prod</code> sends the product name only and is recommended as many hackers check information in the Server header when scanning for vulnerabilities. You can also set the <code class="command">ServerTokens</code> to <code class="command">Min</code> (minimal) or to <code class="command">OS</code> (operating system).
				</div><div class="formalpara" id="s2-apache-suexecusergroup"><h5 class="formalpara">SuexecUserGroup</h5><a id="id977396" class="indexterm"></a><a id="id977418" class="indexterm"></a><a id="id977435" class="indexterm"></a>
					The <code class="command">SuexecUserGroup</code> directive, which originates from the <code class="command">mod_suexec</code> module, allows the specification of user and group execution privileges for CGI programs. Non-CGI requests are still processed with the user and group specified in the <code class="command">User</code> and <code class="command">Group</code> directives.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					From version 2.0, the <code class="command">SuexecUserGroup</code> directive replaced the Apache HTTP Server 1.3 configuration of using the <code class="command">User</code> and <code class="command">Group</code> directives inside the configuration of <code class="command">VirtualHosts</code> sections.
				</div></div></div><div class="formalpara" id="s2-apache-timeout"><h5 class="formalpara">Timeout</h5><a id="id977518" class="indexterm"></a><a id="id977534" class="indexterm"></a>
					<code class="command">Timeout</code> defines, in seconds, the amount of time that the server waits for receipts and transmissions during communications. <code class="command">Timeout</code> is set to <code class="command">300</code> seconds by default, which is appropriate for most situations.
				</div><div class="formalpara" id="s2-apache-typesconfig"><h5 class="formalpara">TypesConfig</h5><a id="id977586" class="indexterm"></a><a id="id977602" class="indexterm"></a>
					<code class="command">TypesConfig</code> names the file which sets the default list of MIME type mappings (file name extensions to content types). The default <code class="command"> TypesConfig</code> file is <code class="filename">/etc/mime.types</code>. Instead of editing <code class="filename">/etc/mime.types</code>, the recommended way to add MIME type mappings is to use the <code class="command"> AddType</code> directive.
				</div><div class="para">
				For more information about <code class="command">AddType</code>, refer to <a class="xref" href="#s2-apache-addtype">AddType</a>.
			</div><div class="formalpara" id="s2-apache-usecanonicalname"><h5 class="formalpara">UseCanonicalName</h5><a id="id977674" class="indexterm"></a><a id="id977691" class="indexterm"></a>
					When set to <code class="option">on</code>, this directive configures the Apache HTTP Server to reference itself using the value specified in the <code class="command">ServerName</code> and <code class="command">Port</code> directives. When <code class="command">UseCanonicalName</code> is set to <code class="option">off</code>, the server instead uses the value used by the requesting client when referring to itself.
				</div><div class="para">
				<code class="command">UseCanonicalName</code> is set to <code class="option">off</code> by default.
			</div><div class="formalpara" id="s2-apache-user"><h5 class="formalpara">User</h5><a id="id977762" class="indexterm"></a><a id="id977779" class="indexterm"></a>
					The <code class="command">User</code> directive sets the username of the server process and determines what files the server is allowed to access. Any files inaccessible to this user are also inaccessible to clients connecting to the Apache HTTP Server.
				</div><div class="para">
				By default <code class="command">User</code> is set to <code class="command">apache</code>.
			</div><div class="para">
				This directive has been deprecated for the configuration of virtual hosts.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					For security reasons, the Apache HTTP Server does not run as the root user.
				</div></div></div><div class="formalpara" id="s2-apache-userdir"><h5 class="formalpara">UserDir</h5><a id="id977852" class="indexterm"></a><a id="id977869" class="indexterm"></a><a id="id977886" class="indexterm"></a><a id="id977899" class="indexterm"></a>
					<code class="command">UserDir</code> is the subdirectory within each user's home directory where they should place personal HTML files which are served by the Web server. This directive is set to <code class="option"> disable</code> by default.
				</div><div class="para">
				The name for the subdirectory is set to <code class="filename">public_html</code> in the default configuration. For example, the server might receive the following request:
			</div><pre class="screen"><code class="systemitem">http://<em class="replaceable"><code>example.com</code></em>/~<em class="replaceable"><code>username</code></em>/foo.html</code></pre><div class="para">
				The server would look for the file:
			</div><pre class="screen"><code class="filename">/home/username/public_html/foo.html</code></pre><div class="para">
				In the above example, <code class="filename">/home/username/</code> is the user's home directory (note that the default path to users' home directories may vary).
			</div><div class="para">
				Make sure that the permissions on the users' home directories are set correctly. Users' home directories must be set to 0711. The read (r) and execute (x) bits must be set on the users' <code class="filename">public_html</code> directories (0755 also works). Files that are served in a users' <code class="filename">public_html</code> directories must be set to at least 0644.
			</div><div class="formalpara" id="s2-apache-virtualhost"><h5 class="formalpara">VirtualHost</h5><a id="id977996" class="indexterm"></a><a id="id978013" class="indexterm"></a>
					<code class="command">&lt;VirtualHost&gt;</code> and <code class="command">&lt;/VirtualHost&gt;</code> tags create a container outlining the characteristics of a virtual host. The <code class="command">VirtualHost</code> container accepts most configuration directives.
				</div><div class="para">
				A commented <code class="command">VirtualHost</code> container is provided in <code class="filename">httpd.conf</code>, which illustrates the minimum set of configuration directives necessary for each virtual host. Refer to <a class="xref" href="#s1-apache-virtualhosts">Section 23.7, “Virtual Hosts”</a> for more information about virtual hosts.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					The default SSL virtual host container now resides in the file <code class="filename">/etc/httpd/conf.d/ssl.conf</code>.
				</div></div></div></div><div class="section" id="s2-apache-sslcommands"><div class="titlepage"><div><div><h3 class="title" id="s2-apache-sslcommands">23.5.2. Configuration Directives for SSL</h3></div></div></div><a id="id978094" class="indexterm"></a><a id="id978104" class="indexterm"></a><div class="para">
				The directives in <code class="filename">/etc/httpd/conf.d/ssl.conf</code> file can be configured to enable secure Web communications using SSL and TLS.
			</div><div class="formalpara" id="s3-apache-setenvif"><h5 class="formalpara">SetEnvIf</h5><a id="id978140" class="indexterm"></a><a id="id978157" class="indexterm"></a>
					<code class="command">SetEnvIf</code> sets environment variables based on the headers of incoming connections. It is <span class="emphasis"><em>not</em></span> solely an SSL directive, though it is present in the supplied <code class="filename">/etc/httpd/conf.d/ssl.conf</code> file. It's purpose in this context is to disable HTTP keepalive and to allow SSL to close the connection without a closing notification from the client browser. This setting is necessary for certain browsers that do not reliably shut down the SSL connection.
				</div><div class="para">
				For more information on other directives within the SSL configuration file, refer to the following URLs:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						http://localhost/manual/mod/mod_ssl.html
					</div></li><li class="listitem"><div class="para">
						<a href="http://httpd.apache.org/docs/2.2/mod/mod_ssl.html">http://httpd.apache.org/docs/2.2/mod/mod_ssl.html</a>
					</div></li></ul></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					In most cases, SSL directives are configured appropriately during the installation of Red Hat Enterprise Linux. Be careful when altering Apache HTTP Secure Server directives, misconfiguration can lead to security vulnerabilities.
				</div></div></div></div><div class="section" id="s2-apache-mpm-containers"><div class="titlepage"><div><div><h3 class="title" id="s2-apache-mpm-containers">23.5.3. MPM Specific Server-Pool Directives</h3></div></div></div><a id="id978253" class="indexterm"></a><div class="para">
				As explained in <a class="xref" href="#s3-httpd-v2-mig-pool">Section 23.2.2.1.2, “Server-Pool Size Regulation”</a>, the responsibility for managing characteristics of the server-pool falls to a module group called MPMs under Apache HTTP Server 2.0. The characteristics of the server-pool differ depending upon which MPM is used. For this reason, an <code class="command">IfModule</code> container is necessary to define the server-pool for the MPM in use.
			</div><div class="para">
				By default, Apache HTTP Server 2.0 defines the server-pool for both the <code class="command">prefork</code> and <code class="command">worker</code> MPMs.
			</div><div class="para">
				The following section list directives found within the MPM-specific server-pool containers.
			</div><div class="formalpara" id="s3-apache-maxclients"><h5 class="formalpara">MaxClients</h5><a id="id978318" class="indexterm"></a><a id="id978334" class="indexterm"></a>
					<code class="command">MaxClients</code> sets a limit on the total number of server processes, or simultaneously connected clients, that can run at one time. The main purpose of this directive is to keep a runaway Apache HTTP Server from crashing the operating system. For busy servers this value should be set to a high value. The server's default is set to 150 regardless of the MPM in use. However, it is not recommended that the value for <code class="command">MaxClients</code> exceeds <code class="command">256</code> when using the <code class="command">prefork</code> MPM.
				</div><div class="formalpara" id="s3-apache-maxrequestsperchild"><h5 class="formalpara">MaxRequestsPerChild</h5><a id="id978391" class="indexterm"></a><a id="id978408" class="indexterm"></a>
					<code class="command">MaxRequestsPerChild</code> sets the total number of requests each child server process serves before the child dies. The main reason for setting <code class="command">MaxRequestsPerChild</code> is to avoid long-lived process induced memory leaks. The default <code class="command">MaxRequestsPerChild</code> for the <code class="command">prefork</code> MPM is <code class="command">4000</code> and for the <code class="command">worker</code> MPM is <code class="command">0</code>.
				</div><div class="formalpara" id="s3-apache-minmaxspareservers"><h5 class="formalpara">MinSpareServers and MaxSpareServers</h5><a id="id978474" class="indexterm"></a><a id="id978491" class="indexterm"></a><a id="id978508" class="indexterm"></a><a id="id978525" class="indexterm"></a>
					These values are only used with the <code class="command">prefork</code> MPM. They adjust how the Apache HTTP Server dynamically adapts to the perceived load by maintaining an appropriate number of spare server processes based on the number of incoming requests. The server checks the number of servers waiting for a request and kills some if there are more than <code class="command">MaxSpareServers</code> or creates some if the number of servers is less than <code class="command">MinSpareServers</code>.
				</div><div class="para">
				The default <code class="command">MinSpareServers</code> value is <code class="command">5</code>; the default <code class="command">MaxSpareServers</code> value is <code class="command">20</code>. These default settings should be appropriate for most situations. Be careful not to increase the <code class="command">MinSpareServers</code> to a large number as doing so creates a heavy processing load on the server even when traffic is light.
			</div><div class="formalpara" id="s3-apache-minmaxsparethreads"><h5 class="formalpara">MinSpareThreads and MaxSpareThreads</h5><a id="id978602" class="indexterm"></a><a id="id978619" class="indexterm"></a><a id="id978636" class="indexterm"></a><a id="id978653" class="indexterm"></a>
					These values are only used with the <code class="command">worker</code> MPM. They adjust how the Apache HTTP Server dynamically adapts to the perceived load by maintaining an appropriate number of spare server threads based on the number of incoming requests. The server checks the number of server threads waiting for a request and kills some if there are more than <code class="command">MaxSpareThreads</code> or creates some if the number of servers is less than <code class="command">MinSpareThreads</code>.
				</div><div class="para">
				The default <code class="command">MinSpareThreads</code> value is <code class="command">25</code>; the default <code class="command">MaxSpareThreads</code> value is <code class="command">75</code>. These default settings should be appropriate for most situations. The value for <code class="command">MaxSpareThreads</code> must be greater than or equal to the sum of <code class="command">MinSpareThreads</code> and <code class="command">ThreadsPerChild</code>, else the Apache HTTP Server automatically corrects it.
			</div><div class="formalpara" id="s3-apache-startservers"><h5 class="formalpara">StartServers</h5><a id="id978737" class="indexterm"></a><a id="id978754" class="indexterm"></a>
					The <code class="command">StartServers</code> directive sets how many server processes are created upon startup. Since the Web server dynamically kills and creates server processes based on traffic load, it is not necessary to change this parameter. The Web server is set to start <code class="command">8</code> server processes at startup for the <code class="command">prefork</code> MPM and <code class="command">2</code> for the <code class="command">worker</code> MPM.
				</div><div class="formalpara" id="s3-apache-threadsperchild"><h5 class="formalpara">ThreadsPerChild</h5><a id="id978813" class="indexterm"></a><a id="id978830" class="indexterm"></a>
					This value is only used with the <code class="command">worker</code> MPM. It sets the number of threads within each child process. The default value for this directive is <code class="command">25</code>.
				</div></div></div><div class="section" id="s1-apache-addmods"><div class="titlepage"><div><div><h2 class="title" id="s1-apache-addmods">23.6. Adding Modules</h2></div></div></div><a id="id978878" class="indexterm"></a><a id="id978897" class="indexterm"></a><a id="id978911" class="indexterm"></a><a id="id978926" class="indexterm"></a><a id="id978936" class="indexterm"></a><div class="para">
			The Apache HTTP Server is distributed with a number of modules. More information about Apache HTTP modules can be found on <a href="http://httpd.apache.org/docs/2.2/mod/">http://httpd.apache.org/docs/2.2/mod/</a>.
		</div><div class="para">
			The Apache HTTP Server supports <em class="firstterm">Dynamically Shared Objects</em> (<em class="firstterm">DSO</em>s), or modules, which can easily be loaded at runtime as necessary.
		</div><div class="para">
			The Apache Project provides complete DSO documentation online at <a href="http://httpd.apache.org/docs/2.2/dso.html">http://httpd.apache.org/docs/2.2/dso.html</a>. Or, if the <code class="filename">http-manual</code> package is installed, documentation about DSOs can be found online at <a href="http://localhost/manual/mod/">http://localhost/manual/mod/</a>.
		</div><div class="para">
			For the Apache HTTP Server to use a DSO, it must be specified in a <code class="command">LoadModule</code> directive within <code class="filename">/etc/httpd/conf/httpd.conf</code>. If the module is provided by a separate package, the line must appear within the modules configuration file in the <code class="filename">/etc/httpd/conf.d/</code> directory. Refer to <a class="xref" href="#s2-apache-loadmodule">LoadModule</a> for more information.
		</div><div class="para">
			If adding or deleting modules from <code class="filename">http.conf</code>, Apache HTTP Server must be reloaded or restarted, as referred to in <a class="xref" href="#s1-apache-startstop">Section 23.3, “Starting and Stopping <code class="command">httpd</code>”</a>.
		</div><div class="para">
			If creating a new module, first install the <code class="filename">httpd-devel</code> package which contains the include files, the header files, as well as the <em class="firstterm">APache eXtenSion</em> (<code class="command">/usr/sbin/apxs</code>) application, which uses the include files and the header files to compile DSOs.
		</div><div class="para">
			After writing a module, use <code class="command">/usr/sbin/apxs</code> to compile the module sources outside the Apache source tree. For more information about using the <code class="command">/usr/sbin/apxs</code> command, refer to the Apache documentation online at <a href="http://httpd.apache.org/docs/2.2/dso.html">http://httpd.apache.org/docs/2.2/dso.html</a> as well as the <code class="command">apxs</code> man page.
		</div><div class="para">
			Once compiled, put the module in the <code class="filename">/usr/lib/httpd/modules/</code> directory. For RHEL platforms using default-64-bit userspace (x86_64, ia64, ?) this path will be <code class="filename">/usr/lib64/httpd/modules/</code>. Then add a <code class="command">LoadModule</code> line to the <code class="filename">httpd.conf</code>, using the following structure:
		</div><pre class="screen">LoadModule <em class="replaceable"><code>&lt;module-name&gt; &lt;path/to/module.so&gt;</code></em></pre><div class="para">
			Where <em class="replaceable"><code>&lt;module-name&gt;</code></em> is the name of the module and <em class="replaceable"><code>&lt;path/to/module.so&gt;</code></em> is the path to the DSO.
		</div></div><div class="section" id="s1-apache-virtualhosts"><div class="titlepage"><div><div><h2 class="title" id="s1-apache-virtualhosts">23.7. Virtual Hosts</h2></div></div></div><a id="id979121" class="indexterm"></a><a id="id979135" class="indexterm"></a><a id="id979150" class="indexterm"></a><a id="id979164" class="indexterm"></a><a id="id979179" class="indexterm"></a><a id="id979196" class="indexterm"></a><div class="para">
			The Apache HTTP Server's built in virtual hosting allows the server to provide different information based on which IP address, hostname, or port is being requested. A complete guide to using virtual hosts is available online at <a href="http://httpd.apache.org/docs/2.2/vhosts/">http://httpd.apache.org/docs/2.2/vhosts/</a>.
		</div><div class="section" id="s2-apache-settingupvhosts"><div class="titlepage"><div><div><h3 class="title" id="s2-apache-settingupvhosts">23.7.1. Setting Up Virtual Hosts</h3></div></div></div><div class="para">
				To create a name-based virtual host, it is best to use the virtual host container provided in <code class="filename">httpd.conf</code> as an example.
			</div><div class="para">
				The virtual host example read as follows:
			</div><pre class="screen">#NameVirtualHost *:80
#
#&lt;VirtualHost *:80&gt;
# ServerAdmin webmaster@dummy-host.example.com
# DocumentRoot /www/docs/dummy-host.example.com
# ServerName dummy-host.example.com
# ErrorLog logs/dummy-host.example.com-error_log
# CustomLog logs/dummy-host.example.com-access_log common #&lt;/VirtualHost&gt;</pre><div class="para">
				To activate name-based virtual hosting, uncomment the <code class="command">NameVirtualHost</code> line by removing the hash mark (<code class="command">#</code>) and replace the asterisk (<code class="command">*</code>) with the IP address assigned to the machine.
			</div><div class="para">
				Next, configure a virtual host by uncommenting and customizing the <code class="command">&lt;VirtualHost&gt;</code> container.
			</div><div class="para">
				On the <code class="command">&lt;VirtualHost&gt;</code> line, change the asterisk (<code class="command">*</code>) to the server's IP address. Change the <code class="command">ServerName</code> to a <span class="emphasis"><em>valid</em></span> DNS name assigned to the machine, and configure the other directives as necessary.
			</div><div class="para">
				The <code class="command">&lt;VirtualHost&gt;</code> container is highly customizable and accepts almost every directive available within the main server configuration.
			</div><a id="id979303" class="indexterm"></a><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
					If configuring a virtual host to listen on a non-default port, that port must be added to the <code class="command">Listen</code> directive in the global settings section of <code class="filename">/etc/httpd/conf/httpd.conf</code> file.
				</div></div></div><div class="para">
				To activate a newly created virtual host, the Apache HTTP Server must be reloaded or restarted. Refer to <a class="xref" href="#s1-apache-startstop">Section 23.3, “Starting and Stopping <code class="command">httpd</code>”</a> for further instructions.
			</div><div class="para">
				Comprehensive information about creating and configuring both name-based and IP address-based virtual hosts is provided online at <a href="http://httpd.apache.org/docs/2.2/vhosts/">http://httpd.apache.org/docs/2.2/vhosts/</a>.
			</div></div></div><div class="section" id="s1-httpd-secure-server"><div class="titlepage"><div><div><h2 class="title" id="s1-httpd-secure-server">23.8. Apache HTTP Secure Server Configuration</h2></div></div></div><a id="id979373" class="indexterm"></a><div class="para">
			This section provides basic information on the Apache HTTP Server with the <code class="filename">mod_ssl</code> security module enabled to use the OpenSSL library and toolkit. The combination of these three components are referred to in this section as the secure Web server or just as the secure server.
		</div><div class="para">
			The <code class="filename">mod_ssl</code> module is a security module for the Apache HTTP Server. The <code class="filename">mod_ssl</code> module uses the tools provided by the OpenSSL Project to add a very important feature to the Apache HTTP Server — the ability to encrypt communications. In contrast, regular HTTP communications between a browser and a Web server are sent in plain text, which could be intercepted and read by someone along the route between the browser and the server.
		</div><div class="para">
			This section is not meant to be complete and exclusive documentation for any of these programs. When possible, this guide points to appropriate places where you can find more in-depth documentation on particular subjects.
		</div><div class="para">
			This section shows you how to install these programs. You can also learn the steps necessary to generate a private key and a certificate request, how to generate your own self-signed certificate, and how to install a certificate to use with your secure server.
		</div><div class="para">
			The <code class="filename">mod_ssl</code> configuration file is located at <code class="filename">/etc/httpd/conf.d/ssl.conf</code>. For this file to be loaded, and hence for <code class="filename">mod_ssl</code> to work, you must have the statement <code class="computeroutput">Include conf.d/*.conf</code> in the <code class="filename">/etc/httpd/conf/httpd.conf</code> file. This statement is included by default in the default Apache HTTP Server configuration file.
		</div><div class="section" id="s2-secureserver-optionalpackages"><div class="titlepage"><div><div><h3 class="title" id="s2-secureserver-optionalpackages">23.8.1. An Overview of Security-Related Packages</h3></div></div></div><a id="id979457" class="indexterm"></a><div class="para">
				To enable the secure server, you must have the following packages installed at a minimum:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"><code class="filename">httpd</code></span></dt><dd><div class="para">
							The <code class="filename">httpd</code> package contains the <code class="command">httpd</code> daemon and related utilities, configuration files, icons, Apache HTTP Server modules, man pages, and other files used by the Apache HTTP Server.
						</div></dd><dt class="varlistentry"><span class="term"><code class="filename">mod_ssl</code></span></dt><dd><div class="para">
							The <code class="filename">mod_ssl</code> package includes the <code class="filename">mod_ssl</code> module, which provides strong cryptography for the Apache HTTP Server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
						</div></dd><dt class="varlistentry"><span class="term"><code class="filename">openssl</code></span></dt><dd><div class="para">
							The <code class="filename">openssl</code> package contains the OpenSSL toolkit. The OpenSSL toolkit implements the SSL and TLS protocols, and also includes a general purpose cryptography library.
						</div></dd></dl></div><div class="para">
				Additionally, other software packages provide certain security functionalities (but are not required by the secure server to function):
			</div></div><div class="section" id="s2-secureserver-overview-certs"><div class="titlepage"><div><div><h3 class="title" id="s2-secureserver-overview-certs">23.8.2. An Overview of Certificates and Security</h3></div></div></div><a id="id979577" class="indexterm"></a><a id="id979592" class="indexterm"></a><a id="id979606" class="indexterm"></a><a id="id979620" class="indexterm"></a><div class="para">
				Your secure server provides security using a combination of the Secure Sockets Layer (SSL) protocol and (in most cases) a digital certificate from a Certificate Authority (CA). SSL handles the encrypted communications as well as the mutual authentication between browsers and your secure server. The CA-approved digital certificate provides authentication for your secure server (the CA puts its reputation behind its certification of your organization's identity). When your browser is communicating using SSL encryption, the <code class="computeroutput">https://</code> prefix is used at the beginning of the Uniform Resource Locator (URL) in the navigation bar.
			</div><div class="para">
				Encryption depends upon the use of keys (think of them as secret encoder/decoder rings in data format). In conventional or symmetric cryptography, both ends of the transaction have the same key, which they use to decode each other's transmissions. In public or asymmetric cryptography, two keys co-exist: a public key and a private key. A person or an organization keeps their private key a secret and publishes their public key. Data encoded with the public key can only be decoded with the private key; data encoded with the private key can only be decoded with the public key.
			</div><div class="para">
				To set up your secure server, use public cryptography to create a public and private key pair. In most cases, you send your certificate request (including your public key), proof of your company's identity, and payment to a CA. The CA verifies the certificate request and your identity, and then sends back a certificate for your secure server.
			</div><div class="para">
				A secure server uses a certificate to identify itself to Web browsers. You can generate your own certificate (called a "self-signed" certificate), or you can get a certificate from a CA. A certificate from a reputable CA guarantees that a website is associated with a particular company or organization.
			</div><div class="para">
				Alternatively, you can create your own self-signed certificate. Note, however, that self-signed certificates should not be used in most production environments. Self-signed certificates are not automatically accepted by a user's browser — users are prompted by the browser to accept the certificate and create the secure connection. Refer to <a class="xref" href="#s2-secureserver-certs">Section 23.8.4, “Types of Certificates”</a> for more information on the differences between self-signed and CA-signed certificates.
			</div><div class="para">
				Once you have a self-signed certificate or a signed certificate from the CA of your choice, you must install it on your secure server.
			</div></div><div class="section" id="s1-secureserver-oldcert"><div class="titlepage"><div><div><h3 class="title" id="s1-secureserver-oldcert">23.8.3. Using Pre-Existing Keys and Certificates</h3></div></div></div><a id="id979703" class="indexterm"></a><div class="para">
				If you already have an existing key and certificate (for example, if you are installing the secure server to replace another company's secure server product), you can probably use your existing key and certificate with the secure server. The following two situations provide instances where you are not able to use your existing key and certificate:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="emphasis"><em>If you are changing your IP address or domain name</em></span> — Certificates are issued for a particular IP address and domain name pair. You must get a new certificate if you are changing your IP address or domain name.
					</div></li><li class="listitem"><div class="para">
						<a id="id979749" class="indexterm"></a>
						 <span class="emphasis"><em>If you have a certificate from VeriSign and you are changing your server software</em></span> — VeriSign is a widely used CA. If you already have a VeriSign certificate for another purpose, you may have been considering using your existing VeriSign certificate with your new secure server. However, you are not be allowed to because VeriSign issues certificates for one specific server software and IP address/domain name combination.
					</div><div class="para">
						If you change either of those parameters (for example, if you previously used a different secure server product), the VeriSign certificate you obtained to use with the previous configuration will not work with the new configuration. You must obtain a new certificate.
					</div></li></ul></div><div class="para">
				If you have an existing key and certificate that you can use, you do not have to generate a new key and obtain a new certificate. However, you may need to move and rename the files which contain your key and certificate.
			</div><div class="para">
				Move your existing key file to:
			</div><pre class="screen"><code class="filename">/etc/pki/tls/private/server.key</code></pre><div class="para">
				Move your existing certificate file to:
			</div><pre class="screen"><code class="filename">/etc/pki/tls/certs/server.crt</code></pre><div class="para">
				<a id="id979807" class="indexterm"></a>
				 <a id="id979821" class="indexterm"></a>
				 If you are upgrading from the Red Hat Secure Web Server, your old key (<code class="filename">httpsd.key</code>) and certificate (<code class="filename">httpsd.crt</code>) are located in <code class="filename">/etc/httpd/conf/</code>. Move and rename your key and certificate so that the secure server can use them. Use the following two commands to move and rename your key and certificate files:
			</div><pre class="screen"><code class="command">mv /etc/httpd/conf/httpsd.key /etc/pki/tls/private/server.key</code>
<code class="command">mv /etc/httpd/conf/httpsd.crt /etc/pki/tls/certs/server.crt</code></pre><div class="para">
				Then, start your secure server with the command:
			</div><pre class="screen"><code class="command">service httpd start</code></pre></div><div class="section" id="s2-secureserver-certs"><div class="titlepage"><div><div><h3 class="title" id="s2-secureserver-certs">23.8.4. Types of Certificates</h3></div></div></div><a id="id979886" class="indexterm"></a><div class="para">
				If you installed your secure server from the RPM package provided by Red Hat, a randomly generated private key and a test certificate are generated and put into the appropriate directories. Before you begin using your secure server, however, you must generate your own key and obtain a certificate which correctly identifies your server.
			</div><div class="para">
				You need a key and a certificate to operate your secure server — which means that you can either generate a self-signed certificate or purchase a CA-signed certificate from a CA. What are the differences between the two?
			</div><div class="para">
				A CA-signed certificate provides two important capabilities for your server:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Browsers (usually) automatically recognize the certificate and allow a secure connection to be made, without prompting the user.
					</div></li><li class="listitem"><div class="para">
						When a CA issues a signed certificate, they are guaranteeing the identity of the organization that is providing the webpages to the browser.
					</div></li></ul></div><div class="para">
				If your secure server is being accessed by the public at large, your secure server needs a certificate signed by a CA so that people who visit your website know that the website is owned by the organization who claims to own it. Before signing a certificate, a CA verifies that the organization requesting the certificate was actually who they claimed to be.
			</div><div class="para">
				Most Web browsers that support SSL have a list of CAs whose certificates they automatically accept. If a browser encounters a certificate whose authorizing CA is not in the list, the browser asks the user to either accept or decline the connection.
			</div><div class="para">
				You can generate a self-signed certificate for your secure server, but be aware that a self-signed certificate does not provide the same functionality as a CA-signed certificate. A self-signed certificate is not automatically recognized by most Web browsers and does not provide any guarantee concerning the identity of the organization that is providing the website. A CA-signed certificate provides both of these important capabilities for a secure server. If your secure server is to be used in a production environment, a CA-signed certificate is recommended.
			</div><div class="para">
				The process of getting a certificate from a CA is fairly easy. A quick overview is as follows:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Create an encryption private and public key pair.
					</div></li><li class="listitem"><div class="para">
						Create a certificate request based on the public key. The certificate request contains information about your server and the company hosting it.
					</div></li><li class="listitem"><div class="para">
						<a id="id980000" class="indexterm"></a>
						 <a id="id980019" class="indexterm"></a>
						 <a id="id980033" class="indexterm"></a>
						 Send the certificate request, along with documents proving your identity, to a CA. Red Hat does not make recommendations on which certificate authority to choose. Your decision may be based on your past experiences, on the experiences of your friends or colleagues, or purely on monetary factors.
					</div><div class="para">
						Once you have decided upon a CA, you need to follow the instructions they provide on how to obtain a certificate from them.
					</div></li><li class="listitem"><div class="para">
						When the CA is satisfied that you are indeed who you claim to be, they provide you with a digital certificate.
					</div></li><li class="listitem"><div class="para">
						Install this certificate on your secure server and begin handling secure transactions.
					</div></li></ol></div><div class="para">
				Whether you are getting a certificate from a CA or generating your own self-signed certificate, the first step is to generate a key. Refer to <a class="xref" href="#s2-secureserver-generatingkey">Section 23.8.5, “Generating a Key”</a> for instructions.
			</div></div><div class="section" id="s2-secureserver-generatingkey"><div class="titlepage"><div><div><h3 class="title" id="s2-secureserver-generatingkey">23.8.5. Generating a Key</h3></div></div></div><a id="id980101" class="indexterm"></a><div class="para">
				You must be root to generate a key.
			</div><div class="para">
				First, use the <code class="command">cd</code> command to change to the <code class="filename">/etc/pki/tls/</code> directory. Remove the fake key and certificate that were generated during the installation with the following commands:
			</div><pre class="screen"><code class="command">rm private/server.key</code>
<code class="command">rm certs/server.crt</code></pre><div class="para">
				The <code class="filename">crypto-utils</code> package contains the <code class="command">genkey</code> utility which you can use to generate keys as the name implies. To create your own private key, please ensure the <code class="filename">crypto-utils</code> package is installed. You can view more options by typing <code class="command">man genkey</code> in your terminal. Assuming you wish to generate keys for www.example.com using the <code class="command">genkey</code> utility, type in the following command in your terminal:
			</div><pre class="screen"><code class="command">genkey www.example.com</code></pre><div class="para">
				Please note that the <code class="command">make</code> based process is no longer shipped with RHEL 5. This will start the <code class="command">genkey</code> graphical user interface. The figure below illustrates the first screen. To navigate, use the keyboard arrow and tab keys. This windows indicates where your key will be stored and prompts you to proceed or cancel the operation. To proceed to the next step, select <span class="guilabel"><strong>Next</strong></span> and press the Return (Enter) key.
			</div><div class="figure" id="keypair-gen"><div class="figure-contents"><div class="mediaobject"><img src="images/genkey1.png" width="444" alt="Keypair generation" /><div class="longdesc"><div class="para">
							Keypair generation
						</div></div></div></div><h6>Figure 23.11. Keypair generation</h6></div><br class="figure-break" /><div class="para">
				The next screen prompts you to choose the size of your key. As indicated, the smaller the size of your key, the faster will the response from your server be and the lesser your level of security. On selecting your preferred, key size using the arrow keys, select <span class="guilabel"><strong>Next</strong></span> to proceed to the next step. The figure below illustrates the key size selection screen.
			</div><div class="figure" id="keysize-choose"><div class="figure-contents"><div class="mediaobject"><img src="images/genkey2.png" width="444" alt="Choose key size" /><div class="longdesc"><div class="para">
							Choose key size
						</div></div></div></div><h6>Figure 23.12. Choose key size</h6></div><br class="figure-break" /><div class="para">
				Selecting the next step will initiate the random bits generation process which may take some time depending on the size of your selected key. The larger the size of your key, the longer it will take to generate it.
			</div><div class="figure" id="random-bits"><div class="figure-contents"><div class="mediaobject"><img src="images/genkey3.png" width="444" alt="Generating random bits" /><div class="longdesc"><div class="para">
							Generating random bits
						</div></div></div></div><h6>Figure 23.13. Generating random bits</h6></div><br class="figure-break" /><div class="para">
				On generating your key, you will be prompted to send a Certificate Request (CSR) to a Certificate Authority (CA).
			</div><div class="figure" id="generate-csr"><div class="figure-contents"><div class="mediaobject"><img src="images/genkey4.png" width="444" alt="Generate CSR" /><div class="longdesc"><div class="para">
							Generate CSR
						</div></div></div></div><h6>Figure 23.14. Generate CSR</h6></div><br class="figure-break" /><div class="para">
				Selecting <span class="guilabel"><strong>Yes</strong></span> will prompt you to select the Certificate Authority you wish to send your request to. Selecting <span class="guilabel"><strong>No</strong></span> will allow you to generate a self-signed certificate. The next step for this is illustrated in <a class="xref" href="#private-signed-cert">Figure 23.17, “Generating a self signed certificate for your server”</a>.
			</div><div class="figure" id="choose-cert-auth"><div class="figure-contents"><div class="mediaobject"><img src="images/genkey5.png" width="444" alt="Choose Certificate Authority (CA)" /><div class="longdesc"><div class="para">
							Choose Certificate Authority (CA)
						</div></div></div></div><h6>Figure 23.15. Choose Certificate Authority (CA)</h6></div><br class="figure-break" /><div class="para">
				On Selecting your preferred option, select <span class="guilabel"><strong>Next</strong></span> to proceed to the next step. The next screen allows you to enter the details of your certificate.
			</div><div class="figure" id="enter-cert-details"><div class="figure-contents"><div class="mediaobject"><img src="images/genkey6.png" width="444" alt="Enter details for your certificate" /><div class="longdesc"><div class="para">
							Enter details for your certificate
						</div></div></div></div><h6>Figure 23.16. Enter details for your certificate</h6></div><br class="figure-break" /><div class="para">
				If you prefer to generate a self signed cert key pair, you should not generate a CSR. To do this, select <span class="guilabel"><strong>No</strong></span> as your preferred option in the Generate CSR screen. This will display the figure below from which you can enter your certificate details. Entering your certificate details and pressing the return key will display the <a class="xref" href="#protect-private-key">Figure 23.19, “Protecting your private key”</a> from which you can choose to encrypt your private key or not.
			</div><div class="figure" id="private-signed-cert"><div class="figure-contents"><div class="mediaobject"><img src="images/genkey8.png" width="444" alt="Generating a self signed certificate for your server" /><div class="longdesc"><div class="para">
							Generating a self signed certificate for your server
						</div></div></div></div><h6>Figure 23.17. Generating a self signed certificate for your server</h6></div><br class="figure-break" /><div class="para">
				On entering the details of your certificate, select <span class="guilabel"><strong>Next</strong></span> to proceed. The figure below illustrates an example of a the next screen displayed after completing the details for a certificate to be sent to Equifax. Please note that if you are generating a self signed key, for your server, this screen is not displayed.
			</div><div class="figure" id="begin-cert-request"><div class="figure-contents"><div class="mediaobject"><img src="images/genkey7.png" width="444" alt="Begin certificate request" /><div class="longdesc"><div class="para">
							Begin certificate request
						</div></div></div></div><h6>Figure 23.18. Begin certificate request</h6></div><br class="figure-break" /><div class="para">
				Pressing the return key, will display the next screen from which you can enable or disable the encryption of the private key. Use the spacebar to enable or disable this. When enabled, a [*] character will be displayed. On selecting your preferred option, select <span class="guilabel"><strong>Next</strong></span> to proceed to the next step.
			</div><div class="figure" id="protect-private-key"><div class="figure-contents"><div class="mediaobject"><img src="images/genkey9.png" width="444" alt="Protecting your private key" /><div class="longdesc"><div class="para">
							Protecting your private key
						</div></div></div></div><h6>Figure 23.19. Protecting your private key</h6></div><br class="figure-break" /><div class="para">
				The next screen allows you to set your key passphrase. Please do not lose this passphrase as you will not be able to run the server without it. You will need to regenerate a new private or public key pair and request a new certificate from your CA as indicated. For security, the passphrase is not displayed as you type. On typing your preferred passphrase, select <span class="guilabel"><strong>Next</strong></span> to go back to your terminal.
			</div><div class="figure" id="set-passphrase"><div class="figure-contents"><div class="mediaobject"><img src="images/genkey10.png" width="444" alt="Set passphrase" /><div class="longdesc"><div class="para">
							Set passphrase
						</div></div></div></div><h6>Figure 23.20. Set passphrase</h6></div><br class="figure-break" /><div class="para">
				If you attempt to run <code class="command">genkey www.example.com</code> on a server that already has an existing key pair for the particular hostname, an error message will be displayed as illustrated below. You need to delete your existing key file as indicated to generate a new key pair.
			</div><div class="figure" id="genkey-error"><div class="figure-contents"><div class="mediaobject"><img src="images/genkey11.png" width="444" alt="genkey error" /><div class="longdesc"><div class="para">
							genkey error
						</div></div></div></div><h6>Figure 23.21. genkey error</h6></div><br class="figure-break" /><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://httpd.apache.org/docs/2.2/ssl/">http://httpd.apache.org/docs/2.2/ssl/</a>
					</div></li><li class="listitem"><div class="para">
						<a href="http://httpd.apache.org/docs/2.2/vhosts/">http://httpd.apache.org/docs/2.2/vhosts/</a>
					</div></li></ul></div></div><div class="section" id="s1-use-new-key"><div class="titlepage"><div><div><h3 class="title" id="s1-use-new-key">23.8.6. How to configure the server to use the new key</h3></div></div></div><a id="id980778" class="indexterm"></a><div class="para">
				The steps to configure the Apache HTTP Server to use the new key are:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Obtain the signed certificate from the CA after submitting the CSR.
					</div></li><li class="listitem"><div class="para">
						Copy the certificate to the path, for example <code class="filename">/etc/pki/tls/certs/www.example.com.crt</code>
					</div></li><li class="listitem"><div class="para">
						Edit <code class="filename">/etc/httpd/conf.d/ssl.conf</code>. Change the SSLCertificateFile and SSLCertificateKey lines to be. 
<pre class="screen">SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key</pre>
						 Note that the <span class="quote">“<span class="quote">www.example.com</span>”</span> part should match the argument passed on the <code class="command">genkey</code> command.
					</div></li></ul></div></div></div><div class="section" id="s1-apache-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-apache-additional-resources">23.9. Additional Resources</h2></div></div></div><a id="id886666" class="indexterm"></a><div class="para">
			To learn more about the Apache HTTP Server, refer to the following resources.
		</div><div class="section" id="s2-apache-additional-resources-web"><div class="titlepage"><div><div><h3 class="title" id="s2-apache-additional-resources-web">23.9.1. Useful Websites</h3></div></div></div><a id="id886694" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://httpd.apache.org/">http://httpd.apache.org/</a> — The official website for the Apache HTTP Server with documentation on all the directives and default modules.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.modssl.org/">http://www.modssl.org/</a> — The official website for <code class="filename">mod_ssl</code>.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.apacheweek.com/">http://www.apacheweek.com/</a> — A comprehensive online weekly newsletter about all things Apache.
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-ftp" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 24. FTP</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-ftp-protocol">24.1. The File Transfer Protocol</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ftp-protocol-multiport">24.1.1. Multiple Ports, Multiple Modes</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ftp-servers">24.2. FTP Servers</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ftp-servers-vsftpd">24.2.1. <code class="command">vsftpd</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s2-ftp-vsftpd-conf">24.3. Files Installed with <code class="command">vsftpd</code></a></span></dt><dt><span class="section"><a href="#s1-ftp-vsftpd-start">24.4. Starting and Stopping <code class="command">vsftpd</code></a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ftp-vsftpd-start-multi">24.4.1. Starting Multiple Copies of <code class="command">vsftpd</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ftp-vsftpd-conf">24.5. <code class="command">vsftpd</code> Configuration Options</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-daemon">24.5.1. Daemon Options</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-login">24.5.2. Log In Options and Access Controls</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-anon">24.5.3. Anonymous User Options</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-usr">24.5.4. Local User Options</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-dir">24.5.5. Directory Options</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-file">24.5.6. File Transfer Options</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-log">24.5.7. Logging Options</a></span></dt><dt><span class="section"><a href="#s2-ftp-vsftpd-conf-opt-net">24.5.8. Network Options</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ftp-resources">24.6. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ftp-installed-documentation">24.6.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-ftp-useful-websites">24.6.2. Useful Websites</a></span></dt></dl></dd></dl></div><a id="id786573" class="indexterm"></a><a id="id926000" class="indexterm"></a><div class="para">
		File Transfer Protocol (FTP) is one of the oldest and most commonly used protocols found on the Internet today. Its purpose is to reliably transfer files between computer hosts on a network without requiring the user to log directly into the remote host or have knowledge of how to use the remote system. It allows users to access files on remote systems using a standard set of simple commands.
	</div><div class="para">
		This chapter outlines the basics of the FTP protocol, as well as configuration options for the primary FTP server shipped with Red Hat Enterprise Linux, <code class="command">vsftpd</code>.
	</div><div class="section" id="s1-ftp-protocol"><div class="titlepage"><div><div><h2 class="title" id="s1-ftp-protocol">24.1. The File Transfer Protocol</h2></div></div></div><a id="id1044342" class="indexterm"></a><div class="para">
			However, because FTP is so prevalent on the Internet, it is often required to share files to the public. System administrators, therefore, should be aware of the FTP protocol's unique characteristics.
		</div><div class="section" id="s2-ftp-protocol-multiport"><div class="titlepage"><div><div><h3 class="title" id="s2-ftp-protocol-multiport">24.1.1. Multiple Ports, Multiple Modes</h3></div></div></div><a id="id777763" class="indexterm"></a><a id="id1041059" class="indexterm"></a><a id="id852436" class="indexterm"></a><a id="id984446" class="indexterm"></a><div class="para">
				Unlike most protocols used on the Internet, FTP requires multiple network ports to work properly. When an FTP client application initiates a connection to an FTP server, it opens port 21 on the server — known as the <em class="firstterm">command port</em>. This port is used to issue all commands to the server. Any data requested from the server is returned to the client via a <em class="firstterm">data port</em>. The port number for data connections, and the way in which data connections are initialized, vary depending upon whether the client requests the data in <em class="firstterm">active</em> or <em class="firstterm">passive</em> mode.
			</div><div class="para">
				The following defines these modes:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">active mode</span></dt><dd><div class="para">
							Active mode is the original method used by the FTP protocol for transferring data to the client application. When an active mode data transfer is initiated by the FTP client, the server opens a connection from port 20 on the server to the IP address and a random, unprivileged port (greater than 1024) specified by the client. This arrangement means that the client machine must be allowed to accept connections over any port above 1024. With the growth of insecure networks, such as the Internet, the use of firewalls to protect client machines is now prevalent. Because these client-side firewalls often deny incoming connections from active mode FTP servers, passive mode was devised.
						</div></dd><dt class="varlistentry"><span class="term">passive mode</span></dt><dd><div class="para">
							Passive mode, like active mode, is initiated by the FTP client application. When requesting data from the server, the FTP client indicates it wants to access the data in passive mode and the server provides the IP address and a random, unprivileged port (greater than 1024) on the server. The client then connects to that port on the server to download the requested information.
						</div><div class="para">
							While passive mode resolves issues for client-side firewall interference with data connections, it can complicate administration of the server-side firewall. You can reduce the number of open ports on a server by limiting the range of unprivileged ports on the FTP server. This also simplifies the process of configuring firewall rules for the server. Refer to <a class="xref" href="#s2-ftp-vsftpd-conf-opt-net">Section 24.5.8, “Network Options”</a> for more about limiting passive ports.
						</div></dd></dl></div></div></div><div class="section" id="s1-ftp-servers"><div class="titlepage"><div><div><h2 class="title" id="s1-ftp-servers">24.2. FTP Servers</h2></div></div></div><a id="id964976" class="indexterm"></a><a id="id963475" class="indexterm"></a><a id="id963495" class="indexterm"></a><a id="id963512" class="indexterm"></a><div class="para">
			Red Hat Enterprise Linux ships with two different FTP servers:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<span class="application"><strong>Red Hat Content Accelerator</strong></span> — A kernel-based Web server that delivers high performance Web server and FTP services. Since speed as its primary design goal, it has limited functionality and runs only as an anonymous FTP server. For more information about configuring and administering <span class="application"><strong>Red Hat Content Accelerator</strong></span>, consult the documentation available online at <a href="http://www.redhat.com/docs/manuals/tux/">http://www.redhat.com/docs/manuals/tux/</a>.
				</div></li><li class="listitem"><div class="para">
					<code class="command">vsftpd</code> — A fast, secure FTP daemon which is the preferred FTP server for Red Hat Enterprise Linux. The remainder of this chapter focuses on <code class="command">vsftpd</code>.
				</div></li></ul></div><div class="section" id="s2-ftp-servers-vsftpd"><div class="titlepage"><div><div><h3 class="title" id="s2-ftp-servers-vsftpd">24.2.1. <code class="command">vsftpd</code></h3></div></div></div><div class="para">
				The Very Secure FTP Daemon (<code class="command">vsftpd</code>) is designed from the ground up to be fast, stable, and, most importantly, secure. <code class="command">vsftpd</code> is the only stand-alone FTP server distributed with Red Hat Enterprise Linux, due to its ability to handle large numbers of connections efficiently and securely.
			</div><div class="para">
				The security model used by <code class="command">vsftpd</code> has three primary aspects:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="emphasis"><em>Strong separation of privileged and non-privileged processes</em></span> — Separate processes handle different tasks, and each of these processes run with the minimal privileges required for the task.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Tasks requiring elevated privileges are handled by processes with the minimal privilege necessary</em></span> — By leveraging compatibilities found in the <code class="filename">libcap</code> library, tasks that usually require full root privileges can be executed more safely from a less privileged process.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Most processes run in a <code class="command">chroot</code> jail</em></span> — Whenever possible, processes are change-rooted to the directory being shared; this directory is then considered a <code class="command">chroot</code> jail. For example, if the directory <code class="command">/var/ftp/</code> is the primary shared directory, <code class="command">vsftpd</code> reassigns <code class="command">/var/ftp/</code> to the new root directory, known as <code class="command">/</code>. This disallows any potential malicious hacker activities for any directories not contained below the new root directory.
					</div></li></ul></div><div class="para">
				Use of these security practices has the following effect on how <code class="command">vsftpd</code> deals with requests:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="emphasis"><em>The parent process runs with the least privileges required</em></span> — The parent process dynamically calculates the level of privileges it requires to minimize the level of risk. Child processes handle direct interaction with the FTP clients and run with as close to no privileges as possible.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>All operations requiring elevated privileges are handled by a small parent process</em></span> — Much like the Apache HTTP Server, <code class="command">vsftpd</code> launches unprivileged child processes to handle incoming connections. This allows the privileged, parent process to be as small as possible and handle relatively few tasks.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>All requests from unprivileged child processes are distrusted by the parent process</em></span> — Communication with child processes are received over a socket, and the validity of any information from child processes is checked before being acted on.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Most interaction with FTP clients is handled by unprivileged child processes in a <code class="command">chroot</code> jail</em></span> — Because these child processes are unprivileged and only have access to the directory being shared, any crashed processes only allows the attacker access to the shared files.
					</div></li></ul></div></div></div><div class="section" id="s2-ftp-vsftpd-conf"><div class="titlepage"><div><div><h2 class="title" id="s2-ftp-vsftpd-conf">24.3. Files Installed with <code class="command">vsftpd</code></h2></div></div></div><a id="id965188" class="indexterm"></a><div class="para">
			The <code class="filename">vsftpd</code> RPM installs the daemon (<code class="filename">/usr/sbin/vsftpd</code>), its configuration and related files, as well as FTP directories onto the system. The following lists the files and directories related to <code class="command">vsftpd</code> configuration:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="filename">/etc/rc.d/init.d/vsftpd</code> — The <span class="emphasis"><em>initialization script</em></span> (<em class="firstterm">initscript</em>) used by the <code class="command">/sbin/service</code> command to start, stop, or reload <code class="command">vsftpd</code>. Refer to <a class="xref" href="#s1-ftp-vsftpd-start">Section 24.4, “Starting and Stopping <code class="command">vsftpd</code>”</a> for more information about using this script.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">/etc/pam.d/vsftpd</code> — The Pluggable Authentication Modules (PAM) configuration file for <code class="command">vsftpd</code>. This file specifies the requirements a user must meet to login to the FTP server. For more information, refer to <a class="xref" href="#ch-pam">Section 46.4, “Pluggable Authentication Modules (PAM)”</a>.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">/etc/vsftpd/vsftpd.conf</code> — The configuration file for <code class="command">vsftpd</code>. Refer to <a class="xref" href="#s1-ftp-vsftpd-conf">Section 24.5, “<code class="command">vsftpd</code> Configuration Options”</a> for a list of important options contained within this file.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">/etc/vsftpd.ftpusers</code> — A list of users not allowed to log into <code class="command">vsftpd</code>. By default, this list includes the <code class="command">root</code>, <code class="command">bin</code>, and <code class="command">daemon</code> users, among others.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">/etc/vsftpd.user_list</code> — This file can be configured to either deny or allow access to the users listed, depending on whether the <code class="command">userlist_deny</code> directive is set to <code class="command">YES</code> (default) or <code class="command">NO</code> in <code class="filename">/etc/vsftpd/vsftpd.conf</code>. If <code class="filename">/etc/vsftpd.user_list</code> is used to grant access to users, the usernames listed must <span class="emphasis"><em>not</em></span> appear in <code class="filename">/etc/vsftpd.ftpusers</code>.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">/var/ftp/</code> — The directory containing files served by <code class="command">vsftpd</code>. It also contains the <code class="filename">/var/ftp/pub/</code> directory for anonymous users. Both directories are world-readable, but writable only by the root user.
				</div></li></ul></div></div><div class="section" id="s1-ftp-vsftpd-start"><div class="titlepage"><div><div><h2 class="title" id="s1-ftp-vsftpd-start">24.4. Starting and Stopping <code class="command">vsftpd</code></h2></div></div></div><a id="id1060524" class="indexterm"></a><a id="id1060541" class="indexterm"></a><a id="id1060557" class="indexterm"></a><a id="id1060573" class="indexterm"></a><a id="id1060590" class="indexterm"></a><div class="para">
			The <code class="filename">vsftpd</code> RPM installs the <code class="filename">/etc/rc.d/init.d/vsftpd</code> script, which can be accessed using the <code class="command">/sbin/service</code> command.
		</div><div class="para">
			To start the server, as root type:
		</div><pre class="screen"><code class="command">service vsftpd start</code></pre><div class="para">
			To stop the server, as root type:
		</div><pre class="screen"><code class="command">service vsftpd stop</code></pre><div class="para">
			The <code class="option">restart</code> option is a shorthand way of stopping and then starting <code class="command">vsftpd</code>. This is the most efficient way to make configuration changes take effect after editing the configuration file for <code class="command">vsftpd</code>.
		</div><div class="para">
			To restart the server, as root type:
		</div><pre class="screen"><code class="command">service vsftpd restart</code></pre><div class="para">
			The <code class="option">condrestart</code> (<em class="firstterm">conditional restart</em>) option only starts <code class="command">vsftpd</code> if it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running.
		</div><div class="para">
			To conditionally restart the server, as root type:
		</div><pre class="screen"><code class="command">service vsftpd condrestart</code></pre><div class="para">
			By default, the <code class="command">vsftpd</code> service does <span class="emphasis"><em>not</em></span> start automatically at boot time. To configure the <code class="command">vsftpd</code> service to start at boot time, use an initscript utility, such as <code class="command">/sbin/chkconfig</code>, <span class="application"><strong>/usr/sbin/ntsysv</strong></span>, or the <span class="application"><strong>Services Configuration Tool</strong></span> program. Refer to <a class="xref" href="#ch-services">Chapter 17, <em>Controlling Access to Services</em></a> for more information regarding these tools.
		</div><div class="section" id="s2-ftp-vsftpd-start-multi"><div class="titlepage"><div><div><h3 class="title" id="s2-ftp-vsftpd-start-multi">24.4.1. Starting Multiple Copies of <code class="command">vsftpd</code></h3></div></div></div><a id="id1060733" class="indexterm"></a><a id="id1060749" class="indexterm"></a><div class="para">
				Sometimes one computer is used to serve multiple FTP domains. This is a technique called <em class="firstterm">multihoming</em>. One way to multihome using <code class="command">vsftpd</code> is by running multiple copies of the daemon, each with its own configuration file.
			</div><div class="para">
				To do this, first assign all relevant IP addresses to network devices or alias network devices on the system. Refer to <a class="xref" href="#ch-network-config">Chapter 16, <em>Network Configuration</em></a> for more information about configuring network devices and device aliases. Additional information can be found about network configuration scripts in <a class="xref" href="#ch-networkscripts">Chapter 15, <em>Network Interfaces</em></a>.
			</div><div class="para">
				Next, the DNS server for the FTP domains must be configured to reference the correct machine. For information about BIND and its configuration files, refer to <a class="xref" href="#ch-bind">Chapter 18, <em>Berkeley Internet Name Domain (BIND)</em></a>.
			</div><div class="para">
				For <code class="command">vsftpd</code> to answer requests on different IP addresses, multiple copies of the daemon must be running. The first copy must be run using the <code class="command">vsftpd</code> initscripts, as outlined in <a class="xref" href="#s1-ftp-vsftpd-start">Section 24.4, “Starting and Stopping <code class="command">vsftpd</code>”</a>. This copy uses the standard configuration file, <code class="filename">/etc/vsftpd/vsftpd.conf</code>.
			</div><div class="para">
				Each additional FTP site must have a configuration file with a unique name in the <code class="filename">/etc/vsftpd/</code> directory, such as <code class="filename">/etc/vsftpd/vsftpd-site-2.conf</code>. Each configuration file must be readable and writable only by root. Within each configuration file for each FTP server listening on an IPv4 network, the following directive must be unique:
			</div><pre class="screen">listen_address=<em class="replaceable"><code>N.N.N.N</code></em></pre><div class="para">
				Replace <em class="replaceable"><code>N.N.N.N</code></em> with the <span class="emphasis"><em>unique</em></span> IP address for the FTP site being served. If the site is using IPv6, use the <code class="command">listen_address6</code> directive instead.
			</div><div class="para">
				Once each additional server has a configuration file, the <code class="command">vsftpd</code> daemon must be launched from a root shell prompt using the following command:
			</div><pre class="screen"><code class="command">vsftpd /etc/vsftpd/<em class="replaceable"><code>&lt;configuration-file&gt;</code></em></code> [amp   ]</pre><div class="para">
				In the above command, replace <em class="replaceable"><code>&lt;configuration-file&gt;</code></em> with the unique name for the server's configuration file, such as <code class="filename">/etc/vsftpd/vsftpd-site-2.conf</code>.
			</div><div class="para">
				Other directives to consider altering on a per-server basis are:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">anon_root</code>
					</div></li><li class="listitem"><div class="para">
						<code class="command">local_root</code>
					</div></li><li class="listitem"><div class="para">
						<code class="command">vsftpd_log_file</code>
					</div></li><li class="listitem"><div class="para">
						<code class="command">xferlog_file</code>
					</div></li></ul></div><div class="para">
				For a detailed list of directives available within <code class="command">vsftpd</code>'s configuration file, refer to <a class="xref" href="#s1-ftp-vsftpd-conf">Section 24.5, “<code class="command">vsftpd</code> Configuration Options”</a>.
			</div><div class="para">
				To configure any additional servers to start automatically at boot time, add the above command to the end of the <code class="filename">/etc/rc.local</code> file.
			</div></div></div><div class="section" id="s1-ftp-vsftpd-conf"><div class="titlepage"><div><div><h2 class="title" id="s1-ftp-vsftpd-conf">24.5. <code class="command">vsftpd</code> Configuration Options</h2></div></div></div><a id="id934803" class="indexterm"></a><a id="id934823" class="indexterm"></a><div class="para">
			Although <code class="command">vsftpd</code> may not offer the level of customization other widely available FTP servers have, it offers enough options to fill most administrator's needs. The fact that it is not overly feature-laden limits configuration and programmatic errors.
		</div><div class="para">
			All configuration of <code class="command">vsftpd</code> is handled by its configuration file, <code class="filename">/etc/vsftpd/vsftpd.conf</code>. Each directive is on its own line within the file and follows the following format:
		</div><pre class="screen"><em class="replaceable"><code>&lt;directive&gt;</code></em>=<em class="replaceable"><code>&lt;value&gt;</code></em></pre><div class="para">
			For each directive, replace <em class="replaceable"><code>&lt;directive&gt;</code></em> with a valid directive and <em class="replaceable"><code>&lt;value&gt;</code></em> with a valid value.
		</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
				There must not be any spaces between the <em class="replaceable"><code>&lt;directive&gt;</code></em>, equal symbol, and the <em class="replaceable"><code>&lt;value&gt;</code></em> in a directive.
			</div></div></div><div class="para">
			Comment lines must be preceded by a hash mark (<code class="command">#</code>) and are ignored by the daemon.
		</div><div class="para">
			For a complete list of all directives available, refer to the man page for <code class="filename">vsftpd.conf</code>.
		</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
				For an overview of ways to secure <code class="command">vsftpd</code>, refer to <a class="xref" href="#ch-server">Section 46.2, “Server Security”</a>.
			</div></div></div><div class="para">
			The following is a list of some of the more important directives within <code class="filename">/etc/vsftpd/vsftpd.conf</code>. All directives not explicitly found within <code class="command">vsftpd</code>'s configuration file are set to their default value.
		</div><div class="section" id="s2-ftp-vsftpd-conf-opt-daemon"><div class="titlepage"><div><div><h3 class="title" id="s2-ftp-vsftpd-conf-opt-daemon">24.5.1. Daemon Options</h3></div></div></div><a id="id934962" class="indexterm"></a><div class="para">
				The following is a list of directives which control the overall behavior of the <code class="command">vsftpd</code> daemon.
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">listen</code> — When enabled, <code class="command">vsftpd</code> runs in stand-alone mode. Red Hat Enterprise Linux sets this value to <code class="command">YES</code>. This directive cannot be used in conjunction with the <code class="command">listen_ipv6</code> directive.
					</div><div class="para">
						The default value is <code class="command">NO</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">listen_ipv6</code> — When enabled, <code class="command">vsftpd</code> runs in stand-alone mode, but listens only to IPv6 sockets. This directive cannot be used in conjunction with the <code class="command">listen</code> directive.
					</div><div class="para">
						The default value is <code class="command">NO</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">session_support</code> — When enabled, <code class="command">vsftpd</code> attempts to maintain login sessions for each user through Pluggable Authentication Modules (PAM). Refer to <a class="xref" href="#ch-pam">Section 46.4, “Pluggable Authentication Modules (PAM)”</a> for more information. If session logging is not necessary, disabling this option allows <code class="command">vsftpd</code> to run with less processes and lower privileges.
					</div><div class="para">
						The default value is <code class="command">YES</code>.
					</div></li></ul></div></div><div class="section" id="s2-ftp-vsftpd-conf-opt-login"><div class="titlepage"><div><div><h3 class="title" id="s2-ftp-vsftpd-conf-opt-login">24.5.2. Log In Options and Access Controls</h3></div></div></div><a id="id935097" class="indexterm"></a><a id="id935117" class="indexterm"></a><div class="para">
				The following is a list of directives which control the login behavior and access control mechanisms.
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">anonymous_enable</code> — When enabled, anonymous users are allowed to log in. The usernames <code class="computeroutput">anonymous</code> and <code class="computeroutput">ftp</code> are accepted.
					</div><div class="para">
						The default value is <code class="command">YES</code>.
					</div><div class="para">
						Refer to <a class="xref" href="#s2-ftp-vsftpd-conf-opt-anon">Section 24.5.3, “Anonymous User Options”</a> for a list of directives affecting anonymous users.
					</div></li><li class="listitem"><div class="para">
						<code class="command">banned_email_file</code> — If the <code class="command">deny_email_enable</code> directive is set to <code class="command">YES</code>, this directive specifies the file containing a list of anonymous email passwords which are not permitted access to the server.
					</div><div class="para">
						The default value is <code class="filename">/etc/vsftpd.banned_emails</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">banner_file</code> — Specifies the file containing text displayed when a connection is established to the server. This option overrides any text specified in the <code class="command">ftpd_banner</code> directive.
					</div><div class="para">
						There is no default value for this directive.
					</div></li><li class="listitem"><div class="para">
						<code class="command">cmds_allowed</code> — Specifies a comma-delimited list of FTP commands allowed by the server. All other commands are rejected.
					</div><div class="para">
						There is no default value for this directive.
					</div></li><li class="listitem"><div class="para">
						<code class="command">deny_email_enable</code> — When enabled, any anonymous user utilizing email passwords specified in the <code class="filename">/etc/vsftpd.banned_emails</code> are denied access to the server. The name of the file referenced by this directive can be specified using the <code class="command">banned_email_file</code> directive.
					</div><div class="para">
						The default value is <code class="command">NO</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">ftpd_banner</code> — When enabled, the string specified within this directive is displayed when a connection is established to the server. This option can be overridden by the <code class="command">banner_file</code> directive.
					</div><div class="para">
						By default <code class="command">vsftpd</code> displays its standard banner.
					</div></li><li class="listitem"><div class="para">
						<code class="command">local_enable</code> — When enabled, local users are allowed to log into the system.
					</div><div class="para">
						The default value is <code class="command">YES</code>.
					</div><div class="para">
						Refer to <a class="xref" href="#s2-ftp-vsftpd-conf-opt-usr">Section 24.5.4, “Local User Options”</a> for a list of directives affecting local users.
					</div></li><li class="listitem"><div class="para">
						<code class="command">pam_service_name</code> — Specifies the PAM service name for <code class="command">vsftpd</code>.
					</div><div class="para">
						The default value is <code class="command">ftp</code>. On Red Hat Enterprise Linux 5.8, this option is set to <code class="command">vsftpd</code> in the configuration file.
					</div></li><li class="listitem"><div class="para">
						<code class="command">tcp_wrappers</code> — When enabled, TCP wrappers are used to grant access to the server. If the FTP server is configured on multiple IP addresses, the <code class="command">VSFTPD_LOAD_CONF</code> option can be used to load different configuration files based on the IP address being requested by the client.
					</div><div class="para">
						The default value is <code class="command">NO</code>. On Red Hat Enterprise Linux 5.8, this option is set to <code class="command">YES</code> in the configuration file.
					</div><div class="para">
						Refer to <a class="xref" href="#ch-tcpwrappers">Section 46.5, “TCP Wrappers and xinetd”</a> for more information about TCP wrappers.
					</div></li><li class="listitem"><div class="para">
						<code class="command">userlist_deny</code> — When used in conjunction with the <code class="command">userlist_enable</code> directive and set to <code class="command">NO</code>, all local users are denied access unless the username is listed in the file specified by the <code class="command">userlist_file</code> directive. Because access is denied before the client is asked for a password, setting this directive to <code class="command">NO</code> prevents local users from submitting unencrypted passwords over the network.
					</div><div class="para">
						The default value is <code class="command">YES</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">userlist_enable</code> — When enabled, the users listed in the file specified by the <code class="command">userlist_file</code> directive are denied access. Because access is denied before the client is asked for a password, users are prevented from submitting unencrypted passwords over the network.
					</div><div class="para">
						The default value is <code class="command">NO</code>. On Red Hat Enterprise Linux 5.8, this option is set to <code class="command">YES</code> in the configuration file.
					</div></li><li class="listitem"><div class="para">
						<code class="command">userlist_file</code> — Specifies the file referenced by <code class="command">vsftpd</code> when the <code class="command">userlist_enable</code> directive is enabled.
					</div><div class="para">
						The default value is <code class="command">/etc/vsftpd.user_list</code> and is created during installation.
					</div></li></ul></div></div><div class="section" id="s2-ftp-vsftpd-conf-opt-anon"><div class="titlepage"><div><div><h3 class="title" id="s2-ftp-vsftpd-conf-opt-anon">24.5.3. Anonymous User Options</h3></div></div></div><a id="id935501" class="indexterm"></a><div class="para">
				The following lists directives which control anonymous user access to the server. To use these options, the <code class="command">anonymous_enable</code> directive must be set to <code class="command">YES</code>.
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">anon_mkdir_write_enable</code> — When enabled in conjunction with the <code class="command">write_enable</code> directive, anonymous users are allowed to create new directories within a parent directory which has write permissions.
					</div><div class="para">
						The default value is <code class="command">NO</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">anon_root</code> — Specifies the directory <code class="command">vsftpd</code> changes to after an anonymous user logs in.
					</div><div class="para">
						There is no default value for this directive.
					</div></li><li class="listitem"><div class="para">
						<code class="command">anon_upload_enable</code> — When enabled in conjunction with the <code class="command">write_enable</code> directive, anonymous users are allowed to upload files within a parent directory which has write permissions.
					</div><div class="para">
						The default value is <code class="command">NO</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">anon_world_readable_only</code> — When enabled, anonymous users are only allowed to download world-readable files.
					</div><div class="para">
						The default value is <code class="command">YES</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">ftp_username</code> — Specifies the local user account (listed in <code class="filename">/etc/passwd</code>) used for the anonymous FTP user. The home directory specified in <code class="filename">/etc/passwd</code> for the user is the root directory of the anonymous FTP user.
					</div><div class="para">
						The default value is <code class="command">ftp</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">no_anon_password</code> — When enabled, the anonymous user is not asked for a password.
					</div><div class="para">
						The default value is <code class="command">NO</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">secure_email_list_enable</code> — When enabled, only a specified list of email passwords for anonymous logins are accepted. This is a convenient way to offer limited security to public content without the need for virtual users.
					</div><div class="para">
						Anonymous logins are prevented unless the password provided is listed in <code class="command">/etc/vsftpd.email_passwords</code>. The file format is one password per line, with no trailing white spaces.
					</div><div class="para">
						The default value is <code class="command">NO</code>.
					</div></li></ul></div></div><div class="section" id="s2-ftp-vsftpd-conf-opt-usr"><div class="titlepage"><div><div><h3 class="title" id="s2-ftp-vsftpd-conf-opt-usr">24.5.4. Local User Options</h3></div></div></div><a id="id935711" class="indexterm"></a><div class="para">
				The following lists directives which characterize the way local users access the server. To use these options, the <code class="command">local_enable</code> directive must be set to <code class="command">YES</code>.
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">chmod_enable</code> — When enabled, the FTP command <code class="command">SITE CHMOD</code> is allowed for local users. This command allows the users to change the permissions on files.
					</div><div class="para">
						The default value is <code class="command">YES</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">chroot_list_enable</code> — When enabled, the local users listed in the file specified in the <code class="command">chroot_list_file</code> directive are placed in a <code class="command">chroot</code> jail upon log in.
					</div><div class="para">
						If enabled in conjunction with the <code class="command">chroot_local_user</code> directive, the local users listed in the file specified in the <code class="command">chroot_list_file</code> directive are <span class="emphasis"><em>not</em></span> placed in a <code class="command">chroot</code> jail upon log in.
					</div><div class="para">
						The default value is <code class="command">NO</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">chroot_list_file</code> — Specifies the file containing a list of local users referenced when the <code class="command">chroot_list_enable</code> directive is set to <code class="command">YES</code>.
					</div><div class="para">
						The default value is <code class="command">/etc/vsftpd.chroot_list</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">chroot_local_user</code> — When enabled, local users are change-rooted to their home directories after logging in.
					</div><div class="para">
						The default value is <code class="command">NO</code>.
					</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
							Enabling <code class="command">chroot_local_user</code> opens up a number of security issues, especially for users with upload privileges. For this reason, it is <span class="emphasis"><em>not</em></span> recommended.
						</div></div></div></li><li class="listitem"><div class="para">
						<code class="command">guest_enable</code> — When enabled, all non-anonymous users are logged in as the user <code class="command">guest</code>, which is the local user specified in the <code class="command">guest_username</code> directive.
					</div><div class="para">
						The default value is <code class="command">NO</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">guest_username</code> — Specifies the username the <code class="command">guest</code> user is mapped to.
					</div><div class="para">
						The default value is <code class="command">ftp</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">local_root</code> — Specifies the directory <code class="command">vsftpd</code> changes to after a local user logs in.
					</div><div class="para">
						There is no default value for this directive.
					</div></li><li class="listitem"><div class="para">
						<code class="command">local_umask</code> — Specifies the umask value for file creation. Note that the default value is in octal form (a numerical system with a base of eight), which includes a "0" prefix. Otherwise the value is treated as a base-10 integer.
					</div><div class="para">
						The default value is <code class="command">022</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">passwd_chroot_enable</code> — When enabled in conjunction with the <code class="command">chroot_local_user</code> directive, <code class="command">vsftpd</code> change-roots local users based on the occurrence of the <code class="command">/./</code> in the home directory field within <code class="filename">/etc/passwd</code>.
					</div><div class="para">
						The default value is <code class="command">NO</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">user_config_dir</code> — Specifies the path to a directory containing configuration files bearing the name of local system users that contain specific setting for that user. Any directive in the user's configuration file overrides those found in <code class="filename">/etc/vsftpd/vsftpd.conf</code>.
					</div><div class="para">
						There is no default value for this directive.
					</div></li></ul></div></div><div class="section" id="s2-ftp-vsftpd-conf-opt-dir"><div class="titlepage"><div><div><h3 class="title" id="s2-ftp-vsftpd-conf-opt-dir">24.5.5. Directory Options</h3></div></div></div><a id="id955847" class="indexterm"></a><div class="para">
				The following lists directives which affect directories.
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">dirlist_enable</code> — When enabled, users are allowed to view directory lists.
					</div><div class="para">
						The default value is <code class="command">YES</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">dirmessage_enable</code> — When enabled, a message is displayed whenever a user enters a directory with a message file. This message resides within the current directory. The name of this file is specified in the <code class="command">message_file</code> directive and is <code class="filename">.message</code> by default.
					</div><div class="para">
						The default value is <code class="command">NO</code>. On Red Hat Enterprise Linux 5.8, this option is set to <code class="command">YES</code> in the configuration file.
					</div></li><li class="listitem"><div class="para">
						<code class="command">force_dot_files</code> — When enabled, files beginning with a dot (<code class="computeroutput">.</code>) are listed in directory listings, with the exception of the <code class="filename">.</code> and <code class="filename">..</code> files.
					</div><div class="para">
						The default value is <code class="command">NO</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">hide_ids</code> — When enabled, all directory listings show <code class="computeroutput">ftp</code> as the user and group for each file.
					</div><div class="para">
						The default value is <code class="command">NO</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">message_file</code> — Specifies the name of the message file when using the <code class="command">dirmessage_enable</code> directive.
					</div><div class="para">
						The default value is <code class="command">.message</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">text_userdb_names</code> — When enabled, text usernames and group names are used in place of UID and GID entries. Enabling this option may slow performance of the server.
					</div><div class="para">
						The default value is <code class="command">NO</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">use_localtime</code> — When enabled, directory listings reveal the local time for the computer instead of GMT.
					</div><div class="para">
						The default value is <code class="command">NO</code>.
					</div></li></ul></div></div><div class="section" id="s2-ftp-vsftpd-conf-opt-file"><div class="titlepage"><div><div><h3 class="title" id="s2-ftp-vsftpd-conf-opt-file">24.5.6. File Transfer Options</h3></div></div></div><a id="id956058" class="indexterm"></a><div class="para">
				The following lists directives which affect directories.
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">download_enable</code> — When enabled, file downloads are permitted.
					</div><div class="para">
						The default value is <code class="command">YES</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">chown_uploads</code> — When enabled, all files uploaded by anonymous users are owned by the user specified in the <code class="command">chown_username</code> directive.
					</div><div class="para">
						The default value is <code class="command">NO</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">chown_username</code> — Specifies the ownership of anonymously uploaded files if the <code class="command">chown_uploads</code> directive is enabled.
					</div><div class="para">
						The default value is <code class="command">root</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">write_enable</code> — When enabled, FTP commands which can change the file system are allowed, such as <code class="command">DELE</code>, <code class="command">RNFR</code>, and <code class="command">STOR</code>.
					</div><div class="para">
						The default value is <code class="command">YES</code>.
					</div></li></ul></div></div><div class="section" id="s2-ftp-vsftpd-conf-opt-log"><div class="titlepage"><div><div><h3 class="title" id="s2-ftp-vsftpd-conf-opt-log">24.5.7. Logging Options</h3></div></div></div><a id="id956197" class="indexterm"></a><div class="para">
				The following lists directives which affect <code class="command">vsftpd</code>'s logging behavior.
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">dual_log_enable</code> — When enabled in conjunction with <code class="command">xferlog_enable</code>, <code class="command">vsftpd</code> writes two files simultaneously: a <code class="command">wu-ftpd</code>-compatible log to the file specified in the <code class="command">xferlog_file</code> directive (<code class="filename">/var/log/xferlog</code> by default) and a standard <code class="command">vsftpd</code> log file specified in the <code class="command">vsftpd_log_file</code> directive (<code class="filename">/var/log/vsftpd.log</code> by default).
					</div><div class="para">
						The default value is <code class="command">NO</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">log_ftp_protocol</code> — When enabled in conjunction with <code class="command">xferlog_enable</code> and with <code class="command">xferlog_std_format</code> set to <code class="command">NO</code>, all FTP commands and responses are logged. This directive is useful for debugging.
					</div><div class="para">
						The default value is <code class="command">NO</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">syslog_enable</code> — When enabled in conjunction with <code class="command">xferlog_enable</code>, all logging normally written to the standard <code class="command">vsftpd</code> log file specified in the <code class="command">vsftpd_log_file</code> directive (<code class="filename">/var/log/vsftpd.log</code> by default) is sent to the system logger instead under the FTPD facility.
					</div><div class="para">
						The default value is <code class="command">NO</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">vsftpd_log_file</code> — Specifies the <code class="command">vsftpd</code> log file. For this file to be used, <code class="command">xferlog_enable</code> must be enabled and <code class="command">xferlog_std_format</code> must either be set to <code class="command">NO</code> or, if <code class="command">xferlog_std_format</code> is set to <code class="command">YES</code>, <code class="command">dual_log_enable</code> must be enabled. It is important to note that if <code class="command">syslog_enable</code> is set to <code class="command">YES</code>, the system log is used instead of the file specified in this directive.
					</div><div class="para">
						The default value is <code class="filename">/var/log/vsftpd.log</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">xferlog_enable</code> — When enabled, <code class="command">vsftpd</code> logs connections (<code class="command">vsftpd</code> format only) and file transfer information to the log file specified in the <code class="command">vsftpd_log_file</code> directive (<code class="filename">/var/log/vsftpd.log</code> by default). If <code class="command">xferlog_std_format</code> is set to <code class="command">YES</code>, file transfer information is logged but connections are not, and the log file specified in <code class="command">xferlog_file</code> (<code class="filename">/var/log/xferlog</code> by default) is used instead. It is important to note that both log files and log formats are used if <code class="command">dual_log_enable</code> is set to <code class="command">YES</code>.
					</div><div class="para">
						The default value is <code class="command">NO</code>. On Red Hat Enterprise Linux 5.8, this option is set to <code class="command">YES</code> in the configuration file.
					</div></li><li class="listitem"><div class="para">
						<code class="command">xferlog_file</code> — Specifies the <code class="command">wu-ftpd</code>-compatible log file. For this file to be used, <code class="command">xferlog_enable</code> must be enabled and <code class="command">xferlog_std_format</code> must be set to <code class="command">YES</code>. It is also used if <code class="command">dual_log_enable</code> is set to <code class="command">YES</code>.
					</div><div class="para">
						The default value is <code class="filename">/var/log/xferlog</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">xferlog_std_format</code> — When enabled in conjunction with <code class="command">xferlog_enable</code>, only a <code class="command">wu-ftpd</code>-compatible file transfer log is written to the file specified in the <code class="command">xferlog_file</code> directive (<code class="filename">/var/log/xferlog</code> by default). It is important to note that this file only logs file transfers and does not log connections to the server.
					</div><div class="para">
						The default value is <code class="command">NO</code>. On Red Hat Enterprise Linux 5.8, this option is set to <code class="command">YES</code> in the configuration file.
					</div></li></ul></div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					To maintain compatibility with log files written by the older <code class="command">wu-ftpd</code> FTP server, the <code class="command">xferlog_std_format</code> directive is set to <code class="command">YES</code> under Red Hat Enterprise Linux. However, this setting means that connections to the server are not logged.
				</div><div class="para">
					To both log connections in <code class="command">vsftpd</code> format and maintain a <code class="command">wu-ftpd</code>-compatible file transfer log, set <code class="command">dual_log_enable</code> to <code class="command">YES</code>.
				</div><div class="para">
					If maintaining a <code class="command">wu-ftpd</code>-compatible file transfer log is not important, either set <code class="command">xferlog_std_format</code> to <code class="command">NO</code>, comment the line with a hash mark (<code class="command">#</code>), or delete the line entirely.
				</div></div></div></div><div class="section" id="s2-ftp-vsftpd-conf-opt-net"><div class="titlepage"><div><div><h3 class="title" id="s2-ftp-vsftpd-conf-opt-net">24.5.8. Network Options</h3></div></div></div><a id="id956626" class="indexterm"></a><div class="para">
				The following lists directives which affect how <code class="command">vsftpd</code> interacts with the network.
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">accept_timeout</code> — Specifies the amount of time for a client using passive mode to establish a connection.
					</div><div class="para">
						The default value is <code class="command">60</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">anon_max_rate</code> — Specifies the maximum data transfer rate for anonymous users in bytes per second.
					</div><div class="para">
						The default value is <code class="command">0</code>, which does not limit the transfer rate.
					</div></li><li class="listitem"><div class="para">
						<code class="command">connect_from_port_20</code> When enabled, <code class="command">vsftpd</code> runs with enough privileges to open port 20 on the server during active mode data transfers. Disabling this option allows <code class="command">vsftpd</code> to run with less privileges, but may be incompatible with some FTP clients.
					</div><div class="para">
						The default value is <code class="command">NO</code>. On Red Hat Enterprise Linux 5.8, this option is set to <code class="command">YES</code> in the configuration file.
					</div></li><li class="listitem"><div class="para">
						<code class="command">connect_timeout</code> — Specifies the maximum amount of time a client using active mode has to respond to a data connection, in seconds.
					</div><div class="para">
						The default value is <code class="command">60</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">data_connection_timeout</code> — Specifies maximum amount of time data transfers are allowed to stall, in seconds. Once triggered, the connection to the remote client is closed.
					</div><div class="para">
						The default value is <code class="command">300</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">ftp_data_port</code> — Specifies the port used for active data connections when <code class="command">connect_from_port_20</code> is set to <code class="command">YES</code>.
					</div><div class="para">
						The default value is <code class="command">20</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">idle_session_timeout</code> — Specifies the maximum amount of time between commands from a remote client. Once triggered, the connection to the remote client is closed.
					</div><div class="para">
						The default value is <code class="command">300</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">listen_address</code> — Specifies the IP address on which <code class="command">vsftpd</code> listens for network connections.
					</div><div class="para">
						There is no default value for this directive.
					</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
							If running multiple copies of <code class="command">vsftpd</code> serving different IP addresses, the configuration file for each copy of the <code class="command">vsftpd</code> daemon must have a different value for this directive. Refer to <a class="xref" href="#s2-ftp-vsftpd-start-multi">Section 24.4.1, “Starting Multiple Copies of <code class="command">vsftpd</code>”</a> for more information about multihomed FTP servers.
						</div></div></div></li><li class="listitem"><div class="para">
						<code class="command">listen_address6</code> — Specifies the IPv6 address on which <code class="command">vsftpd</code> listens for network connections when <code class="command">listen_ipv6</code> is set to <code class="command">YES</code>.
					</div><div class="para">
						There is no default value for this directive.
					</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
							If running multiple copies of <code class="command">vsftpd</code> serving different IP addresses, the configuration file for each copy of the <code class="command">vsftpd</code> daemon must have a different value for this directive. Refer to <a class="xref" href="#s2-ftp-vsftpd-start-multi">Section 24.4.1, “Starting Multiple Copies of <code class="command">vsftpd</code>”</a> for more information about multihomed FTP servers.
						</div></div></div></li><li class="listitem"><div class="para">
						<code class="command">listen_port</code> — Specifies the port on which <code class="command">vsftpd</code> listens for network connections.
					</div><div class="para">
						The default value is <code class="command">21</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">local_max_rate</code> — Specifies the maximum rate data is transferred for local users logged into the server in bytes per second.
					</div><div class="para">
						The default value is <code class="command">0</code>, which does not limit the transfer rate.
					</div></li><li class="listitem"><div class="para">
						<code class="command">max_clients</code> — Specifies the maximum number of simultaneous clients allowed to connect to the server when it is running in standalone mode. Any additional client connections would result in an error message.
					</div><div class="para">
						The default value is <code class="command">0</code>, which does not limit connections.
					</div></li><li class="listitem"><div class="para">
						<code class="command">max_per_ip</code> — Specifies the maximum of clients allowed to connected from the same source IP address.
					</div><div class="para">
						The default value is <code class="command">0</code>, which does not limit connections.
					</div></li><li class="listitem"><div class="para">
						<code class="command">pasv_address</code> — Specifies the IP address for the public facing IP address of the server for servers behind Network Address Translation (NAT) firewalls. This enables <code class="command">vsftpd</code> to hand out the correct return address for passive mode connections.
					</div><div class="para">
						There is no default value for this directive.
					</div></li><li class="listitem"><div class="para">
						<code class="command">pasv_enable</code> — When enabled, passive mode connects are allowed.
					</div><div class="para">
						The default value is <code class="command">YES</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">pasv_max_port</code> — Specifies the highest possible port sent to the FTP clients for passive mode connections. This setting is used to limit the port range so that firewall rules are easier to create.
					</div><div class="para">
						The default value is <code class="command">0</code>, which does not limit the highest passive port range. The value must not exceed <code class="command">65535</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">pasv_min_port</code> — Specifies the lowest possible port sent to the FTP clients for passive mode connections. This setting is used to limit the port range so that firewall rules are easier to create.
					</div><div class="para">
						The default value is <code class="command">0</code>, which does not limit the lowest passive port range. The value must not be lower <code class="command">1024</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">pasv_promiscuous</code> — When enabled, data connections are not checked to make sure they are originating from the same IP address. This setting is only useful for certain types of tunneling.
					</div><div class="para">
						The default value is <code class="command">NO</code>.
					</div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
							Do not enable this option unless absolutely necessary as it disables an important security feature which verifies that passive mode connections originate from the same IP address as the control connection that initiates the data transfer.
						</div></div></div></li><li class="listitem"><div class="para">
						<code class="command">port_enable</code> — When enabled, active mode connects are allowed.
					</div><div class="para">
						The default value is <code class="command">YES</code>.
					</div></li></ul></div></div></div><div class="section" id="s1-ftp-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-ftp-resources">24.6. Additional Resources</h2></div></div></div><a id="id957164" class="indexterm"></a><div class="para">
			For more information about <code class="command">vsftpd</code>, refer to the following resources.
		</div><div class="section" id="s2-ftp-installed-documentation"><div class="titlepage"><div><div><h3 class="title" id="s2-ftp-installed-documentation">24.6.1. Installed Documentation</h3></div></div></div><a id="id957198" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						The <code class="filename">/usr/share/doc/vsftpd-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/</code> directory — Replace <em class="replaceable"><code>&lt;version-number&gt;</code></em> with the installed version of the <code class="filename">vsftpd</code> package. This directory contains a <code class="filename">README</code> with basic information about the software. The <code class="filename">TUNING</code> file contains basic performance tuning tips and the <code class="filename">SECURITY/</code> directory contains information about the security model employed by <code class="command">vsftpd</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">vsftpd</code> related man pages — There are a number of man pages for the daemon and configuration files. The following lists some of the more important man pages.
					</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">Server Applications</span></dt><dd><div class="itemizedlist"><ul><li class="listitem"><div class="para">
											<code class="command">man vsftpd</code> — Describes available command line options for <code class="command">vsftpd</code>.
										</div></li></ul></div></dd><dt class="varlistentry"><span class="term">Configuration Files</span></dt><dd><div class="itemizedlist"><ul><li class="listitem"><div class="para">
											<code class="command">man vsftpd.conf</code> — Contains a detailed list of options available within the configuration file for <code class="command">vsftpd</code>.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man 5 hosts_access </code> — Describes the format and options available within the TCP wrappers configuration files: <code class="filename">hosts.allow</code> and <code class="filename">hosts.deny</code>.
										</div></li></ul></div></dd></dl></div></li></ul></div></div><div class="section" id="s2-ftp-useful-websites"><div class="titlepage"><div><div><h3 class="title" id="s2-ftp-useful-websites">24.6.2. Useful Websites</h3></div></div></div><a id="id957374" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://vsftpd.beasts.org/">http://vsftpd.beasts.org/</a> — The <code class="command">vsftpd</code> project page is a great place to locate the latest documentation and to contact the author of the software.
					</div></li><li class="listitem"><div class="para">
						<a href="http://slacksite.com/other/ftp.html">http://slacksite.com/other/ftp.html</a> — This website provides a concise explanation of the differences between active and passive mode FTP.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.ietf.org/rfc/rfc0959.txt">http://www.ietf.org/rfc/rfc0959.txt</a> — The original <em class="firstterm">Request for Comments</em> (<em class="firstterm">RFC</em>) of the FTP protocol from the IETF.
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-email" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 25. Email</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-email-protocols">25.1. Email Protocols</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-email-protocols-send">25.1.1. Mail Transport Protocols</a></span></dt><dt><span class="section"><a href="#s2-email-protocols-client">25.1.2. Mail Access Protocols</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-email-types">25.2. Email Program Classifications</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-email-types-mta">25.2.1. Mail Transport Agent</a></span></dt><dt><span class="section"><a href="#s2-email-types-mda">25.2.2. Mail Delivery Agent</a></span></dt><dt><span class="section"><a href="#s2-email-types-mua">25.2.3. Mail User Agent</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-email-mta">25.3. Mail Transport Agents</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-email-mta-sendmail">25.3.1. Sendmail</a></span></dt><dt><span class="section"><a href="#s2-email-mta-postfix">25.3.2. Postfix</a></span></dt><dt><span class="section"><a href="#s2-email-mta-fetchmail">25.3.3. Fetchmail</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-email-switchmail">25.4. Mail Transport Agent (MTA) Configuration</a></span></dt><dt><span class="section"><a href="#s1-email-mda">25.5. Mail Delivery Agents</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-email-procmail-configuration">25.5.1. Procmail Configuration</a></span></dt><dt><span class="section"><a href="#s2-email-procmail-recipes">25.5.2. Procmail Recipes</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-email-mua">25.6. Mail User Agents</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-email-security">25.6.1. Securing Communication</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-email-additional-resources">25.7. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-email-installed-docs">25.7.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-email-useful-websites">25.7.2. Useful Websites</a></span></dt><dt><span class="section"><a href="#s2-email-related-books">25.7.3. Related Books</a></span></dt></dl></dd></dl></div><a id="id821444" class="indexterm"></a><div class="para">
		The birth of electronic mail (<em class="firstterm">email</em>) occurred in the early 1960s. The mailbox was a file in a user's home directory that was readable only by that user. Primitive mail applications appended new text messages to the bottom of the file, making the user wade through the constantly growing file to find any particular message. This system was only capable of sending messages to users on the same system.
	</div><div class="para">
		The first network transfer of an electronic mail message file took place in 1971 when a computer engineer named Ray Tomlinson sent a test message between two machines via ARPANET — the precursor to the Internet. Communication via email soon became very popular, comprising 75 percent of ARPANET's traffic in less than two years.
	</div><div class="para">
		Today, email systems based on standardized network protocols have evolved into some of the most widely used services on the Internet. Red Hat Enterprise Linux offers many advanced applications to serve and access email.
	</div><div class="para">
		This chapter reviews modern email protocols in use today and some of the programs designed to send and receive email.
	</div><div class="section" id="s1-email-protocols"><div class="titlepage"><div><div><h2 class="title" id="s1-email-protocols">25.1. Email Protocols</h2></div></div></div><a id="id1040710" class="indexterm"></a><div class="para">
			Today, email is delivered using a client/server architecture. An email message is created using a mail client program. This program then sends the message to a server. The server then forwards the message to the recipient's email server, where the message is then supplied to the recipient's email client.
		</div><div class="para">
			To enable this process, a variety of standard network protocols allow different machines, often running different operating systems and using different email programs, to send and receive email.
		</div><div class="para">
			The following protocols discussed are the most commonly used in the transfer of email.
		</div><div class="section" id="s2-email-protocols-send"><div class="titlepage"><div><div><h3 class="title" id="s2-email-protocols-send">25.1.1. Mail Transport Protocols</h3></div></div></div><div class="para">
				Mail delivery from a client application to the server, and from an originating server to the destination server, is handled by the <em class="firstterm">Simple Mail Transfer Protocol</em> (<em class="firstterm">SMTP</em>).
			</div><div class="section" id="s3-email-protocols-smtp"><div class="titlepage"><div><div><h4 class="title" id="s3-email-protocols-smtp">25.1.1.1. SMTP</h4></div></div></div><a id="id1061455" class="indexterm"></a><div class="para">
					The primary purpose of SMTP is to transfer email between mail servers. However, it is critical for email clients as well. To send email, the client sends the message to an outgoing mail server, which in turn contacts the destination mail server for delivery. For this reason, it is necessary to specify an SMTP server when configuring an email client.
				</div><div class="para">
					Under Red Hat Enterprise Linux, a user can configure an SMTP server on the local machine to handle mail delivery. However, it is also possible to configure remote SMTP servers for outgoing mail.
				</div><div class="para">
					One important point to make about the SMTP protocol is that it does not require authentication. This allows anyone on the Internet to send email to anyone else or even to large groups of people. It is this characteristic of SMTP that makes junk email or <em class="firstterm">spam</em> possible. Imposing relay restrictions limits random users on the Internet from sending email through your SMTP server, to other servers on the internet. Servers that do not impose such restrictions are called <em class="firstterm">open relay</em> servers.
				</div><div class="para">
					By default, Sendmail (<code class="command">/usr/sbin/sendmail</code>) is the default SMTP program under Red Hat Enterprise Linux. However, a simpler mail server application called Postfix (<code class="command">/usr/sbin/postfix</code>) is also available.
				</div></div></div><div class="section" id="s2-email-protocols-client"><div class="titlepage"><div><div><h3 class="title" id="s2-email-protocols-client">25.1.2. Mail Access Protocols</h3></div></div></div><div class="para">
				There are two primary protocols used by email client applications to retrieve email from mail servers: the <em class="firstterm">Post Office Protocol</em> (<em class="firstterm">POP</em>) and the <em class="firstterm">Internet Message Access Protocol</em> (<em class="firstterm">IMAP</em>).
			</div><div class="section" id="s3-email-protocols-pop"><div class="titlepage"><div><div><h4 class="title" id="s3-email-protocols-pop">25.1.2.1. POP</h4></div></div></div><a id="id821653" class="indexterm"></a><div class="para">
					The default POP server under Red Hat Enterprise Linux is <code class="command">/usr/lib/cyrus-imapd/pop3d</code> and is provided by the <code class="filename">cyrus-imapd</code> package. When using a POP server, email messages are downloaded by email client applications. By default, most POP email clients are automatically configured to delete the message on the email server after it has been successfully transferred, however this setting usually can be changed.
				</div><div class="para">
					POP is fully compatible with important Internet messaging standards, such as <em class="firstterm">Multipurpose Internet Mail Extensions</em> (<em class="firstterm">MIME</em>), which allow for email attachments.
				</div><div class="para">
					POP works best for users who have one system on which to read email. It also works well for users who do not have a persistent connection to the Internet or the network containing the mail server. Unfortunately for those with slow network connections, POP requires client programs upon authentication to download the entire content of each message. This can take a long time if any messages have large attachments.
				</div><div class="para">
					The most current version of the standard POP protocol is POP3.
				</div><div class="para">
					There are, however, a variety of lesser-used POP protocol variants:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<span class="emphasis"><em>APOP</em></span> — POP3 with MDS authentication. An encoded hash of the user's password is sent from the email client to the server rather then sending an unencrypted password.
						</div></li><li class="listitem"><div class="para">
							<span class="emphasis"><em>KPOP</em></span> — POP3 with Kerberos authentication. Refer to <a class="xref" href="#ch-kerberos">Section 46.6, “Kerberos”</a> for more information.
						</div></li><li class="listitem"><div class="para">
							<span class="emphasis"><em>RPOP</em></span> — POP3 with RPOP authentication. This uses a per-user ID, similar to a password, to authenticate POP requests. However, this ID is not encrypted, so RPOP is no more secure than standard POP.
						</div></li></ul></div><div class="para">
					For added security, it is possible to use <em class="firstterm">Secure Socket Layer</em> (<em class="firstterm">SSL</em>) encryption for client authentication and data transfer sessions. This can be enabled by using the <code class="command">ipop3s</code> service or by using the <code class="command">/usr/sbin/stunnel</code> program. Refer to <a class="xref" href="#s2-email-security">Section 25.6.1, “Securing Communication”</a> for more information.
				</div></div><div class="section" id="s3-email-protocols-imap"><div class="titlepage"><div><div><h4 class="title" id="s3-email-protocols-imap">25.1.2.2. IMAP</h4></div></div></div><a id="id1061421" class="indexterm"></a><div class="para">
					The default IMAP server under Red Hat Enterprise Linux is <code class="command">/usr/lib/cyrus-imapd/imapd</code> and is provided by the <code class="filename">cyrus-imapd</code> package. When using an IMAP mail server, email messages remain on the server where users can read or delete them. IMAP also allows client applications to create, rename, or delete mail directories on the server to organize and store email.
				</div><div class="para">
					IMAP is particularly useful for those who access their email using multiple machines. The protocol is also convenient for users connecting to the mail server via a slow connection, because only the email header information is downloaded for messages until opened, saving bandwidth. The user also has the ability to delete messages without viewing or downloading them.
				</div><div class="para">
					For convenience, IMAP client applications are capable of caching copies of messages locally, so the user can browse previously read messages when not directly connected to the IMAP server.
				</div><div class="para">
					IMAP, like POP, is fully compatible with important Internet messaging standards, such as MIME, which allow for email attachments.
				</div><div class="para">
					For added security, it is possible to use <em class="firstterm">SSL</em> encryption for client authentication and data transfer sessions. This can be enabled by using the <code class="command">imaps</code> service, or by using the <code class="command">/usr/sbin/stunnel</code> program. Refer to <a class="xref" href="#s2-email-security">Section 25.6.1, “Securing Communication”</a> for more information.
				</div><div class="para">
					Other free, as well as commercial, IMAP clients and servers are available, many of which extend the IMAP protocol and provide additional functionality. A comprehensive list can be found online at <a href="http://www.imap.org/products/longlist.htm">http://www.imap.org/products/longlist.htm</a>.
				</div></div><div class="section" id="s3-email-protocols-dovecot"><div class="titlepage"><div><div><h4 class="title" id="s3-email-protocols-dovecot">25.1.2.3. Dovecot</h4></div></div></div><a id="id821393" class="indexterm"></a><div class="para">
					The <code class="literal">imap-login</code> and <code class="literal">pop3-login</code> daemons which implement the IMAP and POP3 protocols are included in the <code class="literal">dovecot</code> package. The use of IMAP and POP is configured through <code class="literal">dovecot</code>; by default <code class="literal">dovecot</code> runs only IMAP. To configure <code class="literal">dovecot</code> to use POP:
				</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
							Edit <code class="filename">/etc/dovecot.conf</code> to have the line:
						</div><pre class="screen">protocols = imap imaps pop3 pop3s</pre></li><li class="listitem"><div class="para">
							Make that change operational for the current session by running the command:
						</div><pre class="screen"><code class="command">service dovecot restart</code></pre></li><li class="listitem"><div class="para">
							Make that change operational after the next reboot by running the command:
						</div><pre class="screen"><code class="command">chkconfig dovecot on</code></pre><div class="para">
							Please note that <code class="filename">dovecot</code> only reports that it started the IMAP server, but also starts the POP3 server.
						</div></li></ol></div><div class="para">
					Unlike SMTP, both of these protocols require connecting clients to authenticate using a username and password. By default, passwords for both protocols are passed over the network unencrypted.
				</div><div class="para">
					To configure SSL on dovecot: 
					<div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Edit the <code class="filename">dovecot</code> configuration file <code class="filename">/etc/pki/dovecot/dovecot-openssl.conf</code> as you prefer. However in a typical installation, this file does not require modification.
							</div></li><li class="listitem"><div class="para">
								Rename, move or delete the files <code class="filename">/etc/pki/dovecot/certs/dovecot.pem</code> and <code class="filename">/etc/pki/dovecot/private/dovecot.pem</code>.
							</div></li><li class="listitem"><div class="para">
								Execute the <code class="filename">/usr/share/doc/dovecot-1.0/examples/mkcert.sh</code> script which creates the dovecot self signed certificates. The certificates are copied in the <code class="filename">/etc/pki/dovecot/certs</code> and <code class="filename">/etc/pki/dovecot/private</code> directories. To implement the changes, restart <code class="filename">dovecot</code> (<code class="command">/sbin/service dovecot restart</code>).
							</div></li></ul></div>
					 More details on <code class="filename">dovecot</code> can be found online at <a href="http://www.dovecot.org">http://www.dovecot.org</a>.
				</div></div></div></div><div class="section" id="s1-email-types"><div class="titlepage"><div><div><h2 class="title" id="s1-email-types">25.2. Email Program Classifications</h2></div></div></div><a id="id1058417" class="indexterm"></a><div class="para">
			In general, all email applications fall into at least one of three classifications. Each classification plays a specific role in the process of moving and managing email messages. While most users are only aware of the specific email program they use to receive and send messages, each one is important for ensuring that email arrives at the correct destination.
		</div><div class="section" id="s2-email-types-mta"><div class="titlepage"><div><div><h3 class="title" id="s2-email-types-mta">25.2.1. Mail Transport Agent</h3></div></div></div><a id="id1058440" class="indexterm"></a><a id="id1058454" class="indexterm"></a><a id="id1058465" class="indexterm"></a><div class="para">
				A <em class="firstterm">Mail Transport Agent</em> (<em class="firstterm">MTA</em>) transports email messages between hosts using SMTP. A message may involve several MTAs as it moves to its intended destination.
			</div><div class="para">
				While the delivery of messages between machines may seem rather straightforward, the entire process of deciding if a particular MTA can or should accept a message for delivery is quite complicated. In addition, due to problems from spam, use of a particular MTA is usually restricted by the MTA's configuration or the access configuration for the network on which the MTA resides.
			</div><div class="para">
				Many modern email client programs can act as an MTA when sending email. However, this action should not be confused with the role of a true MTA. The sole reason email client programs are capable of sending email like an MTA is because the host running the application does not have its own MTA. This is particularly true for email client programs on non-UNIX-based operating systems. However, these client programs only send outbound messages to an MTA they are authorized to use and do not directly deliver the message to the intended recipient's email server.
			</div><div class="para">
				Since Red Hat Enterprise Linux installs two MTAs, Sendmail and Postfix, email client programs are often not required to act as an MTA. Red Hat Enterprise Linux also includes a special purpose MTA called Fetchmail.
			</div><div class="para">
				For more information on Sendmail, Postfix, and Fetchmail, refer to <a class="xref" href="#s1-email-mta">Section 25.3, “Mail Transport Agents”</a>.
			</div></div><div class="section" id="s2-email-types-mda"><div class="titlepage"><div><div><h3 class="title" id="s2-email-types-mda">25.2.2. Mail Delivery Agent</h3></div></div></div><a id="id823470" class="indexterm"></a><a id="id823484" class="indexterm"></a><a id="id823494" class="indexterm"></a><div class="para">
				A <em class="firstterm">Mail Delivery Agent</em> (<em class="firstterm">MDA</em>) is invoked by the MTA to file incoming email in the proper user's mailbox. In many cases, the MDA is actually a <em class="firstterm">Local Delivery Agent</em> (<em class="firstterm">LDA</em>), such as <code class="command">mail</code> or Procmail.
			</div><div class="para">
				Any program that actually handles a message for delivery to the point where it can be read by an email client application can be considered an MDA. For this reason, some MTAs (such as Sendmail and Postfix) can fill the role of an MDA when they append new email messages to a local user's mail spool file. In general, MDAs do not transport messages between systems nor do they provide a user interface; MDAs distribute and sort messages on the local machine for an email client application to access.
			</div></div><div class="section" id="s2-email-types-mua"><div class="titlepage"><div><div><h3 class="title" id="s2-email-types-mua">25.2.3. Mail User Agent</h3></div></div></div><a id="id952480" class="indexterm"></a><a id="id952494" class="indexterm"></a><a id="id952504" class="indexterm"></a><div class="para">
				A <em class="firstterm">Mail User Agent</em> (<em class="firstterm">MUA</em>) is synonymous with an email client application. An MUA is a program that, at the very least, allows a user to read and compose email messages. Many MUAs are capable of retrieving messages via the POP or IMAP protocols, setting up mailboxes to store messages, and sending outbound messages to an MTA.
			</div><div class="para">
				MUAs may be graphical, such as Evolution, or have a very simple, text-based interface, such as <code class="command">mutt</code>.
			</div></div></div><div class="section" id="s1-email-mta"><div class="titlepage"><div><div><h2 class="title" id="s1-email-mta">25.3. Mail Transport Agents</h2></div></div></div><div class="para">
			Red Hat Enterprise Linux includes two primary MTAs, Sendmail and Postfix. Sendmail is configured as the default MTA, although it is easy to switch the default MTA to Postfix.
		</div><div class="section" id="s2-email-mta-sendmail"><div class="titlepage"><div><div><h3 class="title" id="s2-email-mta-sendmail">25.3.1. Sendmail</h3></div></div></div><a id="id952553" class="indexterm"></a><a id="id952567" class="indexterm"></a><div class="para">
				Sendmail's core purpose, like other MTAs, is to safely transfer email among hosts, usually using the SMTP protocol. However, Sendmail is highly configurable, allowing control over almost every aspect of how email is handled, including the protocol used. Many system administrators elect to use Sendmail as their MTA due to its power and scalability.
			</div><div class="section" id="s3-email-mta-sendmail-purpose"><div class="titlepage"><div><div><h4 class="title" id="s3-email-mta-sendmail-purpose">25.3.1.1. Purpose and Limitations</h4></div></div></div><a id="id952591" class="indexterm"></a><a id="id967190" class="indexterm"></a><div class="para">
					It is important to be aware of what Sendmail is and what it can do, as opposed to what it is not. In these days of monolithic applications that fulfill multiple roles, Sendmail may seem like the only application needed to run an email server within an organization. Technically, this is true, as Sendmail can spool mail to each users' directory and deliver outbound mail for users. However, most users actually require much more than simple email delivery. Users usually want to interact with their email using an MUA, that uses POP or IMAP, to download their messages to their local machine. Or, they may prefer a Web interface to gain access to their mailbox. These other applications can work in conjunction with Sendmail, but they actually exist for different reasons and can operate separately from one another.
				</div><div class="para">
					It is beyond the scope of this section to go into all that Sendmail should or could be configured to do. With literally hundreds of different options and rule sets, entire volumes have been dedicated to helping explain everything that can be done and how to fix things that go wrong. Refer to the <a class="xref" href="#s1-email-additional-resources">Section 25.7, “Additional Resources”</a> for a list of Sendmail resources.
				</div><div class="para">
					This section reviews the files installed with Sendmail by default and reviews basic configuration changes, including how to stop unwanted email (spam) and how to extend Sendmail with the <em class="firstterm">Lightweight Directory Access Protocol (LDAP)</em>.
				</div></div><div class="section" id="s3-email-mta-sendmail-default"><div class="titlepage"><div><div><h4 class="title" id="s3-email-mta-sendmail-default">25.3.1.2. The Default Sendmail Installation</h4></div></div></div><a id="id967243" class="indexterm"></a><div class="para">
					The Sendmail executable is <code class="filename">/usr/sbin/sendmail</code>.
				</div><div class="para">
					Sendmail's lengthy and detailed configuration file is <code class="filename">/etc/mail/sendmail.cf</code>. Avoid editing the <code class="filename">sendmail.cf</code> file directly. To make configuration changes to Sendmail, edit the <code class="filename">/etc/mail/sendmail.mc</code> file, back up the original <code class="filename">/etc/mail/sendmail.cf</code>, and use the following alternatives to generate a new configuration file: 
					<div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Use the included makefile in <code class="filename">/etc/mail</code> (<code class="command">make all -C /etc/mail</code>) to create a new <code class="filename">/etc/mail/sendmail.cf</code> configuration file. All other generated files in <code class="filename">/etc/mail</code> (db files) will be regenerated if needed. The old makemap commands are still usable. The make command will automatically be used by <code class="command">service sendmail start | restart | reload</code> if the <code class="filename">make</code> package is installed.
							</div></li><li class="listitem"><div class="para">
								Alternatively you may use the included <code class="command">m4</code> macro processor to create a new <code class="filename">/etc/mail/sendmail.cf</code>.
							</div></li></ul></div>
					 More information on configuring Sendmail can be found in <a class="xref" href="#s3-email-mta-sendmail-changes">Section 25.3.1.3, “Common Sendmail Configuration Changes”</a>.
				</div><div class="para">
					Various Sendmail configuration files are installed in the <code class="filename">/etc/mail/</code> directory including:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="filename">access</code> — Specifies which systems can use Sendmail for outbound email.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">domaintable</code> — Specifies domain name mapping.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">local-host-names</code> — Specifies aliases for the host.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">mailertable</code> — Specifies instructions that override routing for particular domains.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">virtusertable</code> — Specifies a domain-specific form of aliasing, allowing multiple virtual domains to be hosted on one machine.
						</div></li></ul></div><div class="para">
					Several of the configuration files in <code class="filename">/etc/mail/</code>, such as <code class="filename">access</code>, <code class="filename">domaintable</code>, <code class="filename">mailertable</code> and <code class="filename">virtusertable</code>, must actually store their information in database files before Sendmail can use any configuration changes. To include any changes made to these configurations in their database files, run the following command:
				</div><div class="para">
					<code class="command">makemap hash /etc/mail/<em class="replaceable"><code>&lt;name&gt;</code></em> &lt; /etc/mail/<em class="replaceable"><code>&lt;name&gt;</code></em> </code>
				</div><div class="para">
					where <em class="replaceable"><code>&lt;name&gt;</code></em> is replaced with the name of the configuration file to convert.
				</div><div class="para">
					For example, to have all emails addressed to the <code class="filename">example.com</code> domain delivered to <code class="email"><a class="email" href="mailto:bob@other-example.com">bob@other-example.com</a></code>
					, add the following line to the <code class="filename">virtusertable</code> file:
				</div><pre class="screen">@example.com     bob@other-example.com</pre><div class="para">
					To finalize the change, the <code class="filename">virtusertable.db</code> file must be updated using the following command as root:
				</div><pre class="screen"><code class="command">makemap hash /etc/mail/virtusertable &lt; /etc/mail/virtusertable</code></pre><div class="para">
					This creates an updated <code class="filename">virtusertable.db</code> file containing the new configuration.
				</div></div><div class="section" id="s3-email-mta-sendmail-changes"><div class="titlepage"><div><div><h4 class="title" id="s3-email-mta-sendmail-changes">25.3.1.3. Common Sendmail Configuration Changes</h4></div></div></div><a id="id1060968" class="indexterm"></a><a id="id1060981" class="indexterm"></a><div class="para">
					When altering the Sendmail configuration file, it is best not to edit an existing file, but to generate an entirely new <code class="filename">/etc/mail/sendmail.cf</code> file.
				</div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
						Before changing the <code class="filename">sendmail.cf</code> file, it is a good idea to create a backup copy.
					</div></div></div><div class="para">
					To add the desired functionality to Sendmail, edit the <code class="filename">/etc/mail/sendmail.mc</code> file as the root user. When finished, use the <code class="command">m4</code> macro processor to generate a new <code class="filename">sendmail.cf</code> by executing the following command:
				</div><pre class="screen"><code class="command">m4 /etc/mail/sendmail.mc &gt; /etc/mail/sendmail.cf</code></pre><div class="para">
					By default, the <code class="command">m4</code> macro processor is installed with Sendmail but is part of the <code class="filename">m4</code> package.
				</div><div class="para">
					After creating a new <code class="filename">/etc/mail/sendmail.cf</code> file, restart Sendmail for the changes to take effect. The easiest way to do this is to type the following command:
				</div><pre class="screen"><code class="command">service sendmail restart</code></pre><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
						The default <code class="filename">sendmail.cf</code> file does not allow Sendmail to accept network connections from any host other than the local computer. To configure Sendmail as a server for other clients, edit the <code class="filename">/etc/mail/sendmail.mc</code> file, and either change the address specified in the <code class="command">Addr=</code> option of the <code class="command">DAEMON_OPTIONS</code> directive from <code class="command">127.0.0.1</code> to the IP address of an active network device or comment out the <code class="command">DAEMON_OPTIONS</code> directive all together by placing <code class="command">dnl</code> at the beginning of the line. When finished, regenerate <code class="filename">/etc/mail/sendmail.cf</code> by executing the following command:
					</div><pre class="screen"><code class="command">m4 /etc/mail/sendmail.mc &gt; /etc/mail/sendmail.cf</code></pre></div></div><div class="para">
					The default configuration which ships with Red Hat Enterprise Linux works for most SMTP-only sites. However, it does not work for UUCP (UNIX to UNIX Copy) sites. If using UUCP mail transfers, the <code class="filename">/etc/mail/sendmail.mc</code> file must be reconfigured and a new <code class="filename">/etc/mail/sendmail.cf</code> must be generated.
				</div><div class="para">
					Consult the <code class="filename">/usr/share/sendmail-cf/README</code> file before editing any files in the directories under the <code class="filename">/usr/share/sendmail-cf</code> directory, as they can affect the future configuration of <code class="filename">/etc/mail/sendmail.cf</code> files.
				</div></div><div class="section" id="s3-email-sendmail-changes-masquerading"><div class="titlepage"><div><div><h4 class="title" id="s3-email-sendmail-changes-masquerading">25.3.1.4. Masquerading</h4></div></div></div><a id="id1061151" class="indexterm"></a><a id="id1061165" class="indexterm"></a><div class="para">
					One common Sendmail configuration is to have a single machine act as a mail gateway for all machines on the network. For instance, a company may want to have a machine called <code class="computeroutput">mail.example.com</code> that handles all of their email and assigns a consistent return address to all outgoing mail.
				</div><div class="para">
					In this situation, the Sendmail server must masquerade the machine names on the company network so that their return address is <code class="computeroutput">user@example.com</code> instead of <code class="computeroutput">user@host.example.com</code>.
				</div><div class="para">
					To do this, add the following lines to <code class="filename">/etc/mail/sendmail.mc</code>:
				</div><pre class="screen">FEATURE(always_add_domain)dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`allmasquerade')dnl
MASQUERADE_AS(`bigcorp.com.')dnl
MASQUERADE_DOMAIN(`bigcorp.com.')dnl
MASQUERADE_AS(bigcorp.com)dnl</pre><div class="para">
					After generating a new <code class="filename">sendmail.cf</code> using <code class="command">m4</code>, this configuration makes all mail from inside the network appear as if it were sent from <code class="computeroutput">bigcorp.com</code>.
				</div></div><div class="section" id="s3-email-sendmail-stopping-spam"><div class="titlepage"><div><div><h4 class="title" id="s3-email-sendmail-stopping-spam">25.3.1.5. Stopping Spam</h4></div></div></div><a id="id1061239" class="indexterm"></a><div class="para">
					Email spam can be defined as unnecessary and unwanted email received by a user who never requested the communication. It is a disruptive, costly, and widespread abuse of Internet communication standards.
				</div><div class="para">
					Sendmail makes it relatively easy to block new spamming techniques being employed to send junk email. It even blocks many of the more usual spamming methods by default. Main anti-spam features available in sendmail are <em class="firstterm">header checks, relaying denial (default from version 8.9), access database and sender information checks.</em>
				</div><div class="para">
					For example, forwarding of SMTP messages, also called relaying, has been disabled by default since Sendmail version 8.9. Before this change occurred, Sendmail directed the mail host (<code class="filename">x.edu</code>) to accept messages from one party (<code class="filename">y.com</code>) and sent them to a different party (<code class="filename">z.net</code>). Now, however, Sendmail must be configured to permit any domain to relay mail through the server. To configure relay domains, edit the <code class="filename">/etc/mail/relay-domains</code> file and restart Sendmail.
				</div><div class="para">
					However, many times users are bombarded with spam from other servers throughout the Internet. In these instances, Sendmail's access control features available through the <code class="filename">/etc/mail/access</code> file can be used to prevent connections from unwanted hosts. The following example illustrates how this file can be used to both block and specifically allow access to the Sendmail server:
				</div><pre class="screen">badspammer.com       ERROR:550 "Go away and do not spam us anymore"
tux.badspammer.com   OK
10.0                 RELAY</pre><div class="para">
					This example shows that any email sent from <code class="filename">badspammer.com</code> is blocked with a 550 RFC-821 compliant error code, with a message sent back to the spammer. Email sent from the <code class="filename">tux.badspammer.com</code> sub-domain, is accepted. The last line shows that any email sent from the 10.0.*.* network can be relayed through the mail server.
				</div><div class="para">
					Because <code class="filename">/etc/mail/access.db</code> is a database, use <code class="command">makemap</code> to activate any changes. Do this using the following command as root:
				</div><pre class="screen"><code class="command">makemap hash /etc/mail/access &lt; /etc/mail/access</code></pre><div class="para">
					Message header analysis allows you to reject mail based on header contents. SMTP servers store information about an emails journey in the message header. As the message travels from one MTA to another, each puts in a "Received" header above all the other Received headers. It is however important to note that this information may be altered by spammers.
				</div><div class="para">
					The above examples only represent a small part of what Sendmail can do in terms of allowing or blocking access. Refer to the <code class="filename">/usr/share/sendmail-cf/README</code> for more information and examples.
				</div><div class="para">
					Since Sendmail calls the Procmail MDA when delivering mail, it is also possible to use a spam filtering program, such as SpamAssassin, to identify and file spam for users. Refer to <a class="xref" href="#s3-email-mda-spam">Section 25.5.2.6, “Spam Filters”</a> for more about using SpamAssassin.
				</div></div><div class="section" id="s3-email-mta-sendmail-ldap"><div class="titlepage"><div><div><h4 class="title" id="s3-email-mta-sendmail-ldap">25.3.1.6. Using Sendmail with LDAP</h4></div></div></div><a id="id1061370" class="indexterm"></a><div class="para">
					Using the <em class="firstterm">Lightweight Directory Access Protocol (LDAP)</em> is a very quick and powerful way to find specific information about a particular user from a much larger group. For example, an LDAP server can be used to look up a particular email address from a common corporate directory by the user's last name. In this kind of implementation, LDAP is largely separate from Sendmail, with LDAP storing the hierarchical user information and Sendmail only being given the result of LDAP queries in pre-addressed email messages.
				</div><div class="para">
					However, Sendmail supports a much greater integration with LDAP, where it uses LDAP to replace separately maintained files, such as <code class="filename">aliases</code> and <code class="filename">virtusertables</code>, on different mail servers that work together to support a medium- to enterprise-level organization. In short, LDAP abstracts the mail routing level from Sendmail and its separate configuration files to a powerful LDAP cluster that can be leveraged by many different applications.
				</div><div class="para">
					The current version of Sendmail contains support for LDAP. To extend the Sendmail server using LDAP, first get an LDAP server, such as <span class="application"><strong>OpenLDAP</strong></span>, running and properly configured. Then edit the <code class="filename">/etc/mail/sendmail.mc</code> to include the following:
				</div><pre class="screen">LDAPROUTE_DOMAIN('<em class="replaceable"><code>yourdomain.com</code></em>')dnl
FEATURE('ldap_routing')dnl</pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						This is only for a very basic configuration of Sendmail with LDAP. The configuration can differ greatly from this depending on the implementation of LDAP, especially when configuring several Sendmail machines to use a common LDAP server.
					</div><div class="para">
						Consult <code class="filename">/usr/share/sendmail-cf/README</code> for detailed LDAP routing configuration instructions and examples.
					</div></div></div><div class="para">
					Next, recreate the <code class="filename">/etc/mail/sendmail.cf</code> file by running <code class="command">m4</code> and restarting Sendmail. Refer to <a class="xref" href="#s3-email-mta-sendmail-changes">Section 25.3.1.3, “Common Sendmail Configuration Changes”</a> for instructions.
				</div><div class="para">
					For more information on LDAP, refer to <a class="xref" href="#ch-ldap">Chapter 26, <em>Lightweight Directory Access Protocol (LDAP)</em></a>.
				</div></div></div><div class="section" id="s2-email-mta-postfix"><div class="titlepage"><div><div><h3 class="title" id="s2-email-mta-postfix">25.3.2. Postfix</h3></div></div></div><a id="id936408" class="indexterm"></a><a id="id936421" class="indexterm"></a><div class="para">
				Originally developed at IBM by security expert and programmer Wietse Venema, Postfix is a Sendmail-compatible MTA that is designed to be secure, fast, and easy to configure.
			</div><div class="para">
				To improve security, Postfix uses a modular design, where small processes with limited privileges are launched by a <em class="firstterm">master</em> daemon. The smaller, less privileged processes perform very specific tasks related to the various stages of mail delivery and run in a change rooted environment to limit the effects of attacks.
			</div><div class="para">
				Configuring Postfix to accept network connections from hosts other than the local computer takes only a few minor changes in its configuration file. Yet for those with more complex needs, Postfix provides a variety of configuration options, as well as third party add ons that make it a very versatile and full-featured MTA.
			</div><div class="para">
				The configuration files for Postfix are human readable and support upward of 250 directives. Unlike Sendmail, no macro processing is required for changes to take effect and the majority of the most commonly used options are described in the heavily commented files.
			</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					Before using Postfix, the default MTA must be switched from Sendmail to Postfix.
				</div></div></div><div class="section" id="s3-email-mta-postfix-default"><div class="titlepage"><div><div><h4 class="title" id="s3-email-mta-postfix-default">25.3.2.1. The Default Postfix Installation</h4></div></div></div><a id="id936479" class="indexterm"></a><div class="para">
					The Postfix executable is <code class="filename">/usr/sbin/postfix</code>. This daemon launches all related processes needed to handle mail delivery.
				</div><div class="para">
					Postfix stores its configuration files in the <code class="filename">/etc/postfix/</code> directory. The following is a list of the more commonly used files:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="filename">access</code> — Used for access control, this file specifies which hosts are allowed to connect to Postfix.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">aliases</code> — A configurable list required by the mail protocol.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">main.cf</code> — The global Postfix configuration file. The majority of configuration options are specified in this file.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">master.cf</code> — Specifies how Postfix interacts with various processes to accomplish mail delivery.
						</div></li><li class="listitem"><div class="para">
							<code class="filename">transport</code> — Maps email addresses to relay hosts.
						</div></li></ul></div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
						The default <code class="filename">/etc/postfix/main.cf</code> file does not allow Postfix to accept network connections from a host other than the local computer. For instructions on configuring Postfix as a server for other clients, refer to <a class="xref" href="#s3-email-mta-postfix-conf">Section 25.3.2.2, “Basic Postfix Configuration”</a>.
					</div></div></div><div class="para">
					When changing some options within files in the <code class="filename">/etc/postfix/</code> directory, it may be necessary to restart the <code class="command">postfix</code> service for the changes to take effect. The easiest way to do this is to type the following command:
				</div><pre class="screen"><code class="command">service postfix restart</code></pre></div><div class="section" id="s3-email-mta-postfix-conf"><div class="titlepage"><div><div><h4 class="title" id="s3-email-mta-postfix-conf">25.3.2.2. Basic Postfix Configuration</h4></div></div></div><div class="para">
					By default, Postfix does not accept network connections from any host other than the local host. Perform the following steps as root to enable mail delivery for other hosts on the network:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							Edit the <code class="filename">/etc/postfix/main.cf</code> file with a text editor, such as <code class="command">vi</code>.
						</div></li><li class="listitem"><div class="para">
							Uncomment the <code class="command">mydomain</code> line by removing the hash mark (<code class="command">#</code>), and replace <em class="replaceable"><code>domain.tld</code></em> with the domain the mail server is servicing, such as <code class="command">example.com</code>.
						</div></li><li class="listitem"><div class="para">
							Uncomment the <code class="command">myorigin = $mydomain</code> line.
						</div></li><li class="listitem"><div class="para">
							Uncomment the <code class="command">myhostname</code> line, and replace <em class="replaceable"><code>host.domain.tld</code></em> with the hostname for the machine.
						</div></li><li class="listitem"><div class="para">
							Uncomment the <code class="command">mydestination = $myhostname, localhost.$mydomain</code> line.
						</div></li><li class="listitem"><div class="para">
							Uncomment the <code class="command">mynetworks</code> line, and replace <em class="replaceable"><code>168.100.189.0/28</code></em> with a valid network setting for hosts that can connect to the server.
						</div></li><li class="listitem"><div class="para">
							Uncomment the <code class="command">inet_interfaces = all</code> line.
						</div></li><li class="listitem"><div class="para">
							Comment the <code class="command">inet_interfaces = localhost</code> line.
						</div></li><li class="listitem"><div class="para">
							Restart the <code class="command">postfix</code> service.
						</div></li></ul></div><div class="para">
					Once these steps are complete, the host accepts outside emails for delivery.
				</div><div class="para">
					Postfix has a large assortment of configuration options. One of the best ways to learn how to configure Postfix is to read the comments within <code class="filename">/etc/postfix/main.cf</code>. Additional resources including information about LDAP and SpamAssassin integration are available online at <a href="http://www.postfix.org/">http://www.postfix.org/</a>.
				</div></div></div><div class="section" id="s2-email-mta-fetchmail"><div class="titlepage"><div><div><h3 class="title" id="s2-email-mta-fetchmail">25.3.3. Fetchmail</h3></div></div></div><a id="id936789" class="indexterm"></a><a id="id936803" class="indexterm"></a><div class="para">
				Fetchmail is an MTA which retrieves email from remote servers and delivers it to the local MTA. Many users appreciate the ability to separate the process of downloading their messages located on a remote server from the process of reading and organizing their email in an MUA. Designed with the needs of dial-up users in mind, Fetchmail connects and quickly downloads all of the email messages to the mail spool file using any number of protocols, including POP3 and IMAP. It can even forward email messages to an SMTP server, if necessary.
			</div><div class="para">
				Fetchmail is configured for each user through the use of a <code class="filename">.fetchmailrc</code> file in the user's home directory.
			</div><div class="para">
				Using preferences in the <code class="filename">.fetchmailrc</code> file, Fetchmail checks for email on a remote server and downloads it. It then delivers it to port 25 on the local machine, using the local MTA to place the email in the correct user's spool file. If Procmail is available, it is launched to filter the email and place it in a mailbox so that it can be read by an MUA.
			</div><div class="section" id="s3-email-mda-fetchmail-configuration"><div class="titlepage"><div><div><h4 class="title" id="s3-email-mda-fetchmail-configuration">25.3.3.1. Fetchmail Configuration Options</h4></div></div></div><a id="id936846" class="indexterm"></a><a id="id936860" class="indexterm"></a><div class="para">
					Although it is possible to pass all necessary options on the command line to check for email on a remote server when executing Fetchmail, using a <code class="filename">.fetchmailrc</code> file is much easier. Place any desired configuration options in the <code class="filename">.fetchmailrc</code> file for those options to be used each time the <code class="command">fetchmail</code> command is issued. It is possible to override these at the time Fetchmail is run by specifying that option on the command line.
				</div><div class="para">
					A user's <code class="filename">.fetchmailrc</code> file contains three classes of configuration options:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<span class="emphasis"><em>global options</em></span> — Gives Fetchmail instructions that control the operation of the program or provide settings for every connection that checks for email.
						</div></li><li class="listitem"><div class="para">
							<span class="emphasis"><em>server options</em></span> — Specifies necessary information about the server being polled, such as the hostname, as well as preferences for specific email servers, such as the port to check or number of seconds to wait before timing out. These options affect every user using that server.
						</div></li><li class="listitem"><div class="para">
							<span class="emphasis"><em>user options</em></span> — Contains information, such as username and password, necessary to authenticate and check for email using a specified email server.
						</div></li></ul></div><div class="para">
					Global options appear at the top of the <code class="filename">.fetchmailrc</code> file, followed by one or more server options, each of which designate a different email server that Fetchmail should check. User options follow server options for each user account checking that email server. Like server options, multiple user options may be specified for use with a particular server as well as to check multiple email accounts on the same server.
				</div><div class="para">
					Server options are called into service in the <code class="filename">.fetchmailrc</code> file by the use of a special option verb, <code class="command">poll</code> or <code class="command">skip</code>, that precedes any of the server information. The <code class="command">poll</code> action tells Fetchmail to use this server option when it is run, which checks for email using the specified user options. Any server options after a <code class="command">skip</code> action, however, are not checked unless this server's hostname is specified when Fetchmail is invoked. The <code class="command">skip</code> option is useful when testing configurations in <code class="filename">.fetchmailrc</code> because it only checks skipped servers when specifically invoked, and does not affect any currently working configurations.
				</div><div class="para">
					A sample <code class="filename">.fetchmailrc</code> file looks similar to the following example:
				</div><pre class="screen">set postmaster "user1"
set bouncemail
 poll pop.domain.com proto pop3
 	user 'user1' there with password 'secret' is user1 here
 poll mail.domain2.com
 	user 'user5' there with password 'secret2' is user1 here
	user 'user7' there with password 'secret3' is user1 here</pre><div class="para">
					In this example, the global options specify that the user is sent email as a last resort (<code class="command">postmaster</code> option) and all email errors are sent to the postmaster instead of the sender (<code class="command">bouncemail</code> option). The <code class="command">set</code> action tells Fetchmail that this line contains a global option. Then, two email servers are specified, one set to check using POP3, the other for trying various protocols to find one that works. Two users are checked using the second server option, but all email found for any user is sent to <code class="command">user1</code>'s mail spool. This allows multiple mailboxes to be checked on multiple servers, while appearing in a single MUA inbox. Each user's specific information begins with the <code class="command">user</code> action.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						Users are not required to place their password in the <code class="filename">.fetchmailrc</code> file. Omitting the <code class="command">with password '&lt;password&gt;'</code> section causes Fetchmail to ask for a password when it is launched.
					</div></div></div><div class="para">
					Fetchmail has numerous global, server, and local options. Many of these options are rarely used or only apply to very specific situations. The <code class="filename">fetchmail</code> man page explains each option in detail, but the most common ones are listed here.
				</div></div><div class="section" id="s3-email-mda-fetchmail-configuration-global"><div class="titlepage"><div><div><h4 class="title" id="s3-email-mda-fetchmail-configuration-global">25.3.3.2. Global Options</h4></div></div></div><a id="id899387" class="indexterm"></a><a id="id899405" class="indexterm"></a><div class="para">
					Each global option should be placed on a single line after a <code class="command">set</code> action.
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">daemon <em class="replaceable"><code>&lt;seconds&gt;</code></em> </code> — Specifies daemon-mode, where Fetchmail stays in the background. Replace <em class="replaceable"><code>&lt;seconds&gt;</code></em> with the number of seconds Fetchmail is to wait before polling the server.
						</div></li><li class="listitem"><div class="para">
							<code class="command">postmaster</code> — Specifies a local user to send mail to in case of delivery problems.
						</div></li><li class="listitem"><div class="para">
							<code class="command">syslog</code> — Specifies the log file for errors and status messages. By default, this is <code class="filename">/var/log/maillog</code>.
						</div></li></ul></div></div><div class="section" id="s3-email-mda-fetchmail-configuration-server"><div class="titlepage"><div><div><h4 class="title" id="s3-email-mda-fetchmail-configuration-server">25.3.3.3. Server Options</h4></div></div></div><a id="id899491" class="indexterm"></a><a id="id899508" class="indexterm"></a><div class="para">
					Server options must be placed on their own line in <code class="filename">.fetchmailrc</code> after a <code class="command">poll</code> or <code class="command">skip</code> action.
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">auth <em class="replaceable"><code>&lt;auth-type&gt;</code></em> </code> — Replace <em class="replaceable"><code>&lt;auth-type&gt;</code></em> with the type of authentication to be used. By default, <code class="command">password</code> authentication is used, but some protocols support other types of authentication, including <code class="command">kerberos_v5</code>, <code class="command">kerberos_v4</code>, and <code class="command">ssh</code>. If the <code class="command">any</code> authentication type is used, Fetchmail first tries methods that do not require a password, then methods that mask the password, and finally attempts to send the password unencrypted to authenticate to the server.
						</div></li><li class="listitem"><div class="para">
							<code class="command">interval <em class="replaceable"><code>&lt;number&gt;</code></em> </code> — Polls the specified server every <code class="command"><em class="replaceable"><code>&lt;number&gt;</code></em> </code> of times that it checks for email on all configured servers. This option is generally used for email servers where the user rarely receives messages.
						</div></li><li class="listitem"><div class="para">
							<code class="command">port <em class="replaceable"><code>&lt;port-number&gt;</code></em> </code> — Replace <em class="replaceable"><code>&lt;port-number&gt;</code></em> with the port number. This value overrides the default port number for the specified protocol.
						</div></li><li class="listitem"><div class="para">
							<code class="command">proto <em class="replaceable"><code>&lt;protocol&gt;</code></em> </code> — Replace <em class="replaceable"><code>&lt;protocol&gt;</code></em> with the protocol, such as <code class="command">pop3</code> or <code class="command">imap</code>, to use when checking for messages on the server.
						</div></li><li class="listitem"><div class="para">
							<code class="command">timeout <em class="replaceable"><code>&lt;seconds&gt;</code></em> </code> — Replace <em class="replaceable"><code>&lt;seconds&gt;</code></em> with the number of seconds of server inactivity after which Fetchmail gives up on a connection attempt. If this value is not set, a default of <code class="command">300</code> seconds is assumed.
						</div></li></ul></div></div><div class="section" id="s3-email-fetchmail-configuration-user"><div class="titlepage"><div><div><h4 class="title" id="s3-email-fetchmail-configuration-user">25.3.3.4. User Options</h4></div></div></div><a id="id899692" class="indexterm"></a><a id="id899709" class="indexterm"></a><div class="para">
					User options may be placed on their own lines beneath a server option or on the same line as the server option. In either case, the defined options must follow the <code class="command">user</code> option (defined below).
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">fetchall</code> — Orders Fetchmail to download all messages in the queue, including messages that have already been viewed. By default, Fetchmail only pulls down new messages.
						</div></li><li class="listitem"><div class="para">
							<code class="command">fetchlimit <em class="replaceable"><code>&lt;number&gt;</code></em> </code> — Replace <em class="replaceable"><code>&lt;number&gt;</code></em> with the number of messages to be retrieved before stopping.
						</div></li><li class="listitem"><div class="para">
							<code class="command">flush</code> — Deletes all previously viewed messages in the queue before retrieving new messages.
						</div></li><li class="listitem"><div class="para">
							<code class="command">limit <em class="replaceable"><code>&lt;max-number-bytes&gt;</code></em> </code> — Replace <em class="replaceable"><code>&lt;max-number-bytes&gt;</code></em> with the maximum size in bytes that messages are allowed to be when retrieved by Fetchmail. This option is useful with slow network links, when a large message takes too long to download.
						</div></li><li class="listitem"><div class="para">
							<code class="command">password '<em class="replaceable"><code>&lt;password&gt;</code></em>'</code> — Replace <em class="replaceable"><code>&lt;password&gt;</code></em> with the user's password.
						</div></li><li class="listitem"><div class="para">
							<code class="command">preconnect "<em class="replaceable"><code>&lt;command&gt;</code></em>"</code> — Replace <em class="replaceable"><code>&lt;command&gt;</code></em> with a command to be executed before retrieving messages for the user.
						</div></li><li class="listitem"><div class="para">
							<code class="command">postconnect "<em class="replaceable"><code>&lt;command&gt;</code></em>"</code> — Replace <em class="replaceable"><code>&lt;command&gt;</code></em> with a command to be executed after retrieving messages for the user.
						</div></li><li class="listitem"><div class="para">
							<code class="command">ssl</code> — Activates SSL encryption.
						</div></li><li class="listitem"><div class="para">
							<code class="command">user "<em class="replaceable"><code>&lt;username&gt;</code></em>"</code> — Replace <em class="replaceable"><code>&lt;username&gt;</code></em> with the username used by Fetchmail to retrieve messages. <span class="emphasis"><em>This option must precede all other user options.</em></span>
						</div></li></ul></div></div><div class="section" id="s3-email-mda-fetchmail-commands"><div class="titlepage"><div><div><h4 class="title" id="s3-email-mda-fetchmail-commands">25.3.3.5. Fetchmail Command Options</h4></div></div></div><a id="id821953" class="indexterm"></a><div class="para">
					Most Fetchmail options used on the command line when executing the <code class="command">fetchmail</code> command mirror the <code class="filename">.fetchmailrc</code> configuration options. In this way, Fetchmail may be used with or without a configuration file. These options are not used on the command line by most users because it is easier to leave them in the <code class="filename">.fetchmailrc</code> file.
				</div><div class="para">
					There may be times when it is desirable to run the <code class="command">fetchmail</code> command with other options for a particular purpose. It is possible to issue command options to temporarily override a <code class="filename">.fetchmailrc</code> setting that is causing an error, as any options specified at the command line override configuration file options.
				</div></div><div class="section" id="s3-email-mda-fetchmail-commands-info"><div class="titlepage"><div><div><h4 class="title" id="s3-email-mda-fetchmail-commands-info">25.3.3.6. Informational or Debugging Options</h4></div></div></div><a id="id822007" class="indexterm"></a><div class="para">
					Certain options used after the <code class="command">fetchmail</code> command can supply important information.
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">--configdump</code> — Displays every possible option based on information from <code class="filename">.fetchmailrc</code> and Fetchmail defaults. No email is retrieved for any users when using this option.
						</div></li><li class="listitem"><div class="para">
							<code class="command">-s</code> — Executes Fetchmail in silent mode, preventing any messages, other than errors, from appearing after the <code class="command">fetchmail</code> command.
						</div></li><li class="listitem"><div class="para">
							<code class="command">-v</code> — Executes Fetchmail in verbose mode, displaying every communication between Fetchmail and remote email servers.
						</div></li><li class="listitem"><div class="para">
							<code class="command">-V</code> — Displays detailed version information, lists its global options, and shows settings to be used with each user, including the email protocol and authentication method. No email is retrieved for any users when using this option.
						</div></li></ul></div></div><div class="section" id="s3-email-mda-fetchmail-commands-special"><div class="titlepage"><div><div><h4 class="title" id="s3-email-mda-fetchmail-commands-special">25.3.3.7. Special Options</h4></div></div></div><a id="id822104" class="indexterm"></a><div class="para">
					These options are occasionally useful for overriding defaults often found in the <code class="filename">.fetchmailrc</code> file.
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">-a</code> — Fetchmail downloads all messages from the remote email server, whether new or previously viewed. By default, Fetchmail only downloads new messages.
						</div></li><li class="listitem"><div class="para">
							<code class="command">-k</code> — Fetchmail leaves the messages on the remote email server after downloading them. This option overrides the default behavior of deleting messages after downloading them.
						</div></li><li class="listitem"><div class="para">
							<code class="command">-l <em class="replaceable"><code>&lt;max-number-bytes&gt;</code></em> </code> — Fetchmail does not download any messages over a particular size and leaves them on the remote email server.
						</div></li><li class="listitem"><div class="para">
							<code class="command">--quit</code> — Quits the Fetchmail daemon process.
						</div></li></ul></div><div class="para">
					More commands and <code class="filename">.fetchmailrc</code> options can be found in the <code class="command">fetchmail</code> man page.
				</div></div></div></div><div class="section" id="s1-email-switchmail"><div class="titlepage"><div><div><h2 class="title" id="s1-email-switchmail">25.4. Mail Transport Agent (MTA) Configuration</h2></div></div></div><a id="id822213" class="indexterm"></a><a id="id822226" class="indexterm"></a><a id="id822240" class="indexterm"></a><a id="id822257" class="indexterm"></a><a id="id822270" class="indexterm"></a><a id="id822292" class="indexterm"></a><a id="id822313" class="indexterm"></a><a id="id822323" class="indexterm"></a><div class="para">
			A <em class="firstterm">Mail Transport Agent</em> (MTA) is essential for sending email. A <em class="firstterm">Mail User Agent</em> (MUA) such as <span class="application"><strong>Evolution</strong></span>, <span class="application"><strong>Thunderbird</strong></span>, and <span class="application"><strong>Mutt</strong></span>, is used to read and compose email. When a user sends an email from an MUA, the message is handed off to the MTA, which sends the message through a series of MTAs until it reaches its destination.
		</div><div class="para">
			Even if a user does not plan to send email from the system, some automated tasks or system programs might use the <code class="command">/bin/mail</code> command to send email containing log messages to the root user of the local system.
		</div><a id="id822366" class="indexterm"></a><a id="id822376" class="indexterm"></a><a id="id822385" class="indexterm"></a><div class="para">
			Red Hat Enterprise Linux 5 provides three MTAs: Sendmail, Postfix, and Exim. If all three are installed, <code class="command">sendmail</code> is the default MTA. The <span class="application"><strong>Mail Transport Agent Switcher</strong></span> allows for the selection of either <code class="command">sendmail</code>, <code class="command">postfix</code>, or <code class="command">exim</code> as the default MTA for the system.
		</div><div class="para">
			The <code class="command">system-switch-mail</code> RPM package must be installed to use the text-based version of the <span class="application"><strong>Mail Transport Agent Switcher</strong></span> program. If you want to use the graphical version, the <code class="command">system-switch-mail-gnome</code> package must also be installed. <div class="note" xml:lang="en-US" lang="en-US"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
		For more information on installing RPM packages, refer to <a class="xref" href="#pt-pkg-management">Part II, “Package Management”</a>.
	</div></div></div>

</div><div class="para">
			To start the <span class="application"><strong>Mail Transport Agent Switcher</strong></span>, select <span class="guimenu"><strong>System</strong></span> (the main menu on the panel) &gt; <span class="guimenu"><strong>Administration</strong></span> &gt; <span class="guimenuitem"><strong>Mail Transport Agent Switcher</strong></span>, or type the command <code class="command">system-switch-mail</code> at a shell prompt (for example, in an XTerm or GNOME terminal).
		</div><a id="id822478" class="indexterm"></a><div class="para">
			The program automatically detects if the X Window System is running. If it is running, the program starts in graphical mode as shown in <a class="xref" href="#fig-switchmail">Figure 25.1, “ <span class="application">Mail Transport Agent Switcher</span> ”</a>. If X is not detected, it starts in text-mode. To force <span class="application"><strong>Mail Transport Agent Switcher</strong></span> to run in text-mode, use the command <code class="command">system-switch-mail-nox</code>.
		</div><div class="figure" id="fig-switchmail"><div class="figure-contents"><div class="mediaobject"><img src="images/switchmail-gui.png" alt="Mail Transport Agent Switcher" /><div class="longdesc"><div class="para">
						Screenshot of <span class="application"><strong>Mail Transport Agent Switcher</strong></span>
					</div></div></div></div><h6>Figure 25.1.  <span class="application">Mail Transport Agent Switcher</span> </h6></div><br class="figure-break" /><div class="para">
			If you select <span class="guibutton"><strong>OK</strong></span> to change the MTA, the selected mail daemon is enabled to start at boot time, and the unselected mail daemons are disabled so that they do not start at boot time. The selected mail daemon is started, and any other mail daemon is stopped; thus making the changes take place immediately.
		</div></div><div class="section" id="s1-email-mda"><div class="titlepage"><div><div><h2 class="title" id="s1-email-mda">25.5. Mail Delivery Agents</h2></div></div></div><div class="para">
			Red Hat Enterprise Linux includes two primary MDAs, Procmail and <code class="command">mail</code>. Both of the applications are considered LDAs and both move email from the MTA's spool file into the user's mailbox. However, Procmail provides a robust filtering system.
		</div><div class="para">
			This section details only Procmail. For information on the <code class="command">mail</code> command, consult its man page.
		</div><a id="id822590" class="indexterm"></a><a id="id822603" class="indexterm"></a><div class="para">
			Procmail delivers and filters email as it is placed in the mail spool file of the localhost. It is powerful, gentle on system resources, and widely used. Procmail can play a critical role in delivering email to be read by email client applications.
		</div><div class="para">
			Procmail can be invoked in several different ways. Whenever an MTA places an email into the mail spool file, Procmail is launched. Procmail then filters and files the email for the MUA and quits. Alternatively, the MUA can be configured to execute Procmail any time a message is received so that messages are moved into their correct mailboxes. By default, the presence of <code class="filename">/etc/procmailrc</code> or of a <code class="filename">.procmailrc</code> file (also called an <em class="firstterm">rc</em> file) in the user's home directory invokes Procmail whenever an MTA receives a new message.
		</div><div class="para">
			Whether Procmail acts upon an email message depends upon whether the message matches a specified set of conditions or <em class="firstterm">recipes</em> in the <code class="filename">rc</code> file. If a message matches a recipe, then the email is placed in a specified file, is deleted, or is otherwise processed.
		</div><div class="para">
			When Procmail starts, it reads the email message and separates the body from the header information. Next, Procmail looks for <code class="filename">/etc/procmailrc</code> and <code class="filename">rc</code> files in the <code class="filename">/etc/procmailrcs</code> directory for default, system-wide, Procmail environmental variables and recipes. Procmail then searches for a <code class="filename">.procmailrc</code> file in the user's home directory. Many users also create additional <code class="filename">rc</code> files for Procmail that are referred to within the <code class="filename">.procmailrc</code> file in their home directory.
		</div><div class="para">
			By default, no system-wide <code class="filename">rc</code> files exist in the <code class="filename">/etc/</code> directory and no <code class="filename">.procmailrc</code> files exist in any user's home directory. Therefore, to use Procmail, each user must construct a <code class="filename">.procmailrc</code> file with specific environment variables and rules.
		</div><div class="section" id="s2-email-procmail-configuration"><div class="titlepage"><div><div><h3 class="title" id="s2-email-procmail-configuration">25.5.1. Procmail Configuration</h3></div></div></div><a id="id883415" class="indexterm"></a><a id="id883429" class="indexterm"></a><div class="para">
				The Procmail configuration file contains important environmental variables. These variables specify things such as which messages to sort and what to do with the messages that do not match any recipes.
			</div><div class="para">
				These environmental variables usually appear at the beginning of <code class="filename">.procmailrc</code> in the following format:
			</div><pre class="screen"><em class="replaceable"><code>&lt;env-variable&gt;</code></em>="<em class="replaceable"><code>&lt;value&gt;</code></em>"</pre><div class="para">
				In this example, <code class="command"><em class="replaceable"><code>&lt;env-variable&gt;</code></em> </code> is the name of the variable and <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em> </code> defines the variable.
			</div><div class="para">
				There are many environment variables not used by most Procmail users and many of the more important environment variables are already defined by a default value. Most of the time, the following variables are used:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">DEFAULT</code> — Sets the default mailbox where messages that do not match any recipes are placed.
					</div><div class="para">
						The default <code class="command">DEFAULT</code> value is the same as <code class="command">$ORGMAIL</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">INCLUDERC</code> — Specifies additional <code class="filename">rc</code> files containing more recipes for messages to be checked against. This breaks up the Procmail recipe lists into individual files that fulfill different roles, such as blocking spam and managing email lists, that can then be turned off or on by using comment characters in the user's <code class="filename">.procmailrc</code> file.
					</div><div class="para">
						For example, lines in a user's <code class="filename">.procmailrc</code> file may look like this:
					</div><pre class="screen">MAILDIR=$HOME/Msgs
INCLUDERC=$MAILDIR/lists.rc
INCLUDERC=$MAILDIR/spam.rc</pre><div class="para">
						If the user wants to turn off Procmail filtering of their email lists but leave spam control in place, they would comment out the first <code class="command">INCLUDERC</code> line with a hash mark character (<code class="command">#</code>).
					</div></li><li class="listitem"><div class="para">
						<code class="command">LOCKSLEEP</code> — Sets the amount of time, in seconds, between attempts by Procmail to use a particular lockfile. The default is eight seconds.
					</div></li><li class="listitem"><div class="para">
						<code class="command">LOCKTIMEOUT</code> — Sets the amount of time, in seconds, that must pass after a lockfile was last modified before Procmail assumes that the lockfile is old and can be deleted. The default is 1024 seconds.
					</div></li><li class="listitem"><div class="para">
						<code class="command">LOGFILE</code> — The file to which any Procmail information or error messages are written.
					</div></li><li class="listitem"><div class="para">
						<code class="command">MAILDIR</code> — Sets the current working directory for Procmail. If set, all other Procmail paths are relative to this directory.
					</div></li><li class="listitem"><div class="para">
						<code class="command">ORGMAIL</code> — Specifies the original mailbox, or another place to put the messages if they cannot be placed in the default or recipe-required location.
					</div><div class="para">
						By default, a value of <code class="command">/var/spool/mail/$LOGNAME</code> is used.
					</div></li><li class="listitem"><div class="para">
						<code class="command">SUSPEND</code> — Sets the amount of time, in seconds, that Procmail pauses if a necessary resource, such as swap space, is not available.
					</div></li><li class="listitem"><div class="para">
						<code class="command">SWITCHRC</code> — Allows a user to specify an external file containing additional Procmail recipes, much like the <code class="command">INCLUDERC</code> option, except that recipe checking is actually stopped on the referring configuration file and only the recipes on the <code class="command">SWITCHRC</code>-specified file are used.
					</div></li><li class="listitem"><div class="para">
						<code class="command">VERBOSE</code> — Causes Procmail to log more information. This option is useful for debugging.
					</div></li></ul></div><div class="para">
				Other important environmental variables are pulled from the shell, such as <code class="command">LOGNAME</code>, which is the login name; <code class="command">HOME</code>, which is the location of the home directory; and <code class="command">SHELL</code>, which is the default shell.
			</div><div class="para">
				A comprehensive explanation of all environments variables, as well as their default values, is available in the <code class="filename">procmailrc</code> man page.
			</div></div><div class="section" id="s2-email-procmail-recipes"><div class="titlepage"><div><div><h3 class="title" id="s2-email-procmail-recipes">25.5.2. Procmail Recipes</h3></div></div></div><a id="id883712" class="indexterm"></a><div class="para">
				New users often find the construction of recipes the most difficult part of learning to use Procmail. To some extent, this is understandable, as recipes do their message matching using <em class="firstterm">regular expressions</em>, which is a particular format used to specify qualifications for a matching string. However, regular expressions are not very difficult to construct and even less difficult to understand when read. Additionally, the consistency of the way Procmail recipes are written, regardless of regular expressions, makes it easy to learn by example. To see example Procmail recipes, refer to <a class="xref" href="#s3-email-procmail-recipes-examples">Section 25.5.2.5, “Recipe Examples”</a>.
			</div><div class="para">
				Procmail recipes take the following form:
			</div><pre class="screen">:0<em class="replaceable"><code>&lt;flags&gt;: &lt;lockfile-name&gt;</code></em>
* <em class="replaceable"><code>&lt;special-condition-character&gt;</code></em>
				<em class="replaceable"><code>&lt;condition-1&gt;</code></em>
* <em class="replaceable"><code>&lt;special-condition-character&gt;</code></em>
				<em class="replaceable"><code>&lt;condition-2&gt;</code></em>
* <em class="replaceable"><code>&lt;special-condition-character&gt;</code></em>
				<em class="replaceable"><code>&lt;condition-N&gt;</code></em>
				<em class="replaceable"><code>&lt;special-action-character&gt;</code></em>
				<em class="replaceable"><code>&lt;action-to-perform&gt;</code></em>
</pre><div class="para">
				The first two characters in a Procmail recipe are a colon and a zero. Various flags can be placed after the zero to control how Procmail processes the recipe. A colon after the <code class="command"><em class="replaceable"><code>&lt;flags&gt;</code></em> </code> section specifies that a lockfile is created for this message. If a lockfile is created, the name can be specified by replacing <code class="command"><em class="replaceable"><code>&lt;lockfile-name&gt;</code></em> </code>.
			</div><div class="para">
				A recipe can contain several conditions to match against the message. If it has no conditions, every message matches the recipe. Regular expressions are placed in some conditions to facilitate message matching. If multiple conditions are used, they must all match for the action to be performed. Conditions are checked based on the flags set in the recipe's first line. Optional special characters placed after the <code class="command">*</code> character can further control the condition.
			</div><div class="para">
				The <code class="command"><em class="replaceable"><code>&lt;action-to-perform&gt;</code></em> </code> specifies the action taken when the message matches one of the conditions. There can only be one action per recipe. In many cases, the name of a mailbox is used here to direct matching messages into that file, effectively sorting the email. Special action characters may also be used before the action is specified. Refer to <a class="xref" href="#s3-email-procmail-recipes-special">Section 25.5.2.4, “Special Conditions and Actions”</a> for more information.
			</div><div class="section" id="s2-email-procmail-recipes-delivering"><div class="titlepage"><div><div><h4 class="title" id="s2-email-procmail-recipes-delivering">25.5.2.1. Delivering vs. Non-Delivering Recipes</h4></div></div></div><a id="id883840" class="indexterm"></a><a id="id883858" class="indexterm"></a><div class="para">
					The action used if the recipe matches a particular message determines whether it is considered a <em class="firstterm">delivering</em> or <em class="firstterm">non-delivering</em> recipe. A delivering recipe contains an action that writes the message to a file, sends the message to another program, or forwards the message to another email address. A non-delivering recipe covers any other actions, such as a <em class="firstterm">nesting block</em>. A nesting block is a set of actions, contained in braces <code class="command">{</code> <code class="command">}</code>, that are performed on messages which match the recipe's conditions. Nesting blocks can be nested inside one another, providing greater control for identifying and performing actions on messages.
				</div><div class="para">
					When messages match a delivering recipe, Procmail performs the specified action and stops comparing the message against any other recipes. Messages that match non-delivering recipes continue to be compared against other recipes.
				</div></div><div class="section" id="s3-email-procmail-recipes-flags"><div class="titlepage"><div><div><h4 class="title" id="s3-email-procmail-recipes-flags">25.5.2.2. Flags</h4></div></div></div><a id="id883917" class="indexterm"></a><div class="para">
					Flags are essential to determine how or if a recipe's conditions are compared to a message. The following flags are commonly used:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">A</code> — Specifies that this recipe is only used if the previous recipe without an <code class="command">A</code> or <code class="command">a</code> flag also matched this message.
						</div></li><li class="listitem"><div class="para">
							<code class="command">a</code> — Specifies that this recipe is only used if the previous recipe with an <code class="command">A</code> or <code class="command">a</code> flag also matched this message <span class="emphasis"><em>and</em></span> was successfully completed.
						</div></li><li class="listitem"><div class="para">
							<code class="command">B</code> — Parses the body of the message and looks for matching conditions.
						</div></li><li class="listitem"><div class="para">
							<code class="command">b</code> — Uses the body in any resulting action, such as writing the message to a file or forwarding it. This is the default behavior.
						</div></li><li class="listitem"><div class="para">
							<code class="command">c</code> — Generates a carbon copy of the email. This is useful with delivering recipes, since the required action can be performed on the message and a copy of the message can continue being processed in the <code class="filename">rc</code> files.
						</div></li><li class="listitem"><div class="para">
							<code class="command">D</code> — Makes the <code class="command">egrep</code> comparison case-sensitive. By default, the comparison process is not case-sensitive.
						</div></li><li class="listitem"><div class="para">
							<code class="command">E</code> — While similar to the <code class="command">A</code> flag, the conditions in the recipe are only compared to the message if the immediately preceding the recipe without an <code class="command">E</code> flag did not match. This is comparable to an <em class="wordasword">else</em> action.
						</div></li><li class="listitem"><div class="para">
							<code class="command">e</code> — The recipe is compared to the message only if the action specified in the immediately preceding recipe fails.
						</div></li><li class="listitem"><div class="para">
							<code class="command">f</code> — Uses the pipe as a filter.
						</div></li><li class="listitem"><div class="para">
							<code class="command">H</code> — Parses the header of the message and looks for matching conditions. This occurs by default.
						</div></li><li class="listitem"><div class="para">
							<code class="command">h</code> — Uses the header in a resulting action. This is the default behavior.
						</div></li><li class="listitem"><div class="para">
							<code class="command">w</code> — Tells Procmail to wait for the specified filter or program to finish, and reports whether or not it was successful before considering the message filtered.
						</div></li><li class="listitem"><div class="para">
							<code class="command">W</code> — Is identical to <code class="command">w</code> except that "Program failure" messages are suppressed.
						</div></li></ul></div><div class="para">
					For a detailed list of additional flags, refer to the <code class="filename">procmailrc</code> man page.
				</div></div><div class="section" id="s3-email-procmail-recipes-lockfile"><div class="titlepage"><div><div><h4 class="title" id="s3-email-procmail-recipes-lockfile">25.5.2.3. Specifying a Local Lockfile</h4></div></div></div><a id="id1058636" class="indexterm"></a><div class="para">
					Lockfiles are very useful with Procmail to ensure that more than one process does not try to alter a message simultaneously. Specify a local lockfile by placing a colon (<code class="command">:</code>) after any flags on a recipe's first line. This creates a local lockfile based on the destination file name plus whatever has been set in the <code class="command">LOCKEXT</code> global environment variable.
				</div><div class="para">
					Alternatively, specify the name of the local lockfile to be used with this recipe after the colon.
				</div></div><div class="section" id="s3-email-procmail-recipes-special"><div class="titlepage"><div><div><h4 class="title" id="s3-email-procmail-recipes-special">25.5.2.4. Special Conditions and Actions</h4></div></div></div><a id="id1058682" class="indexterm"></a><a id="id1058700" class="indexterm"></a><div class="para">
					Special characters used before Procmail recipe conditions and actions change the way they are interpreted.
				</div><div class="para">
					The following characters may be used after the <code class="command">*</code> character at the beginning of a recipe's condition line:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">!</code> — In the condition line, this character inverts the condition, causing a match to occur only if the condition does not match the message.
						</div></li><li class="listitem"><div class="para">
							<code class="command">&lt;</code> — Checks if the message is under a specified number of bytes.
						</div></li><li class="listitem"><div class="para">
							<code class="command">&gt;</code> — Checks if the message is over a specified number of bytes.
						</div></li></ul></div><div class="para">
					The following characters are used to perform special actions:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">!</code> — In the action line, this character tells Procmail to forward the message to the specified email addresses.
						</div></li><li class="listitem"><div class="para">
							<code class="command">$</code> — Refers to a variable set earlier in the <code class="filename">rc</code> file. This is often used to set a common mailbox that is referred to by various recipes.
						</div></li><li class="listitem"><div class="para">
							<code class="command">|</code> — Starts a specified program to process the message.
						</div></li><li class="listitem"><div class="para">
							<code class="command">{</code> and <code class="command">}</code> — Constructs a nesting block, used to contain additional recipes to apply to matching messages.
						</div></li></ul></div><div class="para">
					If no special character is used at the beginning of the action line, Procmail assumes that the action line is specifying the mailbox in which to write the message.
				</div></div><div class="section" id="s3-email-procmail-recipes-examples"><div class="titlepage"><div><div><h4 class="title" id="s3-email-procmail-recipes-examples">25.5.2.5. Recipe Examples</h4></div></div></div><a id="id1058849" class="indexterm"></a><div class="para">
					Procmail is an extremely flexible program, but as a result of this flexibility, composing Procmail recipes from scratch can be difficult for new users.
				</div><div class="para">
					The best way to develop the skills to build Procmail recipe conditions stems from a strong understanding of regular expressions combined with looking at many examples built by others. A thorough explanation of regular expressions is beyond the scope of this section. The structure of Procmail recipes and useful sample Procmail recipes can be found at various places on the Internet (such as <a href="http://www.iki.fi/era/procmail/links.html">http://www.iki.fi/era/procmail/links.html</a>). The proper use and adaptation of regular expressions can be derived by viewing these recipe examples. In addition, introductory information about basic regular expression rules can be found in the <code class="filename">grep</code> man page.
				</div><div class="para">
					The following simple examples demonstrate the basic structure of Procmail recipes and can provide the foundation for more intricate constructions.
				</div><div class="para">
					A basic recipe may not even contain conditions, as is illustrated in the following example:
				</div><pre class="screen">:0:
new-mail.spool</pre><div class="para">
					The first line specifies that a local lockfile is to be created but does not specify a name, so Procmail uses the destination file name and appends the value specified in the <code class="command">LOCKEXT</code> environment variable. No condition is specified, so every message matches this recipe and is placed in the single spool file called <code class="filename">new-mail.spool</code>, located within the directory specified by the <code class="command">MAILDIR</code> environment variable. An MUA can then view messages in this file.
				</div><div class="para">
					A basic recipe, such as this, can be placed at the end of all <code class="filename">rc</code> files to direct messages to a default location.
				</div><div class="para">
					The following example matched messages from a specific email address and throws them away.
				</div><pre class="screen">:0
* ^From: spammer@domain.com
/dev/null</pre><div class="para">
					With this example, any messages sent by <code class="computeroutput">spammer@domain.com</code> are sent to the <code class="filename">/dev/null</code> device, deleting them.
				</div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
						Be certain that rules are working as intended before sending messages to <code class="filename">/dev/null</code> for permanent deletion. If a recipe inadvertently catches unintended messages, and those messages disappear, it becomes difficult to troubleshoot the rule.
					</div><div class="para">
						A better solution is to point the recipe's action to a special mailbox, which can be checked from time to time to look for false positives. Once satisfied that no messages are accidentally being matched, delete the mailbox and direct the action to send the messages to <code class="filename">/dev/null</code>.
					</div></div></div><div class="para">
					The following recipe grabs email sent from a particular mailing list and places it in a specified folder.
				</div><pre class="screen">:0:
* ^(From|CC|To).*tux-lug
tuxlug</pre><div class="para">
					Any messages sent from the <code class="computeroutput">tux-lug@domain.com</code> mailing list are placed in the <code class="filename">tuxlug</code> mailbox automatically for the MUA. Note that the condition in this example matches the message if it has the mailing list's email address on the <code class="computeroutput">From</code>, <code class="computeroutput">CC</code>, or <code class="computeroutput">To</code> lines.
				</div><div class="para">
					Consult the many Procmail online resources available in <a class="xref" href="#s1-email-additional-resources">Section 25.7, “Additional Resources”</a> for more detailed and powerful recipes.
				</div></div><div class="section" id="s3-email-mda-spam"><div class="titlepage"><div><div><h4 class="title" id="s3-email-mda-spam">25.5.2.6. Spam Filters</h4></div></div></div><a id="id1059027" class="indexterm"></a><a id="id1059044" class="indexterm"></a><a id="id1059058" class="indexterm"></a><div class="para">
					Because it is called by Sendmail, Postfix, and Fetchmail upon receiving new emails, Procmail can be used as a powerful tool for combating spam.
				</div><div class="para">
					This is particularly true when Procmail is used in conjunction with SpamAssassin. When used together, these two applications can quickly identify spam emails, and sort or destroy them.
				</div><div class="para">
					SpamAssassin uses header analysis, text analysis, blacklists, a spam-tracking database, and self-learning Bayesian spam analysis to quickly and accurately identify and tag spam.
				</div><div class="para">
					The easiest way for a local user to use SpamAssassin is to place the following line near the top of the <code class="filename">~/.procmailrc</code> file:
				</div><pre class="screen">INCLUDERC=/etc/mail/spamassassin/spamassassin-default.rc</pre><div class="para">
					The <code class="filename">/etc/mail/spamassassin/spamassassin-default.rc</code> contains a simple Procmail rule that activates SpamAssassin for all incoming email. If an email is determined to be spam, it is tagged in the header as such and the title is prepended with the following pattern:
				</div><pre class="screen">*****SPAM*****</pre><div class="para">
					The message body of the email is also prepended with a running tally of what elements caused it to be diagnosed as spam.
				</div><div class="para">
					To file email tagged as spam, a rule similar to the following can be used:
				</div><pre class="screen">:0 Hw
* ^X-Spam-Status: Yes
spam</pre><div class="para">
					This rule files all email tagged in the header as spam into a mailbox called <code class="filename">spam</code>.
				</div><div class="para">
					Since SpamAssassin is a Perl script, it may be necessary on busy servers to use the binary SpamAssassin daemon (<code class="command">spamd</code>) and client application (<code class="command">spamc</code>). Configuring SpamAssassin this way, however, requires root access to the host.
				</div><div class="para">
					To start the <code class="command">spamd</code> daemon, type the following command as root:
				</div><pre class="screen"><code class="command">service spamassassin start</code></pre><div class="para">
					To start the SpamAssassin daemon when the system is booted, use an initscript utility, such as the <span class="application"><strong>Services Configuration Tool</strong></span> (<code class="command">system-config-services</code>), to turn on the <code class="computeroutput">spamassassin</code> service. Refer to <a class="xref" href="#ch-services">Chapter 17, <em>Controlling Access to Services</em></a> for more information about initscript utilities.
				</div><div class="para">
					To configure Procmail to use the SpamAssassin client application instead of the Perl script, place the following line near the top of the <code class="filename">~/.procmailrc</code> file. For a system-wide configuration, place it in <code class="filename">/etc/procmailrc</code>:
				</div><pre class="screen">INCLUDERC=/etc/mail/spamassassin/spamassassin-spamc.rc</pre></div></div></div><div class="section" id="s1-email-mua"><div class="titlepage"><div><div><h2 class="title" id="s1-email-mua">25.6. Mail User Agents</h2></div></div></div><div class="para">
			There are scores of mail programs available under Red Hat Enterprise Linux. There are full-featured, graphical email client programs, such as <span class="application"><strong>Ximian Evolution</strong></span>, as well as text-based email programs such as <code class="command">mutt</code>.
		</div><div class="para">
			The remainder of this section focuses on securing communication between the client and server.
		</div><div class="section" id="s2-email-security"><div class="titlepage"><div><div><h3 class="title" id="s2-email-security">25.6.1. Securing Communication</h3></div></div></div><div class="para">
				Popular MUAs included with Red Hat Enterprise Linux, such as <span class="application"><strong>Ximian Evolution</strong></span> and <code class="command">mutt</code> offer SSL-encrypted email sessions.
			</div><a id="id1050900" class="indexterm"></a><div class="para">
				Like any other service that flows over a network unencrypted, important email information, such as usernames, passwords, and entire messages, may be intercepted and viewed by users on the network. Additionally, since the standard POP and IMAP protocols pass authentication information unencrypted, it is possible for an attacker to gain access to user accounts by collecting usernames and passwords as they are passed over the network.
			</div><div class="section" id="s3-email-security-clients"><div class="titlepage"><div><div><h4 class="title" id="s3-email-security-clients">25.6.1.1. Secure Email Clients</h4></div></div></div><a id="id1050929" class="indexterm"></a><div class="para">
					Most Linux MUAs designed to check email on remote servers support SSL encryption. To use SSL when retrieving email, it must be enabled on both the email client and server.
				</div><div class="para">
					SSL is easy to enable on the client-side, often done with the click of a button in the MUA's configuration window or via an option in the MUA's configuration file. Secure IMAP and POP have known port numbers (993 and 995, respectively) that the MUA uses to authenticate and download messages.
				</div></div><div class="section" id="s3-email-security-servers"><div class="titlepage"><div><div><h4 class="title" id="s3-email-security-servers">25.6.1.2. Securing Email Client Communications</h4></div></div></div><a id="id1050968" class="indexterm"></a><a id="id1050985" class="indexterm"></a><div class="para">
					Offering SSL encryption to IMAP and POP users on the email server is a simple matter.
				</div><div class="para">
					First, create an SSL certificate. This can be done two ways: by applying to a <em class="firstterm">Certificate Authority</em> (<em class="firstterm">CA</em>) for an SSL certificate or by creating a self-signed certificate.
				</div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
						Self-signed certificates should be used for testing purposes only. Any server used in a production environment should use an SSL certificate granted by a CA.
					</div></div></div><div class="para">
					To create a self-signed SSL certificate for IMAP, change to the <code class="filename">/etc/pki/tls/certs/</code> directory and type the following commands as root:
				</div><pre class="screen"><code class="command">rm -f cyrus-imapd.pem make cyrus-imapd.pem</code></pre><div class="para">
					Answer all of the questions to complete the process.
				</div><div class="para">
					To create a self-signed SSL certificate for POP, change to the <code class="filename">/etc/pki/tls/certs/</code> directory, and type the following commands as root:
				</div><pre class="screen"><code class="command">rm -f ipop3d.pem make ipop3d.pem</code></pre><div class="para">
					Again, answer all of the questions to complete the process.
				</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
						Please be sure to remove the default <code class="filename">imapd.pem</code> and <code class="filename">ipop3d.pem</code> files before issuing each <code class="command">make</code> command.
					</div></div></div><div class="para">
					Once finished, execute the <code class="command">/sbin/service xinetd restart</code> command to restart the <code class="command">xinetd</code> daemon which controls <code class="command">imapd</code> and <code class="command">ipop3d</code>.
				</div><div class="para">
					Alternatively, the <code class="command">stunnel</code> command can be used as an SSL encryption wrapper around the standard, non-secure daemons, <code class="command">imapd</code> or <code class="command">pop3d</code>.
				</div><div class="para">
					The <code class="command">stunnel</code> program uses external OpenSSL libraries included with Red Hat Enterprise Linux to provide strong cryptography and protect the connections. It is best to apply to a CA to obtain an SSL certificate, but it is also possible to create a self-signed certificate.
				</div><div class="para">
					To create a self-signed SSL certificate, change to the <code class="filename">/etc/pki/tls/certs/</code> directory, and type the following command:
				</div><pre class="screen"><code class="command">make stunnel.pem</code></pre><div class="para">
					Again, answer all of the questions to complete the process.
				</div><div class="para">
					Once the certificate is generated, it is possible to use the <code class="command">stunnel</code> command to start the <code class="command">imapd</code> mail daemon using the following command:
				</div><pre class="screen"><code class="command">/usr/sbin/stunnel -d 993 -l /usr/sbin/imapd imapd</code></pre><div class="para">
					Once this command is issued, it is possible to open an IMAP email client and connect to the email server using SSL encryption.
				</div><div class="para">
					To start the <code class="command">pop3d</code> using the <code class="command">stunnel</code> command, type the following command:
				</div><pre class="screen"><code class="command">/usr/sbin/stunnel -d 995 -l /usr/sbin/pop3d pop3d</code></pre><div class="para">
					For more information about how to use <code class="command">stunnel</code>, read the <code class="command">stunnel</code> man page or refer to the documents in the <code class="filename">/usr/share/doc/stunnel-<em class="replaceable"><code>&lt;version-number&gt;</code></em> </code>/ directory, where <em class="replaceable"><code>&lt;version-number&gt;</code></em> is the version number for <code class="command">stunnel</code>.
				</div></div></div></div><div class="section" id="s1-email-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-email-additional-resources">25.7. Additional Resources</h2></div></div></div><a id="id1051229" class="indexterm"></a><a id="id1051242" class="indexterm"></a><a id="id1051256" class="indexterm"></a><a id="id1051270" class="indexterm"></a><div class="para">
			The following is a list of additional documentation about email applications.
		</div><div class="section" id="s2-email-installed-docs"><div class="titlepage"><div><div><h3 class="title" id="s2-email-installed-docs">25.7.1. Installed Documentation</h3></div></div></div><a id="id1051296" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Information on configuring Sendmail is included with the <code class="filename">sendmail</code> and <code class="filename">sendmail-cf</code> packages.
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="filename">/usr/share/sendmail-cf/README</code> — Contains information on <code class="command">m4</code>, file locations for Sendmail, supported mailers, how to access enhanced features, and more.
							</div></li></ul></div><div class="para">
						In addition, the <code class="filename">sendmail</code> and <code class="filename">aliases</code> man pages contain helpful information covering various Sendmail options and the proper configuration of the Sendmail <code class="filename">/etc/mail/aliases</code> file.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/usr/share/doc/postfix-<em class="replaceable"><code>&lt;version-number&gt;</code></em> </code> — Contains a large amount of information about ways to configure Postfix. Replace <em class="replaceable"><code>&lt;version-number&gt;</code></em> with the version number of Postfix.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/usr/share/doc/fetchmail-<em class="replaceable"><code>&lt;version-number&gt;</code></em> </code> — Contains a full list of Fetchmail features in the <code class="filename">FEATURES</code> file and an introductory <code class="filename">FAQ</code> document. Replace <em class="replaceable"><code>&lt;version-number&gt;</code></em> with the version number of Fetchmail.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/usr/share/doc/procmail-<em class="replaceable"><code>&lt;version-number&gt;</code></em> </code> — Contains a <code class="filename">README</code> file that provides an overview of Procmail, a <code class="filename">FEATURES</code> file that explores every program feature, and an <code class="filename">FAQ</code> file with answers to many common configuration questions. Replace <em class="replaceable"><code>&lt;version-number&gt;</code></em> with the version number of Procmail.
					</div><div class="para">
						When learning how Procmail works and creating new recipes, the following Procmail man pages are invaluable:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="filename">procmail</code> — Provides an overview of how Procmail works and the steps involved with filtering email.
							</div></li><li class="listitem"><div class="para">
								<code class="filename">procmailrc</code> — Explains the <code class="filename">rc</code> file format used to construct recipes.
							</div></li><li class="listitem"><div class="para">
								<code class="filename">procmailex</code> — Gives a number of useful, real-world examples of Procmail recipes.
							</div></li><li class="listitem"><div class="para">
								<code class="filename">procmailsc</code> — Explains the weighted scoring technique used by Procmail to match a particular recipe to a message.
							</div></li><li class="listitem"><div class="para">
								<code class="filename">/usr/share/doc/spamassassin-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/</code> — Contains a large amount of information pertaining to SpamAssassin. Replace <em class="replaceable"><code>&lt;version-number&gt;</code></em> with the version number of the <code class="filename">spamassassin</code> package.
							</div></li></ul></div></li></ul></div></div><div class="section" id="s2-email-useful-websites"><div class="titlepage"><div><div><h3 class="title" id="s2-email-useful-websites">25.7.2. Useful Websites</h3></div></div></div><a id="id1051541" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://www.sendmail.org/">http://www.sendmail.org/</a> — Offers a thorough technical breakdown of Sendmail features, documentation and configuration examples.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.sendmail.com/">http://www.sendmail.com/</a> — Contains news, interviews and articles concerning Sendmail, including an expanded view of the many options available.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.postfix.org/">http://www.postfix.org/</a> — The Postfix project home page contains a wealth of information about Postfix. The mailing list is a particularly good place to look for information.
					</div></li><li class="listitem"><div class="para">
						<a href="http://fetchmail.berlios.de/">http://fetchmail.berlios.de/</a> — The home page for Fetchmail, featuring an online manual, and a thorough FAQ.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.procmail.org/">http://www.procmail.org/</a> — The home page for Procmail with links to assorted mailing lists dedicated to Procmail as well as various FAQ documents.
					</div></li><li class="listitem"><div class="para">
						<a href="http://partmaps.org/era/procmail/mini-faq.html">http://partmaps.org/era/procmail/mini-faq.html</a> — An excellent Procmail FAQ, offers troubleshooting tips, details about file locking, and the use of wildcard characters.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.uwasa.fi/~ts/info/proctips.html">http://www.uwasa.fi/~ts/info/proctips.html</a> — Contains dozens of tips that make using Procmail much easier. Includes instructions on how to test <code class="filename">.procmailrc</code> files and use Procmail scoring to decide if a particular action should be taken.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.spamassassin.org/">http://www.spamassassin.org/</a> — The official site of the SpamAssassin project.
					</div></li></ul></div></div><div class="section" id="s2-email-related-books"><div class="titlepage"><div><div><h3 class="title" id="s2-email-related-books">25.7.3. Related Books</h3></div></div></div><a id="id992723" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<em class="citetitle">Sendmail Milters: A Guide for Fighting Spam</em> by Bryan Costales and Marcia Flynt; Addison-Wesley — A good Sendmail guide that can help you customise your mail filters.
					</div></li><li class="listitem"><div class="para">
						<em class="citetitle">Sendmail</em> by Bryan Costales with Eric Allman et al; O'Reilly &amp; Associates — A good Sendmail reference written with the assistance of the original creator of Delivermail and Sendmail.
					</div></li><li class="listitem"><div class="para">
						<em class="citetitle">Removing the Spam: Email Processing and Filtering</em> by Geoff Mulligan; Addison-Wesley Publishing Company — A volume that looks at various methods used by email administrators using established tools, such as Sendmail and Procmail, to manage spam problems.
					</div></li><li class="listitem"><div class="para">
						<em class="citetitle">Internet Email Protocols: A Developer's Guide</em> by Kevin Johnson; Addison-Wesley Publishing Company — Provides a very thorough review of major email protocols and the security they provide.
					</div></li><li class="listitem"><div class="para">
						<em class="citetitle">Managing IMAP</em> by Dianna Mullet and Kevin Mullet; O'Reilly &amp; Associates — Details the steps required to configure an IMAP server.
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-ldap" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 26. Lightweight Directory Access Protocol (LDAP)</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-ldap-adv">26.1. Why Use LDAP?</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-ldap-v3">26.1.1. OpenLDAP Features</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ldap-terminology">26.2. LDAP Terminology</a></span></dt><dt><span class="section"><a href="#s1-ldap-daemonsutils">26.3. OpenLDAP Daemons and Utilities</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ldap-pam-nss">26.3.1. NSS, PAM, and LDAP</a></span></dt><dt><span class="section"><a href="#s2-ldap-other-apps">26.3.2. PHP4, LDAP, and the Apache HTTP Server</a></span></dt><dt><span class="section"><a href="#s2-ldap-applications">26.3.3. LDAP Client Applications</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ldap-files">26.4. OpenLDAP Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-ldap-files-schemas">26.5. The <code class="filename">/etc/openldap/schema/</code> Directory</a></span></dt><dt><span class="section"><a href="#s1-ldap-quickstart">26.6. OpenLDAP Setup Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ldap-files-slapd-conf">26.6.1. Editing <code class="filename">/etc/openldap/slapd.conf</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ldap-pam">26.7. Configuring a System to Authenticate Using OpenLDAP</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ldap-pamd">26.7.1. PAM and LDAP</a></span></dt><dt><span class="section"><a href="#s2-ldap-migrate">26.7.2. Migrating Old Authentication Information to LDAP Format</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-ldap-migrate">26.8. Migrating Directories from Earlier Releases</a></span></dt><dt><span class="section"><a href="#s1-ldap-additional-resources">26.9. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-ldap-installed-docs">26.9.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-ldap-additional-resources-web">26.9.2. Useful Websites</a></span></dt><dt><span class="section"><a href="#s2-ldap-related-books">26.9.3. Related Books</a></span></dt></dl></dd></dl></div><a id="id834793" class="indexterm"></a><a id="id1068922" class="indexterm"></a><a id="id925916" class="indexterm"></a><a id="id853252" class="indexterm"></a><a id="id1041150" class="indexterm"></a><a id="id972015" class="indexterm"></a><a id="id828299" class="indexterm"></a><div class="para">
		The <em class="firstterm">Lightweight Directory Access Protocol</em> (<em class="firstterm">LDAP</em>) is a set of open protocols used to access centrally stored information over a network. It is based on the <em class="firstterm">X.500</em> standard for directory sharing, but is less complex and resource-intensive. For this reason, LDAP is sometimes referred to as "<em class="firstterm">X.500 Lite</em>." The X.500 standard is a directory that contains hierarchical and categorized information, which could include information such as names, addresses, and phone numbers.
	</div><div class="para">
		Like X.500, LDAP organizes information in a hierarchal manner using directories. These directories can store a variety of information and can even be used in a manner similar to the Network Information Service (NIS), enabling anyone to access their account from any machine on the LDAP enabled network.
	</div><div class="para">
		In many cases, LDAP is used as a virtual phone directory, allowing users to easily access contact information for other users. But LDAP is more flexible than a traditional phone directory, as it is capable of referring a querent to other LDAP servers throughout the world, providing an ad-hoc global repository of information. Currently, however, LDAP is more commonly used within individual organizations, like universities, government departments, and private companies.
	</div><div class="para">
		LDAP is a client/server system. The server can use a variety of databases to store a directory, each optimized for quick and copious read operations. When an LDAP client application connects to an LDAP server, it can either query a directory or attempt to modify it. In the event of a query, the server either answers the query locally, or it can refer the querent to an LDAP server which does have the answer. If the client application is attempting to modify information within an LDAP directory, the server verifies that the user has permission to make the change and then adds or updates the information.
	</div><div class="para">
		This chapter refers to the configuration and use of OpenLDAP 2.0, an open source implementation of the LDAPv2 and LDAPv3 protocols.
	</div><div class="section" id="s1-ldap-adv"><div class="titlepage"><div><div><h2 class="title" id="s1-ldap-adv">26.1. Why Use LDAP?</h2></div></div></div><a id="id874457" class="indexterm"></a><div class="para">
			The main benefit of using LDAP is that information for an entire organization can be consolidated into a central repository. For example, rather than managing user lists for each group within an organization, LDAP can be used as a central directory accessible from anywhere on the network. And because LDAP supports Secure Sockets Layer (SSL) and Transport Layer Security (TLS), sensitive data can be protected from prying eyes.
		</div><div class="para">
			LDAP also supports a number of back-end databases in which to store directories. This allows administrators the flexibility to deploy the database best suited for the type of information the server is to disseminate. Because LDAP also has a well-defined client Application Programming Interface (API), the number of LDAP-enabled applications are numerous and increasing in quantity and quality.
		</div><div class="section" id="s1-ldap-v3"><div class="titlepage"><div><div><h3 class="title" id="s1-ldap-v3">26.1.1. OpenLDAP Features</h3></div></div></div><a id="id934711" class="indexterm"></a><div class="para">
				OpenLDAP includes a number of important features.
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="emphasis"><em>LDAPv3 Support</em></span> — OpenLDAP supports Simple Authentication and Security Layer (SASL), Transport Layer Security (TLS), and Secure Sockets Layer (SSL), among other improvements. Many of the changes in the protocol since LDAPv2 are designed to make LDAP more secure.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>IPv6 Support</em></span> — OpenLDAP supports the next generation Internet Protocol version 6.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>LDAP Over IPC</em></span> — OpenLDAP can communicate within a system using interprocess communication (IPC). This enhances security by eliminating the need to communicate over a network.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Updated C API</em></span> — Improves the way programmers can connect to and use LDAP directory servers.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>LDIFv1 Support</em></span> — Provides full compliance with the LDAP Data Interchange Format (LDIF) version 1.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Enhanced Stand-Alone LDAP Server</em></span> — Includes an updated access control system, thread pooling, better tools, and much more.
					</div></li></ul></div></div></div><div class="section" id="s1-ldap-terminology"><div class="titlepage"><div><div><h2 class="title" id="s1-ldap-terminology">26.2. LDAP Terminology</h2></div></div></div><a id="id984926" class="indexterm"></a><a id="id984940" class="indexterm"></a><div class="para">
			Any discussion of LDAP requires a basic understanding of a set of LDAP-specific terms:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<em class="firstterm">entry</em> — A single unit within an LDAP directory. Each entry is identified by its unique <em class="firstterm">Distinguished Name (DN)</em>.
				</div></li><li class="listitem"><div class="para">
					<em class="firstterm">attributes</em> — Information directly associated with an entry. For example, an organization could be represented as an LDAP entry. Attributes associated with the organization might include a fax number, an address, and so on. People can also be represented as entries in an LDAP directory, with common attributes such as the person's telephone number and email address.
				</div><div class="para">
					Some attributes are required, while other attributes are optional. An <em class="firstterm">objectclass</em> definition sets which attributes are required for each entry. Objectclass definitions are found in various schema files, located in the <code class="filename">/etc/openldap/schema/</code> directory. For more information, refer to <a class="xref" href="#s1-ldap-files-schemas">Section 26.5, “The <code class="filename">/etc/openldap/schema/</code> Directory”</a>.
				</div><div class="para">
					The assertion of an attribute and its corresponding value is also referred to as a <em class="firstterm">Relative Distinguished Name</em> (RDN). An RDN is only unique per entry, whereas a DN is globally unique.
				</div></li><li class="listitem"><div class="para">
					<em class="firstterm">LDIF</em> — The <em class="firstterm">LDAP Data Interchange Format</em> (LDIF) is an ASCII text representation of LDAP entries. Files used for importing data to LDAP servers must be in LDIF format. An LDIF entry looks similar to the following example:
				</div><pre class="screen">[&lt;<em class="replaceable"><code>id</code></em>&gt;] dn: &lt;<em class="replaceable"><code>distinguished name</code></em>&gt;
&lt;<em class="replaceable"><code>attrtype</code></em>&gt;: &lt;<em class="replaceable"><code>attrvalue</code></em>&gt;
&lt;<em class="replaceable"><code>attrtype</code></em>&gt;: &lt;<em class="replaceable"><code>attrvalue</code></em>&gt;
&lt;<em class="replaceable"><code>attrtype</code></em>&gt;: &lt;<em class="replaceable"><code>attrvalue</code></em>&gt;</pre><div class="para">
					Each entry can contain as many <code class="command">&lt;<em class="replaceable"><code>attrtype</code></em>&gt;: &lt;<em class="replaceable"><code>attrvalue</code></em>&gt;</code> pairs as needed. A blank line indicates the end of an entry.
				</div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
						All <code class="command">&lt;<em class="replaceable"><code>attrtype</code></em>&gt;</code> and <code class="command">&lt;<em class="replaceable"><code>attrvalue</code></em>&gt;</code> pairs <span class="emphasis"><em>must</em></span> be defined in a corresponding schema file to use this information.
					</div></div></div><div class="para">
					Any value enclosed within a <code class="command">&lt;</code> and a <code class="command">&gt;</code> is a variable and can be set whenever a new LDAP entry is created. This rule does not apply, however, to <code class="command">&lt;<em class="replaceable"><code>id</code></em>&gt;</code>. The <code class="command">&lt;<em class="replaceable"><code>id</code></em>&gt;</code> is a number determined by the application used to edit the entry.
				</div></li></ul></div></div><div class="section" id="s1-ldap-daemonsutils"><div class="titlepage"><div><div><h2 class="title" id="s1-ldap-daemonsutils">26.3. OpenLDAP Daemons and Utilities</h2></div></div></div><a id="id963885" class="indexterm"></a><a id="id963898" class="indexterm"></a><a id="id963916" class="indexterm"></a><a id="id963934" class="indexterm"></a><a id="id963950" class="indexterm"></a><a id="id963970" class="indexterm"></a><a id="id963986" class="indexterm"></a><a id="id972491" class="indexterm"></a><a id="id972507" class="indexterm"></a><a id="id972527" class="indexterm"></a><a id="id972543" class="indexterm"></a><a id="id972564" class="indexterm"></a><a id="id972580" class="indexterm"></a><a id="id972600" class="indexterm"></a><a id="id972616" class="indexterm"></a><a id="id892451" class="indexterm"></a><a id="id892467" class="indexterm"></a><a id="id892487" class="indexterm"></a><a id="id892504" class="indexterm"></a><a id="id892524" class="indexterm"></a><a id="id892540" class="indexterm"></a><a id="id892560" class="indexterm"></a><a id="id892577" class="indexterm"></a><a id="id892597" class="indexterm"></a><a id="id892613" class="indexterm"></a><div class="para">
			The suite of OpenLDAP libraries and tools are included within the following packages:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="filename">openldap</code> — Contains the libraries necessary to run the OpenLDAP server and client applications.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">openldap-clients</code> — Contains command line tools for viewing and modifying directories on an LDAP server.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">openldap-servers</code> — Contains the servers and other utilities necessary to configure and run an LDAP server.
				</div></li></ul></div><div class="para">
			There are two servers contained in the <code class="filename">openldap-servers</code> package: the <em class="firstterm">Standalone LDAP Daemon</em> (<code class="command">/usr/sbin/slapd</code>) and the <em class="firstterm">Standalone LDAP Update Replication Daemon</em> (<code class="command">/usr/sbin/slurpd</code>).
		</div><div class="para">
			The <code class="command">slapd</code> daemon is the standalone LDAP server while the <code class="command">slurpd</code> daemon is used to synchronize changes from one LDAP server to other LDAP servers on the network. The <code class="command">slurpd</code> daemon is only used when dealing with multiple LDAP servers.
		</div><div class="para">
			To perform administrative tasks, the <code class="filename">openldap-servers</code> package installs the following utilities into the <code class="filename">/usr/sbin/</code> directory:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="command">slapadd</code> — Adds entries from an LDIF file to an LDAP directory. For example, the command <code class="command">/usr/sbin/slapadd -l <em class="replaceable"><code>ldif-input</code></em></code> reads in the LDIF file, <code class="filename"><em class="replaceable"><code>ldif-input</code></em></code>, containing the new entries.
				</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
						Only the root user may use <code class="command">/usr/sbin/slapadd</code>. However, the directory server runs as the <code class="filename">ldap</code> user. Therefore the directory server is unable to modify any files created by <code class="command">slapadd</code>. To correct this issue, after using <code class="command">slapadd</code>, type the following command:
					</div><pre class="screen"><code class="command">chown -R ldap /var/lib/ldap</code></pre></div></div></li><li class="listitem"><div class="para">
					<code class="command">slapcat</code> — Pulls entries from an LDAP directory in the default format, <em class="firstterm">Sleepycat Software's Berkeley DB</em> system, and saves them in an LDIF file. For example, the command <code class="command">/usr/sbin/slapcat -l <em class="replaceable"><code>ldif-output</code></em></code> outputs an LDIF file called <code class="filename"><em class="replaceable"><code>ldif-output</code></em></code> containing the entries from the LDAP directory.
				</div></li><li class="listitem"><div class="para">
					<code class="command">slapindex</code> — Re-indexes the <code class="command">slapd</code> directory based on the current content. This tool should be run whenever indexing options within <code class="filename">/etc/openldap/slapd.conf</code> are changed.
				</div></li><li class="listitem"><div class="para">
					<code class="command">slappasswd</code> — Generates an encrypted user password value for use with <code class="command">ldapmodify</code> or the <code class="command">rootpw</code> value in the <code class="command">slapd</code> configuration file, <code class="filename">/etc/openldap/slapd.conf</code>. Execute the <code class="command">/usr/sbin/slappasswd</code> command to create the password.
				</div></li></ul></div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
				You must stop <code class="command">slapd</code> by issuing the <code class="command">/sbin/service ldap stop</code> command before using <code class="command">slapadd</code>, <code class="command">slapcat</code> or <code class="command">slapindex</code>. Otherwise, the integrity of the LDAP directory is at risk.
			</div></div></div><div class="para">
			For more information on using these utilities, refer to their respective man pages.
		</div><div class="para">
			The <code class="filename">openldap-clients</code> package installs tools into <code class="filename">/usr/bin/</code> which are used to add, modify, and delete entries in an LDAP directory. These tools include the following:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="command">ldapadd</code> — Adds entries to an LDAP directory by accepting input via a file or standard input; <code class="command">ldapadd</code> is actually a hard link to <code class="command">ldapmodify -a</code>.
				</div></li><li class="listitem"><div class="para">
					<code class="command">ldapdelete</code> — Deletes entries from an LDAP directory by accepting user input at a shell prompt or via a file.
				</div></li><li class="listitem"><div class="para">
					<code class="command">ldapmodify</code> — Modifies entries in an LDAP directory, accepting input via a file or standard input.
				</div></li><li class="listitem"><div class="para">
					<code class="command">ldappasswd</code> — Sets the password for an LDAP user.
				</div></li><li class="listitem"><div class="para">
					<code class="command">ldapsearch</code> — Searches for entries in an LDAP directory using a shell prompt.
				</div></li><li class="listitem"><div class="para">
					<code class="command">ldapcompare</code> — Opens a connection to an LDAP server, binds, and performs a comparison using specified parameters.
				</div></li><li class="listitem"><div class="para">
					<code class="command">ldapwhoami</code> — Opens a connection to an LDAP server, binds, and performs a <code class="command">whoami</code> operation.
				</div></li><li class="listitem"><div class="para">
					<code class="command">ldapmodrdn</code> — Opens a connection to an LDAP server, binds, and modifies the RDNs of entries.
				</div></li></ul></div><div class="para">
			With the exception of <code class="command">ldapsearch</code>, each of these utilities is more easily used by referencing a file containing the changes to be made rather than typing a command for each entry to be changed within an LDAP directory. The format of such a file is outlined in the man page for each utility.
		</div><div class="section" id="s2-ldap-pam-nss"><div class="titlepage"><div><div><h3 class="title" id="s2-ldap-pam-nss">26.3.1. NSS, PAM, and LDAP</h3></div></div></div><a id="id893043" class="indexterm"></a><a id="id893057" class="indexterm"></a><div class="para">
				In addition to the OpenLDAP packages, Red Hat Enterprise Linux includes a package called <code class="filename">nss_ldap</code>, which enhances LDAP's ability to integrate into both Linux and other UNIX environments.
			</div><div class="para">
				The <code class="filename">nss_ldap</code> package provides the following modules (where <em class="replaceable"><code>&lt;version&gt;</code></em> refers to the version of <code class="filename">libnss_ldap</code> in use):
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="filename">/lib/libnss_ldap-<em class="replaceable"><code>&lt;version&gt;</code></em>.so</code>
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/lib/security/pam_ldap.so</code>
					</div></li></ul></div><div class="para">
				The <code class="filename">nss_ldap</code> package provides the following modules for Itanium or AMD64 architectures:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="filename">/lib64/libnss_ldap-<em class="replaceable"><code>&lt;version&gt;</code></em>.so</code>
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/lib64/security/pam_ldap.so</code>
					</div></li></ul></div><div class="para">
				The <code class="filename">libnss_ldap-<em class="replaceable"><code>&lt;version&gt;</code></em>.so</code> module allows applications to look up users, groups, hosts, and other information using an LDAP directory via the <em class="firstterm">Nameservice Switch</em> (NSS) interface of <code class="command">glibc</code>. NSS allows applications to authenticate using LDAP in conjunction with the NIS name service and flat authentication files.
			</div><div class="para">
				The <code class="filename">pam_ldap</code> module allows PAM-aware applications to authenticate users using information stored in an LDAP directory. PAM-aware applications include console login, POP and IMAP mail servers, and Samba. By deploying an LDAP server on a network, all of these applications can authenticate using the same user ID and password combination, greatly simplifying administration.
			</div><div class="para">
				For more about configuring PAM, refer to <a class="xref" href="#ch-pam">Section 46.4, “Pluggable Authentication Modules (PAM)”</a> and the PAM man pages.
			</div></div><div class="section" id="s2-ldap-other-apps"><div class="titlepage"><div><div><h3 class="title" id="s2-ldap-other-apps">26.3.2. PHP4, LDAP, and the Apache HTTP Server</h3></div></div></div><a id="id893223" class="indexterm"></a><a id="id893236" class="indexterm"></a><div class="para">
				Red Hat Enterprise Linux includes a package containing an LDAP module for the PHP server-side scripting language.
			</div><div class="para">
				The <code class="filename">php-ldap</code> package adds LDAP support to the PHP4 HTML-embedded scripting language via the <code class="filename">/usr/lib/php4/ldap.so</code> module. This module allows PHP4 scripts to access information stored in an LDAP directory.
			</div><div class="para">
				Red Hat Enterprise Linux ships with the <code class="filename">mod_authz_ldap</code> module for the Apache HTTP Server. This module uses the short form of the distinguished name for a subject and the issuer of the client SSL certificate to determine the distinguished name of the user within an LDAP directory. It is also capable of authorizing users based on attributes of that user's LDAP directory entry, determining access to assets based on the user and group privileges of the asset, and denying access for users with expired passwords. The <code class="filename">mod_ssl</code> module is required when using the <code class="filename">mod_authz_ldap</code> module.
			</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					The <code class="filename">mod_authz_ldap</code> module does not authenticate a user to an LDAP directory using an encrypted password hash. This functionality is provided by the experimental <code class="filename">mod_auth_ldap</code> module, which is not included with Red Hat Enterprise Linux. Refer to the Apache Software Foundation website online at <a href="http://www.apache.org/">http://www.apache.org/</a> for details on the status of this module.
				</div></div></div></div><div class="section" id="s2-ldap-applications"><div class="titlepage"><div><div><h3 class="title" id="s2-ldap-applications">26.3.3. LDAP Client Applications</h3></div></div></div><a id="id893322" class="indexterm"></a><div class="para">
				There are graphical LDAP clients available which support creating and modifying directories, but they are <span class="emphasis"><em>not</em></span> included with Red Hat Enterprise Linux. One such application is <span class="application"><strong>LDAP Browser/Editor</strong></span> — A Java-based tool available online at <a href="http://www.iit.edu/~gawojar/ldap/">http://www.iit.edu/~gawojar/ldap/</a>.
			</div><div class="para">
				Other LDAP clients access directories as read-only, using them to reference, but not alter, organization-wide information. Some examples of such applications are Sendmail, <span class="application"><strong>Mozilla</strong></span>, <span class="application"><strong>Gnome Meeting</strong></span>, and <span class="application"><strong>Evolution</strong></span>.
			</div></div></div><div class="section" id="s1-ldap-files"><div class="titlepage"><div><div><h2 class="title" id="s1-ldap-files">26.4. OpenLDAP Configuration Files</h2></div></div></div><a id="id893382" class="indexterm"></a><a id="id893402" class="indexterm"></a><a id="id893422" class="indexterm"></a><a id="id893442" class="indexterm"></a><div class="para">
			OpenLDAP configuration files are installed into the <code class="filename">/etc/openldap/</code> directory. The following is a brief list highlighting the most important directories and files:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="filename">/etc/openldap/ldap.conf</code> — This is the configuration file for all <span class="emphasis"><em>client</em></span> applications which use the OpenLDAP libraries such as <code class="command">ldapsearch</code>, <code class="command">ldapadd</code>, Sendmail, <span class="application"><strong>Evolution</strong></span>, and <span class="application"><strong>Gnome Meeting</strong></span>.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">/etc/openldap/slapd.conf</code> — This is the configuration file for the <code class="command">slapd</code> daemon. Refer to <a class="xref" href="#s2-ldap-files-slapd-conf">Section 26.6.1, “Editing <code class="filename">/etc/openldap/slapd.conf</code>”</a> for more information.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">/etc/openldap/schema/</code> directory — This subdirectory contains the schema used by the <code class="command">slapd</code> daemon. Refer to <a class="xref" href="#s1-ldap-files-schemas">Section 26.5, “The <code class="filename">/etc/openldap/schema/</code> Directory”</a> for more information.
				</div></li></ul></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				If the <code class="filename">nss_ldap</code> package is installed, it creates a file named <code class="filename">/etc/ldap.conf</code>. This file is used by the PAM and NSS modules supplied by the <code class="filename">nss_ldap</code> package. Refer to <a class="xref" href="#s1-ldap-pam">Section 26.7, “Configuring a System to Authenticate Using OpenLDAP”</a> for more information.
			</div></div></div></div><div class="section" id="s1-ldap-files-schemas"><div class="titlepage"><div><div><h2 class="title" id="s1-ldap-files-schemas">26.5. The <code class="filename">/etc/openldap/schema/</code> Directory</h2></div></div></div><a id="id893592" class="indexterm"></a><div class="para">
			The <code class="filename">/etc/openldap/schema/</code> directory holds LDAP definitions, previously located in the <code class="filename">slapd.at.conf</code> and <code class="filename">slapd.oc.conf</code> files. The <code class="filename">/etc/openldap/schema/redhat/</code> directory holds customized schemas distributed by Red Hat for Red Hat Enterprise Linux.
		</div><div class="para">
			All <em class="firstterm">attribute syntax definitions</em> and <em class="firstterm">objectclass definitions</em> are now located in the different schema files. The various schema files are referenced in <code class="filename">/etc/openldap/slapd.conf</code> using <code class="filename">include</code> lines, as shown in this example:
		</div><pre class="screen">include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/nis.schema
include		/etc/openldap/schema/rfc822-MailMember.schema
include		/etc/openldap/schema/redhat/autofs.schema</pre><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
				Do not modify schema items defined in the schema files installed by OpenLDAP.
			</div></div></div><div class="para">
			It is possible to extend the schema used by OpenLDAP to support additional attribute types and object classes using the default schema files as a guide. To do this, create a <code class="filename">local.schema</code> file in the <code class="filename">/etc/openldap/schema/</code> directory. Reference this new schema within <code class="filename">slapd.conf</code> by adding the following line below the default <code class="filename">include</code> schema lines:
		</div><pre class="screen">include		/etc/openldap/schema/local.schema</pre><div class="para">
			Next, define new attribute types and object classes within the <code class="filename">local.schema</code> file. Many organizations use existing attribute types from the schema files installed by default and add new object classes to the <code class="filename">local.schema</code> file.
		</div><div class="para">
			Extending the schema to match certain specialized requirements is quite involved and beyond the scope of this chapter. Refer to <a href="http://www.openldap.org/doc/admin/schema.html">http://www.openldap.org/doc/admin/schema.html</a> for information.
		</div></div><div class="section" id="s1-ldap-quickstart"><div class="titlepage"><div><div><h2 class="title" id="s1-ldap-quickstart">26.6. OpenLDAP Setup Overview</h2></div></div></div><a id="id893730" class="indexterm"></a><div class="para">
			This section provides a quick overview for installing and configuring an OpenLDAP directory. For more details, refer to the following URLs:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<a href="http://www.openldap.org/doc/admin/quickstart.html">http://www.openldap.org/doc/admin/quickstart.html</a> — The <em class="citetitle">Quick-Start Guide</em> on the OpenLDAP website.
				</div></li><li class="listitem"><div class="para">
					<a href="http://www.tldp.org/HOWTO/LDAP-HOWTO/index.html">http://www.tldp.org/HOWTO/LDAP-HOWTO/index.html</a> — The <em class="citetitle">LDAP Linux HOWTO</em> from the Linux Documentation Project.
				</div></li></ul></div><div class="para">
			The basic steps for creating an LDAP server are as follows:
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					Install the <code class="filename">openldap</code>, <code class="filename">openldap-servers</code>, and <code class="filename">openldap-clients</code> RPMs.
				</div></li><li class="listitem"><div class="para">
					Edit the <code class="filename">/etc/openldap/slapd.conf</code> file to specify the LDAP domain and server. Refer to <a class="xref" href="#s2-ldap-files-slapd-conf">Section 26.6.1, “Editing <code class="filename">/etc/openldap/slapd.conf</code>”</a> for more information.
				</div></li><li class="listitem"><div class="para">
					Start <code class="command">slapd</code> with the command:
				</div><pre class="screen"><code class="command">service ldap start</code></pre><div class="para">
					After configuring LDAP, use <code class="command">chkconfig</code>, <code class="command">/usr/sbin/ntsysv</code>, or the <span class="application"><strong>Services Configuration Tool</strong></span> to configure LDAP to start at boot time. For more information about configuring services, refer to <a class="xref" href="#ch-services">Chapter 17, <em>Controlling Access to Services</em></a>.
				</div></li><li class="listitem"><div class="para">
					Add entries to an LDAP directory with <code class="command">ldapadd</code>.
				</div></li><li class="listitem"><div class="para">
					Use <code class="command">ldapsearch</code> to determine if <code class="command">slapd</code> is accessing the information correctly.
				</div></li><li class="listitem"><div class="para">
					At this point, the LDAP directory should be functioning properly and can be configured with LDAP-enabled applications.
				</div></li></ol></div><div class="section" id="s2-ldap-files-slapd-conf"><div class="titlepage"><div><div><h3 class="title" id="s2-ldap-files-slapd-conf">26.6.1. Editing <code class="filename">/etc/openldap/slapd.conf</code></h3></div></div></div><a id="id893929" class="indexterm"></a><div class="para">
				To use the <code class="command">slapd</code> LDAP server, modify its configuration file, <code class="filename">/etc/openldap/slapd.conf</code>, to specify the correct domain and server.
			</div><div class="para">
				The <code class="command">suffix</code> line names the domain for which the LDAP server provides information and should be changed from:
			</div><pre class="screen">suffix          "dc=your-domain,dc=com"</pre><div class="para">
				Edit it accordingly so that it reflects a fully qualified domain name. For example:
			</div><pre class="screen">suffix          "dc=example,dc=com"</pre><div class="para">
				The <code class="command">rootdn</code> entry is the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters set for operations on the LDAP directory. The <code class="command">rootdn</code> user can be thought of as the root user for the LDAP directory. In the configuration file, change the <code class="command">rootdn</code> line from its default value as in the following example:
			</div><pre class="screen">rootdn          "cn=root,dc=example,dc=com"</pre><div class="para">
				When populating an LDAP directory over a network, change the <code class="command">rootpw</code> line — replacing the default value with an encrypted password string. To create an encrypted password string, type the following command:
			</div><pre class="screen"><code class="command">slappasswd</code></pre><div class="para">
				When prompted, type and then re-type a password. The program prints the resulting encrypted password to the shell prompt.
			</div><div class="para">
				Next, copy the newly created encrypted password into the <code class="filename">/etc/openldap/slapd.conf</code> on one of the <code class="command">rootpw</code> lines and remove the hash mark (<code class="command">#</code>).
			</div><div class="para">
				When finished, the line should look similar to the following example:
			</div><pre class="screen">rootpw {SSHA}vv2y+i6V6esazrIv70xSSnNAJE18bb2u</pre><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
					LDAP passwords, including the <code class="command">rootpw</code> directive specified in <code class="filename">/etc/openldap/slapd.conf</code>, are sent over the network <span class="emphasis"><em>unencrypted</em></span>, unless TLS encryption is enabled.
				</div><div class="para">
					To enable TLS encryption, review the comments in <code class="filename">/etc/openldap/slapd.conf</code> and refer to the man page for <code class="filename">slapd.conf</code>.
				</div></div></div><div class="para">
				For added security, the <code class="command">rootpw</code> directive should be commented out after populating the LDAP directory by preceding it with a hash mark (<code class="command">#</code>).
			</div><div class="para">
				When using the <code class="command">/usr/sbin/slapadd</code> command line tool locally to populate the LDAP directory, use of the <code class="command">rootpw</code> directive is not necessary.
			</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					Only the root user can use <code class="command">/usr/sbin/slapadd</code>. However, the directory server runs as the <code class="filename">ldap</code> user. Therefore, the directory server is unable to modify any files created by <code class="command">slapadd</code>. To correct this issue, after using <code class="command">slapadd</code>, type the following command:
				</div><pre class="screen"><code class="command">chown -R ldap /var/lib/ldap</code></pre></div></div></div></div><div class="section" id="s1-ldap-pam"><div class="titlepage"><div><div><h2 class="title" id="s1-ldap-pam">26.7. Configuring a System to Authenticate Using OpenLDAP</h2></div></div></div><a id="id894147" class="indexterm"></a><div class="para">
			This section provides a brief overview of how to configure OpenLDAP user authentication. Unless you are an OpenLDAP expert, more documentation than is provided here is necessary. Refer to the references provided in <a class="xref" href="#s1-ldap-additional-resources">Section 26.9, “Additional Resources”</a> for more information.
		</div><a id="id894172" class="indexterm"></a><a id="id894190" class="indexterm"></a><a id="id953242" class="indexterm"></a><a id="id953261" class="indexterm"></a><a id="id953283" class="indexterm"></a><a id="id953306" class="indexterm"></a><a id="id953327" class="indexterm"></a><a id="id953344" class="indexterm"></a><div class="formalpara"><h5 class="formalpara" id="id953369">Install the Necessary LDAP Packages.</h5>
				First, make sure that the appropriate packages are installed on both the LDAP server and the LDAP client machines. The LDAP server needs the <code class="filename">openldap-servers</code> package.
			</div><div class="para">
			The <code class="filename">openldap</code>, <code class="filename">openldap-clients</code>, and <code class="filename">nss_ldap</code> packages need to be installed on all LDAP client machines.
		</div><div class="formalpara"><h5 class="formalpara" id="id953401">Edit the Configuration Files.</h5>
				<div class="itemizedlist"><ul><li class="listitem"><div class="para">
							On the server, edit the <code class="filename">/etc/openldap/slapd.conf</code> file on the LDAP server to make sure it matches the specifics of the organization. Refer to <a class="xref" href="#s2-ldap-files-slapd-conf">Section 26.6.1, “Editing <code class="filename">/etc/openldap/slapd.conf</code>”</a> for instructions about editing <code class="filename">slapd.conf</code>.
						</div></li><li class="listitem"><div class="para">
							On the client machines, both <code class="filename">/etc/ldap.conf</code> and <code class="filename">/etc/openldap/ldap.conf</code> need to contain the proper server and search base information for the organization.
						</div><div class="para">
							To do this, run the graphical <span class="application"><strong>Authentication Configuration Tool</strong></span> (<code class="command">system-config-authentication</code>) and select <span class="guilabel"><strong>Enable LDAP Support</strong></span> under the <span class="guilabel"><strong>User Information</strong></span> tab.
						</div><div class="para">
							It is also possible to edit these files by hand.
						</div></li><li class="listitem"><div class="para">
							On the client machines, the <code class="filename">/etc/nsswitch.conf</code> must be edited to use LDAP.
						</div><div class="para">
							To do this, run the <span class="application"><strong>Authentication Configuration Tool</strong></span> (<code class="command">system-config-authentication</code>) and select <span class="guilabel"><strong>Enable LDAP Support</strong></span> under the <span class="guilabel"><strong>User Information</strong></span> tab.
						</div><div class="para">
							If editing <code class="filename">/etc/nsswitch.conf</code> by hand, add <code class="command">ldap</code> to the appropriate lines.
						</div><div class="para">
							For example:
						</div><pre class="screen">passwd: files ldap
shadow: files ldap
group: files ldap</pre></li></ul></div>

</div><div class="section" id="s2-ldap-pamd"><div class="titlepage"><div><div><h3 class="title" id="s2-ldap-pamd">26.7.1. PAM and LDAP</h3></div></div></div><a id="id953537" class="indexterm"></a><a id="id953555" class="indexterm"></a><div class="para">
				To have standard PAM-enabled applications use LDAP for authentication, run the <span class="application"><strong>Authentication Configuration Tool</strong></span> (<code class="command">system-config-authentication</code>) and select <span class="guilabel"><strong>Enable LDAP Support</strong></span> under the <span class="guilabel"><strong>Authentication</strong></span> tab. For more about configuring PAM, refer to <a class="xref" href="#ch-pam">Section 46.4, “Pluggable Authentication Modules (PAM)”</a> and the PAM man pages.
			</div></div><div class="section" id="s2-ldap-migrate"><div class="titlepage"><div><div><h3 class="title" id="s2-ldap-migrate">26.7.2. Migrating Old Authentication Information to LDAP Format</h3></div></div></div><div class="para">
				The <code class="filename">/usr/share/openldap/migration/</code> directory contains a set of shell and Perl scripts for migrating authentication information into an LDAP format.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					Perl must be installed on the system to use these scripts.
				</div></div></div><div class="para">
				First, modify the <code class="filename">migrate_common.ph</code> file so that it reflects the correct domain. The default DNS domain should be changed from its default value to something like:
			</div><pre class="screen">$DEFAULT_MAIL_DOMAIN = "<em class="replaceable"><code>example</code></em>";</pre><div class="para">
				The default base should also be changed to something like:
			</div><pre class="screen">$DEFAULT_BASE = "dc=<em class="replaceable"><code>example</code></em>,dc=<em class="replaceable"><code>com</code></em>";</pre><div class="para">
				The job of migrating a user database into a format that is LDAP readable falls to a group of migration scripts installed in the same directory. Using <a class="xref" href="#tb-ldap-migratescripts">Table 26.1, “LDAP Migration Scripts”</a>, decide which script to run to migrate the user database.
			</div><div class="para">
				Run the appropriate script based on the existing name service.
			</div><div class="para">
				The <code class="filename">README</code> and the <code class="filename">migration-tools.txt</code> files in the <code class="filename">/usr/share/openldap/migration/</code> directory provide more details on how to migrate the information.
			</div><div class="table" id="tb-ldap-migratescripts"><h6>Table 26.1. LDAP Migration Scripts</h6><div class="table-contents"><table summary="LDAP Migration Scripts" border="1"><colgroup><col width="30%" class="existing" /><col width="20%" class="running" /><col width="50%" class="use" /></colgroup><thead><tr><th>
								Existing name service
							</th><th>
								Is LDAP running?
							</th><th>
								Script to Use
							</th></tr></thead><tbody><tr><td>
								<code class="filename">/etc</code> flat files
							</td><td>
								yes
							</td><td>
								<code class="filename">migrate_all_online.sh</code>
							</td></tr><tr><td>
								<code class="filename">/etc</code> flat files
							</td><td>
								no
							</td><td>
								<code class="filename">migrate_all_offline.sh</code>
							</td></tr><tr><td>
								NetInfo
							</td><td>
								yes
							</td><td>
								<code class="filename">migrate_all_netinfo_online.sh</code>
							</td></tr><tr><td>
								NetInfo
							</td><td>
								no
							</td><td>
								<code class="filename">migrate_all_netinfo_offline.sh</code>
							</td></tr><tr><td>
								NIS (YP)
							</td><td>
								yes
							</td><td>
								<code class="filename">migrate_all_nis_online.sh</code>
							</td></tr><tr><td>
								NIS (YP)
							</td><td>
								no
							</td><td>
								<code class="filename">migrate_all_nis_offline.sh</code>
							</td></tr></tbody></table></div></div><br class="table-break" /></div></div><div class="section" id="s1-ldap-migrate"><div class="titlepage"><div><div><h2 class="title" id="s1-ldap-migrate">26.8. Migrating Directories from Earlier Releases</h2></div></div></div><a id="id953902" class="indexterm"></a><a id="id953920" class="indexterm"></a><div class="para">
			With Red Hat Enterprise Linux, OpenLDAP uses Sleepycat Software's Berkeley DB system as its on-disk storage format for directories. Earlier versions of OpenLDAP used <em class="firstterm">GNU Database Manager</em> (<em class="firstterm">gdbm</em>). For this reason, before upgrading an LDAP implementation to Red Hat Enterprise Linux 5.8, original LDAP data should first be exported before the upgrade, and then reimported afterwards. This can be achieved by performing the following steps:
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					Before upgrading the operating system, run the command <code class="command">/usr/sbin/slapcat -l <em class="replaceable"><code>ldif-output</code></em></code>. This outputs an LDIF file called <code class="filename"><em class="replaceable"><code>ldif-output</code></em></code> containing the entries from the LDAP directory.
				</div></li><li class="listitem"><div class="para">
					Upgrade the operating system, being careful not to reformat the partition containing the LDIF file.
				</div></li><li class="listitem"><div class="para">
					Re-import the LDAP directory to the upgraded Berkeley DB format by executing the command <code class="command">/usr/sbin/slapadd -l <em class="replaceable"><code>ldif-output</code></em></code>.
				</div></li></ol></div></div><div class="section" id="s1-ldap-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-ldap-additional-resources">26.9. Additional Resources</h2></div></div></div><a id="id954013" class="indexterm"></a><div class="para">
			The following resources offer additional information on LDAP. It is highly recommended that you review these, especially the OpenLDAP website and the LDAP HOWTO, before configuring LDAP on your system(s).
		</div><div class="section" id="s2-ldap-installed-docs"><div class="titlepage"><div><div><h3 class="title" id="s2-ldap-installed-docs">26.9.1. Installed Documentation</h3></div></div></div><a id="id954043" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="filename">/usr/share/docs/openldap-<em class="replaceable"><code>&lt;versionnumber&gt;</code></em>/</code> directory — Contains a general <code class="filename">README</code> document and miscellaneous information.
					</div></li><li class="listitem"><div class="para">
						LDAP related man pages — There are a number of man pages for the various applications and configuration files involved with LDAP. The following is a list of some of the more important man pages.
					</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">Client Applications</span></dt><dd><div class="itemizedlist"><ul><li class="listitem"><div class="para">
											<code class="command">man ldapadd</code> — Describes how to add entries to an LDAP directory.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man ldapdelete</code> — Describes how to delete entries within an LDAP directory.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man ldapmodify</code> — Describes how to modify entries within an LDAP directory.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man ldapsearch</code> — Describes how to search for entries within an LDAP directory.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man ldappasswd</code> — Describes how to set or change the password of an LDAP user.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man ldapcompare</code> — Describes how to use the <code class="command">ldapcompare</code> tool.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man ldapwhoami</code> — Describes how to use the <code class="command">ldapwhoami</code> tool.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man ldapmodrdn</code> — Describes how to modify the RDNs of entries.
										</div></li></ul></div></dd><dt class="varlistentry"><span class="term">Server Applications</span></dt><dd><div class="itemizedlist"><ul><li class="listitem"><div class="para">
											<code class="command">man slapd</code> — Describes command line options for the LDAP server.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man slurpd</code> — Describes command line options for the LDAP replication server.
										</div></li></ul></div></dd><dt class="varlistentry"><span class="term">Administrative Applications</span></dt><dd><div class="itemizedlist"><ul><li class="listitem"><div class="para">
											<code class="command">man slapadd</code> — Describes command line options used to add entries to a <code class="command">slapd</code> database.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man slapcat</code> — Describes command line options used to generate an LDIF file from a <code class="command">slapd</code> database.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man slapindex</code> — Describes command line options used to regenerate an index based upon the contents of a <code class="command">slapd</code> database.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man slappasswd</code> — Describes command line options used to generate user passwords for LDAP directories.
										</div></li></ul></div></dd><dt class="varlistentry"><span class="term">Configuration Files</span></dt><dd><div class="itemizedlist"><ul><li class="listitem"><div class="para">
											<code class="command">man ldap.conf</code> — Describes the format and options available within the configuration file for LDAP clients.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man slapd.conf</code> — Describes the format and options available within the configuration file referenced by both the LDAP server applications (<code class="command">slapd</code> and <code class="command">slurpd</code>) and the LDAP administrative tools (<code class="command">slapadd</code>, <code class="command">slapcat</code>, and <code class="command">slapindex</code>).
										</div></li></ul></div></dd></dl></div></li></ul></div></div><div class="section" id="s2-ldap-additional-resources-web"><div class="titlepage"><div><div><h3 class="title" id="s2-ldap-additional-resources-web">26.9.2. Useful Websites</h3></div></div></div><a id="id954410" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://www.openldap.org">http://www.openldap.org/</a> — Home of the OpenLDAP Project. This website contains a wealth of information about configuring OpenLDAP as well as a future roadmap and version changes.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.padl.com">http://www.padl.com/</a> — Developers of <code class="filename">nss_ldap</code> and <code class="filename">pam_ldap</code>, among other useful LDAP tools.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.kingsmountain.com/ldapRoadmap.shtml">http://www.kingsmountain.com/ldapRoadmap.shtml</a> — Jeff Hodges' LDAP Road Map contains links to several useful FAQs and emerging news concerning the LDAP protocol.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.ldapman.org/articles/">http://www.ldapman.org/articles/</a> — Articles that offer a good introduction to LDAP, including methods to design a directory tree and customizing directory structures.
					</div></li></ul></div></div><div class="section" id="s2-ldap-related-books"><div class="titlepage"><div><div><h3 class="title" id="s2-ldap-related-books">26.9.3. Related Books</h3></div></div></div><a id="id954521" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<em class="citetitle">OpenLDAP by Example</em> by John Terpstra and Benjamin Coles; Prentice Hall.
					</div></li><li class="listitem"><div class="para">
						<em class="citetitle">Implementing LDAP</em> by Mark Wilcox; Wrox Press, Inc.
					</div></li><li class="listitem"><div class="para">
						<em class="citetitle">Understanding and Deploying LDAP Directory Services</em> by Tim Howes et al.; Macmillan Technical Publishing.
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-authconfig" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 27. Authentication Configuration</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-authconfig-user-info">27.1. User Information</a></span></dt><dt><span class="section"><a href="#s1-authconfig-auth">27.2. Authentication</a></span></dt><dt><span class="section"><a href="#authconfig-options">27.3. Options</a></span></dt><dt><span class="section"><a href="#s1-authconfig-command-line">27.4. Command Line Version</a></span></dt></dl></div><a id="id874988" class="indexterm"></a><a id="id872908" class="indexterm"></a><div class="para">
		When a user logs in to a Red Hat Enterprise Linux system, the username and password combination must be verified, or <em class="firstterm">authenticated</em>, as a valid and active user. Sometimes the information to verify the user is located on the local system, and other times the system defers the authentication to a user database on a remote system.
	</div><div class="para">
		The <span class="application"><strong>Authentication Configuration Tool</strong></span> provides a graphical interface for configuring user information retrieval from NIS, LDAP, and Hesiod servers. This tool also allows you to configure LDAP, Kerberos, and SMB as authentication protocols.
	</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
			If you configured a medium or high security level during installation (or with the <span class="application"><strong>Security Level Configuration Tool</strong></span>), then the firewall will prevent NIS (Network Information Service) authentication.
		</div></div></div><div class="para">
		This chapter does not explain each of the different authentication types in detail. Instead, it explains how to use the <span class="application"><strong>Authentication Configuration Tool</strong></span> to configure them.
	</div><a id="id918342" class="indexterm"></a><a id="id872715" class="indexterm"></a><div class="para">
		To start the graphical version of the <span class="application"><strong>Authentication Configuration Tool</strong></span> from the desktop, select the System (on the panel) &gt; <span class="guimenuitem"><strong>Administration</strong></span> &gt; <span class="guimenuitem"><strong>Authentication</strong></span> or type the command <code class="command">system-config-authentication</code> at a shell prompt (for example, in an <span class="application"><strong>XTerm</strong></span> or a <span class="application"><strong>GNOME</strong></span> terminal).
	</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
			After exiting the authentication program, the changes made take effect immediately.
		</div></div></div><div class="section" id="s1-authconfig-user-info"><div class="titlepage"><div><div><h2 class="title" id="s1-authconfig-user-info">27.1. User Information</h2></div></div></div><a id="id993626" class="indexterm"></a><div class="para">
			The <span class="guilabel"><strong>User Information</strong></span> tab allows you to configure how users should be authenticated, and has several options. To enable an option, click the empty checkbox beside it. To disable an option, click the checkbox beside it to clear the checkbox. Click <span class="guibutton"><strong>OK</strong></span> to exit the program and apply the changes.
		</div><div class="figure" id="fig-authconfig-user-info"><div class="figure-contents"><div class="mediaobject"><img src="images/authconfig-user-info.png" alt="User Information" /><div class="longdesc"><div class="para">
						User Information
					</div></div></div></div><h6>Figure 27.1. <span class="guilabel">User Information</span></h6></div><br class="figure-break" /><div class="para">
			The following list explains what each option configures:
		</div><div class="formalpara" id="authconfig-user-info-nis"><h5 class="formalpara">NIS</h5><a id="id886989" class="indexterm"></a><a id="id887009" class="indexterm"></a>
				The <span class="guilabel"><strong>Enable NIS Support</strong></span> option configures the system to connect to an NIS server (as an NIS client) for user and password authentication. Click the <span class="guibutton"><strong>Configure NIS...</strong></span> button to specify the NIS domain and NIS server. If the NIS server is not specified, the daemon attempts to find it via broadcast.
			</div><a id="id887137" class="indexterm"></a><div class="para">
			The <code class="filename">ypbind</code> package must be installed for this option to work. If NIS support is enabled, the <code class="command">portmap</code> and <code class="command">ypbind</code> services are started and are also enabled to start at boot time.
		</div><div class="para">
			For more information about NIS, refer to <a class="xref" href="#s1-server-nis">Section 46.2.3, “Securing NIS”</a>.
		</div><div class="formalpara" id="authconfig-user-info-ldap"><h5 class="formalpara">LDAP</h5><a id="id887180" class="indexterm"></a><a id="id963381" class="indexterm"></a><a id="id963393" class="indexterm"></a><a id="id963402" class="indexterm"></a>
				The <span class="guilabel"><strong>Enable LDAP Support</strong></span> option instructs the system to retrieve user information via LDAP. Click the <span class="guibutton"><strong>Configure LDAP...</strong></span> button to specify the following: 
				<div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<span class="guilabel"><strong>LDAP Search Base DN</strong></span> — Specifies that user information should be retrieved using the listed Distinguished Name (DN).
						</div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>LDAP Server</strong></span> — Specifies the IP address of the LDAP server.
						</div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Use TLS to encrypt connections</strong></span> — When enabled, Transport Layer Security will be used to encrypt passwords sent to the LDAP server. The <span class="guibutton"><strong>Download CA Certificate</strong></span> option allows you to specify a URL from which to download a valid <em class="firstterm">CA (Certificate Authority) Certificate</em>. A valid CA Certificate must be in PEM (Privacy Enhanced Mail) format.
						</div><div class="para">
							For more information about CA Certificates, refer to <a class="xref" href="#s2-secureserver-overview-certs">Section 23.8.2, “An Overview of Certificates and Security”</a>.
						</div></li></ul></div>

</div><div class="para">
			The <code class="filename">openldap-clients</code> package must be installed for this option to work.
		</div><div class="para">
			For more information about LDAP, refer to <a class="xref" href="#ch-ldap">Chapter 26, <em>Lightweight Directory Access Protocol (LDAP)</em></a>.
		</div><div class="formalpara" id="authconfig-user-info-hesiod"><h5 class="formalpara">Hesiod</h5><a id="id972383" class="indexterm"></a><a id="id972403" class="indexterm"></a>
				The <span class="guilabel"><strong>Enable Hesiod Support</strong></span> option configures the system to retrieve information (including user information) from a remote Hesiod database. Click the <span class="guibutton"><strong>Configure Hesiod...</strong></span> button to specify the following: 
				<div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Hesiod LHS</strong></span> — Specifies the domain prefix used for Hesiod queries.
						</div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Hesiod RHS</strong></span> — Specifies the default Hesiod domain.
						</div></li></ul></div>

</div><div class="para">
			The <code class="filename">hesiod</code> package must be installed for this option to work.
		</div><div class="para">
			For more information about Hesiod, refer to its man page using the command <code class="command">man hesiod</code>. You can also refer to the <code class="filename">hesiod.conf</code> man page (<code class="command">man hesiod.conf</code>) for more information on LHS and RHS.
		</div><div class="formalpara" id="authconfig-user-info-winbind"><h5 class="formalpara">Winbind</h5><a id="id972060" class="indexterm"></a>
				The <span class="guilabel"><strong>Enable Winbind Support</strong></span> option configures the system to connect to a Windows Active Directory or a Windows domain controller. User information from the specified directory or domain controller can then be accessed, and server authentication options can be configured. Click the <span class="guibutton"><strong>Configure Winbind...</strong></span> button to specify the following: 
				<div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Winbind Domain</strong></span> — Specifies the Windows Active Directory or domain controller to connect to.
						</div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Security Model</strong></span> — Allows you to select a security model, which configures how clients should respond to Samba. The drop-down list allows you select any of the following: 
							<div class="itemizedlist"><ul><li class="listitem"><div class="para">
										<span class="guilabel"><strong>user</strong></span> — This is the default mode. With this level of security, a client must first log in with a valid username and password. Encrypted passwords can also be used in this security mode.
									</div></li><li class="listitem"><div class="para">
										<span class="guilabel"><strong>server</strong></span> — In this mode, Samba will attempt to validate the username/password by authenticating it through another SMB server (for example, a Windows NT Server). If the attempt fails, the <span class="guilabel"><strong>user</strong></span> mode will take effect instead.
									</div></li><li class="listitem"><div class="para">
										<span class="guilabel"><strong>domain</strong></span> — In this mode, Samba will attempt to validate the username/password by authenticating it through a Windows NT Primary or Backup Domain Controller, similar to how a Windows NT Server would.
									</div></li><li class="listitem"><div class="para">
										<span class="guilabel"><strong>ads</strong></span> — This mode instructs Samba to act as a domain member in an Active Directory Server (ADS) realm. To operate in this mode, the <code class="filename">krb5-server</code> package must be installed, and Kerberos must be configured properly.
									</div></li></ul></div>

</div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Winbind ADS Realm</strong></span> — When the <span class="guilabel"><strong>ads</strong></span> Security Model is selected, this allows you to specify the ADS Realm the Samba server should act as a domain member of.
						</div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Winbind Domain Controllers</strong></span> — Use this option to specify which domain controller <code class="command">winbind</code> should use. For more information about domain controllers, please refer to <a class="xref" href="#s2-samba-domain-controller">Section 21.6.3, “Domain Controller”</a>.
						</div></li><li class="listitem"><div class="para">
							<span class="guilabel"><strong>Template Shell</strong></span> — When filling out the user information for a Windows NT user, the <code class="command">winbindd</code> daemon uses the value chosen here to to specify the login shell for that user.
						</div></li></ul></div>

</div><div class="para">
			For more information about the <code class="command">winbind</code> service, refer to <a class="xref" href="#s3-samba-daemon-winbindd"> <code class="command">winbindd</code> </a> under <a class="xref" href="#s1-samba-daemons">Section 21.2, “Samba Daemons and Related Services”</a>.
		</div></div><div class="section" id="s1-authconfig-auth"><div class="titlepage"><div><div><h2 class="title" id="s1-authconfig-auth">27.2. Authentication</h2></div></div></div><a id="id954702" class="indexterm"></a><div class="para">
			The <span class="guilabel"><strong>Authentication</strong></span> tab allows for the configuration of network authentication methods. To enable an option, click the empty checkbox beside it. To disable an option, click the checkbox beside it to clear the checkbox.
		</div><div class="figure" id="fig-authconfig-auth"><div class="figure-contents"><div class="mediaobject"><img src="images/authconfig-auth.png" alt="Authentication" /><div class="longdesc"><div class="para">
						Authentication
					</div></div></div></div><h6>Figure 27.2. <span class="guilabel">Authentication</span></h6></div><br class="figure-break" /><div class="para">
			The following explains what each option configures:
		</div><div class="formalpara" id="authconfig-auth-info-kerberos"><h5 class="formalpara">Kerberos</h5><a id="id954776" class="indexterm"></a><a id="id954796" class="indexterm"></a>
				The <span class="guilabel"><strong>Enable Kerberos Support</strong></span> option enables Kerberos authentication. Click the <span class="guibutton"><strong>Configure Kerberos...</strong></span> button to open the <span class="guimenu"><strong>Kerberos Settings</strong></span> dialogue and configure the following:
			</div><div class="para">
			<div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Realm</strong></span> — Configures the realm for the Kerberos server. The realm is the network that uses Kerberos, composed of one or more KDCs and a potentially large number of clients.
					</div></li><li class="listitem"><div class="para">
						<span class="guilabel"><strong>KDC</strong></span> — Defines the Key Distribution Center (KDC), which is the server that issues Kerberos tickets.
					</div></li><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Admin Servers</strong></span> — Specifies the administration server(s) running <code class="command">kadmind</code>.
					</div></li></ul></div>

</div><div class="para">
			The <span class="guimenu"><strong>Kerberos Settings</strong></span> dialogue also allows you to use DNS to resolve hosts to realms and locate KDCs for realms.
		</div><div class="para">
			The <code class="filename">krb5-libs</code> and <code class="filename">krb5-workstation</code> packages must be installed for this option to work. For more information about Kerberos, refer to <a class="xref" href="#ch-kerberos">Section 46.6, “Kerberos”</a>.
		</div><div class="formalpara" id="authconfig-auth-info-ldap"><h5 class="formalpara">LDAP</h5><a id="id954905" class="indexterm"></a><a id="id954925" class="indexterm"></a><a id="id954935" class="indexterm"></a>
				The <span class="guilabel"><strong>Enable LDAP Support</strong></span> option instructs standard PAM-enabled applications to use LDAP for authentication. The <span class="guibutton"><strong>Configure LDAP...</strong></span> button allows you to configure LDAP support with options identical to those present in <span class="guilabel"><strong>Configure LDAP...</strong></span> under the <span class="guimenu"><strong>User Information</strong></span> tab. For more information about these options, refer to <a class="xref" href="#s1-authconfig-user-info">Section 27.1, “User Information”</a>.
			</div><div class="para">
			The <code class="filename">openldap-clients</code> package must be installed for this option to work.
		</div><div class="formalpara" id="authconfig-auth-info-smartcard"><h5 class="formalpara">Smart Card</h5><a id="id955008" class="indexterm"></a><a id="id955028" class="indexterm"></a>
				The <span class="guilabel"><strong>Enable Smart Card Support</strong></span> option enables Smart Card authentication. This allows users to log in using a certificate and key associated stored on a smart card. Click the <span class="guibutton"><strong>Configure Smart Card...</strong></span> button for more options.
			</div><div class="para">
			The <code class="filename">pam_pkcs11</code> and <code class="filename">coolkey</code> packages must be installed for this option to work. For more information about smart cards, refer to <a class="xref" href="#sso-supported-cards">Section 46.3.1.3, “Supported Smart Cards”</a> under <a class="xref" href="#sso-ov">Section 46.3, “Single Sign-on (SSO)”</a>.
		</div><div class="formalpara"><h5 class="formalpara" id="id955072">SMB</h5><a id="id955079" class="indexterm"></a><a id="id955099" class="indexterm"></a>
				The <span class="guilabel"><strong>Enable SMB Support</strong></span> option configures PAM to use a Server Message Block (SMB) server to authenticate users. SMB refers to a client-server protocol used for cross-system communication; it is also the protocol used by Samba to appear as a Windows server to Windows clients. Click the <span class="guibutton"><strong>Configure SMB...</strong></span> button to specify the following:
			</div><div class="para">
			<div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Workgroup</strong></span> — Specifies the SMB workgroup to use.
					</div></li><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Domain Controllers</strong></span> — Specifies the SMB domain controllers to use.
					</div></li></ul></div>

</div><div class="formalpara" id="authconfig-auth-info-winbind"><h5 class="formalpara">Winbind</h5><a id="id822654" class="indexterm"></a>
				The <span class="guilabel"><strong>Enable Winbind Support</strong></span> option configures the system to connect to a Windows Active Directory or a Windows domain controller. User information from the specified directory or domain controller can then be accessed, and server authentication options can be configured.
			</div><div class="para">
			The <span class="guibutton"><strong>Configure Winbind...</strong></span> options are identical to those in the <span class="guibutton"><strong>Configure Winbind...</strong></span> button on the <span class="guilabel"><strong>User Information</strong></span> tab. Please refer to <a class="xref" href="#authconfig-user-info-winbind">Winbind</a> (under <a class="xref" href="#s1-authconfig-user-info">Section 27.1, “User Information”</a>) for more information.
		</div></div><div class="section" id="authconfig-options"><div class="titlepage"><div><div><h2 class="title" id="authconfig-options">27.3. Options</h2></div></div></div><a id="id822733" class="indexterm"></a><div class="para">
			This tab allows other configuration options, as listed below.
		</div><div class="figure" id="fig-authconfig-options"><div class="figure-contents"><div class="mediaobject"><img src="images/authconfig-options.png" alt="Options" /><div class="longdesc"><div class="para">
						Options
					</div></div></div></div><h6>Figure 27.3. <span class="guilabel">Options</span></h6></div><br class="figure-break" /><div class="formalpara"><h5 class="formalpara" id="id822787"><span class="guilabel"><strong>Cache User Information</strong></span></h5><a id="id822795" class="indexterm"></a>
				Select this option to enable the name service cache daemon (<code class="command">nscd</code>) and configure it to start at boot time.
			</div><div class="para">
			The <code class="command">nscd</code> package must be installed for this option to work. For more information about <code class="command">nscd</code>, refer to its man page using the command <code class="command">man nscd</code>.
		</div><div class="formalpara"><h5 class="formalpara" id="id822839"><span class="guilabel"><strong>Use Shadow Passwords</strong></span></h5><a id="id822847" class="indexterm"></a><a id="id822868" class="indexterm"></a>
				Select this option to store passwords in shadow password format in the <code class="filename">/etc/shadow</code> file instead of <code class="filename">/etc/passwd</code>. Shadow passwords are enabled by default during installation and are highly recommended to increase the security of the system.
			</div><div class="para">
			The <code class="command">shadow-utils</code> package must be installed for this option to work. For more information about shadow passwords, refer to <a class="xref" href="#s1-users-groups-shadow-utilities">Section 35.6, “Shadow Passwords”</a>.
		</div><div class="formalpara"><h5 class="formalpara" id="id822906"><span class="guilabel"><strong>Use MD5 Passwords</strong></span></h5><a id="id822914" class="indexterm"></a><a id="id822935" class="indexterm"></a>
				Select this option to enable MD5 passwords, which allows passwords to be up to 256 characters instead of eight characters or less. It is selected by default during installation and is highly recommended for increased security.
			</div><div class="formalpara"><h5 class="formalpara" id="id822953"><span class="guilabel"><strong>Local authorization is sufficient for local users</strong></span></h5><a id="id822961" class="indexterm"></a><a id="id822982" class="indexterm"></a>
				When this option is enabled, the system will not check authorization from network services (such as LDAP or Kerberos) for user accounts maintained in its <code class="filename">/etc/passwd</code> file.
			</div><div class="formalpara"><h5 class="formalpara" id="id823001"><span class="guilabel"><strong>Authenticate system accounts by network services</strong></span></h5><a id="id823009" class="indexterm"></a><a id="id823029" class="indexterm"></a>
				Enabling this option configures the system to allow network services (such as LDAP or Kerberos) to authenticate system accounts (including root) in the machine.
			</div></div><div class="section" id="s1-authconfig-command-line"><div class="titlepage"><div><div><h2 class="title" id="s1-authconfig-command-line">27.4. Command Line Version</h2></div></div></div><a id="id823056" class="indexterm"></a><div class="para">
			The <span class="application"><strong>Authentication Configuration Tool</strong></span> can also be run as a command line tool with no interface. The command line version can be used in a configuration script or a kickstart script. The authentication options are summarized in <a class="xref" href="#tb-authconfig-cmd-line">Table 27.1, “Command Line Options”</a>.
		</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
				These options can also be found in the <code class="command">authconfig</code> man page or by typing <code class="command">authconfig --help</code> at a shell prompt.
			</div></div></div><div class="table" id="tb-authconfig-cmd-line"><h6>Table 27.1. Command Line Options</h6><div class="table-contents"><table summary="Command Line Options" border="1"><colgroup><col width="60%" class="option" /><col width="40%" class="description" /></colgroup><thead><tr><th>
							Option
						</th><th>
							Description
						</th></tr></thead><tbody><tr><td>
							<code class="command">--enableshadow</code>
						</td><td>
							Enable shadow passwords
						</td></tr><tr><td>
							<code class="command">--disableshadow</code>
						</td><td>
							Disable shadow passwords
						</td></tr><tr><td>
							<code class="command">--enablemd5</code>
						</td><td>
							Enable MD5 passwords
						</td></tr><tr><td>
							<code class="command">--disablemd5</code>
						</td><td>
							Disable MD5 passwords
						</td></tr><tr><td>
							<code class="command">--enablenis</code>
						</td><td>
							Enable NIS
						</td></tr><tr><td>
							<code class="command">--disablenis</code>
						</td><td>
							Disable NIS
						</td></tr><tr><td>
							<code class="command">--nisdomain=<em class="replaceable"><code>&lt;domain&gt;</code></em></code>
						</td><td>
							Specify NIS domain
						</td></tr><tr><td>
							<code class="command">--nisserver=<em class="replaceable"><code>&lt;server&gt;</code></em></code>
						</td><td>
							Specify NIS server
						</td></tr><tr><td>
							<code class="command">--enableldap</code>
						</td><td>
							Enable LDAP for user information
						</td></tr><tr><td>
							<code class="command">--disableldap</code>
						</td><td>
							Disable LDAP for user information
						</td></tr><tr><td>
							<code class="command">--enableldaptls</code>
						</td><td>
							Enable use of TLS with LDAP
						</td></tr><tr><td>
							<code class="command">--disableldaptls</code>
						</td><td>
							Disable use of TLS with LDAP
						</td></tr><tr><td>
							<code class="command">--enableldapauth</code>
						</td><td>
							Enable LDAP for authentication
						</td></tr><tr><td>
							<code class="command">--disableldapauth</code>
						</td><td>
							Disable LDAP for authentication
						</td></tr><tr><td>
							<code class="command">--ldapserver=<em class="replaceable"><code>&lt;server&gt;</code></em></code>
						</td><td>
							Specify LDAP server
						</td></tr><tr><td>
							<code class="command">--ldapbasedn=<em class="replaceable"><code>&lt;dn&gt;</code></em></code>
						</td><td>
							Specify LDAP base DN
						</td></tr><tr><td>
							<code class="command">--enablekrb5</code>
						</td><td>
							Enable Kerberos
						</td></tr><tr><td>
							<code class="command">--disablekrb5</code>
						</td><td>
							Disable Kerberos
						</td></tr><tr><td>
							<code class="command">--krb5kdc=<em class="replaceable"><code>&lt;kdc&gt;</code></em></code>
						</td><td>
							Specify Kerberos KDC
						</td></tr><tr><td>
							<code class="command">--krb5adminserver=<em class="replaceable"><code>&lt;server&gt;</code></em></code>
						</td><td>
							Specify Kerberos administration server
						</td></tr><tr><td>
							<code class="command">--krb5realm=<em class="replaceable"><code>&lt;realm&gt;</code></em></code>
						</td><td>
							Specify Kerberos realm
						</td></tr><tr><td>
							<code class="command">--enablekrb5kdcdns</code>
						</td><td>
							Enable use of DNS to find Kerberos KDCs
						</td></tr><tr><td>
							<code class="command">--disablekrb5kdcdns</code>
						</td><td>
							Disable use of DNS to find Kerberos KDCs
						</td></tr><tr><td>
							<code class="command">--enablekrb5realmdns</code>
						</td><td>
							Enable use of DNS to find Kerberos realms
						</td></tr><tr><td>
							<code class="command">--disablekrb5realmdns</code>
						</td><td>
							Disable use of DNS to find Kerberos realms
						</td></tr><tr><td>
							<code class="command">--enablesmbauth</code>
						</td><td>
							Enable SMB
						</td></tr><tr><td>
							<code class="command">--disablesmbauth</code>
						</td><td>
							Disable SMB
						</td></tr><tr><td>
							<code class="command">--smbworkgroup=<em class="replaceable"><code>&lt;workgroup&gt;</code></em></code>
						</td><td>
							Specify SMB workgroup
						</td></tr><tr><td>
							<code class="command">--smbservers=<em class="replaceable"><code>&lt;server&gt;</code></em></code>
						</td><td>
							Specify SMB servers
						</td></tr><tr><td>
							<code class="command">--enablewinbind</code>
						</td><td>
							Enable winbind for user information by default
						</td></tr><tr><td>
							<code class="command">--disablewinbind</code>
						</td><td>
							Disable winbind for user information by default
						</td></tr><tr><td>
							<code class="command">--enablewinbindauth</code>
						</td><td>
							Enable winbindauth for authentication by default
						</td></tr><tr><td>
							<code class="command">--disablewinbindauth</code>
						</td><td>
							Disable winbindauth for authentication by default
						</td></tr><tr><td>
							<code class="command">--smbsecurity=<em class="replaceable"><code>&lt;user|server|domain|ads&gt;</code></em></code>
						</td><td>
							Security mode to use for Samba and winbind
						</td></tr><tr><td>
							<code class="command">--smbrealm=<em class="replaceable"><code>&lt;STRING&gt;</code></em></code>
						</td><td>
							Default realm for Samba and winbind when <code class="command">security=ads</code>
						</td></tr><tr><td>
							<code class="command">--smbidmapuid=<em class="replaceable"><code>&lt;lowest-highest&gt;</code></em></code>
						</td><td>
							UID range winbind assigns to domain or ADS users
						</td></tr><tr><td>
							<code class="command">--smbidmapgid=<em class="replaceable"><code>&lt;lowest-highest&gt;</code></em></code>
						</td><td>
							GID range winbind assigns to domain or ADS users
						</td></tr><tr><td>
							<code class="command">--winbindseparator=<em class="replaceable"><code>&lt;\&gt;</code></em></code>
						</td><td>
							Character used to separate the domain and user part of winbind usernames if <code class="command">winbindusedefaultdomain</code> is not enabled
						</td></tr><tr><td>
							<code class="command">--winbindtemplatehomedir=<em class="replaceable"><code>&lt;/home/%D/%U&gt;</code></em></code>
						</td><td>
							Directory that winbind users have as their home
						</td></tr><tr><td>
							<code class="command">--winbindtemplateprimarygroup=<em class="replaceable"><code>&lt;nobody&gt;</code></em></code>
						</td><td>
							Group that winbind users have as their primary group
						</td></tr><tr><td>
							<code class="command">--winbindtemplateshell=<em class="replaceable"><code>&lt;/bin/false&gt;</code></em></code>
						</td><td>
							Shell that winbind users have as their default login shell
						</td></tr><tr><td>
							<code class="command">--enablewinbindusedefaultdomain</code>
						</td><td>
							Configures winbind to assume that users with no domain in their usernames are domain users
						</td></tr><tr><td>
							<code class="command">--disablewinbindusedefaultdomain</code>
						</td><td>
							Configures winbind to assume that users with no domain in their usernames are not domain users
						</td></tr><tr><td>
							<code class="command">--winbindjoin=<em class="replaceable"><code>&lt;Administrator&gt;</code></em></code>
						</td><td>
							Joins the winbind domain or ADS realm now as this administrator
						</td></tr><tr><td>
							<code class="command">--enablewins</code>
						</td><td>
							Enable WINS for hostname resolution
						</td></tr><tr><td>
							<code class="command">--disablewins</code>
						</td><td>
							Disable WINS for hostname resolution
						</td></tr><tr><td>
							<code class="command">--enablehesiod</code>
						</td><td>
							Enable Hesiod
						</td></tr><tr><td>
							<code class="command">--disablehesiod</code>
						</td><td>
							Disable Hesiod
						</td></tr><tr><td>
							<code class="command">--hesiodlhs=<em class="replaceable"><code>&lt;lhs&gt;</code></em></code>
						</td><td>
							Specify Hesiod LHS
						</td></tr><tr><td>
							<code class="command">--hesiodrhs=<em class="replaceable"><code>&lt;rhs&gt;</code></em></code>
						</td><td>
							Specify Hesiod RHS
						</td></tr><tr><td>
							<code class="command">--enablecache</code>
						</td><td>
							Enable <code class="command">nscd</code>
						</td></tr><tr><td>
							<code class="command">--disablecache</code>
						</td><td>
							Disable <code class="command">nscd</code>
						</td></tr><tr><td>
							<code class="command">--nostart</code>
						</td><td>
							Do not start or stop the <code class="command">portmap</code>, <code class="command">ypbind</code>, or <code class="command">nscd</code> services even if they are configured
						</td></tr><tr><td>
							<code class="command">--kickstart</code>
						</td><td>
							Do not display the user interface
						</td></tr><tr><td>
							<code class="command">--probe</code>
						</td><td>
							Probe and display network defaults
						</td></tr></tbody></table></div></div><br class="table-break" /></div></div><div xml:lang="en-US" class="chapter" id="SSSD" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 28. Using and Caching Credentials with SSSD</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#about-sssd">28.1. About the sssd.conf File</a></span></dt><dt><span class="section"><a href="#Installing_SSSD-Starting_and_Stopping_SSSD">28.2. Starting and Stopping SSSD</a></span></dt><dt><span class="section"><a href="#Configuring_Services">28.3. Configuring Services</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuration_Options-NSS_Configuration_Options">28.3.1. Configuring the NSS Service</a></span></dt><dt><span class="section"><a href="#Configuration_Options-PAM_Configuration_Options">28.3.2. Configuring the PAM Service</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_Domains">28.4. Creating Domains</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_Domains-Domain_Configuration_Options">28.4.1. General Rules and Options for Configuring a Domain</a></span></dt><dt><span class="section"><a href="#Configuring_Domains-Configuring_a_Native_LDAP_Domain">28.4.2. Configuring an LDAP Domain</a></span></dt><dt><span class="section"><a href="#Configuring_Domains-Setting_up_Kerberos_Authentication">28.4.3. Configuring Kerberos Authentication with a Domain</a></span></dt><dt><span class="section"><a href="#Domain_Configuration_Options-Configuring_a_Proxy_Domain">28.4.4. Configuring a Proxy Domain</a></span></dt></dl></dd><dt><span class="section"><a href="#config-sssd-domain-access">28.5. Configuring Access Control for SSSD Domains</a></span></dt><dd><dl><dt><span class="section"><a href="#id973609">28.5.1. Using the Simple Access Provider</a></span></dt><dt><span class="section"><a href="#id973729">28.5.2. Using the LDAP Access Filter</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_Failover">28.6. Configuring Domain Failover</a></span></dt><dd><dl><dt><span class="section"><a href="#config-failover">28.6.1. Configuring Failover</a></span></dt><dt><span class="section"><a href="#Using_SRV_Records_with_Failover">28.6.2. Using SRV Records with Failover</a></span></dt></dl></dd><dt><span class="section"><a href="#sssd-cache">28.7. Deleting Domain Cache Files</a></span></dt><dt><span class="section"><a href="#usingnscd-sssd">28.8. Using NSCD with SSSD</a></span></dt><dt><span class="section"><a href="#SSSD-Troubleshooting">28.9. Troubleshooting SSSD</a></span></dt><dd><dl><dt><span class="section"><a href="#Troubleshooting-Using_SSSD_Log_Files">28.9.1. Using SSSD Log Files</a></span></dt><dt><span class="section"><a href="#Troubleshooting-Problems_with_SSSD_Configuration">28.9.2. Problems with SSSD Configuration</a></span></dt></dl></dd></dl></div><div class="para">
		The System Security Services Daemon (SSSD) provides access to different identity and authentication providers. SSSD is an intermediary between local clients and any configured data store. The local clients connect to SSSD and then SSSD contacts the external providers. This brings a number of benefits for administrators:
	</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
				<span class="emphasis"><em>Reducing the load on identification/authentication servers.</em></span> Rather than having every client service attempt to contact the identification server directly, all of the local clients can contact SSSD which can connect to the identification server or check its cache.
			</div></li><li class="listitem"><div class="para">
				<span class="emphasis"><em>Permitting offline authentication.</em></span> SSSD can optionally keep a cache of user identities and credentials that it retrieves from remote services. This allows users to authenticate to resources successfully, even if the remote identification server is offline or the local machine is offline.
			</div></li><li class="listitem"><div class="para">
				<span class="emphasis"><em>Using a single user account.</em></span> Remote users frequently have two (or even more) user accounts, such as one for their local system and one for the organizational system. This is necessary to connect to a virtual private network (VPN). Because SSSD supports caching and offline authentication, remote users can connect to network resources simply by authenticating to their local machine and then SSSD maintains their network credentials.
			</div></li></ul></div><div class="para">
		The System Security Services Daemon does not require any additional configuration or tuning to work with the Authentication Configuration Tool. However, SSSD can work with other applications, and the daemon may require configuration changes to improve the performance of those applications.
	</div><div class="section" id="about-sssd"><div class="titlepage"><div><div><h2 class="title" id="about-sssd">28.1. About the sssd.conf File</h2></div></div></div><div class="para">
			SSSD services and domains are configured in a <code class="filename">.conf</code> file. The default file is <code class="filename">/etc/sssd/sssd.conf</code>, although alternative files can be passed to SSSD by using the <code class="option">-c</code> option with the <code class="command">sssd</code> command:
		</div><pre class="screen"># sssd -c /etc/sssd/customfile.conf</pre><div class="para">
			Both services and domains are configured individually, in separate sections on the configuration identified by <span class="emphasis"><em>[type/name]</em></span> divisions, such as <code class="command">[domain/LDAP]</code>. The configuration file uses simple <span class="emphasis"><em>key = value</em></span> lines to set the configuration. Comment lines are set by either a hash sign (#) or a semicolon (;)
		</div><div class="para">
			For example:
		</div><pre class="programlisting">[section]
# Comment line
key1 = val1
key10 = val1,val2
</pre></div><div class="section" id="Installing_SSSD-Starting_and_Stopping_SSSD"><div class="titlepage"><div><div><h2 class="title" id="Installing_SSSD-Starting_and_Stopping_SSSD">28.2. Starting and Stopping SSSD</h2></div></div></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				Configure at least one domain before starting SSSD for the first time. See <a class="xref" href="#Configuring_Domains">Section 28.4, “Creating Domains”</a>.
			</div></div></div><div class="para">
			Either the <code class="command">service</code> command or the <code class="filename">/etc/init.d/sssd</code> script can start SSSD. For example:
		</div><pre class="screen"># service sssd start</pre><div class="para">
			By default, SSSD is configured not to start automatically. To change this behavior, use the <code class="command">chkconfig</code> command:
		</div><pre class="screen">[root@server ~]# chkconfig sssd on</pre></div><div class="section" id="Configuring_Services"><div class="titlepage"><div><div><h2 class="title" id="Configuring_Services">28.3. Configuring Services</h2></div></div></div><div class="para">
			SSSD worked with specialized services that run in tandem with the SSSD process itself. SSSD and its associated services are configured in the <code class="filename">sssd.conf</code> file. on sections. The <code class="literal">[sssd]</code> section also lists the services that are active and should be started when <code class="systemitem">sssd</code> starts within the <code class="command">services</code> directive.
		</div><div class="para">
			SSSD currently provides several services:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					An NSS provider service that answers NSS requests from the <code class="systemitem">sssd_nss</code> module. This is configured in the <code class="command">[nss]</code> section of the configuration.
				</div></li><li class="listitem"><div class="para">
					A PAM provider service that manages a PAM conversation through the <code class="systemitem">sssd_pam</code> PAM module. This is configured in the <code class="command">[pam]</code> section of the configuration.
				</div></li><li class="listitem"><div class="para">
					<code class="systemitem">monitor</code>, a special service that monitors and starts or restarts all other SSSD services. Its options are specified in the <code class="literal">[sssd]</code> section of the <code class="filename">/etc/sssd/sssd.conf</code> configuration file.
				</div></li></ul></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				If a DNS lookup fails to return an IPv4 address for a hostname, SSSD attempts to look up an IPv6 address before returning a failure. This only ensures that the asynchronous resolver identifies the correct address.
			</div><div class="para">
				The hostname resolution behavior is configured in the <em class="parameter"><code>lookup family order</code></em> option in the <code class="filename">sssd.conf</code> configuration file.
			</div></div></div><div class="section" id="Configuration_Options-NSS_Configuration_Options"><div class="titlepage"><div><div><h3 class="title" id="Configuration_Options-NSS_Configuration_Options">28.3.1. Configuring the NSS Service</h3></div></div></div><div class="para">
				SSSD provides an NSS module, <code class="systemitem">sssd_nss</code>, which instructs the system to use SSSD to retrieve user information. The NSS configuration must include a reference to the SSSD module, and then the SSSD configuration sets how SSSD interacts with NSS.
			</div><div class="para">
				To configure the NSS service:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Open the <code class="filename">sssd.conf</code> file.
					</div><pre class="screen"># vim /etc/sssd/sssd.conf</pre></li><li class="listitem"><div class="para">
						Make sure that NSS is listed as one of the services that works with SSSD.
					</div><pre class="screen">[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = <strong class="userinput"><code>nss</code></strong>, pam</pre></li><li class="listitem"><div class="para">
						In the <code class="command">[nss]</code> section, change any of the NSS parameters. These are listed in <a class="xref" href="#tab.nss-sssd">Table 28.1, “SSSD [nss] Configuration Parameters”</a>.
					</div><pre class="screen">[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75</pre></li><li class="listitem"><div class="para">
						Restart SSSD.
					</div><pre class="screen">service sssd restart</pre></li></ol></div><div class="table" id="tab.nss-sssd"><h6>Table 28.1. SSSD [nss] Configuration Parameters</h6><div class="table-contents"><table summary="SSSD [nss] Configuration Parameters" border="1"><colgroup><col width="33%" /><col width="33%" /><col width="33%" /></colgroup><thead><tr><th>
								Parameter
							</th><th>
								Value Format
							</th><th>
								Description
							</th></tr></thead><tbody><tr><td>
								enum_cache_timeout
							</td><td>
								integer
							</td><td>
								Specifies how long, in seconds, <span class="package">sssd_nss</span> should cache requests for information about all users (enumerations).
							</td></tr><tr><td>
								entry_cache_nowait_percentage
							</td><td>
								integer
							</td><td>
								Specifies how long <span class="package">sssd_nss</span> should return cached entries before refreshing the cache. Setting this to zero (<code class="literal">0</code>) disables the entry cache refresh. 
								<div class="para">
									This configures the entry cache to update entries in the background automatically if they are requested if the time before the next update is a certain percentage of the next interval. For example, if the interval is 300 seconds and the cache percentage is 75, then the entry cache will begin refreshing when a request comes in at 225 seconds — 75% of the interval.
								</div>
								 <div class="para">
									The allowed values for this option are 0 to 99, which sets the percentage based on the <code class="option">entry_cache_timeout</code> value. The default value is 50%.
								</div>

</td></tr><tr><td>
								entry_negative_timeout
							</td><td>
								integer
							</td><td>
								Specifies how long, in seconds, <span class="package">sssd_nss</span> should cache <span class="emphasis"><em>negative</em></span> cache hits. A negative cache hit is a query for an invalid database entries, including non-existent entries.
							</td></tr><tr><td>
								filter_users, filter_groups
							</td><td>
								string
							</td><td>
								Tells SSSD to exclude certain users from being fetched from the NSS database. This is particularly useful for system accounts such as <code class="systemitem">root</code>.
							</td></tr><tr><td>
								filter_users_in_groups
							</td><td>
								Boolean
							</td><td>
								Sets whether users listed in the <code class="option">filter_users</code> list appear in group memberships when performing group lookups. If set to <code class="literal">FALSE</code>, group lookups return all users that are members of that group. If not specified, this value defaults to <code class="literal">TRUE</code>, which filters the group member lists.
							</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="Configuration_Options-PAM_Configuration_Options"><div class="titlepage"><div><div><h3 class="title" id="Configuration_Options-PAM_Configuration_Options">28.3.2. Configuring the PAM Service</h3></div></div></div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
					A mistake in the PAM configuration file can lock users out of the system completely. Always back up the configuration files before performing any changes, and keep a session open so that any changes can be reverted.
				</div></div></div><div class="para">
				SSSD provides a PAM module, <code class="systemitem">sssd_pam</code>, which instructs the system to use SSSD to retrieve user information. The PAM configuration must include a reference to the SSSD module, and then the SSSD configuration sets how SSSD interacts with PAM.
			</div><div class="para">
				To configure the PAM service:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						The Authentication Configuration tool automatically writes to the <code class="filename">/etc/pam.d/system-auth-ac</code> file, which is symlinked to <code class="filename">/etc/pam.d/system-auth</code>. Any changes made to <code class="filename">/etc/pam.d/system-auth</code> are overwritten the next time that <code class="command">authconfig</code> is run.
					</div><div class="para">
						So, remove the <code class="filename">/etc/pam.d/system-auth</code> symlink.
					</div><pre class="screen">[root@server ~]# rm /etc/pam.d/system-auth
rm: remove symbolic link `/etc/pam.d/system-auth'? y</pre></li><li class="listitem"><div class="para">
						Create a new <code class="filename">/etc/pam.d/system-auth-local</code> file. One easy way to do this is simply to copy the <code class="filename">/etc/pam.d/system-auth-ac</code> file.
					</div><pre class="screen">[root@server ~]# cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-local</pre></li><li class="listitem"><div class="para">
						Create a new symlink between the <code class="filename">/etc/pam.d/system-auth-local</code> file and <code class="filename">/etc/pam.d/system-auth</code>.
					</div><pre class="screen">[root@server ~]# ln -s /etc/pam.d/system-auth-local /etc/pam.d/system-auth</pre></li><li class="listitem"><div class="para">
						Edit the <code class="filename">/etc/pam.d/system-auth-local</code> file, and add all of the SSSD modules to the PAM configuration:
					</div><pre class="programlisting"><span class="perl_Others">#%PAM-1.0</span><span class="perl_Others"></span>
<span class="perl_Others"></span>...
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

...
account [<span class="perl_Keyword">default</span>=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

...
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

...
session     sufficient    pam_sss.so
session     required      pam_unix.so</pre><div class="para">
						These modules can be set to <code class="literal">include</code> statements, as necessary.
					</div></li><li class="listitem"><div class="para">
						Open the <code class="filename">sssd.conf</code> file.
					</div><pre class="screen"># vim /etc/sssd/sssd.conf</pre></li><li class="listitem"><div class="para">
						Make sure that PAM is listed as one of the services that works with SSSD.
					</div><pre class="screen">[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, <strong class="userinput"><code>pam</code></strong></pre></li><li class="listitem"><div class="para">
						In the <code class="command">[pam]</code> section, change any of the PAM parameters. These are listed in <a class="xref" href="#tab.pam-sssd">Table 28.2, “SSSD [pam] Configuration Parameters”</a>.
					</div><pre class="screen">[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5</pre></li><li class="listitem"><div class="para">
						Restart SSSD.
					</div><pre class="screen">service sssd restart</pre></li></ol></div><div class="table" id="tab.pam-sssd"><h6>Table 28.2. SSSD [pam] Configuration Parameters</h6><div class="table-contents"><table summary="SSSD [pam] Configuration Parameters" border="1"><colgroup><col width="33%" /><col width="33%" /><col width="33%" /></colgroup><thead><tr><th>
								Parameter
							</th><th>
								Value Format
							</th><th>
								Description
							</th></tr></thead><tbody><tr><td>
								offline_credentials_expiration
							</td><td>
								integer
							</td><td>
								Sets how long, in days, to allow cached logins if the authentication provider is offline. This value is measured from the last successful online login. If not specified, this defaults to zero (<code class="literal">0</code>), which is unlimited.
							</td></tr><tr><td>
								offline_failed_login_attempts
							</td><td>
								integer
							</td><td>
								Sets how many failed login attempts are allowed if the authentication provider is offline. If not specified, this defaults to zero (<code class="literal">0</code>), which is unlimited.
							</td></tr><tr><td>
								offline_failed_login_delay
							</td><td>
								integer
							</td><td>
								Sets how long to prevent login attempts if a user hits the failed login attempt limit. If set to zero (<code class="literal">0</code>), the user cannot authenticate while the provider is offline once he hits the failed attempt limit. Only a successful online authentication can re-enable offline authentication. If not specified, this defaults to five (5).
							</td></tr></tbody></table></div></div><br class="table-break" /></div></div><div class="section" id="Configuring_Domains"><div class="titlepage"><div><div><h2 class="title" id="Configuring_Domains">28.4. Creating Domains</h2></div></div></div><div class="para">
			SSSD recognizes <span class="emphasis"><em>domains</em></span>, which are associated with the different identity servers. Domains are a combination of an identity provider and an authentication method. SSSD works with LDAP identity providers (including OpenLDAP, Red Hat Directory Server, and Microsoft Active Directory) and can use native LDAP authentication or Kerberos authentication.
		</div><div class="para">
			As long as they belong to different domains, SSSD can recognize different users with the same username. For example, SSSD can successfully authenticate both <code class="systemitem">jsmith</code> in the <code class="systemitem">ldap.example.com</code> domain and <code class="systemitem">jsmith</code> in the <code class="systemitem">ldap.otherexample.com</code> domain. SSSD allows requests using fully-qualified domain names, so requesting information for <code class="systemitem">jsmith@ldap.example.com</code> returns the the proper user account. Specifying only the username returns the user for whichever domain comes first in the lookup order.
		</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
				SSSD has a <code class="option">filter_users</code> option, which excludes the specified users from being returned in a search.
			</div></div></div><div class="para">
			Configuring a domain defines both <span class="emphasis"><em>where</em></span> user information is stored and <span class="emphasis"><em>how</em></span> those users are allowed to authenticate to the system. The possible combinations are listed in <a class="xref" href="#tab.domain-combo">Table 28.3, “Identity Store and Authentication Type Combinations”</a>.
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<a class="xref" href="#Configuring_Domains-Domain_Configuration_Options">Section 28.4.1, “General Rules and Options for Configuring a Domain”</a>
				</div></li><li class="listitem"><div class="para">
					<a class="xref" href="#Configuring_Domains-Configuring_a_Native_LDAP_Domain">Section 28.4.2, “Configuring an LDAP Domain”</a>
				</div></li><li class="listitem"><div class="para">
					<a class="xref" href="#Configuring_Domains-Setting_up_Kerberos_Authentication">Section 28.4.3, “Configuring Kerberos Authentication with a Domain”</a>
				</div></li><li class="listitem"><div class="para">
					<a class="xref" href="#Domain_Configuration_Options-Configuring_a_Proxy_Domain">Section 28.4.4, “Configuring a Proxy Domain”</a>
				</div></li></ul></div><div class="table" id="tab.domain-combo"><h6>Table 28.3. Identity Store and Authentication Type Combinations</h6><div class="table-contents"><table summary="Identity Store and Authentication Type Combinations" border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
							Identification Provider
						</th><th>
							Authentication Provider
						</th></tr></thead><tbody><tr><td>
							LDAP
						</td><td>
							LDAP
						</td></tr><tr><td>
							LDAP
						</td><td>
							Kerberos
						</td></tr><tr><td>
							proxy
						</td><td>
							LDAP
						</td></tr><tr><td>
							proxy
						</td><td>
							Kerberos
						</td></tr><tr><td>
							proxy
						</td><td>
							proxy
						</td></tr></tbody></table></div></div><br class="table-break" /><div class="section" id="Configuring_Domains-Domain_Configuration_Options"><div class="titlepage"><div><div><h3 class="title" id="Configuring_Domains-Domain_Configuration_Options">28.4.1. General Rules and Options for Configuring a Domain</h3></div></div></div><div class="para">
				A domain configuration defines the <span class="emphasis"><em>identity provider</em></span>, the <span class="emphasis"><em>authentication provider</em></span>, and any specific configuration to access the information in those providers. There are two types of identity providers — LDAP and proxy —three types of authentication providers — LDAP, Kerberos, and proxy. The identity and authentication providers can be configured in any combination in a domain entry.
			</div><div class="para">
				Along with the domain entry itself, the domain name must be added to the list of domains that SSSD will query. For example:
			</div><pre class="screen">domains = LOCAL,<em class="replaceable"><code>Name</code></em>

[domain/<em class="replaceable"><code>Name</code></em>]
id_provider = <em class="replaceable"><code>type</code></em>
auth_provider = <em class="replaceable"><code>type</code></em>
<em class="replaceable"><code>provider_specific = value</code></em>
<em class="replaceable"><code>global = value</code></em></pre><div class="para">
				<span class="emphasis"><em>global</em></span> attributes are available to any type of domain, such as cache and time out settings. Each identity and authentication provider has its own set of required and optional configuration parameters.
			</div><div class="table" id="tab.sss-general-config"><h6>Table 28.4. General [domain] Configuration Parameters</h6><div class="table-contents"><table summary="General [domain] Configuration Parameters" border="1"><colgroup><col width="33%" /><col width="33%" /><col width="33%" /></colgroup><thead><tr><th>
								Parameter
							</th><th>
								Value Format
							</th><th>
								Description
							</th></tr></thead><tbody><tr><td>
								id_provider
							</td><td>
								string
							</td><td>
								Specifies the data provider identity backend to use for this domain. The supported identity backends are: 
								<div class="itemizedlist"><ul><li class="listitem"><div class="para">
											ldap
										</div></li><li class="listitem"><div class="para">
											ipa, compatible with FreeIPA version 2.x and Identity Management in Red Hat Enterprise Linux
										</div></li><li class="listitem"><div class="para">
											proxy for a legacy NSS provider, such as <code class="systemitem">nss_nis</code>. Using a proxy ID provider also requires specifying the legacy NSS library to load to start successfully, set in the <code class="option">proxy_lib_name</code> option.
										</div></li><li class="listitem"><div class="para">
											local, the SSSD internal local provider
										</div></li></ul></div>

</td></tr><tr><td>
								auth_provider
							</td><td>
								string
							</td><td>
								Sets the authentication provider used for the domain. The default value for this option is the value of <code class="option">id_provider</code>. The supported authentication providers are ldap, ipa, krb5 (Kerberos), proxy, and none.
							</td></tr><tr><td>
								min_id,max_id
							</td><td>
								integer
							</td><td>
								<span class="emphasis"><em>Optional.</em></span> Specifies the UID and GID range for the domain. If a domain contains entries that are outside that range, they are ignored. The default value for <code class="option">min_id</code> is <code class="literal">1</code>; the default value for <code class="option">max_id</code> is <code class="literal">0</code>, which is unlimited. 
								<div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
										The default <code class="option">min_id</code> value is the same for all types of identity provider. If LDAP directories are using UID numbers that start at one, it could cause conflicts with users in the local <code class="filename">/etc/passwd</code> file. To avoid these conflicts, set <code class="option">min_id</code> to <code class="literal">1000</code> or higher as possible.
									</div></div></div>

</td></tr><tr><td>
								enumerate
							</td><td>
								Boolean
							</td><td>
								<span class="emphasis"><em>Optional.</em></span> Specifies whether to list the users and groups of a domain. Enumeration means that the entire set of available users and groups on the remote source is cached on the local machine. When enumeration is disabled, users and groups are only cached as they are requested. 
								<div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
										When enumeration is enabled, reinitializing a client results in a complete refresh of the entire set of available users and groups from the remote source. Similarly, when SSSD is connected to a new server, the entire set of available users and groups from the remote source is pulled and cached on the local machine. In a domain with a large number of clients connected to a remote source, this refresh process can harm the network performance because of frequent queries from the clients. If the set of available users and groups is large enough, it degrades client performance as well.
									</div></div></div>
								 The default value for this parameter is <code class="literal">false</code>, which disables enumeration.
							</td></tr><tr><td>
								cache_credentials
							</td><td>
								Boolean
							</td><td>
								<span class="emphasis"><em>Optional.</em></span> Specifies whether to store user credentials in the local SSSD domain database cache. The default value for this parameter is <code class="literal">false</code>. Set this value to <code class="literal">true</code> for domains other than the LOCAL domain to enable offline authentication.
							</td></tr><tr><td>
								entry_cache_timeout
							</td><td>
								integer
							</td><td>
								<span class="emphasis"><em>Optional.</em></span> Specifies how long, in seconds, SSSD should cache <span class="emphasis"><em>positive</em></span> cache hits. A positive cache hit is a successful query.
							</td></tr><tr><td>
								use_fully_qualified_names
							</td><td>
								Boolean
							</td><td>
								<span class="emphasis"><em>Optional.</em></span> Specifies whether requests to this domain require fully-qualified domain names. If set to <code class="literal">true</code>, all requests to this domain must use fully-qualified domain names. It also means that the output from the request displays the fully-qualified name. Restricting requests to fully-qualified user names allows SSSD to differentiate between domains with users with conflicting usernames. 
								<div class="para">
									If <em class="parameter"><code>use_fully_qualified_names</code></em> is set to <code class="literal">false</code>, it is possible to use the fully-qualified name in the requests, but only the simplified version is displayed in the output.
								</div>
								 <div class="para">
									SSSD can only parse names based on the domain name, not the realm name. The same name can be used for both domains and realms, however.
								</div>

</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="Configuring_Domains-Configuring_a_Native_LDAP_Domain"><div class="titlepage"><div><div><h3 class="title" id="Configuring_Domains-Configuring_a_Native_LDAP_Domain">28.4.2. Configuring an LDAP Domain</h3></div></div></div><a id="id885976" class="indexterm"></a><div class="para">
				An LDAP domain simply means that SSSD uses an LDAP directory as the identity provider (and, optionally, also as an authentication provider). SSSD supports several major directory services:
			</div><a id="id885993" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Red Hat Directory Server
					</div></li><li class="listitem"><div class="para">
						OpenLDAP
					</div></li><li class="listitem"><div class="para">
						Microsoft Active Directory 2003 and 2003R2, with Services for UNIX
					</div></li><li class="listitem"><div class="para">
						Microsoft Active Directory 2003 and 2003R2, with Subsystem for UNIX-based Applications
					</div></li></ul></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					DNS service discovery allows the LDAP backend to find the appropriate DNS servers to connect to automatically using a special DNS query.
				</div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a class="xref" href="#ldap-domain-param">Section 28.4.2.1, “Parameters for Configuring an LDAP Domain”</a>
					</div></li><li class="listitem"><div class="para">
						<a class="xref" href="#ldap-domain-example">Section 28.4.2.2, “LDAP Domain Examples”</a>
					</div></li><li class="listitem"><div class="para">
						<a class="xref" href="#sssd-ldap-domain-ip">Section 28.4.2.3, “Using IP Addresses in Certificate Subject Names”</a>
					</div></li></ul></div><div class="section" id="ldap-domain-param"><div class="titlepage"><div><div><h4 class="title" id="ldap-domain-param">28.4.2.1. Parameters for Configuring an LDAP Domain</h4></div></div></div><div class="para">
					An LDAP directory can function as both an identity provider and an authentication provider. The configuration requires enough information to identify and connect to the user directory in the LDAP server. Other options are available to provide more fine-grained control, like specifying a user account to use to connect to the LDAP server or using different LDAP servers for password operations. The most common options are listed in <a class="xref" href="#tab.sss-ldap-config">Table 28.5, “LDAP Domain Configuration Parameters”</a>. All of the options listed in <a class="xref" href="#Configuring_Domains-Domain_Configuration_Options">Section 28.4.1, “General Rules and Options for Configuring a Domain”</a> are also available for LDAP domains.
				</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
						Many other options are listed in the man page for LDAP domain configuration, <code class="filename">sssd-ldap(5)</code>.
					</div></div></div><div class="table" id="tab.sss-ldap-config"><h6>Table 28.5. LDAP Domain Configuration Parameters</h6><div class="table-contents"><table summary="LDAP Domain Configuration Parameters" border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
									Parameter
								</th><th>
									Description
								</th></tr></thead><tbody><tr><td>
									ldap_uri
								</td><td>
									Gives a comma-separated list of the URIs of the LDAP servers to which SSSD will connect. The list is given in order of preference, so the first server in the list is tried first. Listing additional servers provides failover protection. This can be detected from the DNS SRV records if it is not given.
								</td></tr><tr><td>
									ldap_search_base
								</td><td>
									Gives the base DN to use for performing LDAP user operations.
								</td></tr><tr><td>
									ldap_tls_reqcert
								</td><td>
									Specifies how to check for SSL server certificates in a TLS session. There are four options: 
									<div class="itemizedlist"><ul><li class="listitem"><div class="para">
												<span class="emphasis"><em>never</em></span> disables requests for certificates.
											</div></li><li class="listitem"><div class="para">
												<span class="emphasis"><em>allow</em></span> requests a certificate, but proceeds normally even if no certificate is given or a bad certificate is given.
											</div></li><li class="listitem"><div class="para">
												<span class="emphasis"><em>try</em></span> requests a certificate and proceeds normally if no certificate is given, If a bad certificate is given, the session terminates.
											</div></li><li class="listitem"><div class="para">
												<span class="emphasis"><em>demand</em></span> and <span class="emphasis"><em>hard</em></span> are the same option. This requires a valid certificate or the session is terminated.
											</div></li></ul></div>
									 The default is <span class="emphasis"><em>hard</em></span>.
								</td></tr><tr><td>
									ldap_tls_cacert
								</td><td>
									Gives the full path and file name to the file that contains the CA certificates for all of the CAs that SSSD recognizes. SSSD will accept any certificate issued by these CAs. 
									<div class="para">
										This uses the OpenLDAP system defaults if it is not given explicitly.
									</div>

</td></tr><tr><td>
									ldap_referrals
								</td><td>
									Sets whether SSSD will use LDAP referrals, meaning forwarding queries from one LDAP database to another. SSSD supports database-level and subtree referrals. For referrals within the same LDAP server, SSSD will adjust the DN of the entry being queried. For referrals that go to different LDAP servers, SSSD does an exact match on the DN. Setting this value to <code class="literal">true</code> enables referrals; by default, referrals are enabled.
								</td></tr><tr><td>
									ldap_schema
								</td><td>
									Sets what version of schema to use when searching for user entries. This can be either <code class="literal">rfc2307</code> or <code class="literal">rfc2307bis</code>. The default is <code class="literal">rfc2307</code>. 
									<div class="para">
										In RFC 2307, group objects use a multi-valued attribute, <em class="parameter"><code>memberuid</code></em>, which lists the names of the users that belong to that group. In RFC 2307bis, group objects use the <em class="parameter"><code>member</code></em> attribute, which contains the full distinguished name (DN) of a user or group entry. RFC 2307bis allows nested groups usning the <em class="parameter"><code>member</code></em> attribute. Because these different schema use different definitions for group membership, using the wrong LDAP schema with SSSD can affect both viewing and managing network resources, even if the appropriate permissions are in place.
									</div>
									 <div class="para">
										For example, with RFC 2307bis, all groups are returned when using nested groups or primary/secondary groups.
									</div>
									 
<pre class="screen">$ id
uid=500(myserver) gid=500(myserver) groups=500(myserver),510(myothergroup)
</pre>
									 <div class="para">
										If SSSD is using RFC 2307 schema, only the primary group is returned.
									</div>
									 <div class="para">
										This setting only affects how SSSD determines the group members. It does not change the actual user data.
									</div>

</td></tr><tr><td>
									ldap_search_timeout
								</td><td>
									Sets the time, in seconds, that LDAP searches are allowed to run before they are canceled and cached results are returned. This defaults to five when the <code class="option">enumerate</code> value is false and defaults to 30 when <code class="option">enumerate</code> is true. 
									<div class="para">
										When an LDAP search times out, SSSD automatically switches to offline mode.
									</div>

</td></tr><tr><td>
									ldap_network_timeout
								</td><td>
									Sets the time, in seconds, SSSD attempts to poll an LDAP server after a connection attempt fails. The default is six seconds.
								</td></tr><tr><td>
									ldap_opt_timeout
								</td><td>
									Sets the time, in seconds, to wait before aborting synchronous LDAP operations if no response is received from the server. This option also controls the timeout when communicating with the KDC in case of a SASL bind. The default is five seconds.
								</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="ldap-domain-example"><div class="titlepage"><div><div><h4 class="title" id="ldap-domain-example">28.4.2.2. LDAP Domain Examples</h4></div></div></div><div class="para">
					The LDAP configuration is very flexible, depending on your specific environment and how general or specific you need the SSSD behavior to be. These are some common examples of an LDAP domain, but the SSSD configuration is not limited to these examples.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						Along with creating the domain entry, add the new domain to the list of domains for SSSD to query in the <code class="filename">sssd.conf</code> file. For example:
					</div><pre class="screen">domains = LOCAL,LDAP1,AD,PROXYNIS</pre></div></div><div class="example" id="ex.basic-ldap-domain"><h6>Example 28.1. A Basic LDAP Domain Configuration</h6><div class="example-contents"><div class="para">
						An LDAP domain requires three things:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								An LDAP server
							</div></li><li class="listitem"><div class="para">
								The search base
							</div></li><li class="listitem"><div class="para">
								A way to establish a secure connection
							</div></li></ul></div><div class="para">
						The last item depends on the LDAP environment. SSSD requires a secure connection since it handles sensitive information. This connection can be a dedicated TLS/SSL connection or it can use Start TLS.
					</div><div class="para">
						Using a dedicated TLS/SSL connection simply uses an LDAPS connection to connect to the server and is therefore set as part of the <code class="option">ldap_uri</code> option:
					</div><pre class="screen"># An LDAP domain
[domain/LDAP]
enumerate = false
cache_credentials = TRUE

id_provider = ldap
auth_provider = ldap

ldap_uri = ldaps://ldap.example.com:636
ldap_search_base = dc=example,dc=com
</pre><div class="para">
						Using Start TLS requires a way to input the certificate information to establish a secure connection dynamically over an insecure port. This is done using the <code class="option">ldap_id_use_start_tls</code> option to use Start TLS and then <code class="option">ldap_tls_cacert</code> to identify the CA certificate which issued the SSL server certificates.
					</div><pre class="screen"># An LDAP domain
[domain/LDAP]
enumerate = false
cache_credentials = TRUE

id_provider = ldap
auth_provider = ldap

ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
</pre></div></div><br class="example-break" /><a id="id972645" class="indexterm"></a><div class="para">
					To configure any Active Directory server as an LDAP domain requires two things:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							Installing Windows Services for UNIX (2003 and 2003 R2) or the Subsystem for UNIX-based Applications (2008).
						</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
								Services for Unix is not supported on 64-bit operating systems.
							</div></div></div></li><li class="listitem"><div class="para">
							Running the <code class="function">cacertdir_rehash</code> function to create the appropriate symlinks.
						</div></li></ul></div><div class="example" id="Configuring_Domains-Configuring_a_Microsoft_Active_Directory_Domain-Configuring_AD_2003"><h6>Example 28.2. An Active Directory 2003 Domain</h6><div class="example-contents"><div class="para">
						As with an OpenLDAP or Directory Server domain, Active Directory requires the search base and the LDAP URI of the Active Directory server, but SSSD requires more information about directory entries and the user account to use to connect because of the differences between an Active Directory-style database and an OpenLDAP/Directory Server-style database.
					</div><div class="para">
						These options are described in the man page for LDAP domain configuration, <code class="filename">sssd-ldap(5)</code>.
					</div><pre class="screen"># Example LDAP domain where the LDAP server is an Active Directory 2003 server.

[domain/AD]
description = LDAP domain with AD server
enumerate = false
;
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://your.ad.server.com
ldap_schema = rfc2307bis
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = secret
ldap_user_object_class = person
ldap_user_name = msSFU30Name
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_user_home_directory = msSFU30HomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = msSFU30Name
ldap_group_gid_number = msSFU30GidNumber</pre></div></div><br class="example-break" /><div class="example" id="ex.microstof2008-domain"><h6>Example 28.3. A Basic Active Directory 2003 R2 or 2008 Domain</h6><div class="example-contents"><div class="para">
						Configuring a Microsoft Active Directory 2003 R2 or 2008 domain is similar, but not identical, to configuring an Active Directory 2003 domain. Using later Active Directory servers requires less group configuration information.
					</div><div class="para">
						These options are described in the man page for LDAP domain configuration, <code class="filename">sssd-ldap(5)</code>.
					</div><pre class="screen"># Example LDAP domain where the LDAP server is an Active Directory 2003 R2 or an Active Directory 2008 server.

[domain/AD]
description = LDAP domain with AD server
; debug_level = 9
enumerate = false

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldap://your.ad.server.com
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/test.cer
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = secret
ldap_pwd_policy = none
ldap_user_object_class = user
ldap_group_object_class = group</pre></div></div><br class="example-break" /></div><div class="section" id="sssd-ldap-domain-ip"><div class="titlepage"><div><div><h4 class="title" id="sssd-ldap-domain-ip">28.4.2.3. Using IP Addresses in Certificate Subject Names</h4></div></div></div><div class="para">
					Using an IP address in the <code class="option">ldap_uri</code> option instead of the server name may cause the TLS/SSL connection to fail. TLS/SSL certificates contain the server name, not the IP address. However, the <span class="emphasis"><em>subject alternative name</em></span> field in the certificate can be used to include the IP address of the server, which allows a successful secure connection using an IP address.
				</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
							Convert an existing certificate into a certificate request. The signing key (<code class="option">-signkey</code>) is the key of the issuer of whatever CA originally issued the certificate. If this is done by an external CA, it requires a separate PEM file; if the certificate is self-signed, then this is the certificate itself. For example:
						</div><pre class="screen">openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey key.pem</pre><div class="para">
							With a self-signed certificate:
						</div><pre class="screen">openssl x509 -x509toreq -in old_cert.pem -out req.pem -signkey old_cert.pem</pre></li><li class="listitem"><div class="para">
							Edit the <code class="filename">/etc/pki/tls/openssl.cnf</code> configuration file to include the server's IP address under the <em class="parameter"><code>[ v3_ca ]</code></em> section:
						</div><pre class="screen">subjectAltName = IP:10.0.0.10</pre></li><li class="listitem"><div class="para">
							Use the generated certificate request to generate a new self-signed certificate with the specified IP address:
						</div><pre class="screen">openssl x509 -req -in req.pem -out new_cert.pem -extfile ./openssl.cnf -extensions v3_ca -signkey old_cert.pem</pre><div class="para">
							The <code class="option">-extensions</code> option sets which extensions to use with the certificate. For this, it should be v3_ca to load the appropriate section.
						</div></li><li class="listitem"><div class="para">
							Copy the private key block from the <code class="filename">old_cert.pem</code> file into the <code class="filename">new_cert.pem</code> file to keep all relevant information in one file.
						</div></li></ol></div><div class="para">
					When creating a certificate through the <span class="application"><strong>certutil</strong></span> utility provided by the <span class="package">nss-utils</span> package, note that <span class="application"><strong>certutil</strong></span> supports DNS subject alternative names for certificate creation only.
				</div></div></div><div class="section" id="Configuring_Domains-Setting_up_Kerberos_Authentication"><div class="titlepage"><div><div><h3 class="title" id="Configuring_Domains-Setting_up_Kerberos_Authentication">28.4.3. Configuring Kerberos Authentication with a Domain</h3></div></div></div><a id="id972900" class="indexterm"></a><div class="para">
				Both LDAP and proxy identity providers can use a separate Kerberos domain to supply authentication. Configuring a Kerberos authentication provider requires the <em class="firstterm">key distribution center</em> (KDC) and the Kerberos domain. All of the principal names must be available in the specified identity provider; if they are not, SSSD constructs the principals using the format <span class="emphasis"><em>username@REALM</em></span>.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					Kerberos can only provide authentication; it cannot provide an identity database.
				</div></div></div><div class="para">
				SSSD assumes that the Kerberos KDC is also a Kerberos kadmin server. However, production environments commonly have multiple, read-only replicas of the KDC and only a single kadmin server. Use the <code class="option">krb5_kpasswd</code> option to specify where the password changing service is running or if it is running on a non-default port. If the <code class="option">krb5_kpasswd</code> option is not defined, SSSD tries to use the Kerberos KDC to change the password.
			</div><div class="para">
				The basic Kerberos configuration options are listed in <a class="xref" href="#tab.sssd-krb-params">Table 28.6, “Kerberos Authentication Configuration Parameters”</a>. The <em class="citetitle">sssd-krb5(5)</em> man page has more information about Kerberos configuration options.
			</div><div class="example" id="ex.sssd-krbauth"><h6>Example 28.4. Basic Kerberos Authentication</h6><div class="example-contents"><pre class="screen"># A domain with identities provided by LDAP and authentication by Kerberos
[domain/KRBDOMAIN]
enumerate = false
id_provider = ldap
chpass_provider = krb5
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap-tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

auth_provider = krb5
krb5_server = 192.168.1.1, kerberos.example.com
krb5_realm = EXAMPLE.COM
krb5_kpasswd = kerveros.admin.example.com
krb5_auth_timeout = 15
</pre></div></div><br class="example-break" /><div class="table" id="tab.sssd-krb-params"><h6>Table 28.6. Kerberos Authentication Configuration Parameters</h6><div class="table-contents"><table summary="Kerberos Authentication Configuration Parameters" border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
								Parameter
							</th><th>
								Description
							</th></tr></thead><tbody><tr><td>
								chpass_provider
							</td><td>
								Specifies which service to use for password change operations. This is assumed to be the same as the authentication provider. To use Kerberos, set this to <span class="emphasis"><em>krb5</em></span>.
							</td></tr><tr><td>
								krb5_server
							</td><td>
								Gives a comma-separated list of IP addresses or hostnames of Kerberos servers to which SSSD will connect. The list is given in order of preference, so the first server in the list is tried first. Listing additional servers provides failover protection. 
								<div class="para">
									When using service discovery for KDC or kpasswd servers, SSSD first searches for DNS entries that specify UDP as the connection protocol, and then falls back to TCP.
								</div>

</td></tr><tr><td>
								krb5_realm
							</td><td>
								Identies the Kerberos realm served by the KDC.
							</td></tr><tr><td>
								krb5_lifetime
							</td><td>
								Requests a Kerberos ticket with the specified lifetime in seconds (s), minutes (m), hours (h) or days (d).
							</td></tr><tr><td>
								krb5_renewable_lifetime
							</td><td>
								Requests a renewable Kerberos ticket with a total lifetime that is specified in seconds (s), minutes (m), hours (h) or days (d).
							</td></tr><tr><td>
								krb5_renew_interval
							</td><td>
								Sets the time, in seconds, for SSSD to check if tickets should be renewed. Tickets are renewed automatically once they exceed half their lifetime. If this option is missing or set to zero, then automatic ticket renewal is disabled.
							</td></tr><tr><td>
								krb5_store_password_if_offline
							</td><td>
								Sets whether to store user passwords if the Kerberos authentication provider is offline, and then to use that cache to request tickets when the provider is back online. The default is <code class="command">false</code>, which does not store passwords.
							</td></tr><tr><td>
								krb5_kpasswd
							</td><td>
								Lists alternate Kerberos kadmin servers to use if the change password service is not running on the KDC.
							</td></tr><tr><td>
								krb5_ccname_template
							</td><td>
								Gives the directory to use to store the user's credential cache. This can be templatized, and the following tokens are supported: 
								<div class="itemizedlist"><ul><li class="listitem"><div class="para">
											<span class="emphasis"><em>%u</em></span>, the user's login name
										</div></li><li class="listitem"><div class="para">
											<span class="emphasis"><em>%U</em></span>, the user's login UID
										</div></li><li class="listitem"><div class="para">
											<span class="emphasis"><em>%p</em></span>, the user's principal name
										</div></li><li class="listitem"><div class="para">
											<span class="emphasis"><em>%r</em></span>, the realm name
										</div></li><li class="listitem"><div class="para">
											<span class="emphasis"><em>%h</em></span>, the user's home directory
										</div></li><li class="listitem"><div class="para">
											<span class="emphasis"><em>%d</em></span>, the value of the <code class="option">krb5ccache_dir</code> parameter
										</div></li><li class="listitem"><div class="para">
											<span class="emphasis"><em>%P</em></span>, the process ID of the SSSD client.
										</div></li><li class="listitem"><div class="para">
											<span class="emphasis"><em>%%</em></span>, a literal percent sign (%)
										</div></li><li class="listitem"><div class="para">
											<span class="emphasis"><em>XXXXXX</em></span>, a string at the end of the template which instructs SSSD to create a unique filename safely
										</div></li></ul></div>
								 For example: 
<pre class="screen">krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX</pre>

</td></tr><tr><td>
								krb5_ccachedir
							</td><td>
								Specifies the directory to store credential caches. This can be templatized, using the same tokens as <code class="option">krb5_ccname_template</code>, except for <code class="option">%d</code> and <code class="option">%P</code>. If <code class="option">%u</code>, <code class="option">%U</code>, <code class="option">%p</code>, or <code class="option">%h</code> are used, then SSSD creates a private directory for each user; otherwise, it creates a public directory.
							</td></tr><tr><td>
								krb5_auth_timeout
							</td><td>
								Gives the time, in seconds, before an online authentication or change password request is aborted. If possible, the authentication request is continued offline. The default is 15 seconds.
							</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="Domain_Configuration_Options-Configuring_a_Proxy_Domain"><div class="titlepage"><div><div><h3 class="title" id="Domain_Configuration_Options-Configuring_a_Proxy_Domain">28.4.4. Configuring a Proxy Domain</h3></div></div></div><a id="id973324" class="indexterm"></a><div class="para">
				A proxy with SSSD is just a relay, an intermediary configuration. SSSD connects to its proxy service, and then that proxy loads the specified libraries. This allows SSSD to use some resources that it otherwise would not be able to use. For example, SSSD only supports LDAP and Kerberos as authentication providers, but using a proxy allows SSSD to use alternative authentication methods like a fingerprint scanner or smart card.
			</div><div class="table" id="tab.sss-proxy-config"><h6>Table 28.7. Proxy Domain Configuration Parameters</h6><div class="table-contents"><table summary="Proxy Domain Configuration Parameters" border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
								Parameter
							</th><th>
								Description
							</th></tr></thead><tbody><tr><td>
								proxy_pam_target
							</td><td>
								Specifies the target to which PAM must proxy as an authentication provider.. The PAM target is a file containing PAM stack information in the default PAM directory, <code class="filename">/etc/pam.d/</code>. 
								<div class="para">
									This is used to proxy an authentication provider.
								</div>
								 <div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
										Ensure that the proxy PAM stack does <span class="emphasis"><em>not</em></span> recursively include <code class="filename">pam_sss.so</code>.
									</div></div></div>

</td></tr><tr><td>
								proxy_lib_name
							</td><td>
								Specifies which existing NSS library to proxy identity requests through. 
								<div class="para">
									This is used to proxy an identity provider.
								</div>

</td></tr></tbody></table></div></div><br class="table-break" /><div class="example" id="sect-SSSD-proxy-krb5"><h6>Example 28.5. Proxy Identity and Kerberos Authentication</h6><div class="example-contents"><div class="para">
					The proxy library is loaded using the <code class="option">proxy_lib_name</code> parameter. This library can be anything as long as it is compatible with the given authentication service. For a Kerberos authentication provider, it must be a Kerberos-compatible library, like NIS.
				</div><pre class="screen">
[domain/PROXY_KRB5]
auth_provider = krb5
krb5_server = 192.168.1.1
krb5_realm = EXAMPLE.COM

id_provider = proxy
proxy_lib_name = nis
enumerate = true
cache_credentials = true</pre></div></div><br class="example-break" /><div class="example" id="sect-SSSD-LDAP-proxy"><h6>Example 28.6. LDAP Identity and Proxy Authentication</h6><div class="example-contents"><div class="para">
					The proxy library is loaded using the <code class="option">proxy_pam_target</code> parameter. This library must be a PAM module that is compatible with the given identity provider. For example, this uses a PAM fingerprint module with LDAP:
				</div><pre class="screen">
[domain/LDAP_PROXY]
id_provider = ldap
ldap_uri = ldap://example.com
ldap_search_base = dc=example,dc=com

auth_provider = proxy
proxy_pam_target = sssdpamproxy
enumerate = true
cache_credentials = true
</pre><div class="para">
					After the SSSD domain is configured, make sure that the specified PAM files are configured. In this, the target is <code class="command">sssdpamproxy</code>, so create a <code class="filename">/etc/pam.d/sssdpamproxy</code> file and load the PAM/LDAP modules:
				</div><pre class="screen">
auth          required      pam_frprint.so
account       required      pam_frprint.so
password      required      pam_frprint.so
session       required      pam_frprint.so</pre></div></div><br class="example-break" /><div class="example" id="sect-SSSD-proxy-proxy"><h6>Example 28.7. Proxy Identity and Authentication</h6><div class="example-contents"><div class="para">
					SSSD can have a domain with both identity and authentication proxies. The only configuration given then are the proxy settings, <code class="option">proxy_pam_target</code> for the authentication PAM module and <code class="option">proxy_lib_name</code> for the service, like NIS or LDAP.
				</div><div class="para">
					<span class="emphasis"><em>This example illustrates a possible configuration, but this is not a realistic configuration. If LDAP is used for identity and authentication, then both the identity and authentication providers should be set to the LDAP configuration, not a proxy.</em></span>
				</div><pre class="screen">
[domain/PROXY_PROXY]
auth_provider = proxy
id_provider = proxy
proxy_lib_name = ldap
proxy_pam_target = sssdproxyldap
enumerate = true 
cache_credentials = true
</pre><div class="para">
					Once the SSSD domain is added, then update the system settings to configure the proxy service:
				</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
							Create a <code class="filename">/etc/pam.d/sssdproxyldap</code> file which requires the <code class="command">pam_ldap.so</code> module:
						</div><pre class="screen">
auth          required      pam_ldap.so
account       required      pam_ldap.so
password      required      pam_ldap.so
session       required      pam_ldap.so</pre></li><li class="listitem"><div class="para">
							Edit the <code class="filename">/etc/nslcd.conf</code> file, the configuration file for the LDAP name service daemon, to contain the information for the LDAP directory:
						</div><pre class="screen">
uid nslcd
gid ldap
uri ldaps://ldap.example.com:636
base dc=example,dc=com
ssl on
tls_cacertdir /etc/openldap/cacerts</pre></li></ol></div></div></div><br class="example-break" /></div></div><div class="section" id="config-sssd-domain-access"><div class="titlepage"><div><div><h2 class="title" id="config-sssd-domain-access">28.5. Configuring Access Control for SSSD Domains</h2></div></div></div><a id="id973592" class="indexterm"></a><div class="para">
			SSSD provides a rudimentary access control for domain configuration, allowing either simple user allow/deny lists or using the LDAP backend itself.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id973609">28.5.1. Using the Simple Access Provider</h3></div></div></div><div class="para">
				The <em class="firstterm">Simple Access Provider</em> allows or denies access based on a list of usernames or groups.
			</div><div class="para">
				The Simple Access Provider is a way to restrict access to certain, specific machines. For example, if a company uses laptops, the Simple Access Provider can be used to restrict access to only a specific user or a specific group, even if a different user authenticated successfully against the same authentication provider.
			</div><div class="para">
				The most common options are <code class="option">simple_allow_users</code> and <code class="option">simple_allow_groups</code>, which grant access explicitly to specific users (either the given users or group members) and deny access to everyone else. It is also possible to create deny lists (which deny access only to explicit people and implicitly allow everyone else access).
			</div><a id="id973644" class="indexterm"></a><div class="para">
				The Simple Access Provider adheres to the following three rules to determine which users should or should not be granted access:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						If both the allow and deny lists are empty, access is granted.
					</div></li><li class="listitem"><div class="para">
						If any list is provided, allow rules are evaluated first, and then deny rules. Practically, this means that deny rules supersede allow rules.
					</div></li><li class="listitem"><div class="para">
						If an allowed list is provided, then all users are denied access unless they are in the list.
					</div></li><li class="listitem"><div class="para">
						If only deny lists are provided, then all users are allowed access unless they are in the list.
					</div></li></ul></div><div class="para">
				For example, this grants access to two users and anyone who belongs to the IT group; implicitly, all other users are denied.
			</div><pre class="screen">[domain/example.com]
access_provider = simple
simple_allow_users = jsmith,bjensen
simple_allow_groups = itgroup</pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					The LOCAL domain in SSSD does not support <code class="option">simple</code> as an access provider.
				</div></div></div><div class="para">
				Other options are listed in the <span class="emphasis"><em>sssd-simple</em></span> man page, but these are rarely used.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id973729">28.5.2. Using the LDAP Access Filter</h3></div></div></div><div class="para">
				The LDAP server itself can provide the access control rules. The associated filter option (<code class="option">ldap_access_filter</code>) specifies which users are granted access to the specified host. The user filter must be used or all users are denied access.
			</div><div class="para">
				For example:
			</div><pre class="screen">[domain/example.com]
access_provider = ldap
ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com</pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					Offline caching for LDAP access providers is limited to determining whether the user's last online login attempt was successful. Users that were granted access during their last login will continue to be granted access while offline.
				</div></div></div><div class="para">
				SSSD can also check results by the account expiration policy and the <em class="parameter"><code>authorizedService</code></em> attribute.
			</div></div></div><div class="section" id="Configuring_Failover"><div class="titlepage"><div><div><h2 class="title" id="Configuring_Failover">28.6. Configuring Domain Failover</h2></div></div></div><div class="para">
			SSSD attempts to connect to machines and to services separately.
		</div><div class="para">
			When SSSD tries to connect to one of its domain backends, it first tries to resolve the hostname of a given machine. If this resolution attempt fails, the machine is considered offline, and SSSD no longer attempts to connect to this machine for any other service.
		</div><div class="para">
			If the resolution attempt succeeds, the backend tries to connect to a service on this machine. If the service connection attempt fails, then only this particular service is considered offline and the backend automatically switches over to the next service. The machine is still considered online and might still be tried for another service.
		</div><div class="para">
			SSSD only tries the first IP address given in the DNS A record. To find multiple servers with a single request, SSSD relies on SRV records.
		</div><div class="para">
			Connections are retried to offline machines or services every 30 seconds, until SSSD can successfully connect to the backend.
		</div><div class="section" id="config-failover"><div class="titlepage"><div><div><h3 class="title" id="config-failover">28.6.1. Configuring Failover</h3></div></div></div><div class="para">
				Configuring failover allows SSSD to switch automatically to a different server if the primary server fails. These servers are entered as a case-insensitive, comma-separated list in the <span class="emphasis"><em>[domain/Name]</em></span> sections of the <code class="filename">/etc/sssd/sssd.conf</code> file. The servers are listed in order of preference. This list can contain any number of servers.
			</div><div class="para">
				For example, for a native LDAP domain:
			</div><pre class="screen">ldap_uri = ldap://ldap0.example.com, ldap://ldap1.example.com, ldap://ldap2.example.com</pre><div class="para">
				The first entry, <code class="uri">ldap://ldap0.example.com</code>, is the primary server. If this server fails, SSSD first attempts to connect to <code class="uri">ldap1.example.com</code> and then <code class="uri">ldap2.example.com</code>.
			</div><div class="para">
				If the server parameter is not specified, then SSSD uses service discovery to try to find another server on the network.
			</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					The failover servers must be entered as a comma-separated list of values for a single key. If there are multiple keys, SSSD only recognizes the last entry.
				</div></div></div></div><div class="section" id="Using_SRV_Records_with_Failover"><div class="titlepage"><div><div><h3 class="title" id="Using_SRV_Records_with_Failover">28.6.2. Using SRV Records with Failover</h3></div></div></div><div class="para">
				SSSD supports SRV records in its failover configuration. The SSSD configuration can specify a server that is later resolved into a list of specific servers using SRV requests.
			</div><div class="para">
				For every service with which to use service discovery, add a special DNS record to the DNS server:
			</div><pre class="screen">_<em class="replaceable"><code>service</code></em>._<em class="replaceable"><code>protocol</code></em>._<em class="replaceable"><code>domain TTL priority weight port hostname</code></em></pre><div class="para">
				The <span class="emphasis"><em>priority</em></span> and <span class="emphasis"><em>weight</em></span> attributes of SRV records provide fine-grained control over which servers to contact first if the primary server fails.
			</div><div class="para">
				A typical configuration contains multiple such records, each with a different priority for failover and different weights for load balancing.
			</div><div class="para">
				For more information on SRV records, see <a href="http://tools.ietf.org/html/rfc2782">RFC 2782</a>.
			</div></div></div><div class="section" id="sssd-cache"><div class="titlepage"><div><div><h2 class="title" id="sssd-cache">28.7. Deleting Domain Cache Files</h2></div></div></div><a id="id1047968" class="indexterm"></a><div class="para">
			SSSD can define multiple domains of the same type and different types of domain. SSSD maintains a separate database file for each domain, meaning each domain has its own cache. These cache files are stored in the <code class="filename">/var/lib/sss/db/</code> directory.
		</div><div class="para">
			If there is ever a problem with a domain, it is easy to purge the cache by stopping SSSD and deleting the cache file for that domain.
		</div><div class="para">
			All cache files are named for the domain. For example, for a domain named <code class="command">exampleldap</code>, the cache file is named <code class="filename">cache_exampleldap.ldb</code>.
		</div><a id="id1048006" class="indexterm"></a><div class="para">
			<span class="bold bold"><strong>Be careful when you delete a cache file.</strong></span> This operation has significant effects:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					Deleting the cache file deletes all user data, both identification and cached credentials. Consequently, do delete a cache file unless the system is online and can authenticate with a username against the domain's servers. Without a credentials cache, offline authentication will fail.
				</div></li><li class="listitem"><div class="para">
					If the configuration is changed to reference a different identity provider, SSSD will recognize users from both providers until the cached entries from the original provider time out.
				</div><div class="para">
					It is possible to avoid this by purging the cache, but the better option is to use a different domain name for the new provider. When SSSD is restarted, it creates a new cache file with the new name and the old file is ignored.
				</div></li></ul></div></div><div class="section" id="usingnscd-sssd"><div class="titlepage"><div><div><h2 class="title" id="usingnscd-sssd">28.8. Using NSCD with SSSD</h2></div></div></div><a id="id1048069" class="indexterm"></a><a id="id1048081" class="indexterm"></a><div class="para">
			SSSD is not designed to be used with the NSCD daemon. Even though SSSD does not directly conflict with NSCD, using both services can result in unexpected behavior, especially with how long entries are cached.
		</div><div class="para">
			The most common evidence of a problem is conflicts with NFS. When using Network Manager to manage network connections, it may take several minutes for the network interface to come up. During this time, various services attempt to start. If these services start before the network is up and the DNS servers are available, these services fail to identify the forward or reverse DNS entries they need. These services will read an incorrect or possibly empty <code class="filename">resolv.conf</code> file. This file is typically only read once, and so any changes made to this file are not automatically applied. This can cause NFS locking to fail on the machine where the NSCD service is running, unless that service is manually restarted.
		</div><div class="para">
			To avoid this problem, enable caching for hosts and services in the <code class="filename">/etc/nscd.conf</code> file and rely on the SSSD cache for the <code class="systemitem">passwd</code>, <code class="systemitem">group</code>, and <code class="systemitem">netgroup</code> entries.
		</div><div class="para">
			Change the <code class="filename">/etc/nscd.conf</code> file:
		</div><pre class="screen">enable-cache hosts yes
enable-cache passwd no
enable-cache group no
enable-cache netgroup no
</pre><div class="para">
			With NSCD answering hosts requests, these entries will be cached by NSCD and returned by NSCD during the boot process. All other entries are handled by SSSD.
		</div></div><div class="section" id="SSSD-Troubleshooting"><div class="titlepage"><div><div><h2 class="title" id="SSSD-Troubleshooting">28.9. Troubleshooting SSSD</h2></div></div></div><div class="section" id="Troubleshooting-Using_SSSD_Log_Files"><div class="titlepage"><div><div><h3 class="title" id="Troubleshooting-Using_SSSD_Log_Files">28.9.1. Using SSSD Log Files</h3></div></div></div><div class="para">
				SSSD uses a number of log files to report information about its operation, located in the <code class="filename">/var/log/sssd/</code> directory. SSSD produces a log file for each domain, as well as an <code class="filename">sssd_pam.log</code> and an <code class="filename">sssd_nss.log</code> file.
			</div><div class="para">
				Additionally, the <code class="filename">/var/log/secure</code> file logs authentication failures and the reason for the failure.
			</div><div class="para">
				Increasing the log level can provide more information about problems with SSSD. To change the log level, set the <em class="parameter"><code>debug_level</code></em> parameter for each section in the <code class="filename">sssd.conf</code> file for which to product extra logs. For example:
			</div><pre class="screen">[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
<strong class="userinput"><code>debug_level = 9</code></strong></pre></div><div class="section" id="Troubleshooting-Problems_with_SSSD_Configuration"><div class="titlepage"><div><div><h3 class="title" id="Troubleshooting-Problems_with_SSSD_Configuration">28.9.2. Problems with SSSD Configuration</h3></div></div></div><div class="formalpara"><h5 class="formalpara" id="id1048222">SSSD fails to start</h5>
					SSSD requires that the configuration file be properly set up, with all the required entries, before the daemon will start.
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						SSSD requires at least one properly configured domain before the service will start. Without a domain, attempting to start SSSD returns an error that no domains are configured:
					</div><pre class="screen"># sssd -d4

[sssd] [ldb] (3): server_sort:Unable to register control with rootdse!
[sssd] [confdb_get_domains] (0): No domains configured, fatal error!
[sssd] [get_monitor_config] (0): No domains configured.
</pre><div class="para">
						Edit the <code class="filename">/etc/sssd/sssd.conf</code> file and create at least one domain.
					</div></li><li class="listitem"><div class="para">
						SSSD also requires at least one available service provider before it will start. If the problem is with the service provider configuration, the error message indicates that there are no services configured:
					</div><pre class="screen">[sssd] [get_monitor_config] (0): No services configured!
</pre><div class="para">
						Edit the <code class="filename">/etc/sssd/sssd.conf</code> file and configure at least one service provider.
					</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
							SSSD requires that service providers be configured as a comma-separated list in a single <em class="parameter"><code>services</code></em> entry in the <code class="filename">/etc/sssd/sssd.conf</code> file. If services are listed in multiple entries, only the last entry is recognized by SSSD.
						</div></div></div></li></ul></div><div class="formalpara"><h5 class="formalpara" id="id1048302">NSS fails to return user information</h5>
					This usually means that SSSD cannot connect to the NSS service.
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Ensure that NSS is running:
					</div><pre class="screen"># service sssd status</pre></li><li class="listitem"><div class="para">
						If NSS is running, make sure that the provider is properly configured in the <code class="literal">[nss]</code> section of the <code class="filename">/etc/sssd/sssd.conf</code> file. Especially check the <em class="parameter"><code>filter_users</code></em> and <em class="parameter"><code>filter_groups</code></em> attributes.
					</div></li><li class="listitem"><div class="para">
						Make sure that NSS is included in the list of services that SSSD uses.
					</div></li><li class="listitem"><div class="para">
						Check the configuration in the <code class="filename">/etc/nsswitch.conf</code> file.
					</div></li></ul></div><div class="formalpara"><h5 class="formalpara" id="id1048373">NSS returns incorrect user information </h5>
					If searches are returning the incorrect user information, check that there are not conflicting usernames in separate domains. When there are multiple domains, set the <em class="parameter"><code>use_fully_qualified_domains</code></em> attribute to <code class="literal">TRUE</code> in the <code class="filename">/etc/sssd/sssd.conf</code> file. This differentiates between different users in different domains with the same name.
				</div><div class="formalpara"><h5 class="formalpara" id="id1048399">Setting the password for the local SSSD user prompts twice for the password</h5>
					When attempting to change a local SSSD user's password, it may prompt for the password twice:
				</div><pre class="screen">[root@clientF11 tmp]# passwd user1000
Changing password for user user1000.
New password:
Retype new password:
New Password:
Reenter new Password:
passwd: all authentication tokens updated successfully.
</pre><div class="para">
				This is the result of an incorrect PAM configuration. Ensure that the <em class="parameter"><code>use_authtok</code></em> option is correctly configured in your <code class="filename">/etc/pam.d/system-auth</code> file.
			</div></div></div></div></div><div class="part" id="pt-sysconfig"><div class="titlepage"><div><div><h1 class="title">Part IV. System Configuration</h1></div></div></div><div class="partintro" id="id634021"><div></div><div class="para">
				Part of a system administrator's job is configuring the system for various tasks, types of users, and hardware configurations. This section explains how to configure a Red Hat Enterprise Linux system.
			</div><div class="toc"><p><strong>Table of Contents</strong></p><dl><dt><span class="chapter"><a href="#ch-console-access">29. Console Access</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-access-console-ctrlaltdel">29.1. Disabling Shutdown Via <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>Del</strong></span></a></span></dt><dt><span class="section"><a href="#s1-access-console-program">29.2. Disabling Console Program Access</a></span></dt><dt><span class="section"><a href="#s1-access-console-define">29.3. Defining the Console</a></span></dt><dt><span class="section"><a href="#s1-access-console-files">29.4. Making Files Accessible From the Console</a></span></dt><dt><span class="section"><a href="#s1-access-console-enable">29.5. Enabling Console Access for Other Applications</a></span></dt><dt><span class="section"><a href="#s1-access-floppy">29.6. The <code class="filename">floppy</code> Group</a></span></dt></dl></dd><dt><span class="chapter"><a href="#ch-sysconfig">30. The <code class="filename">sysconfig</code> Directory</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-sysconfig-files">30.1. Files in the <code class="filename">/etc/sysconfig/</code> Directory</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-sysconfig-files-amd">30.1.1. <code class="filename">/etc/sysconfig/amd</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-apmd">30.1.2. <code class="filename">/etc/sysconfig/apmd</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-arpwatch">30.1.3. <code class="filename">/etc/sysconfig/arpwatch</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-authconfig">30.1.4. <code class="filename">/etc/sysconfig/authconfig</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-autofs">30.1.5. <code class="filename">/etc/sysconfig/autofs</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-clock">30.1.6. <code class="filename">/etc/sysconfig/clock</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-desktop">30.1.7. <code class="filename">/etc/sysconfig/desktop</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-dhcpd">30.1.8. <code class="filename">/etc/sysconfig/dhcpd</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-exim">30.1.9. <code class="filename">/etc/sysconfig/exim</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-firewall">30.1.10. <code class="filename">/etc/sysconfig/firstboot</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-gpm">30.1.11. <code class="filename">/etc/sysconfig/gpm</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-hwconf">30.1.12. <code class="filename">/etc/sysconfig/hwconf</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-i18n">30.1.13. <code class="filename">/etc/sysconfig/i18n</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-init">30.1.14. <code class="filename">/etc/sysconfig/init</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-ip6tables">30.1.15. <code class="filename">/etc/sysconfig/ip6tables-config</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-iptables">30.1.16. <code class="filename">/etc/sysconfig/iptables-config</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-irda">30.1.17. <code class="filename">/etc/sysconfig/irda</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-kybd">30.1.18. <code class="filename">/etc/sysconfig/keyboard</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-kudzu">30.1.19. <code class="filename">/etc/sysconfig/kudzu</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-named">30.1.20. <code class="filename">/etc/sysconfig/named</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-network">30.1.21. <code class="filename">/etc/sysconfig/network</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-nfs">30.1.22. <code class="filename">/etc/sysconfig/nfs</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-ntpd">30.1.23. <code class="filename">/etc/sysconfig/ntpd</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-radvd">30.1.24. <code class="filename">/etc/sysconfig/radvd</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-samba">30.1.25. <code class="filename">/etc/sysconfig/samba</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-selinux">30.1.26. <code class="filename">/etc/sysconfig/selinux</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-sendmail">30.1.27. <code class="filename">/etc/sysconfig/sendmail</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-spamd">30.1.28. <code class="filename">/etc/sysconfig/spamassassin</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-squid">30.1.29. <code class="filename">/etc/sysconfig/squid</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-sec-level">30.1.30. <code class="filename">/etc/sysconfig/system-config-securitylevel</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-selinuxtool">30.1.31. <code class="filename">/etc/sysconfig/system-config-selinux</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-rcu">30.1.32. <code class="filename">/etc/sysconfig/system-config-users</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-rlv">30.1.33. <code class="filename">/etc/sysconfig/system-logviewer</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-tux">30.1.34. <code class="filename">/etc/sysconfig/tux</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-vncservers">30.1.35. <code class="filename">/etc/sysconfig/vncservers</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-xinetd">30.1.36. <code class="filename">/etc/sysconfig/xinetd</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-sysconfig-etcsysconf-dir">30.2. Directories in the <code class="filename">/etc/sysconfig/</code> Directory</a></span></dt><dt><span class="section"><a href="#s1-sysconfig-additional-resources">30.3. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-sysconfig-installed-documentation">30.3.1. Installed Documentation</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-dateconfig">31. Date and Time Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-dateconfig-time-date">31.1. Time and Date Properties</a></span></dt><dt><span class="section"><a href="#s1-dateconfig-ntp">31.2. Network Time Protocol (NTP) Properties</a></span></dt><dt><span class="section"><a href="#s1-dateconfig-time-zone">31.3. Time Zone Configuration</a></span></dt></dl></dd><dt><span class="chapter"><a href="#ch-keyboardconfig">32. Keyboard Configuration</a></span></dt><dt><span class="chapter"><a href="#ch-x">33. The X Window System</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-x-server">33.1. The X11R7.1 Release</a></span></dt><dt><span class="section"><a href="#s1-x-clients">33.2. Desktop Environments and Window Managers</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-x-clients-desktop">33.2.1. Desktop Environments</a></span></dt><dt><span class="section"><a href="#s2-x-clients-winmanagers">33.2.2. Window Managers</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-x-server-configuration">33.3. X Server Configuration Files</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-x-server-config-xorg.conf">33.3.1. <code class="filename">xorg.conf</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-x-fonts">33.4. Fonts</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-x-fonts-fontconfig">33.4.1. Fontconfig</a></span></dt><dt><span class="section"><a href="#s2-x-fonts-core">33.4.2. Core X Font System</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-x-runlevels">33.5. Runlevels and X</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-x-runlevels-3">33.5.1. Runlevel 3</a></span></dt><dt><span class="section"><a href="#s2-x-runlevels-5">33.5.2. Runlevel 5</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-x-additional-resources">33.6. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-x-installed-documentation">33.6.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-x-useful-websites">33.6.2. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-xconfig">34. X Window System Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-xconfig-display">34.1. Display Settings</a></span></dt><dt><span class="section"><a href="#s1-xconfig-advanced">34.2. Display Hardware Settings</a></span></dt><dt><span class="section"><a href="#s1-xconfig-dualhead">34.3. Dual Head Display Settings</a></span></dt></dl></dd><dt><span class="chapter"><a href="#ch-users-groups">35. Users and Groups</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-users-configui">35.1. User and Group Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-redhat-config-users-user-new">35.1.1. Adding a New User</a></span></dt><dt><span class="section"><a href="#s2-redhat-config-users-user-properties">35.1.2. Modifying User Properties</a></span></dt><dt><span class="section"><a href="#s2-redhat-config-users-group-new">35.1.3. Adding a New Group</a></span></dt><dt><span class="section"><a href="#s2-redhat-config-users-group-properties">35.1.4. Modifying Group Properties</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-users-tools">35.2. User and Group Management Tools</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-users-cmd-line">35.2.1. Command Line Configuration</a></span></dt><dt><span class="section"><a href="#s2-users-add">35.2.2. Adding a User</a></span></dt><dt><span class="section"><a href="#s2-groups-add">35.2.3. Adding a Group</a></span></dt><dt><span class="section"><a href="#s2-redhat-config-users-passwd-aging">35.2.4. Password Aging</a></span></dt><dt><span class="section"><a href="#s2-redhat-config-users-process">35.2.5. Explaining the Process</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-users-groups-standard-users">35.3. Standard Users</a></span></dt><dt><span class="section"><a href="#s1-users-groups-standard-groups">35.4. Standard Groups</a></span></dt><dt><span class="section"><a href="#s1-users-groups-private-groups">35.5. User Private Groups</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-users-groups-rationale">35.5.1. Group Directories</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-users-groups-shadow-utilities">35.6. Shadow Passwords</a></span></dt><dt><span class="section"><a href="#s1-users-groups-additional-resources">35.7. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-users-groups-documentation">35.7.1. Installed Documentation</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-printing">36. Printer Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-printing-local-printer">36.1. Adding a Local Printer</a></span></dt><dt><span class="section"><a href="#s1-printing-ipp-printer">36.2. Adding an IPP Printer</a></span></dt><dt><span class="section"><a href="#s1-printing-smb-printer">36.3. Adding a Samba (SMB) Printer</a></span></dt><dt><span class="section"><a href="#s1-printing-jetdirect-printer">36.4. Adding a JetDirect Printer</a></span></dt><dt><span class="section"><a href="#s1-printing-select-model">36.5. Selecting the Printer Model and Finishing</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-printing-confirm">36.5.1. Confirming Printer Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-printing-test-page">36.6. Printing a Test Page</a></span></dt><dt><span class="section"><a href="#s1-printing-edit">36.7. Modifying Existing Printers</a></span></dt><dd><dl><dt><span class="section"><a href="#id1051845">36.7.1. The <span class="guilabel"><strong>Settings</strong></span> Tab</a></span></dt><dt><span class="section"><a href="#id1051913">36.7.2. The <span class="guilabel"><strong>Policies</strong></span> Tab</a></span></dt><dt><span class="section"><a href="#id1052010">36.7.3. The <span class="guilabel"><strong>Access Control</strong></span> Tab</a></span></dt><dt><span class="section"><a href="#id1052078">36.7.4. The <span class="guilabel"><strong>Printer</strong></span> and <span class="guilabel"><strong>Job Options</strong></span>Tab</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-printing-managing">36.8. Managing Print Jobs</a></span></dt><dt><span class="section"><a href="#s1-printing-additional-resources">36.9. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-printing-installed-docs">36.9.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-printing-useful-websites">36.9.2. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-autotasks">37. Automated Tasks</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-autotasks-cron">37.1. Cron</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-autotasks-cron-configuring">37.1.1. Configuring Cron Tasks</a></span></dt><dt><span class="section"><a href="#s2-autotasks-cron-access">37.1.2. Controlling Access to Cron</a></span></dt><dt><span class="section"><a href="#s2-autotasks-cron-service">37.1.3. Starting and Stopping the Service</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-autotasks-at-batch">37.2. At and Batch</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-autotasks-at-configuring">37.2.1. Configuring At Jobs</a></span></dt><dt><span class="section"><a href="#s2-autotasks-batch-configuring">37.2.2. Configuring Batch Jobs</a></span></dt><dt><span class="section"><a href="#s2-autotasks-at-batch-viewing">37.2.3. Viewing Pending Jobs</a></span></dt><dt><span class="section"><a href="#s2-autotasks-commandline-options">37.2.4. Additional Command Line Options</a></span></dt><dt><span class="section"><a href="#s2-autotasks-at-batch-controlling-access">37.2.5. Controlling Access to At and Batch</a></span></dt><dt><span class="section"><a href="#s2-autotasks-at-batch-service">37.2.6. Starting and Stopping the Service</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-autotasks-additional-resources">37.3. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-autotasks-installed-docs">37.3.1. Installed Documentation</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-logfiles">38. Log Files</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-logfiles-locating">38.1. Locating Log Files</a></span></dt><dt><span class="section"><a href="#s1-logfiles-viewing">38.2. Viewing Log Files</a></span></dt><dt><span class="section"><a href="#s1-logfiles-adding">38.3. Adding a Log File</a></span></dt><dt><span class="section"><a href="#s1-logfiles-examining">38.4. Monitoring Log Files</a></span></dt></dl></dd></dl></div></div><div xml:lang="en-US" class="chapter" id="ch-console-access" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 29. Console Access</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-access-console-ctrlaltdel">29.1. Disabling Shutdown Via <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>Del</strong></span></a></span></dt><dt><span class="section"><a href="#s1-access-console-program">29.2. Disabling Console Program Access</a></span></dt><dt><span class="section"><a href="#s1-access-console-define">29.3. Defining the Console</a></span></dt><dt><span class="section"><a href="#s1-access-console-files">29.4. Making Files Accessible From the Console</a></span></dt><dt><span class="section"><a href="#s1-access-console-enable">29.5. Enabling Console Access for Other Applications</a></span></dt><dt><span class="section"><a href="#s1-access-floppy">29.6. The <code class="filename">floppy</code> Group</a></span></dt></dl></div><a id="id787593" class="indexterm"></a><a id="id786457" class="indexterm"></a><div class="para">
		When normal (non-root) users log into a computer locally, they are given two types of special permissions:
	</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
				They can run certain programs that they would otherwise be unable to run.
			</div></li><li class="listitem"><div class="para">
				They can access certain files (normally special device files used to access diskettes, CD-ROMs, and so on) that they would otherwise be unable to access.
			</div></li></ol></div><div class="para">
		Since there are multiple consoles on a single computer and multiple users can be logged into the computer locally at the same time, one of the users has to essentially win the race to access the files. The first user to log in at the console owns those files. Once the first user logs out, the next user who logs in owns the files.
	</div><div class="para">
		In contrast, <span class="emphasis"><em>every</em></span> user who logs in at the console is allowed to run programs that accomplish tasks normally restricted to the root user. If X is running, these actions can be included as menu items in a graphical user interface. As shipped, these console-accessible programs include <code class="command">halt</code>, <code class="command">poweroff</code>, and <code class="command">reboot</code>.
	</div><div class="section" id="s1-access-console-ctrlaltdel"><div class="titlepage"><div><div><h2 class="title" id="s1-access-console-ctrlaltdel">29.1. Disabling Shutdown Via <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>Del</strong></span></h2></div></div></div><a id="id860646" class="indexterm"></a><a id="id813770" class="indexterm"></a><div class="para">
			By default, <code class="filename">/etc/inittab</code> specifies that your system is set to shutdown and reboot in response to a <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>Del</strong></span> key combination used at the console. To completely disable this ability, comment out the following line in <code class="filename">/etc/inittab</code> by putting a hash mark (<code class="computeroutput">#</code>) in front of it:
		</div><pre class="screen">ca::ctrlaltdel:/sbin/shutdown -t3 -r now</pre><div class="para">
			Alternatively, you may want to allow certain non-root users the right to shutdown or reboot the system from the console using <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>Del</strong></span> . You can restrict this privilege to certain users, by taking the following steps:
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					Add the <code class="command">-a</code> option to the <code class="filename">/etc/inittab</code> line shown above, so that it reads:
				</div><pre class="screen">ca::ctrlaltdel:/sbin/shutdown -a -t3 -r now</pre><div class="para">
					The <code class="command">-a</code> flag tells <code class="command">shutdown</code> to look for the <code class="filename">/etc/shutdown.allow</code> file.
				</div></li><li class="listitem"><div class="para">
					Create a file named <code class="filename">shutdown.allow</code> in <code class="filename">/etc</code>. The <code class="filename">shutdown.allow</code> file should list the usernames of any users who are allowed to shutdown the system using <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>Del</strong></span> . The format of the <code class="filename">shutdown.allow</code> file is a list of usernames, one per line, like the following:
				</div><pre class="screen">stephen
jack
sophie</pre></li></ol></div><div class="para">
			According to this example <code class="filename">shutdown.allow</code> file, the users <code class="command">stephen</code>, <code class="command">jack</code>, and <code class="command">sophie</code> are allowed to shutdown the system from the console using <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>Del</strong></span> . When that key combination is used, the <code class="filename">shutdown -a</code> command in <code class="filename">/etc/inittab</code> checks to see if any of the users in <code class="filename">/etc/shutdown.allow</code> (or root) are logged in on a virtual console. If one of them is, the shutdown of the system continues; if not, an error message is written to the system console instead.
		</div><div class="para">
			For more information on <code class="filename">shutdown.allow</code>, refer to the <code class="command">shutdown</code> man page.
		</div></div><div class="section" id="s1-access-console-program"><div class="titlepage"><div><div><h2 class="title" id="s1-access-console-program">29.2. Disabling Console Program Access</h2></div></div></div><a id="id952381" class="indexterm"></a><div class="para">
			To disable access by users to console programs, run the following command as root:
		</div><pre class="screen"><code class="command">rm -f /etc/security/console.apps/*</code></pre><div class="para">
			In environments where the console is otherwise secured (BIOS and boot loader passwords are set, <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>Delete</strong></span> is disabled, the power and reset switches are disabled, and so forth), you may not want to allow any user at the console to run <code class="command">poweroff</code>, <code class="command">halt</code>, and <code class="command">reboot</code>, which are accessible from the console by default.
		</div><div class="para">
			To disable these abilities, run the following commands as root:
		</div><pre class="screen"><code class="command">rm -f /etc/security/console.apps/poweroff</code>
<code class="command">rm -f /etc/security/console.apps/halt</code>
<code class="command">rm -f /etc/security/console.apps/reboot</code></pre></div><div class="section" id="s1-access-console-define"><div class="titlepage"><div><div><h2 class="title" id="s1-access-console-define">29.3. Defining the Console</h2></div></div></div><a id="id993290" class="indexterm"></a><div class="para">
			The <code class="filename">pam_console.so</code> module uses the <code class="filename">/etc/security/console.perms</code> file to determine the permissions for users at the system console. The syntax of the file is very flexible; you can edit the file so that these instructions no longer apply. However, the default file has a line that looks like this:
		</div><pre class="screen">&lt;console&gt;=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9]</pre><div class="para">
			When users log in, they are attached to some sort of named terminal, which can be either an X server with a name like <code class="command">:0</code> or <code class="command">mymachine.example.com:1.0</code>, or a device like <code class="filename">/dev/ttyS0</code> or <code class="filename">/dev/pts/2</code>. The default is to define that local virtual consoles and local X servers are considered local, but if you want to consider the serial terminal next to you on port <code class="filename">/dev/ttyS1</code> to also be local, you can change that line to read:
		</div><pre class="screen">&lt;console&gt;=tty[0-9][0-9]* vc/[0-9][0-9]* :[0-9]\.[0-9] :[0-9] /dev/ttyS1</pre></div><div class="section" id="s1-access-console-files"><div class="titlepage"><div><div><h2 class="title" id="s1-access-console-files">29.4. Making Files Accessible From the Console</h2></div></div></div><a id="id993361" class="indexterm"></a><div class="para">
			The default settings for individual device classes and permission definitions are defined in <code class="filename">/etc/security/console.perms.d/50-default.perms</code>. To edit file and device permissions, it is advisable to create a new default file in <code class="filename">/etc/security/console.perms.d/</code> containing your preferred settings for a specified set of files or devices. The name of the new default file must begin with a number higher than 50 (for example, <code class="filename">51-default.perms</code>) in order to override <code class="filename">50-default.perms</code>.
		</div><div class="para">
			To do this, create a new file named <code class="filename">51-default.perms</code> in <code class="filename">/etc/security/console.perms.d/</code>: 
<pre class="screen"><code class="command">touch /etc/security/console.perms.d/51-default.perms</code></pre>

</div><div class="para">
			Open the original default <code class="filename">perms</code> file, <code class="filename">50-default.perms</code>. The first section defines <em class="firstterm">device classes</em>, with lines similar to the following:
		</div><pre class="screen">&lt;floppy&gt;=/dev/fd[0-1]* \
          /dev/floppy/* /mnt/floppy*
&lt;sound&gt;=/dev/dsp* /dev/audio* /dev/midi* \ 
	  /dev/mixer* /dev/sequencer \ 
	  /dev/sound/* /dev/beep \ 
	  /dev/snd/*
&lt;cdrom&gt;=/dev/cdrom* /dev/cdroms/* /dev/cdwriter* /mnt/cdrom*</pre><div class="para">
			Items enclosed in brackets name the device; in the above example, <code class="computeroutput">&lt;cdrom&gt;</code> refers to the CD-ROM drive. To add a new device, do not define it in the default <code class="filename">50-default.perms</code> file; instead, define it in <code class="filename">51-default.perms</code>. For example, to define a scanner, add the following line to <code class="filename">51-default.perms</code>:
		</div><pre class="screen">&lt;scanner&gt;=/dev/scanner /dev/usb/scanner*</pre><div class="para">
			Of course, you must use the appropriate name for the device. Ensure that <code class="filename">/dev/scanner</code> is really your scanner and not some other device, such as your hard drive.
		</div><div class="para">
			Once you have properly defined a device or file, the second step is to specify its <em class="firstterm">permission definitions</em>. The second section of <code class="filename">/etc/security/console.perms.d/50-default.perms</code> defines this, with lines similar to the following:
		</div><pre class="screen">&lt;console&gt; 0660 &lt;floppy&gt; 0660 root.floppy
&lt;console&gt; 0600 &lt;sound&gt;  0640 root
&lt;console&gt; 0600 &lt;cdrom&gt;  0600 root.disk</pre><div class="para">
			To define permissions for a scanner, add a line similar to the following in <code class="filename">51-default.perms</code>:
		</div><pre class="screen">&lt;console&gt; 0600 &lt;scanner&gt; 0600 root</pre><div class="para">
			Then, when you log in at the console, you are given ownership of the <code class="filename">/dev/scanner</code> device with the permissions of 0600 (readable and writable by you only). When you log out, the device is owned by root, and still has the permissions 0600 (now readable and writable by root only).
		</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
				You must <span class="emphasis"><em>never</em></span> edit the default <code class="filename">50-default.perms</code> file. To edit permissions for a device already defined in <code class="filename">50-default.perms</code>, add the desired permission definition for that device in <code class="filename">51-default.perms</code>. This will override whatever permissions are defined in <code class="filename">50-default.perms</code>.
			</div></div></div></div><div class="section" id="s1-access-console-enable"><div class="titlepage"><div><div><h2 class="title" id="s1-access-console-enable">29.5. Enabling Console Access for Other Applications</h2></div></div></div><a id="id968056" class="indexterm"></a><div class="para">
			To make other applications accessible to console users, a bit more work is required.
		</div><div class="para">
			First of all, console access <span class="emphasis"><em>only</em></span> works for applications which reside in <code class="filename">/sbin/</code> or <code class="filename">/usr/sbin/</code>, so the application that you wish to run must be there. After verifying that, perform the following steps:
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					Create a link from the name of your application, such as our sample <code class="filename">foo</code> program, to the <code class="command">/usr/bin/consolehelper</code> application:
				</div><pre class="screen"><code class="command">cd /usr/bin</code>
<code class="command">ln -s consolehelper foo</code></pre></li><li class="listitem"><div class="para">
					Create the file <code class="filename">/etc/security/console.apps/foo</code>:
				</div><pre class="screen"><code class="command">touch /etc/security/console.apps/foo</code></pre></li><li class="listitem"><div class="para">
					Create a PAM configuration file for the <code class="filename">foo</code> service in <code class="filename">/etc/pam.d/</code>. An easy way to do this is to copy the PAM configuration file of the <code class="command">halt</code> service, and then modify the copy if you want to change the behavior:
				</div><pre class="screen"><code class="command">cp /etc/pam.d/halt /etc/pam.d/foo</code></pre></li></ol></div><div class="para">
			Now, when <code class="command">/usr/bin/<em class="replaceable"><code>foo</code></em></code> is executed, <code class="command">consolehelper</code> is called, which authenticates the user with the help of <code class="command">/usr/sbin/userhelper</code>. To authenticate the user, <code class="command">consolehelper</code> asks for the user's password if <code class="filename">/etc/pam.d/<em class="replaceable"><code>foo</code></em></code> is a copy of <code class="filename">/etc/pam.d/halt</code> (otherwise, it does precisely what is specified in <code class="filename">/etc/pam.d/<em class="replaceable"><code>foo</code></em></code>) and then runs <code class="filename">/usr/sbin/<em class="replaceable"><code>foo</code></em></code> with root permissions.
		</div><a id="id973878" class="indexterm"></a><div class="para">
			In the PAM configuration file, an application can be configured to use the <em class="firstterm">pam_timestamp</em> module to remember (or cache) a successful authentication attempt. When an application is started and proper authentication is provided (the root password), a timestamp file is created. By default, a successful authentication is cached for five minutes. During this time, any other application that is configured to use <code class="filename">pam_timestamp</code> and run from the same session is automatically authenticated for the user — the user does not have to enter the root password again.
		</div><div class="para">
			This module is included in the <code class="filename">pam</code> package. To enable this feature, add the following lines to your PAM configuration file in <code class="filename">etc/pam.d/</code>:
		</div><pre class="screen">auth            include         config-util
account         include         config-util
session         include         config-util</pre><div class="para">
			These lines can be copied from any of the <code class="filename">/etc/pam.d/system-config-<em class="replaceable"><code>*</code></em></code> configuration files. Note that these lines must be added <span class="emphasis"><em>below</em></span> any other <code class="computeroutput">auth sufficient</code> <code class="computeroutput">session optional</code> lines in your PAM configuration file.
		</div><div class="para">
			If an application configured to use <code class="filename">pam_timestamp</code> is successfully authenticated from the Applications (the main menu on the panel), the 
			<span class="inlinemediaobject"><img src="images/pam-icon.png" /></span>
			 icon is displayed in the notification area of the panel if you are running the <span class="application"><strong>GNOME</strong></span> or <span class="application"><strong>KDE</strong></span> desktop environment. After the authentication expires (the default is five minutes), the icon disappears.
		</div><div class="para">
			The user can select to forget the cached authentication by clicking on the icon and selecting the option to forget authentication.
		</div></div><div class="section" id="s1-access-floppy"><div class="titlepage"><div><div><h2 class="title" id="s1-access-floppy">29.6. The <code class="filename">floppy</code> Group</h2></div></div></div><a id="id974010" class="indexterm"></a><a id="id974023" class="indexterm"></a><div class="para">
			If, for whatever reason, console access is not appropriate for you and your non-root users require access to your system's diskette drive, this can be done using the <code class="filename">floppy</code> group. Add the user(s) to the <code class="filename">floppy</code> group using the tool of your choice. For example, the <code class="command">gpasswd</code> command can be used to add user <code class="command">fred</code> to the <code class="filename">floppy</code> group:
		</div><pre class="screen"><code class="command">gpasswd -a fred floppy</code></pre><div class="para">
			Now, user <code class="command">fred</code> is able to access the system's diskette drive from the console.
		</div></div></div><div xml:lang="en-US" class="chapter" id="ch-sysconfig" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 30. The <code class="filename">sysconfig</code> Directory</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-sysconfig-files">30.1. Files in the <code class="filename">/etc/sysconfig/</code> Directory</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-sysconfig-files-amd">30.1.1. <code class="filename">/etc/sysconfig/amd</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-apmd">30.1.2. <code class="filename">/etc/sysconfig/apmd</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-arpwatch">30.1.3. <code class="filename">/etc/sysconfig/arpwatch</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-authconfig">30.1.4. <code class="filename">/etc/sysconfig/authconfig</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-autofs">30.1.5. <code class="filename">/etc/sysconfig/autofs</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-clock">30.1.6. <code class="filename">/etc/sysconfig/clock</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-desktop">30.1.7. <code class="filename">/etc/sysconfig/desktop</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-dhcpd">30.1.8. <code class="filename">/etc/sysconfig/dhcpd</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-exim">30.1.9. <code class="filename">/etc/sysconfig/exim</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-firewall">30.1.10. <code class="filename">/etc/sysconfig/firstboot</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-gpm">30.1.11. <code class="filename">/etc/sysconfig/gpm</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-hwconf">30.1.12. <code class="filename">/etc/sysconfig/hwconf</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-i18n">30.1.13. <code class="filename">/etc/sysconfig/i18n</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-init">30.1.14. <code class="filename">/etc/sysconfig/init</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-ip6tables">30.1.15. <code class="filename">/etc/sysconfig/ip6tables-config</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-iptables">30.1.16. <code class="filename">/etc/sysconfig/iptables-config</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-irda">30.1.17. <code class="filename">/etc/sysconfig/irda</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-kybd">30.1.18. <code class="filename">/etc/sysconfig/keyboard</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-kudzu">30.1.19. <code class="filename">/etc/sysconfig/kudzu</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-named">30.1.20. <code class="filename">/etc/sysconfig/named</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-network">30.1.21. <code class="filename">/etc/sysconfig/network</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-nfs">30.1.22. <code class="filename">/etc/sysconfig/nfs</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-ntpd">30.1.23. <code class="filename">/etc/sysconfig/ntpd</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-radvd">30.1.24. <code class="filename">/etc/sysconfig/radvd</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-samba">30.1.25. <code class="filename">/etc/sysconfig/samba</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-selinux">30.1.26. <code class="filename">/etc/sysconfig/selinux</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-sendmail">30.1.27. <code class="filename">/etc/sysconfig/sendmail</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-spamd">30.1.28. <code class="filename">/etc/sysconfig/spamassassin</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-squid">30.1.29. <code class="filename">/etc/sysconfig/squid</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-sec-level">30.1.30. <code class="filename">/etc/sysconfig/system-config-securitylevel</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-selinuxtool">30.1.31. <code class="filename">/etc/sysconfig/system-config-selinux</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-rcu">30.1.32. <code class="filename">/etc/sysconfig/system-config-users</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-rlv">30.1.33. <code class="filename">/etc/sysconfig/system-logviewer</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-tux">30.1.34. <code class="filename">/etc/sysconfig/tux</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-vncservers">30.1.35. <code class="filename">/etc/sysconfig/vncservers</code></a></span></dt><dt><span class="section"><a href="#s2-sysconfig-xinetd">30.1.36. <code class="filename">/etc/sysconfig/xinetd</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-sysconfig-etcsysconf-dir">30.2. Directories in the <code class="filename">/etc/sysconfig/</code> Directory</a></span></dt><dt><span class="section"><a href="#s1-sysconfig-additional-resources">30.3. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-sysconfig-installed-documentation">30.3.1. Installed Documentation</a></span></dt></dl></dd></dl></div><a id="id1045653" class="indexterm"></a><a id="id870232" class="indexterm"></a><div class="para">
		The <code class="filename">/etc/sysconfig/</code> directory contains a variety of system configuration files for Red Hat Enterprise Linux.
	</div><div class="para">
		This chapter outlines some of the files found in the <code class="filename">/etc/sysconfig/</code> directory, their function, and their contents. The information in this chapter is not intended to be complete, as many of these files have a variety of options that are only used in very specific or rare circumstances.
	</div><div class="section" id="s1-sysconfig-files"><div class="titlepage"><div><div><h2 class="title" id="s1-sysconfig-files">30.1. Files in the <code class="filename">/etc/sysconfig/</code> Directory</h2></div></div></div><a id="id1064992" class="indexterm"></a><div class="para">
			The following sections offer descriptions of files normally found in the <code class="filename">/etc/sysconfig/</code> directory. Files not listed here, as well as extra file options, are found in the <code class="filename">/usr/share/doc/initscripts-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/sysconfig.txt</code> file (replace <em class="replaceable"><code>&lt;version-number&gt;</code></em> with the version of the <code class="filename">initscripts</code> package). Alternatively, looking through the initscripts in the <code class="filename">/etc/rc.d/</code> directory can prove helpful.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				If some of the files listed here are not present in the <code class="filename">/etc/sysconfig/</code> directory, then the corresponding program may not be installed.
			</div></div></div><div class="section" id="s2-sysconfig-files-amd"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-files-amd">30.1.1. <code class="filename">/etc/sysconfig/amd</code></h3></div></div></div><a id="id842035" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/amd</code> file contains various parameters used by <code class="command">amd</code>; these parameters allow for the automatic mounting and unmounting of file systems.
			</div></div><div class="section" id="s2-sysconfig-apmd"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-apmd">30.1.2. <code class="filename">/etc/sysconfig/apmd</code></h3></div></div></div><a id="id967889" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/apmd</code> file is used by <code class="command">apmd</code> to configure what power settings to start/stop/change on suspend or resume. This file configures how <code class="command">apmd</code> functions at boot time, depending on whether the hardware supports <em class="firstterm">Advanced Power Management</em> (<em class="firstterm">APM</em>) or whether the user has configured the system to use it. The <code class="command">apm</code> daemon is a monitoring program that works with power management code within the Linux kernel. It is capable of alerting users to low battery power on laptops and other power-related settings.
			</div></div><div class="section" id="s2-sysconfig-arpwatch"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-arpwatch">30.1.3. <code class="filename">/etc/sysconfig/arpwatch</code></h3></div></div></div><a id="id936159" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/arpwatch</code> file is used to pass arguments to the <code class="command">arpwatch</code> daemon at boot time. The <code class="command">arpwatch</code> daemon maintains a table of Ethernet MAC addresses and their IP address pairings. By default, this file sets the owner of the <code class="command">arpwatch</code> process to the user <code class="computeroutput">pcap</code> and sends any messages to the <code class="command">root</code> mail queue. For more information regarding available parameters for this file, refer to the <code class="command">arpwatch</code> man page.
			</div></div><div class="section" id="s2-sysconfig-authconfig"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-authconfig">30.1.4. <code class="filename">/etc/sysconfig/authconfig</code></h3></div></div></div><a id="id965049" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/authconfig</code> file sets the authorization to be used on the host. It contains one or more of the following lines:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">USEMD5=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is one of the following:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">yes</code> — MD5 is used for authentication.
							</div></li><li class="listitem"><div class="para">
								<code class="command">no</code> — MD5 is not used for authentication.
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<code class="command">USEKERBEROS=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is one of the following:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">yes</code> — Kerberos is used for authentication.
							</div></li><li class="listitem"><div class="para">
								<code class="command">no</code> — Kerberos is not used for authentication.
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<code class="command">USELDAPAUTH=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is one of the following:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">yes</code> — LDAP is used for authentication.
							</div></li><li class="listitem"><div class="para">
								<code class="command">no</code> — LDAP is not used for authentication.
							</div></li></ul></div></li></ul></div></div><div class="section" id="s2-sysconfig-autofs"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-autofs">30.1.5. <code class="filename">/etc/sysconfig/autofs</code></h3></div></div></div><a id="id971416" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/autofs</code> file defines custom options for the automatic mounting of devices. This file controls the operation of the automount daemons, which automatically mount file systems when you use them and unmount them after a period of inactivity. File systems can include network file systems, CD-ROMs, diskettes, and other media.
			</div><div class="para">
				The <code class="filename">/etc/sysconfig/autofs</code> file may contain the following:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">LOCALOPTIONS="<em class="replaceable"><code>&lt;value&gt;</code></em>"</code>, where <em class="replaceable"><code>&lt;value&gt;</code></em> is a string for defining machine-specific automount rules. The default value is an empty string (<code class="command">""</code>).
					</div></li><li class="listitem"><div class="para">
						<code class="command">DAEMONOPTIONS="<em class="replaceable"><code>&lt;value&gt;</code></em>"</code>, where <em class="replaceable"><code>&lt;value&gt;</code></em> is the timeout length in seconds before unmounting the device. The default value is 60 seconds (<code class="command">"--timeout=60"</code>).
					</div></li><li class="listitem"><div class="para">
						<code class="command">UNDERSCORETODOT=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <em class="replaceable"><code>&lt;value&gt;</code></em> is a binary value that controls whether to convert underscores in file names into dots. For example, <code class="command">auto_home</code> to <code class="command">auto.home</code> and <code class="command">auto_mnt</code> to <code class="command">auto.mnt</code>. The default value is 1 (true).
					</div></li><li class="listitem"><div class="para">
						<code class="command">DISABLE_DIRECT=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <em class="replaceable"><code>&lt;value&gt;</code></em> is a binary value that controls whether to disable direct mount support, as the Linux implementation does not conform to the Sun Microsystems' automounter behavior. The default value is 1 (true), and allows for compatibility with the Sun automounter options specification syntax.
					</div></li></ul></div></div><div class="section" id="s2-sysconfig-clock"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-clock">30.1.6. <code class="filename">/etc/sysconfig/clock</code></h3></div></div></div><a id="id884541" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/clock</code> file controls the interpretation of values read from the system hardware clock.
			</div><div class="para">
				The correct values are:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">UTC=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is one of the following boolean values:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">true</code> or <code class="command">yes</code> — The hardware clock is set to Universal Time.
							</div></li><li class="listitem"><div class="para">
								<code class="command">false</code> or <code class="command">no</code> — The hardware clock is set to local time.
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<code class="command">ARC=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is the following: 
						<div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="command">false</code> or <code class="command">no</code> — This value indicates that the normal UNIX epoch is in use. Other values are used by systems not supported by Red Hat Enterprise Linux.
								</div></li></ul></div>

</div></li><li class="listitem"><div class="para">
						<code class="command">SRM=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is the following: 
						<div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="command">false</code> or <code class="command">no</code> — This value indicates that the normal UNIX epoch is in use. Other values are used by systems not supported by Red Hat Enterprise Linux.
								</div></li></ul></div>

</div></li><li class="listitem"><div class="para">
						<code class="command">ZONE=<code class="filename"><em class="replaceable"><code>&lt;filename&gt;</code></em> </code></code> — The time zone file under <code class="filename">/usr/share/zoneinfo</code> that <code class="filename">/etc/localtime</code> is a copy of. The file contains information such as:
					</div><pre class="screen">ZONE="America/New York"</pre><div class="para">
						Note that the <code class="command">ZONE</code> parameter is read by the <span class="application"><strong>Time and Date Properties Tool</strong></span> (<code class="command">system-config-date</code>), and manually editing it does not change the system timezone.
					</div></li></ul></div><div class="para">
				Earlier releases of Red Hat Enterprise Linux used the following values (which are deprecated):
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">CLOCKMODE=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is one of the following:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">GMT</code> — The clock is set to Universal Time (Greenwich Mean Time).
							</div></li><li class="listitem"><div class="para">
								<code class="command">ARC</code> — The ARC console's 42-year time offset is in effect (for Alpha-based systems only).
							</div></li></ul></div></li></ul></div></div><div class="section" id="s2-sysconfig-desktop"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-desktop">30.1.7. <code class="filename">/etc/sysconfig/desktop</code></h3></div></div></div><a id="id884833" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/desktop</code> file specifies the desktop for new users and the display manager to run when entering runlevel 5.
			</div><div class="para">
				Correct values are:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">DESKTOP="<em class="replaceable"><code>&lt;value&gt;</code></em>"</code>, where <code class="command">"<em class="replaceable"><code>&lt;value&gt;</code></em>"</code> is one of the following:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">GNOME</code> — Selects the <span class="application"><strong>GNOME</strong></span> desktop environment.
							</div></li><li class="listitem"><div class="para">
								<code class="command">KDE</code> — Selects the <span class="application"><strong>KDE</strong></span> desktop environment.
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<code class="command">DISPLAYMANAGER="<em class="replaceable"><code>&lt;value&gt;</code></em>"</code>, where <code class="command">"<em class="replaceable"><code>&lt;value&gt;</code></em>"</code> is one of the following:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">GNOME</code> — Selects the <span class="application"><strong>GNOME Display Manager</strong></span>.
							</div></li><li class="listitem"><div class="para">
								<code class="command">KDE</code> — Selects the <span class="application"><strong>KDE Display Manager</strong></span>.
							</div></li><li class="listitem"><div class="para">
								<code class="command">XDM</code> — Selects the <span class="application"><strong>X Display Manager</strong></span>.
							</div></li></ul></div></li></ul></div><div class="para">
				For more information, refer to <a class="xref" href="#ch-x">Chapter 33, <em>The X Window System</em></a>.
			</div></div><div class="section" id="s2-sysconfig-dhcpd"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-dhcpd">30.1.8. <code class="filename">/etc/sysconfig/dhcpd</code></h3></div></div></div><a id="id885022" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/dhcpd</code> file is used to pass arguments to the <code class="command">dhcpd</code> daemon at boot time. The <code class="command">dhcpd</code> daemon implements the Dynamic Host Configuration Protocol (DHCP) and the Internet Bootstrap Protocol (BOOTP). DHCP and BOOTP assign hostnames to machines on the network. For more information about what parameters are available in this file, refer to the <code class="command">dhcpd</code> man page.
			</div></div><div class="section" id="s2-sysconfig-exim"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-exim">30.1.9. <code class="filename">/etc/sysconfig/exim</code></h3></div></div></div><a id="id1048434" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/exim</code> file allows messages to be sent to one or more clients, routing the messages over whatever networks are necessary. The file sets the default values for exim to run. Its default values are set to run as a background daemon and to check its queue each hour in case something has backed up.
			</div><div class="para">
				The values include:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">DAEMON=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is one of the following:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">yes</code> — <code class="filename">exim</code> should be configured to listen to port 25 for incoming mail. <code class="command">yes</code> implies the use of the Exim's <code class="command">-bd</code> options.
							</div></li><li class="listitem"><div class="para">
								<code class="command">no</code> — <code class="filename">exim</code> should not be configured to listen to port 25 for incoming mail.
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<code class="command">QUEUE=1h</code> which is given to <code class="filename">exim</code> as <code class="command">-q$QUEUE</code>. The <code class="command">-q</code> option is not given to <code class="filename">exim</code> if <code class="filename">/etc/sysconfig/exim</code> exists and <code class="filename">QUEUE</code> is empty or undefined.
					</div></li></ul></div></div><div class="section" id="s2-sysconfig-firewall"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-firewall">30.1.10. <code class="filename">/etc/sysconfig/firstboot</code></h3></div></div></div><a id="id1048581" class="indexterm"></a><div class="para">
				The first time the system boots, the <code class="command">/sbin/init</code> program calls the <code class="filename">etc/rc.d/init.d/firstboot</code> script, which in turn launches the <span class="application"><strong> Setup Agent</strong></span>. This application allows the user to install the latest updates as well as additional applications and documentation.
			</div><div class="para">
				The <code class="filename">/etc/sysconfig/firstboot</code> file tells the <span class="application"><strong> Setup Agent</strong></span> application not to run on subsequent reboots. To run it the next time the system boots, remove <code class="filename">/etc/sysconfig/firstboot</code> and execute <code class="command">chkconfig --level 5 firstboot on</code>.
			</div></div><div class="section" id="s2-sysconfig-gpm"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-gpm">30.1.11. <code class="filename">/etc/sysconfig/gpm</code></h3></div></div></div><a id="id1048646" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/gpm</code> file is used to pass arguments to the <code class="command">gpm</code> daemon at boot time. The <code class="command">gpm</code> daemon is the mouse server which allows mouse acceleration and middle-click pasting. For more information about what parameters are available for this file, refer to the <code class="command">gpm</code> man page. By default, the <code class="command">DEVICE</code> directive is set to <code class="filename">/dev/input/mice</code>.
			</div></div><div class="section" id="s2-sysconfig-hwconf"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-hwconf">30.1.12. <code class="filename">/etc/sysconfig/hwconf</code></h3></div></div></div><a id="id1048727" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/hwconf</code> file lists all the hardware that <code class="command">kudzu</code> detected on the system, as well as the drivers used, vendor ID, and device ID information. The <code class="command">kudzu</code> program detects and configures new and/or changed hardware on a system. The <code class="filename">/etc/sysconfig/hwconf</code> file is not meant to be manually edited. If edited, devices could suddenly show up as being added or removed.
			</div></div><div class="section" id="s2-sysconfig-i18n"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-i18n">30.1.13. <code class="filename">/etc/sysconfig/i18n</code></h3></div></div></div><div class="para">
				The <code class="filename">/etc/sysconfig/i18n</code> file sets the default language, any supported languages, and the default system font. For example:
			</div><pre class="screen">LANG="en_US.UTF-8"
SUPPORTED="en_US.UTF-8:en_US:en"
SYSFONT="latarcyrheb-sun16"</pre></div><div class="section" id="s2-sysconfig-init"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-init">30.1.14. <code class="filename">/etc/sysconfig/init</code></h3></div></div></div><a id="id1048800" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/init</code> file controls how the system appears and functions during the boot process.
			</div><div class="para">
				The following values may be used:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">BOOTUP=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is one of the following:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">color</code> — The standard color boot display, where the success or failure of devices and services starting up is shown in different colors.
							</div></li><li class="listitem"><div class="para">
								<code class="command">verbose</code> — An old style display which provides more information than purely a message of success or failure.
							</div></li><li class="listitem"><div class="para">
								Anything else means a new display, but without ANSI-formatting.
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<code class="command">RES_COL=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is the number of the column of the screen to start status labels. The default is set to 60.
					</div></li><li class="listitem"><div class="para">
						<code class="command">MOVE_TO_COL=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> moves the cursor to the value in the <code class="filename">RES_COL</code> line via the <code class="command">echo -en</code> command.
					</div></li><li class="listitem"><div class="para">
						<code class="command">SETCOLOR_SUCCESS=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> sets the success color via the <code class="command">echo -en</code> command. The default color is set to green.
					</div></li><li class="listitem"><div class="para">
						<code class="command">SETCOLOR_FAILURE=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> sets the failure color via the <code class="command">echo -en</code> command. The default color is set to red.
					</div></li><li class="listitem"><div class="para">
						<code class="command">SETCOLOR_WARNING=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> sets the warning color via the <code class="command">echo -en</code> command. The default color is set to yellow.
					</div></li><li class="listitem"><div class="para">
						<code class="command">SETCOLOR_NORMAL=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> resets the color to "normal" via the <code class="command">echo -en</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">LOGLEVEL=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> sets the initial console logging level for the kernel. The default is 3; 8 means everything (including debugging), while 1 means only kernel panics. The <code class="command">syslogd</code> daemon overrides this setting once started.
					</div></li><li class="listitem"><div class="para">
						<code class="command">PROMPT=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is one of the following boolean values:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">yes</code> — Enables the key check for interactive mode.
							</div></li><li class="listitem"><div class="para">
								<code class="command">no</code> — Disables the key check for interactive mode.
							</div></li></ul></div></li></ul></div></div><div class="section" id="s2-sysconfig-ip6tables"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-ip6tables">30.1.15. <code class="filename">/etc/sysconfig/ip6tables-config</code></h3></div></div></div><a id="id1049117" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/ip6tables-config</code> file stores information used by the kernel to set up IPv6 packet filtering at boot time or whenever the <code class="command">ip6tables</code> service is started.
			</div><div class="para">
				Do not modify this file by hand unless familiar with how to construct <code class="command">ip6tables</code> rules. Rules also can be created manually using the <code class="command">/sbin/ip6tables</code> command. Once created, add the rules to the <code class="filename">/etc/sysconfig/ip6tables</code> file by typing the following command:
			</div><pre class="screen"><code class="command">service ip6tables save</code></pre><div class="para">
				Once this file exists, any firewall rules saved in it persists through a system reboot or a service restart.
			</div><div class="para">
				For more information on <code class="command">ip6tables</code>, refer to <a class="xref" href="#ch-iptables">Section 46.9, “IPTables”</a>.
			</div></div><div class="section" id="s2-sysconfig-iptables"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-iptables">30.1.16. <code class="filename">/etc/sysconfig/iptables-config</code></h3></div></div></div><a id="id1049196" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/iptables-config</code> file stores information used by the kernel to set up packet filtering services at boot time or whenever the service is started.
			</div><div class="para">
				Do not modify this file by hand unless you are familiar with constructing <code class="command">iptables</code> rules. The easiest way to add rules is to use the <span class="application"><strong>Security Level Configuration Tool</strong></span> (<code class="command">system-config-securitylevel</code>) application to create a firewall. These applications automatically edit this file at the end of the process.
			</div><div class="para">
				Rules can also be created manually using the <code class="command">/sbin/iptables</code> command. Once created, add the rule(s) to the <code class="filename">/etc/sysconfig/iptables</code> file by typing the following command:
			</div><pre class="screen"><code class="command">service iptables save</code></pre><div class="para">
				Once this file exists, any firewall rules saved in it persists through a system reboot or a service restart.
			</div><div class="para">
				For more information on <code class="command">iptables</code>, refer to <a class="xref" href="#ch-iptables">Section 46.9, “IPTables”</a>.
			</div></div><div class="section" id="s2-sysconfig-irda"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-irda">30.1.17. <code class="filename">/etc/sysconfig/irda</code></h3></div></div></div><a id="id1049284" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/irda</code> file controls how infrared devices on the system are configured at startup.
			</div><div class="para">
				The following values may be used:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">IRDA=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is one of the following boolean values:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">yes</code> — <code class="command">irattach</code> runs and periodically checks to see if anything is trying to connect to the infrared port, such as another notebook computer trying to make a network connection. For infrared devices to work on the system, this line must be set to <code class="command">yes</code>.
							</div></li><li class="listitem"><div class="para">
								<code class="command">no</code> — <code class="command">irattach</code> does not run, preventing infrared device communication.
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<code class="command">DEVICE=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is the device (usually a serial port) that handles infrared connections. A sample serial device entry could be <code class="filename">/dev/ttyS2</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">DONGLE=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> specifies the type of dongle being used for infrared communication. This setting exists for people who use serial dongles rather than real infrared ports. A dongle is a device that is attached to a traditional serial port to communicate via infrared. This line is commented out by default because notebooks with real infrared ports are far more common than computers with add-on dongles. A sample dongle entry could be <code class="filename">actisys+</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">DISCOVERY=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is one of the following boolean values:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">yes</code> — Starts <code class="command">irattach</code> in discovery mode, meaning it actively checks for other infrared devices. This must be turned on for the machine to actively look for an infrared connection (meaning the peer that does not initiate the connection).
							</div></li><li class="listitem"><div class="para">
								<code class="command">no</code> — Does not start <code class="command">irattach</code> in discovery mode.
							</div></li></ul></div></li></ul></div></div><div class="section" id="s2-sysconfig-kybd"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-kybd">30.1.18. <code class="filename">/etc/sysconfig/keyboard</code></h3></div></div></div><a id="id1049500" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/keyboard</code> file controls the behavior of the keyboard. The following values may be used:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">KEYBOARDTYPE="sun|pc"</code> where <code class="command">sun</code> means a Sun keyboard is attached on <code class="filename">/dev/kbd</code>, or <code class="command">pc</code> means a PS/2 keyboard connected to a PS/2 port.
					</div></li><li class="listitem"><div class="para">
						<code class="command">KEYTABLE="<em class="replaceable"><code>&lt;file&gt;</code></em>"</code>, where <code class="command"><em class="replaceable"><code>&lt;file&gt;</code></em></code> is the name of a keytable file.
					</div><div class="para">
						For example: <code class="command">KEYTABLE="us"</code>. The files that can be used as keytables start in <code class="filename">/lib/kbd/keymaps/i386</code> and branch into different keyboard layouts from there, all labeled <code class="filename"><em class="replaceable"><code>&lt;file&gt;</code></em>.kmap.gz</code>. The first file found beneath <code class="filename">/lib/kbd/keymaps/i386</code> that matches the <code class="command">KEYTABLE</code> setting is used.
					</div></li></ul></div></div><div class="section" id="s2-sysconfig-kudzu"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-kudzu">30.1.19. <code class="filename">/etc/sysconfig/kudzu</code></h3></div></div></div><a id="id1049613" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/kuzdu</code> file triggers a safe probe of the system hardware by <code class="command">kudzu</code> at boot time. A safe probe is one that disables serial port probing.
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">SAFE=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is one of the following:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">yes</code> — <code class="command">kuzdu</code> does a safe probe.
							</div></li><li class="listitem"><div class="para">
								<code class="command">no</code> — <code class="command">kuzdu</code> does a normal probe.
							</div></li></ul></div></li></ul></div></div><div class="section" id="s2-sysconfig-named"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-named">30.1.20. <code class="filename">/etc/sysconfig/named</code></h3></div></div></div><a id="id902145" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/named</code> file is used to pass arguments to the <code class="command">named</code> daemon at boot time. The <code class="command">named</code> daemon is a <em class="firstterm">Domain Name System</em> (<em class="firstterm">DNS</em>) server which implements the <em class="firstterm">Berkeley Internet Name Domain</em> (<em class="firstterm">BIND</em>) version 9 distribution. This server maintains a table of which hostnames are associated with IP addresses on the network.
			</div><div class="para">
				Currently, only the following values may be used:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">ROOTDIR=<em class="replaceable"><code>"&lt;/some/where&gt;"</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;/some/where&gt;</code></em></code> refers to the full directory path of a configured chroot environment under which <code class="command">named</code> runs. This chroot environment must first be configured. Type <code class="command">info chroot</code> for more information.
					</div></li><li class="listitem"><div class="para">
						<code class="command">OPTIONS=<em class="replaceable"><code>"&lt;value&gt;"</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is any option listed in the man page for <code class="command">named</code> except <code class="option">-t</code>. In place of <code class="option">-t</code>, use the <code class="command">ROOTDIR</code> line above.
					</div></li></ul></div><div class="para">
				For more information about available parameters for this file, refer to the <code class="command">named</code> man page. For detailed information on how to configure a BIND DNS server, refer to <a class="xref" href="#ch-bind">Chapter 18, <em>Berkeley Internet Name Domain (BIND)</em></a>. By default, the file contains no parameters.
			</div></div><div class="section" id="s2-sysconfig-network"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-network">30.1.21. <code class="filename">/etc/sysconfig/network</code></h3></div></div></div><a id="id902299" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/network</code> file is used to specify information about the desired network configuration. The following values may be used:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">NETWORKING=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is one of the following boolean values:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">yes</code> — Networking should be configured.
							</div></li><li class="listitem"><div class="para">
								<code class="command">no</code> — Networking should not be configured.
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<code class="command">HOSTNAME=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> should be the <em class="firstterm">Fully Qualified Domain Name</em> (<em class="firstterm">FQDN</em>), such as <code class="filename">hostname.expample.com</code>, but can be whatever hostname is necessary.
					</div></li><li class="listitem"><div class="para">
						<code class="command">GATEWAY=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is the IP address of the network's gateway.
					</div></li><li class="listitem"><div class="para">
						<code class="command">GATEWAYDEV=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is the gateway device, such as <code class="filename">eth0</code>. Configure this option if you have multiple interfaces on the same subnet, and require one of those interfaces to be the preferred route to the default gateway.
					</div></li><li class="listitem"><div class="para">
						<code class="command">NISDOMAIN=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is the NIS domain name.
					</div></li><li class="listitem"><div class="para">
						<code class="command">NOZEROCONF=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where setting <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> to <code class="command">true</code> disables the zeroconf route.
					</div><div class="para">
						By default, the zeroconf route (169.254.0.0) is enabled when the system boots. For more information about zeroconf, refer to <a href="http://www.zeroconf.org/">http://www.zeroconf.org/</a>.
					</div></li></ul></div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
					Do not use custom initscripts to configure network settings. When performing a post-boot network service restart, custom initscripts configuring network settings that are run outside of the network init script lead to unpredictable results.
				</div></div></div></div><div class="section" id="s2-sysconfig-nfs"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-nfs">30.1.22. <code class="filename">/etc/sysconfig/nfs</code></h3></div></div></div><a id="id902540" class="indexterm"></a><div class="para">
				NFS requires portmap, which dynamically assigns ports for RPC services. This causes problems for configuring firewall rules. To overcome this problem, use the <code class="filename">/etc/sysconfig/nfs</code> file to control which ports the required RPC services run on.
			</div><div class="para">
				The <code class="filename">/etc/sysconfig/nfs</code> may not exist by default on all systems. If it does not exist, create it and add the following variables (alternatively, if the file exists, un-comment and change the default entries as required):
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"><code class="computeroutput">MOUNTD_PORT=<em class="replaceable"><code>x</code></em></code></span></dt><dd><div class="para">
							control which TCP and UDP port mountd (rpc.mountd) uses. Replace <em class="replaceable"><code>x</code></em> with an unused port number.
						</div></dd><dt class="varlistentry"><span class="term"><code class="computeroutput">STATD_PORT=<em class="replaceable"><code>x</code></em></code></span></dt><dd><div class="para">
							control which TCP and UDP port status (rpc.statd) uses. Replace <em class="replaceable"><code>x</code></em> with an unused port number.
						</div></dd><dt class="varlistentry"><span class="term"><code class="computeroutput">LOCKD_TCPPORT=<em class="replaceable"><code>x</code></em></code></span></dt><dd><div class="para">
							control which TCP port nlockmgr (rpc.lockd) uses. Replace <em class="replaceable"><code>x</code></em> with an unused port number.
						</div></dd><dt class="varlistentry"><span class="term"><code class="computeroutput">LOCKD_UDPPORT=<em class="replaceable"><code>x</code></em></code></span></dt><dd><div class="para">
							control which UDP port nlockmgr (rpc.lockd) uses. Replace <em class="replaceable"><code>x</code></em> with an unused port number.
						</div></dd></dl></div><div class="para">
				If NFS fails to start, check <code class="filename">/var/log/messages</code>. Normally, NFS will fail to start if you specify a port number that is already in use. After editing <code class="filename">/etc/sysconfig/nfs</code> restart the NFS service by running the <code class="command">service nfs restart</code> command. Run the <code class="command">rpcinfo -p</code> command to confirm the changes.
			</div><div class="para">
				To configure a firewall to allow NFS:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Allow TCP and UDP port 2049 for NFS.
					</div></li><li class="listitem"><div class="para">
						Allow TCP and UDP port 111 (portmap/sunrpc).
					</div></li><li class="listitem"><div class="para">
						Allow the TCP and UDP port specified with <code class="computeroutput">MOUNTD_PORT="<em class="replaceable"><code>x</code></em>"</code>
					</div></li><li class="listitem"><div class="para">
						Allow the TCP and UDP port specified with <code class="computeroutput">STATD_PORT="<em class="replaceable"><code>x</code></em>"</code>
					</div></li><li class="listitem"><div class="para">
						Allow the TCP port specified with <code class="computeroutput">LOCKD_TCPPORT="<em class="replaceable"><code>x</code></em>"</code>
					</div></li><li class="listitem"><div class="para">
						Allow the UDP port specified with <code class="computeroutput">LOCKD_UDPPORT="<em class="replaceable"><code>x</code></em>"</code>
					</div></li></ol></div></div><div class="section" id="s2-sysconfig-ntpd"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-ntpd">30.1.23. <code class="filename">/etc/sysconfig/ntpd</code></h3></div></div></div><a id="id902794" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/ntpd</code> file is used to pass arguments to the <code class="command">ntpd</code> daemon at boot time. The <code class="command">ntpd</code> daemon sets and maintains the system clock to synchronize with an Internet standard time server. It implements version 4 of the Network Time Protocol (NTP). For more information about what parameters are available for this file, use a Web browser to view the following file: <code class="filename">/usr/share/doc/ntp-<em class="replaceable"><code>&lt;version&gt;</code></em>/ntpd.htm</code> (where <em class="replaceable"><code>&lt;version&gt;</code></em> is the version number of <code class="command">ntpd</code>). By default, this file sets the owner of the <code class="command">ntpd</code> process to the user <code class="computeroutput">ntp</code>.
			</div></div><div class="section" id="s2-sysconfig-radvd"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-radvd">30.1.24. <code class="filename">/etc/sysconfig/radvd</code></h3></div></div></div><a id="id902890" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/radvd</code> file is used to pass arguments to the <code class="command">radvd</code> daemon at boot time. The <code class="command">radvd</code> daemon listens for router requests and sends router advertisements for the IP version 6 protocol. This service allows hosts on a network to dynamically change their default routers based on these router advertisements. For more information about available parameters for this file, refer to the <code class="command">radvd</code> man page. By default, this file sets the owner of the <code class="command">radvd</code> process to the user <code class="computeroutput">radvd</code>.
			</div></div><div class="section" id="s2-sysconfig-samba"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-samba">30.1.25. <code class="filename">/etc/sysconfig/samba</code></h3></div></div></div><a id="id902960" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/samba</code> file is used to pass arguments to the <code class="command">smbd</code> and the <code class="command">nmbd</code> daemons at boot time. The <code class="command">smbd</code> daemon offers file sharing connectivity for Windows clients on the network. The <code class="command">nmbd</code> daemon offers NetBIOS over IP naming services. For more information about what parameters are available for this file, refer to the <code class="command">smbd</code> man page. By default, this file sets <code class="command">smbd</code> and <code class="command">nmbd</code> to run in daemon mode.
			</div></div><div class="section" id="s2-sysconfig-selinux"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-selinux">30.1.26. <code class="filename">/etc/sysconfig/selinux</code></h3></div></div></div><a id="id903027" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/selinux</code> file contains the basic configuration options for SELinux. This file is a symbolic link to <code class="filename">/etc/selinux/config</code>.
			</div></div><div class="section" id="s2-sysconfig-sendmail"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-sendmail">30.1.27. <code class="filename">/etc/sysconfig/sendmail</code></h3></div></div></div><a id="id903072" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/sendmail</code> file allows messages to be sent to one or more clients, routing the messages over whatever networks are necessary. The file sets the default values for the <span class="application"><strong>Sendmail</strong></span> application to run. Its default values are set to run as a background daemon and to check its queue each hour in case something has backed up.
			</div><div class="para">
				Values include:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">DAEMON=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is one of the following:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">yes</code> — <span class="application"><strong>Sendmail</strong></span> should be configured to listen to port 25 for incoming mail. <code class="command">yes</code> implies the use of <span class="application"><strong>Sendmail</strong></span>'s <code class="command">-bd</code> options.
							</div></li><li class="listitem"><div class="para">
								<code class="command">no</code> — <span class="application"><strong>Sendmail</strong></span> should not be configured to listen to port 25 for incoming mail.
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<code class="command">QUEUE=1h</code> which is given to <span class="application"><strong>Sendmail</strong></span> as <code class="command">-q$QUEUE</code>. The <code class="command">-q</code> option is not given to <span class="application"><strong>Sendmail</strong></span> if <code class="filename">/etc/sysconfig/sendmail</code> exists and <code class="filename">QUEUE</code> is empty or undefined.
					</div></li></ul></div></div><div class="section" id="s2-sysconfig-spamd"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-spamd">30.1.28. <code class="filename">/etc/sysconfig/spamassassin</code></h3></div></div></div><a id="id903230" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/spamassassin</code> file is used to pass arguments to the <code class="command">spamd</code> daemon (a daemonized version of <span class="application"><strong>Spamassassin</strong></span>) at boot time. <span class="application"><strong>Spamassassin</strong></span> is an email spam filter application. For a list of available options, refer to the <code class="command">spamd</code> man page. By default, it configures <code class="command">spamd</code> to run in daemon mode, create user preferences, and auto-create whitelists (allowed bulk senders).
			</div><div class="para">
				For more information about <span class="application"><strong>Spamassassin</strong></span>, refer to <a class="xref" href="#s3-email-mda-spam">Section 25.5.2.6, “Spam Filters”</a>.
			</div></div><div class="section" id="s2-sysconfig-squid"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-squid">30.1.29. <code class="filename">/etc/sysconfig/squid</code></h3></div></div></div><a id="id903302" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/squid</code> file is used to pass arguments to the <code class="command">squid</code> daemon at boot time. The <code class="command">squid</code> daemon is a proxy caching server for Web client applications. For more information on configuring a <code class="command">squid</code> proxy server, use a Web browser to open the <code class="filename">/usr/share/doc/squid-<em class="replaceable"><code>&lt;version&gt;</code></em>/</code> directory (replace <em class="replaceable"><code>&lt;version&gt;</code></em> with the <code class="command">squid</code> version number installed on the system). By default, this file sets <code class="command">squid</code> to start in daemon mode and sets the amount of time before it shuts itself down.
			</div></div><div class="section" id="s2-sysconfig-sec-level"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-sec-level">30.1.30. <code class="filename">/etc/sysconfig/system-config-securitylevel</code></h3></div></div></div><a id="id571903" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/system-config-securitylevel</code> file contains all options chosen by the user the last time the <span class="application"><strong>Security Level Configuration Tool</strong></span> (<code class="command">system-config-securitylevel</code>) was run. Users should not modify this file by hand. For more information about the <span class="application"><strong>Security Level Configuration Tool</strong></span>, refer to <a class="xref" href="#s1-basic-firewall">Section 46.8.2, “Basic Firewall Configuration”</a>.
			</div></div><div class="section" id="s2-sysconfig-selinuxtool"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-selinuxtool">30.1.31. <code class="filename">/etc/sysconfig/system-config-selinux</code></h3></div></div></div><a id="id571957" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/system-config-selinux</code> file contains all options chosen by the user the last time the <span class="application"><strong>SELinux Administration Tool</strong></span> (<code class="command">system-config-selinux</code>) was run. Users should not modify this file by hand. For more information about the <span class="application"><strong>SELinux Administration Tool</strong></span> and SELinux in general, refer to <a class="xref" href="#ch-selinux">Section 47.2, “Introduction to SELinux”</a>.
			</div></div><div class="section" id="s2-sysconfig-rcu"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-rcu">30.1.32. <code class="filename">/etc/sysconfig/system-config-users</code></h3></div></div></div><a id="id903381" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/system-config-users</code> file is the configuration file for the graphical application, <span class="application"><strong> User Manager</strong></span>. This file is used to filter out system users such as <code class="command">root</code>, <code class="command">daemon</code>, or <code class="command">lp</code>. This file is edited by the <span class="guimenu"><strong>Preferences</strong></span> &gt; <span class="guimenuitem"><strong>Filter system users and groups</strong></span> pull-down menu in the <span class="application"><strong> User Manager</strong></span> application and should never be edited by hand. For more information on using this application, refer to <a class="xref" href="#s1-users-configui">Section 35.1, “User and Group Configuration”</a>.
			</div></div><div class="section" id="s2-sysconfig-rlv"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-rlv">30.1.33. <code class="filename">/etc/sysconfig/system-logviewer</code></h3></div></div></div><a id="id903454" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/system-logviewer</code> file is the configuration file for the graphical, interactive log viewing application, <span class="application"><strong>Log Viewer</strong></span>. This file is edited by the <span class="guimenu"><strong>Edit</strong></span> &gt; <span class="guimenuitem"><strong>Preferences</strong></span> pull-down menu in the <span class="application"><strong>Log Viewer</strong></span> application and should not be edited by hand. For more information on using this application, refer to <a class="xref" href="#ch-logfiles">Chapter 38, <em>Log Files</em></a>.
			</div></div><div class="section" id="s2-sysconfig-tux"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-tux">30.1.34. <code class="filename">/etc/sysconfig/tux</code></h3></div></div></div><a id="id903516" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/tux</code> file is the configuration file for the Red Hat Content Accelerator (formerly known as <span class="application"><strong>TUX</strong></span>), the kernel-based Web server. For more information on configuring the Red Hat Content Accelerator, use a Web browser to open the <code class="filename">/usr/share/doc/tux-<em class="replaceable"><code>&lt;version&gt;</code></em>/tux/index.html</code> file (replace <em class="replaceable"><code>&lt;version&gt;</code></em> with the version number of <span class="application"><strong>TUX</strong></span> installed on the system). The parameters available for this file are listed in <code class="filename">/usr/share/doc/tux-<em class="replaceable"><code>&lt;version&gt;</code></em>/tux/parameters.html</code>.
			</div></div><div class="section" id="s2-sysconfig-vncservers"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-vncservers">30.1.35. <code class="filename">/etc/sysconfig/vncservers</code></h3></div></div></div><a id="id903585" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/vncservers</code> file configures the way the <em class="firstterm">Virtual Network Computing</em> (<em class="firstterm">VNC</em>) server starts up.
			</div><div class="para">
				VNC is a remote display system which allows users to view the desktop environment not only on the machine where it is running but across different networks on a variety of architectures.
			</div><div class="para">
				It may contain the following:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">VNCSERVERS=<em class="replaceable"><code>&lt;value&gt;</code></em></code>, where <code class="command"><em class="replaceable"><code>&lt;value&gt;</code></em></code> is set to something like <code class="command">"1:fred"</code>, to indicate that a VNC server should be started for user fred on display :1. User fred must have set a VNC password using the <code class="command">vncpasswd</code> command before attempting to connect to the remote VNC server.
					</div></li></ul></div></div><div class="section" id="s2-sysconfig-xinetd"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-xinetd">30.1.36. <code class="filename">/etc/sysconfig/xinetd</code></h3></div></div></div><a id="id903679" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/sysconfig/xinetd</code> file is used to pass arguments to the <code class="command">xinetd</code> daemon at boot time. The <code class="command">xinetd</code> daemon starts programs that provide Internet services when a request to the port for that service is received. For more information about available parameters for this file, refer to the <code class="command">xinetd</code> man page. For more information on the <code class="command">xinetd</code> service, refer to <a class="xref" href="#s1-tcpwrappers-xinetd">Section 46.5.3, “xinetd”</a>.
			</div></div></div><div class="section" id="s1-sysconfig-etcsysconf-dir"><div class="titlepage"><div><div><h2 class="title" id="s1-sysconfig-etcsysconf-dir">30.2. Directories in the <code class="filename">/etc/sysconfig/</code> Directory</h2></div></div></div><a id="id903744" class="indexterm"></a><div class="para">
			The following directories are normally found in <code class="filename">/etc/sysconfig/</code>.
		</div><a id="id903769" class="indexterm"></a><div class="variablelist"><dl><dt class="varlistentry"><span class="term"><code class="filename">apm-scripts/</code></span></dt><dd><div class="para">
						This directory contains the APM suspend/resume script. Do not edit the files directly. If customization is necessary, create a file called <code class="filename">/etc/sysconfig/apm-scripts/apmcontinue</code> which is called at the end of the script. It is also possible to control the script by editing <code class="filename">/etc/sysconfig/apmd</code>.
					</div></dd><dt class="varlistentry"><span class="term"><code class="filename">cbq/</code></span></dt><dd><div class="para">
						<a id="id903834" class="indexterm"></a>
						 This directory contains the configuration files needed to do <em class="firstterm">Class Based Queuing</em> for bandwidth management on network interfaces. CBQ divides user traffic into a hierarchy of classes based on any combination of IP addresses, protocols, and application types.
					</div></dd><dt class="varlistentry"><span class="term"><code class="filename">networking/</code></span></dt><dd><div class="para">
						<a id="id903877" class="indexterm"></a>
						 This directory is used by the <span class="application"><strong>Network Administration Tool</strong></span> (<code class="command">system-config-network</code>), and its contents should not be edited manually. For more information about configuring network interfaces using the <span class="application"><strong>Network Administration Tool</strong></span>, refer to <a class="xref" href="#ch-network-config">Chapter 16, <em>Network Configuration</em></a>.
					</div></dd><dt class="varlistentry"><span class="term"><code class="filename">network-scripts/</code></span></dt><dd><div class="para">
						<a id="id903931" class="indexterm"></a>
						 This directory contains the following network-related configuration files:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Network configuration files for each configured network interface, such as <code class="filename">ifcfg-eth0</code> for the <code class="filename">eth0</code> Ethernet interface.
							</div></li><li class="listitem"><div class="para">
								Scripts used to bring network interfaces up and down, such as <code class="command">ifup</code> and <code class="command">ifdown</code>.
							</div></li><li class="listitem"><div class="para">
								Scripts used to bring ISDN interfaces up and down, such as <code class="command">ifup-isdn</code> and <code class="command">ifdown-isdn</code>.
							</div></li><li class="listitem"><div class="para">
								Various shared network function scripts which should not be edited directly.
							</div></li></ul></div><div class="para">
						For more information on the <code class="filename">network-scripts</code> directory, refer to <a class="xref" href="#ch-networkscripts">Chapter 15, <em>Network Interfaces</em></a>.
					</div></dd><dt class="varlistentry"><span class="term"><code class="filename">rhn/</code></span></dt><dd><div class="para">
						<a id="id904046" class="indexterm"></a>
						 <span class="emphasis"><em>Deprecated.</em></span> This directory contains the configuration files and GPG keys used by the RHN Classic content service. No files in this directory should be edited by hand.
					</div><div class="para">
						This directory is available for legacy systems which are still managed by RHN Classic. Systems which are registered against the Certificate-Based Red Hat Network do not use this directory.
					</div></dd></dl></div></div><div class="section" id="s1-sysconfig-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-sysconfig-additional-resources">30.3. Additional Resources</h2></div></div></div><a id="id881055" class="indexterm"></a><div class="para">
			This chapter is only intended as an introduction to the files in the <code class="filename">/etc/sysconfig/</code> directory. The following source contains more comprehensive information.
		</div><div class="section" id="s2-sysconfig-installed-documentation"><div class="titlepage"><div><div><h3 class="title" id="s2-sysconfig-installed-documentation">30.3.1. Installed Documentation</h3></div></div></div><a id="id881088" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="filename">/usr/share/doc/initscripts-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/sysconfig.txt</code> — This file contains a more authoritative listing of the files found in the <code class="filename">/etc/sysconfig/</code> directory and the configuration options available for them. The <em class="replaceable"><code>&lt;version-number&gt;</code></em> in the path to this file corresponds to the version of the <code class="command">initscripts</code> package installed.
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-dateconfig" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 31. Date and Time Configuration</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-dateconfig-time-date">31.1. Time and Date Properties</a></span></dt><dt><span class="section"><a href="#s1-dateconfig-ntp">31.2. Network Time Protocol (NTP) Properties</a></span></dt><dt><span class="section"><a href="#s1-dateconfig-time-zone">31.3. Time Zone Configuration</a></span></dt></dl></div><a id="id924065" class="indexterm"></a><div class="para">
		The <span class="application"><strong>Time and Date Properties Tool</strong></span> allows the user to change the system date and time, to configure the time zone used by the system, and to setup the Network Time Protocol (NTP) daemon to synchronize the system clock with a time server.
	</div><a id="id1042444" class="indexterm"></a><a id="id777749" class="indexterm"></a><a id="id786107" class="indexterm"></a><div class="para">
		You must be running the <span class="application"><strong>X</strong></span> Window System and have root privileges to use the tool. There are three ways to start the application:
	</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
				From the desktop, go to Applications (the main menu on the panel) &gt; <span class="guimenu"><strong>System Settings</strong></span> &gt; <span class="guimenuitem"><strong>Date &amp; Time</strong></span>
			</div></li><li class="listitem"><div class="para">
				From the desktop, right-click on the time in the toolbar and select <span class="guimenu"><strong>Adjust Date and Time</strong></span>.
			</div></li><li class="listitem"><div class="para">
				Type the command <code class="command">system-config-date</code>, <code class="command">system-config-time</code>, or <code class="command">dateconfig</code> at a shell prompt (for example, in an <span class="application"><strong>XTerm</strong></span> or a <span class="application"><strong>GNOME</strong></span> terminal).
			</div></li></ul></div><div class="section" id="s1-dateconfig-time-date"><div class="titlepage"><div><div><h2 class="title" id="s1-dateconfig-time-date">31.1. Time and Date Properties</h2></div></div></div><a id="id1039968" class="indexterm"></a><a id="id813916" class="indexterm"></a><div class="para">
			As shown in <a class="xref" href="#dateconfig-time-date">Figure 31.1, “Time and Date Properties”</a>, the first tabbed window that appears is for configuring the system date and time.
		</div><div class="figure" id="dateconfig-time-date"><div class="figure-contents"><div class="mediaobject"><img src="images/date-time.png" width="444" alt="Time and Date Properties" /><div class="longdesc"><div class="para">
						Time and Date Properties
					</div></div></div></div><h6>Figure 31.1. Time and Date Properties</h6></div><br class="figure-break" /><div class="para">
			To change the date, use the arrows to the left and right of the month to change the month, use the arrows to the left and right of the year to change the year, and click on the day of the week to change the day of the week.
		</div><div class="para">
			To change the time, use the up and down arrow buttons beside the <span class="guilabel"><strong>Hour</strong></span>, <span class="guilabel"><strong>Minute</strong></span>, and <span class="guilabel"><strong>Second</strong></span> in the <span class="guilabel"><strong>Time</strong></span> section.
		</div><div class="para">
			Clicking the <span class="guibutton"><strong>OK</strong></span> button applies any changes made to the date and time, the NTP daemon settings, and the time zone settings. It also exits the program.
		</div></div><div class="section" id="s1-dateconfig-ntp"><div class="titlepage"><div><div><h2 class="title" id="s1-dateconfig-ntp">31.2. Network Time Protocol (NTP) Properties</h2></div></div></div><a id="id955229" class="indexterm"></a><a id="id955242" class="indexterm"></a><a id="id955256" class="indexterm"></a><a id="id955269" class="indexterm"></a><a id="id955286" class="indexterm"></a><div class="para">
			As shown in <a class="xref" href="#dateconfig-ntp">Figure 31.2, “NTP Properties”</a>, the second tabbed window that appears is for configuring NTP.
		</div><div class="figure" id="dateconfig-ntp"><div class="figure-contents"><div class="mediaobject"><img src="images/date-time-ntp.png" width="444" alt="NTP Properties" /><div class="longdesc"><div class="para">
						NTP Properties
					</div></div></div></div><h6>Figure 31.2. NTP Properties</h6></div><br class="figure-break" /><div class="para">
			The Network Time Protocol (NTP) daemon synchronizes the system clock with a remote time server or time source. The application allows you to configure an NTP daemon to synchronize your system clock with a remote server. To enable this feature, select <span class="guibutton"><strong>Enable Network Time Protocol</strong></span>. This enables the <span class="guilabel"><strong>NTP Servers</strong></span> list and other options. You can choose one of the predefined servers, edit a predefined server by clicking the <span class="guibutton"><strong>Edit</strong></span> or add a new server name by clicking <span class="guibutton"><strong>Add</strong></span>. Your system does not start synchronizing with the NTP server until you click <span class="guibutton"><strong>OK</strong></span>. After clicking <span class="guibutton"><strong>OK</strong></span>, the configuration is saved and the NTP daemon is started (or restarted if it is already running).
		</div><div class="para">
			Clicking the <span class="guibutton"><strong>OK</strong></span> button applies any changes made to the date and time, the NTP daemon settings, and the time zone settings. It also exits the program.
		</div></div><div class="section" id="s1-dateconfig-time-zone"><div class="titlepage"><div><div><h2 class="title" id="s1-dateconfig-time-zone">31.3. Time Zone Configuration</h2></div></div></div><a id="id885457" class="indexterm"></a><div class="para">
			As shown in <a class="xref" href="#dateconfig-timezone">Figure 31.3, “Timezone Properties”</a>, the third tabbed window that appears is for configuring the system time zone.
		</div><div class="para">
			To configure the system time zone, click the <span class="guilabel"><strong>Time Zone</strong></span> tab. The time zone can be changed by either using the interactive map or by choosing the desired time zone from the list below the map. To use the map, click on the desired region. The map zooms into the region selected, after which you may choose the city specific to your time zone. A red <span class="guilabel"><strong>X</strong></span> appears and the time zone selection changes in the list below the map.
		</div><div class="para">
			Alternatively, you can also use the list below the map. In the same way that the map lets you choose a region before choosing a city, the list of time zones is now a treelist, with cities and countries grouped within their specific continents. Non-geographic time zones have also been added to address needs in the scientific community.
		</div><div class="para">
			Click <span class="guibutton"><strong>OK</strong></span> to apply the changes and exit the program.
		</div><div class="figure" id="dateconfig-timezone"><div class="figure-contents"><div class="mediaobject"><img src="images/timezone.png" width="444" alt="Timezone Properties" /><div class="longdesc"><div class="para">
						Timezone Properties
					</div></div></div></div><h6>Figure 31.3. Timezone Properties</h6></div><br class="figure-break" /><div class="para">
			If your system clock is set to use UTC, select the <span class="guibutton"><strong>System clock uses UTC</strong></span> option. UTC stands for the <em class="firstterm">Universal Time, Coordinated</em>, also known as Greenwich Mean Time (GMT). Other time zones are determined by adding or subtracting from the UTC time.
		</div></div></div><div xml:lang="en-US" class="chapter" id="ch-keyboardconfig" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 32. Keyboard Configuration</h2></div></div></div><a id="id1064616" class="indexterm"></a><a id="id839862" class="indexterm"></a><a id="id1043226" class="indexterm"></a><a id="id835672" class="indexterm"></a><a id="id832077" class="indexterm"></a><div class="para">
		The installation program allows you to configure a keyboard layout for your system. To configure a different keyboard layout after installation, use the <span class="application"><strong>Keyboard Configuration Tool</strong></span>.
	</div><div class="para">
		To start the <span class="application"><strong>Keyboard Configuration Tool</strong></span>, select System (on the panel) &gt; <span class="guimenu"><strong>Administration</strong></span> &gt; <span class="guimenuitem"><strong>Keyboard</strong></span>, or type the command <code class="command">system-config-keyboard</code> at a shell prompt.
	</div><div class="figure" id="fig-keyboard-config"><div class="figure-contents"><div class="mediaobject"><img src="images/keyboardconfig.png" alt="Keyboard Configuration Tool" /><div class="longdesc"><div class="para">
					<span class="application"><strong>Keyboard Configuration Tool</strong></span>
				</div></div></div></div><h6>Figure 32.1. <span class="application">Keyboard Configuration Tool</span></h6></div><br class="figure-break" /><div class="para">
		Select a keyboard layout from the list (for example, <span class="guilabel"><strong>U.S. English</strong></span>) and click <span class="guibutton"><strong>OK</strong></span>.
	</div><div class="para">
		Changes take effect immediately.
	</div></div><div xml:lang="en-US" class="chapter" id="ch-x" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 33. The X Window System</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-x-server">33.1. The X11R7.1 Release</a></span></dt><dt><span class="section"><a href="#s1-x-clients">33.2. Desktop Environments and Window Managers</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-x-clients-desktop">33.2.1. Desktop Environments</a></span></dt><dt><span class="section"><a href="#s2-x-clients-winmanagers">33.2.2. Window Managers</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-x-server-configuration">33.3. X Server Configuration Files</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-x-server-config-xorg.conf">33.3.1. <code class="filename">xorg.conf</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-x-fonts">33.4. Fonts</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-x-fonts-fontconfig">33.4.1. Fontconfig</a></span></dt><dt><span class="section"><a href="#s2-x-fonts-core">33.4.2. Core X Font System</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-x-runlevels">33.5. Runlevels and X</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-x-runlevels-3">33.5.1. Runlevel 3</a></span></dt><dt><span class="section"><a href="#s2-x-runlevels-5">33.5.2. Runlevel 5</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-x-additional-resources">33.6. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-x-installed-documentation">33.6.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-x-useful-websites">33.6.2. Useful Websites</a></span></dt></dl></dd></dl></div><a id="id870158" class="indexterm"></a><a id="id842207" class="indexterm"></a><a id="id1045637" class="indexterm"></a><a id="id854525" class="indexterm"></a><a id="id857170" class="indexterm"></a><div class="para">
		While the heart of Red Hat Enterprise Linux is the kernel, for many users, the face of the operating system is the graphical environment provided by the <em class="firstterm">X Window System</em>, also called <em class="firstterm">X</em>.
	</div><div class="para">
		Other windowing environments have existed in the UNIX world, including some that predate the release of the X Window System in June 1984. Nonetheless, X has been the default graphical environment for most UNIX-like operating systems, including Red Hat Enterprise Linux, for many years.
	</div><div class="para">
		The graphical environment for Red Hat Enterprise Linux is supplied by the <em class="firstterm">X.Org Foundation</em>, an open source organization created to manage development and strategy for the X Window System and related technologies. X.Org is a large-scale, rapidly developing project with hundreds of developers around the world. It features a wide degree of support for a variety of hardware devices and architectures, and can run on a variety of different operating systems and platforms. This release for Red Hat Enterprise Linux specifically includes the X11R7.1 release of the X Window System.
	</div><div class="para">
		The X Window System uses a client-server architecture. The <em class="firstterm">X server</em> (the <code class="command">Xorg</code> binary) listens for connections from <em class="firstterm">X client</em> applications via a network or local loopback interface. The server communicates with the hardware, such as the video card, monitor, keyboard, and mouse. X client applications exist in the user-space, creating a <em class="firstterm">graphical user interface</em> (<em class="firstterm">GUI</em>) for the user and passing user requests to the X server.
	</div><div class="section" id="s1-x-server"><div class="titlepage"><div><div><h2 class="title" id="s1-x-server">33.1. The X11R7.1 Release</h2></div></div></div><a id="id1049998" class="indexterm"></a><a id="id898841" class="indexterm"></a><div class="para">
			Red Hat Enterprise Linux 5.8 now uses the X11R7.1 release as the base X Window System, which includes several video driver, EXA, and platform support enhancements over the previous release, among others. In addition, this release also includes several automatic configuration features for the X server.
		</div><div class="para">
			X11R7.1 is the first release to take specific advantage of the modularization of the X Window System. This modularization, which splits X into logically distinct modules, makes it easier for open source developers to contribute code to the system.
		</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
				Red Hat Enterprise Linux no longer provides the <span class="trademark">XFree86</span>™ server packages. Before upgrading a system to the latest version of Red Hat Enterprise Linux, be sure that the system's video card is compatible with the X11R7.1 release by checking the Red Hat Hardware Compatibility List located online at <a href="http://hardware.redhat.com/">http://hardware.redhat.com/</a>.
			</div></div></div><div class="para">
			In the X11R7.1 release, all libraries, headers, and binaries now live under <code class="filename">/usr/</code> instead of <code class="filename">/usr/X11R6</code>. The <code class="filename">/etc/X11/</code> directory contains configuration files for X client and server applications. This includes configuration files for the X server itself, the <code class="command">xfs</code> font server, the X display managers, and many other base components.
		</div><div class="para">
			The configuration file for the newer Fontconfig-based font architecture is still <code class="filename">/etc/fonts/fonts.conf</code>. For more on configuring and adding fonts, refer to <a class="xref" href="#s1-x-fonts">Section 33.4, “Fonts”</a>.
		</div><div class="para">
			Because the X server performs advanced tasks on a wide array of hardware, it requires detailed information about the hardware it works on. The X server automatically detects some of this information; other details must be configured.
		</div><div class="para">
			The installation program installs and configures X automatically, unless the X11R7.1 release packages are not selected for installation. However, if there are any changes to the monitor, video card or other devices managed by the X server, X must be reconfigured. The best way to do this is to use the <span class="application"><strong>X Configuration Tool</strong></span> (<code class="command">system-config-display</code>), particularly for devices that are not detected manually.
		</div><div class="para">
			In Red Hat Enterprise Linux's default graphical environment, the <span class="application"><strong>X Configuration Tool</strong></span> is available at System (on the panel) &gt; <span class="guimenu"><strong>Administration</strong></span> &gt; <span class="guimenu"><strong>Display</strong></span>.
		</div><div class="para">
			Changes made with the <span class="application"><strong>X Configuration Tool</strong></span> take effect after logging out and logging back in.
		</div><div class="para">
			For more information about <span class="application"><strong>X Configuration Tool</strong></span>, refer to <a class="xref" href="#ch-xconfig">Chapter 34, <em>X Window System Configuration</em></a>.
		</div><div class="para">
			In some situations, reconfiguring the X server may require manually editing its configuration file, <code class="filename">/etc/X11/xorg.conf</code>. For information about the structure of this file, refer to <a class="xref" href="#s1-x-server-configuration">Section 33.3, “X Server Configuration Files”</a>.
		</div></div><div class="section" id="s1-x-clients"><div class="titlepage"><div><div><h2 class="title" id="s1-x-clients">33.2. Desktop Environments and Window Managers</h2></div></div></div><a id="id1050257" class="indexterm"></a><div class="para">
			Once an X server is running, X client applications can connect to it and create a GUI for the user. A range of GUIs are possible with Red Hat Enterprise Linux, from the rudimentary <em class="firstterm">Tab Window Manager</em> to the highly developed and interactive <em class="firstterm">GNOME</em> desktop environment that most Red Hat Enterprise Linux users are familiar with.
		</div><div class="para">
			To create the latter, more comprehensive GUI, two main classes of X client application must connect to the X server: a <em class="firstterm">desktop environment</em> and a <em class="firstterm">window manager</em>.
		</div><div class="section" id="s2-x-clients-desktop"><div class="titlepage"><div><div><h3 class="title" id="s2-x-clients-desktop">33.2.1. Desktop Environments</h3></div></div></div><a id="id1050305" class="indexterm"></a><a id="id1050323" class="indexterm"></a><a id="id1050336" class="indexterm"></a><a id="id1050350" class="indexterm"></a><a id="id882566" class="indexterm"></a><a id="id882584" class="indexterm"></a><div class="para">
				A desktop environment integrates various X clients to create a common graphical user environment and development platform.
			</div><div class="para">
				Desktop environments have advanced features allowing X clients and other running processes to communicate with one another, while also allowing all applications written to work in that environment to perform advanced tasks, such as drag and drop operations.
			</div><div class="para">
				Red Hat Enterprise Linux provides two desktop environments:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="emphasis"><em>GNOME</em></span> — The default desktop environment for Red Hat Enterprise Linux based on the GTK+ 2 graphical toolkit.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em><em class="firstterm">KDE</em></em></span> — An alternative desktop environment based on the Qt 3 graphical toolkit.
					</div></li></ul></div><div class="para">
				Both GNOME and KDE have advanced productivity applications, such as word processors, spreadsheets, and Web browsers; both also provide tools to customize the look and feel of the GUI. Additionally, if both the GTK+ 2 and the Qt libraries are present, KDE applications can run in GNOME and vice-versa.
			</div></div><div class="section" id="s2-x-clients-winmanagers"><div class="titlepage"><div><div><h3 class="title" id="s2-x-clients-winmanagers">33.2.2. Window Managers</h3></div></div></div><a id="id882666" class="indexterm"></a><a id="id882680" class="indexterm"></a><a id="id971169" class="indexterm"></a><a id="id971189" class="indexterm"></a><a id="id971209" class="indexterm"></a><a id="id971229" class="indexterm"></a><a id="id971250" class="indexterm"></a><a id="id971266" class="indexterm"></a><a id="id971282" class="indexterm"></a><a id="id971298" class="indexterm"></a><div class="para">
				<em class="firstterm">Window managers</em> are X client programs which are either part of a desktop environment or, in some cases, stand-alone. Their primary purpose is to control the way graphical windows are positioned, resized, or moved. Window managers also control title bars, window focus behavior, and user-specified key and mouse button bindings.
			</div><div class="para">
				Four window managers are included with Red Hat Enterprise Linux:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"><code class="command">kwin</code></span></dt><dd><div class="para">
							The <em class="firstterm">KWin</em> window manager is the default window manager for KDE. It is an efficient window manager which supports custom themes.
						</div></dd><dt class="varlistentry"><span class="term"><code class="command">metacity</code></span></dt><dd><div class="para">
							The <em class="firstterm">Metacity</em> window manager is the default window manager for GNOME. It is a simple and efficient window manager which also supports custom themes. To run this window manager, you need to install the <code class="filename">metacity</code> package.
						</div></dd><dt class="varlistentry"><span class="term"><code class="command">mwm</code></span></dt><dd><div class="para">
							The <em class="firstterm">Motif Window Manager</em> (<code class="command">mwm</code>) is a basic, stand-alone window manager. Since it is designed to be a stand-alone window manager, it should not be used in conjunction with GNOME or KDE. To run this window manager, you need to install the <code class="filename">openmotif</code> package.
						</div></dd><dt class="varlistentry"><span class="term"><code class="command">twm</code></span></dt><dd><div class="para">
							The minimalist <em class="firstterm">Tab Window Manager</em> (<code class="command">twm</code>, which provides the most basic tool set of any of the window managers, can be used either as a stand-alone or with a desktop environment. It is installed as part of the X11R7.1 release.
						</div></dd></dl></div><div class="para">
				To run any of the aforementioned window managers, you will first need to boot into Runlevel 3. For instructions on how to do this, refer to <a class="xref" href="#s1-services-runlevels">Section 17.1, “Runlevels”</a>.
			</div><div class="para">
				Once you are logged in to Runlevel 3, you will be presented with a terminal prompt, not a graphical environment. To start a window manager, type <code class="command">xinit -e <em class="replaceable"><code>&lt;path-to-window-manager&gt;</code></em></code> at the prompt.
			</div><div class="para">
				<code class="command"><em class="replaceable"><code>&lt;path-to-window-manager&gt;</code></em></code> is the location of the window manager binary file. The binary file can be located by typing <code class="command">which <em class="replaceable"><code>window-manager-name</code></em></code>, where <code class="command"><em class="replaceable"><code>window-manager-name</code></em></code> is the name of the window manager you want to run.
			</div><div class="para">
				For example: 
<pre class="screen">~]# <code class="command">which twm</code>
/usr/bin/twm
~]# <code class="command">xinit -e /usr/bin/twm</code></pre>

</div><div class="para">
				The first command above returns the absolute path to the <code class="command">twm</code> window manager, the second command starts <code class="command">twm</code>.
			</div><div class="para">
				To exit a window manager, close the last window or press <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>Backspace</strong></span>. Once you have exited the window manager, you can log back into Runlevel 5 by typing <code class="command">startx</code> at the prompt.
			</div></div></div><div class="section" id="s1-x-server-configuration"><div class="titlepage"><div><div><h2 class="title" id="s1-x-server-configuration">33.3. X Server Configuration Files</h2></div></div></div><a id="id899124" class="indexterm"></a><a id="id899144" class="indexterm"></a><div class="para">
			The X server is a single binary executable (<code class="filename">/usr/bin/Xorg</code>). Associated configuration files are stored in the <code class="filename">/etc/X11/</code> directory (as is a symbolic link — X — which points to <code class="filename">/usr/bin/Xorg</code>). The configuration file for the X server is <code class="filename">/etc/X11/xorg.conf</code>.
		</div><div class="para">
			The directory <code class="filename">/usr/lib/xorg/modules/</code> contains X server modules that can be loaded dynamically at runtime. By default, only some modules in <code class="filename">/usr/lib/xorg/modules/</code> are automatically loaded by the X server.
		</div><div class="para">
			To load optional modules, they must be specified in the X server configuration file, <code class="filename">/etc/X11/xorg.conf</code>. For more information about loading modules, refer to <a class="xref" href="#s3-x-server-config-xorg.conf-modules">Section 33.3.1.5, “<code class="command">Module</code>”</a>.
		</div><div class="para">
			When Red Hat Enterprise Linux 5.8 is installed, the configuration files for X are created using information gathered about the system hardware during the installation process.
		</div><div class="section" id="s2-x-server-config-xorg.conf"><div class="titlepage"><div><div><h3 class="title" id="s2-x-server-config-xorg.conf">33.3.1. <code class="filename">xorg.conf</code></h3></div></div></div><a id="id899228" class="indexterm"></a><a id="id899248" class="indexterm"></a><a id="id901444" class="indexterm"></a><div class="para">
				While there is rarely a need to manually edit the <code class="filename">/etc/X11/xorg.conf</code> file, it is useful to understand the various sections and optional parameters available, especially when troubleshooting.
			</div><div class="section" id="s3-x-server-config-xorg.conf-struct"><div class="titlepage"><div><div><h4 class="title" id="s3-x-server-config-xorg.conf-struct">33.3.1.1. The Structure</h4></div></div></div><a id="id901481" class="indexterm"></a><a id="id901501" class="indexterm"></a><a id="id901524" class="indexterm"></a><div class="para">
					The <code class="filename">/etc/X11/xorg.conf</code> file is comprised of many different sections which address specific aspects of the system hardware.
				</div><div class="para">
					Each section begins with a <code class="command">Section "<em class="replaceable"><code>&lt;section-name&gt;</code></em>"</code> line (where <em class="replaceable"><code>&lt;section-name&gt;</code></em> is the title for the section) and ends with an <code class="command">EndSection</code> line. Each section contains lines that include option names and one or more option values. These are sometimes enclosed in double quotes (<code class="command">"</code>).
				</div><div class="para">
					Lines beginning with a hash mark (<code class="command">#</code>) are not read by the X server and are used for human-readable comments.
				</div><div class="para">
					Some options within the <code class="filename">/etc/X11/xorg.conf</code> file accept a boolean switch which turns the feature on or off. Acceptable boolean values are:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">1</code>, <code class="command">on</code>, <code class="command">true</code>, or <code class="command">yes</code> — Turns the option on.
						</div></li><li class="listitem"><div class="para">
							<code class="command">0</code>, <code class="command">off</code>, <code class="command">false</code>, or <code class="command">no</code> — Turns the option off.
						</div></li></ul></div><div class="para">
					The following are some of the more important sections in the order in which they appear in a typical <code class="filename">/etc/X11/xorg.conf</code> file. More detailed information about the X server configuration file can be found in the <code class="filename">xorg.conf</code> man page.
				</div></div><div class="section" id="s3-x-server-config-xorg.conf-serverf"><div class="titlepage"><div><div><h4 class="title" id="s3-x-server-config-xorg.conf-serverf">33.3.1.2. <code class="command">ServerFlags</code></h4></div></div></div><a id="id901674" class="indexterm"></a><div class="para">
					The optional <code class="command">ServerFlags</code> section contains miscellaneous global X server settings. Any settings in this section may be overridden by options placed in the <code class="command">ServerLayout</code> section (refer to <a class="xref" href="#s3-x-server-config-xorg.conf-serverl">Section 33.3.1.3, “<code class="command">ServerLayout</code>”</a> for details).
				</div><div class="para">
					Each entry within the <code class="command">ServerFlags</code> section is on its own line and begins with the term <code class="command">Option</code> followed by an option enclosed in double quotation marks (<code class="command">"</code>).
				</div><div class="para">
					The following is a sample <code class="command">ServerFlags</code> section:
				</div><pre class="screen">Section "ServerFlags"
	Option "DontZap" "true"
EndSection</pre><div class="para">
					The following lists some of the most useful options:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">"DontZap" "<em class="replaceable"><code>&lt;boolean&gt;</code></em>"</code> — When the value of <em class="replaceable"><code>&lt;boolean&gt;</code></em> is set to true, this setting prevents the use of the <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>Backspace</strong></span> key combination to immediately terminate the X server.
						</div></li><li class="listitem"><div class="para">
							<code class="command">"DontZoom" "<em class="replaceable"><code>&lt;boolean&gt;</code></em>"</code> — When the value of <em class="replaceable"><code>&lt;boolean&gt;</code></em> is set to true, this setting prevents cycling through configured video resolutions using the <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>Keypad-Plus</strong></span> and <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>Alt</strong></span>+<span class="keycap"><strong>Keypad-Minus</strong></span> key combinations.
						</div></li></ul></div></div><div class="section" id="s3-x-server-config-xorg.conf-serverl"><div class="titlepage"><div><div><h4 class="title" id="s3-x-server-config-xorg.conf-serverl">33.3.1.3. <code class="command">ServerLayout</code></h4></div></div></div><a id="id901834" class="indexterm"></a><div class="para">
					The <code class="command">ServerLayout</code> section binds together the input and output devices controlled by the X server. At a minimum, this section must specify one output device and one input device. By default, a monitor (output device) and keyboard (input device) are specified.
				</div><div class="para">
					The following example illustrates a typical <code class="command">ServerLayout</code> section:
				</div><pre class="screen">Section  "ServerLayout"
	Identifier     "Default Layout"
	Screen      0  "Screen0" 0 0
	InputDevice    "Mouse0" "CorePointer"
	InputDevice    "Keyboard0" "CoreKeyboard"
EndSection</pre><div class="para">
					The following entries are commonly used in the <code class="command">ServerLayout</code> section:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">Identifier</code> — Specifies a unique name for this <code class="command">ServerLayout</code> section.
						</div></li><li class="listitem"><div class="para">
							<code class="command">Screen</code> — Specifies the name of a <code class="command">Screen</code> section to be used with the X server. More than one <code class="command">Screen</code> option may be present.
						</div><div class="para">
							The following is an example of a typical <code class="command">Screen</code> entry:
						</div><pre class="screen">Screen      0  "Screen0" 0 0</pre><div class="para">
							The first number in this example <code class="command">Screen</code> entry (<code class="command">0</code>) indicates that the first monitor connector or <em class="firstterm">head</em> on the video card uses the configuration specified in the <code class="command">Screen</code> section with the identifier <code class="command">"Screen0"</code>.
						</div><div class="para">
							An example of a <code class="command">Screen</code> section with the identifier <code class="command">"Screen0"</code> can be found in <a class="xref" href="#s3-x-server-config-xorg.conf-screen">Section 33.3.1.9, “<code class="command">Screen</code>”</a>.
						</div><div class="para">
							If the video card has more than one head, another <code class="command">Screen</code> entry with a different number and a different <code class="command">Screen</code> section identifier is necessary .
						</div><div class="para">
							The numbers to the right of <code class="command">"Screen0"</code> give the absolute X and Y coordinates for the upper-left corner of the screen (<code class="command">0 0</code> by default).
						</div></li><li class="listitem"><div class="para">
							<code class="command">InputDevice</code> — Specifies the name of an <code class="command">InputDevice</code> section to be used with the X server.
						</div><div class="para">
							It is advisable that there be at least two <code class="command">InputDevice</code> entries: one for the default mouse and one for the default keyboard. The options <code class="command">CorePointer</code> and <code class="command">CoreKeyboard</code> indicate that these are the primary mouse and keyboard.
						</div></li><li class="listitem"><div class="para">
							<code class="command">Option "<em class="replaceable"><code>&lt;option-name&gt;</code></em>"</code> — An optional entry which specifies extra parameters for the section. Any options listed here override those listed in the <code class="command">ServerFlags</code> section.
						</div><div class="para">
							Replace <em class="replaceable"><code>&lt;option-name&gt;</code></em> with a valid option listed for this section in the <code class="filename">xorg.conf</code> man page.
						</div></li></ul></div><div class="para">
					It is possible to put more than one <code class="command">ServerLayout</code> section in the <code class="filename">/etc/X11/xorg.conf</code> file. By default, the server only reads the first one it encounters, however.
				</div><div class="para">
					If there is an alternative <code class="command">ServerLayout</code> section, it can be specified as a command line argument when starting an X session.
				</div></div><div class="section" id="s3-x-server-config-xorg.conf-files"><div class="titlepage"><div><div><h4 class="title" id="s3-x-server-config-xorg.conf-files">33.3.1.4. <code class="command">Files</code></h4></div></div></div><a id="id881283" class="indexterm"></a><div class="para">
					The <code class="command">Files</code> section sets paths for services vital to the X server, such as the font path. This is an optional section, these paths are normally detected automatically. This section may be used to override any automatically detected defaults.
				</div><div class="para">
					The following example illustrates a typical <code class="command">Files</code> section:
				</div><pre class="screen">Section "Files"
	RgbPath      "/usr/share/X11/rgb.txt"
	FontPath     "unix/:7100"
EndSection</pre><div class="para">
					The following entries are commonly used in the <code class="command">Files</code> section:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">RgbPath</code> — Specifies the location of the RGB color database. This database defines all valid color names in X and ties them to specific RGB values.
						</div></li><li class="listitem"><div class="para">
							<code class="command">FontPath</code> — Specifies where the X server must connect to obtain fonts from the <code class="command">xfs</code> font server.
						</div><div class="para">
							By default, the <code class="command">FontPath</code> is <code class="command">unix/:7100</code>. This tells the X server to obtain font information using UNIX-domain sockets for inter-process communication (IPC) on port 7100.
						</div><div class="para">
							Refer to <a class="xref" href="#s1-x-fonts">Section 33.4, “Fonts”</a> for more information concerning X and fonts.
						</div></li><li class="listitem"><div class="para">
							<code class="command">ModulePath</code> — An optional parameter which specifies alternate directories which store X server modules.
						</div></li></ul></div></div><div class="section" id="s3-x-server-config-xorg.conf-modules"><div class="titlepage"><div><div><h4 class="title" id="s3-x-server-config-xorg.conf-modules">33.3.1.5. <code class="command">Module</code></h4></div></div></div><a id="id881413" class="indexterm"></a><div class="para">
					By default, the X server automatically loads the following modules from the <code class="filename">/usr/lib/xorg/modules/</code> directory: 
					<div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="filename">extmod</code>
							</div></li><li class="listitem"><div class="para">
								<code class="filename">dbe</code>
							</div></li><li class="listitem"><div class="para">
								<code class="filename">glx</code>
							</div></li><li class="listitem"><div class="para">
								<code class="filename">freetype</code>
							</div></li><li class="listitem"><div class="para">
								<code class="filename">type1</code>
							</div></li><li class="listitem"><div class="para">
								<code class="filename">record</code>
							</div></li><li class="listitem"><div class="para">
								<code class="filename">dri</code>
							</div></li></ul></div>

</div><div class="para">
					The default directory for loading these modules can be changed by specifying a different directory with the optional <code class="command">ModulePath</code> parameter in the <code class="command">Files</code> section. Refer to <a class="xref" href="#s3-x-server-config-xorg.conf-files">Section 33.3.1.4, “<code class="command">Files</code>”</a> for more information on this section.
				</div><div class="para">
					Adding a <code class="command">Module</code> section to <code class="filename">/etc/X11/xorg.conf</code> instructs the X server to load the modules listed in this section <span class="emphasis"><em>instead</em></span> of the default modules.
				</div><div class="para">
					For example, the following typical <code class="command">Module</code> section: 
<pre class="screen">Section "Module"
	Load  "fbdevhw"
EndSection</pre>
					 instructs the X server to load the <code class="filename">fbdevhw</code> instead of the default modules.
				</div><div class="para">
					As such, if you add a <code class="command">Module</code> section to <code class="filename">/etc/X11/xorg.conf</code>, you will need to specify any default modules you want to load as well as any extra modules.
				</div></div><div class="section" id="s3-x-server-config-xorg.conf-inputd"><div class="titlepage"><div><div><h4 class="title" id="s3-x-server-config-xorg.conf-inputd">33.3.1.6. <code class="command">InputDevice</code></h4></div></div></div><a id="id881621" class="indexterm"></a><div class="para">
					Each <code class="command">InputDevice</code> section configures one input device for the X server. Systems typically have at least one <code class="command">InputDevice</code> section for the keyboard. It is perfectly normal to have no entry for a mouse, as most mouse settings are automatically detected.
				</div><div class="para">
					The following example illustrates a typical <code class="command">InputDevice</code> section for a keyboard:
				</div><pre class="screen">Section "InputDevice"
        Identifier  "Keyboard0"
        Driver      "kbd"
        Option      "XkbModel" "pc105"
        Option      "XkbLayout" "us"
EndSection</pre><div class="para">
					The following entries are commonly used in the <code class="command">InputDevice</code> section:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">Identifier</code> — Specifies a unique name for this <code class="command">InputDevice</code> section. This is a required entry.
						</div></li><li class="listitem"><div class="para">
							<code class="command">Driver</code> — Specifies the name of the device driver X must load for the device.
						</div></li><li class="listitem"><div class="para">
							<code class="command">Option</code> — Specifies necessary options pertaining to the device.
						</div><div class="para">
							A mouse may also be specified to override any autodetected defaults for the device. The following options are typically included when adding a mouse in the <code class="filename">xorg.conf</code>:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="command">Protocol</code> — Specifies the protocol used by the mouse, such as <code class="command">IMPS/2</code>.
								</div></li><li class="listitem"><div class="para">
									<code class="command">Device</code> — Specifies the location of the physical device.
								</div></li><li class="listitem"><div class="para">
									<code class="command">Emulate3Buttons</code> — Specifies whether to allow a two-button mouse to act like a three-button mouse when both mouse buttons are pressed simultaneously.
								</div></li></ul></div><div class="para">
							Consult the <code class="filename">xorg.conf</code> man page for a list of valid options for this section.
						</div></li></ul></div></div><div class="section" id="s3-x-server-config-xorg.conf-monitor"><div class="titlepage"><div><div><h4 class="title" id="s3-x-server-config-xorg.conf-monitor">33.3.1.7. <code class="command">Monitor</code></h4></div></div></div><a id="id881812" class="indexterm"></a><div class="para">
					Each <code class="command">Monitor</code> section configures one type of monitor used by the system. This is an optional entry as well, as most monitors are now automatically detected.
				</div><div class="para">
					The easiest way to configure a monitor is to configure X during the installation process or by using the <span class="application"><strong>X Configuration Tool</strong></span>. For more information about using the <span class="application"><strong>X Configuration Tool</strong></span>, refer to <a class="xref" href="#ch-xconfig">Chapter 34, <em>X Window System Configuration</em></a>.
				</div><div class="para">
					This example illustrates a typical <code class="command">Monitor</code> section for a monitor:
				</div><pre class="screen">Section "Monitor"
	Identifier   "Monitor0"
	VendorName   "Monitor Vendor"
	ModelName    "DDC Probed Monitor - ViewSonic G773-2"
	DisplaySize  320	240
	HorizSync    30.0 - 70.0
	VertRefresh  50.0 - 180.0
EndSection</pre><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
						Be careful when manually editing values in the <code class="command">Monitor</code> section of <code class="filename">/etc/X11/xorg.conf</code>. Inappropriate values can damage or destroy a monitor. Consult the monitor's documentation for a listing of safe operating parameters.
					</div></div></div><div class="para">
					The following are commonly entries used in the <code class="command">Monitor</code> section:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">Identifier</code> — Specifies a unique name for this <code class="command">Monitor</code> section. This is a required entry.
						</div></li><li class="listitem"><div class="para">
							<code class="command">VendorName</code> — An optional parameter which specifies the vendor of the monitor.
						</div></li><li class="listitem"><div class="para">
							<code class="command">ModelName</code> — An optional parameter which specifies the monitor's model name.
						</div></li><li class="listitem"><div class="para">
							<code class="command">DisplaySize</code> — An optional parameter which specifies, in millimeters, the physical size of the monitor's picture area.
						</div></li><li class="listitem"><div class="para">
							<code class="command">HorizSync</code> — Specifies the range of horizontal sync frequencies compatible with the monitor in kHz. These values help the X server determine the validity of built-in or specified <code class="command">Modeline</code> entries for the monitor.
						</div></li><li class="listitem"><div class="para">
							<code class="command">VertRefresh</code> — Specifies the range of vertical refresh frequencies supported by the monitor, in kHz. These values help the X server determine the validity of built in or specified <code class="command">Modeline</code> entries for the monitor.
						</div></li><li class="listitem"><div class="para">
							<code class="command">Modeline</code> — An optional parameter which specifies additional video modes for the monitor at particular resolutions, with certain horizontal sync and vertical refresh resolutions. Refer to the <code class="filename">xorg.conf</code> man page for a more detailed explanation of <code class="command">Modeline</code> entries.
						</div></li><li class="listitem"><div class="para">
							<code class="command">Option "<em class="replaceable"><code>&lt;option-name&gt;</code></em>"</code> — An optional entry which specifies extra parameters for the section. Replace <em class="replaceable"><code>&lt;option-name&gt;</code></em> with a valid option listed for this section in the <code class="filename">xorg.conf</code> man page.
						</div></li></ul></div></div><div class="section" id="s3-x-server-config-xorg.conf-device"><div class="titlepage"><div><div><h4 class="title" id="s3-x-server-config-xorg.conf-device">33.3.1.8. <code class="command">Device</code></h4></div></div></div><a id="id882050" class="indexterm"></a><div class="para">
					Each <code class="command">Device</code> section configures one video card on the system. While one <code class="command">Device</code> section is the minimum, additional instances may occur for each video card installed on the machine.
				</div><div class="para">
					The best way to configure a video card is to configure X during the installation process or by using the <span class="application"><strong>X Configuration Tool</strong></span>. For more about using the <span class="application"><strong>X Configuration Tool</strong></span>, refer to <a class="xref" href="#ch-xconfig">Chapter 34, <em>X Window System Configuration</em></a>.
				</div><div class="para">
					The following example illustrates a typical <code class="command">Device</code> section for a video card:
				</div><pre class="screen">Section "Device"
	Identifier  "Videocard0"
	Driver      "mga"
	VendorName  "Videocard vendor"
	BoardName   "Matrox Millennium G200"
	VideoRam    8192
	Option      "dpms"
EndSection</pre><div class="para">
					The following entries are commonly used in the <code class="command">Device</code> section:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">Identifier</code> — Specifies a unique name for this <code class="command">Device</code> section. This is a required entry.
						</div></li><li class="listitem"><div class="para">
							<code class="command">Driver</code> — Specifies which driver the X server must load to utilize the video card. A list of drivers can be found in <code class="filename">/usr/share/hwdata/videodrivers</code>, which is installed with the <code class="filename">hwdata</code> package.
						</div></li><li class="listitem"><div class="para">
							<code class="command">VendorName</code> — An optional parameter which specifies the vendor of the video card.
						</div></li><li class="listitem"><div class="para">
							<code class="command">BoardName</code> — An optional parameter which specifies the name of the video card.
						</div></li><li class="listitem"><div class="para">
							<code class="command">VideoRam</code> — An optional parameter which specifies the amount of RAM available on the video card in kilobytes. This setting is only necessary for video cards the X server cannot probe to detect the amount of video RAM.
						</div></li><li class="listitem"><div class="para">
							<code class="command">BusID</code> — An entry which specifies the bus location of the video card. On systems with only one video card a <code class="command">BusID</code> entry is optional and may not even be present in the default <code class="filename">/etc/X11/xorg.conf</code> file. On systems with more than one video card, however, a <code class="command">BusID</code> entry must be present.
						</div></li><li class="listitem"><div class="para">
							<code class="command">Screen</code> — An optional entry which specifies which monitor connector or head on the video card the <code class="command">Device</code> section configures. This option is only useful for video cards with multiple heads.
						</div><div class="para">
							If multiple monitors are connected to different heads on the same video card, separate <code class="command">Device</code> sections must exist and each of these sections must have a different <code class="command">Screen</code> value.
						</div><div class="para">
							Values for the <code class="command">Screen</code> entry must be an integer. The first head on the video card has a value of <code class="command">0</code>. The value for each additional head increments this value by one.
						</div></li><li class="listitem"><div class="para">
							<code class="command">Option "<em class="replaceable"><code>&lt;option-name&gt;</code></em>"</code> — An optional entry which specifies extra parameters for the section. Replace <em class="replaceable"><code>&lt;option-name&gt;</code></em> with a valid option listed for this section in the <code class="filename">xorg.conf</code> man page.
						</div><div class="para">
							One of the more common options is <code class="command">"dpms"</code> (for Display Power Management Signaling, a VESA standard), which activates the Service Star energy compliance setting for the monitor.
						</div></li></ul></div></div><div class="section" id="s3-x-server-config-xorg.conf-screen"><div class="titlepage"><div><div><h4 class="title" id="s3-x-server-config-xorg.conf-screen">33.3.1.9. <code class="command">Screen</code></h4></div></div></div><a id="id882318" class="indexterm"></a><div class="para">
					Each <code class="command">Screen</code> section binds one video card (or video card head) to one monitor by referencing the <code class="command">Device</code> section and the <code class="command">Monitor</code> section for each. While one <code class="command">Screen</code> section is the minimum, additional instances may occur for each video card and monitor combination present on the machine.
				</div><div class="para">
					The following example illustrates a typical <code class="command">Screen</code> section:
				</div><pre class="screen">Section "Screen"
	Identifier "Screen0"
	Device     "Videocard0"
	Monitor    "Monitor0"
	DefaultDepth     16
	SubSection "Display"
		Depth     24
		Modes    "1280x1024" "1280x960" "1152x864" "1024x768" "800x600" "640x480"
	EndSubSection
	SubSection "Display"
		Depth     16
		Modes    "1152x864" "1024x768" "800x600" "640x480"
	EndSubSection
EndSection</pre><div class="para">
					The following entries are commonly used in the <code class="command">Screen</code> section:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">Identifier</code> — Specifies a unique name for this <code class="command">Screen</code> section. This is a required entry.
						</div></li><li class="listitem"><div class="para">
							<code class="command">Device</code> — Specifies the unique name of a <code class="command">Device</code> section. This is a required entry.
						</div></li><li class="listitem"><div class="para">
							<code class="command">Monitor</code> — Specifies the unique name of a <code class="command">Monitor</code> section. This is only required if a specific <code class="command">Monitor</code> section is defined in the <code class="filename">xorg.conf</code> file. Normally, monitors are automatically detected.
						</div></li><li class="listitem"><div class="para">
							<code class="command">DefaultDepth</code> — Specifies the default color depth in bits. In the previous example, <code class="command">16</code> (which provides thousands of colors) is the default. Only one <code class="command">DefaultDepth</code> is permitted, although this can be overridden with the Xorg command line option <code class="command">-depth <em class="replaceable"><code>&lt;n&gt;</code></em></code>,where <code class="command"><em class="replaceable"><code>&lt;n&gt;</code></em></code> is any additional depth specified.
						</div></li><li class="listitem"><div class="para">
							<code class="command">SubSection "Display"</code> — Specifies the screen modes available at a particular color depth. The <code class="command">Screen</code> section can have multiple <code class="command">Display</code> subsections, which are entirely optional since screen modes are automatically detected.
						</div><div class="para">
							This subsection is normally used to override autodetected modes.
						</div></li><li class="listitem"><div class="para">
							<code class="command">Option "<em class="replaceable"><code>&lt;option-name&gt;</code></em>"</code> — An optional entry which specifies extra parameters for the section. Replace <em class="replaceable"><code>&lt;option-name&gt;</code></em> with a valid option listed for this section in the <code class="filename">xorg.conf</code> man page.
						</div></li></ul></div></div><div class="section" id="s3-x-server-config-xorg.conf-dri"><div class="titlepage"><div><div><h4 class="title" id="s3-x-server-config-xorg.conf-dri">33.3.1.10. <code class="command">DRI</code></h4></div></div></div><a id="id895340" class="indexterm"></a><div class="para">
					The optional <code class="command">DRI</code> section specifies parameters for the <em class="firstterm">Direct Rendering Infrastructure</em> (<em class="firstterm">DRI</em>). DRI is an interface which allows 3D software applications to take advantage of 3D hardware acceleration capabilities built into most modern video hardware. In addition, DRI can improve 2D performance via hardware acceleration, if supported by the video card driver.
				</div><div class="para">
					This section rarely appears, as the DRI Group and Mode are automatically initialized to default values. If a different Group or Mode is desired, then adding this section to the <code class="filename">xorg.conf</code> file will override those defaults.
				</div><div class="para">
					The following example illustrates a typical <code class="command">DRI</code> section:
				</div><pre class="screen">Section "DRI"
	Group        0
	Mode         0666
EndSection</pre><div class="para">
					Since different video cards use DRI in different ways, do not add to this section without first referring to <a href="http://dri.sourceforge.net/">http://dri.sourceforge.net/</a>.
				</div></div></div></div><div class="section" id="s1-x-fonts"><div class="titlepage"><div><div><h2 class="title" id="s1-x-fonts">33.4. Fonts</h2></div></div></div><a id="id895434" class="indexterm"></a><div class="para">
			Red Hat Enterprise Linux uses two subsystems to manage and display fonts under X: <em class="firstterm">Fontconfig</em> and <code class="command">xfs</code>.
		</div><div class="para">
			The newer Fontconfig font subsystem simplifies font management and provides advanced display features, such as anti-aliasing. This system is used automatically for applications programmed using the Qt 3 or GTK+ 2 graphical toolkit.
		</div><div class="para">
			For compatibility, Red Hat Enterprise Linux includes the original font subsystem, called the core X font subsystem. This system, which is over 15 years old, is based around the <em class="firstterm">X Font Server</em> (<em class="firstterm">xfs</em>).
		</div><div class="para">
			This section discusses how to configure fonts for X using both systems.
		</div><div class="section" id="s2-x-fonts-fontconfig"><div class="titlepage"><div><div><h3 class="title" id="s2-x-fonts-fontconfig">33.4.1. Fontconfig</h3></div></div></div><a id="id895497" class="indexterm"></a><a id="id895515" class="indexterm"></a><a id="id895534" class="indexterm"></a><a id="id895552" class="indexterm"></a><div class="para">
				The Fontconfig font subsystem allows applications to directly access fonts on the system and use Xft or other rendering mechanisms to render Fontconfig fonts with advanced anti-aliasing. Graphical applications can use the Xft library with Fontconfig to draw text to the screen.
			</div><div class="para">
				Over time, the Fontconfig/Xft font subsystem replaces the core X font subsystem.
			</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					The Fontconfig font subsystem does not yet work for <span class="application"><strong>OpenOffice.org</strong></span>, which uses its own font rendering technology.
				</div></div></div><div class="para">
				It is important to note that Fontconfig uses the <code class="filename">/etc/fonts/fonts.conf</code> configuration file, which should not be edited by hand.
			</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
					Due to the transition to the new font system, GTK+ 1.2 applications are not affected by any changes made via the <span class="application"><strong>Font Preferences</strong></span> dialog (accessed by selecting System (on the panel) &gt; <span class="guimenuitem"><strong>Preferences</strong></span> &gt; <span class="guimenuitem"><strong>Fonts</strong></span>). For these applications, a font can be configured by adding the following lines to the file <code class="filename">~/.gtkrc.mine</code>:
				</div><pre class="screen">style "user-font" {
	fontset = "<em class="replaceable"><code>&lt;font-specification&gt;</code></em>"
}

widget_class "*" style "user-font"</pre><div class="para">
					Replace <em class="replaceable"><code>&lt;font-specification&gt;</code></em> with a font specification in the style used by traditional X applications, such as <code class="command">-adobe-helvetica-medium-r-normal--*-120-*-*-*-*-*-*</code>. A full list of core fonts can be obtained by running <code class="command">xlsfonts</code> or created interactively using the <code class="command">xfontsel</code> command.
				</div></div></div><div class="section" id="s3-x-fonts-fontconfig-add"><div class="titlepage"><div><div><h4 class="title" id="s3-x-fonts-fontconfig-add">33.4.1.1. Adding Fonts to Fontconfig</h4></div></div></div><a id="id895670" class="indexterm"></a><div class="para">
					Adding new fonts to the Fontconfig subsystem is a straightforward process.
				</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
							To add fonts system-wide, copy the new fonts into the <code class="filename">/usr/share/fonts/</code> directory. It is a good idea to create a new subdirectory, such as <code class="filename">local/</code> or similar, to help distinguish between user-installed and default fonts.
						</div><div class="para">
							To add fonts for an individual user, copy the new fonts into the <code class="filename">.fonts/</code> directory in the user's home directory.
						</div></li><li class="listitem"><div class="para">
							Use the <code class="command">fc-cache</code> command to update the font information cache, as in the following example:
						</div><pre class="screen"><code class="command">fc-cache <em class="replaceable"><code>&lt;path-to-font-directory&gt;</code></em></code></pre><div class="para">
							In this command, replace <em class="replaceable"><code>&lt;path-to-font-directory&gt;</code></em> with the directory containing the new fonts (either <code class="filename">/usr/share/fonts/local/</code> or <code class="filename">/home/<em class="replaceable"><code>&lt;user&gt;</code></em>/.fonts/</code>).
						</div></li></ol></div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
						Individual users may also install fonts graphically, by typing <code class="filename">fonts:///</code> into the <span class="application"><strong>Nautilus</strong></span> address bar, and dragging the new font files there.
					</div></div></div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
						If the font file name ends with a <code class="filename">.gz</code> extension, it is compressed and cannot be used until uncompressed. To do this, use the <code class="command">gunzip</code> command or double-click the file and drag the font to a directory in <span class="application"><strong>Nautilus</strong></span>.
					</div></div></div></div></div><div class="section" id="s2-x-fonts-core"><div class="titlepage"><div><div><h3 class="title" id="s2-x-fonts-core">33.4.2. Core X Font System</h3></div></div></div><a id="id895822" class="indexterm"></a><a id="id895843" class="indexterm"></a><a id="id895862" class="indexterm"></a><div class="para">
				For compatibility, Red Hat Enterprise Linux provides the core X font subsystem, which uses the X Font Server (<code class="command">xfs</code>) to provide fonts to X client applications.
			</div><div class="para">
				The X server looks for a font server specified in the <code class="command">FontPath</code> directive within the <code class="command">Files</code> section of the <code class="filename">/etc/X11/xorg.conf</code> configuration file. Refer to <a class="xref" href="#s3-x-server-config-xorg.conf-files">Section 33.3.1.4, “<code class="command">Files</code>”</a> for more information about the <code class="command">FontPath</code> entry.
			</div><div class="para">
				The X server connects to the <code class="command">xfs</code> server on a specified port to acquire font information. For this reason, the <code class="command">xfs</code> service must be running for X to start. For more about configuring services for a particular runlevel, refer to <a class="xref" href="#ch-services">Chapter 17, <em>Controlling Access to Services</em></a>.
			</div><div class="section" id="s3-x-fonts-xfs-config"><div class="titlepage"><div><div><h4 class="title" id="s3-x-fonts-xfs-config">33.4.2.1. <code class="command">xfs</code> Configuration</h4></div></div></div><a id="id895944" class="indexterm"></a><div class="para">
					The <code class="filename">/etc/rc.d/init.d/xfs</code> script starts the <code class="command">xfs</code> server. Several options can be configured within its configuration file, <code class="filename">/etc/X11/fs/config</code>.
				</div><div class="para">
					The following lists common options:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">alternate-servers</code> — Specifies a list of alternate font servers to be used if this font server is not available. A comma must separate each font server in a list.
						</div></li><li class="listitem"><div class="para">
							<code class="command">catalogue</code> — Specifies an ordered list of font paths to use. A comma must separate each font path in a list.
						</div><div class="para">
							Use the string <code class="command">:unscaled</code> immediately after the font path to make the unscaled fonts in that path load first. Then specify the entire path again, so that other scaled fonts are also loaded.
						</div></li><li class="listitem"><div class="para">
							<code class="command">client-limit</code> — Specifies the maximum number of clients the font server services. The default is <code class="command">10</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="command">clone-self</code> — Allows the font server to clone a new version of itself when the <code class="command">client-limit</code> is hit. By default, this option is <code class="command">on</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="command">default-point-size</code> — Specifies the default point size for any font that does not specify this value. The value for this option is set in decipoints. The default of <code class="command">120</code> corresponds to a 12 point font.
						</div></li><li class="listitem"><div class="para">
							<code class="command">default-resolutions</code> — Specifies a list of resolutions supported by the X server. Each resolution in the list must be separated by a comma.
						</div></li><li class="listitem"><div class="para">
							<code class="command">deferglyphs</code> — Specifies whether to defer loading <em class="firstterm">glyphs</em> (the graphic used to visually represent a font). To disable this feature use <code class="command">none</code>, to enable this feature for all fonts use <code class="command">all</code>, or to turn this feature on only for 16-bit fonts use <code class="command">16</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="command">error-file</code> — Specifies the path and file name of a location where <code class="command">xfs</code> errors are logged.
						</div></li><li class="listitem"><div class="para">
							<code class="command">no-listen</code> — Prevents <code class="command">xfs</code> from listening to particular protocols. By default, this option is set to <code class="command">tcp</code> to prevent <code class="command">xfs</code> from listening on TCP ports for security reasons.
						</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
								If <code class="command">xfs</code> is used to serve fonts over the network, remove this line.
							</div></div></div></li><li class="listitem"><div class="para">
							<code class="command">port</code> — Specifies the TCP port that <code class="command">xfs</code> listens on if <code class="command">no-listen</code> does not exist or is commented out.
						</div></li><li class="listitem"><div class="para">
							<code class="command">use-syslog</code> — Specifies whether to use the system error log.
						</div></li></ul></div></div><div class="section" id="s2-x-fonts-xfs-add"><div class="titlepage"><div><div><h4 class="title" id="s2-x-fonts-xfs-add">33.4.2.2. Adding Fonts to <code class="command">xfs</code></h4></div></div></div><a id="id896218" class="indexterm"></a><div class="para">
					To add fonts to the core X font subsystem (<code class="command">xfs</code>), follow these steps:
				</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
							If it does not already exist, create a directory called <code class="filename">/usr/share/fonts/local/</code> using the following command as root:
						</div><pre class="screen"><code class="command">mkdir /usr/share/fonts/local/</code></pre><div class="para">
							If creating the <code class="filename">/usr/share/fonts/local/</code> directory is necessary, it must be added to the <code class="command">xfs</code> path using the following command as root:
						</div><pre class="screen"><code class="command">chkfontpath --add /usr/share/fonts/local/</code></pre></li><li class="listitem"><div class="para">
							Copy the new font file into the <code class="filename">/usr/share/fonts/local/</code> directory
						</div></li><li class="listitem"><div class="para">
							Update the font information by issuing the following command as root:
						</div><pre class="screen"><code class="command">ttmkfdir -d /usr/share/fonts/local/ -o /usr/share/fonts/local/fonts.scale</code></pre></li><li class="listitem"><div class="para">
							Reload the <code class="command">xfs</code> font server configuration file by issuing the following command as root:
						</div><pre class="screen"><code class="command">service xfs reload</code></pre></li></ol></div></div></div></div><div class="section" id="s1-x-runlevels"><div class="titlepage"><div><div><h2 class="title" id="s1-x-runlevels">33.5. Runlevels and X</h2></div></div></div><a id="id896345" class="indexterm"></a><div class="para">
			In most cases, the Red Hat Enterprise Linux installer configures a machine to boot into a graphical login environment, known as <em class="firstterm">Runlevel 5</em>. It is possible, however, to boot into a text-only multi-user mode called <em class="firstterm">Runlevel 3</em> and begin an X session from there.
		</div><div class="para">
			For more information about runlevels, refer to <a class="xref" href="#s1-services-runlevels">Section 17.1, “Runlevels”</a>.
		</div><div class="para">
			The following subsections review how X starts up in both runlevel 3 and runlevel 5.
		</div><div class="section" id="s2-x-runlevels-3"><div class="titlepage"><div><div><h3 class="title" id="s2-x-runlevels-3">33.5.1. Runlevel 3</h3></div></div></div><a id="id896400" class="indexterm"></a><a id="id896419" class="indexterm"></a><a id="id896436" class="indexterm"></a><a id="id896457" class="indexterm"></a><a id="id896475" class="indexterm"></a><a id="id896496" class="indexterm"></a><div class="para">
				When in runlevel 3, the best way to start an X session is to log in and type <code class="command">startx</code>. The <code class="command">startx</code> command is a front-end to the <code class="command">xinit</code> command, which launches the X server (<code class="filename">Xorg</code>) and connects X client applications to it. Because the user is already logged into the system at runlevel 3, <code class="command">startx</code> does not launch a display manager or authenticate users. Refer to <a class="xref" href="#s2-x-runlevels-5">Section 33.5.2, “Runlevel 5”</a> for more information about display managers.
			</div><div class="para">
				When the <code class="command">startx</code> command is executed, it searches for the <code class="filename">.xinitrc</code> file in the user's home directory to define the desktop environment and possibly other X client applications to run. If no <code class="filename">.xinitrc</code> file is present, it uses the system default <code class="filename">/etc/X11/xinit/xinitrc</code> file instead.
			</div><div class="para">
				The default <code class="command">xinitrc</code> script then searches for user-defined files and default system files, including <code class="filename">.Xresources</code>, <code class="filename">.Xmodmap</code>, and <code class="filename">.Xkbmap</code> in the user's home directory, and <code class="filename">Xresources</code>, <code class="filename">Xmodmap</code>, and <code class="filename">Xkbmap</code> in the <code class="filename">/etc/X11/</code> directory. The <code class="filename">Xmodmap</code> and <code class="filename">Xkbmap</code> files, if they exist, are used by the <code class="command">xmodmap</code> utility to configure the keyboard. The <code class="filename">Xresources</code> file is read to assign specific preference values to applications.
			</div><div class="para">
				After setting these options, the <code class="command">xinitrc</code> script executes all scripts located in the <code class="filename">/etc/X11/xinit/xinitrc.d/</code> directory. One important script in this directory is <code class="filename">xinput.sh</code>, which configures settings such as the default language.
			</div><div class="para">
				Next, the <code class="command">xinitrc</code> script attempts to execute <code class="filename">.Xclients</code> in the user's home directory and turns to <code class="filename">/etc/X11/xinit/Xclients</code> if it cannot be found. The purpose of the <code class="filename">Xclients</code> file is to start the desktop environment or, possibly, just a basic window manager. The <code class="filename">.Xclients</code> script in the user's home directory starts the user-specified desktop environment in the <code class="filename">.Xclients-default</code> file. If <code class="filename">.Xclients</code> does not exist in the user's home directory, the standard <code class="filename">/etc/X11/xinit/Xclients</code> script attempts to start another desktop environment, trying GNOME first and then KDE followed by <code class="command">twm</code>.
			</div><div class="para">
				When in runlevel 3, the user is returned to a text mode user session after ending an X session.
			</div></div><div class="section" id="s2-x-runlevels-5"><div class="titlepage"><div><div><h3 class="title" id="s2-x-runlevels-5">33.5.2. Runlevel 5</h3></div></div></div><a id="id896692" class="indexterm"></a><a id="id896711" class="indexterm"></a><a id="id896728" class="indexterm"></a><a id="id896746" class="indexterm"></a><a id="id896768" class="indexterm"></a><a id="id896789" class="indexterm"></a><a id="id896810" class="indexterm"></a><a id="id896828" class="indexterm"></a><a id="id896850" class="indexterm"></a><div class="para">
				When the system boots into runlevel 5, a special X client application called a <em class="firstterm">display manager</em> is launched. A user must authenticate using the display manager before any desktop environment or window managers are launched.
			</div><div class="para">
				Depending on the desktop environments installed on the system, three different display managers are available to handle user authentication.
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">GNOME</code> — The default display manager for Red Hat Enterprise Linux, <code class="command">GNOME</code> allows the user to configure language settings, shutdown, restart or log in to the system.
					</div></li><li class="listitem"><div class="para">
						<code class="command">KDE</code> — KDE's display manager which allows the user to shutdown, restart or log in to the system.
					</div></li><li class="listitem"><div class="para">
						<code class="command">xdm</code> — A very basic display manager which only lets the user log in to the system.
					</div></li></ul></div><div class="para">
				When booting into runlevel 5, the <code class="command">prefdm</code> script determines the preferred display manager by referencing the <code class="filename">/etc/sysconfig/desktop</code> file. A list of options for this file is available in this file:
			</div><pre class="screen"><code class="filename">/usr/share/doc/initscripts-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/sysconfig.txt</code></pre><div class="para">
				where <em class="replaceable"><code>&lt;version-number&gt;</code></em> is the version number of the <code class="filename">initscripts</code> package.
			</div><div class="para">
				Each of the display managers reference the <code class="filename">/etc/X11/xdm/Xsetup_0</code> file to set up the login screen. Once the user logs into the system, the <code class="filename">/etc/X11/xdm/GiveConsole</code> script runs to assign ownership of the console to the user. Then, the <code class="filename">/etc/X11/xdm/Xsession</code> script runs to accomplish many of the tasks normally performed by the <code class="command">xinitrc</code> script when starting X from runlevel 3, including setting system and user resources, as well as running the scripts in the <code class="filename">/etc/X11/xinit/xinitrc.d/</code> directory.
			</div><div class="para">
				Users can specify which desktop environment they want to utilize when they authenticate using the <code class="command">GNOME</code> or <code class="command">KDE</code> display managers by selecting it from the <span class="guimenu"><strong>Sessions</strong></span> menu item (accessed by selecting System (on the panel) &gt; <span class="guimenuitem"><strong>Preferences</strong></span> &gt; <span class="guimenuitem"><strong>More Preferences</strong></span> &gt; <span class="guimenuitem"><strong>Sessions</strong></span>). If the desktop environment is not specified in the display manager, the <code class="filename">/etc/X11/xdm/Xsession</code> script checks the <code class="filename">.xsession</code> and <code class="filename">.Xclients</code> files in the user's home directory to decide which desktop environment to load. As a last resort, the <code class="filename">/etc/X11/xinit/Xclients</code> file is used to select a desktop environment or window manager to use in the same way as runlevel 3.
			</div><div class="para">
				When the user finishes an X session on the default display (<code class="computeroutput">:0</code>) and logs out, the <code class="filename">/etc/X11/xdm/TakeConsole</code> script runs and reassigns ownership of the console to the root user. The original display manager, which continues running after the user logged in, takes control by spawning a new display manager. This restarts the X server, displays a new login window, and starts the entire process over again.
			</div><div class="para">
				The user is returned to the display manager after logging out of X from runlevel 5.
			</div><div class="para">
				For more information on how display managers control user authentication, refer to the <code class="filename">/usr/share/doc/gdm-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/README</code> (where <em class="replaceable"><code>&lt;version-number&gt;</code></em> is the version number for the <code class="filename">gdm</code> package installed) and the <code class="command">xdm</code> man page.
			</div></div></div><div class="section" id="s1-x-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-x-additional-resources">33.6. Additional Resources</h2></div></div></div><a id="id897086" class="indexterm"></a><div class="para">
			There is a large amount of detailed information available about the X server, the clients that connect to it, and the assorted desktop environments and window managers.
		</div><div class="section" id="s2-x-installed-documentation"><div class="titlepage"><div><div><h3 class="title" id="s2-x-installed-documentation">33.6.1. Installed Documentation</h3></div></div></div><a id="id897114" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="filename">/usr/share/X11/doc/</code> — contains detailed documentation on the X Window System architecture, as well as how to get additional information about the Xorg project as a new user.
					</div></li><li class="listitem"><div class="para">
						<code class="command">man xorg.conf</code> — Contains information about the <code class="filename">xorg.conf</code> configuration files, including the meaning and syntax for the different sections within the files.
					</div></li><li class="listitem"><div class="para">
						<code class="command">man Xorg</code> — Describes the <code class="command">Xorg</code> display server.
					</div></li></ul></div></div><div class="section" id="s2-x-useful-websites"><div class="titlepage"><div><div><h3 class="title" id="s2-x-useful-websites">33.6.2. Useful Websites</h3></div></div></div><a id="id887234" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://www.X.org/">http://www.X.org/</a> — Home page of the X.Org Foundation, which produces the X11R7.1 release of the X Window System. The X11R7.1 release is bundled with Red Hat Enterprise Linux to control the necessary hardware and provide a GUI environment.
					</div></li><li class="listitem"><div class="para">
						<a href="http://dri.sourceforge.net/">http://dri.sourceforge.net/</a> — Home page of the DRI (Direct Rendering Infrastructure) project. The DRI is the core hardware 3D acceleration component of X.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.gnome.org">http://www.gnome.org/</a> — Home of the GNOME project.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.kde.org">http://www.kde.org/</a> — Home of the KDE desktop environment.
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-xconfig" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 34. X Window System Configuration</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-xconfig-display">34.1. Display Settings</a></span></dt><dt><span class="section"><a href="#s1-xconfig-advanced">34.2. Display Hardware Settings</a></span></dt><dt><span class="section"><a href="#s1-xconfig-dualhead">34.3. Dual Head Display Settings</a></span></dt></dl></div><a id="id874532" class="indexterm"></a><a id="id832880" class="indexterm"></a><div class="para">
		During installation, the system's monitor, video card, and display settings are configured. To change any of these settings after installation, use the <span class="application"><strong>X Configuration Tool</strong></span>.
	</div><div class="para">
		To start the <span class="application"><strong>X Configuration Tool</strong></span>, go to System (on the panel) &gt; <span class="guimenu"><strong>Administration</strong></span> &gt; <span class="guimenu"><strong>Display</strong></span>, or type the command <code class="command">system-config-display</code> at a shell prompt (for example, in an XTerm or GNOME terminal). If the X Window System is not running, a small version of X is started to run the program.
	</div><div class="para">
		After changing any of the settings, log out of the graphical desktop and log back in to enable the changes.
	</div><div class="section" id="s1-xconfig-display"><div class="titlepage"><div><div><h2 class="title" id="s1-xconfig-display">34.1. Display Settings</h2></div></div></div><a id="id1040346" class="indexterm"></a><a id="id1045304" class="indexterm"></a><a id="id872524" class="indexterm"></a><a id="id791103" class="indexterm"></a><a id="id1043394" class="indexterm"></a><div class="para">
			The <span class="guilabel"><strong>Settings</strong></span> tab allows users to change the <em class="firstterm">resolution</em> and <em class="firstterm">color depth</em>. The display of a monitor consists of tiny dots called <em class="firstterm">pixels</em>. The number of pixels displayed at one time is called the resolution. For example, the resolution 1024x768 means that 1024 horizontal pixels and 768 vertical pixels are used. The higher the resolution values, the more images the monitor can display at one time.
		</div><div class="para">
			The color depth of the display determines how many possible colors are displayed. A higher color depth means more contrast between colors.
		</div><div class="figure" id="fig-xconfig-display"><div class="figure-contents"><div class="mediaobject"><img src="images/display-settings.png" width="444" alt="Display Settings" /><div class="longdesc"><div class="para">
						Display Settings
					</div></div></div></div><h6>Figure 34.1. Display Settings</h6></div><br class="figure-break" /></div><div class="section" id="s1-xconfig-advanced"><div class="titlepage"><div><div><h2 class="title" id="s1-xconfig-advanced">34.2. Display Hardware Settings</h2></div></div></div><a id="id1070878" class="indexterm"></a><a id="id901973" class="indexterm"></a><a id="id901987" class="indexterm"></a><div class="para">
			When the <span class="application"><strong>X Configuration Tool</strong></span> is started, it probes the monitor and video card. If the hardware is probed properly, the information for it is shown on the <span class="guilabel"><strong>Hardware</strong></span> tab as shown in <a class="xref" href="#fig-xconfig-hardware">Figure 34.2, “Display Hardware Settings”</a>.
		</div><div class="figure" id="fig-xconfig-hardware"><div class="figure-contents"><div class="mediaobject"><img src="images/display-hardware.png" width="444" alt="Display Hardware Settings" /><div class="longdesc"><div class="para">
						Display Hardware Settings
					</div></div></div></div><h6>Figure 34.2. Display Hardware Settings</h6></div><br class="figure-break" /><div class="para">
			To change the monitor type or any of its settings, click the corresponding <span class="guibutton"><strong>Configure</strong></span> button. To change the video card type or any of its settings, click the <span class="guibutton"><strong>Configure</strong></span> button beside its settings.
		</div></div><div class="section" id="s1-xconfig-dualhead"><div class="titlepage"><div><div><h2 class="title" id="s1-xconfig-dualhead">34.3. Dual Head Display Settings</h2></div></div></div><a id="id898754" class="indexterm"></a><a id="id898767" class="indexterm"></a><a id="id967768" class="indexterm"></a><div class="para">
			If multiple video cards are installed on the system, dual head monitor support is available and is configured via the <span class="guilabel"><strong>Dual head</strong></span> tab, as shown in <a class="xref" href="#fig-xconfig-dualhead">Figure 34.3, “Dual Head Display Settings”</a>.
		</div><div class="figure" id="fig-xconfig-dualhead"><div class="figure-contents"><div class="mediaobject"><img src="images/display-dualhead.png" width="444" alt="Dual Head Display Settings" /><div class="longdesc"><div class="para">
						Dual Head Display Settings
					</div></div></div></div><h6>Figure 34.3. Dual Head Display Settings</h6></div><br class="figure-break" /><div class="para">
			To enable use of Dual head, check the <span class="guibutton"><strong>Use dual head</strong></span> checkbox.
		</div><div class="para">
			To configure the second monitor type, click the corresponding <span class="guibutton"><strong>Configure</strong></span> button. You can also configure the other Dual head settings by using the corresponding drop-down list.
		</div><div class="para">
			For the <span class="guibutton"><strong>Desktop layout</strong></span> option, selecting <span class="guibutton"><strong>Spanning Desktops</strong></span> allows both monitors to use an enlarged usable workspace. Selecting <span class="guibutton"><strong>Individual Desktops</strong></span> shares the mouse and keyboard among the displays, but restricts windows to a single display.
		</div></div></div><div xml:lang="en-US" class="chapter" id="ch-users-groups" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 35. Users and Groups</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-users-configui">35.1. User and Group Configuration</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-redhat-config-users-user-new">35.1.1. Adding a New User</a></span></dt><dt><span class="section"><a href="#s2-redhat-config-users-user-properties">35.1.2. Modifying User Properties</a></span></dt><dt><span class="section"><a href="#s2-redhat-config-users-group-new">35.1.3. Adding a New Group</a></span></dt><dt><span class="section"><a href="#s2-redhat-config-users-group-properties">35.1.4. Modifying Group Properties</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-users-tools">35.2. User and Group Management Tools</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-users-cmd-line">35.2.1. Command Line Configuration</a></span></dt><dt><span class="section"><a href="#s2-users-add">35.2.2. Adding a User</a></span></dt><dt><span class="section"><a href="#s2-groups-add">35.2.3. Adding a Group</a></span></dt><dt><span class="section"><a href="#s2-redhat-config-users-passwd-aging">35.2.4. Password Aging</a></span></dt><dt><span class="section"><a href="#s2-redhat-config-users-process">35.2.5. Explaining the Process</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-users-groups-standard-users">35.3. Standard Users</a></span></dt><dt><span class="section"><a href="#s1-users-groups-standard-groups">35.4. Standard Groups</a></span></dt><dt><span class="section"><a href="#s1-users-groups-private-groups">35.5. User Private Groups</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-users-groups-rationale">35.5.1. Group Directories</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-users-groups-shadow-utilities">35.6. Shadow Passwords</a></span></dt><dt><span class="section"><a href="#s1-users-groups-additional-resources">35.7. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-users-groups-documentation">35.7.1. Installed Documentation</a></span></dt></dl></dd></dl></div><a id="id1046129" class="indexterm"></a><a id="id781503" class="indexterm"></a><a id="id1046775" class="indexterm"></a><a id="id1047145" class="indexterm"></a><div class="para">
		The control of <em class="firstterm">users</em> and <em class="firstterm">groups</em> is a core element of Red Hat Enterprise Linux system administration.
	</div><div class="para">
		<em class="firstterm">Users</em> can be either people (meaning accounts tied to physical users) or accounts which exist for specific applications to use.
	</div><div class="para">
		<em class="firstterm">Groups</em> are logical expressions of organization, tying users together for a common purpose. Users within a group can read, write, or execute files owned by that group.
	</div><div class="para">
		Each user and group has a unique numerical identification number called a <em class="firstterm">userid</em> (<em class="firstterm">UID</em>) and a <em class="firstterm">groupid</em> (<em class="firstterm">GID</em>), respectively.
	</div><div class="para">
		A user who creates a file is also the owner and group owner of that file. The file is assigned separate read, write, and execute permissions for the owner, the group, and everyone else. The file owner can be changed only by the root user, and access permissions can be changed by both the root user and file owner.
	</div><div class="para">
		Red Hat Enterprise Linux also supports <em class="firstterm">access control lists</em> (<em class="firstterm">ACLs</em>) for files and directories which allow permissions for specific users outside of the owner to be set. For more information about ACLs, refer to <a class="xref" href="#ch-acls">Chapter 9, <em>Access Control Lists</em></a>.
	</div><div class="section" id="s1-users-configui"><div class="titlepage"><div><div><h2 class="title" id="s1-users-configui">35.1. User and Group Configuration</h2></div></div></div><a id="id1047759" class="indexterm"></a><a id="id873728" class="indexterm"></a><a id="id926217" class="indexterm"></a><a id="id926233" class="indexterm"></a><a id="id780631" class="indexterm"></a><a id="id780645" class="indexterm"></a><div class="para">
			The <span class="application"><strong>User Manager</strong></span> allows you to view, modify, add, and delete local users and groups.
		</div><div class="para">
			To use the <span class="application"><strong>User Manager</strong></span>, you must be running the X Window System, have root privileges, and have the <code class="filename">system-config-users</code> RPM package installed. To start the <span class="application"><strong>User Manager</strong></span> from the desktop, go to System (on the panel) &gt; <span class="guimenuitem"><strong>Administration</strong></span> &gt; <span class="guimenuitem"><strong>Users &amp; Groups</strong></span>. You can also type the command <code class="command">system-config-users</code> at a shell prompt (for example, in an XTerm or a GNOME terminal).
		</div><div class="figure" id="figs-users"><div class="figure-contents"><div class="mediaobject"><img src="images/redhat-config-users.png" width="444" alt="User Manager" /><div class="longdesc"><div class="para">
						User Manager
					</div></div></div></div><h6>Figure 35.1. User Manager</h6></div><br class="figure-break" /><a id="id936052" class="indexterm"></a><a id="id936066" class="indexterm"></a><div class="para">
			To view a list of local users on the system, click the <span class="guilabel"><strong>Users</strong></span> tab. To view a list of local groups on the system, click the <span class="guilabel"><strong>Groups</strong></span> tab.
		</div><div class="para">
			To find a specific user or group, type the first few letters of the name in the <span class="guilabel"><strong>Search filter</strong></span> field. Press <span class="keycap"><strong>Enter</strong></span> or click the <span class="guibutton"><strong>Apply filter</strong></span> button. The filtered list is displayed.
		</div><div class="para">
			To sort the users or groups, click on the column name. The users or groups are sorted according to the value of that column.
		</div><div class="para">
			Red Hat Enterprise Linux reserves user IDs below 500 for system users. By default, <span class="application"><strong>User Manager</strong></span> does not display system users. To view all users, including the system users, go to <span class="guimenuitem"><strong>Edit</strong></span> &gt; <span class="guimenuitem"><strong>Preferences</strong></span> and uncheck <span class="guimenuitem"><strong>Hide system users and groups</strong></span> from the dialog box.
		</div><div class="section" id="s2-redhat-config-users-user-new"><div class="titlepage"><div><div><h3 class="title" id="s2-redhat-config-users-user-new">35.1.1. Adding a New User</h3></div></div></div><a id="id883277" class="indexterm"></a><div class="para">
				To add a new user, click the <span class="guibutton"><strong>Add User</strong></span> button. A window as shown in <a class="xref" href="#user-new-fig">Figure 35.2, “New User”</a> appears. Type the username and full name for the new user in the appropriate fields. Type the user's password in the <span class="guilabel"><strong>Password</strong></span> and <span class="guilabel"><strong>Confirm Password</strong></span> fields. The password must be at least six characters.
			</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
					It is advisable to use a much longer password, as this makes it more difficult for an intruder to guess it and access the account without permission. It is also recommended that the password not be based on a dictionary term; use a combination of letters, numbers and special characters.
				</div></div></div><div class="para">
				Select a login shell. If you are not sure which shell to select, accept the default value of <code class="computeroutput">/bin/bash</code>. The default home directory is <code class="filename">/home/<em class="replaceable"><code>&lt;username&gt;</code></em>/</code>. You can change the home directory that is created for the user, or you can choose not to create the home directory by unselecting <span class="guilabel"><strong>Create home directory</strong></span>.
			</div><div class="para">
				If you select to create the home directory, default configuration files are copied from the <code class="filename">/etc/skel/</code> directory into the new home directory.
			</div><div class="para">
				Red Hat Enterprise Linux uses a <em class="firstterm">user private group</em> (UPG) scheme. The UPG scheme does not add or change anything in the standard UNIX way of handling groups; it offers a new convention. Whenever you create a new user, by default, a unique group with the same name as the user is created. If you do not want to create this group, unselect <span class="guilabel"><strong>Create a private group for the user</strong></span>.
			</div><div class="para">
				To specify a user ID for the user, select <span class="guibutton"><strong>Specify user ID manually</strong></span>. If the option is not selected, the next available user ID above 500 is assigned to the new user. Because Red Hat Enterprise Linux reserves user IDs below 500 for system users, it is not advisable to manually assign user IDs 1-499.
			</div><div class="para">
				Click <span class="guibutton"><strong>OK</strong></span> to create the user.
			</div><div class="figure" id="user-new-fig"><div class="figure-contents"><div class="mediaobject"><img src="images/user-new.png" alt="New User" /><div class="longdesc"><div class="para">
							Creating a new user
						</div></div></div></div><h6>Figure 35.2. New User</h6></div><br class="figure-break" /><div class="para">
				To configure more advanced user properties, such as password expiration, modify the user's properties after adding the user. Refer to <a class="xref" href="#s2-redhat-config-users-user-properties">Section 35.1.2, “Modifying User Properties”</a> for more information.
			</div></div><div class="section" id="s2-redhat-config-users-user-properties"><div class="titlepage"><div><div><h3 class="title" id="s2-redhat-config-users-user-properties">35.1.2. Modifying User Properties</h3></div></div></div><a id="id1049705" class="indexterm"></a><a id="id1049719" class="indexterm"></a><div class="para">
				To view the properties of an existing user, click on the <span class="guilabel"><strong>Users</strong></span> tab, select the user from the user list, and click <span class="guibutton"><strong>Properties</strong></span> from the menu (or choose <span class="guimenu"><strong>File</strong></span> &gt; <span class="guimenuitem"><strong>Properties</strong></span> from the pulldown menu). A window similar to <a class="xref" href="#user-properties-fig">Figure 35.3, “User Properties”</a> appears.
			</div><div class="figure" id="user-properties-fig"><div class="figure-contents"><div class="mediaobject"><img src="images/user-properties.png" width="444" alt="User Properties" /><div class="longdesc"><div class="para">
							Modifying user properties
						</div></div></div></div><h6>Figure 35.3. User Properties</h6></div><br class="figure-break" /><div class="para">
				The <span class="guilabel"><strong>User Properties</strong></span> window is divided into multiple tabbed pages:
			</div><a id="id1049798" class="indexterm"></a><a id="id1049812" class="indexterm"></a><a id="id974074" class="indexterm"></a><a id="id974088" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="guilabel"><strong>User Data</strong></span> — Shows the basic user information configured when you added the user. Use this tab to change the user's full name, password, home directory, or login shell.
					</div></li><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Account Info</strong></span> — 
						<a id="id974127" class="indexterm"></a>
						 Select <span class="guibutton"><strong>Enable account expiration</strong></span> if you want the account to expire on a certain date. Enter the date in the provided fields. 
						<a id="id974144" class="indexterm"></a>
						 Select <span class="guilabel"><strong>Local password is locked</strong></span> to lock the user account and prevent the user from logging into the system.
					</div></li><li class="listitem"><a id="id974166" class="indexterm"></a><div class="para">
						<span class="guilabel"><strong>Password Info</strong></span> — Displays the date that the user's password last changed. To force the user to change passwords after a certain number of days, select <span class="guilabel"><strong>Enable password expiration</strong></span> and enter a desired value in the <span class="guilabel"><strong>Days before change required:</strong></span> field. The number of days before the user's password expires, the number of days before the user is warned to change passwords, and days before the account becomes inactive can also be changed.
					</div></li><li class="listitem"><div class="para">
						<a id="id974204" class="indexterm"></a>
						 <span class="guilabel"><strong>Groups</strong></span> — Allows you to view and configure the Primary Group of the user, as well as other groups that you want the user to be a member of.
					</div></li></ul></div></div><div class="section" id="s2-redhat-config-users-group-new"><div class="titlepage"><div><div><h3 class="title" id="s2-redhat-config-users-group-new">35.1.3. Adding a New Group</h3></div></div></div><a id="id974236" class="indexterm"></a><div class="para">
				To add a new user group, click the <span class="guibutton"><strong>Add Group</strong></span> button. A window similar to <a class="xref" href="#group-new-fig">Figure 35.4, “New Group”</a> appears. Type the name of the new group to create. To specify a group ID for the new group, select <span class="guibutton"><strong>Specify group ID manually</strong></span> and select the GID. Note that Red Hat Enterprise Linux also reserves group IDs lower than 500 for system groups.
			</div><div class="figure" id="group-new-fig"><div class="figure-contents"><div class="mediaobject"><img src="images/group-new.png" alt="New Group" /><div class="longdesc"><div class="para">
							Creating a new group
						</div></div></div></div><h6>Figure 35.4. New Group</h6></div><br class="figure-break" /><div class="para">
				Click <span class="guibutton"><strong>OK</strong></span> to create the group. The new group appears in the group list.
			</div></div><div class="section" id="s2-redhat-config-users-group-properties"><div class="titlepage"><div><div><h3 class="title" id="s2-redhat-config-users-group-properties">35.1.4. Modifying Group Properties</h3></div></div></div><a id="id974316" class="indexterm"></a><div class="para">
				To view the properties of an existing group, select the group from the group list and click <span class="guibutton"><strong>Properties</strong></span> from the menu (or choose <span class="guimenu"><strong>File</strong></span> &gt; <span class="guimenuitem"><strong>Properties</strong></span> from the pulldown menu). A window similar to <a class="xref" href="#group-properties-fig">Figure 35.5, “Group Properties”</a> appears.
			</div><div class="figure" id="group-properties-fig"><div class="figure-contents"><div class="mediaobject"><img src="images/group-properties.png" alt="Group Properties" /><div class="longdesc"><div class="para">
							Modifying group properties
						</div></div></div></div><h6>Figure 35.5. Group Properties</h6></div><br class="figure-break" /><a id="id974383" class="indexterm"></a><div class="para">
				The <span class="guilabel"><strong>Group Users</strong></span> tab displays which users are members of the group. Use this tab to add or remove users from the group. Click <span class="guibutton"><strong>OK</strong></span> to save your changes.
			</div></div></div><div class="section" id="s1-users-tools"><div class="titlepage"><div><div><h2 class="title" id="s1-users-tools">35.2. User and Group Management Tools</h2></div></div></div><a id="id974422" class="indexterm"></a><a id="id974443" class="indexterm"></a><a id="id974464" class="indexterm"></a><a id="id974485" class="indexterm"></a><div class="para">
			Managing users and groups can be a tedious task; this is why Red Hat Enterprise Linux provides tools and conventions to make them easier to manage.
		</div><div class="para">
			The easiest way to manage users and groups is through the graphical application, <span class="application"><strong>User Manager</strong></span> (<code class="command">system-config-users</code>). For more information on <span class="application"><strong>User Manager</strong></span>, refer to <a class="xref" href="#s1-users-configui">Section 35.1, “User and Group Configuration”</a>.
		</div><div class="para">
			The following command line tools can also be used to manage users and groups:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="command">useradd</code>, <code class="command">usermod</code>, and <code class="command">userdel</code> — Industry-standard methods of adding, deleting and modifying user accounts
				</div></li><li class="listitem"><div class="para">
					<code class="command">groupadd</code>, <code class="command">groupmod</code>, and <code class="command">groupdel</code> — Industry-standard methods of adding, deleting, and modifying user groups
				</div></li><li class="listitem"><div class="para">
					<code class="command">gpasswd</code> — Industry-standard method of administering the <code class="filename">/etc/group</code> file
				</div></li><li class="listitem"><div class="para">
					<code class="command">pwck</code>, <code class="command">grpck</code> — Tools used for the verification of the password, group, and associated shadow files
				</div></li><li class="listitem"><div class="para">
					<code class="command">pwconv</code>, <code class="command">pwunconv</code> — Tools used for the conversion of passwords to shadow passwords and back to standard passwords
				</div></li></ul></div><div class="section" id="s2-users-cmd-line"><div class="titlepage"><div><div><h3 class="title" id="s2-users-cmd-line">35.2.1. Command Line Configuration</h3></div></div></div><a id="id897241" class="indexterm"></a><a id="id897255" class="indexterm"></a><a id="id897272" class="indexterm"></a><div class="para">
				If you prefer command line tools or do not have the X Window System installed, use this section to configure users and groups.
			</div></div><div class="section" id="s2-users-add"><div class="titlepage"><div><div><h3 class="title" id="s2-users-add">35.2.2. Adding a User</h3></div></div></div><div class="para">
				To add a user to the system:
			</div><a id="id897306" class="indexterm"></a><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Issue the <code class="command">useradd</code> command to create a locked user account:
					</div><pre class="screen"><code class="command">useradd <em class="replaceable"><code>&lt;username&gt;</code></em></code></pre></li><li class="listitem"><div class="para">
						<a id="id897360" class="indexterm"></a>
						 Unlock the account by issuing the <code class="command">passwd</code> command to assign a password and set password aging guidelines:
					</div><pre class="screen"><code class="command">passwd <em class="replaceable"><code>&lt;username&gt;</code></em></code></pre></li></ol></div><div class="para">
				Command line options for <code class="command">useradd</code> are detailed in <a class="xref" href="#table-useradd-options">Table 35.1, “<code class="command">useradd</code> Command Line Options”</a>.
			</div><div class="table" id="table-useradd-options"><h6>Table 35.1. <code class="command">useradd</code> Command Line Options</h6><div class="table-contents"><table summary="useradd Command Line Options" border="1"><colgroup><col width="29%" class="option" /><col width="71%" class="description" /></colgroup><thead><tr><th>
								Option
							</th><th>
								Description
							</th></tr></thead><tbody><tr><td>
								<code class="option">-c</code> '<em class="replaceable"><code>&lt;comment&gt;</code></em>'
							</td><td>
								<em class="replaceable"><code>&lt;comment&gt;</code></em> can be replaced with any string. This option is generally used to specify the full name of a user.
							</td></tr><tr><td>
								<code class="option">-d</code> <em class="replaceable"><code>&lt;home-dir&gt;</code></em>
							</td><td>
								Home directory to be used instead of default <code class="filename">/home/<em class="replaceable"><code>&lt;username&gt;</code></em>/</code>
							</td></tr><tr><td>
								<code class="option">-e</code> <em class="replaceable"><code>&lt;date&gt;</code></em>
							</td><td>
								Date for the account to be disabled in the format YYYY-MM-DD
							</td></tr><tr><td>
								<code class="option">-f</code> <em class="replaceable"><code>&lt;days&gt;</code></em>
							</td><td>
								Number of days after the password expires until the account is disabled. If <strong class="userinput"><code>0</code></strong> is specified, the account is disabled immediately after the password expires. If <strong class="userinput"><code>-1</code></strong> is specified, the account is not be disabled after the password expires.
							</td></tr><tr><td>
								<code class="option">-g</code> <em class="replaceable"><code>&lt;group-name&gt;</code></em>
							</td><td>
								Group name or group number for the user's default group. The group must exist prior to being specified here.
							</td></tr><tr><td>
								<code class="option">-G</code> <em class="replaceable"><code>&lt;group-list&gt;</code></em>
							</td><td>
								List of additional (other than default) group names or group numbers, separated by commas, of which the user is a member. The groups must exist prior to being specified here.
							</td></tr><tr><td>
								<code class="option">-m</code>
							</td><td>
								Create the home directory if it does not exist.
							</td></tr><tr><td>
								<code class="option">-M</code>
							</td><td>
								Do not create the home directory.
							</td></tr><tr><td>
								<code class="option">-n</code>
							</td><td>
								Do not create a user private group for the user.
							</td></tr><tr><td>
								<code class="option">-r</code>
							</td><td>
								Create a system account with a UID less than 500 and without a home directory
							</td></tr><tr><td>
								<code class="option">-p</code> <em class="replaceable"><code>&lt;password&gt;</code></em>
							</td><td>
								The password encrypted with <code class="command">crypt</code>
							</td></tr><tr><td>
								<code class="option">-s</code>
							</td><td>
								User's login shell, which defaults to <code class="filename">/bin/bash</code>
							</td></tr><tr><td>
								<code class="option">-u</code> <em class="replaceable"><code>&lt;uid&gt;</code></em>
							</td><td>
								User ID for the user, which must be unique and greater than 499
							</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="s2-groups-add"><div class="titlepage"><div><div><h3 class="title" id="s2-groups-add">35.2.3. Adding a Group</h3></div></div></div><a id="id897750" class="indexterm"></a><a id="id897767" class="indexterm"></a><div class="para">
				To add a group to the system, use the command <code class="command">groupadd</code>:
			</div><pre class="screen"><code class="command">groupadd <em class="replaceable"><code>&lt;group-name&gt;</code></em></code></pre><div class="para">
				Command line options for <code class="command">groupadd</code> are detailed in <a class="xref" href="#table-groupadd-options">Table 35.2, “<code class="command">groupadd</code> Command Line Options”</a>.
			</div><div class="table" id="table-groupadd-options"><h6>Table 35.2. <code class="command">groupadd</code> Command Line Options</h6><div class="table-contents"><table summary="groupadd Command Line Options" border="1"><colgroup><col width="29%" class="option" /><col width="71%" class="description" /></colgroup><thead><tr><th>
								Option
							</th><th>
								Description
							</th></tr></thead><tbody><tr><td>
								<code class="option">-g</code> <em class="replaceable"><code>&lt;gid&gt;</code></em>
							</td><td>
								Group ID for the group, which must be unique and greater than 499
							</td></tr><tr><td>
								<code class="option">-r</code>
							</td><td>
								Create a system group with a GID less than 500
							</td></tr><tr><td>
								<code class="option">-f</code>
							</td><td>
								When used with <code class="option">-g</code> <em class="replaceable"><code>&lt;gid&gt;</code></em> and <em class="replaceable"><code>&lt;gid&gt;</code></em> already exists, <code class="command">groupadd</code> will choose another unique <em class="replaceable"><code>&lt;gid&gt;</code></em> for the group.
							</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="s2-redhat-config-users-passwd-aging"><div class="titlepage"><div><div><h3 class="title" id="s2-redhat-config-users-passwd-aging">35.2.4. Password Aging</h3></div></div></div><a id="id897952" class="indexterm"></a><a id="id897967" class="indexterm"></a><a id="id897981" class="indexterm"></a><a id="id897991" class="indexterm"></a><a id="id898008" class="indexterm"></a><div class="para">
				For security reasons, it is advisable to require users to change their passwords periodically. This can be done when adding or editing a user on the <span class="guilabel"><strong>Password Info</strong></span> tab of the <span class="application"><strong>User Manager</strong></span>.
			</div><div class="para">
				To configure password expiration for a user from a shell prompt, use the <code class="command">chage</code> command with an option from <a class="xref" href="#table-chage-options">Table 35.3, “<code class="command">chage</code> Command Line Options”</a>, followed by the username.
			</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					Shadow passwords must be enabled to use the <code class="command">chage</code> command. For more information, see <a class="xref" href="#s1-users-groups-shadow-utilities">Section 35.6, “Shadow Passwords”</a>.
				</div></div></div><div class="table" id="table-chage-options"><h6>Table 35.3. <code class="command">chage</code> Command Line Options</h6><div class="table-contents"><table summary="chage Command Line Options" border="1"><colgroup><col width="29%" class="option" /><col width="71%" class="description" /></colgroup><thead><tr><th>
								Option
							</th><th>
								Description
							</th></tr></thead><tbody><tr><td>
								<code class="option">-m</code> <em class="replaceable"><code>&lt;days&gt;</code></em>
							</td><td>
								Specifies the minimum number of days between which the user must change passwords. If the value is 0, the password does not expire.
							</td></tr><tr><td>
								<code class="option">-M</code> <em class="replaceable"><code>&lt;days&gt;</code></em>
							</td><td>
								Specifies the maximum number of days for which the password is valid. When the number of days specified by this option plus the number of days specified with the <code class="option">-d</code> option is less than the current day, the user must change passwords before using the account.
							</td></tr><tr><td>
								<code class="option">-d</code> <em class="replaceable"><code>&lt;days&gt;</code></em>
							</td><td>
								Specifies the number of days since January 1, 1970 the password was changed
							</td></tr><tr><td>
								<code class="option">-I</code> <em class="replaceable"><code>&lt;days&gt;</code></em>
							</td><td>
								Specifies the number of inactive days after the password expiration before locking the account. If the value is 0, the account is not locked after the password expires.
							</td></tr><tr><td>
								<code class="option">-E</code> <em class="replaceable"><code>&lt;date&gt;</code></em>
							</td><td>
								Specifies the date on which the account is locked, in the format YYYY-MM-DD. Instead of the date, the number of days since January 1, 1970 can also be used.
							</td></tr><tr><td>
								<code class="option">-W</code> <em class="replaceable"><code>&lt;days&gt;</code></em>
							</td><td>
								Specifies the number of days before the password expiration date to warn the user.
							</td></tr><tr><td>
								<code class="option">-l</code>
							</td><td>
								Lists current account aging settings.
							</td></tr></tbody></table></div></div><br class="table-break" /><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
					If the <code class="command">chage</code> command is followed directly by a username (with no options), it displays the current password aging values and allows them to be changed interactively.
				</div></div></div><div class="para">
				You can configure a password to expire the first time a user logs in. This forces users to change passwords immediately.
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						<span class="emphasis"><em>Set up an initial password</em></span> — There are two common approaches to this step. The administrator can assign a default password or assign a null password.
					</div><div class="para">
						To assign a default password, use the following steps:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Start the command line Python interpreter with the <code class="command">python</code> command. It displays the following:
							</div><pre class="screen">Python 2.4.3 (#1, Jul 21 2006, 08:46:09)
[GCC 4.1.1 20060718 (Red Hat 4.1.1-9)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
&gt;&gt;&gt;</pre></li><li class="listitem"><div class="para">
								At the prompt, type the following commands. Replace <em class="replaceable"><code>&lt;password&gt;</code></em> with the password to encrypt and <em class="replaceable"><code>&lt;salt&gt;</code></em> with a random combination of at least 2 of the following: any alphanumeric character, the slash (/) character or a dot (.):
							</div><pre class="screen"><code class="command">import crypt</code>
<code class="command">print crypt.crypt("<em class="replaceable"><code>&lt;password&gt;</code></em>","<em class="replaceable"><code>&lt;salt&gt;</code></em>")</code></pre><div class="para">
								The output is the encrypted password, similar to <code class="computeroutput">'12CsGd8FRcMSM'</code>.
							</div></li><li class="listitem"><div class="para">
								Press <span class="keycap"><strong>Ctrl</strong></span>-<span class="keycap"><strong>D</strong></span> to exit the Python interpreter.
							</div></li><li class="listitem"><div class="para">
								At the shell, enter the following command (replacing <em class="replaceable"><code>&lt;encrypted-password&gt;</code></em> with the encrypted output of the Python interpreter):
							</div><pre class="screen"><code class="command">usermod -p "<em class="replaceable"><code>&lt;encrypted-password&gt;</code></em>" <em class="replaceable"><code>&lt;username&gt;</code></em></code></pre></li></ul></div><div class="para">
						Alternatively, you can assign a null password instead of an initial password. To do this, use the following command:
					</div><pre class="screen"><code class="command">usermod -p "" <em class="replaceable"><code>username</code></em></code></pre><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
							Using a null password, while convenient, is a highly unsecure practice, as any third party can log in first an access the system using the unsecure username. Always make sure that the user is ready to log in before unlocking an account with a null password.
						</div></div></div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Force immediate password expiration</em></span> — Type the following command:
					</div><pre class="screen"><code class="command">chage -d 0 <em class="replaceable"><code>username</code></em></code></pre><div class="para">
						This command sets the value for the date the password was last changed to the epoch (January 1, 1970). This value forces immediate password expiration no matter what password aging policy, if any, is in place.
					</div></li></ol></div><div class="para">
				Upon the initial log in, the user is now prompted for a new password.
			</div></div><div class="section" id="s2-redhat-config-users-process"><div class="titlepage"><div><div><h3 class="title" id="s2-redhat-config-users-process">35.2.5. Explaining the Process</h3></div></div></div><div class="para">
				The following steps illustrate what happens if the command <code class="command">useradd juan</code> is issued on a system that has shadow passwords enabled:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						A new line for <code class="computeroutput">juan</code> is created in <code class="filename">/etc/passwd</code>. The line has the following characteristics:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								It begins with the username <code class="computeroutput">juan</code>.
							</div></li><li class="listitem"><div class="para">
								There is an <code class="computeroutput">x</code> for the password field indicating that the system is using shadow passwords.
							</div></li><li class="listitem"><div class="para">
								A UID greater than 499 is created. (Under Red Hat Enterprise Linux, UIDs and GIDs below 500 are reserved for system use.)
							</div></li><li class="listitem"><div class="para">
								A GID greater than 499 is created.
							</div></li><li class="listitem"><div class="para">
								The optional GECOS information is left blank.
							</div></li><li class="listitem"><div class="para">
								The home directory for <code class="computeroutput">juan</code> is set to <code class="filename">/home/juan/</code>.
							</div></li><li class="listitem"><div class="para">
								The default shell is set to <code class="command">/bin/bash</code>.
							</div></li></ul></div></li><li class="listitem"><div class="para">
						A new line for <code class="computeroutput">juan</code> is created in <code class="filename">/etc/shadow</code>. The line has the following characteristics:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								It begins with the username <code class="computeroutput">juan</code>.
							</div></li><li class="listitem"><div class="para">
								Two exclamation points (<code class="computeroutput">!!</code>) appear in the password field of the <code class="filename">/etc/shadow</code> file, which locks the account.
							</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
									If an encrypted password is passed using the <code class="option">-p</code> flag, it is placed in the <code class="filename">/etc/shadow</code> file on the new line for the user.
								</div></div></div></li><li class="listitem"><div class="para">
								The password is set to never expire.
							</div></li></ul></div></li><li class="listitem"><div class="para">
						A new line for a group named <code class="computeroutput">juan</code> is created in <code class="filename">/etc/group</code>. A group with the same name as a user is called a <em class="firstterm">user private group</em>. For more information on user private groups, refer to <a class="xref" href="#s2-redhat-config-users-user-new">Section 35.1.1, “Adding a New User”</a>.
					</div><div class="para">
						The line created in <code class="filename">/etc/group</code> has the following characteristics:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								It begins with the group name <code class="computeroutput">juan</code>.
							</div></li><li class="listitem"><div class="para">
								An <code class="computeroutput">x</code> appears in the password field indicating that the system is using shadow group passwords.
							</div></li><li class="listitem"><div class="para">
								The GID matches the one listed for user <code class="computeroutput">juan</code> in <code class="filename">/etc/passwd</code>.
							</div></li></ul></div></li><li class="listitem"><div class="para">
						A new line for a group named <code class="computeroutput">juan</code> is created in <code class="filename">/etc/gshadow</code>. The line has the following characteristics:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								It begins with the group name <code class="computeroutput">juan</code>.
							</div></li><li class="listitem"><div class="para">
								An exclamation point (<code class="computeroutput">!</code>) appears in the password field of the <code class="filename">/etc/gshadow</code> file, which locks the group.
							</div></li><li class="listitem"><div class="para">
								All other fields are blank.
							</div></li></ul></div></li><li class="listitem"><div class="para">
						A directory for user <code class="computeroutput">juan</code> is created in the <code class="filename">/home/</code> directory. This directory is owned by user <code class="computeroutput">juan</code> and group <code class="computeroutput">juan</code>. However, it has read, write, and execute privileges <span class="emphasis"><em>only</em></span> for the user <code class="computeroutput">juan</code>. All other permissions are denied.
					</div></li><li class="listitem"><div class="para">
						The files within the <code class="filename">/etc/skel/</code> directory (which contain default user settings) are copied into the new <code class="filename">/home/juan/</code> directory.
					</div></li></ol></div><div class="para">
				At this point, a locked account called <code class="computeroutput">juan</code> exists on the system. To activate it, the administrator must next assign a password to the account using the <code class="command">passwd</code> command and, optionally, set password aging guidelines.
			</div></div></div><div class="section" id="s1-users-groups-standard-users"><div class="titlepage"><div><div><h2 class="title" id="s1-users-groups-standard-users">35.3. Standard Users</h2></div></div></div><a id="id887794" class="indexterm"></a><a id="id887809" class="indexterm"></a><div class="para">
			<a class="xref" href="#tb-users-groups-group-use">Table 35.4, “Standard Users”</a> lists the standard users configured in the <code class="filename">/etc/passwd</code> file by an <span class="guilabel"><strong>Everything</strong></span> installation. The groupid (GID) in this table is the <span class="emphasis"><em>primary group</em></span> for the user. See <a class="xref" href="#s1-users-groups-standard-groups">Section 35.4, “Standard Groups”</a> for a listing of standard groups.
		</div><div class="table" id="tb-users-groups-group-use"><h6>Table 35.4. Standard Users</h6><div class="table-contents"><table summary="Standard Users" border="1"><colgroup><col width="29%" class="user" /><col width="10%" class="uid" /><col width="10%" class="gid" /><col width="30%" class="homedirectory" /><col width="21%" class="shell" /></colgroup><thead><tr><th>
							User
						</th><th>
							UID
						</th><th>
							GID
						</th><th>
							Home Directory
						</th><th>
							Shell
						</th></tr></thead><tbody><tr><td>
							root
						</td><td>
							0
						</td><td>
							0
						</td><td>
							<code class="filename">/root</code>
						</td><td>
							<code class="command">/bin/bash</code>
						</td></tr><tr><td>
							bin
						</td><td>
							1
						</td><td>
							1
						</td><td>
							<code class="filename">/bin</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							daemon
						</td><td>
							2
						</td><td>
							2
						</td><td>
							<code class="filename">/sbin</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							adm
						</td><td>
							3
						</td><td>
							4
						</td><td>
							<code class="filename">/var/adm</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							lp
						</td><td>
							4
						</td><td>
							7
						</td><td>
							<code class="filename">/var/spool/lpd</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							sync
						</td><td>
							5
						</td><td>
							0
						</td><td>
							<code class="filename">/sbin</code>
						</td><td>
							<code class="filename">/bin/sync</code>
						</td></tr><tr><td>
							shutdown
						</td><td>
							6
						</td><td>
							0
						</td><td>
							<code class="filename">/sbin</code>
						</td><td>
							<code class="filename">/sbin/shutdown</code>
						</td></tr><tr><td>
							halt
						</td><td>
							7
						</td><td>
							0
						</td><td>
							<code class="filename">/sbin</code>
						</td><td>
							<code class="filename">/sbin/halt</code>
						</td></tr><tr><td>
							mail
						</td><td>
							8
						</td><td>
							12
						</td><td>
							<code class="filename">/var/spool/mail</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							news
						</td><td>
							9
						</td><td>
							13
						</td><td>
							<code class="filename">/etc/news</code>
						</td><td>
						</td></tr><tr><td>
							uucp
						</td><td>
							10
						</td><td>
							14
						</td><td>
							<code class="filename">/var/spool/uucp</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							operator
						</td><td>
							11
						</td><td>
							0
						</td><td>
							<code class="filename">/root</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							games
						</td><td>
							12
						</td><td>
							100
						</td><td>
							<code class="filename">/usr/games</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							gopher
						</td><td>
							13
						</td><td>
							30
						</td><td>
							<code class="filename">/var/gopher</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							ftp
						</td><td>
							14
						</td><td>
							50
						</td><td>
							<code class="filename">/var/ftp</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							nobody
						</td><td>
							99
						</td><td>
							99
						</td><td>
							<code class="filename">/</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							rpm
						</td><td>
							37
						</td><td>
							37
						</td><td>
							<code class="filename">/var/lib/rpm</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							vcsa
						</td><td>
							69
						</td><td>
							69
						</td><td>
							<code class="filename">/dev</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							dbus
						</td><td>
							81
						</td><td>
							81
						</td><td>
							<code class="filename">/</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							ntp
						</td><td>
							38
						</td><td>
							38
						</td><td>
							<code class="filename">/etc/ntp</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							canna
						</td><td>
							39
						</td><td>
							39
						</td><td>
							<code class="filename">/var/lib/canna</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							nscd
						</td><td>
							28
						</td><td>
							28
						</td><td>
							<code class="filename">/</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							rpc
						</td><td>
							32
						</td><td>
							32
						</td><td>
							<code class="filename">/</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							postfix
						</td><td>
							89
						</td><td>
							89
						</td><td>
							<code class="filename">/var/spool/postfix</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							mailman
						</td><td>
							41
						</td><td>
							41
						</td><td>
							<code class="filename">/var/mailman</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							named
						</td><td>
							25
						</td><td>
							25
						</td><td>
							<code class="filename">/var/named</code>
						</td><td>
							<code class="command">/bin/false</code>
						</td></tr><tr><td>
							amanda
						</td><td>
							33
						</td><td>
							6
						</td><td>
							<code class="filename">var/lib/amanda/</code>
						</td><td>
							<code class="command">/bin/bash</code>
						</td></tr><tr><td>
							postgres
						</td><td>
							26
						</td><td>
							26
						</td><td>
							<code class="filename">/var/lib/pgsql</code>
						</td><td>
							<code class="command">/bin/bash</code>
						</td></tr><tr><td>
							exim
						</td><td>
							93
						</td><td>
							93
						</td><td>
							<code class="filename">/var/spool/exim</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							sshd
						</td><td>
							74
						</td><td>
							74
						</td><td>
							<code class="filename">/var/empty/sshd</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							rpcuser
						</td><td>
							29
						</td><td>
							29
						</td><td>
							<code class="filename">/var/lib/nfs</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							nsfnobody
						</td><td>
							65534
						</td><td>
							65534
						</td><td>
							<code class="filename">/var/lib/nfs</code>
						</td><td>
							<code class="filename">/sbin/nologin</code>
						</td></tr><tr><td>
							pvm
						</td><td>
							24
						</td><td>
							24
						</td><td>
							<code class="filename">/usr/share/pvm3</code>
						</td><td>
							<code class="command">/bin/bash</code>
						</td></tr><tr><td>
							apache
						</td><td>
							48
						</td><td>
							48
						</td><td>
							<code class="filename">/var/www</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							xfs
						</td><td>
							43
						</td><td>
							43
						</td><td>
							<code class="filename">/etc/X11/fs</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							gdm
						</td><td>
							42
						</td><td>
							42
						</td><td>
							<code class="filename">/var/gdm</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							htt
						</td><td>
							100
						</td><td>
							101
						</td><td>
							<code class="filename">/usr/lib/im</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							mysql
						</td><td>
							27
						</td><td>
							27
						</td><td>
							<code class="filename">/var/lib/mysql</code>
						</td><td>
							<code class="command">/bin/bash</code>
						</td></tr><tr><td>
							webalizer
						</td><td>
							67
						</td><td>
							67
						</td><td>
							<code class="filename">/var/www/usage</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							mailnull
						</td><td>
							47
						</td><td>
							47
						</td><td>
							<code class="filename">/var/spool/mqueue</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							smmsp
						</td><td>
							51
						</td><td>
							51
						</td><td>
							<code class="filename">/var/spool/mqueue</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							squid
						</td><td>
							23
						</td><td>
							23
						</td><td>
							<code class="filename">/var/spool/squid</code>
						</td><td>
							<code class="filename">/sbin/nologin</code>
						</td></tr><tr><td>
							ldap
						</td><td>
							55
						</td><td>
							55
						</td><td>
							<code class="filename">/var/lib/ldap</code>
						</td><td>
							<code class="command">/bin/false</code>
						</td></tr><tr><td>
							netdump
						</td><td>
							34
						</td><td>
							34
						</td><td>
							<code class="filename">/var/crash</code>
						</td><td>
							<code class="command">/bin/bash</code>
						</td></tr><tr><td>
							pcap
						</td><td>
							77
						</td><td>
							77
						</td><td>
							<code class="filename">/var/arpwatch</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							radiusd
						</td><td>
							95
						</td><td>
							95
						</td><td>
							<code class="filename">/</code>
						</td><td>
							<code class="command">/bin/false</code>
						</td></tr><tr><td>
							radvd
						</td><td>
							75
						</td><td>
							75
						</td><td>
							<code class="filename">/</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							quagga
						</td><td>
							92
						</td><td>
							92
						</td><td>
							<code class="filename">/var/run/quagga</code>
						</td><td>
							<code class="command">/sbin/login</code>
						</td></tr><tr><td>
							wnn
						</td><td>
							49
						</td><td>
							49
						</td><td>
							<code class="filename">/var/lib/wnn</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr><tr><td>
							dovecot
						</td><td>
							97
						</td><td>
							97
						</td><td>
							<code class="filename">/usr/libexec/dovecot</code>
						</td><td>
							<code class="command">/sbin/nologin</code>
						</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="s1-users-groups-standard-groups"><div class="titlepage"><div><div><h2 class="title" id="s1-users-groups-standard-groups">35.4. Standard Groups</h2></div></div></div><a id="id1053481" class="indexterm"></a><div class="para">
			<a class="xref" href="#tb-users-groups-group-etc">Table 35.5, “Standard Groups”</a> lists the standard groups configured by an <span class="guilabel"><strong>Everything</strong></span> installation. Groups are stored in the <code class="filename">/etc/group</code> file.
		</div><div class="table" id="tb-users-groups-group-etc"><h6>Table 35.5. Standard Groups</h6><div class="table-contents"><table summary="Standard Groups" border="1"><colgroup><col class="group" width="33%" /><col class="gid" width="33%" /><col class="members" width="33%" /></colgroup><thead><tr><th>
							Group
						</th><th>
							GID
						</th><th>
							Members
						</th></tr></thead><tbody><tr><td>
							root
						</td><td>
							0
						</td><td>
							root
						</td></tr><tr><td>
							bin
						</td><td>
							1
						</td><td>
							root, bin, daemon
						</td></tr><tr><td>
							daemon
						</td><td>
							2
						</td><td>
							root, bin, daemon
						</td></tr><tr><td>
							sys
						</td><td>
							3
						</td><td>
							root, bin, adm
						</td></tr><tr><td>
							adm
						</td><td>
							4
						</td><td>
							root, adm, daemon
						</td></tr><tr><td>
							tty
						</td><td>
							5
						</td><td>
						</td></tr><tr><td>
							disk
						</td><td>
							6
						</td><td>
							root
						</td></tr><tr><td>
							lp
						</td><td>
							7
						</td><td>
							daemon, lp
						</td></tr><tr><td>
							mem
						</td><td>
							8
						</td><td>
						</td></tr><tr><td>
							kmem
						</td><td>
							9
						</td><td>
						</td></tr><tr><td>
							wheel
						</td><td>
							10
						</td><td>
							root
						</td></tr><tr><td>
							mail
						</td><td>
							12
						</td><td>
							mail, postfix, exim
						</td></tr><tr><td>
							news
						</td><td>
							13
						</td><td>
							news
						</td></tr><tr><td>
							uucp
						</td><td>
							14
						</td><td>
							uucp
						</td></tr><tr><td>
							man
						</td><td>
							15
						</td><td>
						</td></tr><tr><td>
							games
						</td><td>
							20
						</td><td>
						</td></tr><tr><td>
							gopher
						</td><td>
							30
						</td><td>
						</td></tr><tr><td>
							dip
						</td><td>
							40
						</td><td>
						</td></tr><tr><td>
							ftp
						</td><td>
							50
						</td><td>
						</td></tr><tr><td>
							lock
						</td><td>
							54
						</td><td>
						</td></tr><tr><td>
							nobody
						</td><td>
							99
						</td><td>
						</td></tr><tr><td>
							users
						</td><td>
							100
						</td><td>
						</td></tr><tr><td>
							rpm
						</td><td>
							37
						</td><td>
						</td></tr><tr><td>
							utmp
						</td><td>
							22
						</td><td>
						</td></tr><tr><td>
							floppy
						</td><td>
							19
						</td><td>
						</td></tr><tr><td>
							vcsa
						</td><td>
							69
						</td><td>
						</td></tr><tr><td>
							dbus
						</td><td>
							81
						</td><td>
						</td></tr><tr><td>
							ntp
						</td><td>
							38
						</td><td>
						</td></tr><tr><td>
							canna
						</td><td>
							39
						</td><td>
						</td></tr><tr><td>
							nscd
						</td><td>
							28
						</td><td>
						</td></tr><tr><td>
							rpc
						</td><td>
							32
						</td><td>
						</td></tr><tr><td>
							postdrop
						</td><td>
							90
						</td><td>
						</td></tr><tr><td>
							postfix
						</td><td>
							89
						</td><td>
						</td></tr><tr><td>
							mailman
						</td><td>
							41
						</td><td>
						</td></tr><tr><td>
							exim
						</td><td>
							93
						</td><td>
						</td></tr><tr><td>
							named
						</td><td>
							25
						</td><td>
						</td></tr><tr><td>
							postgres
						</td><td>
							26
						</td><td>
						</td></tr><tr><td>
							sshd
						</td><td>
							74
						</td><td>
						</td></tr><tr><td>
							rpcuser
						</td><td>
							29
						</td><td>
						</td></tr><tr><td>
							nfsnobody
						</td><td>
							65534
						</td><td>
						</td></tr><tr><td>
							pvm
						</td><td>
							24
						</td><td>
						</td></tr><tr><td>
							apache
						</td><td>
							48
						</td><td>
						</td></tr><tr><td>
							xfs
						</td><td>
							43
						</td><td>
						</td></tr><tr><td>
							gdm
						</td><td>
							42
						</td><td>
						</td></tr><tr><td>
							htt
						</td><td>
							101
						</td><td>
						</td></tr><tr><td>
							mysql
						</td><td>
							27
						</td><td>
						</td></tr><tr><td>
							webalizer
						</td><td>
							67
						</td><td>
						</td></tr><tr><td>
							mailnull
						</td><td>
							47
						</td><td>
						</td></tr><tr><td>
							smmsp
						</td><td>
							51
						</td><td>
						</td></tr><tr><td>
							squid
						</td><td>
							23
						</td><td>
						</td></tr><tr><td>
							ldap
						</td><td>
							55
						</td><td>
						</td></tr><tr><td>
							netdump
						</td><td>
							34
						</td><td>
						</td></tr><tr><td>
							pcap
						</td><td>
							77
						</td><td>
						</td></tr><tr><td>
							quaggavt
						</td><td>
							102
						</td><td>
						</td></tr><tr><td>
							quagga
						</td><td>
							92
						</td><td>
						</td></tr><tr><td>
							radvd
						</td><td>
							75
						</td><td>
						</td></tr><tr><td>
							slocate
						</td><td>
							21
						</td><td>
						</td></tr><tr><td>
							wnn
						</td><td>
							49
						</td><td>
						</td></tr><tr><td>
							dovecot
						</td><td>
							97
						</td><td>
						</td></tr><tr><td>
							radiusd
						</td><td>
							95
						</td><td>
						</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="s1-users-groups-private-groups"><div class="titlepage"><div><div><h2 class="title" id="s1-users-groups-private-groups">35.5. User Private Groups</h2></div></div></div><a id="id1054544" class="indexterm"></a><a id="id1054558" class="indexterm"></a><a id="id1054573" class="indexterm"></a><a id="id1054594" class="indexterm"></a><div class="para">
			Red Hat Enterprise Linux uses a <em class="firstterm">user private group</em> (<em class="firstterm">UPG</em>) scheme, which makes UNIX groups easier to manage.
		</div><div class="para">
			A UPG is created whenever a new user is added to the system. A UPG has the same name as the user for which it was created and that user is the only member of the UPG.
		</div><div class="para">
			UPGs make it safe to set default permissions for a newly created file or directory, allowing both the user and <span class="emphasis"><em>the group of that user</em></span> to make modifications to the file or directory.
		</div><div class="para">
			The setting which determines what permissions are applied to a newly created file or directory is called a <em class="firstterm">umask</em> and is configured in the <code class="filename">/etc/bashrc</code> file. Traditionally on UNIX systems, the <code class="command">umask</code> is set to <code class="command">022</code>, which allows only the user who created the file or directory to make modifications. Under this scheme, all other users, <span class="emphasis"><em>including members of the creator's group</em></span>, are not allowed to make any modifications. However, under the UPG scheme, this "group protection" is not necessary since every user has their own private group.
		</div><div class="section" id="s2-users-groups-rationale"><div class="titlepage"><div><div><h3 class="title" id="s2-users-groups-rationale">35.5.1. Group Directories</h3></div></div></div><a id="id1054676" class="indexterm"></a><a id="id1054690" class="indexterm"></a><div class="para">
				Many IT organizations like to create a group for each major project and then assign people to the group if they need to access that project's files. Using this traditional scheme, managing files has been difficult; when someone creates a file, it is associated with the primary group to which they belong. When a single person works on multiple projects, it is difficult to associate the right files with the right group. Using the UPG scheme, however, groups are automatically assigned to files created within a directory with the <em class="firstterm">setgid</em> bit set. The setgid bit makes managing group projects that share a common directory very simple because any files a user creates within the directory are owned by the group which owns the directory.
			</div><div class="para">
				Let us say, for example, that a group of people need to work on files in the <code class="filename">/usr/share/emacs/site-lisp/</code> directory. Some people are trusted to modify the directory, but certainly not everyone is trusted. First create an <code class="computeroutput">emacs</code> group, as in the following command:
			</div><pre class="screen"><code class="command">groupadd emacs</code></pre><div class="para">
				To associate the contents of the directory with the <code class="computeroutput">emacs</code> group, type:
			</div><pre class="screen"><code class="command">chown -R root.emacs <code class="filename">/usr/share/emacs/site-lisp</code></code></pre><div class="para">
				Now, it is possible to add the proper users to the group with the <code class="command">gpasswd</code> command:
			</div><pre class="screen"><code class="command">gpasswd -a <em class="replaceable"><code>&lt;username&gt;</code></em> emacs</code></pre><div class="para">
				To allow users to create files within the directory, use the following command:
			</div><pre class="screen"><code class="command">chmod 775 <code class="filename">/usr/share/emacs/site-lisp</code></code></pre><div class="para">
				When a user creates a new file, it is assigned the group of the user's default private group. Next, set the setgid bit, which assigns everything created in the directory the same group permission as the directory itself (<code class="computeroutput">emacs</code>). Use the following command:
			</div><pre class="screen"><code class="command">chmod 2775 /usr/share/emacs/site-lisp</code></pre><div class="para">
				At this point, because the default umask of each user is 002, all members of the <code class="computeroutput">emacs</code> group can create and edit files in the <code class="filename">/usr/share/emacs/site-lisp/</code> directory without the administrator having to change file permissions every time users write new files.
			</div></div></div><div class="section" id="s1-users-groups-shadow-utilities"><div class="titlepage"><div><div><h2 class="title" id="s1-users-groups-shadow-utilities">35.6. Shadow Passwords</h2></div></div></div><a id="id1054821" class="indexterm"></a><a id="id1054835" class="indexterm"></a><div class="para">
			In multiuser environments it is very important to use <em class="firstterm">shadow passwords</em> (provided by the <code class="filename">shadow-utils</code> package). Doing so enhances the security of system authentication files. For this reason, the installation program enables shadow passwords by default.
		</div><div class="para">
			The following lists the advantages pf shadow passwords have over the traditional way of storing passwords on UNIX-based systems:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					Improves system security by moving encrypted password hashes from the world-readable <code class="filename">/etc/passwd</code> file to <code class="filename">/etc/shadow</code>, which is readable only by the root user.
				</div></li><li class="listitem"><div class="para">
					Stores information about password aging.
				</div></li><li class="listitem"><div class="para">
					Allows the use the <code class="filename">/etc/login.defs</code> file to enforce security policies.
				</div></li></ul></div><div class="para">
			Most utilities provided by the <code class="filename">shadow-utils</code> package work properly whether or not shadow passwords are enabled. However, since password aging information is stored exclusively in the <code class="filename">/etc/shadow</code> file, any commands which create or modify password aging information do not work.
		</div><div class="para">
			The following is a list of commands which do not work without first enabling shadow passwords:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="command">chage</code>
				</div></li><li class="listitem"><div class="para">
					<code class="command">gpasswd</code>
				</div></li><li class="listitem"><div class="para">
					<code class="command">/usr/sbin/usermod</code> <code class="option">-e</code> or <code class="option">-f</code> options
				</div></li><li class="listitem"><div class="para">
					<code class="command">/usr/sbin/useradd</code> <code class="option">-e</code> or <code class="option">-f</code> options
				</div></li></ul></div></div><div class="section" id="s1-users-groups-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-users-groups-additional-resources">35.7. Additional Resources</h2></div></div></div><a id="id1055003" class="indexterm"></a><a id="id1055018" class="indexterm"></a><div class="para">
			For more information about users and groups, and tools to manage them, refer to the following resources.
		</div><div class="section" id="s2-users-groups-documentation"><div class="titlepage"><div><div><h3 class="title" id="s2-users-groups-documentation">35.7.1. Installed Documentation</h3></div></div></div><a id="id1055046" class="indexterm"></a><a id="id1055065" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Related man pages — There are a number of man pages for the various applications and configuration files involved with managing users and groups. Some of the more important man pages have been listed here:
					</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">User and Group Administrative Applications</span></dt><dd><div class="itemizedlist"><ul><li class="listitem"><div class="para">
											<code class="command">man chage</code> — A command to modify password aging policies and account expiration.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man gpasswd</code> — A command to administer the <code class="filename">/etc/group</code> file.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man groupadd</code> — A command to add groups.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man grpck</code> — A command to verify the <code class="filename">/etc/group</code> file.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man groupdel</code> — A command to remove groups.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man groupmod</code> — A command to modify group membership.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man pwck</code> — A command to verify the <code class="filename">/etc/passwd</code> and <code class="filename">/etc/shadow</code> files.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man pwconv</code> — A tool to convert standard passwords to shadow passwords.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man pwunconv</code> — A tool to convert shadow passwords to standard passwords.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man useradd</code> — A command to add users.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man userdel</code> — A command to remove users.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man usermod</code> — A command to modify users.
										</div></li></ul></div></dd><dt class="varlistentry"><span class="term">Configuration Files</span></dt><dd><div class="itemizedlist"><ul><li class="listitem"><div class="para">
											<code class="command">man 5 group</code> — The file containing group information for the system.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man 5 passwd</code> — The file containing user information for the system.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man 5 shadow</code> — The file containing passwords and account expiration information for the system.
										</div></li></ul></div></dd></dl></div></li></ul></div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-printing" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 36. Printer Configuration</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-printing-local-printer">36.1. Adding a Local Printer</a></span></dt><dt><span class="section"><a href="#s1-printing-ipp-printer">36.2. Adding an IPP Printer</a></span></dt><dt><span class="section"><a href="#s1-printing-smb-printer">36.3. Adding a Samba (SMB) Printer</a></span></dt><dt><span class="section"><a href="#s1-printing-jetdirect-printer">36.4. Adding a JetDirect Printer</a></span></dt><dt><span class="section"><a href="#s1-printing-select-model">36.5. Selecting the Printer Model and Finishing</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-printing-confirm">36.5.1. Confirming Printer Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-printing-test-page">36.6. Printing a Test Page</a></span></dt><dt><span class="section"><a href="#s1-printing-edit">36.7. Modifying Existing Printers</a></span></dt><dd><dl><dt><span class="section"><a href="#id1051845">36.7.1. The <span class="guilabel"><strong>Settings</strong></span> Tab</a></span></dt><dt><span class="section"><a href="#id1051913">36.7.2. The <span class="guilabel"><strong>Policies</strong></span> Tab</a></span></dt><dt><span class="section"><a href="#id1052010">36.7.3. The <span class="guilabel"><strong>Access Control</strong></span> Tab</a></span></dt><dt><span class="section"><a href="#id1052078">36.7.4. The <span class="guilabel"><strong>Printer</strong></span> and <span class="guilabel"><strong>Job Options</strong></span>Tab</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-printing-managing">36.8. Managing Print Jobs</a></span></dt><dt><span class="section"><a href="#s1-printing-additional-resources">36.9. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-printing-installed-docs">36.9.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-printing-useful-websites">36.9.2. Useful Websites</a></span></dt></dl></dd></dl></div><a id="id816027" class="indexterm"></a><a id="id852257" class="indexterm"></a><a id="id1047704" class="indexterm"></a><a id="id816309" class="indexterm"></a><a id="id838355" class="indexterm"></a><div class="para">
		<span class="application"><strong>Printer Configuration Tool</strong></span> allows users to configure a printer. This tool helps maintain the printer configuration file, print spool directories, print filters, and printer classes.
	</div><a id="id838579" class="indexterm"></a><a id="id1064865" class="indexterm"></a><div class="para">
		Red Hat Enterprise Linux 5.8 uses the Common Unix Printing System (<acronym class="acronym">CUPS</acronym>). If a system was upgraded from a previous Red Hat Enterprise Linux version that used CUPS, the upgrade process preserves the configured queues.
	</div><div class="para">
		Using <span class="application"><strong>Printer Configuration Tool</strong></span> requires root privileges. To start the application, select System (on the panel) &gt; <span class="guimenu"><strong>Administration</strong></span> &gt; <span class="guimenuitem"><strong>Printing</strong></span>, or type the command <code class="command">system-config-printer</code> at a shell prompt.
	</div><div class="figure" id="fig-printconf-main"><div class="figure-contents"><div class="mediaobject"><img src="images/printconf-main.png" width="444" alt="Printer Configuration Tool" /><div class="longdesc"><div class="para">
					Main window
				</div></div></div></div><h6>Figure 36.1. <span class="application">Printer Configuration Tool</span></h6></div><br class="figure-break" /><div class="para">
		The following types of print queues can be configured:
	</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
				<span class="guimenuitem"><strong>AppSocket/HP JetDirect</strong></span> — a printer connected directly to the network through HP JetDirect or Appsocket interface instead of a computer.
			</div></li><li class="listitem"><div class="para">
				<span class="guimenuitem"><strong>Internet Printing Protocol (IPP)</strong></span> — a printer that can be accessed over a TCP/IP network via the Internet Printing Protocol (for example, a printer attached to another Red Hat Enterprise Linux system running CUPS on the network).
			</div></li><li class="listitem"><div class="para">
				<span class="guimenuitem"><strong>LPD/LPR Host or Printer</strong></span> — a printer attached to a different UNIX system that can be accessed over a TCP/IP network (for example, a printer attached to another Red Hat Enterprise Linux system running LPD on the network).
			</div></li><li class="listitem"><div class="para">
				<span class="guimenuitem"><strong>Networked Windows (SMB)</strong></span> — a printer attached to a different system which is sharing a printer over an SMB network (for example, a printer attached to a Microsoft <span class="trademark">Windows</span>™ machine).
			</div></li><li class="listitem"><div class="para">
				<span class="guimenuitem"><strong>Networked JetDirect</strong></span> — a printer connected directly to the network through HP JetDirect instead of a computer.
			</div></li></ul></div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><a id="id1050495" class="indexterm"></a><div class="para">
			If you add a new print queue or modify an existing one, you must apply the changes for them to take effect.
		</div></div></div><div class="para">
		Clicking the <span class="guibutton"><strong>Apply</strong></span> button prompts the printer daemon to restart with the changes you have configured.
	</div><div class="para">
		Clicking the <span class="guibutton"><strong>Revert</strong></span> button discards unapplied changes.
	</div><div class="section" id="s1-printing-local-printer"><div class="titlepage"><div><div><h2 class="title" id="s1-printing-local-printer">36.1. Adding a Local Printer</h2></div></div></div><a id="id1050537" class="indexterm"></a><a id="id1050550" class="indexterm"></a><div class="para">
			To add a local printer, such as one attached through a parallel port or USB port on your computer, click the <span class="guibutton"><strong>New Printer</strong></span> button in the main <span class="application"><strong>Printer Configuration Tool</strong></span> window to display the window in <a class="xref" href="#fig-printconf-add">Figure 36.2, “<span class="application">Adding a Printer</span>”</a>.
		</div><div class="figure" id="fig-printconf-add"><div class="figure-contents"><div class="mediaobject"><img src="images/printconf-add-printer.png" width="444" alt="Adding a Printer" /><div class="longdesc"><div class="para">
						Adding a printer
					</div></div></div></div><h6>Figure 36.2. <span class="application">Adding a Printer</span></h6></div><br class="figure-break" /><div class="para">
			Click <span class="guibutton"><strong>Forward</strong></span> to proceed.
		</div><div class="para">
			Enter a unique name for the printer in the <span class="guilabel"><strong>Printer Name</strong></span> field. The printer name can contain letters, numbers, dashes (-), and underscores (_); it <span class="emphasis"><em>must not</em></span> contain any spaces.
		</div><div class="para">
			You can also use the <span class="guilabel"><strong>Description</strong></span> and <span class="guilabel"><strong>Location</strong></span> fields to further distinguish this printer from others that may be configured on your system. Both of these fields are optional, and may contain spaces.
		</div><div class="para">
			Click <span class="guibutton"><strong>Forward</strong></span> to open the <span class="guilabel"><strong>New Printer</strong></span> dialogue (refer to <a class="xref" href="#fig-printconf-local">Figure 36.3, “Adding a Local Printer”</a>). If the printer has been automatically detected, the printer model appears in <span class="guilabel"><strong>Select Connection</strong></span>. Select the printer model and click <span class="guibutton"><strong>Forward</strong></span> to continue.
		</div><div class="para">
			If the device does not automatically appear, select the device to which the printer is connected (such as <span class="guilabel"><strong>LPT #1</strong></span> or <span class="guilabel"><strong>Serial Port #1</strong></span>) in <span class="guilabel"><strong>Select Connection</strong></span>.
		</div><div class="figure" id="fig-printconf-local"><div class="figure-contents"><div class="mediaobject"><img src="images/printconf-local.png" width="444" alt="Adding a Local Printer" /><div class="longdesc"><div class="para">
						Adding a local printer
					</div></div></div></div><h6>Figure 36.3. Adding a Local Printer</h6></div><br class="figure-break" /><div class="para">
			Next, select the printer type. Refer to <a class="xref" href="#s1-printing-select-model">Section 36.5, “Selecting the Printer Model and Finishing”</a> for details.
		</div></div><div class="section" id="s1-printing-ipp-printer"><div class="titlepage"><div><div><h2 class="title" id="s1-printing-ipp-printer">36.2. Adding an IPP Printer</h2></div></div></div><a id="id900027" class="indexterm"></a><a id="id974622" class="indexterm"></a><a id="id974636" class="indexterm"></a><a id="id974653" class="indexterm"></a><div class="para">
			An IPP printer is a printer attached to a different system on the same TCP/IP network. The system this printer is attached to may either be running CUPS or simply configured to use IPP.
		</div><div class="para">
			If a firewall is enabled on the printer server, then the firewall should be configured to allow send / receive connections on the incoming UDP port 631. If a firewall is enabled on the client (the system sending the print request) then the firewall should be configured to allow accept and create connections through port 631.
		</div><div class="para">
			You can add a networked IPP printer by clicking the <span class="guibutton"><strong>New Printer</strong></span> button in the main <span class="application"><strong> Printer Configuration Tool</strong></span> window to display the window in <a class="xref" href="#fig-printconf-add">Figure 36.2, “<span class="application">Adding a Printer</span>”</a>. Enter the <span class="guilabel"><strong>Printer Name</strong></span> (printer names cannot contain spaces and may contain letters, numbers, dashes (-), and underscores (_)), <span class="guilabel"><strong>Description</strong></span>, and <span class="guilabel"><strong>Location</strong></span> to distinguish this printer from others that you may configure on your system. Click <span class="guibutton"><strong>Forward</strong></span> to proceed.
		</div><div class="para">
			In the window shown in <a class="xref" href="#fig-printconf-ipp">Figure 36.4, “Adding an IPP Printer”</a>, enter the hostname of the IPP printer in the <span class="guilabel"><strong>Hostname</strong></span> field as well as a unique name for the printer in the <span class="guilabel"><strong>Printername</strong></span> field.
		</div><div class="figure" id="fig-printconf-ipp"><div class="figure-contents"><div class="mediaobject"><img src="images/printconf-ipp.png" width="444" alt="Adding an IPP Printer" /><div class="longdesc"><div class="para">
						Networked IPP Printer
					</div></div></div></div><h6>Figure 36.4. Adding an IPP Printer</h6></div><br class="figure-break" /><div class="para">
			Click <span class="guibutton"><strong>Forward</strong></span> to continue.
		</div><div class="para">
			Next, select the printer type. Refer to <a class="xref" href="#s1-printing-select-model">Section 36.5, “Selecting the Printer Model and Finishing”</a> for details.
		</div></div><div class="section" id="s1-printing-smb-printer"><div class="titlepage"><div><div><h2 class="title" id="s1-printing-smb-printer">36.3. Adding a Samba (SMB) Printer</h2></div></div></div><a id="id894378" class="indexterm"></a><a id="id894392" class="indexterm"></a><div class="para">
			You can add a Samba (SMB) based printer share by clicking the <span class="guibutton"><strong>New Printer</strong></span> button in the main <span class="application"><strong> Printer Configuration Tool</strong></span> window to display the window in <a class="xref" href="#fig-printconf-add">Figure 36.2, “<span class="application">Adding a Printer</span>”</a>. Enter a unique name for the printer in the <span class="guilabel"><strong>Printer Name</strong></span> field. The printer name can contain letters, numbers, dashes (-), and underscores (_); it <span class="emphasis"><em>must not</em></span> contain any spaces.
		</div><div class="para">
			You can also use the <span class="guilabel"><strong>Description</strong></span> and <span class="guilabel"><strong>Location</strong></span> fields to further distinguish this printer from others that may be configured on your system. Both of these fields are optional, and may contain spaces.
		</div><div class="figure" id="fig-printconf-smb"><div class="figure-contents"><div class="mediaobject"><img src="images/printconf-smb.png" width="444" alt="Adding a SMB Printer" /><div class="longdesc"><div class="para">
						SMB Printer
					</div></div></div></div><h6>Figure 36.5. Adding a SMB Printer</h6></div><br class="figure-break" /><div class="para">
			As shown in <a class="xref" href="#fig-printconf-smb">Figure 36.5, “Adding a SMB Printer”</a>, available SMB shares are automatically detected and listed in the <span class="guilabel"><strong>Share</strong></span> column. Click the arrow ( 
			<span class="inlinemediaobject"><img src="images/arrow.png" /></span>
			 ) beside a Workgroup to expand it. From the expanded list, select a printer.
		</div><div class="para">
			If the printer you are looking for does not appear in the list, enter the SMB address in the <span class="guilabel"><strong>smb://</strong></span> field. Use the format <em class="replaceable"><code>computer name/printer share</code></em>. In <a class="xref" href="#fig-printconf-smb">Figure 36.5, “Adding a SMB Printer”</a>, the <em class="replaceable"><code>computer name</code></em> is <code class="command">dellbox</code>, while the <em class="replaceable"><code>printer share</code></em> is <code class="command">r2</code>.
		</div><div class="para">
			In the <span class="guilabel"><strong>Username</strong></span> field, enter the username to access the printer. This user must exist on the SMB system, and the user must have permission to access the printer. The default user name is typically <strong class="userinput"><code>guest</code></strong> for Windows servers, or <strong class="userinput"><code>nobody</code></strong> for Samba servers.
		</div><div class="para">
			Enter the <span class="guilabel"><strong>Password</strong></span> (if required) for the user specified in the <span class="guilabel"><strong>Username</strong></span> field.
		</div><div class="para">
			You can then test the connection by clicking <span class="guibutton"><strong>Verify</strong></span>. Upon successful verification, a dialog box appears confirming printer share accessibility.
		</div><div class="para">
			Next, select the printer type. Refer to <a class="xref" href="#s1-printing-select-model">Section 36.5, “Selecting the Printer Model and Finishing”</a> for details.
		</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
				Samba printer usernames and passwords are stored in the printer server as unencrypted files readable by root and lpd. Thus, other users that have root access to the printer server can view the username and password you use to access the Samba printer.
			</div><div class="para">
				As such, when you choose a username and password to access a Samba printer, it is advisable that you choose a password that is different from what you use to access your local Red Hat Enterprise Linux system.
			</div><div class="para">
				If there are files shared on the Samba print server, it is recommended that they also use a password different from what is used by the print queue.
			</div></div></div></div><div class="section" id="s1-printing-jetdirect-printer"><div class="titlepage"><div><div><h2 class="title" id="s1-printing-jetdirect-printer">36.4. Adding a JetDirect Printer</h2></div></div></div><a id="id894615" class="indexterm"></a><a id="id894629" class="indexterm"></a><div class="para">
			To add a JetDirect or AppSocket connected printer share, click the <span class="guibutton"><strong>New Printer</strong></span> button in the main <span class="application"><strong> Printer Configuration Tool</strong></span> window to display the window in <a class="xref" href="#fig-printconf-add">Figure 36.2, “<span class="application">Adding a Printer</span>”</a>. Enter a unique name for the printer in the <span class="guilabel"><strong>Printer Name</strong></span> field. The printer name can contain letters, numbers, dashes (-), and underscores (_); it <span class="emphasis"><em>must not</em></span> contain any spaces.
		</div><div class="para">
			You can also use the <span class="guilabel"><strong>Description</strong></span> and <span class="guilabel"><strong>Location</strong></span> fields to further distinguish this printer from others that may be configured on your system. Both of these fields are optional, and may contain spaces.
		</div><div class="figure" id="fig-printconf-jetdirect"><div class="figure-contents"><div class="mediaobject"><img src="images/printconf-jetdirect.png" width="444" alt="Adding a JetDirect Printer" /><div class="longdesc"><div class="para">
						Adding a JetDirect Printer
					</div></div></div></div><h6>Figure 36.6. Adding a JetDirect Printer</h6></div><br class="figure-break" /><div class="para">
			Click <span class="guibutton"><strong>Forward</strong></span> to continue.
		</div><div class="para">
			Text fields for the following options appear:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<span class="guilabel"><strong>Hostname</strong></span> — The hostname or IP address of the JetDirect printer.
				</div></li><li class="listitem"><div class="para">
					<span class="guilabel"><strong>Port Number</strong></span> — The port on the JetDirect printer that is listening for print jobs. The default port is 9100.
				</div></li></ul></div><div class="para">
			Next, select the printer type. Refer to <a class="xref" href="#s1-printing-select-model">Section 36.5, “Selecting the Printer Model and Finishing”</a> for details.
		</div></div><div class="section" id="s1-printing-select-model"><div class="titlepage"><div><div><h2 class="title" id="s1-printing-select-model">36.5. Selecting the Printer Model and Finishing</h2></div></div></div><div class="para">
			Once you have properly selected a printer queue type, you can choose either option:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					Select a Printer from database - If you select this option, choose the make of your printer from the list of <span class="guilabel"><strong>Makes</strong></span>. If your printer make is not listed, choose <span class="guilabel"><strong>Generic</strong></span>.
				</div></li><li class="listitem"><div class="para">
					Provide PPD file - A PostScript Printer Description (PPD) file may also be provided with your printer. This file is normally provided by the manufacturer. If you are provided with a PPD file, you can choose this option and use the browser bar below the option description to select the PPD file.
				</div></li></ul></div><div class="para">
			Refer to <a class="xref" href="#fig-printconf-select-model">Figure 36.7, “Selecting a Printer Model”</a>.
		</div><div class="figure" id="fig-printconf-select-model"><div class="figure-contents"><div class="mediaobject"><img src="images/printconf-select-model.png" width="444" alt="Selecting a Printer Model" /><div class="longdesc"><div class="para">
						Selecting a Printer Model
					</div></div></div></div><h6>Figure 36.7. Selecting a Printer Model</h6></div><br class="figure-break" /><div class="para">
			After choosing an option, click <span class="guibutton"><strong>Forward</strong></span> to continue. <a class="xref" href="#fig-printconf-select-model">Figure 36.7, “Selecting a Printer Model”</a> appears. You now have to choose the corresponding model and driver for the printer.
		</div><div class="para">
			The recommended printed driver is automatically selected based on the printer model you chose. The print driver processes the data that you want to print into a format the printer can understand. Since a local printer is attached directly to your computer, you need a printer driver to process the data that is sent to the printer.
		</div><div class="para">
			If you have a PPD file for the device (usually provided by the manufacturer), you can select it by choosing <span class="guilabel"><strong>Provide PPD file</strong></span>. You can then browse the filesystem for the PPD file by clicking <span class="guibutton"><strong>Browse</strong></span>.
		</div><div class="section" id="s2-printing-confirm"><div class="titlepage"><div><div><h3 class="title" id="s2-printing-confirm">36.5.1. Confirming Printer Configuration</h3></div></div></div><div class="para">
				The last step is to confirm your printer configuration. Click <span class="guibutton"><strong>Apply</strong></span> to add the print queue if the settings are correct. Click <span class="guibutton"><strong>Back</strong></span> to modify the printer configuration.
			</div><div class="para">
				After applying the changes, print a test page to ensure the configuration is correct. Refer to <a class="xref" href="#s1-printing-test-page">Section 36.6, “Printing a Test Page”</a> for details.
			</div></div></div><div class="section" id="s1-printing-test-page"><div class="titlepage"><div><div><h2 class="title" id="s1-printing-test-page">36.6. Printing a Test Page</h2></div></div></div><a id="id1051751" class="indexterm"></a><div class="para">
			After you have configured your printer, you should print a test page to make sure the printer is functioning properly. To print a test page, select the printer that you want to try out from the printer list, then click <span class="guibutton"><strong>Print Test Page</strong></span> from the printer's <span class="guilabel"><strong>Settings</strong></span> tab.
		</div><div class="para">
			If you change the print driver or modify the driver options, you should print a test page to test the different configuration.
		</div></div><div class="section" id="s1-printing-edit"><div class="titlepage"><div><div><h2 class="title" id="s1-printing-edit">36.7. Modifying Existing Printers</h2></div></div></div><a id="id1051795" class="indexterm"></a><div class="para">
			To delete an existing printer, select the printer and click the <span class="guibutton"><strong>Delete</strong></span> button on the toolbar. The printer is removed from the printer list once you confirm deletion of the printer configuration.
		</div><a id="id1051818" class="indexterm"></a><div class="para">
			To set the default printer, select the printer from the printer list and click the <span class="guibutton"><strong>Make Default Printer</strong></span> button in the <span class="guilabel"><strong>Settings</strong></span> tab.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1051845">36.7.1. The <span class="guilabel"><strong>Settings</strong></span> Tab</h3></div></div></div><div class="para">
				To change printer driver configuration, click the corresponding name in the <span class="guilabel"><strong>Printer</strong></span> list and click the <span class="guilabel"><strong>Settings</strong></span> tab.
			</div><div class="para">
				You can modify printer settings such as make and model, make a printer the default, print a test page, change the device location (URI), and more.
			</div><div class="figure" id="fig-printconf-config1"><div class="figure-contents"><div class="mediaobject"><img src="images/printconf-config1.png" width="444" alt="Settings Tab" /><div class="longdesc"><div class="para">
							Settings Tab
						</div></div></div></div><h6>Figure 36.8. Settings Tab</h6></div><br class="figure-break" /></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1051913">36.7.2. The <span class="guilabel"><strong>Policies</strong></span> Tab</h3></div></div></div><div class="para">
				To change settings in print output, click the <span class="guilabel"><strong>Policies</strong></span> tab.
			</div><div class="para">
				For example, to create a <em class="firstterm">banner page</em> (a page that describes aspects of the print job such as the originating printer, the username from the which the job originated, and the security status of the document being printed) click the <span class="guilabel"><strong>Starting Banner </strong></span> or <span class="guilabel"><strong>Ending Banner</strong></span> drop-menu and choose the option that best describes the nature of the print jobs (such as <span class="guilabel"><strong>topsecret</strong></span>, <span class="guilabel"><strong>classified</strong></span>, or <span class="guilabel"><strong>confidential</strong></span>).
			</div><div class="figure" id="fig-printconf-config2"><div class="figure-contents"><div class="mediaobject"><img src="images/printconf-config2.png" width="444" alt="Policies Tab" /><div class="longdesc"><div class="para">
							Policies Tab
						</div></div></div></div><h6>Figure 36.9. Policies Tab</h6></div><br class="figure-break" /><div class="para">
				You can also configure the <span class="guilabel"><strong>Error Policy</strong></span> of the printer, by choosing an option from the drop-down menu. You can choose to abort the print job, retry, or stop it.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1052010">36.7.3. The <span class="guilabel"><strong>Access Control</strong></span> Tab</h3></div></div></div><div class="para">
				You can change user-level access to the configured printer by clicking the <span class="guilabel"><strong>Access Control</strong></span> tab.
			</div><div class="para">
				Add users using the text box and click the <span class="guibutton"><strong>Add</strong></span> button beside it. You can then choose to only allow use of the printer to that subset of users or deny use to those users.
			</div><div class="figure" id="fig-printconf-config3"><div class="figure-contents"><div class="mediaobject"><img src="images/printconf-config3.png" width="444" alt="Access Control Tab" /><div class="longdesc"><div class="para">
							Access Control Tab
						</div></div></div></div><h6>Figure 36.10. Access Control Tab</h6></div><br class="figure-break" /></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1052078">36.7.4. The <span class="guilabel"><strong>Printer</strong></span> and <span class="guilabel"><strong>Job Options</strong></span>Tab</h3></div></div></div><div class="para">
				The <span class="guilabel"><strong>Printer Options</strong></span> tab contains various configuration options for the printer media and output.
			</div><div class="figure" id="fig-printconf-config4"><div class="figure-contents"><div class="mediaobject"><img src="images/printconf-config4.png" width="444" alt="Printer Options Tab" /><div class="longdesc"><div class="para">
							Printer Jobs Tab
						</div></div></div></div><h6>Figure 36.11. Printer Options Tab</h6></div><br class="figure-break" /><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Page Size</strong></span> — Allows the paper size to be selected. The options include US Letter, US Legal, A3, and A4
					</div></li><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Media Source</strong></span> — set to <span class="guilabel"><strong>Automatic</strong></span> by default. Change this option to use paper from a different tray.
					</div></li><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Media Type</strong></span> — Allows you to change paper type. Options include: Plain, thick, bond, and transparency.
					</div></li><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Resolution</strong></span> — Configure the quality and detail of the printout. Default is 300 dots per inch (dpi).
					</div></li><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Toner Saving</strong></span> — Choose whether the printer uses less toner to conserve resources.
					</div></li></ul></div><div class="para">
				You can also configure printer job options using the <span class="guilabel"><strong>Job Options</strong></span> tab. Use the drop-menu and choose the job options you wish to use, such as <span class="guilabel"><strong>Landscape</strong></span> modes (horizontal or vertical printout), <span class="guilabel"><strong>copies</strong></span>, or <span class="guilabel"><strong>scaling</strong></span> (increase or decrease the size of the printable area, which can be used to fit an oversize print area onto a smaller physical sheet of print medium).
			</div></div></div><div class="section" id="s1-printing-managing"><div class="titlepage"><div><div><h2 class="title" id="s1-printing-managing">36.8. Managing Print Jobs</h2></div></div></div><a id="id1052242" class="indexterm"></a><div class="para">
			When you send a print job to the printer daemon, such as printing a text file from <span class="application"><strong>Emacs</strong></span> or printing an image from <span class="application"><strong>The GIMP</strong></span>, the print job is added to the print spool queue. The print spool queue is a list of print jobs that have been sent to the printer and information about each print request, such as the status of the request, the job number, and more.
		</div><div class="para">
			During the printing process, the Printer Status icon appears in the <span class="application"><strong>Notification Area</strong></span> on the panel. To check the status of a print job, double click the Printer Status, which displays a window similar to <a class="xref" href="#fig-gnome-print-manager-list">Figure 36.12, “GNOME Print Status”</a>.
		</div><div class="figure" id="fig-gnome-print-manager-list"><div class="figure-contents"><div class="mediaobject"><img src="images/gnome-print-queue.png" width="444" alt="GNOME Print Status" /><div class="longdesc"><div class="para">
						GNOME Print Status
					</div></div></div></div><h6>Figure 36.12. GNOME Print Status</h6></div><br class="figure-break" /><div class="para">
			To cancel a specific print job listed in the <span class="application"><strong>GNOME Print Status</strong></span>, select it from the list and select <span class="guimenu"><strong>Edit</strong></span> &gt; <span class="guimenuitem"><strong>Cancel Documents</strong></span> from the pulldown menu.
		</div><a id="id1052337" class="indexterm"></a><div class="para">
			To view the list of print jobs in the print spool from a shell prompt, type the command <code class="command">lpq</code>. The last few lines look similar to the following:
		</div><div class="example" id="lpq-example"><h6>Example 36.1. Example of <code class="command">lpq</code> output</h6><div class="example-contents"><pre class="screen">Rank   Owner/ID              Class  Job Files       Size Time 
active user@localhost+902    A      902 sample.txt  2050 01:20:46</pre></div></div><br class="example-break" /><a id="id1052380" class="indexterm"></a><div class="para">
			If you want to cancel a print job, find the job number of the request with the command <code class="command">lpq</code> and then use the command <code class="command">lprm <em class="replaceable"><code>job number</code></em></code>. For example, <code class="command">lprm 902</code> would cancel the print job in <a class="xref" href="#lpq-example">Example 36.1, “Example of <code class="command">lpq</code> output”</a>. You must have proper permissions to cancel a print job. You can not cancel print jobs that were started by other users unless you are logged in as root on the machine to which the printer is attached.
		</div><a id="id1052420" class="indexterm"></a><a id="id1052434" class="indexterm"></a><div class="para">
			You can also print a file directly from a shell prompt. For example, the command <code class="command">lpr sample.txt</code> prints the text file <code class="filename">sample.txt</code>. The print filter determines what type of file it is and converts it into a format the printer can understand.
		</div></div><div class="section" id="s1-printing-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-printing-additional-resources">36.9. Additional Resources</h2></div></div></div><div class="para">
			To learn more about printing on Red Hat Enterprise Linux, refer to the following resources.
		</div><div class="section" id="s2-printing-installed-docs"><div class="titlepage"><div><div><h3 class="title" id="s2-printing-installed-docs">36.9.1. Installed Documentation</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">map lpr</code> — The manual page for the <code class="command">lpr</code> command that allows you to print files from the command line.
					</div></li><li class="listitem"><div class="para">
						<code class="command">man lprm</code> — The manual page for the command line utility to remove print jobs from the print queue.
					</div></li><li class="listitem"><div class="para">
						<code class="command">man mpage</code> — The manual page for the command line utility to print multiple pages on one sheet of paper.
					</div></li><li class="listitem"><div class="para">
						<code class="command">man cupsd</code> — The manual page for the CUPS printer daemon.
					</div></li><li class="listitem"><div class="para">
						<code class="command">man cupsd.conf</code> — The manual page for the CUPS printer daemon configuration file.
					</div></li><li class="listitem"><div class="para">
						<code class="command">man classes.conf</code> — The manual page for the class configuration file for CUPS.
					</div></li></ul></div></div><div class="section" id="s2-printing-useful-websites"><div class="titlepage"><div><div><h3 class="title" id="s2-printing-useful-websites">36.9.2. Useful Websites</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://www.linuxprinting.org">http://www.linuxprinting.org</a> — <em class="citetitle">GNU/Linux Printing</em> contains a large amount of information about printing in Linux.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.cups.org/">http://www.cups.org/</a> — Documentation, FAQs, and newsgroups about CUPS.
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-autotasks" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 37. Automated Tasks</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-autotasks-cron">37.1. Cron</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-autotasks-cron-configuring">37.1.1. Configuring Cron Tasks</a></span></dt><dt><span class="section"><a href="#s2-autotasks-cron-access">37.1.2. Controlling Access to Cron</a></span></dt><dt><span class="section"><a href="#s2-autotasks-cron-service">37.1.3. Starting and Stopping the Service</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-autotasks-at-batch">37.2. At and Batch</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-autotasks-at-configuring">37.2.1. Configuring At Jobs</a></span></dt><dt><span class="section"><a href="#s2-autotasks-batch-configuring">37.2.2. Configuring Batch Jobs</a></span></dt><dt><span class="section"><a href="#s2-autotasks-at-batch-viewing">37.2.3. Viewing Pending Jobs</a></span></dt><dt><span class="section"><a href="#s2-autotasks-commandline-options">37.2.4. Additional Command Line Options</a></span></dt><dt><span class="section"><a href="#s2-autotasks-at-batch-controlling-access">37.2.5. Controlling Access to At and Batch</a></span></dt><dt><span class="section"><a href="#s2-autotasks-at-batch-service">37.2.6. Starting and Stopping the Service</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-autotasks-additional-resources">37.3. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-autotasks-installed-docs">37.3.1. Installed Documentation</a></span></dt></dl></dd></dl></div><a id="id915725" class="indexterm"></a><div class="para">
		In Linux, tasks can be configured to run automatically within a specified period of time, on a specified date, or when the system load average is below a specified number. Red Hat Enterprise Linux is pre-configured to run important system tasks to keep the system updated. For example, the slocate database used by the <code class="command">locate</code> command is updated daily. A system administrator can use automated tasks to perform periodic backups, monitor the system, run custom scripts, and more.
	</div><div class="para">
		Red Hat Enterprise Linux comes with several automated tasks utilities: <code class="command">cron</code>, <code class="command">at</code>, and <code class="command">batch</code>.
	</div><a id="id1073435" class="indexterm"></a><div class="section" id="s1-autotasks-cron"><div class="titlepage"><div><div><h2 class="title" id="s1-autotasks-cron">37.1. Cron</h2></div></div></div><div class="para">
			Cron is a daemon that can be used to schedule the execution of recurring tasks according to a combination of the time, day of the month, month, day of the week, and week.
		</div><div class="para">
			Cron assumes that the system is on continuously. If the system is not on when a task is scheduled, it is not executed. To schedule one-time tasks, refer to <a class="xref" href="#s1-autotasks-at-batch">Section 37.2, “At and Batch”</a>.
		</div><div class="para">
			To use the cron service, the <code class="filename">vixie-cron</code> RPM package must be installed and the <code class="command">crond</code> service must be running. To determine if the package is installed, use the <code class="command">rpm -q vixie-cron</code> command. To determine if the service is running, use the command <code class="command">/sbin/service crond status</code>.
		</div><div class="section" id="s2-autotasks-cron-configuring"><div class="titlepage"><div><div><h3 class="title" id="s2-autotasks-cron-configuring">37.1.1. Configuring Cron Tasks</h3></div></div></div><a id="id1043992" class="indexterm"></a><a id="id925980" class="indexterm"></a><div class="para">
				The main configuration file for cron, <code class="filename">/etc/crontab</code>, contains the following lines:
			</div><pre class="screen">SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly</pre><div class="para">
				The first four lines are variables used to configure the environment in which the cron tasks are run. The <code class="computeroutput">SHELL</code> variable tells the system which shell environment to use (in this example the bash shell), while the <code class="computeroutput">PATH</code> variable defines the path used to execute commands. The output of the cron tasks are emailed to the username defined with the <code class="computeroutput">MAILTO</code> variable. If the <code class="computeroutput">MAILTO</code> variable is defined as an empty string (<code class="computeroutput">MAILTO=""</code>), email is not sent. The <code class="computeroutput">HOME</code> variable can be used to set the home directory to use when executing commands or scripts.
			</div><div class="para">
				Each line in the <code class="filename">/etc/crontab</code> file represents a task and has the following format:
			</div><pre class="screen">minute   hour   day   month   dayofweek   command</pre><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="computeroutput">minute</code> — any integer from 0 to 59
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">hour</code> — any integer from 0 to 23
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">day</code> — any integer from 1 to 31 (must be a valid day if a month is specified)
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">month</code> — any integer from 1 to 12 (or the short name of the month such as jan or feb)
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">dayofweek</code> — any integer from 0 to 7, where 0 or 7 represents Sunday (or the short name of the week such as sun or mon)
					</div></li><li class="listitem"><div class="para">
						<code class="computeroutput">command</code> — the command to execute (the command can either be a command such as <code class="command">ls /proc &gt;&gt; /tmp/proc</code> or the command to execute a custom script)
					</div></li></ul></div><div class="para">
				For any of the above values, an asterisk (*) can be used to specify all valid values. For example, an asterisk for the month value means execute the command every month within the constraints of the other values.
			</div><div class="para">
				A hyphen (-) between integers specifies a range of integers. For example, <strong class="userinput"><code>1-4</code></strong> means the integers 1, 2, 3, and 4.
			</div><div class="para">
				A list of values separated by commas (,) specifies a list. For example, <strong class="userinput"><code>3, 4, 6, 8</code></strong> indicates those four specific integers.
			</div><div class="para">
				The forward slash (/) can be used to specify step values. The value of an integer can be skipped within a range by following the range with <strong class="userinput"><code>/&lt;<em class="replaceable"><code>integer</code></em>&gt;</code></strong>. For example, <strong class="userinput"><code>0-59/2</code></strong> can be used to define every other minute in the minute field. Step values can also be used with an asterisk. For instance, the value <strong class="userinput"><code>*/3</code></strong> can be used in the month field to run the task every third month.
			</div><div class="para">
				Any lines that begin with a hash mark (#) are comments and are not processed.
			</div><div class="para">
				As shown in the <code class="filename">/etc/crontab</code> file, the <code class="command">run-parts</code> script executes the scripts in the <code class="filename">/etc/cron.hourly/</code>, <code class="filename">/etc/cron.daily/</code>, <code class="filename">/etc/cron.weekly/</code>, and <code class="filename">/etc/cron.monthly/</code> directories on an hourly, daily, weekly, or monthly basis respectively. The files in these directories should be shell scripts.
			</div><div class="para">
				If a cron task is required to be executed on a schedule other than hourly, daily, weekly, or monthly, it can be added to the <code class="filename">/etc/cron.d/</code> directory. All files in this directory use the same syntax as <code class="filename">/etc/crontab</code>. Refer to <a class="xref" href="#crontab-examples">Example 37.1, “Crontab Examples”</a> for examples.
			</div><a id="id901022" class="indexterm"></a><div class="example" id="crontab-examples"><h6>Example 37.1. Crontab Examples</h6><div class="example-contents"><pre class="screen"># record the memory usage of the system every monday
# at 3:30AM in the file /tmp/meminfo
30 3 * * mon cat /proc/meminfo &gt;&gt; /tmp/meminfo
# run custom script the first day of every month at 4:10AM
10 4 1 * * /root/scripts/backup.sh</pre></div></div><br class="example-break" /><a id="id894884" class="indexterm"></a><a id="id894897" class="indexterm"></a><div class="para">
				Users other than root can configure cron tasks by using the <code class="command">crontab</code> utility. All user-defined crontabs are stored in the <code class="filename">/var/spool/cron/</code> directory and are executed using the usernames of the users that created them. To create a crontab as a user, login as that user and type the command <code class="command">crontab -e</code> to edit the user's crontab using the editor specified by the <code class="computeroutput">VISUAL</code> or <code class="computeroutput">EDITOR</code> environment variable. The file uses the same format as <code class="filename">/etc/crontab</code>. When the changes to the crontab are saved, the crontab is stored according to username and written to the file <code class="filename">/var/spool/cron/<em class="replaceable"><code>username</code></em></code>.
			</div><div class="para">
				The cron daemon checks the <code class="filename">/etc/crontab</code> file, the <code class="filename">/etc/cron.d/</code> directory, and the <code class="filename">/var/spool/cron/</code> directory every minute for any changes. If any changes are found, they are loaded into memory. Thus, the daemon does not need to be restarted if a crontab file is changed.
			</div></div><div class="section" id="s2-autotasks-cron-access"><div class="titlepage"><div><div><h3 class="title" id="s2-autotasks-cron-access">37.1.2. Controlling Access to Cron</h3></div></div></div><div class="para">
				The <code class="filename">/etc/cron.allow</code> and <code class="filename">/etc/cron.deny</code> files are used to restrict access to cron. The format of both access control files is one username on each line. Whitespace is not permitted in either file. The cron daemon (<code class="command">crond</code>) does not have to be restarted if the access control files are modified. The access control files are read each time a user tries to add or delete a cron task.
			</div><div class="para">
				The root user can always use cron, regardless of the usernames listed in the access control files.
			</div><div class="para">
				If the file <code class="filename">cron.allow</code> exists, only users listed in it are allowed to use cron, and the <code class="filename">cron.deny</code> file is ignored.
			</div><div class="para">
				If <code class="filename">cron.allow</code> does not exist, users listed in <code class="filename">cron.deny</code> are not allowed to use cron.
			</div></div><div class="section" id="s2-autotasks-cron-service"><div class="titlepage"><div><div><h3 class="title" id="s2-autotasks-cron-service">37.1.3. Starting and Stopping the Service</h3></div></div></div><div class="para">
				To start the cron service, use the command <code class="command">/sbin/service crond start</code>. To stop the service, use the command <code class="command">/sbin/service crond stop</code>. It is recommended that you start the service at boot time. Refer to <a class="xref" href="#ch-services">Chapter 17, <em>Controlling Access to Services</em></a> for details on starting the cron service automatically at boot time.
			</div></div></div><div class="section" id="s1-autotasks-at-batch"><div class="titlepage"><div><div><h2 class="title" id="s1-autotasks-at-batch">37.2. At and Batch</h2></div></div></div><a id="id889437" class="indexterm"></a><a id="id889449" class="indexterm"></a><div class="para">
			While cron is used to schedule recurring tasks, the <code class="command">at</code> command is used to schedule a one-time task at a specific time and the <code class="command">batch</code> command is used to schedule a one-time task to be executed when the systems load average drops below 0.8.
		</div><div class="para">
			To use <code class="command">at</code> or <code class="command">batch</code>, the <code class="filename">at</code> RPM package must be installed, and the <code class="command">atd</code> service must be running. To determine if the package is installed, use the <code class="command">rpm -q at</code> command. To determine if the service is running, use the command <code class="command">/sbin/service atd status</code>.
		</div><div class="section" id="s2-autotasks-at-configuring"><div class="titlepage"><div><div><h3 class="title" id="s2-autotasks-at-configuring">37.2.1. Configuring At Jobs</h3></div></div></div><div class="para">
				To schedule a one-time job at a specific time, type the command <code class="command">at <em class="replaceable"><code>time</code></em></code>, where <code class="command"><em class="replaceable"><code>time</code></em></code> is the time to execute the command.
			</div><div class="para">
				The argument <em class="replaceable"><code>time</code></em> can be one of the following:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						HH:MM format — For example, 04:00 specifies 4:00 a.m. If the time is already past, it is executed at the specified time the next day.
					</div></li><li class="listitem"><div class="para">
						midnight — Specifies 12:00 a.m.
					</div></li><li class="listitem"><div class="para">
						noon — Specifies 12:00 p.m.
					</div></li><li class="listitem"><div class="para">
						teatime — Specifies 4:00 p.m.
					</div></li><li class="listitem"><div class="para">
						month-name day year format — For example, January 15 2002 specifies the 15th day of January in the year 2002. The year is optional.
					</div></li><li class="listitem"><div class="para">
						MMDDYY, MM/DD/YY, or MM.DD.YY formats — For example, 011502 for the 15th day of January in the year 2002.
					</div></li><li class="listitem"><div class="para">
						now + time — time is in minutes, hours, days, or weeks. For example, now + 5 days specifies that the command should be executed at the same time five days from now.
					</div></li></ul></div><div class="para">
				The time must be specified first, followed by the optional date. For more information about the time format, read the <code class="filename">/usr/share/doc/at-<em class="replaceable"><code>&lt;version&gt;</code></em>/timespec</code> text file.
			</div><div class="para">
				After typing the <code class="command">at</code> command with the time argument, the <code class="prompt">at&gt;</code> prompt is displayed. Type the command to execute, press <span class="keycap"><strong>Enter</strong></span>, and type <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>D</strong></span> . Multiple commands can be specified by typing each command followed by the <span class="keycap"><strong>Enter</strong></span> key. After typing all the commands, press <span class="keycap"><strong>Enter</strong></span> to go to a blank line and type <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>D</strong></span> . Alternatively, a shell script can be entered at the prompt, pressing <span class="keycap"><strong>Enter</strong></span> after each line in the script, and typing <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>D</strong></span> on a blank line to exit. If a script is entered, the shell used is the shell set in the user's <code class="envar">SHELL</code> environment, the user's login shell, or <code class="command">/bin/sh</code> (whichever is found first).
			</div><div class="para">
				If the set of commands or script tries to display information to standard out, the output is emailed to the user.
			</div><div class="para">
				Use the command <code class="command">atq</code> to view pending jobs. Refer to <a class="xref" href="#s2-autotasks-at-batch-viewing">Section 37.2.3, “Viewing Pending Jobs”</a> for more information.
			</div><div class="para">
				Usage of the <code class="command">at</code> command can be restricted. For more information, refer to <a class="xref" href="#s2-autotasks-at-batch-controlling-access">Section 37.2.5, “Controlling Access to At and Batch”</a> for details.
			</div></div><div class="section" id="s2-autotasks-batch-configuring"><div class="titlepage"><div><div><h3 class="title" id="s2-autotasks-batch-configuring">37.2.2. Configuring Batch Jobs</h3></div></div></div><div class="para">
				To execute a one-time task when the load average is below 0.8, use the <code class="command">batch</code> command.
			</div><div class="para">
				After typing the <code class="command">batch</code> command, the <code class="prompt">at&gt;</code> prompt is displayed. Type the command to execute, press <span class="keycap"><strong>Enter</strong></span>, and type <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>D</strong></span> . Multiple commands can be specified by typing each command followed by the <span class="keycap"><strong>Enter</strong></span> key. After typing all the commands, press <span class="keycap"><strong>Enter</strong></span> to go to a blank line and type <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>D</strong></span> . Alternatively, a shell script can be entered at the prompt, pressing <span class="keycap"><strong>Enter</strong></span> after each line in the script, and typing <span class="keycap"><strong>Ctrl</strong></span>+<span class="keycap"><strong>D</strong></span> on a blank line to exit. If a script is entered, the shell used is the shell set in the user's <code class="envar">SHELL</code> environment, the user's login shell, or <code class="command">/bin/sh</code> (whichever is found first). As soon as the load average is below 0.8, the set of commands or script is executed.
			</div><div class="para">
				If the set of commands or script tries to display information to standard out, the output is emailed to the user.
			</div><div class="para">
				Use the command <code class="command">atq</code> to view pending jobs. Refer to <a class="xref" href="#s2-autotasks-at-batch-viewing">Section 37.2.3, “Viewing Pending Jobs”</a> for more information.
			</div><div class="para">
				Usage of the <code class="command">batch</code> command can be restricted. For more information, refer to <a class="xref" href="#s2-autotasks-at-batch-controlling-access">Section 37.2.5, “Controlling Access to At and Batch”</a> for details.
			</div></div><div class="section" id="s2-autotasks-at-batch-viewing"><div class="titlepage"><div><div><h3 class="title" id="s2-autotasks-at-batch-viewing">37.2.3. Viewing Pending Jobs</h3></div></div></div><div class="para">
				To view pending <code class="command">at</code> and <code class="command">batch</code> jobs, use the <code class="command">atq</code> command. The <code class="command">atq</code> command displays a list of pending jobs, with each job on a line. Each line follows the job number, date, hour, job class, and username format. Users can only view their own jobs. If the root user executes the <code class="command">atq</code> command, all jobs for all users are displayed.
			</div></div><div class="section" id="s2-autotasks-commandline-options"><div class="titlepage"><div><div><h3 class="title" id="s2-autotasks-commandline-options">37.2.4. Additional Command Line Options</h3></div></div></div><div class="para">
				Additional command line options for <code class="command">at</code> and <code class="command">batch</code> include:
			</div><div class="table" id="tb-at-command-line-options"><h6>Table 37.1. <code class="command">at</code> and <code class="command">batch</code> Command Line Options</h6><div class="table-contents"><table summary="at and batch Command Line Options" border="1"><colgroup><col width="29%" class="option" /><col width="71%" class="description" /></colgroup><thead><tr><th>
								Option
							</th><th>
								Description
							</th></tr></thead><tbody><tr><td>
								<code class="option">-f</code>
							</td><td>
								Read the commands or shell script from a file instead of specifying them at the prompt.
							</td></tr><tr><td>
								<code class="option">-m</code>
							</td><td>
								Send email to the user when the job has been completed.
							</td></tr><tr><td>
								<code class="option">-v</code>
							</td><td>
								Display the time that the job is executed.
							</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="s2-autotasks-at-batch-controlling-access"><div class="titlepage"><div><div><h3 class="title" id="s2-autotasks-at-batch-controlling-access">37.2.5. Controlling Access to At and Batch</h3></div></div></div><div class="para">
				The <code class="filename">/etc/at.allow</code> and <code class="filename">/etc/at.deny</code> files can be used to restrict access to the <code class="command">at</code> and <code class="command">batch</code> commands. The format of both access control files is one username on each line. Whitespace is not permitted in either file. The <code class="command">at</code> daemon (<code class="command">atd</code>) does not have to be restarted if the access control files are modified. The access control files are read each time a user tries to execute the <code class="command">at</code> or <code class="command">batch</code> commands.
			</div><div class="para">
				The root user can always execute <code class="command">at</code> and <code class="command">batch</code> commands, regardless of the access control files.
			</div><div class="para">
				If the file <code class="filename">at.allow</code> exists, only users listed in it are allowed to use <code class="command">at</code> or <code class="command">batch</code>, and the <code class="filename">at.deny</code> file is ignored.
			</div><div class="para">
				If <code class="filename">at.allow</code> does not exist, users listed in <code class="filename">at.deny</code> are not allowed to use <code class="command">at</code> or <code class="command">batch</code>.
			</div></div><div class="section" id="s2-autotasks-at-batch-service"><div class="titlepage"><div><div><h3 class="title" id="s2-autotasks-at-batch-service">37.2.6. Starting and Stopping the Service</h3></div></div></div><div class="para">
				To start the <code class="command">at</code> service, use the command <code class="command">/sbin/service atd start</code>. To stop the service, use the command <code class="command">/sbin/service atd stop</code>. It is recommended that you start the service at boot time. Refer to <a class="xref" href="#ch-services">Chapter 17, <em>Controlling Access to Services</em></a> for details on starting the cron service automatically at boot time.
			</div></div></div><div class="section" id="s1-autotasks-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-autotasks-additional-resources">37.3. Additional Resources</h2></div></div></div><a id="id1055448" class="indexterm"></a><a id="id1055461" class="indexterm"></a><a id="id1055475" class="indexterm"></a><div class="para">
			To learn more about configuring automated tasks, refer to the following resources.
		</div><div class="section" id="s2-autotasks-installed-docs"><div class="titlepage"><div><div><h3 class="title" id="s2-autotasks-installed-docs">37.3.1. Installed Documentation</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="filename">cron</code> man page — overview of cron.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">crontab</code> man pages in sections 1 and 5 — The man page in section 1 contains an overview of the <code class="filename">crontab</code> file. The man page in section 5 contains the format for the file and some example entries.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/usr/share/doc/at-<em class="replaceable"><code>&lt;version&gt;</code></em>/timespec</code> contains more detailed information about the times that can be specified for cron jobs.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">at</code> man page — description of <code class="command">at</code> and <code class="command">batch</code> and their command line options.
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-logfiles" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 38. Log Files</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-logfiles-locating">38.1. Locating Log Files</a></span></dt><dt><span class="section"><a href="#s1-logfiles-viewing">38.2. Viewing Log Files</a></span></dt><dt><span class="section"><a href="#s1-logfiles-adding">38.3. Adding a Log File</a></span></dt><dt><span class="section"><a href="#s1-logfiles-examining">38.4. Monitoring Log Files</a></span></dt></dl></div><a id="id870837" class="indexterm"></a><a id="id854824" class="indexterm"></a><div class="para">
		<em class="firstterm">Log files</em> are files that contain messages about the system, including the kernel, services, and applications running on it. There are different log files for different information. For example, there is a default system log file, a log file just for security messages, and a log file for cron tasks.
	</div><div class="para">
		Log files can be very useful when trying to troubleshoot a problem with the system such as trying to load a kernel driver or when looking for unauthorized log in attempts to the system. This chapter discusses where to find log files, how to view log files, and what to look for in log files.
	</div><a id="id786136" class="indexterm"></a><a id="id838403" class="indexterm"></a><div class="para">
		Some log files are controlled by a daemon called <code class="command">syslogd</code>. A list of log messages maintained by <code class="command">syslogd</code> can be found in the <code class="filename">/etc/syslog.conf</code> configuration file.
	</div><div class="section" id="s1-logfiles-locating"><div class="titlepage"><div><div><h2 class="title" id="s1-logfiles-locating">38.1. Locating Log Files</h2></div></div></div><a id="id860711" class="indexterm"></a><div class="para">
			Most log files are located in the <code class="filename">/var/log/</code> directory. Some applications such as <code class="command">httpd</code> and <code class="command">samba</code> have a directory within <code class="filename">/var/log/</code> for their log files.
		</div><a id="id1065311" class="indexterm"></a><a id="id1040500" class="indexterm"></a><div class="para">
			You may notice multiple files in the log file directory with numbers after them. These are created when the log files are rotated. Log files are rotated so their file sizes do not become too large. The <code class="filename">logrotate</code> package contains a cron task that automatically rotates log files according to the <code class="filename">/etc/logrotate.conf</code> configuration file and the configuration files in the <code class="filename">/etc/logrotate.d/</code> directory. By default, it is configured to rotate every week and keep four weeks worth of previous log files.
		</div></div><div class="section" id="s1-logfiles-viewing"><div class="titlepage"><div><div><h2 class="title" id="s1-logfiles-viewing">38.2. Viewing Log Files</h2></div></div></div><a id="id885203" class="indexterm"></a><div class="para">
			Most log files are in plain text format. You can view them with any text editor such as <code class="command">Vi</code> or <span class="application"><strong>Emacs</strong></span>. Some log files are readable by all users on the system; however, root privileges are required to read most log files.
		</div><a id="id885230" class="indexterm"></a><div class="para">
			To view system log files in an interactive, real-time application, use the <span class="application"><strong>System Log Viewer</strong></span>. To start the application, go to <span class="guimenu"><strong>Applications</strong></span> (the main menu on the panel) &gt; <span class="guimenuitem"><strong>System</strong></span> &gt; <span class="guimenuitem"><strong>System Logs</strong></span>, or type the command <code class="command">gnome-system-log</code> at a shell prompt.
		</div><div class="para">
			The application only displays log files that exist; thus, the list might differ from the one shown in <a class="xref" href="#fig-redhat-logviewer">Figure 38.1, “<span class="application">System Log Viewer</span>”</a>.
		</div><a id="id1052976" class="indexterm"></a><a id="id1052992" class="indexterm"></a><div class="figure" id="fig-redhat-logviewer"><div class="figure-contents"><div class="mediaobject"><img src="images/redhat-logviewer.png" width="444" alt="System Log Viewer" /><div class="longdesc"><div class="para">
						System Log Viewer
					</div></div></div></div><h6>Figure 38.1. <span class="application">System Log Viewer</span></h6></div><br class="figure-break" /><a id="id900177" class="indexterm"></a><div class="para">
			To filter the contents of the selected log file, click on <span class="guimenuitem"><strong>View</strong></span> from the menu and select <span class="guimenuitem"><strong>Filter</strong></span> as illustrated below.
		</div><div class="figure" id="fig-redhat-logviewer-prefs"><div class="figure-contents"><div class="mediaobject"><img src="images/redhat-logviewer-prefs.png" width="444" alt="System Log Viewer - View Menu" /><div class="longdesc"><div class="para">
						System Log Viewer - View Menu
					</div></div></div></div><h6>Figure 38.2. <span class="application">System Log Viewer - View Menu</span></h6></div><br class="figure-break" /><a id="id1053197" class="indexterm"></a><div class="para">
			Selecting the <span class="guilabel"><strong>Filter</strong></span> menu item will display the <span class="guilabel"><strong>Filter</strong></span> text field where you can type the keywords you wish to use for your filter. To clear your filter click on the <span class="guibutton"><strong>Clear</strong></span> button.The figure below illustrates a sample filter.
		</div><div class="figure" id="fig-redhat-logviewer-sample"><div class="figure-contents"><div class="mediaobject"><img src="images/redhat-logviewer-sample.png" width="444" alt="System Log Viewer - Filter" /><div class="longdesc"><div class="para">
						System Log Viewer - Filter
					</div></div></div></div><h6>Figure 38.3. <span class="application">System Log Viewer - Filter</span></h6></div><br class="figure-break" /><a id="id1053264" class="indexterm"></a></div><div class="section" id="s1-logfiles-adding"><div class="titlepage"><div><div><h2 class="title" id="s1-logfiles-adding">38.3. Adding a Log File</h2></div></div></div><div class="para">
			To add a log file you wish to view in the list, select <span class="guimenu"><strong>File</strong></span> &gt; <span class="guimenuitem"><strong>Open</strong></span>. This will display the <span class="guimenu"><strong>Open Log</strong></span> window where you can select the directory and filename of the log file you wish to view.The figure below illustrates the <span class="guimenu"><strong>Open Log</strong></span> window.
		</div><div class="figure" id="fig-redhat-logviewer-add"><div class="figure-contents"><div class="mediaobject"><img src="images/redhat-logviewer-add.png" width="444" alt="Adding a Log File" /><div class="longdesc"><div class="para">
						Adding a Log File
					</div></div></div></div><h6>Figure 38.4. Adding a Log File</h6></div><br class="figure-break" /><div class="para">
			Click on the <span class="guibutton"><strong>Open</strong></span> button to open the file. The file is immediately added to the viewing list where you can select it and view the contents.
		</div><div class="para">
			Please also note that the System Log Viewer also allows you to open zipped logs whose filenames end in ".gz".
		</div></div><div class="section" id="s1-logfiles-examining"><div class="titlepage"><div><div><h2 class="title" id="s1-logfiles-examining">38.4. Monitoring Log Files</h2></div></div></div><a id="id885615" class="indexterm"></a><a id="id885629" class="indexterm"></a><div class="para">
			<span class="application"><strong>System Log Viewer</strong></span> monitors all opened logs by default. If a new line is added to a monitored log file, the log name appears in bold in the log list. If the log file is selected or displayed, the new lines appear in bold at the bottom of the log file and after five seconds are displayed in normal format. This is illustrated in the figures below. The figure below illustrates a new alert in the <span class="guimenuitem"><strong>messages</strong></span> log file. The log file is listed in bold text.
		</div><div class="figure" id="fig-redhat-logviewer-monitoring1"><div class="figure-contents"><div class="mediaobject"><img src="images/redhat-logviewer-monitoring1.png" width="444" alt="Log File Alert" /><div class="longdesc"><div class="para">
						Log File Alert
					</div></div></div></div><h6>Figure 38.5. Log File Alert</h6></div><br class="figure-break" /><div class="para">
			Clicking on the <span class="guimenuitem"><strong>messages</strong></span> log file displays the logs in the file with the new lines in bold as illustrated below.
		</div><div class="figure" id="fig-redhat-logviewer-monitoring2"><div class="figure-contents"><div class="mediaobject"><img src="images/redhat-logviewer-monitoring2.png" width="444" alt="Log file contents" /><div class="longdesc"><div class="para">
						Log file contents
					</div></div></div></div><h6>Figure 38.6. Log file contents</h6></div><br class="figure-break" /><div class="para">
			The new lines are displayed in bold for five seconds after which they are displayed in normal font.
		</div><div class="figure" id="fig-redhat-logviewer-monitoring3"><div class="figure-contents"><div class="mediaobject"><img src="images/redhat-logviewer-monitoring3.png" width="444" alt="Log file contents after five seconds" /><div class="longdesc"><div class="para">
						Log file contents after five seconds
					</div></div></div></div><h6>Figure 38.7. Log file contents after five seconds</h6></div><br class="figure-break" /></div></div></div><div class="part" id="pt-system-monitoring"><div class="titlepage"><div><div><h1 class="title">Part V. System Monitoring</h1></div></div></div><div class="partintro" id="id606782"><div></div><div class="para">
				System administrators also monitor system performance. Red Hat Enterprise Linux contains tools to assist administrators with these tasks.
			</div><div class="toc"><p><strong>Table of Contents</strong></p><dl><dt><span class="chapter"><a href="#ch-systemtap">39. SystemTap</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-systemtap-intro">39.1. Introduction</a></span></dt><dt><span class="section"><a href="#s2-systemtap-implementation">39.2. Implementation</a></span></dt><dt><span class="section"><a href="#s3-systemtap-usingsystemtap">39.3. Using SystemTap</a></span></dt><dd><dl><dt><span class="section"><a href="#s3.1-systemtap-tracing">39.3.1.  Tracing </a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-sysinfo">40. Gathering System Information</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-sysinfo-system-processes">40.1. System Processes</a></span></dt><dt><span class="section"><a href="#s1-sysinfo-memory-usage">40.2. Memory Usage</a></span></dt><dt><span class="section"><a href="#s1-sysinfo-filesystems">40.3. File Systems</a></span></dt><dt><span class="section"><a href="#s1-sysinfo-hardware">40.4. Hardware</a></span></dt><dt><span class="section"><a href="#s1-sysinfo-additional-resources">40.5. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-sysinfo-installed-docs">40.5.1. Installed Documentation</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-oprofile">41. OProfile</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-oprofile-overview-tools">41.1. Overview of Tools</a></span></dt><dt><span class="section"><a href="#s1-oprofile-configuring">41.2. Configuring OProfile</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-oprofile-kernel">41.2.1. Specifying the Kernel</a></span></dt><dt><span class="section"><a href="#s2-oprofile-events">41.2.2. Setting Events to Monitor</a></span></dt><dt><span class="section"><a href="#s2-oprofile-starting-separate">41.2.3. Separating Kernel and User-space Profiles</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-oprofile-starting">41.3. Starting and Stopping OProfile</a></span></dt><dt><span class="section"><a href="#s1-oprofile-saving-data">41.4. Saving Data</a></span></dt><dt><span class="section"><a href="#s1-oprofile-analyzing-data">41.5. Analyzing the Data</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-oprofile-reading-opreport">41.5.1. Using <code class="command">opreport</code></a></span></dt><dt><span class="section"><a href="#s2-oprofile-reading-opreport-single">41.5.2. Using <code class="command">opreport</code> on a Single Executable</a></span></dt><dt><span class="section"><a href="#s2-oprofile-module-output">41.5.3. Getting more detailed output on the modules</a></span></dt><dt><span class="section"><a href="#s2-oprofile-reading-opannotate">41.5.4. Using <code class="command">opannotate</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-oprofile-dev-oprofile">41.6. Understanding <code class="filename">/dev/oprofile/</code></a></span></dt><dt><span class="section"><a href="#s1-oprofile-example-usage">41.7. Example Usage</a></span></dt><dt><span class="section"><a href="#s1-oprofile-gui">41.8. Graphical Interface</a></span></dt><dt><span class="section"><a href="#s1-oprofile-additional-resources">41.9. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-oprofile-installed-docs">41.9.1. Installed Docs</a></span></dt><dt><span class="section"><a href="#s2-oprofile-useful-websites">41.9.2. Useful Websites</a></span></dt></dl></dd></dl></dd></dl></div></div><div xml:lang="en-US" class="chapter" id="ch-systemtap" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 39. SystemTap</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-systemtap-intro">39.1. Introduction</a></span></dt><dt><span class="section"><a href="#s2-systemtap-implementation">39.2. Implementation</a></span></dt><dt><span class="section"><a href="#s3-systemtap-usingsystemtap">39.3. Using SystemTap</a></span></dt><dd><dl><dt><span class="section"><a href="#s3.1-systemtap-tracing">39.3.1.  Tracing </a></span></dt></dl></dd></dl></div><div xml:lang="en-US" class="section" id="s1-systemtap-intro" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="s1-systemtap-intro">39.1. Introduction</h2></div></div></div><div class="para">
		SystemTap provides a simple command line interface and scripting language to simplify the gathering of information about the running Linux kernel so that it can be further analyzed. Data may be extracted, filtered, and summarized quickly and safely, to enable diagnoses of complex performance or functional problems.
	</div><div class="para">
		SystemTap allows scripts to be written in the SystemTap scripting language, which are then compiled to C-code kernel modules and inserted into the kernel.
	</div><div class="para">
		The essential idea behind a systemtap script is to name events, and to give them handlers. Whenever a specified event occurs, the Linux kernel runs the handler as if it were a quick subroutine, then resumes. There are several kind of events, such as entering or exiting a function, a timer expiring, or the entire systemtap session starting or stopping. A handler is a series of script language statements that specify the work to be done whenever the event occurs. This work normally includes extracting data from the event context, storing them into internal variables, or printing results.
	</div></div><div class="section" id="s2-systemtap-implementation"><div class="titlepage"><div><div><h2 class="title" id="s2-systemtap-implementation">39.2. Implementation</h2></div></div></div><div class="para">
			SystemTap takes a compiler-oriented approach to generating instrumentation. Refer to <a class="xref" href="#fig-flow-of-data">Figure 39.1, “Flow of Data in SystemTap”</a> "Flow of data in SystemTap" for an overall diagram of SystemTap used in this discussion. In the upper right hand corner of the diagram is the probe.stp, the probe script the developer has written. This is parsed by the translator into parse trees. During this time the input is checked for syntax errors. The translator then performs elaboration, pulling in additional code from the script library and determining locations of probe points and variables from the debug information. After the elaboration is complete the translator can generate the probe.c, the kernel module in C.
		</div><div class="para">
			The probe.c file is compiled into a regular kernel module, probe.ko, using the GCC compiler. The compilation may pull in support code from the runtime libraries. After GCC has generated the probe.ko, the SystemTap daemon is started to collect the output of the instrumentation module. The instrumentation module is loaded into the kernel, and data collection is started. Data from the instrumentation module is transferred to user-space via relayfs and displayed by the daemon. When the user hits Control-C the daemon unloads the module, which also shuts down the data collection process.
		</div><div class="figure" id="fig-flow-of-data"><div class="figure-contents"><div class="mediaobject"><img src="images/flow-diagram.png" width="444" alt="Flow of Data in SystemTap" /><div class="longdesc"><div class="para">
						Flow of data in SystemTap.
					</div></div></div></div><h6>Figure 39.1. Flow of Data in SystemTap</h6></div><br class="figure-break" /></div><div class="section" id="s3-systemtap-usingsystemtap"><div class="titlepage"><div><div><h2 class="title" id="s3-systemtap-usingsystemtap">39.3. Using SystemTap</h2></div></div></div><div class="para">
			Systemtap works by translating a SystemTap script to C, running the system C compiler to create a kernel module from that. When the module is loaded, it activates all the probed events by hooking into the kernel. Then, as events occur on any processor, the compiled handlers run. Eventually, the session stops, the hooks are disconnected, and the module removed. This entire process is driven from a single command-line program, <code class="command">stap</code>.
		</div><div class="section" id="s3.1-systemtap-tracing"><div class="titlepage"><div><div><h3 class="title" id="s3.1-systemtap-tracing">39.3.1.  Tracing </h3></div></div></div><div class="para">
				The simplest kind of probe is simply to trace an event. This is the effect of inserting strategically located print statements into a program. This is often the first step of problem solving: explore by seeing a history of what has happened.
			</div><div class="para">
				This style of instrumentation is the simplest. It just asks systemtap to print something at each event. To express this in the script language, you need to say where to probe and what to print there.
			</div><div class="section" id="s3.1.1-systemtap-where"><div class="titlepage"><div><div><h4 class="title" id="s3.1.1-systemtap-where">39.3.1.1. Where to Probe</h4></div></div></div><div class="para">
					Systemtap supports a number of built-in events. The library of scripts that comes with systemtap, each called a "tapset", may define additional ones defined in terms of the built-in family. See the <code class="command">stapprobes</code> man page for details. All these events are named using a unified syntax that looks like dot-separated parameterized identifiers:
				</div><div class="table" id="table-systemtap-commands"><h6>Table 39.1. SystemTap Events</h6><div class="table-contents"><table summary="SystemTap Events" border="1"><colgroup><col width="50%" class="event" /><col width="50%" class="description" /></colgroup><thead><tr><th>
									Event
								</th><th>
									Description
								</th></tr></thead><tbody><tr><td>
									<code class="command">begin</code>
								</td><td>
									The startup of the systemtap session.
								</td></tr><tr><td>
									<code class="command">end</code>
								</td><td>
									The end of the systemtap session.
								</td></tr><tr><td>
									<code class="command">kernel.function("sys_open")</code>
								</td><td>
									The entry to the function named sys_open in the kernel.
								</td></tr><tr><td>
									<code class="command">syscall.close.return</code>
								</td><td>
									The return from the close system call..
								</td></tr><tr><td>
									<code class="command">module("ext3").statement(0xdeadbeef)</code>
								</td><td>
									The addressed instruction in the ext3 filesystem driver.
								</td></tr><tr><td>
									<code class="command">timer.ms(200)</code>
								</td><td>
									A timer that fires every 200 milliseconds.
								</td></tr></tbody></table></div></div><br class="table-break" /><div class="para">
					We will use as a demonstration case that you would like to trace all function entries and exits in a source file, for example <code class="command">net/socket.c</code> in the kernel. The <code class="command">kernel.function</code> probe point lets you express that easily, since systemtap examines the kernel's debugging information to relate object code to source code. It works like a debugger: if you can name or place it, you can probe it. Use <code class="command">kernel.function("*@net/socket.c")</code> for the function entries, and <code class="command"> kernel.function("*@net/socket.c").return</code> for the exits. Note the use of wildcards in the function name part, and the subsequent <code class="command">@FILENAME</code> part. You can also put wildcards into the file name, and even add a colon (:) and a line number, if you want to restrict the search that precisely. Since systemtap will put a separate probe in every place that matches a probe point, a few wildcards can expand to hundreds or thousands of probes, so be careful what you ask for.
				</div><div class="para">
					Once you identify the probe points, the skeleton of the systemtap script appears. The <code class="command">probe</code> keyword introduces a probe point, or a comma-separated list of them. The following { and } braces enclose the handler for all listed probe points.
				</div><div class="para">
					You can run this script as is, though with empty handlers there will be no output. Put the two lines into a new file. Run <code class="command">stap -v FILE</code>. Terminate it any time with <code class="command">^C</code>. (The <code class="command">-v</code> option tells systemtap to print more verbose messages during its processing. Try the <code class="command">-h</code> option to see more options.)
				</div></div><div class="section" id="s3.1.2-systemtap-what"><div class="titlepage"><div><div><h4 class="title" id="s3.1.2-systemtap-what">39.3.1.2. What to Print</h4></div></div></div><div class="para">
					Since you are interested in each function that was entered and exited, a line should be printed for each, containing the function name. In order to make that list easy to read, systemtap should indent the lines so that functions called by other traced functions are nested deeper. To tell each single process apart from any others that may be running concurrently, systemtap should also print the process ID in the line.
				</div></div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-sysinfo" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 40. Gathering System Information</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-sysinfo-system-processes">40.1. System Processes</a></span></dt><dt><span class="section"><a href="#s1-sysinfo-memory-usage">40.2. Memory Usage</a></span></dt><dt><span class="section"><a href="#s1-sysinfo-filesystems">40.3. File Systems</a></span></dt><dt><span class="section"><a href="#s1-sysinfo-hardware">40.4. Hardware</a></span></dt><dt><span class="section"><a href="#s1-sysinfo-additional-resources">40.5. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-sysinfo-installed-docs">40.5.1. Installed Documentation</a></span></dt></dl></dd></dl></div><a id="id834845" class="indexterm"></a><a id="id901106" class="indexterm"></a><div class="para">
		Before you learn how to configure your system, you should learn how to gather essential system information. For example, you should know how to find the amount of free memory, the amount of available hard drive space, how your hard drive is partitioned, and what processes are running. This chapter discusses how to retrieve this type of information from your Red Hat Enterprise Linux system using simple commands and a few simple programs.
	</div><div class="section" id="s1-sysinfo-system-processes"><div class="titlepage"><div><div><h2 class="title" id="s1-sysinfo-system-processes">40.1. System Processes</h2></div></div></div><a id="id874177" class="indexterm"></a><a id="id863269" class="indexterm"></a><a id="id1044698" class="indexterm"></a><div class="para">
			The <code class="command">ps ax</code> command displays a list of current system processes, including processes owned by other users. To display the owner alongside each process, use the <code class="command">ps aux</code> command. This list is a static list; in other words, it is a snapshot of what was running when you invoked the command. If you want a constantly updated list of running processes, use <code class="command">top</code> as described below.
		</div><div class="para">
			The <code class="command">ps</code> output can be long. To prevent it from scrolling off the screen, you can pipe it through less:
		</div><pre class="screen"><code class="command">ps aux | less</code></pre><div class="para">
			You can use the <code class="command">ps</code> command in combination with the <code class="command">grep</code> command to see if a process is running. For example, to determine if <span class="application"><strong>Emacs</strong></span> is running, use the following command:
		</div><pre class="screen"><code class="command">ps ax | grep emacs</code></pre><a id="id926361" class="indexterm"></a><a id="id1053119" class="indexterm"></a><div class="para">
			The <code class="command">top</code> command displays currently running processes and important information about them including their memory and CPU usage. The list is both real-time and interactive. An example of output from the <code class="command">top</code> command is provided as follows:
		</div><pre class="screen">top - 15:02:46 up 35 min,  4 users,  load average: 0.17, 0.65, 1.00
Tasks: 110 total,   1 running, 107 sleeping,   0 stopped,   2 zombie
Cpu(s): 41.1% us,  2.0% sy,  0.0% ni, 56.6% id,  0.0% wa,  0.3% hi,  0.0% si
Mem:    775024k total,   772028k used,     2996k free,    68468k buffers
Swap:  1048568k total,      176k used,  1048392k free,   441172k cached

PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 4624 root      15   0 40192  18m 7228 S 28.4  2.4   1:23.21 X
 4926 mhideo    15   0 55564  33m 9784 S 13.5  4.4   0:25.96 gnome-terminal
 6475 mhideo    16   0  3612  968  760 R  0.7  0.1   0:00.11 top
 4920 mhideo    15   0 20872  10m 7808 S  0.3  1.4   0:01.61 wnck-applet
    1 root      16   0  1732  548  472 S  0.0  0.1   0:00.23 init
    2 root      34  19     0    0    0 S  0.0  0.0   0:00.00 ksoftirqd/0
    3 root       5 -10     0    0    0 S  0.0  0.0   0:00.03 events/0
    4 root       6 -10     0    0    0 S  0.0  0.0   0:00.02 khelper
    5 root       5 -10     0    0    0 S  0.0  0.0   0:00.00 kacpid
   29 root       5 -10     0    0    0 S  0.0  0.0   0:00.00 kblockd/0
   47 root      16   0     0    0    0 S  0.0  0.0   0:01.74 pdflush
   50 root      11 -10     0    0    0 S  0.0  0.0   0:00.00 aio/0
   30 root      15   0     0    0    0 S  0.0  0.0   0:00.05 khubd
   49 root      16   0     0    0    0 S  0.0  0.0   0:01.44 kswapd0</pre><div class="para">
			To exit <code class="command">top</code>, press the <span class="keycap"><strong>q</strong></span> key.
		</div><div class="para">
			<a class="xref" href="#interactive-top-command">Table 40.1, “Interactive <code class="command">top</code> commands”</a> contains useful interactive commands that you can use with <code class="command">top</code>. For more information, refer to the <code class="command">top</code>(1) manual page.
		</div><div class="table" id="interactive-top-command"><h6>Table 40.1. Interactive <code class="command">top</code> commands</h6><div class="table-contents"><table summary="Interactive top commands" border="1"><colgroup><col class="command" width="50%" /><col class="description" width="50%" /></colgroup><thead><tr><th>
							Command
						</th><th>
							Description
						</th></tr></thead><tbody><tr><td>
							<span class="keycap"><strong>Space</strong></span>
						</td><td>
							Immediately refresh the display
						</td></tr><tr><td>
							<span class="keycap"><strong>h</strong></span>
						</td><td>
							Display a help screen
						</td></tr><tr><td>
							<span class="keycap"><strong>k</strong></span>
						</td><td>
							Kill a process. You are prompted for the process ID and the signal to send to it.
						</td></tr><tr><td>
							<span class="keycap"><strong>n</strong></span>
						</td><td>
							Change the number of processes displayed. You are prompted to enter the number.
						</td></tr><tr><td>
							<span class="keycap"><strong>u</strong></span>
						</td><td>
							Sort by user.
						</td></tr><tr><td>
							<span class="keycap"><strong>M</strong></span>
						</td><td>
							Sort by memory usage.
						</td></tr><tr><td>
							<span class="keycap"><strong>P</strong></span>
						</td><td>
							Sort by CPU usage.
						</td></tr></tbody></table></div></div><br class="table-break" /><a id="id892057" class="indexterm"></a><a id="id892069" class="indexterm"></a><div class="para">
			If you prefer a graphical interface for <code class="command">top</code>, you can use the <span class="application"><strong>GNOME System Monitor</strong></span>. To start it from the desktop, select <span class="guimenu"><strong>System</strong></span> &gt; <span class="guimenuitem"><strong>Administration</strong></span> &gt; <span class="guimenuitem"><strong>System Monitor</strong></span> or type <code class="command">gnome-system-monitor</code> at a shell prompt (such as an XTerm). Select the <span class="guilabel"><strong>Process Listing</strong></span> tab.
		</div><div class="para">
			The <span class="application"><strong>GNOME System Monitor</strong></span> allows you to search for a process in the list of running processes. Using the Gnome System Monitor, you can also view all processes, your processes, or active processes.
		</div><div class="para">
			The <span class="guimenuitem"><strong>Edit</strong></span> menu item allows you to:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					Stop a process.
				</div></li><li class="listitem"><div class="para">
					Continue or start a process.
				</div></li><li class="listitem"><div class="para">
					End a processes.
				</div></li><li class="listitem"><div class="para">
					Kill a process.
				</div></li><li class="listitem"><div class="para">
					Change the priority of a selected process.
				</div></li><li class="listitem"><div class="para">
					Edit the System Monitor preferences. These include changing the interval seconds to refresh the list and selecting process fields to display in the System Monitor window.
				</div></li></ul></div><div class="para">
			The <span class="guimenuitem"><strong>View</strong></span> menu item allows you to:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					View only active processes.
				</div></li><li class="listitem"><div class="para">
					View all processes.
				</div></li><li class="listitem"><div class="para">
					View my processes.
				</div></li><li class="listitem"><div class="para">
					View process dependencies.
				</div></li><li class="listitem"><div class="para">
					Hide a process.
				</div></li><li class="listitem"><div class="para">
					View hidden processes.
				</div></li><li class="listitem"><div class="para">
					View memory maps.
				</div></li><li class="listitem"><div class="para">
					View the files opened by the selected process.
				</div></li></ul></div><div class="para">
			To stop a process, select it and click <span class="guibutton"><strong>End Process</strong></span>. Alternatively you can also stop a process by selecting it, clicking <span class="guimenuitem"><strong>Edit</strong></span> on your menu and selecting <span class="guimenuitem"><strong> Stop Process</strong></span>.
		</div><div class="para">
			To sort the information by a specific column, click on the name of the column. This sorts the information by the selected column in ascending order. Click on the name of the column again to toggle the sort between ascending and descending order.
		</div><div class="figure" id="fig-sysinfo-processes"><div class="figure-contents"><div class="mediaobject"><img src="images/gnome-system-monitor-processes.png" width="444" alt="GNOME System Monitor" /><div class="longdesc"><div class="para">
						Process Listing of GNOME System Monitor
					</div></div></div></div><h6>Figure 40.1. <span class="application">GNOME System Monitor</span></h6></div><br class="figure-break" /></div><div class="section" id="s1-sysinfo-memory-usage"><div class="titlepage"><div><div><h2 class="title" id="s1-sysinfo-memory-usage">40.2. Memory Usage</h2></div></div></div><a id="id1052662" class="indexterm"></a><a id="id1052675" class="indexterm"></a><a id="id1052685" class="indexterm"></a><a id="id1052694" class="indexterm"></a><div class="para">
			The <code class="command">free</code> command displays the total amount of physical memory and swap space for the system as well as the amount of memory that is used, free, shared, in kernel buffers, and cached.
		</div><pre class="screen">             total       used       free     shared    buffers     cached
 Mem:        645712     549720      95992          0     176248     224452
 -/+ buffers/cache:     149020     496692
 Swap:      1310712          0    1310712</pre><div class="para">
			The command <code class="command">free -m</code> shows the same information in megabytes, which are easier to read.
		</div><pre class="screen">             total       used       free     shared    buffers     cached
Mem:           630        536         93          0        172        219
-/+ buffers/cache:        145        485
Swap:         1279          0       1279</pre><div class="para">
			If you prefer a graphical interface for <code class="command">free</code>, you can use the <span class="application"><strong>GNOME System Monitor</strong></span>. To start it from the desktop, go to <span class="guimenu"><strong>System</strong></span> &gt; <span class="guimenuitem"><strong>Administration</strong></span> &gt; <span class="guimenuitem"><strong>System Monitor</strong></span> or type <code class="command">gnome-system-monitor</code> at a shell prompt (such as an XTerm). Click on the <span class="guilabel"><strong>Resources</strong></span> tab.
		</div><div class="figure" id="fig-sysinfo-memory"><div class="figure-contents"><div class="mediaobject"><img src="images/gnome-system-monitor-memory.png" width="444" alt="GNOME System Monitor - Resources tab" /><div class="longdesc"><div class="para">
						Resources tab of the gnome-system-monitor
					</div></div></div></div><h6>Figure 40.2. <span class="application">GNOME System Monitor - Resources tab</span></h6></div><br class="figure-break" /></div><div class="section" id="s1-sysinfo-filesystems"><div class="titlepage"><div><div><h2 class="title" id="s1-sysinfo-filesystems">40.3. File Systems</h2></div></div></div><a id="id1057235" class="indexterm"></a><a id="id1057249" class="indexterm"></a><a id="id1057258" class="indexterm"></a><div class="para">
			The <code class="command">df</code> command reports the system's disk space usage. If you type the command <code class="command">df</code> at a shell prompt, the output looks similar to the following:
		</div><pre class="screen">Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       11675568   6272120   4810348  57% / /dev/sda1
	                 100691      9281     86211  10% /boot
none                     322856         0    322856   0% /dev/shm</pre><div class="para">
			By default, this utility shows the partition size in 1 kilobyte blocks and the amount of used and available disk space in kilobytes. To view the information in megabytes and gigabytes, use the command <code class="command">df -h</code>. The <code class="command">-h</code> argument stands for human-readable format. The output looks similar to the following:
		</div><pre class="screen">Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                        12G  6.0G  4.6G  57% / /dev/sda1
			99M  9.1M   85M  10% /boot
none 			316M     0  316M   0% /dev/shm</pre><a id="id1057307" class="indexterm"></a><a id="id1057328" class="indexterm"></a><div class="para">
			In the list of mounted partitions, there is an entry for <code class="filename">/dev/shm</code>. This entry represents the system's virtual memory file system.
		</div><a id="id1057347" class="indexterm"></a><div class="para">
			The <code class="command">du</code> command displays the estimated amount of space being used by files in a directory. If you type <code class="command">du</code> at a shell prompt, the disk usage for each of the subdirectories is displayed in a list. The grand total for the current directory and subdirectories are also shown as the last line in the list. If you do not want to see the totals for all the subdirectories, use the command <code class="command">du -hs</code> to see only the grand total for the directory in human-readable format. Use the <code class="command">du --help</code> command to see more options.
		</div><div class="para">
			To view the system's partitions and disk space usage in a graphical format, use the <span class="guilabel"><strong>Gnome System Monitor</strong></span> by clicking on <span class="guimenu"><strong>System</strong></span> &gt; <span class="guimenuitem"><strong>Administration</strong></span> &gt; <span class="guimenuitem"><strong>System Monitor</strong></span> or type <code class="command">gnome-system-monitor</code> at a shell prompt (such as an XTerm). Select the File Systems tab to view the system's partitions. The figure below illustrates the File Systems tab.
		</div><div class="figure" id="fig-sysinfo-filesystems"><div class="figure-contents"><div class="mediaobject"><img src="images/gnome-system-monitor-filesystems.png" width="444" alt="GNOME System Monitor - File Systems" /><div class="longdesc"><div class="para">
						File systems tab of the gnome-system-monitor
					</div></div></div></div><h6>Figure 40.3. <span class="application">GNOME System Monitor - File Systems</span></h6></div><br class="figure-break" /></div><div class="section" id="s1-sysinfo-hardware"><div class="titlepage"><div><div><h2 class="title" id="s1-sysinfo-hardware">40.4. Hardware</h2></div></div></div><a id="id1057452" class="indexterm"></a><a id="id1057465" class="indexterm"></a><a id="id1057479" class="indexterm"></a><a id="id1057491" class="indexterm"></a><div class="para">
			If you are having trouble configuring your hardware or just want to know what hardware is in your system, you can use the <span class="application"><strong>Hardware Browser</strong></span> application to display the hardware that can be probed. To start the program from the desktop, select <span class="guimenu"><strong>System</strong></span> (the main menu on the panel) &gt; <span class="guimenuitem"><strong>Administration</strong></span> &gt; <span class="guimenuitem"><strong>Hardware</strong></span> or type <code class="command">hwbrowser</code> at a shell prompt. As shown in <a class="xref" href="#sysinfo-hwbrowser-fig">Figure 40.4, “<span class="application">Hardware Browser</span>”</a>, it displays your CD-ROM devices, diskette drives, hard drives and their partitions, network devices, pointing devices, system devices, and video cards. Click on the category name in the left menu, and the information is displayed.
		</div><div class="figure" id="sysinfo-hwbrowser-fig"><div class="figure-contents"><div class="mediaobject"><img src="images/hwbrowser.png" width="444" alt="Hardware Browser" /><div class="longdesc"><div class="para">
						hwbrowser
					</div></div></div></div><h6>Figure 40.4. <span class="application">Hardware Browser</span></h6></div><br class="figure-break" /><a id="id1057570" class="indexterm"></a><a id="id1057583" class="indexterm"></a><div class="para">
			The <span class="application"><strong>Device Manager</strong></span> application can also be used to display your system hardware. This application can be started by selecting <span class="guimenu"><strong>System</strong></span> (the main menu on the panel) &gt; <span class="guimenuitem"><strong>Administration</strong></span> &gt; <span class="guimenuitem"><strong>Hardware</strong></span> like the <span class="application"><strong>Hardware Browser</strong></span>. To start the application from a terminal, type <code class="command">hal-device-manager</code>. Depending on your installation preferences, the graphical menu above may start this application or the <span class="application"><strong>Hardware Browser</strong></span> when clicked. The figure below illustrates the <span class="application"><strong>Device Manager</strong></span> window.
		</div><div class="figure" id="sysinfo-devicemngr-fig"><div class="figure-contents"><div class="mediaobject"><img src="images/devicemngr.png" width="444" alt="Device Manager" /><div class="longdesc"><div class="para">
						Device Manager
					</div></div></div></div><h6>Figure 40.5. <span class="application">Device Manager</span></h6></div><br class="figure-break" /><div class="para">
			You can also use the <code class="command">lspci</code> command to list all PCI devices. Use the command <code class="command">lspci -v</code> for more verbose information or <code class="command">lspci -vv</code> for very verbose output.
		</div><div class="para">
			For example, <code class="command">lspci</code> can be used to determine the manufacturer, model, and memory size of a system's video card:
		</div><pre class="screen">00:00.0 Host bridge: ServerWorks CNB20LE Host Bridge (rev 06)
00:00.1 Host bridge: ServerWorks CNB20LE Host Bridge (rev 06)
00:01.0 VGA compatible controller: S3 Inc. Savage 4 (rev 04)
00:02.0 Ethernet controller: Intel Corp. 82557/8/9 [Ethernet Pro 100] (rev 08)
00:0f.0 ISA bridge: ServerWorks OSB4 South Bridge (rev 50)
00:0f.1 IDE interface: ServerWorks OSB4 IDE Controller
00:0f.2 USB Controller: ServerWorks OSB4/CSB5 OHCI USB Controller (rev 04)
01:03.0 SCSI storage controller: Adaptec AIC-7892P U160/m (rev 02)
01:05.0 RAID bus controller: IBM ServeRAID Controller</pre><div class="para">
			The <code class="command">lspci</code> is also useful to determine the network card in your system if you do not know the manufacturer or model number.
		</div></div><div class="section" id="s1-sysinfo-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-sysinfo-additional-resources">40.5. Additional Resources</h2></div></div></div><div class="para">
			To learn more about gathering system information, refer to the following resources.
		</div><div class="section" id="s2-sysinfo-installed-docs"><div class="titlepage"><div><div><h3 class="title" id="s2-sysinfo-installed-docs">40.5.1. Installed Documentation</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">ps --help</code> — Displays a list of options that can be used with <code class="command">ps</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">top</code> manual page — Type <code class="command">man top</code> to learn more about <code class="command">top</code> and its many options.
					</div></li><li class="listitem"><div class="para">
						<code class="command">free</code> manual page — type <code class="command">man free</code> to learn more about <code class="command">free</code> and its many options.
					</div></li><li class="listitem"><div class="para">
						<code class="command">df</code> manual page — Type <code class="command">man df</code> to learn more about the <code class="command">df</code> command and its many options.
					</div></li><li class="listitem"><div class="para">
						<code class="command">du</code> manual page — Type <code class="command">man du</code> to learn more about the <code class="command">du</code> command and its many options.
					</div></li><li class="listitem"><div class="para">
						<code class="command">lspci</code> manual page — Type <code class="command">man lspci</code> to learn more about the <code class="command">lspci</code> command and its many options.
					</div></li><li class="listitem"><div class="para">
						<a id="id992201" class="indexterm"></a>
						 <code class="filename">/proc/</code> directory — The contents of the <code class="filename">/proc/</code> directory can also be used to gather more detailed system information.
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-oprofile" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 41. OProfile</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-oprofile-overview-tools">41.1. Overview of Tools</a></span></dt><dt><span class="section"><a href="#s1-oprofile-configuring">41.2. Configuring OProfile</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-oprofile-kernel">41.2.1. Specifying the Kernel</a></span></dt><dt><span class="section"><a href="#s2-oprofile-events">41.2.2. Setting Events to Monitor</a></span></dt><dt><span class="section"><a href="#s2-oprofile-starting-separate">41.2.3. Separating Kernel and User-space Profiles</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-oprofile-starting">41.3. Starting and Stopping OProfile</a></span></dt><dt><span class="section"><a href="#s1-oprofile-saving-data">41.4. Saving Data</a></span></dt><dt><span class="section"><a href="#s1-oprofile-analyzing-data">41.5. Analyzing the Data</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-oprofile-reading-opreport">41.5.1. Using <code class="command">opreport</code></a></span></dt><dt><span class="section"><a href="#s2-oprofile-reading-opreport-single">41.5.2. Using <code class="command">opreport</code> on a Single Executable</a></span></dt><dt><span class="section"><a href="#s2-oprofile-module-output">41.5.3. Getting more detailed output on the modules</a></span></dt><dt><span class="section"><a href="#s2-oprofile-reading-opannotate">41.5.4. Using <code class="command">opannotate</code></a></span></dt></dl></dd><dt><span class="section"><a href="#s1-oprofile-dev-oprofile">41.6. Understanding <code class="filename">/dev/oprofile/</code></a></span></dt><dt><span class="section"><a href="#s1-oprofile-example-usage">41.7. Example Usage</a></span></dt><dt><span class="section"><a href="#s1-oprofile-gui">41.8. Graphical Interface</a></span></dt><dt><span class="section"><a href="#s1-oprofile-additional-resources">41.9. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-oprofile-installed-docs">41.9.1. Installed Docs</a></span></dt><dt><span class="section"><a href="#s2-oprofile-useful-websites">41.9.2. Useful Websites</a></span></dt></dl></dd></dl></div><a id="id1075752" class="indexterm"></a><a id="id828814" class="indexterm"></a><div class="para">
		OProfile is a low overhead, system-wide performance monitoring tool. It uses the performance monitoring hardware on the processor to retrieve information about the kernel and executables on the system, such as when memory is referenced, the number of L2 cache requests, and the number of hardware interrupts received. On a Red Hat Enterprise Linux system, the <code class="filename">oprofile</code> RPM package must be installed to use this tool.
	</div><div class="para">
		Many processors include dedicated performance monitoring hardware. This hardware makes it possible to detect when certain events happen (such as the requested data not being in cache). The hardware normally takes the form of one or more <em class="firstterm">counters</em> that are incremented each time an event takes place. When the counter value, essentially rolls over, an interrupt is generated, making it possible to control the amount of detail (and therefore, overhead) produced by performance monitoring.
	</div><div class="para">
		OProfile uses this hardware (or a timer-based substitute in cases where performance monitoring hardware is not present) to collect <em class="firstterm">samples</em> of performance-related data each time a counter generates an interrupt. These samples are periodically written out to disk; later, the data contained in these samples can then be used to generate reports on system-level and application-level performance.
	</div><div class="para">
		OProfile is a useful tool, but be aware of some limitations when using it:
	</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
				<span class="emphasis"><em>Use of shared libraries</em></span> — Samples for code in shared libraries are not attributed to the particular application unless the <code class="option">--separate=library</code> option is used.
			</div></li><li class="listitem"><div class="para">
				<span class="emphasis"><em>Performance monitoring samples are inexact</em></span> — When a performance monitoring register triggers a sample, the interrupt handling is not precise like a divide by zero exception. Due to the out-of-order execution of instructions by the processor, the sample may be recorded on a nearby instruction.
			</div></li><li class="listitem"><div class="para">
				<span class="emphasis"><em><code class="command">opreport</code> does not associate samples for inline functions' properly</em></span> — <code class="command">opreport</code> uses a simple address range mechanism to determine which function an address is in. Inline function samples are not attributed to the inline function but rather to the function the inline function was inserted into.
			</div></li><li class="listitem"><div class="para">
				<span class="emphasis"><em>OProfile accumulates data from multiple runs</em></span> — OProfile is a system-wide profiler and expects processes to start up and shut down multiple times. Thus, samples from multiple runs accumulate. Use the command <code class="command">opcontrol --reset</code> to clear out the samples from previous runs.
			</div></li><li class="listitem"><div class="para">
				<span class="emphasis"><em>Non-CPU-limited performance problems</em></span> — OProfile is oriented to finding problems with CPU-limited processes. OProfile does not identify processes that are asleep because they are waiting on locks or for some other event to occur (for example an I/O device to finish an operation).
			</div></li></ul></div><div class="section" id="s1-oprofile-overview-tools"><div class="titlepage"><div><div><h2 class="title" id="s1-oprofile-overview-tools">41.1. Overview of Tools</h2></div></div></div><a id="id1058360" class="indexterm"></a><div class="para">
			<a class="xref" href="#tb-oprofile-tools">Table 41.1, “OProfile Commands”</a> provides a brief overview of the tools provided with the <code class="filename">oprofile</code> package.
		</div><div class="table" id="tb-oprofile-tools"><h6>Table 41.1. OProfile Commands</h6><div class="table-contents"><table summary="OProfile Commands" border="1"><colgroup><col width="29%" class="command" /><col width="71%" class="description" /></colgroup><thead><tr><th>
							Command
						</th><th>
							Description
						</th></tr></thead><tbody><tr><td>
							<code class="command">ophelp</code>
						</td><td>
							<div class="para">
								Displays available events for the system's processor along with a brief description of each.
							</div>

</td></tr><tr><td>
							<code class="command">opimport</code>
						</td><td>
							<div class="para">
								Converts sample database files from a foreign binary format to the native format for the system. Only use this option when analyzing a sample database from a different architecture.
							</div>

</td></tr><tr><td>
							<code class="command">opannotate</code>
						</td><td>
							Creates annotated source for an executable if the application was compiled with debugging symbols. Refer to <a class="xref" href="#s2-oprofile-reading-opannotate">Section 41.5.4, “Using <code class="command">opannotate</code>”</a> for details.
						</td></tr><tr><td>
							<code class="command">opcontrol</code>
						</td><td>
							<div class="para">
								Configures what data is collected. Refer to <a class="xref" href="#s1-oprofile-configuring">Section 41.2, “Configuring OProfile”</a> for details.
							</div>

</td></tr><tr><td>
							<code class="command">opreport</code>
						</td><td>
							<div class="para">
								Retrieves profile data. Refer to <a class="xref" href="#s2-oprofile-reading-opreport">Section 41.5.1, “Using <code class="command">opreport</code>”</a> for details.
							</div>

</td></tr><tr><td>
							<code class="command">oprofiled</code>
						</td><td>
							<div class="para">
								Runs as a daemon to periodically write sample data to disk.
							</div>

</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="s1-oprofile-configuring"><div class="titlepage"><div><div><h2 class="title" id="s1-oprofile-configuring">41.2. Configuring OProfile</h2></div></div></div><a id="id900279" class="indexterm"></a><a id="id900293" class="indexterm"></a><a id="id900309" class="indexterm"></a><div class="para">
			Before OProfile can be run, it must be configured. At a minimum, selecting to monitor the kernel (or selecting not to monitor the kernel) is required. The following sections describe how to use the <code class="command">opcontrol</code> utility to configure OProfile. As the <code class="command">opcontrol</code> commands are executed, the setup options are saved to the <code class="filename">/root/.oprofile/daemonrc</code> file.
		</div><div class="section" id="s2-oprofile-kernel"><div class="titlepage"><div><div><h3 class="title" id="s2-oprofile-kernel">41.2.1. Specifying the Kernel</h3></div></div></div><a id="id900351" class="indexterm"></a><div class="para">
				First, configure whether OProfile should monitor the kernel. This is the only configuration option that is required before starting OProfile. All others are optional.
			</div><div class="para">
				To monitor the kernel, execute the following command as root:
			</div><a id="id900374" class="indexterm"></a><pre class="screen"><code class="command">opcontrol --setup --vmlinux=/usr/lib/debug/lib/modules/`uname -r`/vmlinux</code></pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					The <code class="command">debuginfo</code> package must be installed (which contains the uncompressed kernel) in order to monitor the kernel.
				</div></div></div><div class="para">
				To configure OProfile not to monitor the kernel, execute the following command as root:
			</div><a id="id1055579" class="indexterm"></a><pre class="screen"><code class="command">opcontrol --setup --no-vmlinux</code></pre><div class="para">
				This command also loads the <code class="computeroutput">oprofile</code> kernel module, if it is not already loaded, and creates the <code class="filename">/dev/oprofile/</code> directory, if it does not already exist. Refer to <a class="xref" href="#s1-oprofile-dev-oprofile">Section 41.6, “Understanding <code class="filename">/dev/oprofile/</code>”</a> for details about this directory.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					Even if OProfile is configured not to profile the kernel, the SMP kernel still must be running so that the <code class="command">oprofile</code> module can be loaded from it.
				</div></div></div><div class="para">
				Setting whether samples should be collected within the kernel only changes what data is collected, not how or where the collected data is stored. To generate different sample files for the kernel and application libraries, refer to <a class="xref" href="#s2-oprofile-starting-separate">Section 41.2.3, “Separating Kernel and User-space Profiles”</a>.
			</div></div><div class="section" id="s2-oprofile-events"><div class="titlepage"><div><div><h3 class="title" id="s2-oprofile-events">41.2.2. Setting Events to Monitor</h3></div></div></div><a id="id1055658" class="indexterm"></a><div class="para">
				Most processors contain <em class="firstterm">counters</em>, which are used by OProfile to monitor specific events. As shown in <a class="xref" href="#tb-oprofile-processors">Table 41.2, “OProfile Processors and Counters”</a>, the number of counters available depends on the processor.
			</div><div class="table" id="tb-oprofile-processors"><h6>Table 41.2. OProfile Processors and Counters</h6><div class="table-contents"><table summary="OProfile Processors and Counters" border="1"><colgroup><col width="43%" class="option" /><col width="29%" class="description" /><col width="29%" class="description" /></colgroup><thead><tr><th>
								Processor
							</th><th>
								<code class="command">cpu_type</code>
							</th><th>
								Number of Counters
							</th></tr></thead><tbody><tr><td>
								Pentium Pro
							</td><td>
								i386/ppro
							</td><td>
								2
							</td></tr><tr><td>
								Pentium II
							</td><td>
								i386/pii
							</td><td>
								2
							</td></tr><tr><td>
								Pentium III
							</td><td>
								i386/piii
							</td><td>
								2
							</td></tr><tr><td>
								Pentium 4 (non-hyper-threaded)
							</td><td>
								i386/p4
							</td><td>
								8
							</td></tr><tr><td>
								Pentium 4 (hyper-threaded)
							</td><td>
								i386/p4-ht
							</td><td>
								4
							</td></tr><tr><td>
								Athlon
							</td><td>
								i386/athlon
							</td><td>
								4
							</td></tr><tr><td>
								AMD64
							</td><td>
								x86-64/hammer
							</td><td>
								4
							</td></tr><tr><td>
								Itanium
							</td><td>
								ia64/itanium
							</td><td>
								4
							</td></tr><tr><td>
								Itanium 2
							</td><td>
								ia64/itanium2
							</td><td>
								4
							</td></tr><tr><td>
								TIMER_INT
							</td><td>
								timer
							</td><td>
								1
							</td></tr><tr><td>
								IBM eServer iSeries and pSeries
							</td><td>
								timer
							</td><td>
								1
							</td></tr><tr><td>
							</td><td>
								ppc64/power4
							</td><td>
								8
							</td></tr><tr><td>
							</td><td>
								ppc64/power5
							</td><td>
								6
							</td></tr><tr><td>
							</td><td>
								ppc64/970
							</td><td>
								8
							</td></tr><tr><td>
								IBM eServer S/390 and S/390x
							</td><td>
								timer
							</td><td>
								1
							</td></tr><tr><td>
								IBM eServer zSeries
							</td><td>
								timer
							</td><td>
								1
							</td></tr></tbody></table></div></div><br class="table-break" /><div class="para">
				Use <a class="xref" href="#tb-oprofile-processors">Table 41.2, “OProfile Processors and Counters”</a> to verify that the correct processor type was detected and to determine the number of events that can be monitored simultaneously. <code class="computeroutput">timer</code> is used as the processor type if the processor does not have supported performance monitoring hardware.
			</div><div class="para">
				If <code class="computeroutput">timer</code> is used, events cannot be set for any processor because the hardware does not have support for hardware performance counters. Instead, the timer interrupt is used for profiling.
			</div><div class="para">
				If <code class="computeroutput">timer</code> is not used as the processor type, the events monitored can be changed, and counter 0 for the processor is set to a time-based event by default. If more than one counter exists on the processor, the counters other than counter 0 are not set to an event by default. The default events monitored are shown in <a class="xref" href="#tb-oprofile-default-events">Table 41.3, “Default Events”</a>.
			</div><div class="table" id="tb-oprofile-default-events"><h6>Table 41.3. Default Events</h6><div class="table-contents"><table summary="Default Events" border="1"><colgroup><col width="25%" class="option" /><col width="33%" class="description" /><col width="42%" class="description" /></colgroup><thead><tr><th>
								Processor
							</th><th>
								Default Event for Counter
							</th><th>
								Description
							</th></tr></thead><tbody><tr><td>
								Pentium Pro, Pentium II, Pentium III, Athlon, AMD64
							</td><td>
								CPU_CLK_UNHALTED
							</td><td>
								The processor's clock is not halted
							</td></tr><tr><td>
								Pentium 4 (HT and non-HT)
							</td><td>
								GLOBAL_POWER_EVENTS
							</td><td>
								The time during which the processor is not stopped
							</td></tr><tr><td>
								Itanium 2
							</td><td>
								CPU_CYCLES
							</td><td>
								CPU Cycles
							</td></tr><tr><td>
								TIMER_INT
							</td><td>
								(none)
							</td><td>
								Sample for each timer interrupt
							</td></tr><tr><td>
								ppc64/power4
							</td><td>
								CYCLES
							</td><td>
								Processor Cycles
							</td></tr><tr><td>
								ppc64/power5
							</td><td>
								CYCLES
							</td><td>
								Processor Cycles
							</td></tr><tr><td>
								ppc64/970
							</td><td>
								CYCLES
							</td><td>
								Processor Cycles
							</td></tr></tbody></table></div></div><br class="table-break" /><div class="para">
				The number of events that can be monitored at one time is determined by the number of counters for the processor. However, it is not a one-to-one correlation; on some processors, certain events must be mapped to specific counters. To determine the number of counters available, execute the following command:
			</div><pre class="screen"><code class="command">ls -d /dev/oprofile/[0-9]*</code></pre><div class="para">
				The events available vary depending on the processor type. To determine the events available for profiling, execute the following command as root (the list is specific to the system's processor type):
			</div><a id="id994302" class="indexterm"></a><a id="id868312" class="indexterm"></a><pre class="screen"><code class="command">ophelp</code></pre><div class="para">
				The events for each counter can be configured via the command line or with a graphical interface. For more information on the graphical interface, refer to <a class="xref" href="#s1-oprofile-gui">Section 41.8, “Graphical Interface”</a>. If the counter cannot be set to a specific event, an error message is displayed.
			</div><div class="para">
				To set the event for each configurable counter via the command line, use <code class="command">opcontrol</code>:
			</div><pre class="screen"><code class="command">opcontrol --event=<em class="replaceable"><code>&lt;event-name&gt;</code></em>:<em class="replaceable"><code>&lt;sample-rate&gt;</code></em></code></pre><div class="para">
				Replace <em class="replaceable"><code>&lt;event-name&gt;</code></em> with the exact name of the event from <code class="command">ophelp</code>, and replace <em class="replaceable"><code>&lt;sample-rate&gt;</code></em> with the number of events between samples.
			</div><div class="section" id="s3-oprofile-events-sampling"><div class="titlepage"><div><div><h4 class="title" id="s3-oprofile-events-sampling">41.2.2.1. Sampling Rate</h4></div></div></div><a id="id868382" class="indexterm"></a><div class="para">
					By default, a time-based event set is selected. It creates a sample every 100,000 clock cycles per processor. If the timer interrupt is used, the timer is set to whatever the jiffy rate is and is not user-settable. If the <code class="computeroutput">cpu_type</code> is not <code class="computeroutput">timer</code>, each event can have a <em class="firstterm">sampling rate</em> set for it. The sampling rate is the number of events between each sample snapshot.
				</div><div class="para">
					When setting the event for the counter, a sample rate can also be specified:
				</div><pre class="screen"><code class="command">opcontrol --event=<em class="replaceable"><code>&lt;event-name&gt;</code></em>:<em class="replaceable"><code>&lt;sample-rate&gt;</code></em></code></pre><div class="para">
					Replace <em class="replaceable"><code>&lt;sample-rate&gt;</code></em> with the number of events to wait before sampling again. The smaller the count, the more frequent the samples. For events that do not happen frequently, a lower count may be needed to capture the event instances.
				</div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
						Be extremely careful when setting sampling rates. Sampling too frequently can overload the system, causing the system to appear as if it is frozen or causing the system to actually freeze.
					</div></div></div></div><div class="section" id="s3-oprofile-events-unit-masks"><div class="titlepage"><div><div><h4 class="title" id="s3-oprofile-events-unit-masks">41.2.2.2. Unit Masks</h4></div></div></div><a id="id868465" class="indexterm"></a><div class="para">
					Some user performance monitoring events may also require unit masks to further define the event.
				</div><div class="para">
					Unit masks for each event are listed with the <code class="command">ophelp</code> command. The values for each unit mask are listed in hexadecimal format. To specify more than one unit mask, the hexadecimal values must be combined using a bitwise <em class="firstterm">or</em> operation.
				</div><pre class="screen"><code class="command">opcontrol --event=<em class="replaceable"><code>&lt;event-name&gt;</code></em>:<em class="replaceable"><code>&lt;sample-rate&gt;</code></em>:<em class="replaceable"><code>&lt;unit-mask&gt;</code></em></code></pre></div></div><div class="section" id="s2-oprofile-starting-separate"><div class="titlepage"><div><div><h3 class="title" id="s2-oprofile-starting-separate">41.2.3. Separating Kernel and User-space Profiles</h3></div></div></div><a id="id868523" class="indexterm"></a><div class="para">
				By default, kernel mode and user mode information is gathered for each event. To configure OProfile to ignore events in kernel mode for a specific counter, execute the following command:
			</div><pre class="screen"><code class="command">opcontrol --event=<em class="replaceable"><code>&lt;event-name&gt;</code></em>:<em class="replaceable"><code>&lt;sample-rate&gt;</code></em>:<em class="replaceable"><code>&lt;unit-mask&gt;</code></em>:0</code></pre><div class="para">
				Execute the following command to start profiling kernel mode for the counter again:
			</div><pre class="screen"><code class="command">opcontrol --event=<em class="replaceable"><code>&lt;event-name&gt;</code></em>:<em class="replaceable"><code>&lt;sample-rate&gt;</code></em>:<em class="replaceable"><code>&lt;unit-mask&gt;</code></em>:1</code></pre><div class="para">
				To configure OProfile to ignore events in user mode for a specific counter, execute the following command:
			</div><pre class="screen"><code class="command">opcontrol --event=<em class="replaceable"><code>&lt;event-name&gt;</code></em>:<em class="replaceable"><code>&lt;sample-rate&gt;</code></em>:<em class="replaceable"><code>&lt;unit-mask&gt;</code></em>:<em class="replaceable"><code>&lt;kernel&gt;</code></em>:0</code></pre><div class="para">
				Execute the following command to start profiling user mode for the counter again:
			</div><pre class="screen"><code class="command">opcontrol --event=<em class="replaceable"><code>&lt;event-name&gt;</code></em>:<em class="replaceable"><code>&lt;sample-rate&gt;</code></em>:<em class="replaceable"><code>&lt;unit-mask&gt;</code></em>:<em class="replaceable"><code>&lt;kernel&gt;</code></em>:1</code></pre><div class="para">
				When the OProfile daemon writes the profile data to sample files, it can separate the kernel and library profile data into separate sample files. To configure how the daemon writes to sample files, execute the following command as root:
			</div><pre class="screen"><code class="command">opcontrol --separate=<em class="replaceable"><code>&lt;choice&gt;</code></em></code></pre><div class="para">
				<em class="replaceable"><code>&lt;choice&gt;</code></em> can be one of the following:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="computeroutput">none</code> — do not separate the profiles (default)
					</div></li><li class="listitem"><div class="para">
						<code class="command">library</code> — generate per-application profiles for libraries
					</div></li><li class="listitem"><div class="para">
						<code class="command">kernel</code> — generate per-application profiles for the kernel and kernel modules
					</div></li><li class="listitem"><div class="para">
						<code class="command">all</code> — generate per-application profiles for libraries and per-application profiles for the kernel and kernel modules
					</div></li></ul></div><div class="para">
				If <code class="option">--separate=library</code> is used, the sample file name includes the name of the executable as well as the name of the library.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					These configuration changes will take effect when <code class="command">oprofile</code> is restarted.
				</div></div></div></div></div><div class="section" id="s1-oprofile-starting"><div class="titlepage"><div><div><h2 class="title" id="s1-oprofile-starting">41.3. Starting and Stopping OProfile</h2></div></div></div><a id="id868745" class="indexterm"></a><div class="para">
			To start monitoring the system with OProfile, execute the following command as root:
		</div><a id="id868763" class="indexterm"></a><pre class="screen"><code class="command">opcontrol --start</code></pre><div class="para">
			Output similar to the following is displayed:
		</div><pre class="screen">Using log file /var/lib/oprofile/oprofiled.log Daemon started. Profiler running.</pre><div class="para">
			The settings in <code class="filename">/root/.oprofile/daemonrc</code> are used.
		</div><a id="id868808" class="indexterm"></a><a id="id868825" class="indexterm"></a><a id="id868842" class="indexterm"></a><div class="para">
			The OProfile daemon, <code class="command">oprofiled</code>, is started; it periodically writes the sample data to the <code class="filename">/var/lib/oprofile/samples/</code> directory. The log file for the daemon is located at <code class="filename">/var/lib/oprofile/oprofiled.log</code>.
		</div><div class="para">
			To stop the profiler, execute the following command as root:
		</div><pre class="screen"><code class="command">opcontrol --shutdown</code></pre></div><div class="section" id="s1-oprofile-saving-data"><div class="titlepage"><div><div><h2 class="title" id="s1-oprofile-saving-data">41.4. Saving Data</h2></div></div></div><a id="id868898" class="indexterm"></a><div class="para">
			Sometimes it is useful to save samples at a specific time. For example, when profiling an executable, it may be useful to gather different samples based on different input data sets. If the number of events to be monitored exceeds the number of counters available for the processor, multiple runs of OProfile can be used to collect data, saving the sample data to different files each time.
		</div><div class="para">
			To save the current set of sample files, execute the following command, replacing <em class="replaceable"><code>&lt;name&gt;</code></em> with a unique descriptive name for the current session.
		</div><pre class="screen"><code class="command">opcontrol --save=<em class="replaceable"><code>&lt;name&gt;</code></em></code></pre><div class="para">
			The directory <code class="filename">/var/lib/oprofile/samples/<em class="replaceable"><code>name</code></em>/</code> is created and the current sample files are copied to it.
		</div></div><div class="section" id="s1-oprofile-analyzing-data"><div class="titlepage"><div><div><h2 class="title" id="s1-oprofile-analyzing-data">41.5. Analyzing the Data</h2></div></div></div><a id="id868957" class="indexterm"></a><div class="para">
			Periodically, the OProfile daemon, <code class="command">oprofiled</code>, collects the samples and writes them to the <code class="filename">/var/lib/oprofile/samples/</code> directory. Before reading the data, make sure all data has been written to this directory by executing the following command as root:
		</div><pre class="screen"><code class="command">opcontrol --dump</code></pre><div class="para">
			Each sample file name is based on the name of the executable. For example, the samples for the default event on a Pentium III processor for <code class="command">/bin/bash</code> becomes:
		</div><pre class="screen">\{root\}/bin/bash/\{dep\}/\{root\}/bin/bash/CPU_CLK_UNHALTED.100000</pre><div class="para">
			The following tools are available to profile the sample data once it has been collected:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="command">opreport</code>
				</div></li><li class="listitem"><div class="para">
					<code class="command">opannotate</code>
				</div></li></ul></div><div class="para">
			Use these tools, along with the binaries profiled, to generate reports that can be further analyzed.
		</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
				The executable being profiled must be used with these tools to analyze the data. If it must change after the data is collected, backup the executable used to create the samples as well as the sample files. Please note that the sample file and the binary have to agree. Making a backup isn't going to work if they do not match. <code class="command">oparchive</code> can be used to address this problem.
			</div></div></div><div class="para">
			Samples for each executable are written to a single sample file. Samples from each dynamically linked library are also written to a single sample file. While OProfile is running, if the executable being monitored changes and a sample file for the executable exists, the existing sample file is automatically deleted. Thus, if the existing sample file is needed, it must be backed up, along with the executable used to create it before replacing the executable with a new version. The oprofile analysis tools use the executable file that created the samples during analysis. If the executable changes the analysis tools will be unable to analyze the associated samples. Refer to <a class="xref" href="#s1-oprofile-saving-data">Section 41.4, “Saving Data”</a> for details on how to backup the sample file.
		</div><div class="section" id="s2-oprofile-reading-opreport"><div class="titlepage"><div><div><h3 class="title" id="s2-oprofile-reading-opreport">41.5.1. Using <code class="command">opreport</code></h3></div></div></div><a id="id869084" class="indexterm"></a><a id="id869101" class="indexterm"></a><div class="para">
				The <code class="command">opreport</code> tool provides an overview of all the executables being profiled.
			</div><div class="para">
				The following is part of a sample output:
			</div><pre class="screen">Profiling through timer interrupt
TIMER:0|
samples|      %|
------------------
25926 97.5212 no-vmlinux
359  1.3504 pi
65  0.2445 Xorg
62  0.2332 libvte.so.4.4.0
56  0.2106 libc-2.3.4.so
34  0.1279 libglib-2.0.so.0.400.7
19  0.0715 libXft.so.2.1.2
17  0.0639 bash
8  0.0301 ld-2.3.4.so
8  0.0301 libgdk-x11-2.0.so.0.400.13
6  0.0226 libgobject-2.0.so.0.400.7
5  0.0188 oprofiled
4  0.0150 libpthread-2.3.4.so
4  0.0150 libgtk-x11-2.0.so.0.400.13
3  0.0113 libXrender.so.1.2.2
3  0.0113 du
1  0.0038 libcrypto.so.0.9.7a
1  0.0038 libpam.so.0.77
1  0.0038 libtermcap.so.2.0.8
1  0.0038 libX11.so.6.2
1  0.0038 libgthread-2.0.so.0.400.7
1  0.0038 libwnck-1.so.4.9.0</pre><div class="para">
				Each executable is listed on its own line. The first column is the number of samples recorded for the executable. The second column is the percentage of samples relative to the total number of samples. The third column is the name of the executable.
			</div><div class="para">
				Refer to the <code class="command">opreport</code> man page for a list of available command line options, such as the <code class="option">-r</code> option used to sort the output from the executable with the smallest number of samples to the one with the largest number of samples.
			</div></div><div class="section" id="s2-oprofile-reading-opreport-single"><div class="titlepage"><div><div><h3 class="title" id="s2-oprofile-reading-opreport-single">41.5.2. Using <code class="command">opreport</code> on a Single Executable</h3></div></div></div><a id="id869172" class="indexterm"></a><a id="id869193" class="indexterm"></a><div class="para">
				To retrieve more detailed profiled information about a specific executable, use <code class="command">opreport</code>:
			</div><pre class="screen"><code class="command">opreport <em class="replaceable"><code>&lt;mode&gt;</code></em> <em class="replaceable"><code>&lt;executable&gt;</code></em></code></pre><div class="para">
				<em class="replaceable"><code>&lt;executable&gt;</code></em> must be the full path to the executable to be analyzed. <em class="replaceable"><code>&lt;mode&gt;</code></em> must be one of the following:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"><code class="option">-l</code></span></dt><dd><div class="para">
							List sample data by symbols. For example, the following is part of the output from running the command <code class="command">opreport -l /lib/tls/libc-<em class="replaceable"><code>&lt;version&gt;</code></em>.so</code>:
						</div><pre class="screen">samples  %        symbol name
12       21.4286  __gconv_transform_utf8_internal
5         8.9286  _int_malloc
4         7.1429  malloc
3         5.3571  __i686.get_pc_thunk.bx
3         5.3571  _dl_mcount_wrapper_check
3         5.3571  mbrtowc
3         5.3571  memcpy
2         3.5714  _int_realloc
2         3.5714  _nl_intern_locale_data
2         3.5714  free
2         3.5714  strcmp
1         1.7857  __ctype_get_mb_cur_max
1         1.7857  __unregister_atfork
1         1.7857  __write_nocancel
1         1.7857  _dl_addr
1         1.7857  _int_free
1         1.7857  _itoa_word
1         1.7857  calc_eclosure_iter
1         1.7857  fopen@@GLIBC_2.1
1         1.7857  getpid
1         1.7857  memmove
1         1.7857  msort_with_tmp
1         1.7857  strcpy
1         1.7857  strlen
1         1.7857  vfprintf
1         1.7857  write</pre><div class="para">
							The first column is the number of samples for the symbol, the second column is the percentage of samples for this symbol relative to the overall samples for the executable, and the third column is the symbol name.
						</div><div class="para">
							To sort the output from the largest number of samples to the smallest (reverse order), use <code class="option">-r</code> in conjunction with the <code class="option">-l</code> option.
						</div></dd><dt class="varlistentry"><span class="term"><code class="option">-i <em class="replaceable"><code>&lt;symbol-name&gt;</code></em></code></span></dt><dd><div class="para">
							List sample data specific to a symbol name. For example, the following output is from the command <code class="command">opreport -l -i __gconv_transform_utf8_internal /lib/tls/libc-<em class="replaceable"><code>&lt;version&gt;</code></em>.so</code>:
						</div><pre class="screen">samples  %        symbol name
12       100.000  __gconv_transform_utf8_internal</pre><div class="para">
							The first line is a summary for the symbol/executable combination.
						</div><div class="para">
							The first column is the number of samples for the memory symbol. The second column is the percentage of samples for the memory address relative to the total number of samples for the symbol. The third column is the symbol name.
						</div></dd><dt class="varlistentry"><span class="term"><code class="option">-d</code></span></dt><dd><div class="para">
							List sample data by symbols with more detail than <code class="option">-l</code>. For example, the following output is from the command <code class="command">opreport -l -d __gconv_transform_utf8_internal /lib/tls/libc-<em class="replaceable"><code>&lt;version&gt;</code></em>.so</code>:
						</div><pre class="screen">vma      samples  %        symbol name
00a98640 12       100.000  __gconv_transform_utf8_internal
00a98640 1         8.3333
00a9868c 2        16.6667
00a9869a 1         8.3333
00a986c1 1         8.3333
00a98720 1         8.3333
00a98749 1         8.3333
00a98753 1         8.3333
00a98789 1         8.3333
00a98864 1         8.3333
00a98869 1         8.3333
00a98b08 1         8.3333</pre><div class="para">
							The data is the same as the <code class="option">-l</code> option except that for each symbol, each virtual memory address used is shown. For each virtual memory address, the number of samples and percentage of samples relative to the number of samples for the symbol is displayed.
						</div></dd><dt class="varlistentry"><span class="term"><code class="option">-x</code><em class="replaceable"><code>&lt;symbol-name&gt;</code></em></span></dt><dd><div class="para">
							Exclude the comma-separated list of symbols from the output.
						</div></dd><dt class="varlistentry"><span class="term"><code class="option">session</code>:<em class="replaceable"><code>&lt;name&gt;</code></em></span></dt><dd><div class="para">
							Specify the full path to the session or a directory relative to the <code class="filename">/var/lib/oprofile/samples/</code> directory.
						</div></dd></dl></div></div><div class="section" id="s2-oprofile-module-output"><div class="titlepage"><div><div><h3 class="title" id="s2-oprofile-module-output">41.5.3. Getting more detailed output on the modules</h3></div></div></div><a id="id869442" class="indexterm"></a><a id="id869459" class="indexterm"></a><div class="para">
				OProfile collects data on a system-wide basis for kernel- and user-space code running on the machine. However, once a module is loaded into the kernel, the information about the origin of the kernel module is lost. The module could have come from the initrd file on boot up, the directory with the various kernel modules, or a locally created kernel module. As a result when OProfile records sample for a module, it just lists the samples for the modules for an executable in the root directory, but this is unlikely to be the place with the actual code for the module. You will need to take some steps to make sure that analysis tools get the executable.
			</div><div class="para">
				For example on an AMD64 machine the sampling is set up to record "Data cache accesses" and "Data cache misses" and assuming you would like to see the data for the ext3 module:
			</div><pre class="screen">~]$ <code class="command">opreport /ext3</code>
CPU: AMD64 processors, speed 797.948 MHz (estimated)
Counted DATA_CACHE_ACCESSES events (Data cache accesses) with a unit mask of 0x00 (No unit mask) count 500000
Counted DATA_CACHE_MISSES events (Data cache misses) with a unit mask of 0x00 (No unit mask) count 500000
DATA_CACHE_ACC...|DATA_CACHE_MIS...|
samples|      %|  samples|      %|
------------------------------------
148721 100.000      1493 100.000 ext3</pre><div class="para">
				To get a more detailed view of the actions of the module, you will need to either have the module unstripped (e.g. installed from a custom build) or have the debuginfo RPM installed for the kernel.
			</div><div class="para">
				Find out which kernel is running, "uname -a", get the appropriate debuginfo rpm, and install on the machine.
			</div><div class="para">
				Then make a symbolic link so oprofile finds the code for the module in the correct place: 
<pre class="screen">~]# <code class="command">ln -s /lib/modules/`uname -r`/kernel/fs/ext3/ext3.ko /ext3</code></pre>
				 Then the detailed information can be obtained with:
			</div><pre class="screen">~]# <code class="command">opreport image:/ext3 -l|more</code>
warning: could not check that the binary file /ext3 has not been modified since the profile was taken. Results may be inaccurate.
CPU: AMD64 processors, speed 797.948 MHz (estimated)
Counted DATA_CACHE_ACCESSES events (Data cache accesses) with a unit mask of 0x00 (No unit mask) count 500000
Counted DATA_CACHE_MISSES events (Data cache misses) with a unit mask of 0x00 (No unit mask) count 500000
samples  %        samples  %        symbol name
16728    11.2479  7         0.4689  ext3_group_sparse
16454    11.0637  4         0.2679  ext3_count_free_blocks
14583     9.8056  51        3.4159  ext3_fill_super
8281      5.5681  129       8.6403  ext3_ioctl
7810      5.2514  62        4.1527  ext3_write_info
7286      4.8991  67        4.4876  ext3_ordered_writepage
6509      4.3767  130       8.7073  ext3_new_inode
6378      4.2886  156      10.4488  ext3_new_block
5932      3.9887  87        5.8272  ext3_xattr_block_list
...</pre></div><div class="section" id="s2-oprofile-reading-opannotate"><div class="titlepage"><div><div><h3 class="title" id="s2-oprofile-reading-opannotate">41.5.4. Using <code class="command">opannotate</code></h3></div></div></div><a id="id889542" class="indexterm"></a><a id="id889559" class="indexterm"></a><div class="para">
				The <code class="command">opannotate</code> tool tries to match the samples for particular instructions to the corresponding lines in the source code. The resulting files generated should have the samples for the lines at the left. It also puts in a comment at the beginning of each function listing the total samples for the function.
			</div><div class="para">
				For this utility to work, the executable must be compiled with GCC's <code class="option">-g</code> option. By default, Red Hat Enterprise Linux packages are not compiled with this option.
			</div><div class="para">
				The general syntax for <code class="command">opannotate</code> is as follows:
			</div><pre class="screen"><code class="command">opannotate --search-dirs <em class="replaceable"><code>&lt;src-dir&gt;</code></em> --source <em class="replaceable"><code>&lt;executable&gt;</code></em></code></pre><div class="para">
				The directory containing the source code and the executable to be analyzed must be specified. Refer to the <code class="command">opannotate</code> man page for a list of additional command line options.
			</div></div></div><div class="section" id="s1-oprofile-dev-oprofile"><div class="titlepage"><div><div><h2 class="title" id="s1-oprofile-dev-oprofile">41.6. Understanding <code class="filename">/dev/oprofile/</code></h2></div></div></div><a id="id889638" class="indexterm"></a><a id="id889655" class="indexterm"></a><div class="para">
			The <code class="filename">/dev/oprofile/</code> directory contains the file system for OProfile. Use the <code class="command">cat</code> command to display the values of the virtual files in this file system. For example, the following command displays the type of processor OProfile detected:
		</div><pre class="screen"><code class="command">cat /dev/oprofile/cpu_type</code></pre><div class="para">
			A directory exists in <code class="filename">/dev/oprofile/</code> for each counter. For example, if there are 2 counters, the directories <code class="filename">/dev/oprofile/0/</code> and <code class="filename">dev/oprofile/1/</code> exist.
		</div><div class="para">
			Each directory for a counter contains the following files:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="filename">count</code> — The interval between samples.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">enabled</code> — If 0, the counter is off and no samples are collected for it; if 1, the counter is on and samples are being collected for it.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">event</code> — The event to monitor.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">kernel</code> — If 0, samples are not collected for this counter event when the processor is in kernel-space; if 1, samples are collected even if the processor is in kernel-space.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">unit_mask</code> — Defines which unit masks are enabled for the counter.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">user</code> — If 0, samples are not collected for the counter event when the processor is in user-space; if 1, samples are collected even if the processor is in user-space.
				</div></li></ul></div><div class="para">
			The values of these files can be retrieved with the <code class="command">cat</code> command. For example:
		</div><pre class="screen"><code class="command">cat /dev/oprofile/0/count</code></pre></div><div class="section" id="s1-oprofile-example-usage"><div class="titlepage"><div><div><h2 class="title" id="s1-oprofile-example-usage">41.7. Example Usage</h2></div></div></div><div class="para">
			While OProfile can be used by developers to analyze application performance, it can also be used by system administrators to perform system analysis. For example:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<span class="emphasis"><em>Determine which applications and services are used the most on a system</em></span> — <code class="command">opreport</code> can be used to determine how much processor time an application or service uses. If the system is used for multiple services but is under performing, the services consuming the most processor time can be moved to dedicated systems.
				</div></li><li class="listitem"><div class="para">
					<span class="emphasis"><em>Determine processor usage</em></span> — The <code class="computeroutput">CPU_CLK_UNHALTED</code> event can be monitored to determine the processor load over a given period of time. This data can then be used to determine if additional processors or a faster processor might improve system performance.
				</div></li></ul></div></div><div class="section" id="s1-oprofile-gui"><div class="titlepage"><div><div><h2 class="title" id="s1-oprofile-gui">41.8. Graphical Interface</h2></div></div></div><a id="id889863" class="indexterm"></a><div class="para">
			Some OProfile preferences can be set with a graphical interface. To start it, execute the <code class="command">oprof_start</code> command as root at a shell prompt. To use the graphical interface, you will need to have the <code class="filename">oprofile-gui</code> package installed.
		</div><div class="para">
			After changing any of the options, save them by clicking the <span class="guibutton"><strong>Save and quit</strong></span> button. The preferences are written to <code class="filename">/root/.oprofile/daemonrc</code>, and the application exits. Exiting the application does not stop OProfile from sampling.
		</div><div class="para">
			On the <span class="guilabel"><strong>Setup</strong></span> tab, to set events for the processor counters as discussed in <a class="xref" href="#s2-oprofile-events">Section 41.2.2, “Setting Events to Monitor”</a>, select the counter from the pulldown menu and select the event from the list. A brief description of the event appears in the text box below the list. Only events available for the specific counter and the specific architecture are displayed. The interface also displays whether the profiler is running and some brief statistics about it.
		</div><div class="figure" id="fig-oprofile-setup"><div class="figure-contents"><div class="mediaobject"><img src="images/oprof-start-setup.png" alt="OProfile Setup" /><div class="longdesc"><div class="para">
						<code class="command">oprof_start</code> interface
					</div></div></div></div><h6>Figure 41.1. OProfile Setup</h6></div><br class="figure-break" /><div class="para">
			On the right side of the tab, select the <span class="guilabel"><strong>Profile kernel</strong></span> option to count events in kernel mode for the currently selected event, as discussed in <a class="xref" href="#s2-oprofile-starting-separate">Section 41.2.3, “Separating Kernel and User-space Profiles”</a>. If this option is unselected, no samples are collected for the kernel.
		</div><div class="para">
			Select the <span class="guilabel"><strong>Profile user binaries</strong></span> option to count events in user mode for the currently selected event, as discussed in <a class="xref" href="#s2-oprofile-starting-separate">Section 41.2.3, “Separating Kernel and User-space Profiles”</a>. If this option is unselected, no samples are collected for user applications.
		</div><div class="para">
			Use the <span class="guilabel"><strong>Count</strong></span> text field to set the sampling rate for the currently selected event as discussed in <a class="xref" href="#s3-oprofile-events-sampling">Section 41.2.2.1, “Sampling Rate”</a>.
		</div><div class="para">
			If any unit masks are available for the currently selected event, as discussed in <a class="xref" href="#s3-oprofile-events-unit-masks">Section 41.2.2.2, “Unit Masks”</a>, they are displayed in the <span class="guilabel"><strong>Unit Masks</strong></span> area on the right side of the <span class="guilabel"><strong>Setup</strong></span> tab. Select the checkbox beside the unit mask to enable it for the event.
		</div><div class="para">
			On the <span class="guilabel"><strong>Configuration</strong></span> tab, to profile the kernel, enter the name and location of the <code class="filename">vmlinux</code> file for the kernel to monitor in the <span class="guilabel"><strong>Kernel image file</strong></span> text field. To configure OProfile not to monitor the kernel, select <span class="guilabel"><strong>No kernel image</strong></span>.
		</div><div class="figure" id="fig-oprofile-configuration"><div class="figure-contents"><div class="mediaobject"><img src="images/oprof-start-config.png" width="444" alt="OProfile Configuration" /><div class="longdesc"><div class="para">
						OProfile Configuration
					</div></div></div></div><h6>Figure 41.2. OProfile Configuration</h6></div><br class="figure-break" /><div class="para">
			If the <span class="guilabel"><strong>Verbose</strong></span> option is selected, the <code class="command">oprofiled</code> daemon log includes more information.
		</div><div class="para">
			If <span class="guilabel"><strong>Per-application kernel samples files</strong></span> is selected, OProfile generates per-application profiles for the kernel and kernel modules as discussed in <a class="xref" href="#s2-oprofile-starting-separate">Section 41.2.3, “Separating Kernel and User-space Profiles”</a>. This is equivalent to the <code class="command">opcontrol --separate=kernel</code> command. If <span class="guilabel"><strong>Per-application shared libs samples files</strong></span> is selected, OProfile generates per-application profiles for libraries. This is equivalent to the <code class="command">opcontrol --separate=library</code> command.
		</div><div class="para">
			To force data to be written to samples files as discussed in <a class="xref" href="#s1-oprofile-analyzing-data">Section 41.5, “Analyzing the Data”</a>, click the <span class="guibutton"><strong>Flush profiler data</strong></span> button. This is equivalent to the <code class="command">opcontrol --dump</code> command.
		</div><div class="para">
			To start OProfile from the graphical interface, click <span class="guibutton"><strong>Start profiler</strong></span>. To stop the profiler, click <span class="guibutton"><strong>Stop profiler</strong></span>. Exiting the application does not stop OProfile from sampling.
		</div></div><div class="section" id="s1-oprofile-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-oprofile-additional-resources">41.9. Additional Resources</h2></div></div></div><a id="id890149" class="indexterm"></a><div class="para">
			This chapter only highlights OProfile and how to configure and use it. To learn more, refer to the following resources.
		</div><div class="section" id="s1-oprofile-installed-docs"><div class="titlepage"><div><div><h3 class="title" id="s1-oprofile-installed-docs">41.9.1. Installed Docs</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="filename">/usr/share/doc/oprofile-<em class="replaceable"><code>&lt;version&gt;</code></em>/oprofile.html</code> — <em class="citetitle">OProfile Manual</em>
					</div></li><li class="listitem"><div class="para">
						<code class="command">oprofile</code> man page — Discusses <code class="command">opcontrol</code>, <code class="command">opreport</code>, <code class="command">opannotate</code>, and <code class="command">ophelp</code>
					</div></li></ul></div></div><div class="section" id="s2-oprofile-useful-websites"><div class="titlepage"><div><div><h3 class="title" id="s2-oprofile-useful-websites">41.9.2. Useful Websites</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://oprofile.sourceforge.net/">http://oprofile.sourceforge.net/</a> — Contains the latest documentation, mailing lists, IRC channels, and more.
					</div></li></ul></div></div></div></div></div><div class="part" id="pt-kernel-configuration"><div class="titlepage"><div><div><h1 class="title">Part VI. Kernel and Driver Configuration</h1></div></div></div><div class="partintro" id="id606820"><div></div><div class="para">
				System administrators can learn about and customize their kernels. Red Hat Enterprise Linux contains kernel tools to assist administrators with their customizations.
			</div><div class="toc"><p><strong>Table of Contents</strong></p><dl><dt><span class="chapter"><a href="#ch-kernel">42. Manually Upgrading the Kernel</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-kernel-packages">42.1. Overview of Kernel Packages</a></span></dt><dt><span class="section"><a href="#s1-kernel-preparing">42.2. Preparing to Upgrade</a></span></dt><dt><span class="section"><a href="#s1-kernel-download">42.3. Downloading the Upgraded Kernel</a></span></dt><dt><span class="section"><a href="#s1-kernel-perform-upgrade">42.4. Performing the Upgrade</a></span></dt><dt><span class="section"><a href="#s1-kernel-initrd">42.5. Verifying the Initial RAM Disk Image</a></span></dt><dt><span class="section"><a href="#s1-kernel-boot-loader">42.6. Verifying the Boot Loader</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-kernel-boot-loader-x86">42.6.1. x86 Systems</a></span></dt><dt><span class="section"><a href="#s2-kernel-boot-loader-itanium">42.6.2. Itanium Systems</a></span></dt><dt><span class="section"><a href="#s2-kernel-boot-loader-s390">42.6.3. IBM S/390 and IBM System z Systems</a></span></dt><dt><span class="section"><a href="#s2-kernel-boot-loader-iseries">42.6.4. IBM eServer iSeries Systems</a></span></dt><dt><span class="section"><a href="#s2-kernel-boot-loader-pseries">42.6.5. IBM eServer pSeries Systems</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-modules">43. General Parameters and Modules</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-kernel-module-utils">43.1. Kernel Module Utilities</a></span></dt><dt><span class="section"><a href="#s1-kernel-modules-persistant">43.2. Persistent Module Loading</a></span></dt><dt><span class="section"><a href="#s1-modules-parameters-specifying">43.3. Specifying Module Parameters</a></span></dt><dt><span class="section"><a href="#s1-modules-scsi">43.4. Storage parameters</a></span></dt><dt><span class="section"><a href="#s1-modules-ethernet">43.5. Ethernet Parameters</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-modules-multiple-eth">43.5.1. Using Multiple Ethernet Cards</a></span></dt><dt><span class="section"><a href="#s2-modules-bonding">43.5.2. The Channel Bonding Module</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-kernel-modules-additional-resources">43.6. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-kernel-modules-installed-docs">43.6.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-kernel-modules-useful-websites">43.6.2. Useful Websites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-kdump">44. The kdump Crash Recovery Service</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-kdump-configuration">44.1. Configuring the <code class="systemitem">kdump</code> Service</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-kdump-configuration-firstboot">44.1.1. Configuring the kdump at First Boot</a></span></dt><dt><span class="section"><a href="#s2-kdump-configuration-gui">44.1.2. Using the Kernel Dump Configuration Utility</a></span></dt><dt><span class="section"><a href="#s2-kdump-configuration-cli">44.1.3. Configuring <code class="systemitem">kdump</code> on the Command Line</a></span></dt><dt><span class="section"><a href="#s2-kdump-configuration-testing">44.1.4. Testing the Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-kdump-crash">44.2. Analyzing the Core Dump</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-kdump-crash-log">44.2.1. Displaying the Message Buffer</a></span></dt><dt><span class="section"><a href="#s2-kdump-crash-backtrace">44.2.2. Displaying a Backtrace</a></span></dt><dt><span class="section"><a href="#s2-kdump-crash-processes">44.2.3. Displaying a Process Status</a></span></dt><dt><span class="section"><a href="#s2-kdump-crash-memory">44.2.4. Displaying Virtual Memory Information</a></span></dt><dt><span class="section"><a href="#s2-kdump-crash-files">44.2.5. Displaying Open Files</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-kdump-resources">44.3. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-kdump-resources-installed">44.3.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-kdump-resources-online">44.3.2. Useful Websites</a></span></dt></dl></dd></dl></dd></dl></div></div><div xml:lang="en-US" class="chapter" id="ch-kernel" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 42. Manually Upgrading the Kernel</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-kernel-packages">42.1. Overview of Kernel Packages</a></span></dt><dt><span class="section"><a href="#s1-kernel-preparing">42.2. Preparing to Upgrade</a></span></dt><dt><span class="section"><a href="#s1-kernel-download">42.3. Downloading the Upgraded Kernel</a></span></dt><dt><span class="section"><a href="#s1-kernel-perform-upgrade">42.4. Performing the Upgrade</a></span></dt><dt><span class="section"><a href="#s1-kernel-initrd">42.5. Verifying the Initial RAM Disk Image</a></span></dt><dt><span class="section"><a href="#s1-kernel-boot-loader">42.6. Verifying the Boot Loader</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-kernel-boot-loader-x86">42.6.1. x86 Systems</a></span></dt><dt><span class="section"><a href="#s2-kernel-boot-loader-itanium">42.6.2. Itanium Systems</a></span></dt><dt><span class="section"><a href="#s2-kernel-boot-loader-s390">42.6.3. IBM S/390 and IBM System z Systems</a></span></dt><dt><span class="section"><a href="#s2-kernel-boot-loader-iseries">42.6.4. IBM eServer iSeries Systems</a></span></dt><dt><span class="section"><a href="#s2-kernel-boot-loader-pseries">42.6.5. IBM eServer pSeries Systems</a></span></dt></dl></dd></dl></div><a id="id1044581" class="indexterm"></a><div class="para">
		The Red Hat Enterprise Linux kernel is custom built by the Red Hat Enterprise Linux kernel team to ensure its integrity and compatibility with supported hardware. Before Red Hat releases a kernel, it must first pass a rigorous set of quality assurance tests.
	</div><div class="para">
		Red Hat Enterprise Linux kernels are packaged in RPM format so that they are easy to upgrade and verify using the <span class="application"><strong>Package Management Tool</strong></span>, or the <code class="command">yum</code> command. The <span class="application"><strong>Package Management Tool</strong></span> automatically queries the Red Hat Enterprise Linux servers and determines which packages need to be updated on your machine, including the kernel. This chapter is <span class="emphasis"><em>only</em></span> useful for those individuals that require manual updating of kernel packages, without using the <code class="command">yum</code> command.
	</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
			Building a custom kernel is not supported by the Red Hat Global Services Support team, and therefore is not explored in this manual.
		</div></div></div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
			The use of <code class="command">yum</code> is <span class="emphasis"><em>highly</em></span> recommended by Red Hat for installing upgraded kernels.
		</div></div></div><div class="para">
		For more information on Red Hat Network, the <span class="application"><strong>Package Management Tool</strong></span>, and <code class="command">yum</code>, refer to <a class="xref" href="#entitlements">Chapter 14, <em>Product Subscriptions and Entitlements</em></a>.
	</div><div class="section" id="s1-kernel-packages"><div class="titlepage"><div><div><h2 class="title" id="s1-kernel-packages">42.1. Overview of Kernel Packages</h2></div></div></div><div class="para">
			Red Hat Enterprise Linux contains the following kernel packages (some may not apply to your architecture):
		</div><a id="id856391" class="indexterm"></a><a id="id1066501" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="filename">kernel</code> — Contains the kernel for multi-processor systems. For x86 system, only the first 4GB of RAM is used. As such, x86 systems with over 4GB of RAM should use the <code class="filename">kernel-PAE</code>.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">kernel-devel</code> — Contains the kernel headers and makefiles sufficient to build modules against the <code class="command">kernel</code> package.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">kernel-PAE</code> (only for i686 systems) — This package offers the following key configuration option (in addition to the options already enabled for the <code class="filename">kernel</code> package):
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							PAE (Physical Address Extension) support for systems with more than 4GB of RAM, and reliably up to 16GB.
						</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
								Physical Address Extension allows x86 processors to address up to 64GB of physical RAM, but due to differences between the Red Hat Enterprise Linux 4 and 5 kernels, only Red Hat Enterprise Linux 4 (with the <code class="filename">kernel-hugemem</code> package) is able to reliably address all 64GB of memory. Additionally, the Red Hat Enterprise Linux 5 PAE variant does not allow 4GB of addressable memory per-process like the Red Hat Enterprise Linux 4 <code class="filename">kernel-hugemem</code> variant does. However, the x86_64 kernel does not suffer from any of these limitations, and is the suggested Red Hat Enterprise Linux 5 architecture to use with large-memory systems.
							</div></div></div></li></ul></div></li><li class="listitem"><div class="para">
					<code class="filename">kernel-PAE-devel</code> — Contains the kernel headers and makefiles required to build modules against the <code class="filename">kernel-PAE</code> package.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">kernel-doc</code> — Contains documentation files from the kernel source. Various portions of the Linux kernel and the device drivers shipped with it are documented in these files. Installation of this package provides a reference to the options that can be passed to Linux kernel modules at load time.
				</div><div class="para">
					By default, these files are placed in the <code class="filename">/usr/share/doc/kernel-doc-<em class="replaceable"><code>&lt;version&gt;</code></em>/</code> directory.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">kernel-headers</code> — Includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">kernel-xen</code> — Includes a version of the Linux kernel which is needed to run Virtualization.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">kernel-xen-devel</code> — Contains the kernel headers and makefiles required to build modules against the <code class="filename">kernel-xen</code> package
				</div></li></ul></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				The <code class="filename">kernel-source</code> package has been removed and replaced with an RPM that can only be retrieved from Red Hat Network. This <code class="filename">*.src.rpm</code> package must then be rebuilt locally using the <code class="command">rpmbuild</code> command. For more information on obtaining and installing the kernel source package, refer to the latest updated Release Notes (including all updates) at <a href="http://www.redhat.com/docs/manuals/enterprise/">http://www.redhat.com/docs/manuals/enterprise/</a>
			</div></div></div></div><div class="section" id="s1-kernel-preparing"><div class="titlepage"><div><div><h2 class="title" id="s1-kernel-preparing">42.2. Preparing to Upgrade</h2></div></div></div><div class="para">
			Before upgrading the kernel, it is recommended that you take some precautionary steps. The first step is to make sure working boot media exists for the system in case a problem occurs. If the boot loader is not configured properly to boot the new kernel, the system cannot be booted into Red Hat Enterprise Linux without working boot media.
		</div><a id="id992330" class="indexterm"></a><div class="para">
			To create a boot diskette, login as root, and run the command <code class="command">/sbin/mkbootdisk `uname -r`</code> at a shell prompt.
		</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
				Refer to the <code class="command">mkbootdisk</code> man page for more options. You can create bootable media via CD-Rs, CD-RWs, and USB flash drives, provided that your system BIOS also supports it.
			</div></div></div><div class="para">
			Reboot the machine with the boot media and verify that it works before continuing.
		</div><div class="para">
			To determine which kernel packages are installed, execute the command <code class="command">rpm -qa | grep kernel</code> at a shell prompt:
		</div><div class="para">
			The output contains some or all of the following packages, depending on the system's architecture (the version numbers and packages may differ):
		</div><pre class="screen">kernel-2.6.9-5.EL
kernel-devel-2.6.9-5.EL
kernel-utils-2.6.9-5.EL
kernel-doc-2.6.9-5.EL
kernel-smp-2.6.9-5.EL
kernel-smp-devel-2.6.9-5.EL
kernel-hugemem-devel-2.6.9-5.EL</pre><div class="para">
			From the output, determine which packages need to be download for the kernel upgrade. For a single processor system, the only required package is the <code class="filename">kernel</code> package. Refer to <a class="xref" href="#s1-kernel-packages">Section 42.1, “Overview of Kernel Packages”</a> for descriptions of the different packages.
		</div><div class="para">
			In the file name, each kernel package contains the architecture for which the package was built. The format is kernel-<em class="replaceable"><code>&lt;variant&gt;</code></em>-<em class="replaceable"><code>&lt;version&gt;</code></em>.<em class="replaceable"><code>&lt;arch&gt;</code></em>.rpm, where <em class="replaceable"><code>&lt;variant&gt;</code></em> is one of either <code class="filename">PAE</code>, <code class="filename">xen</code>, and so forth. The <em class="replaceable"><code>&lt;arch&gt;</code></em> is one of the following:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="filename">x86_64</code> for the AMD64 and Intel EM64T architectures
				</div></li><li class="listitem"><div class="para">
					<code class="filename">ia64</code> for the <span class="trademark">Intel</span>® <span class="trademark">Itanium</span>™ architecture
				</div></li><li class="listitem"><div class="para">
					<code class="filename">ppc64</code> for the <span class="trademark">IBM</span>® <span class="trademark">eServer</span>™ <span class="trademark">pSeries</span>™ architecture
				</div></li><li class="listitem"><div class="para">
					<code class="filename">s390</code> for the <span class="trademark">IBM</span>® <span class="trademark">S/390</span>® architecture
				</div></li><li class="listitem"><div class="para">
					<code class="filename">s390x</code> for the <span class="trademark">IBM</span>® <span class="trademark">eServer</span>™ <span class="trademark">System z</span>® architecture
				</div></li><li class="listitem"><div class="para">
					<code class="filename">i686</code> for <span class="trademark">Intel</span>® <span class="trademark">Pentium</span>® II, <span class="trademark">Intel</span>® <span class="trademark">Pentium</span>® III, <span class="trademark">Intel</span>® <span class="trademark">Pentium</span>® 4, <span class="trademark">AMD Athlon</span>®, and <span class="trademark">AMD Duron</span>® systems
				</div></li></ul></div></div><div class="section" id="s1-kernel-download"><div class="titlepage"><div><div><h2 class="title" id="s1-kernel-download">42.3. Downloading the Upgraded Kernel</h2></div></div></div><a id="id863495" class="indexterm"></a><div class="para">
			There are several ways to determine if an updated kernel is available for the system.
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					Security Errata — Refer to <a href="http://www.redhat.com/security/updates/">http://www.redhat.com/security/updates/</a> for information on security errata, including kernel upgrades that fix security issues.
				</div></li><li class="listitem"><div class="para">
					Via Red Hat Network — Download and install the kernel RPM packages. Red Hat Network can download the latest kernel, upgrade the kernel on the system, create an initial RAM disk image if needed, and configure the boot loader to boot the new kernel. For more information, refer to <a href="http://www.redhat.com/docs/manuals/RHNetwork/"> http://www.redhat.com/docs/manuals/RHNetwork/</a>.
				</div></li></ul></div><div class="para">
			If Red Hat Network was used to download and install the updated kernel, follow the instructions in <a class="xref" href="#s1-kernel-initrd">Section 42.5, “Verifying the Initial RAM Disk Image”</a> and <a class="xref" href="#s1-kernel-boot-loader">Section 42.6, “Verifying the Boot Loader”</a>, only <span class="emphasis"><em>do not</em></span> change the kernel to boot by default. Red Hat Network automatically changes the default kernel to the latest version. To install the kernel manually, continue to <a class="xref" href="#s1-kernel-perform-upgrade">Section 42.4, “Performing the Upgrade”</a>.
		</div></div><div class="section" id="s1-kernel-perform-upgrade"><div class="titlepage"><div><div><h2 class="title" id="s1-kernel-perform-upgrade">42.4. Performing the Upgrade</h2></div></div></div><div class="para">
			After retrieving all of the necessary packages, it is time to upgrade the existing kernel.
		</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
				It is strongly recommended that you keep the old kernel in case there are problems with the new kernel.
			</div></div></div><div class="para">
			At a shell prompt, change to the directory that contains the kernel RPM packages. Use <code class="option">-i</code> argument with the <code class="command">rpm</code> command to keep the old kernel. Do <span class="emphasis"><em>not</em></span> use the <code class="option">-U</code> option, since it overwrites the currently installed kernel, which creates boot loader problems. For example:
		</div><div class="para">
			<code class="command">rpm -ivh kernel-<em class="replaceable"><code>&lt;kernel version&gt;</code></em>.<em class="replaceable"><code>&lt;arch&gt;</code></em>.rpm </code>
		</div><div class="para">
			The next step is to verify that the initial RAM disk image has been created. Refer to <a class="xref" href="#s1-kernel-initrd">Section 42.5, “Verifying the Initial RAM Disk Image”</a> for details.
		</div></div><div class="section" id="s1-kernel-initrd"><div class="titlepage"><div><div><h2 class="title" id="s1-kernel-initrd">42.5. Verifying the Initial RAM Disk Image</h2></div></div></div><div class="para">
			If the system uses the ext3 file system, a SCSI controller, or labels to reference partitions in <code class="filename">/etc/fstab</code>, an initial RAM disk is needed. The initial RAM disk allows a modular kernel to have access to modules that it might need to boot from before the kernel has access to the device where the modules normally reside.
		</div><div class="para">
			On architectures other than IBM eServer iSeries, the initial RAM disk can be created with the <code class="command">mkinitrd</code> command. However, this step is performed automatically if the kernel and its associated packages are installed or upgraded from the RPM packages distributed by Red Hat; in such cases, you do not need to create the initial RAM disk manually. To verify that an initial RAM disk already exists, use the command <code class="command">ls -l /boot</code> to make sure the <code class="filename">initrd-<em class="replaceable"><code>&lt;version&gt;</code></em>.img</code> file was created (the version should match the version of the kernel just installed).
		</div><div class="para">
			On iSeries systems, the initial RAM disk file and <code class="filename">vmlinux</code> file are combined into one file, which is created with the <code class="command">addRamDisk</code> command. This step is performed automatically if the kernel and its associated packages are installed or upgraded from the RPM packages distributed by Red Hat, Inc.; thus, it does not need to be executed manually. To verify that it was created, use the command <code class="command">ls -l /boot</code> to make sure the <code class="filename">/boot/vmlinitrd-<em class="replaceable"><code>&lt;kernel-version&gt;</code></em> </code> file already exists (the <code class="filename"><em class="replaceable"><code>&lt;kernel-version&gt;</code></em> </code> should match the version of the kernel just installed).
		</div><div class="para">
			The next step is to verify that the boot loader has been configured to boot the new kernel. Refer to <a class="xref" href="#s1-kernel-boot-loader">Section 42.6, “Verifying the Boot Loader”</a> for details.
		</div></div><div class="section" id="s1-kernel-boot-loader"><div class="titlepage"><div><div><h2 class="title" id="s1-kernel-boot-loader">42.6. Verifying the Boot Loader</h2></div></div></div><div class="para">
			The <code class="filename">kernel</code> RPM package configures the boot loader to boot the newly installed kernel (except for IBM eServer iSeries systems). However, it does not configure the boot loader to boot the new kernel by default.
		</div><div class="para">
			It is always a good idea to confirm that the boot loader has been configured correctly. This is a crucial step. If the boot loader is configured incorrectly, the system will not boot into Red Hat Enterprise Linux properly. If this happens, boot the system with the boot media created earlier and try configuring the boot loader again.
		</div><div class="section" id="s2-kernel-boot-loader-x86"><div class="titlepage"><div><div><h3 class="title" id="s2-kernel-boot-loader-x86">42.6.1. x86 Systems</h3></div></div></div><div class="para">
				All x86 systems (including all AMD64 systems) use GRUB as the boot loader.
			</div><div class="section" id="s3-kernel-boot-loader-grub"><div class="titlepage"><div><div><h4 class="title" id="s3-kernel-boot-loader-grub">42.6.1.1. GRUB</h4></div></div></div><div class="para">
					Confirm that the file <code class="filename">/boot/grub/grub.conf</code> contains a <code class="computeroutput">title</code> section with the same version as the <code class="filename">kernel</code> package just installed
				</div><pre class="screen"># Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/hda2
#          initrd /initrd-version.img
#boot=/dev/hda
default=1 timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Red Hat Enterprise Linux (2.6.9-5.EL)
         root (hd0,0)
	 kernel /vmlinuz-2.6.9-5.EL ro root=LABEL=/
	 initrd /initrd-2.6.9-5.EL.img
title Red Hat Enterprise Linux (2.6.9-1.906_EL)
         root (hd0,0)
	 kernel /vmlinuz-2.6.9-1.906_EL ro root=LABEL=/
	 initrd /initrd-2.6.9-1.906_EL.img</pre><div class="para">
					If a separate <code class="filename">/boot/</code> partition was created, the paths to the kernel and <code class="filename">initrd</code> image are relative to <code class="filename">/boot/</code>.
				</div><div class="para">
					Notice that the default is not set to the new kernel. To configure GRUB to boot the new kernel by default, change the value of the <code class="command">default</code> variable to the title section number for the title section that contains the new kernel. The count starts with 0. For example, if the new kernel is the first title section, set <code class="command">default</code> to <strong class="userinput"><code>0</code></strong>.
				</div><div class="para">
					Begin testing the new kernel by rebooting the computer and watching the messages to ensure that the hardware is detected properly.
				</div></div></div><div class="section" id="s2-kernel-boot-loader-itanium"><div class="titlepage"><div><div><h3 class="title" id="s2-kernel-boot-loader-itanium">42.6.2. Itanium Systems</h3></div></div></div><div class="para">
				Itanium systems use ELILO as the boot loader, which uses <code class="filename">/boot/efi/EFI/redhat/elilo.conf</code> as the configuration file. Confirm that this file contains an <code class="computeroutput">image</code> section with the same version as the <code class="filename">kernel</code> package just installed:
			</div><pre class="screen">prompt timeout=50 default=old  image=vmlinuz-2.6.9-5.EL
         label=linux
	 initrd=initrd-2.6.9-5.EL.img         read-only
	 append="root=LABEL=/" image=vmlinuz-2.6.9-1.906_EL
	 label=old
	 initrd=initrd-2.6.9-1.906.img         read-only
	 append="root=LABEL=/"</pre><div class="para">
				Notice that the default is not set to the new kernel. To configure ELILO to boot the new kernel, change the value of the <code class="computeroutput">default</code> variable to the value of the <code class="computeroutput">label</code> for the <code class="computeroutput">image</code> section that contains the new kernel.
			</div><div class="para">
				Begin testing the new kernel by rebooting the computer and watching the messages to ensure that the hardware is detected properly.
			</div></div><div class="section" id="s2-kernel-boot-loader-s390"><div class="titlepage"><div><div><h3 class="title" id="s2-kernel-boot-loader-s390">42.6.3. IBM S/390 and IBM System z Systems</h3></div></div></div><div class="para">
				The IBM S/390 and IBM System z systems use z/IPL as the boot loader, which uses <code class="filename">/etc/zipl.conf</code> as the configuration file. Confirm that the file contains a section with the same version as the kernel package just installed:
			</div><pre class="screen">[defaultboot] default=old target=/boot/
[linux]
         image=/boot/vmlinuz-2.6.9-5.EL
	 ramdisk=/boot/initrd-2.6.9-5.EL.img
	 parameters="root=LABEL=/"
[old]
         image=/boot/vmlinuz-2.6.9-1.906_EL
	 ramdisk=/boot/initrd-2.6.9-1.906_EL.img
	 parameters="root=LABEL=/"</pre><div class="para">
				Notice that the default is not set to the new kernel. To configure z/IPL to boot the new kernel by default, change the value of the <code class="computeroutput">default</code> variable to the name of the section that contains the new kernel. The first line of each section contains the name in brackets.
			</div><div class="para">
				After modifying the configuration file, run <code class="command">/sbin/zipl</code> as root to enable the changes.
			</div><div class="para">
				Begin testing the new kernel by rebooting the computer and watching the messages to ensure that the hardware is detected properly.
			</div></div><div class="section" id="s2-kernel-boot-loader-iseries"><div class="titlepage"><div><div><h3 class="title" id="s2-kernel-boot-loader-iseries">42.6.4. IBM eServer iSeries Systems</h3></div></div></div><div class="para">
				The <code class="filename">/boot/vmlinitrd-<em class="replaceable"><code>&lt;kernel-version&gt;</code></em> </code> file is installed when you upgrade the kernel. However, you must use the <code class="command">dd</code> command to configure the system to boot the new kernel:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						As root, issue the command <code class="command"> cat /proc/iSeries/mf/side</code> to determine the default side (either A, B, or C).
					</div></li><li class="listitem"><div class="para">
						As root, issue the following command, where <em class="replaceable"><code>&lt;kernel-version&gt;</code></em> is the version of the new kernel and <em class="replaceable"><code>&lt;side&gt;</code></em> is the side from the previous command:
					</div><div class="para">
						<code class="command">dd if=/boot/vmlinitrd-<em class="replaceable"><code>&lt;kernel-version&gt;</code></em> of=/proc/iSeries/mf/<em class="replaceable"><code>&lt;side&gt;</code></em>/vmlinux bs=8k</code>
					</div></li></ol></div><div class="para">
				Begin testing the new kernel by rebooting the computer and watching the messages to ensure that the hardware is detected properly.
			</div></div><div class="section" id="s2-kernel-boot-loader-pseries"><div class="titlepage"><div><div><h3 class="title" id="s2-kernel-boot-loader-pseries">42.6.5. IBM eServer pSeries Systems</h3></div></div></div><div class="para">
				IBM eServer pSeries systems use YABOOT as the boot loader, which uses <code class="filename">/etc/aboot.conf</code> as the configuration file. Confirm that the file contains an <code class="computeroutput">image</code> section with the same version as the <code class="filename">kernel</code> package just installed:
			</div><pre class="screen">boot=/dev/sda1 init-message=Welcome to Red Hat Enterprise Linux! Hit &lt;TAB&gt; for boot options
partition=2 timeout=30 install=/usr/lib/yaboot/yaboot delay=10 nonvram
image=/vmlinux--2.6.9-5.EL
         label=old
	 read-only
	 initrd=/initrd--2.6.9-5.EL.img
	 append="root=LABEL=/"
image=/vmlinux-2.6.9-5.EL
	 label=linux
	 read-only
	 initrd=/initrd-2.6.9-5.EL.img
	 append="root=LABEL=/"</pre><div class="para">
				Notice that the default is not set to the new kernel. The kernel in the first image is booted by default. To change the default kernel to boot either move its image stanza so that it is the first one listed or add the directive <code class="computeroutput">default</code> and set it to the <code class="computeroutput">label</code> of the image stanza that contains the new kernel.
			</div><div class="para">
				Begin testing the new kernel by rebooting the computer and watching the messages to ensure that the hardware is detected properly.
			</div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-modules" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 43. General Parameters and Modules</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-kernel-module-utils">43.1. Kernel Module Utilities</a></span></dt><dt><span class="section"><a href="#s1-kernel-modules-persistant">43.2. Persistent Module Loading</a></span></dt><dt><span class="section"><a href="#s1-modules-parameters-specifying">43.3. Specifying Module Parameters</a></span></dt><dt><span class="section"><a href="#s1-modules-scsi">43.4. Storage parameters</a></span></dt><dt><span class="section"><a href="#s1-modules-ethernet">43.5. Ethernet Parameters</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-modules-multiple-eth">43.5.1. Using Multiple Ethernet Cards</a></span></dt><dt><span class="section"><a href="#s2-modules-bonding">43.5.2. The Channel Bonding Module</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-kernel-modules-additional-resources">43.6. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-kernel-modules-installed-docs">43.6.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-kernel-modules-useful-websites">43.6.2. Useful Websites</a></span></dt></dl></dd></dl></div><a id="id873470" class="indexterm"></a><a id="id971665" class="indexterm"></a><a id="id1072310" class="indexterm"></a><a id="id1039530" class="indexterm"></a><div class="para">
		This chapter is provided to illustrate <span class="emphasis"><em>some</em></span> of the possible parameters available for common hardware device <em class="firstterm">drivers</em> <sup>[<a id="id790544" href="#ftn.id790544" class="footnote">9</a>]</sup>, which under Red Hat Enterprise Linux are called kernel <em class="firstterm">modules</em>. In most cases, the default parameters do work. However, there may be times when extra module parameters are necessary for a device to function properly or to override the module's default parameters for the device.
	</div><div class="para">
		During installation, Red Hat Enterprise Linux uses a limited subset of device drivers to create a stable installation environment. Although the installation program supports installation on many different types of hardware, some drivers (including those for SCSI adapters and network adapters) are not included in the installation kernel. Rather, they must be loaded as modules by the user at boot time.
	</div><div class="para">
		Once installation is completed, support exists for a large number of devices through kernel modules.
	</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
			Red Hat provides a large number of unsupported device drivers in groups of packages called <code class="filename">kernel-smp-unsupported-<em class="replaceable"><code>&lt;kernel-version&gt;</code></em> </code> and <code class="filename">kernel-hugemem-unsupported-<em class="replaceable"><code>&lt;kernel-version&gt;</code></em> </code>. Replace <em class="replaceable"><code>&lt;kernel-version&gt;</code></em> with the version of the kernel installed on the system. These packages are not installed by the Red Hat Enterprise Linux installation program, and the modules provided are not supported by Red Hat, Inc.
		</div></div></div><div class="section" id="s1-kernel-module-utils"><div class="titlepage"><div><div><h2 class="title" id="s1-kernel-module-utils">43.1. Kernel Module Utilities</h2></div></div></div><div class="para">
			A group of commands for managing kernel modules is available if the <code class="filename">module-init-tools</code> package is installed. Use these commands to determine if a module has been loaded successfully or when trying different modules for a piece of new hardware.
		</div><a id="id781445" class="indexterm"></a><a id="id1050003" class="indexterm"></a><div class="para">
			The command <code class="command">/sbin/lsmod</code> displays a list of currently loaded modules. For example:
		</div><pre class="screen">Module                  Size  Used by
tun                    11585  1
autofs4                21573  1
hidp                   16193  2
rfcomm                 37849  0
l2cap                  23873  10 hidp,rfcomm
bluetooth              50085  5 hidp,rfcomm,l2cap
sunrpc                153725  1
dm_mirror              29073  0
dm_mod                 57433  1 dm_mirror
video                  17221  0
sbs                    16257  0
i2c_ec                  5569  1 sbs
container               4801  0
button                  7249  0
battery                10565  0
asus_acpi              16857  0
ac                      5701  0
ipv6                  246113  12
lp                     13065  0
parport_pc             27493  1
parport                37001  2 lp,parport_pc
uhci_hcd               23885  0
floppy                 57317  1
sg                     34653  0
snd_ens1371            26721  1
gameport               16073  1 snd_ens1371
snd_rawmidi            24897  1 snd_ens1371
snd_ac97_codec         91360  1 snd_ens1371
snd_ac97_bus            2753  1 snd_ac97_codec
snd_seq_dummy           4293  0
snd_seq_oss            32705  0
serio_raw               7493  0
snd_seq_midi_event      8001  1 snd_seq_oss
snd_seq                51633  5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event
snd_seq_device          8781  4 snd_rawmidi,snd_seq_dummy,snd_seq_oss,snd_seq
snd_pcm_oss            42849  0
snd_mixer_oss          16833  1 snd_pcm_oss
snd_pcm                76485  3 snd_ens1371,snd_ac97_codec,snd_pcm_oss
snd_timer              23237  2 snd_seq,snd_pcm
snd                    52933  12 snd_ens1371,snd_rawmidi,snd_ac97_codec,snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer
soundcore              10145  1 snd
i2c_piix4               8909  0
ide_cd                 38625  3
snd_page_alloc         10569  1 snd_pcm
i2c_core               21697  2 i2c_ec,i2c_piix4
pcnet32                34117  0
cdrom                  34913  1 ide_cd
mii                     5825  1 pcnet32
pcspkr                  3521  0
ext3                  129737  2
jbd                    58473  1 ext3
mptspi                 17353  3
scsi_transport_spi     25025  1 mptspi
mptscsih               23361  1 mptspi
sd_mod                 20929  16
scsi_mod              134121  5 sg,mptspi,scsi_transport_spi,mptscsih,sd_mod
mptbase                52193  2 mptspi,mptscsih</pre><div class="para">
			For each line, the first column is the name of the module, the second column is the size of the module, and the third column is the use count.
		</div><div class="para">
			The <code class="command">/sbin/lsmod</code> output is less verbose and easier to read than the output from viewing <code class="filename">/proc/modules</code>.
		</div><a id="id1050072" class="indexterm"></a><a id="id1050086" class="indexterm"></a><div class="para">
			To load a kernel module, use the <code class="command">/sbin/modprobe</code> command followed by the kernel module name. By default, <code class="command">modprobe</code> attempts to load the module from the <code class="filename">/lib/modules/<em class="replaceable"><code>&lt;kernel-version&gt;</code></em>/kernel/drivers/</code> subdirectories. There is a subdirectory for each type of module, such as the <code class="filename">net/</code> subdirectory for network interface drivers. Some kernel modules have module dependencies, meaning that other modules must be loaded first for it to load. The <code class="command">/sbin/modprobe</code> command checks for these dependencies and loads the module dependencies before loading the specified module.
		</div><div class="para">
			For example, the command
		</div><pre class="screen"><code class="command">modprobe e100</code></pre><div class="para">
			loads any module dependencies and then the <code class="filename">e100</code> module.
		</div><div class="para">
			To print to the screen all commands as <code class="command">/sbin/modprobe</code> executes them, use the <code class="option">-v</code> option. For example:
		</div><pre class="screen"><code class="command">modprobe -v e100</code></pre><div class="para">
			Output similar to the following is displayed:
		</div><pre class="screen">insmod /lib/modules/2.6.9-5.EL/kernel/drivers/net/e100.ko
Using /lib/modules/2.6.9-5.EL/kernel/drivers/net/e100.ko
Symbol version prefix 'smp_'</pre><a id="id1057710" class="indexterm"></a><div class="para">
			The <code class="command">/sbin/insmod</code> command also exists to load kernel modules; however, it does not resolve dependencies. Thus, it is recommended that the <code class="command">/sbin/modprobe</code> command be used.
		</div><a id="id1057736" class="indexterm"></a><a id="id1057750" class="indexterm"></a><div class="para">
			To unload kernel modules, use the <code class="command">/sbin/rmmod</code> command followed by the module name. The <code class="command">rmmod</code> utility only unloads modules that are not in use and that are not a dependency of other modules in use.
		</div><div class="para">
			For example, the command
		</div><pre class="screen"><code class="command">rmmod e100</code></pre><div class="para">
			unloads the <code class="filename">e100</code> kernel module.
		</div><div class="para">
			Another useful kernel module utility is <code class="command">modinfo</code>. Use the command <code class="command">/sbin/modinfo</code> to display information about a kernel module. The general syntax is:
		</div><pre class="screen"><code class="command">modinfo <em class="replaceable"><code>[options]</code></em> <em class="replaceable"><code>&lt;module&gt;</code></em></code></pre><div class="para">
			Options include <code class="command">-d</code>, which displays a brief description of the module, and <code class="command">-p</code>, which lists the parameters the module supports. For a complete list of options, refer to the <code class="command">modinfo</code> man page (<code class="command">man modinfo</code>).
		</div></div><div class="section" id="s1-kernel-modules-persistant"><div class="titlepage"><div><div><h2 class="title" id="s1-kernel-modules-persistant">43.2. Persistent Module Loading</h2></div></div></div><a id="id869852" class="indexterm"></a><a id="id869866" class="indexterm"></a><div class="para">
			Kernel modules are usually loaded directly by the facility that requires them, which is given correct settings in the <code class="filename">/etc/modprobe.conf</code> file. However, it is sometimes necessary to explicitly force the loading of a module at boot time.
		</div><div class="para">
			Red Hat Enterprise Linux checks for the existence of the <code class="filename">/etc/rc.modules</code> file at boot time, which contains various commands to load modules. The <code class="filename">rc.modules</code> should be used, and <span class="emphasis"><em>not</em></span> <code class="filename">rc.local</code> because <code class="filename">rc.modules</code> is executed earlier in the boot process.
		</div><div class="para">
			For example, the following commands configure loading of the <code class="filename">foo</code> module at boot time (as root):
		</div><pre class="screen"><code class="command">echo modprobe foo &gt;&gt; /etc/rc.modules</code>
<code class="command">chmod +x /etc/rc.modules</code></pre><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
				This approach is not necessary for network and SCSI interfaces because they have their own specific mechanisms.
			</div></div></div></div><div class="section" id="s1-modules-parameters-specifying"><div class="titlepage"><div><div><h2 class="title" id="s1-modules-parameters-specifying">43.3. Specifying Module Parameters</h2></div></div></div><a id="id891653" class="indexterm"></a><a id="id891670" class="indexterm"></a><a id="id891684" class="indexterm"></a><div class="para">
			In some situations, it may be necessary to supply parameters to a module as it is loaded for it to function properly.
		</div><div class="para">
			For instance, to enable full duplex at 100Mbps connection speed for an Intel Ether Express/100 card, load the <code class="filename">e100</code> driver with the <code class="option">e100_speed_duplex=4</code> option.
		</div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
				When a parameter has commas, be sure <span class="emphasis"><em>not</em></span> to put a space after a comma.
			</div></div></div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
				The <code class="command">modinfo</code> command is also useful for listing various information about a kernel module, such as version, dependencies, parameter options, and aliases.
			</div></div></div></div><div class="section" id="s1-modules-scsi"><div class="titlepage"><div><div><h2 class="title" id="s1-modules-scsi">43.4. Storage parameters</h2></div></div></div><a id="id994318" class="indexterm"></a><a id="id994331" class="indexterm"></a><div class="table" id="tb-modules-scsiparameters"><h6>Table 43.1. Storage Module Parameters</h6><div class="table-contents"><table summary="Storage Module Parameters" border="1"><colgroup><col class="hardware" width="33%" /><col class="module" width="33%" /><col class="parameters" width="33%" /></colgroup><thead><tr><th>
							Hardware
						</th><th>
							Module
						</th><th>
							Parameters
						</th></tr></thead><tbody><tr><td>
							3ware Storage Controller and 9000 series
						</td><td>
							<code class="filename">3w-xxxx.ko, 3w-9xxx.ko</code>
						</td><td>
						</td></tr><tr><td>
							Adaptec Advanced Raid Products, Dell PERC2, 2/Si, 3/Si, 3/Di, HP NetRAID-4M, IBM ServeRAID, and ICP SCSI driver
						</td><td>
							<code class="filename">aacraid.ko</code>
						</td><td>
							<div class="para">
								<em class="parameter"><code>nondasd</code></em> — Control scanning of hba for nondasd devices. 0=off, 1=on
							</div>
							 <div class="para">
								<em class="parameter"><code>dacmode</code></em> — Control whether dma addressing is using 64 bit DAC. 0=off, 1=on
							</div>
							 <div class="para">
								<em class="parameter"><code>commit</code></em> — Control whether a COMMIT_CONFIG is issued to the adapter for foreign arrays. This is typically needed in systems that do not have a BIOS. 0=off, 1=on
							</div>
							 <div class="para">
								<em class="parameter"><code>startup_timeout</code></em> — The duration of time in seconds to wait for adapter to have it's kernel up and running. This is typically adjusted for large systems that do not have a BIOS
							</div>
							 <div class="para">
								<em class="parameter"><code>aif_timeout</code></em> — The duration of time in seconds to wait for applications to pick up AIFs before deregistering them. This is typically adjusted for heavily burdened systems.
							</div>
							 <div class="para">
								<em class="parameter"><code>numacb</code></em> — Request a limit to the number of adapter control blocks (FIB) allocated. Valid values are 512 and down. Default is to use suggestion from Firmware.
							</div>
							 <div class="para">
								<em class="parameter"><code>acbsize</code></em> — Request a specific adapter control block (FIB) size. Valid values are 512, 2048, 4096 and 8192. Default is to use suggestion from Firmware.
							</div>

</td></tr><tr><td>
							Adaptec 28xx, R9xx, 39xx AHA-284x, AHA-29xx, AHA-394x, AHA-398x, AHA-274x, AHA-274xT, AHA-2842, AHA-2910B, AHA-2920C, AHA-2930/U/U2, AHA-2940/W/U/UW/AU/, U2W/U2/U2B/, U2BOEM, AHA-2944D/WD/UD/UWD, AHA-2950U2/W/B, AHA-3940/U/W/UW/, AUW/U2W/U2B, AHA-3950U2D, AHA-3985/U/W/UW, AIC-777x, AIC-785x, AIC-786x, AIC-787x, AIC-788x , AIC-789x, AIC-3860
						</td><td>
							<code class="filename">aic7xxx.ko</code>
						</td><td>
							<div class="para">
								<em class="parameter"><code>verbose</code></em> — Enable verbose/diagnostic logging
							</div>
							 <div class="para">
								<em class="parameter"><code>allow_memio</code></em> — Allow device registers to be memory mapped
							</div>
							 <div class="para">
								<em class="parameter"><code>debug</code></em> — Bitmask of debug values to enable
							</div>
							 <div class="para">
								<em class="parameter"><code>no_probe</code></em> — Toggle EISA/VLB controller probing
							</div>
							 <div class="para">
								<em class="parameter"><code>probe_eisa_vl</code></em> — Toggle EISA/VLB controller probing
							</div>
							 <div class="para">
								<em class="parameter"><code>no_reset</code></em> — Supress initial bus resets
							</div>
							 <div class="para">
								<em class="parameter"><code>extended</code></em> — Enable extended geometry on all controllers
							</div>
							 <div class="para">
								<em class="parameter"><code>periodic_otag</code></em> — Send an ordered tagged transaction periodically to prevent tag starvation. This may be required by some older disk drives or RAID arrays.
							</div>
							 <div class="para">
								<em class="parameter"><code>tag_info:&lt;tag_str&gt;</code></em> — Set per-target tag depth
							</div>
							 <div class="para">
								<em class="parameter"><code>global_tag_depth:&lt;int&gt;</code></em> — Global tag depth for every target on every bus
							</div>
							 <div class="para">
								<em class="parameter"><code>seltime:&lt;int&gt;</code></em> — Selection Timeout (0/256ms,1/128ms,2/64ms,3/32ms)
							</div>

</td></tr><tr><td>
							IBM ServeRAID
						</td><td>
							<code class="filename">ips.ko</code>
						</td><td>
						</td></tr><tr><td>
							LSI Logic MegaRAID Mailbox Driver
						</td><td>
							<code class="filename">megaraid_mbox.ko</code>
						</td><td>
							<div class="para">
								<em class="parameter"><code>unconf_disks</code></em> — Set to expose unconfigured disks to kernel (default=0)
							</div>
							 <div class="para">
								<em class="parameter"><code>busy_wait</code></em> — Max wait for mailbox in microseconds if busy (default=10)
							</div>
							 <div class="para">
								<em class="parameter"><code>max_sectors</code></em> — Maximum number of sectors per IO command (default=128)
							</div>
							 <div class="para">
								<em class="parameter"><code>cmd_per_lun</code></em> — Maximum number of commands per logical unit (default=64)
							</div>
							 <div class="para">
								<em class="parameter"><code>fast_load</code></em> — Faster loading of the driver, skips physical devices! (default=0)
							</div>
							 <div class="para">
								<em class="parameter"><code>debug_level</code></em> — Debug level for driver (default=0)
							</div>

</td></tr><tr><td>
							Emulex LightPulse Fibre Channel SCSI driver
						</td><td>
							<code class="filename">lpfc.ko</code>
						</td><td>
							<div class="para">
								<em class="parameter"><code>lpfc_poll</code></em> — FCP ring polling mode control: 0 - none, 1 - poll with interrupts enabled 3 - poll and disable FCP ring interrupts
							</div>
							 <div class="para">
								<em class="parameter"><code>lpfc_log_verbose</code></em> — Verbose logging bit-mask
							</div>
							 <div class="para">
								<em class="parameter"><code>lpfc_lun_queue_depth</code></em> — Max number of FCP commands we can queue to a specific LUN
							</div>
							 <div class="para">
								<em class="parameter"><code>lpfc_hba_queue_depth</code></em> — Max number of FCP commands we can queue to a lpfc HBA
							</div>
							 <div class="para">
								<em class="parameter"><code>lpfc_scan_down</code></em> — Start scanning for devices from highest ALPA to lowest
							</div>
							 <div class="para">
								<em class="parameter"><code>lpfc_nodev_tmo</code></em> — Seconds driver will hold I/O waiting for a device to come back
							</div>
							 <div class="para">
								<em class="parameter"><code>lpfc_topology</code></em> — Select Fibre Channel topology
							</div>
							 <div class="para">
								<em class="parameter"><code>lpfc_link_speed</code></em> — Select link speed
							</div>
							 <div class="para">
								<em class="parameter"><code>lpfc_fcp_class</code></em> — Select Fibre Channel class of service for FCP sequences
							</div>
							 <div class="para">
								<em class="parameter"><code>lpfc_use_adisc</code></em> — Use ADISC on rediscovery to authenticate FCP devices
							</div>
							 <div class="para">
								<em class="parameter"><code>lpfc_ack0</code></em> — Enable ACK0 support
							</div>
							 <div class="para">
								<em class="parameter"><code>lpfc_cr_delay</code></em> — A count of milliseconds after which an interrupt response is generated
							</div>
							 <div class="para">
								<em class="parameter"><code>lpfc_cr_count</code></em> — A count of I/O completions after which an interrupt response is generated
							</div>
							 <div class="para">
								<em class="parameter"><code>lpfc_multi_ring_support</code></em> — Determines number of primary SLI rings to spread IOCB entries across
							</div>
							 <div class="para">
								<em class="parameter"><code>lpfc_fdmi_on</code></em> — Enable FDMI support
							</div>
							 <div class="para">
								<em class="parameter"><code>lpfc_discovery_threads</code></em> — Maximum number of ELS commands during discovery
							</div>
							 <div class="para">
								<em class="parameter"><code>lpfc_max_luns</code></em> — Maximum allowed LUN
							</div>
							 <div class="para">
								<em class="parameter"><code>lpfc_poll_tmo</code></em> — Milliseconds driver will wait between polling FCP ring
							</div>

</td></tr><tr><td>
							HP Smart Array
						</td><td>
							cciss.ko
						</td><td>
						</td></tr><tr><td>
							LSI Logic MPT Fusion
						</td><td>
							mptbase.ko mptctl.ko mptfc.ko mptlan.ko mptsas.ko mptscsih.ko mptspi.ko
						</td><td>
							<div class="para">
								<em class="parameter"><code>mpt_msi_enable</code></em> — MSI Support Enable
							</div>
							 <div class="para">
								<em class="parameter"><code>mptfc_dev_loss_tmo</code></em> — Initial time the driver programs the transport to wait for an rport to return following a device loss event.
							</div>
							 <div class="para">
								<em class="parameter"><code>mpt_pt_clear</code></em> — Clear persistency table
							</div>
							 <div class="para">
								<em class="parameter"><code>mpt_saf_te</code></em> — Force enabling SEP Processor
							</div>

</td></tr><tr><td>
							QLogic Fibre Channel Driver
						</td><td>
							qla2xxx.ko
						</td><td>
							<div class="para">
								<em class="parameter"><code>ql2xlogintimeout</code></em> — Login timeout value in seconds.
							</div>
							 <div class="para">
								<em class="parameter"><code>qlport_down_retry</code></em> — Maximum number of command retries to a port that returns a PORT-DOWN status
							</div>
							 <div class="para">
								<em class="parameter"><code>ql2xplogiabsentdevice</code></em> — Option to enable PLOGI to devices that are not present after a Fabric scan.
							</div>
							 <div class="para">
								<em class="parameter"><code>ql2xloginretrycount</code></em> — Specify an alternate value for the NVRAM login retry count.
							</div>
							 <div class="para">
								<em class="parameter"><code>ql2xallocfwdump</code></em> — Option to enable allocation of memory for a firmware dump during HBA initialization. Default is 1 - allocate memory.
							</div>
							 <div class="para">
								<em class="parameter"><code>extended_error_logging</code></em> — Option to enable extended error logging.
							</div>
							 <div class="para">
								<em class="parameter"><code>ql2xfdmienable</code></em> — Enables FDMI registrations.
							</div>

</td></tr><tr><td>
							NCR, Symbios and LSI 8xx and 1010
						</td><td>
							sym53c8xx
						</td><td>
							<div class="para">
								<em class="parameter"><code>cmd_per_lun</code></em> — The maximum number of tags to use by default
							</div>
							 <div class="para">
								<em class="parameter"><code>tag_ctrl</code></em> — More detailed control over tags per LUN
							</div>
							 <div class="para">
								<em class="parameter"><code>burst</code></em> — Maximum burst. 0 to disable, 255 to read from registers
							</div>
							 <div class="para">
								<em class="parameter"><code>led</code></em> — Set to 1 to enable LED support
							</div>
							 <div class="para">
								<em class="parameter"><code>diff</code></em> — 0 for no differential mode, 1 for BIOS, 2 for always, 3 for not GPIO3
							</div>
							 <div class="para">
								<em class="parameter"><code>irqm</code></em> — 0 for open drain, 1 to leave alone, 2 for totem pole
							</div>
							 <div class="para">
								<em class="parameter"><code>buschk</code></em> — 0 to not check, 1 for detach on error, 2 for warn on error
							</div>
							 <div class="para">
								<em class="parameter"><code>hostid</code></em> — The SCSI ID to use for the host adapters
							</div>
							 <div class="para">
								<em class="parameter"><code>verb</code></em> — 0 for minimal verbosity, 1 for normal, 2 for excessive
							</div>
							 <div class="para">
								<em class="parameter"><code>debug</code></em> — Set bits to enable debugging
							</div>
							 <div class="para">
								<em class="parameter"><code>settle</code></em> — Settle delay in seconds. Default 3
							</div>
							 <div class="para">
								<em class="parameter"><code>nvram</code></em> — Option currently not used
							</div>
							 <div class="para">
								<em class="parameter"><code>excl</code></em> — List ioport addresses here to prevent controllers from being attached
							</div>
							 <div class="para">
								<em class="parameter"><code>safe</code></em> — Set other settings to a "safe mode"
							</div>

</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="s1-modules-ethernet"><div class="titlepage"><div><div><h2 class="title" id="s1-modules-ethernet">43.5. Ethernet Parameters</h2></div></div></div><a id="id995143" class="indexterm"></a><a id="id995157" class="indexterm"></a><a id="id995174" class="indexterm"></a><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
				Most modern Ethernet-based network interface cards (NICs), do not require module parameters to alter settings. Instead, they can be configured using <code class="command">ethtool</code> or <code class="command">mii-tool</code>. Only after these tools fail to work should module parameters be adjusted. Module parameters can be viewed using the <code class="command">modinfo</code> command.
			</div></div></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				For information about using these tools, consult the man pages for <code class="command">ethtool</code>, <code class="command">mii-tool</code>, and <code class="command">modinfo</code>.
			</div></div></div><div class="table" id="tb-modules-ethernet"><h6>Table 43.2. Ethernet Module Parameters</h6><div class="table-contents"><table summary="Ethernet Module Parameters" border="1"><colgroup><col class="hardware" width="33%" /><col class="module" width="33%" /><col class="parameters" width="33%" /></colgroup><thead><tr><th>
							Hardware
						</th><th>
							Module
						</th><th>
							Parameters
						</th></tr></thead><tbody><tr><td>
							3Com EtherLink PCI III/XL Vortex (3c590, 3c592, 3c595, 3c597) Boomerang (3c900, 3c905, 3c595)
						</td><td>
							<code class="filename">3c59x.ko</code>
						</td><td>
							<div class="para">
								<em class="parameter"><code>debug</code></em> — 3c59x debug level (0-6)
							</div>
							 <div class="para">
								<em class="parameter"><code>options</code></em> — 3c59x: Bits 0-3: media type, bit 4: bus mastering, bit 9: full duplex
							</div>
							 <div class="para">
								<em class="parameter"><code>global_options</code></em> — 3c59x: same as options, but applies to all NICs if options is unset
							</div>
							 <div class="para">
								<em class="parameter"><code>full_duplex</code></em> — 3c59x full duplex setting(s) (1)
							</div>
							 <div class="para">
								<em class="parameter"><code>global_full_duplex</code></em> — 3c59x: same as full_duplex, but applies to all NICs if full_duplex is unset
							</div>
							 <div class="para">
								<em class="parameter"><code>hw_checksums</code></em> — 3c59x Hardware checksum checking by adapter(s) (0-1)
							</div>
							 <div class="para">
								<em class="parameter"><code>flow_ctrl</code></em> — 3c59x 802.3x flow control usage (PAUSE only) (0-1)
							</div>
							 <div class="para">
								<em class="parameter"><code>enable_wol</code></em> — 3c59x: Turn on Wake-on-LAN for adapter(s) (0-1)
							</div>
							 <div class="para">
								<em class="parameter"><code>global_enable_wol</code></em> — 3c59x: same as enable_wol, but applies to all NICs if enable_wol is unset
							</div>
							 <div class="para">
								<em class="parameter"><code>rx_copybreak</code></em> — 3c59x copy breakpoint for copy-only-tiny-frames
							</div>
							 <div class="para">
								<em class="parameter"><code>max_interrupt_work</code></em> — 3c59x maximum events handled per interrupt
							</div>
							 <div class="para">
								<em class="parameter"><code>compaq_ioaddr</code></em> — 3c59x PCI I/O base address (Compaq BIOS problem workaround)
							</div>
							 <div class="para">
								<em class="parameter"><code>compaq_irq</code></em> — 3c59x PCI IRQ number (Compaq BIOS problem workaround)
							</div>
							 <div class="para">
								<em class="parameter"><code>compaq_device_id</code></em> — 3c59x PCI device ID (Compaq BIOS problem workaround)
							</div>
							 <div class="para">
								<em class="parameter"><code>watchdog</code></em> — 3c59x transmit timeout in milliseconds
							</div>
							 <div class="para">
								<em class="parameter"><code>global_use_mmio</code></em> — 3c59x: same as use_mmio, but applies to all NICs if options is unset
							</div>
							 <div class="para">
								<em class="parameter"><code>use_mmio</code></em> — 3c59x: use memory-mapped PCI I/O resource (0-1)
							</div>

</td></tr><tr><td>
							RTL8139, SMC EZ Card Fast Ethernet, RealTek cards using RTL8129, or RTL8139 Fast Ethernet chipsets
						</td><td>
							<code class="filename">8139too.ko</code>
						</td><td>
						</td></tr><tr><td>
							Broadcom 4400 10/100 PCI ethernet driver
						</td><td>
							<code class="filename">b44.ko</code>
						</td><td>
							<div class="para">
								<em class="parameter"><code>b44_debug</code></em> — B44 bitmapped debugging message enable value
							</div>

</td></tr><tr><td>
							Broadcom NetXtreme II BCM5706/5708 Driver
						</td><td>
							<code class="filename">bnx2.ko</code>
						</td><td>
							<div class="para">
								<em class="parameter"><code>disable_msi</code></em> — Disable Message Signaled Interrupt (MSI)
							</div>

</td></tr><tr><td>
							Intel Ether Express/100 driver
						</td><td>
							<code class="filename">e100.ko</code>
						</td><td>
							<div class="para">
								<em class="parameter"><code>debug</code></em> — Debug level (0=none,...,16=all)
							</div>
							 <div class="para">
								<em class="parameter"><code>eeprom_bad_csum_allow</code></em> — Allow bad eeprom checksums
							</div>

</td></tr><tr><td>
							Intel EtherExpress/1000 Gigabit
						</td><td>
							<code class="filename">e1000.ko</code>
						</td><td>
							<div class="para">
								<em class="parameter"><code>TxDescriptors</code></em> — Number of transmit descriptors
							</div>
							 <div class="para">
								<em class="parameter"><code>RxDescriptors</code></em> — Number of receive descriptors
							</div>
							 <div class="para">
								<em class="parameter"><code>Speed</code></em> — Speed setting
							</div>
							 <div class="para">
								<em class="parameter"><code>Duplex</code></em> — Duplex setting
							</div>
							 <div class="para">
								<em class="parameter"><code>AutoNeg</code></em> — Advertised auto-negotiation setting
							</div>
							 <div class="para">
								<em class="parameter"><code>FlowControl</code></em> — Flow Control setting
							</div>
							 <div class="para">
								<em class="parameter"><code>XsumRX</code></em> — Disable or enable Receive Checksum offload
							</div>
							 <div class="para">
								<em class="parameter"><code>TxIntDelay</code></em> — Transmit Interrupt Delay
							</div>
							 <div class="para">
								<em class="parameter"><code>TxAbsIntDelay</code></em> — Transmit Absolute Interrupt Delay
							</div>
							 <div class="para">
								<em class="parameter"><code>RxIntDelay</code></em> — Receive Interrupt Delay
							</div>
							 <div class="para">
								<em class="parameter"><code>RxAbsIntDelay</code></em> — Receive Absolute Interrupt Delay
							</div>
							 <div class="para">
								<em class="parameter"><code>InterruptThrottleRate</code></em> — Interrupt Throttling Rate
							</div>
							 <div class="para">
								<em class="parameter"><code>SmartPowerDownEnable</code></em> — Enable PHY smart power down
							</div>
							 <div class="para">
								<em class="parameter"><code>KumeranLockLoss</code></em> — Enable Kumeran lock loss workaround
							</div>

</td></tr><tr><td>
							Myricom 10G driver (10GbE)
						</td><td>
							<code class="filename">myri10ge.ko</code>
						</td><td>
							<div class="para">
								<em class="parameter"><code>myri10ge_fw_name</code></em> — Firmware image name
							</div>
							 <div class="para">
								<em class="parameter"><code>myri10ge_ecrc_enable</code></em> — Enable Extended CRC on PCI-E
							</div>
							 <div class="para">
								<em class="parameter"><code>myri10ge_max_intr_slots</code></em> — Interrupt queue slots
							</div>
							 <div class="para">
								<em class="parameter"><code>myri10ge_small_bytes</code></em> — Threshold of small packets
							</div>
							 <div class="para">
								<em class="parameter"><code>myri10ge_msi</code></em> — Enable Message Signalled Interrupts
							</div>
							 <div class="para">
								<em class="parameter"><code>myri10ge_intr_coal_delay</code></em> — Interrupt coalescing delay
							</div>
							 <div class="para">
								<em class="parameter"><code>myri10ge_flow_control</code></em> — Pause parameter
							</div>
							 <div class="para">
								<em class="parameter"><code>myri10ge_deassert_wait</code></em> — Wait when deasserting legacy interrupts
							</div>
							 <div class="para">
								<em class="parameter"><code>myri10ge_force_firmware</code></em> — Force firmware to assume aligned completions
							</div>
							 <div class="para">
								<em class="parameter"><code>myri10ge_skb_cross_4k</code></em> — Can a small skb cross a 4KB boundary?
							</div>
							 <div class="para">
								<em class="parameter"><code>myri10ge_initial_mtu</code></em> — Initial MTU
							</div>
							 <div class="para">
								<em class="parameter"><code>myri10ge_napi_weight</code></em> — Set NAPI weight
							</div>
							 <div class="para">
								<em class="parameter"><code>myri10ge_watchdog_timeout</code></em> — Set watchdog timeout
							</div>
							 <div class="para">
								<em class="parameter"><code>myri10ge_max_irq_loops</code></em> — Set stuck legacy IRQ detection threshold
							</div>

</td></tr><tr><td>
							NatSemi DP83815 Fast Ethernet
						</td><td>
							<code class="filename">natsemi.ko</code>
						</td><td>
							<div class="para">
								<em class="parameter"><code>mtu</code></em> — DP8381x MTU (all boards)
							</div>
							 <div class="para">
								<em class="parameter"><code>debug</code></em> — DP8381x default debug level
							</div>
							 <div class="para">
								<em class="parameter"><code>rx_copybreak</code></em> — DP8381x copy breakpoint for copy-only-tiny-frames
							</div>
							 <div class="para">
								<em class="parameter"><code>options</code></em> — DP8381x: Bits 0-3: media type, bit 17: full duplex
							</div>
							 <div class="para">
								<em class="parameter"><code>full_duplex</code></em> — DP8381x full duplex setting(s) (1)
							</div>

</td></tr><tr><td>
							AMD PCnet32 and AMD PCnetPCI
						</td><td>
							<code class="filename">pcnet32.ko</code>
						</td><td>
						</td></tr><tr><td>
							PCnet32 and PCnetPCI
						</td><td>
							<code class="filename">pcnet32.ko</code>
						</td><td>
							<div class="para">
								<em class="parameter"><code>debug</code></em> — pcnet32 debug level
							</div>
							 <div class="para">
								<em class="parameter"><code>max_interrupt_work</code></em> — pcnet32 maximum events handled per interrupt
							</div>
							 <div class="para">
								<em class="parameter"><code>rx_copybreak</code></em> — pcnet32 copy breakpoint for copy-only-tiny-frames
							</div>
							 <div class="para">
								<em class="parameter"><code>tx_start_pt</code></em> — pcnet32 transmit start point (0-3)
							</div>
							 <div class="para">
								<em class="parameter"><code>pcnet32vlb</code></em> — pcnet32 Vesa local bus (VLB) support (0/1)
							</div>
							 <div class="para">
								<em class="parameter"><code>options</code></em> — pcnet32 initial option setting(s) (0-15)
							</div>
							 <div class="para">
								<em class="parameter"><code>full_duplex</code></em> — pcnet32 full duplex setting(s) (1)
							</div>
							 <div class="para">
								<em class="parameter"><code>homepna</code></em> — pcnet32 mode for 79C978 cards (1 for HomePNA, 0 for Ethernet, default Ethernet
							</div>

</td></tr><tr><td>
							RealTek RTL-8169 Gigabit Ethernet driver
						</td><td>
							<code class="filename">r8169.ko</code>
						</td><td>
							<div class="para">
								<em class="parameter"><code>media</code></em> — force phy operation. Deprecated by ethtool (8).
							</div>
							 <div class="para">
								<em class="parameter"><code>rx_copybreak</code></em> — Copy breakpoint for copy-only-tiny-frames
							</div>
							 <div class="para">
								<em class="parameter"><code>use_dac</code></em> — Enable PCI DAC. Unsafe on 32 bit PCI slot.
							</div>
							 <div class="para">
								<em class="parameter"><code>debug</code></em> — Debug verbosity level (0=none, ..., 16=all)
							</div>

</td></tr><tr><td>
							Neterion Xframe 10GbE Server Adapter
						</td><td>
							<code class="filename">s2io.ko</code>
						</td><td>
						</td></tr><tr><td>
							SIS 900/701G PCI Fast Ethernet
						</td><td>
							<code class="filename">sis900.ko</code>
						</td><td>
							<div class="para">
								<em class="parameter"><code>multicast_filter_limit</code></em> — SiS 900/7016 maximum number of filtered multicast addresses
							</div>
							 <div class="para">
								<em class="parameter"><code>max_interrupt_work</code></em> — SiS 900/7016 maximum events handled per interrupt
							</div>
							 <div class="para">
								<em class="parameter"><code>sis900_debug</code></em> — SiS 900/7016 bitmapped debugging message level
							</div>

</td></tr><tr><td>
							Adaptec Starfire Ethernet driver
						</td><td>
							<code class="filename">starfire.ko</code>
						</td><td>
							<div class="para">
								<em class="parameter"><code>max_interrupt_work</code></em> — Maximum events handled per interrupt
							</div>
							 <div class="para">
								<em class="parameter"><code>mtu</code></em> — MTU (all boards)
							</div>
							 <div class="para">
								<em class="parameter"><code>debug</code></em> — Debug level (0-6)
							</div>
							 <div class="para">
								<em class="parameter"><code>rx_copybreak</code></em> — Copy breakpoint for copy-only-tiny-frames
							</div>
							 <div class="para">
								<em class="parameter"><code>intr_latency</code></em> — Maximum interrupt latency, in microseconds
							</div>
							 <div class="para">
								<em class="parameter"><code>small_frames</code></em> — Maximum size of receive frames that bypass interrupt latency (0,64,128,256,512)
							</div>
							 <div class="para">
								<em class="parameter"><code>options</code></em> — Deprecated: Bits 0-3: media type, bit 17: full duplex
							</div>
							 <div class="para">
								<em class="parameter"><code>full_duplex</code></em> — Deprecated: Forced full-duplex setting (0/1)
							</div>
							 <div class="para">
								<em class="parameter"><code>enable_hw_cksum</code></em> — Enable/disable hardware cksum support (0/1)
							</div>

</td></tr><tr><td>
							Broadcom Tigon3
						</td><td>
							<code class="filename">tg3.ko</code>
						</td><td>
							<div class="para">
								<em class="parameter"><code>tg3_debug</code></em> — Tigon3 bitmapped debugging message enable value
							</div>

</td></tr><tr><td>
							ThunderLAN PCI
						</td><td>
							<code class="filename">tlan.ko</code>
						</td><td>
							<div class="para">
								<em class="parameter"><code>aui</code></em> — ThunderLAN use AUI port(s) (0-1)
							</div>
							 <div class="para">
								<em class="parameter"><code>duplex</code></em> — ThunderLAN duplex setting(s) (0-default, 1-half, 2-full)
							</div>
							 <div class="para">
								<em class="parameter"><code>speed</code></em> — ThunderLAN port speen setting(s) (0,10,100)
							</div>
							 <div class="para">
								<em class="parameter"><code>debug</code></em> — ThunderLAN debug mask
							</div>
							 <div class="para">
								<em class="parameter"><code>bbuf</code></em> — ThunderLAN use big buffer (0-1)
							</div>

</td></tr><tr><td>
							Digital 21x4x Tulip PCI Ethernet cards SMC EtherPower 10 PCI(8432T/8432BT) SMC EtherPower 10/100 PCI(9332DST) DEC EtherWorks 100/10 PCI(DE500-XA) DEC EtherWorks 10 PCI(DE450) DEC QSILVER's, Znyx 312 etherarray Allied Telesis LA100PCI-T Danpex EN-9400, Cogent EM110
						</td><td>
							<code class="filename">tulip.ko</code>
						</td><td>
							<em class="parameter"><code>io</code></em> <em class="replaceable"><code>io_port</code></em>
						</td></tr><tr><td>
							VIA Rhine PCI Fast Ethernet cards with either the VIA VT86c100A Rhine-II PCI or 3043 Rhine-I D-Link DFE-930-TX PCI 10/100
						</td><td>
							<code class="filename">via-rhine.ko</code>
						</td><td>
							<div class="para">
								<em class="parameter"><code>max_interrupt_work</code></em> — VIA Rhine maximum events handled per interrupt
							</div>
							 <div class="para">
								<em class="parameter"><code>debug</code></em> — VIA Rhine debug level (0-7)
							</div>
							 <div class="para">
								<em class="parameter"><code>rx_copybreak</code></em> — VIA Rhine copy breakpoint for copy-only-tiny-frames
							</div>
							 <div class="para">
								<em class="parameter"><code>avoid_D3</code></em> — Avoid power state D3 (work-around for broken BIOSes)
							</div>

</td></tr></tbody></table></div></div><br class="table-break" /><div class="section" id="s2-modules-multiple-eth"><div class="titlepage"><div><div><h3 class="title" id="s2-modules-multiple-eth">43.5.1. Using Multiple Ethernet Cards</h3></div></div></div><a id="id864884" class="indexterm"></a><div class="para">
				It is possible to use multiple Ethernet cards on a single machine. For each card there must be an <code class="command">alias</code> and, possibly, <code class="command">options</code> lines for each card in <code class="filename">/etc/modprobe.conf</code>.
			</div><div class="para">
				For additional information about using multiple Ethernet cards, refer to the <em class="citetitle">Linux Ethernet-HOWTO</em> online at <a href="http://www.redhat.com/mirrors/LDP/HOWTO/Ethernet-HOWTO.html">http://www.redhat.com/mirrors/LDP/HOWTO/Ethernet-HOWTO.html</a>.
			</div></div><div class="section" id="s2-modules-bonding"><div class="titlepage"><div><div><h3 class="title" id="s2-modules-bonding">43.5.2. The Channel Bonding Module</h3></div></div></div><a id="id864940" class="indexterm"></a><div class="para">
				Red Hat Enterprise Linux allows administrators to bind NICs together into a single channel using the <code class="filename">bonding</code> kernel module and a special network interface, called a <em class="firstterm">channel bonding interface</em>. Channel bonding enables two or more network interfaces to act as one, simultaneously increasing the bandwidth and providing redundancy.
			</div><div class="para">
				To channel bond multiple network interfaces, the administrator must perform the following steps:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Add the following line to <code class="filename">/etc/modprobe.conf</code>:
					</div><pre class="screen">alias bond<em class="replaceable"><code>&lt;N&gt;</code></em> bonding</pre><div class="para">
						Replace <em class="replaceable"><code>&lt;N&gt;</code></em> with the interface number, such as <code class="command">0</code>. For each configured channel bonding interface, there must be a corresponding entry in <code class="filename">/etc/modprobe.conf</code>.
					</div></li><li class="listitem"><div class="para">
						Configure a channel bonding interface as outlined in <a class="xref" href="#s2-networkscripts-interfaces-chan">Section 15.2.3, “Channel Bonding Interfaces”</a>.
					</div></li><li class="listitem"><div class="para">
						To enhance performance, adjust available module options to ascertain what combination works best. Pay particular attention to the <code class="command">miimon</code> or <code class="command">arp_interval</code> and the <code class="command">arp_ip_target</code> parameters. Refer to <a class="xref" href="#s3-modules-bonding-directives">Section 43.5.2.1, “bonding Module Directives”</a> for a list of available options and how to quickly determine the best ones for your bonded interface.
					</div></li></ol></div><div class="section" id="s3-modules-bonding-directives"><div class="titlepage"><div><div><h4 class="title" id="s3-modules-bonding-directives">43.5.2.1. bonding Module Directives</h4></div></div></div><a id="id865061" class="indexterm"></a><div class="para">
					It is a good idea to test which channel bonding module parameters work best for your bonded interfaces before adding them to the <em class="parameter"><code>BONDING_OPTS="<em class="replaceable"><code>&lt;bonding parameters&gt;</code></em>"</code></em> directive in your bonding interface configuration file (<code class="filename">ifcfg-bond0</code> for example). Parameters to bonded interfaces can be configured without unloading (and reloading) the bonding module by manipulating files in the <code class="systemitem">sysfs</code> file system.
				</div><div class="para">
					<code class="systemitem">sysfs</code> is a virtual file system that represents kernel objects as directories, files and symbolic links. <code class="systemitem">sysfs</code> can be used to query for information about kernel objects, and can also manipulate those objects through the use of normal file system commands. The <code class="systemitem">sysfs</code> virtual file system has a line in <code class="filename">/etc/fstab</code>, and is mounted under <code class="filename">/sys</code>. All bonded interfaces can be configured dynamically by interacting with and manipulating files under the <code class="filename">/sys/class/net/</code> directory.
				</div><div class="para">
					After you have created a channel bonding interface file such as <code class="filename">ifcfg-bond0</code> and inserted <em class="parameter"><code>SLAVE=yes</code></em> and <em class="parameter"><code>MASTER=bond0</code></em> directives in the bonded interfaces following the instructions in <a class="xref" href="#s2-networkscripts-interfaces-chan">Section 15.2.3, “Channel Bonding Interfaces”</a>, you can proceed to testing and determining the best parameters for your bonded interface.
				</div><div class="para">
					First, bring up the bond you created by running <code class="command">ifconfig <code class="option">bond<em class="replaceable"><code>&lt;N&gt;</code></em> </code> <code class="option">up</code> </code> as root:
				</div><pre class="screen"><code class="command">ifconfig bond0 up</code></pre><div class="para">
					If you have correctly created the <code class="filename">ifcfg-bond0</code> bonding interface file, you will be able to see <code class="computeroutput">bond0</code> listed in the output of running <code class="command">ifconfig</code> (without any options):
				</div><pre class="screen">~]# <code class="command">ifconfig</code>
bond0     Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING MASTER MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
eth0      Link encap:Ethernet  HWaddr 52:54:00:26:9E:F1
          inet addr:192.168.122.251  Bcast:192.168.122.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe26:9ef1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:207 errors:0 dropped:0 overruns:0 frame:0
          TX packets:205 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:70374 (68.7 KiB)  TX bytes:25298 (24.7 KiB)
<span class="emphasis"><em>[output truncated]</em></span></pre><div class="para">
					To view all existing bonds, even if they are not up, run:
				</div><pre class="screen">~]# <code class="command">cat /sys/class/net/bonding_masters</code>
bond0</pre><div class="para">
					You can configure each bond individually by manipulating the files located in the <code class="filename">/sys/class/net/bond<em class="replaceable"><code>&lt;N&gt;</code></em>/bonding/</code> directory. First, the bond you are configuring must be taken down:
				</div><pre class="screen"><code class="command">ifconfig bond0 down</code></pre><div class="para">
					As an example, to enable MII monitoring on bond0 with a 1 second interval, you could run (as root):
				</div><pre class="screen"><code class="command">echo 1000 &gt; /sys/class/net/bond0/bonding/miimon</code></pre><div class="para">
					To configure bond0 for <em class="parameter"><code>balance-alb</code></em> mode, you could run either:
				</div><pre class="screen"><code class="command">echo 6 &gt; /sys/class/net/bond0/bonding/mode</code></pre><div class="para">
					...or, using the name of the mode:
				</div><pre class="screen"><code class="command">echo balance-alb &gt; /sys/class/net/bond0/bonding/mode</code></pre><div class="para">
					After configuring some options for the bond in question, you can bring it up and test it by running <code class="command">ifconfig bond<em class="replaceable"><code>&lt;N&gt;</code></em> <code class="option">up</code> </code>. If you decide to change the options, take the interface down, modify its parameters using <code class="systemitem">sysfs</code>, bring it back up, and re-test.
				</div><div class="para">
					Once you have determined the best set of parameters for your bond, add those parameters as a space-separated list to the <em class="parameter"><code>BONDING_OPTS=</code></em> directive of the <code class="filename">/etc/sysconfig/network-scripts/ifcfg-bond<em class="replaceable"><code>&lt;N&gt;</code></em> </code> file for the bonded interface you are configuring. Whenever that bond is brought up (for example, by the system during the boot sequence if the <em class="parameter"><code>ONBOOT=yes</code></em> directive is set), the bonding options specified in the <em class="parameter"><code>BONDING_OPTS</code></em> will take effect for that bond. For more information on configuring bonded interfaces (and <em class="parameter"><code>BONDING_OPTS</code></em>), refer to <a class="xref" href="#s2-networkscripts-interfaces-chan">Section 15.2.3, “Channel Bonding Interfaces”</a>.
				</div><div class="para">
					The following is a list of available channel bonding module parameters for the <code class="filename">bonding</code> module. For more in-depth information on configuring channel bonding and the exhaustive list of bonding module parameters, install the <span class="package">kernel-doc</span> package and then locating and opening the included <code class="filename">bonding.txt</code> file:
				</div><pre class="screen"><code class="command">yum -y install kernel-doc</code>
<code class="command">nano -w $(rpm -ql kernel-doc | grep bonding.txt)</code></pre><div class="variablelist"><h6>Bonding Interface Parameters</h6><dl><dt class="varlistentry"><span class="term"> <code class="literal">arp_interval=<em class="replaceable"><code>&lt;time_in_milliseconds&gt;</code></em> </code> </span></dt><dd><div class="para">
								Specifies (in milliseconds) how often ARP monitoring occurs.
							</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
									It is essential that both <code class="literal">arp_interval</code> and <code class="literal">arp_ip_target</code> parameters are specified, or, alternatively, the <code class="literal">miimon</code> parameter is specified. Failure to do so can cause degradation of network performance in the event that a link fails.
								</div></div></div><div class="para">
								If using this setting while in <code class="literal">mode=0</code> or <code class="literal">mode=1</code> (the two load-balancing modes), the network switch must be configured to distribute packets evenly across the NICs. For more information on how to accomplish this, refer to <code class="filename">/usr/share/doc/kernel-doc-<em class="replaceable"><code>&lt;kernel_version&gt;</code></em>/Documentation/networking/bonding.txt</code>
							</div><div class="para">
								The value is set to <strong class="userinput"><code>0</code></strong> by default, which disables it.
							</div></dd><dt class="varlistentry"><span class="term"> <code class="literal">arp_ip_target=<em class="replaceable"><code>&lt;ip_address&gt;</code></em> [<span class="optional">,<em class="replaceable"><code>&lt;ip_address_2&gt;</code></em>,...<em class="replaceable"><code>&lt;ip_address_16&gt;</code></em> </span>] </code> </span></dt><dd><div class="para">
								Specifies the target IP address of ARP requests when the <code class="literal">arp_interval</code> parameter is enabled. Up to 16 IP addresses can be specified in a comma separated list.
							</div></dd><dt class="varlistentry"><span class="term"> <code class="literal">arp_validate=<em class="replaceable"><code>&lt;value&gt;</code></em> </code> </span></dt><dd><div class="para">
								Validate source/distribution of ARP probes; default is <strong class="userinput"><code>none</code></strong>. Other valid values are <strong class="userinput"><code>active</code></strong>, <strong class="userinput"><code>backup</code></strong>, and <strong class="userinput"><code>all</code></strong>.
							</div></dd><dt class="varlistentry"><span class="term"> <code class="literal">debug=<em class="replaceable"><code>&lt;number&gt;</code></em> </code> </span></dt><dd><div class="para">
								Enables debug messages. Possible values are:
							</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
										<strong class="userinput"><code>0</code></strong> — Debug messages are disabled. This is the default.
									</div></li><li class="listitem"><div class="para">
										<strong class="userinput"><code>1</code></strong> — Debug messages are enabled.
									</div></li></ul></div></dd><dt class="varlistentry"><span class="term"> <code class="literal">downdelay=<em class="replaceable"><code>&lt;time_in_milliseconds&gt;</code></em> </code> </span></dt><dd><div class="para">
								Specifies (in milliseconds) how long to wait after link failure before disabling the link. The value must be a multiple of the value specified in the <code class="literal">miimon</code> parameter. The value is set to <strong class="userinput"><code>0</code></strong> by default, which disables it.
							</div></dd><dt class="varlistentry"><span class="term">lacp_rate=<em class="replaceable"><code>&lt;value&gt;</code></em> </span></dt><dd><div class="para">
								Specifies the rate at which link partners should transmit LACPDU packets in 802.3ad mode. Possible values are:
							</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
										<strong class="userinput"><code>slow</code></strong> or <strong class="userinput"><code>0</code></strong> — Default setting. This specifies that partners should transmit LACPDUs every 30 seconds.
									</div></li><li class="listitem"><div class="para">
										<strong class="userinput"><code>fast</code></strong> or <strong class="userinput"><code>1</code></strong> — Specifies that partners should transmit LACPDUs every 1 second.
									</div></li></ul></div></dd><dt class="varlistentry"><span class="term"> <code class="literal">miimon=<em class="replaceable"><code>&lt;time_in_milliseconds&gt;</code></em> </code> </span></dt><dd><div class="para">
								Specifies (in milliseconds) how often MII link monitoring occurs. This is useful if high availability is required because MII is used to verify that the NIC is active. To verify that the driver for a particular NIC supports the MII tool, type the following command as root:
							</div><pre class="screen"><code class="command">ethtool <em class="replaceable"><code>&lt;interface_name&gt;</code></em> | grep "Link detected:"</code></pre><div class="para">
								In this command, replace <em class="replaceable"><code>&lt;interface_name</code></em>&gt; with the name of the device interface, such as <strong class="userinput"><code>eth0</code></strong>, not the bond interface. If MII is supported, the command returns:
							</div><pre class="screen">Link detected: yes</pre><div class="para">
								If using a bonded interface for high availability, the module for each NIC must support MII. Setting the value to <strong class="userinput"><code>0</code></strong> (the default), turns this feature off. When configuring this setting, a good starting point for this parameter is <strong class="userinput"><code>100</code></strong>.
							</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
									It is essential that both <code class="literal">arp_interval</code> and <code class="literal">arp_ip_target</code> parameters are specified, or, alternatively, the <code class="literal">miimon</code> parameter is specified. Failure to do so can cause degradation of network performance in the event that a link fails.
								</div></div></div></dd><dt class="varlistentry"><span class="term"> <code class="literal">mode=<em class="replaceable"><code>&lt;value&gt;</code></em> </code> </span></dt><dd><div class="para">
								...where <em class="replaceable"><code>&lt;value&gt;</code></em> is one of:
							</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
										<strong class="userinput"><code>balance-rr</code></strong> or <strong class="userinput"><code>0</code></strong> — Sets a round-robin policy for fault tolerance and load balancing. Transmissions are received and sent out sequentially on each bonded slave interface beginning with the first one available.
									</div></li><li class="listitem"><div class="para">
										<strong class="userinput"><code>active-backup</code></strong> or <strong class="userinput"><code>1</code></strong> — Sets an active-backup policy for fault tolerance. Transmissions are received and sent out via the first available bonded slave interface. Another bonded slave interface is only used if the active bonded slave interface fails.
									</div></li><li class="listitem"><div class="para">
										<strong class="userinput"><code>balance-xor</code></strong> or <strong class="userinput"><code>2</code></strong> — Sets an XOR (exclusive-or) policy for fault tolerance and load balancing. Using this method, the interface matches up the incoming request's MAC address with the MAC address for one of the slave NICs. Once this link is established, transmissions are sent out sequentially beginning with the first available interface.
									</div></li><li class="listitem"><div class="para">
										<strong class="userinput"><code>broadcast</code></strong> or <strong class="userinput"><code>3</code></strong> — Sets a broadcast policy for fault tolerance. All transmissions are sent on all slave interfaces.
									</div></li><li class="listitem"><div class="para">
										<strong class="userinput"><code>802.3ad</code></strong> or <strong class="userinput"><code>4</code></strong> — Sets an IEEE 802.3ad dynamic link aggregation policy. Creates aggregation groups that share the same speed and duplex settings. Transmits and receives on all slaves in the active aggregator. Requires a switch that is 802.3ad compliant.
									</div></li><li class="listitem"><div class="para">
										<strong class="userinput"><code>balance-tlb</code></strong> or <strong class="userinput"><code>5</code></strong> — Sets a Transmit Load Balancing (TLB) policy for fault tolerance and load balancing. The outgoing traffic is distributed according to the current load on each slave interface. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed slave.
									</div></li><li class="listitem"><div class="para">
										<strong class="userinput"><code>balance-alb</code></strong> or <strong class="userinput"><code>6</code></strong> — Sets an Active Load Balancing (ALB) policy for fault tolerance and load balancing. Includes transmit and receive load balancing for IPV4 traffic. Receive load balancing is achieved through ARP negotiation.
									</div></li></ul></div></dd><dt class="varlistentry"><span class="term"> <code class="literal">num_unsol_na=<em class="replaceable"><code>&lt;number&gt;</code></em> </code> </span></dt><dd><div class="para">
								Specifies the number of unsolicited IPv6 Neighbor Advertisements to be issued after a failover event. One unsolicited NA is issued immediately after the failover.
							</div><div class="para">
								The valid range is <strong class="userinput"><code>0 - 255</code></strong>; the default value is <strong class="userinput"><code>1</code></strong>. This option affects only the active-backup mode.
							</div></dd><dt class="varlistentry"><span class="term"> <code class="literal">primary=<em class="replaceable"><code>&lt;interface_name&gt;</code></em> </code> </span></dt><dd><div class="para">
								Specifies the interface name, such as <strong class="userinput"><code>eth0</code></strong>, of the primary device. The <code class="literal">primary</code> device is the first of the bonding interfaces to be used and is not abandoned unless it fails. This setting is particularly useful when one NIC in the bonding interface is faster and, therefore, able to handle a bigger load.
							</div><div class="para">
								This setting is only valid when the bonding interface is in <strong class="userinput"><code>active-backup</code></strong> mode. Refer to <code class="filename"> /usr/share/doc/kernel-doc-<em class="replaceable"><code>&lt;kernel-version&gt;</code></em>/Documentation/networking/bonding.txt</code> for more information.
							</div></dd><dt class="varlistentry"><span class="term"> <code class="literal">primary_reselect=<em class="replaceable"><code>&lt;value&gt;</code></em> </code> </span></dt><dd><div class="para">
								Specifies the reselection policy for the primary slave. This affects how the primary slave is chosen to become the active slave when failure of the active slave or recovery of the primary slave occurs. This option is designed to prevent flip-flopping between the primary slave and other slaves. Possible values are:
							</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
										<strong class="userinput"><code>always</code></strong> or <strong class="userinput"><code>0</code></strong> (default) — The primary slave becomes the active slave whenever it comes back up.
									</div></li><li class="listitem"><div class="para">
										<strong class="userinput"><code>better</code></strong> or <strong class="userinput"><code>1</code></strong> — The primary slave becomes the active slave when it comes back up, if the speed and duplex of the primary slave is better than the speed and duplex of the current active slave.
									</div></li><li class="listitem"><div class="para">
										<strong class="userinput"><code>failure</code></strong> or <strong class="userinput"><code>2</code></strong> — The primary slave becomes the active slave only if the current active slave fails and the primary slave is up.
									</div></li></ul></div><div class="para">
								The <code class="literal">primary_reselect</code> setting is ignored in two cases:
							</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
										If no slaves are active, the first slave to recover is made the active slave.
									</div></li><li class="listitem"><div class="para">
										When initially enslaved, the primary slave is always made the active slave.
									</div></li></ul></div><div class="para">
								Changing the <code class="literal">primary_reselect</code> policy via <code class="systemitem">sysfs</code> will cause an immediate selection of the best active slave according to the new policy. This may or may not result in a change of the active slave, depending upon the circumstances
							</div></dd><dt class="varlistentry"><span class="term"> <code class="literal">updelay=<em class="replaceable"><code>&lt;time_in_milliseconds&gt;</code></em> </code> </span></dt><dd><div class="para">
								Specifies (in milliseconds) how long to wait before enabling a link. The value must be a multiple of the value specified in the <code class="literal">miimon</code> parameter. The value is set to <strong class="userinput"><code>0</code></strong> by default, which disables it.
							</div></dd><dt class="varlistentry"><span class="term"> <code class="literal">use_carrier=<em class="replaceable"><code>&lt;number&gt;</code></em> </code> </span></dt><dd><div class="para">
								Specifies whether or not <code class="literal">miimon</code> should use MII/ETHTOOL ioctls or <code class="function">netif_carrier_ok()</code> to determine the link state. The <code class="function">netif_carrier_ok()</code> function relies on the device driver to maintains its state with <code class="literal">netif_carrier_<em class="replaceable"><code>on/off</code></em> </code>; most device drivers support this function.
							</div><div class="para">
								The MII/ETHROOL ioctls tools utilize a deprecated calling sequence within the kernel. However, this is still configurable in case your device driver does not support <code class="literal">netif_carrier_<em class="replaceable"><code>on/off</code></em> </code>.
							</div><div class="para">
								Valid values are:
							</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
										<strong class="userinput"><code>1</code></strong> — Default setting. Enables the use of <code class="function">netif_carrier_ok()</code>.
									</div></li><li class="listitem"><div class="para">
										<strong class="userinput"><code>0</code></strong> — Enables the use of MII/ETHTOOL ioctls.
									</div></li></ul></div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
									If the bonding interface insists that the link is up when it should not be, it is possible that your network device driver does not support <code class="literal">netif_carrier_<em class="replaceable"><code>on/off</code></em> </code>.
								</div></div></div></dd><dt class="varlistentry"><span class="term"> <code class="literal">xmit_hash_policy=<em class="replaceable"><code>&lt;value&gt;</code></em> </code> </span></dt><dd><div class="para">
								Selects the transmit hash policy used for slave selection in <strong class="userinput"><code>balance-xor</code></strong> and <strong class="userinput"><code>802.3ad</code></strong> modes. Possible values are:
							</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
										<strong class="userinput"><code>0</code></strong> or <strong class="userinput"><code>layer2</code></strong> — Default setting. This option uses the XOR of hardware MAC addresses to generate the hash. The formula used is:
									</div><pre class="screen">(<em class="replaceable"><code>&lt;source_MAC_address&gt;</code></em> XOR <em class="replaceable"><code>&lt;destination_MAC&gt;</code></em>) MODULO <em class="replaceable"><code>&lt;slave_count&gt;</code></em></pre><div class="para">
										This algorithm will place all traffic to a particular network peer on the same slave, and is 802.3ad compliant.
									</div></li><li class="listitem"><div class="para">
										<strong class="userinput"><code>1</code></strong> or <strong class="userinput"><code>layer3+4</code></strong> — Uses upper layer protocol information (when available) to generate the hash. This allows for traffic to a particular network peer to span multiple slaves, although a single connection will not span multiple slaves.
									</div><div class="para">
										The formula for unfragmented TCP and UDP packets used is:
									</div><pre class="screen">((<em class="replaceable"><code>&lt;source_port&gt;</code></em> XOR <em class="replaceable"><code>&lt;dest_port&gt;</code></em>) XOR
  ((<em class="replaceable"><code>&lt;source_IP&gt;</code></em> XOR <em class="replaceable"><code>&lt;dest_IP&gt;</code></em>) AND <code class="constant">0xffff</code>)
    MODULO <em class="replaceable"><code>&lt;slave_count&gt;</code></em></pre><div class="para">
										For fragmented TCP or UDP packets and all other IP protocol traffic, the source and destination port information is omitted. For non-IP traffic, the formula is the same as the <code class="command">layer2</code> transmit hash policy.
									</div><div class="para">
										This policy intends to mimic the behavior of certain switches; particularly, Cisco switches with PFC2 as well as some Foundry and IBM products.
									</div><div class="para">
										The algorithm used by this policy is not 802.3ad compliant.
									</div></li><li class="listitem"><div class="para">
										<strong class="userinput"><code>2</code></strong> or <strong class="userinput"><code>layer2+3</code></strong> — Uses a combination of layer2 and layer3 protocol information to generate the hash.
									</div><div class="para">
										Uses XOR of hardware MAC addresses and IP addresses to generate the hash. The formula is:
									</div><pre class="screen">(((<em class="replaceable"><code>&lt;source_IP&gt;</code></em> XOR <em class="replaceable"><code>&lt;dest_IP&gt;</code></em>) AND <code class="constant">0xffff</code>) XOR
  ( <em class="replaceable"><code>&lt;source_MAC&gt;</code></em> XOR <em class="replaceable"><code>&lt;destination_MAC&gt;</code></em> ))
    MODULO <em class="replaceable"><code>&lt;slave_count&gt;</code></em></pre><div class="para">
										This algorithm will place all traffic to a particular network peer on the same slave. For non-IP traffic, the formula is the same as for the layer2 transmit hash policy.
									</div><div class="para">
										This policy is intended to provide a more balanced distribution of traffic than layer2 alone, especially in environments where a layer3 gateway device is required to reach most destinations.
									</div><div class="para">
										This algorithm is 802.3ad compliant.
									</div></li></ul></div></dd></dl></div></div></div></div><div class="section" id="s1-kernel-modules-additional-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-kernel-modules-additional-resources">43.6. Additional Resources</h2></div></div></div><div class="para">
			For more information on kernel modules and their utilities, refer to the following resources.
		</div><div class="section" id="s2-kernel-modules-installed-docs"><div class="titlepage"><div><div><h3 class="title" id="s2-kernel-modules-installed-docs">43.6.1. Installed Documentation</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">lsmod</code> man page — description and explanation of its output.
					</div></li><li class="listitem"><div class="para">
						<code class="command">insmod</code> man page — description and list of command line options.
					</div></li><li class="listitem"><div class="para">
						<code class="command">modprobe</code> man page — description and list of command line options.
					</div></li><li class="listitem"><div class="para">
						<code class="command">rmmod</code> man page — description and list of command line options.
					</div></li><li class="listitem"><div class="para">
						<code class="command">modinfo</code> man page — description and list of command line options.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/usr/share/doc/kernel-doc-<em class="replaceable"><code>&lt;version&gt;</code></em>/Documentation/kbuild/modules.txt</code> — how to compile and use kernel modules. Note you must have the <code class="filename">kernel-doc</code> package installed to read this file.
					</div></li></ul></div></div><div class="section" id="s2-kernel-modules-useful-websites"><div class="titlepage"><div><div><h3 class="title" id="s2-kernel-modules-useful-websites">43.6.2. Useful Websites</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://tldp.org/HOWTO/Module-HOWTO/">http://tldp.org/HOWTO/Module-HOWTO/</a> — <em class="citetitle">Linux Loadable Kernel Module HOWTO</em> from the Linux Documentation Project.
					</div></li></ul></div></div></div><div class="footnotes"><br /><hr width="100" align="left" /><div class="footnote"><div class="para"><sup>[<a id="ftn.id790544" href="#id790544" class="para">9</a>] </sup>
			A driver is software which enables Linux to use a particular hardware device. Without a driver, the kernel cannot communicate with attached devices.
		</div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-kdump" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 44. The kdump Crash Recovery Service</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#s1-kdump-configuration">44.1. Configuring the <code class="systemitem">kdump</code> Service</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-kdump-configuration-firstboot">44.1.1. Configuring the kdump at First Boot</a></span></dt><dt><span class="section"><a href="#s2-kdump-configuration-gui">44.1.2. Using the Kernel Dump Configuration Utility</a></span></dt><dt><span class="section"><a href="#s2-kdump-configuration-cli">44.1.3. Configuring <code class="systemitem">kdump</code> on the Command Line</a></span></dt><dt><span class="section"><a href="#s2-kdump-configuration-testing">44.1.4. Testing the Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-kdump-crash">44.2. Analyzing the Core Dump</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-kdump-crash-log">44.2.1. Displaying the Message Buffer</a></span></dt><dt><span class="section"><a href="#s2-kdump-crash-backtrace">44.2.2. Displaying a Backtrace</a></span></dt><dt><span class="section"><a href="#s2-kdump-crash-processes">44.2.3. Displaying a Process Status</a></span></dt><dt><span class="section"><a href="#s2-kdump-crash-memory">44.2.4. Displaying Virtual Memory Information</a></span></dt><dt><span class="section"><a href="#s2-kdump-crash-files">44.2.5. Displaying Open Files</a></span></dt></dl></dd><dt><span class="section"><a href="#s1-kdump-resources">44.3. Additional Resources</a></span></dt><dd><dl><dt><span class="section"><a href="#s2-kdump-resources-installed">44.3.1. Installed Documentation</a></span></dt><dt><span class="section"><a href="#s2-kdump-resources-online">44.3.2. Useful Websites</a></span></dt></dl></dd></dl></div><div class="para">
		<code class="systemitem">kdump</code> is an advanced crash dumping mechanism. When enabled, the system is booted from the context of another kernel. This second kernel reserves a small amount of memory, and its only purpose is to capture the core dump image in case the system crashes. Since being able to analyze the core dump helps significantly to determine the exact cause of the system failure, it is strongly recommended to have this feature enabled.
	</div><div class="para">
		This chapter explains how to configure, test, and use the <code class="systemitem">kdump</code> service in Red Hat Enterprise Linux, and provides a brief overview of how to analyze the resulting core dump using the <span class="application"><strong>crash</strong></span> debugging utility.
	</div><div class="section" id="s1-kdump-configuration"><div class="titlepage"><div><div><h2 class="title" id="s1-kdump-configuration">44.1. Configuring the <code class="systemitem">kdump</code> Service</h2></div></div></div><a id="id832288" class="indexterm"></a><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				To use the <code class="systemitem">kdump</code> service, you must have the <span class="package">kexec-tools</span> package installed. Refer to <a class="xref" href="#pt-pkg-management">Part II, “Package Management”</a> for more information on how to install new packages in Red Hat Enterprise Linux.
			</div></div></div><div class="para">
			This section covers three common means of configuring the <code class="systemitem">kdump</code> service: at the first boot, using the <span class="application"><strong>Kernel Dump Configuration</strong></span> graphical utility, and doing so manually on the command line. It also describes how to test the configuration to verify that everything works as expected.
		</div><div class="section" id="s2-kdump-configuration-firstboot"><div class="titlepage"><div><div><h3 class="title" id="s2-kdump-configuration-firstboot">44.1.1. Configuring the kdump at First Boot</h3></div></div></div><div class="para">
				When the system boots for the first time, a <span class="application"><strong>firstboot</strong></span> application is launched allowing you to perform a basic configuration. This includes the <code class="systemitem">kdump</code> service.
			</div><div class="figure" id="fig-kdump-firstboot"><div class="figure-contents"><div class="mediaobject"><img src="images/kdump-firstboot.png" alt="The kdump configuration screen" /><div class="longdesc"><div class="para">
							The <code class="systemitem">kdump</code> configuration screen
						</div></div></div></div><h6>Figure 44.1. The kdump configuration screen</h6></div><br class="figure-break" /><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					Unless the system has enough memory, this option will not be available. For the information on minimum memory requirements, refer to the <em class="citetitle">Required minimums</em> section of the <a href="http://www.redhat.com/rhel/compare/"><em class="citetitle">Red Hat Enterprise Linux</em> comparison chart</a>. Note that when the <code class="systemitem">kdump</code> crash recovery is enabled, the minimum memory requirements increase by the amount of memory reserved for it. This value is determined by a user, and defaults to 128 MB.
				</div></div></div><div class="section" id="s3-kdump-configuration-firstboot-enable"><div class="titlepage"><div><div><h4 class="title" id="s3-kdump-configuration-firstboot-enable">44.1.1.1. Enabling the Service</h4></div></div></div><a id="id1052830" class="indexterm"></a><div class="para">
					To start the <code class="systemitem">kdump</code> daemon at boot time, select the <span class="guilabel"><strong>Enable kdump?</strong></span> check box. This will enable the service for runlevels <code class="literal">2</code>, <code class="literal">3</code>, <code class="literal">4</code>, and <code class="literal">5</code>, and start it for the current session. Similarly, unselecting the check box will disable it for all runlevels and stop the service immediately.
				</div></div><div class="section" id="s3-kdump-configuration-firstboot-memory"><div class="titlepage"><div><div><h4 class="title" id="s3-kdump-configuration-firstboot-memory">44.1.1.2. Configuring the Memory Usage</h4></div></div></div><a id="id863961" class="indexterm"></a><div class="para">
					To configure the amount of memory that is reserved for the <code class="systemitem">kdump</code> kernel, click the up and down arrow buttons next to the <span class="guilabel"><strong>Kdump Memory</strong></span> field to increase or decrease the value. Notice that the <span class="guilabel"><strong>Usable System Memory</strong></span> field changes accordingly showing you the remaining memory that will be available to the system.
				</div></div></div><div class="section" id="s2-kdump-configuration-gui"><div class="titlepage"><div><div><h3 class="title" id="s2-kdump-configuration-gui">44.1.2. Using the Kernel Dump Configuration Utility</h3></div></div></div><a id="id864005" class="indexterm"></a><a id="id900577" class="indexterm"></a><div class="para">
				To start the <span class="application"><strong>Kernel Dump Configuration</strong></span> utility, select <span class="guimenu"><strong>Applications</strong></span> → <span class="guisubmenu"><strong>System Tools</strong></span> → <span class="guimenuitem"><strong>Kdump</strong></span> from the panel, or type <code class="command">system-config-kdump</code> at a shell prompt (for example, <span class="emphasis"><em>xterm</em></span> or <span class="emphasis"><em>GNOME Terminal</em></span>). Unless you are already authenticated, you will be prompted to enter the superuser password.
			</div><div class="figure" id="fig-kdump-kernel_dump_configuration"><div class="figure-contents"><div class="mediaobject"><img src="images/kdump-kernel_dump_configuration.png" alt="The Kernel Dump Configuration utility" /><div class="longdesc"><div class="para">
							<span class="application"><strong>Kernel Dump Configuration</strong></span>
						</div></div></div></div><h6>Figure 44.2. The Kernel Dump Configuration utility</h6></div><br class="figure-break" /><div class="para">
				The utility allows you to configure <code class="systemitem">kdump</code> as well as to enable or disable starting the service at boot time. When you are done, click <span class="guibutton"><strong>OK</strong></span> to save the changes. The system reboot will be requested.
			</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					Unless the system has enough memory, the utility will not start, and you will be presented with an error message. For the information on minimum memory requirements, refer to the <em class="citetitle">Required minimums</em> section of the <a href="http://www.redhat.com/rhel/compare/"><em class="citetitle">Red Hat Enterprise Linux</em> comparison chart</a>. Note that when the <code class="systemitem">kdump</code> crash recovery is enabled, the minimum memory requirements increase by the amount of memory reserved for it. This value is determined by a user, and defaults to 128 MB.
				</div></div></div><div class="section" id="s3-kdump-configuration-gui-enable"><div class="titlepage"><div><div><h4 class="title" id="s3-kdump-configuration-gui-enable">44.1.2.1. Enabling the Service</h4></div></div></div><a id="id1057031" class="indexterm"></a><div class="para">
					To start the <code class="systemitem">kdump</code> daemon at boot time, select the <span class="guilabel"><strong>Enable kdump</strong></span> check box. This will enable the service for runlevels <code class="literal">2</code>, <code class="literal">3</code>, <code class="literal">4</code>, and <code class="literal">5</code>, and start it for the current session. Similarly, unselecting the check box will disable it for all runlevels and stop the service immediately.
				</div></div><div class="section" id="s3-kdump-configuration-gui-memory"><div class="titlepage"><div><div><h4 class="title" id="s3-kdump-configuration-gui-memory">44.1.2.2. Configuring the Memory Usage</h4></div></div></div><a id="id1057085" class="indexterm"></a><div class="para">
					To configure the amount of memory that is reserved for the <code class="systemitem">kdump</code> kernel, click the up and down arrow buttons next to the <span class="guilabel"><strong>New kdump Memory</strong></span> field to increase or decrease the value. Notice that the <span class="guilabel"><strong>Usable Memory</strong></span> field changes accordingly showing you the remaining memory that will be available to the system.
				</div></div><div class="section" id="s3-kdump-configuration-gui-target"><div class="titlepage"><div><div><h4 class="title" id="s3-kdump-configuration-gui-target">44.1.2.3. Configuring the Target Type</h4></div></div></div><a id="id1056283" class="indexterm"></a><div class="para">
					When a kernel crash is captured, the core dump can be either stored as a file in a local file system, written directly to a device, or sent over a network using the NFS (Network File System) or SSH (Secure Shell) protocol. To change this, click the <span class="guibutton"><strong>Edit Location</strong></span> button, and select a location type as described below.
				</div><div class="figure" id="fig-kdump-kernel_dump_configuration-edit_location"><div class="figure-contents"><div class="mediaobject"><img src="images/kdump-kernel_dump_configuration-edit_location.png" alt="The Edit Location dialog" /><div class="longdesc"><div class="para">
								<span class="guilabel"><strong>Edit Location</strong></span>
							</div></div></div></div><h6>Figure 44.3. The Edit Location dialog</h6></div><br class="figure-break" /><div class="para">
					To save the dump to the local file system, select <span class="guimenuitem"><strong>file</strong></span> from the pulldown list. Optionally, if you wish to write the file to a different partition, select <span class="guimenuitem"><strong>ext3</strong></span> or <span class="guimenuitem"><strong>ext2</strong></span> from the pulldown list according to the file system you are using, and enter a valid device name to the <span class="guilabel"><strong>Enter location</strong></span> field. Note that after clicking <span class="guibutton"><strong>OK</strong></span>, you can then customize the destination directory by changing the value in the <span class="guilabel"><strong>Path</strong></span> field at the bottom.
				</div><div class="para">
					To write the dump directly to a device, select <span class="guimenuitem"><strong>raw</strong></span> from the pulldown list, and enter a valid device name (for example, <code class="literal">/dev/sdb1</code>). When you are done, click <span class="guibutton"><strong>OK</strong></span> to confirm your choice.
				</div><div class="para">
					To store the dump to a remote machine using the NFS protocol, select <span class="guimenuitem"><strong>nfs</strong></span> from the pulldown list, and enter a valid target in the <em class="replaceable"><code>hostname:directory</code></em> form (for example, <code class="literal">penguin.example.com:/export</code>). Clicking the <span class="guibutton"><strong>OK</strong></span> button will confirm your changes. Finally, edit the value of the <span class="guilabel"><strong>Path</strong></span> field to customize the destination directory (for instance, <code class="literal">cores</code>).
				</div><div class="para">
					To store the dump to a remote machine using the SSH protocol, select <span class="guimenuitem"><strong>ssh</strong></span> from the pulldown list, and enter a valid username and hostname in the <em class="replaceable"><code>username@hostname</code></em> form (for example, <code class="literal">john@penguin.example.com</code>). Clicking the <span class="guibutton"><strong>OK</strong></span> button will confirm your changes. Finally, edit the value of the <span class="guilabel"><strong>Path</strong></span> field to customize the destination directory (for instance, <code class="literal">/export/cores</code>).
				</div><div class="para">
					Refer to <a class="xref" href="#ch-openssh">Chapter 19, <em>OpenSSH</em></a> for information on how to configure an SSH server, and how to set up a key-based authentication.
				</div></div><div class="section" id="s3-kdump-configuration-gui-filtering"><div class="titlepage"><div><div><h4 class="title" id="s3-kdump-configuration-gui-filtering">44.1.2.4. Configuring the Core Collector</h4></div></div></div><div class="para">
					To reduce the size of the <code class="filename">vmcore</code> dump file, <code class="systemitem">kdump</code> allows you to specify an external application (that is, a core collector) to compress the data, and optionally leave out all irrelevant information. Currently, the only fully supported core collector is <code class="command">makedumpfile</code>.
				</div><a id="id866736" class="indexterm"></a><div class="para">
					To enable the dump file compression, make sure the <code class="option">-c</code> parameter is listed after the <code class="command">makedumpfile</code> command in the <span class="guilabel"><strong>Core Collector</strong></span> field (for example, <code class="literal">makedumpfile -c</code>).
				</div><a id="id866775" class="indexterm"></a><div class="para">
					To remove certain pages from the dump, add the <code class="option">-d <em class="replaceable"><code>value</code></em></code> parameter after the <code class="command">makedumpfile</code> command in the <span class="guilabel"><strong>Core Collector</strong></span> field. The <em class="replaceable"><code>value</code></em> is a sum of values of pages you want to omit as described in <a class="xref" href="#table-kdump-configuration-cli-filtering-makedumpfile">Table 44.1, “Supported filtering levels”</a>. For example, to remove both zero and free pages, use <code class="literal">makedumpfile -d 17</code>.
				</div><div class="para">
					Refer to the manual page for <code class="command">makedumpfile</code> for a complete list of available options.
				</div></div><div class="section" id="s3-kdump-configuration-gui-action"><div class="titlepage"><div><div><h4 class="title" id="s3-kdump-configuration-gui-action">44.1.2.5. Changing the Default Action</h4></div></div></div><div class="para">
					To choose what action to perform when <code class="systemitem">kdump</code> fails to create a core dump, select the appropriate option from the <span class="guilabel"><strong>Default Action</strong></span> pulldown list. Available options are <span class="guimenuitem"><strong>mount rootfs and run /sbin/init</strong></span> (the default action), <span class="guimenuitem"><strong>reboot</strong></span> (to reboot the system), <span class="guimenuitem"><strong>shell</strong></span> (to present a user with an interactive shell prompt), and <span class="guimenuitem"><strong>halt</strong></span> (to halt the system).
				</div></div></div><div class="section" id="s2-kdump-configuration-cli"><div class="titlepage"><div><div><h3 class="title" id="s2-kdump-configuration-cli">44.1.3. Configuring <code class="systemitem">kdump</code> on the Command Line</h3></div></div></div><div class="para">
				To perform actions described in this section, you have to be logged in as a superuser:
			</div><pre class="screen">~]$ <code class="command">su -</code>
Password:</pre><div class="section" id="s3-kdump-configuration-cli-memory"><div class="titlepage"><div><div><h4 class="title" id="s3-kdump-configuration-cli-memory">44.1.3.1. Configuring the Memory Usage</h4></div></div></div><a id="id866910" class="indexterm"></a><div class="para">
					To configure the amount of memory that is reserved for the <code class="systemitem">kdump</code> kernel, open the <code class="filename">/boot/grub/grub.conf</code> file in a text editor and add the <code class="option">crashkernel=<em class="replaceable"><code>&lt;size&gt;</code></em>M@16M</code> parameter to the list of kernel options as shown in <a class="xref" href="#ex-kdump-configuration-cli-memory-grub">Example 44.1, “A sample <code class="filename">/boot/grub/grub.conf</code> file”</a>.
				</div><a id="id866954" class="indexterm"></a><a id="id866974" class="indexterm"></a><a id="id866994" class="indexterm"></a><div class="example" id="ex-kdump-configuration-cli-memory-grub"><h6>Example 44.1. A sample <code class="filename">/boot/grub/grub.conf</code> file</h6><div class="example-contents"><pre class="screen"># grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/sda3
#          initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18-274.3.1.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-274.3.1.el5 ro root=/dev/sda3 crashkernel=128M@16M
        initrd /initrd-2.6.18-274.3.1.el5.img</pre></div></div><br class="example-break" /><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
						When the <code class="systemitem">kdump</code> crash recovery is enabled, the minimum memory requirements increase by the amount of memory reserved for it. This value is determined by a user, and defaults to 128 MB, as lower values proved to be unreliable. For more information on minimum memory requirements for Red Hat Enterprise Linux, refer to the <em class="citetitle">Required minimums</em> section of the <a href="http://www.redhat.com/rhel/compare/">Red Hat Enterprise Linux comparison chart</a>.
					</div></div></div></div><div class="section" id="s3-kdump-configuration-cli-target"><div class="titlepage"><div><div><h4 class="title" id="s3-kdump-configuration-cli-target">44.1.3.2. Configuring the Target Type</h4></div></div></div><a id="id867081" class="indexterm"></a><div class="para">
					When a kernel crash is captured, the core dump can be either stored as a file in a local file system, written directly to a device, or sent over a network using the NFS (Network File System) or SSH (Secure Shell) protocol. Note that only one of these options can be set at the moment. The default option is to store the <code class="filename">vmcore</code> file in the <code class="filename">/var/crash/</code> directory of the local file system. To change this, open the <code class="filename">/etc/kdump.conf</code> configuration file in a text editor and edit the options as described below.
				</div><div class="para">
					To change the local directory in which the core dump is to be saved, remove the hash sign (<span class="quote">“<span class="quote">#</span>”</span>) from the beginning of the <code class="literal">#path /var/crash</code> line, and replace the value with a desired directory path. Optionally, if you wish to write the file to a different partition, follow the same procedure with the <code class="literal">#ext3 /dev/sda3</code> line as well, and change both the file system type and the device (a device name, a file system label, and UUID are all supported) accordingly. For example:
				</div><pre class="screen">ext3 /dev/sda4
path /usr/local/cores</pre><div class="para">
					To write the dump directly to a device, remove the hash sign (<span class="quote">“<span class="quote">#</span>”</span>) from the beginning of the <code class="literal">#raw /dev/sda5</code> line, and replace the value with a desired device name. For example:
				</div><pre class="screen">raw /dev/sdb1</pre><div class="para">
					To store the dump to a remote machine using the NFS protocol, remove the hash sign (<span class="quote">“<span class="quote">#</span>”</span>) from the beginning of the <code class="literal">#net my.server.com:/export/tmp</code> line, and replace the value with a valid hostname and directory path. For example:
				</div><pre class="screen">net penguin.example.com:/export/cores</pre><div class="para">
					To store the dump to a remote machine using the SSH protocol, remove the hash sign (<span class="quote">“<span class="quote">#</span>”</span>) from the beginning of the <code class="literal">#net user@my.server.com</code> line, and replace the value with a valid username and hostname. For example:
				</div><pre class="screen">net john@penguin.example.com</pre><div class="para">
					Refer to <a class="xref" href="#ch-openssh">Chapter 19, <em>OpenSSH</em></a> for information on how to configure an SSH server, and how to set up a key-based authentication.
				</div></div><div class="section" id="s3-kdump-configuration-cli-filtering"><div class="titlepage"><div><div><h4 class="title" id="s3-kdump-configuration-cli-filtering">44.1.3.3. Configuring the Core Collector</h4></div></div></div><div class="para">
					To reduce the size of the <code class="filename">vmcore</code> dump file, <code class="systemitem">kdump</code> allows you to specify an external application (that is, a core collector) to compress the data, and optionally leave out all irrelevant information. Currently, the only fully supported core collector is <code class="command">makedumpfile</code>.
				</div><div class="para">
					To enable the core collector, open the <code class="filename">/etc/kdump.conf</code> configuration file in a text editor, remove the hash sign (<span class="quote">“<span class="quote">#</span>”</span>) from the beginning of the <code class="literal">#core_collector makedumpfile -c --message-level 1</code> line, and edit the command line options as described below.
				</div><a id="id1000602" class="indexterm"></a><div class="para">
					To enable the dump file compression, add the <code class="option">-c</code> parameter. For example:
				</div><pre class="screen">core_collector makedumpfile -c</pre><a id="id1000633" class="indexterm"></a><div class="para">
					To remove certain pages from the dump, add the <code class="option">-d <em class="replaceable"><code>value</code></em></code> parameter, where <em class="replaceable"><code>value</code></em> is a sum of values of pages you want to omit as described in <a class="xref" href="#table-kdump-configuration-cli-filtering-makedumpfile">Table 44.1, “Supported filtering levels”</a>. For example, to remove both zero and free pages, use the following:
				</div><pre class="screen">core_collector makedumpfile -d 17 -c</pre><div class="para">
					Refer to the manual page for <code class="command">makedumpfile</code> for a complete list of available options.
				</div><div class="table" id="table-kdump-configuration-cli-filtering-makedumpfile"><h6>Table 44.1. Supported filtering levels</h6><div class="table-contents"><table summary="Supported filtering levels" border="1"><colgroup><col width="25%" class="option" /><col width="75%" class="description" /></colgroup><thead><tr><th>
									Option
								</th><th>
									Description
								</th></tr></thead><tbody><tr><td>
									<code class="option">1</code>
								</td><td>
									Zero pages
								</td></tr><tr><td>
									<code class="option">2</code>
								</td><td>
									Cache pages
								</td></tr><tr><td>
									<code class="option">4</code>
								</td><td>
									Cache private
								</td></tr><tr><td>
									<code class="option">8</code>
								</td><td>
									User pages
								</td></tr><tr><td>
									<code class="option">16</code>
								</td><td>
									Free pages
								</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="s3-kdump-configuration-cli-action"><div class="titlepage"><div><div><h4 class="title" id="s3-kdump-configuration-cli-action">44.1.3.4. Changing the Default Action</h4></div></div></div><a id="id1000828" class="indexterm"></a><div class="para">
					By default, when <code class="systemitem">kdump</code> fails to create a core dump, the root file system is mounted and <code class="command">/sbin/init</code> is run. To change this behavior, open the <code class="filename">/etc/kdump.conf</code> configuration file in a text editor, remove the hash sign (<span class="quote">“<span class="quote">#</span>”</span>) from the beginning of the <code class="literal">#default shell</code> line, and replace the value with a desired action as described in <a class="xref" href="#table-kdump-configuration-cli-action-actions">Table 44.2, “Supported actions”</a>. For example:
				</div><pre class="screen">default halt</pre><div class="table" id="table-kdump-configuration-cli-action-actions"><h6>Table 44.2. Supported actions</h6><div class="table-contents"><table summary="Supported actions" border="1"><colgroup><col width="25%" class="option" /><col width="75%" class="action" /></colgroup><thead><tr><th>
									Option
								</th><th>
									Action
								</th></tr></thead><tbody><tr><td>
									<code class="option">reboot</code>
								</td><td>
									Reboot the system, losing the core in the process.
								</td></tr><tr><td>
									<code class="option">halt</code>
								</td><td>
									After failing to capture a core, halt the system.
								</td></tr><tr><td>
									<code class="option">shell</code>
								</td><td>
									Run the <span class="application"><strong>msh</strong></span> session from within the initramfs, allowing a user to record the core manually.
								</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="s3-kdump-configuration-cli-enable"><div class="titlepage"><div><div><h4 class="title" id="s3-kdump-configuration-cli-enable">44.1.3.5. Enabling the Service</h4></div></div></div><a id="id1001002" class="indexterm"></a><div class="para">
					To start the <code class="systemitem">kdump</code> daemon at boot time, type the following at a shell prompt:
				</div><pre class="screen">~]# <code class="command">chkconfig kdump on</code></pre><div class="para">
					This will enable the service for runlevels <code class="literal">2</code>, <code class="literal">3</code>, <code class="literal">4</code>, and <code class="literal">5</code>. Similarly, typing <code class="command">chkconfig kdump off</code> will disable it for all runlevels. To start the service in the current session, use the following command:
				</div><a id="id1001060" class="indexterm"></a><pre class="screen">~]# <code class="command">service kdump start</code>
No kdump initial ramdisk found.                            [WARNING]
Rebuilding /boot/initrd-2.6.18-194.8.1.el5kdump.img
Starting kdump:                                            [  OK  ]</pre><div class="para">
					For more information on runlevels and configuring services in general, refer to <a class="xref" href="#ch-services">Chapter 17, <em>Controlling Access to Services</em></a>.
				</div></div></div><div class="section" id="s2-kdump-configuration-testing"><div class="titlepage"><div><div><h3 class="title" id="s2-kdump-configuration-testing">44.1.4. Testing the Configuration</h3></div></div></div><a id="id1001106" class="indexterm"></a><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
					The commands below will cause the kernel to crash. Use caution when following these steps, and by no means use them on a production machine.
				</div></div></div><div class="para">
				To test the configuration, reboot the system with <code class="systemitem">kdump</code> enabled, and make sure that the service is running:
			</div><pre class="screen">~]# <code class="command">service kdump status</code>
Kdump is operational</pre><div class="para">
				Then type the following commands at a shell prompt:
			</div><pre class="screen">~]# <code class="command">echo 1 &gt; /proc/sys/kernel/sysrq</code>
~]# <code class="command">echo c &gt; /proc/sysrq-trigger</code></pre><div class="para">
				This will force the Linux kernel to crash, and the <code class="filename"><em class="replaceable"><code>YYYY-MM-DD</code></em>-<em class="replaceable"><code>HH:MM</code></em>/vmcore</code> file will be copied to the location you have selected in the configuration (that is, to <code class="filename">/var/crash/</code> by default).
			</div></div></div><div class="section" id="s1-kdump-crash"><div class="titlepage"><div><div><h2 class="title" id="s1-kdump-crash">44.2. Analyzing the Core Dump</h2></div></div></div><a id="id1001203" class="indexterm"></a><a id="id1001224" class="indexterm"></a><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				To analyze the <code class="filename">vmcore</code> dump file, you must have the <span class="package">crash</span> and <span class="package">kernel-debuginfo</span> packages installed. To do so, type the following at a shell prompt:
			</div><pre class="screen">~]# <code class="command">yum install --enablerepo=rhel-debuginfo crash kernel-debuginfo</code></pre><div class="para">
				Refer to <a class="xref" href="#pt-pkg-management">Part II, “Package Management”</a> for more information on how to install new packages in Red Hat Enterprise Linux.
			</div></div></div><div class="para">
			To determine the cause of the system crash, you can use the <span class="application"><strong>crash</strong></span> utility. This utility allows you to interactively analyze a running Linux system as well as a core dump created by <code class="systemitem">netdump</code>, <code class="systemitem">diskdump</code>, <code class="systemitem">xendump</code>, or <code class="systemitem">kdump</code>. When started, it presents you with an interactive prompt very similar to the GNU Debugger (GDB).
		</div><a id="id1001302" class="indexterm"></a><div class="para">
			To start the utility, type the command in the following form at a shell prompt:
		</div><pre class="screen"><code class="command">crash /var/crash/<em class="replaceable"><code>timestamp</code></em>/vmcore /usr/lib/debug/lib/modules/<em class="replaceable"><code>kernel</code></em>/vmlinux</code></pre><div class="para">
			Note that the <em class="replaceable"><code>kernel</code></em> version should be the same as the one that was captured by <code class="systemitem">kdump</code>. To find out which kernel you are currently running, use the <code class="command">uname -r</code> command.
		</div><div class="example" id="ex-kdump-crash-running"><h6>Example 44.2. Running the <code class="command">crash</code> utility</h6><div class="example-contents"><pre class="screen">~]# <code class="command">crash /var/crash/2010-08-04-17\:55/vmcore \</code>
<code class="command">/usr/lib/debug/lib/modules/2.6.18-194.8.1.el5/vmlinux</code>

crash 4.1.2-4.el5_5.1
Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009  Red Hat, Inc.
Copyright (C) 2004, 2005, 2006  IBM Corporation
Copyright (C) 1999-2006  Hewlett-Packard Co
Copyright (C) 2005, 2006  Fujitsu Limited
Copyright (C) 2006, 2007  VA Linux Systems Japan K.K.
Copyright (C) 2005  NEC Corporation
Copyright (C) 1999, 2002, 2007  Silicon Graphics, Inc.
Copyright (C) 1999, 2000, 2001, 2002  Mission Critical Linux, Inc.
This program is free software, covered by the GNU General Public License,
and you are welcome to change it and/or distribute copies of it under
certain conditions.  Enter "help copying" to see the conditions.
This program has absolutely no warranty.  Enter "help warranty" for details.
 
GNU gdb 6.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...

KERNEL: /usr/lib/debug/lib/modules/2.6.18-194.8.1.el5/vmlinux
    DUMPFILE: /var/crash/2010-08-04-17:55/vmcore
        CPUS: 1
        DATE: Wed Aug  4 17:50:41 2010
      UPTIME: 00:56:53
LOAD AVERAGE: 0.47, 0.47, 0.55
       TASKS: 128
    NODENAME: localhost.localdomain
     RELEASE: 2.6.18-194.el5
     VERSION: #1 SMP Tue Mar 16 21:52:43 EDT 2010
     MACHINE: i686  (2702 Mhz)
      MEMORY: 1 GB
       PANIC: "SysRq : Trigger a crashdump"
         PID: 6042
     COMMAND: "bash"
        TASK: f09c7000  [THREAD_INFO: e1ba9000]
         CPU: 0
       STATE: TASK_RUNNING (SYSRQ)

crash&gt;</pre></div></div><br class="example-break" /><div class="para">
			To exit the interactive prompt and terminate <span class="application"><strong>crash</strong></span>, type <code class="command">exit</code>.
		</div><div class="section" id="s2-kdump-crash-log"><div class="titlepage"><div><div><h3 class="title" id="s2-kdump-crash-log">44.2.1. Displaying the Message Buffer</h3></div></div></div><a id="id1001414" class="indexterm"></a><div class="para">
				To display the kernel message buffer, type the <code class="command">log</code> command at the interactive prompt.
			</div><div class="example" id="ex-kdump-crash-log"><h6>Example 44.3. Displaying the kernel message buffer</h6><div class="example-contents"><pre class="screen">crash&gt; <code class="command">log</code>
Linux version 2.6.18-194.el5 (mockbuild@x86-007.build.bos.redhat.com) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-48)) #1 SMP Tue Mar 16 21:52:43 EDT 2010
BIOS-provided physical RAM map:
 BIOS-e820: 0000000000010000 - 000000000009fc00 (usable)
 BIOS-e820: 000000000009fc00 - 00000000000a0000 (reserved)
 BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
 BIOS-e820: 0000000000100000 - 000000003fff0000 (usable)
 BIOS-e820: 000000003fff0000 - 0000000040000000 (ACPI data)
 BIOS-e820: 00000000fffc0000 - 0000000100000000 (reserved)
127MB HIGHMEM available.
896MB LOWMEM available.
Using x86 segment limits to approximate NX protection
On node 0 totalpages: 262128
  DMA zone: 4096 pages, LIFO batch:0
  Normal zone: 225280 pages, LIFO batch:31
  HighMem zone: 32752 pages, LIFO batch:7
DMI 2.5 present.
Using APIC driver default
<span class="emphasis"><em>... several lines omitted ...</em></span>
SysRq : Trigger a crashdump</pre></div></div><br class="example-break" /><div class="para">
				Type <code class="command">help log</code> for more information on the command usage.
			</div></div><div class="section" id="s2-kdump-crash-backtrace"><div class="titlepage"><div><div><h3 class="title" id="s2-kdump-crash-backtrace">44.2.2. Displaying a Backtrace</h3></div></div></div><a id="id1001486" class="indexterm"></a><div class="para">
				To display the kernel stack trace, type the <code class="command">bt</code> command at the interactive prompt. You can use <code class="command">bt <em class="replaceable"><code>pid</code></em></code> to display the backtrace of the selected process.
			</div><div class="example" id="ex-kdump-crash-backtrace"><h6>Example 44.4. Displaying the kernel stack trace</h6><div class="example-contents"><pre class="screen">crash&gt; <code class="command">bt</code>
PID: 6042   TASK: f09c7000  CPU: 0   COMMAND: "bash"
 #0 [e1ba9d10] schedule at c061c738
 #1 [e1ba9d28] netlink_getsockopt at c05d50bb
 #2 [e1ba9d34] netlink_queue_skip at c05d40d5
 #3 [e1ba9d40] netlink_sock_destruct at c05d506d
 #4 [e1ba9d84] sock_recvmsg at c05b6cc8
 #5 [e1ba9dd4] enqueue_task at c041eed5
 #6 [e1ba9dec] try_to_wake_up at c041f798
 #7 [e1ba9e10] vsnprintf at c04efef2
 #8 [e1ba9ec0] machine_kexec at c0419bf0
 #9 [e1ba9f04] sys_kexec_load at c04448a1
#10 [e1ba9f4c] tty_audit_exit at c0549f06
#11 [e1ba9f50] tty_audit_add_data at c0549d5d
#12 [e1ba9f84] do_readv_writev at c0476055
#13 [e1ba9fb8] system_call at c0404f10
    EAX: ffffffda  EBX: 00000001  ECX: b7f7f000  EDX: 00000002 
    DS:  007b      ESI: 00000002  ES:  007b      EDI: b7f7f000
    SS:  007b      ESP: bf83f478  EBP: bf83f498
    CS:  0073      EIP: 009ac402  ERR: 00000004  EFLAGS: 00000246</pre></div></div><br class="example-break" /><div class="para">
				Type <code class="command">help bt</code> for more information on the command usage.
			</div></div><div class="section" id="s2-kdump-crash-processes"><div class="titlepage"><div><div><h3 class="title" id="s2-kdump-crash-processes">44.2.3. Displaying a Process Status</h3></div></div></div><a id="id890287" class="indexterm"></a><div class="para">
				To display a status of processes in the system, type the <code class="command">ps</code> command at the interactive prompt. You can use <code class="command">ps <em class="replaceable"><code>pid</code></em></code> to display the status of the selected process.
			</div><div class="example" id="ex-kdump-crash-processes"><h6>Example 44.5. Displaying status of processes in the system</h6><div class="example-contents"><pre class="screen">crash&gt; <code class="command">ps</code>
   PID    PPID  CPU   TASK    ST  %MEM     VSZ    RSS  COMM
      0      0   0  c068a3c0  RU   0.0       0      0  [swapper]
      1      0   0  f7c81aa0  IN   0.1    2152    616  init
<span class="emphasis"><em>... several lines omitted ...</em></span>
   6017      1   0  e39f6550  IN   1.2   40200  13000  gnome-terminal
   6019   6017   0  e39f6000  IN   0.1    2568    708  gnome-pty-helpe
   6020   6017   0  f0421550  IN   0.1    4620   1480  bash
   6021      1   0  f7f69aa0  ??   1.2   40200  13000  gnome-terminal
   6039   6020   0  e7e84aa0  IN   0.1    5004   1300  su
&gt;  6042   6039   0  f09c7000  RU   0.1    4620   1464  bash</pre></div></div><br class="example-break" /><div class="para">
				Type <code class="command">help ps</code> for more information on the command usage.
			</div></div><div class="section" id="s2-kdump-crash-memory"><div class="titlepage"><div><div><h3 class="title" id="s2-kdump-crash-memory">44.2.4. Displaying Virtual Memory Information</h3></div></div></div><a id="id890364" class="indexterm"></a><div class="para">
				To display basic virtual memory information, type the <code class="command">vm</code> command at the interactive prompt. You can use <code class="command">vm <em class="replaceable"><code>pid</code></em></code> to display information on the selected process.
			</div><div class="example" id="ex-kdump-crash-memory"><h6>Example 44.6. Displaying virtual memory information of the current context</h6><div class="example-contents"><pre class="screen">crash&gt; <code class="command">vm</code>
PID: 6042   TASK: f09c7000  CPU: 0   COMMAND: "bash"
   MM       PGD      RSS    TOTAL_VM
e275ee40  e2b08000  1464k    4620k  
  VMA       START      END    FLAGS  FILE
e315d764    1fe000    201000     75  /lib/libtermcap.so.2.0.8
e315de9c    201000    202000 100073  /lib/libtermcap.so.2.0.8
c9b040d4    318000    46a000     75  /lib/libc-2.5.so
e315da04    46a000    46c000 100071  /lib/libc-2.5.so
e315d7b8    46c000    46d000 100073  /lib/libc-2.5.so
e315de48    46d000    470000 100073  
e315dba8    9ac000    9ad000 8040075  
c9b04a04    a2f000    a4a000    875  /lib/ld-2.5.so
c9b04374    a4a000    a4b000 100871  /lib/ld-2.5.so
e315d6bc    a4b000    a4c000 100873  /lib/ld-2.5.so
e315d908    fa1000    fa4000     75  /lib/libdl-2.5.so
e315db00    fa4000    fa5000 100071  /lib/libdl-2.5.so
e315df44    fa5000    fa6000 100073  /lib/libdl-2.5.so
e315d320    ff0000    ffa000     75  /lib/libnss_files-2.5.so
e315d668    ffa000    ffb000 100071  /lib/libnss_files-2.5.so
e315def0    ffb000    ffc000 100073  /lib/libnss_files-2.5.so
e315d374   8048000   80f5000   1875  /bin/bash
c9b045c0   80f5000   80fa000 101873  /bin/bash
<span class="emphasis"><em>... several lines omitted ...</em></span></pre></div></div><br class="example-break" /><div class="para">
				Type <code class="command">help vm</code> for more information on the command usage.
			</div></div><div class="section" id="s2-kdump-crash-files"><div class="titlepage"><div><div><h3 class="title" id="s2-kdump-crash-files">44.2.5. Displaying Open Files</h3></div></div></div><a id="id890442" class="indexterm"></a><div class="para">
				To display information about open files, type the <code class="command">files</code> command at the interactive prompt. You can use <code class="command">files <em class="replaceable"><code>pid</code></em></code> to display files opened by the selected process.
			</div><div class="example" id="ex-kdump-crash-files"><h6>Example 44.7. Displaying information about open files of the current context</h6><div class="example-contents"><pre class="screen">crash&gt; <code class="command">files</code>
PID: 6042   TASK: f09c7000  CPU: 0   COMMAND: "bash"
ROOT: /    CWD: /root
 FD    FILE     DENTRY    INODE    TYPE  PATH
  0  e33be480  e609bf70  f0e1d880  CHR   /dev/pts/1
  1  e424d8c0  d637add8  f7809b78  REG   /proc/sysrq-trigger
  2  e33be480  e609bf70  f0e1d880  CHR   /dev/pts/1
 10  e33be480  e609bf70  f0e1d880  CHR   /dev/pts/1
255  e33be480  e609bf70  f0e1d880  CHR   /dev/pts/1</pre></div></div><br class="example-break" /><div class="para">
				Type <code class="command">help files</code> for more information on the command usage.
			</div></div></div><div class="section" id="s1-kdump-resources"><div class="titlepage"><div><div><h2 class="title" id="s1-kdump-resources">44.3. Additional Resources</h2></div></div></div><div class="section" id="s2-kdump-resources-installed"><div class="titlepage"><div><div><h3 class="title" id="s2-kdump-resources-installed">44.3.1. Installed Documentation</h3></div></div></div><a id="id890525" class="indexterm"></a><a id="id890544" class="indexterm"></a><div class="variablelist"><dl><dt class="varlistentry"><span class="term"><code class="command">man kdump.conf</code></span></dt><dd><div class="para">
							The manual page for the <code class="filename">/etc/kdump.conf</code> configuration file containing the full documentation of available options.
						</div></dd><dt class="varlistentry"><span class="term"><code class="command">man kexec</code></span></dt><dd><div class="para">
							The manual page for <code class="command">kexec</code> containing the full documentation on its usage.
						</div></dd><dt class="varlistentry"><span class="term"><code class="command">man crash</code></span></dt><dd><div class="para">
							The manual page for the <span class="application"><strong>crash</strong></span> utility containing the full documentation on its usage.
						</div></dd><dt class="varlistentry"><span class="term"><code class="filename">/usr/share/doc/kexec-tools-<em class="replaceable"><code>version</code></em>/kexec-kdump-howto.txt</code></span></dt><dd><div class="para">
							An overview of the <code class="systemitem">kdump</code> and <code class="command">kexec</code> installation and usage.
						</div></dd></dl></div></div><div class="section" id="s2-kdump-resources-online"><div class="titlepage"><div><div><h3 class="title" id="s2-kdump-resources-online">44.3.2. Useful Websites</h3></div></div></div><a id="id890673" class="indexterm"></a><div class="variablelist"><dl><dt class="varlistentry"><span class="term"><a href="https://access.redhat.com/kb/docs/DOC-6039">https://access.redhat.com/kb/docs/DOC-6039</a></span></dt><dd><div class="para">
							The Red Hat Knowledgebase article about the <code class="command">kexec</code> and <code class="systemitem">kdump</code> configuration.
						</div></dd><dt class="varlistentry"><span class="term"><a href="http://people.redhat.com/anderson/">http://people.redhat.com/anderson/</a></span></dt><dd><div class="para">
							The <span class="application"><strong>crash</strong></span> utility homepage.
						</div></dd></dl></div></div></div></div></div><div class="part" id="pt-security"><div class="titlepage"><div><div><h1 class="title">Part VII. Security And Authentication</h1></div></div></div><div class="partintro" id="id606862"><div></div><div class="para">
				Whether system administrators need to secure their mission-critical systems, services, or data, Red Hat Enterprise Linux provides a range of tools and methods to serve as part of a comprehensive security strategy.
			</div><div class="para">
				This chapter provides a general introduction to security, and from the perspective of Red Hat Enterprise Linux in particular. It provides conceptual information in the areas of security assessment, common exploits, and intrusion and incident response. It also provides conceptual and specific configuration information on how to use SELinux to harden Workstation, Server, VPN, firewall and other implementations.
			</div><div class="para">
				This chapter assumes a basic knowledge of IT security, and consequently provides only minimal coverage of common security practices such as controlling physical access, sound account-keeping policies and procedures, auditing, etc. Where appropriate, reference is made to external resources for this and related information.
			</div><div class="toc"><p><strong>Table of Contents</strong></p><dl><dt><span class="chapter"><a href="#ch-sgs-ov">45. Security Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#ch-sgs-intro">45.1. Introduction to Security</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-sgs-ov-cs">45.1.1. What is Computer Security?</a></span></dt><dt><span class="section"><a href="#s1-sgs-ov-controls">45.1.2. Security Controls</a></span></dt><dt><span class="section"><a href="#s1-sgs-ov-concl">45.1.3. Conclusion</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-sec-access">45.2. Vulnerability Assessment</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-vuln-think">45.2.1. Thinking Like the Enemy</a></span></dt><dt><span class="section"><a href="#s1-vuln-defn">45.2.2. Defining Assessment and Testing</a></span></dt><dt><span class="section"><a href="#s1-vuln-tools">45.2.3. Evaluating the Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-risk">45.3. Attackers and Vulnerabilities</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-risk-hackcrack">45.3.1. A Quick History of Hackers</a></span></dt><dt><span class="section"><a href="#s1-risk-net">45.3.2. Threats to Network Security</a></span></dt><dt><span class="section"><a href="#s1-risk-serv">45.3.3. Threats to Server Security</a></span></dt><dt><span class="section"><a href="#s1-risk-wspc">45.3.4. Threats to Workstation and Home PC Security</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-exploits">45.4. Common Exploits and Attacks</a></span></dt><dt><span class="section"><a href="#ch-security-updates">45.5. Security Updates</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-security-updates">45.5.1. Updating Packages</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#ch-sec-network">46. Securing Your Network</a></span></dt><dd><dl><dt><span class="section"><a href="#ch-wstation">46.1. Workstation Security</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-wstation-eval">46.1.1. Evaluating Workstation Security</a></span></dt><dt><span class="section"><a href="#s1-wstation-boot-sec">46.1.2. BIOS and Boot Loader Security</a></span></dt><dt><span class="section"><a href="#s1-wstation-pass">46.1.3. Password Security</a></span></dt><dt><span class="section"><a href="#s1-wstation-privileges">46.1.4. Administrative Controls</a></span></dt><dt><span class="section"><a href="#s1-wstation-service">46.1.5. Available Network Services</a></span></dt><dt><span class="section"><a href="#s1-wstation-firewall">46.1.6. Personal Firewalls</a></span></dt><dt><span class="section"><a href="#s1-wstation-sec-tools">46.1.7. Security Enhanced Communication Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-server">46.2. Server Security</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-server-tcpw-xinetd">46.2.1. Securing Services With TCP Wrappers and xinetd</a></span></dt><dt><span class="section"><a href="#s1-server-port">46.2.2. Securing Portmap</a></span></dt><dt><span class="section"><a href="#s1-server-nis">46.2.3. Securing NIS</a></span></dt><dt><span class="section"><a href="#s1-server-nfs">46.2.4. Securing NFS</a></span></dt><dt><span class="section"><a href="#s1-server-http">46.2.5. Securing the Apache HTTP Server</a></span></dt><dt><span class="section"><a href="#s1-server-ftp">46.2.6. Securing FTP</a></span></dt><dt><span class="section"><a href="#s1-server-mail">46.2.7. Securing Sendmail</a></span></dt><dt><span class="section"><a href="#s1-server-ports">46.2.8. Verifying Which Ports Are Listening</a></span></dt></dl></dd><dt><span class="section"><a href="#sso-ov">46.3. Single Sign-on (SSO)</a></span></dt><dd><dl><dt><span class="section"><a href="#sso-intro">46.3.1. Introduction</a></span></dt><dt><span class="section"><a href="#sso-sc-config">46.3.2. Getting Started with your new Smart Card</a></span></dt><dt><span class="section"><a href="#sso-sc-enrol-concept">46.3.3. How Smart Card Enrollment Works</a></span></dt><dt><span class="section"><a href="#sso-sc-login-concept">46.3.4. How Smart Card Login Works</a></span></dt><dt><span class="section"><a href="#sso-config-firefox">46.3.5. Configuring Firefox to use Kerberos for SSO</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-pam">46.4. Pluggable Authentication Modules (PAM)</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-pam-advantages">46.4.1. Advantages of PAM</a></span></dt><dt><span class="section"><a href="#s1-pam-config-files">46.4.2. PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-pam-format">46.4.3. PAM Configuration File Format</a></span></dt><dt><span class="section"><a href="#s1-pam-sample-simple">46.4.4. Sample PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-pam-modules-add">46.4.5. Creating PAM Modules</a></span></dt><dt><span class="section"><a href="#s1-pam-timestamp">46.4.6. PAM and Administrative Credential Caching</a></span></dt><dt><span class="section"><a href="#s1-pam-console">46.4.7. PAM and Device Ownership</a></span></dt><dt><span class="section"><a href="#s1-pam-additional-resources">46.4.8. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-tcpwrappers">46.5. TCP Wrappers and xinetd</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-tcpwrappers-purpose">46.5.1. TCP Wrappers</a></span></dt><dt><span class="section"><a href="#s1-tcpwrappers-access">46.5.2. TCP Wrappers Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-tcpwrappers-xinetd">46.5.3. xinetd</a></span></dt><dt><span class="section"><a href="#s1-tcpwrappers-xinetd-config">46.5.4. xinetd Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-tcpwrappers-additional-resources">46.5.5. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-kerberos">46.6. Kerberos</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-kerberos-definition">46.6.1. What is Kerberos?</a></span></dt><dt><span class="section"><a href="#s1-kerberos-terminology">46.6.2. Kerberos Terminology</a></span></dt><dt><span class="section"><a href="#s1-kerberos-works">46.6.3. How Kerberos Works</a></span></dt><dt><span class="section"><a href="#s1-kerberos-pam">46.6.4. Kerberos and PAM</a></span></dt><dt><span class="section"><a href="#s1-kerberos-server">46.6.5. Configuring a Kerberos 5 Server</a></span></dt><dt><span class="section"><a href="#s1-kerberos-clients">46.6.6. Configuring a Kerberos 5 Client</a></span></dt><dt><span class="section"><a href="#sec-kerberos-client2">46.6.7. Domain-to-Realm Mapping</a></span></dt><dt><span class="section"><a href="#sec-kerberos-server2">46.6.8. Setting Up Secondary KDCs</a></span></dt><dt><span class="section"><a href="#sec-kerberos-crossrealm">46.6.9. Setting Up Cross Realm Authentication</a></span></dt><dt><span class="section"><a href="#sec-kerberos-additional-resources">46.6.10. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-vpn">46.7. Virtual Private Networks (VPNs)</a></span></dt><dd><dl><dt><span class="section"><a href="#vpn-how-it-works">46.7.1. How Does a VPN Work?</a></span></dt><dt><span class="section"><a href="#s1-vpn-rhl">46.7.2. VPNs and Red Hat Enterprise Linux</a></span></dt><dt><span class="section"><a href="#s1-vpn-ipsec">46.7.3. IPsec</a></span></dt><dt><span class="section"><a href="#vpn-create-ipsec-connection">46.7.4. Creating an <abbr class="abbrev">IPsec</abbr> Connection</a></span></dt><dt><span class="section"><a href="#s1-ipsec-generalconf">46.7.5. IPsec Installation</a></span></dt><dt><span class="section"><a href="#s1-ipsec-host2host">46.7.6. IPsec Host-to-Host Configuration</a></span></dt><dt><span class="section"><a href="#s1-ipsec-net2net">46.7.7. IPsec Network-to-Network Configuration</a></span></dt><dt><span class="section"><a href="#s1-network-config-ipsec-start">46.7.8. Starting and Stopping an <abbr class="abbrev">IPsec</abbr> Connection</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-fw">46.8. Firewalls</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-firewall-ipt">46.8.1. Netfilter and IPTables</a></span></dt><dt><span class="section"><a href="#s1-basic-firewall">46.8.2. Basic Firewall Configuration</a></span></dt><dt><span class="section"><a href="#s1-fireall-ipt-act">46.8.3. Using IPTables</a></span></dt><dt><span class="section"><a href="#s1-firewall-ipt-basic">46.8.4. Common IPTables Filtering</a></span></dt><dt><span class="section"><a href="#s1-firewall-ipt-fwd">46.8.5. <code class="computeroutput">FORWARD</code> and <acronym class="acronym">NAT</acronym> Rules</a></span></dt><dt><span class="section"><a href="#s1-firewall-ipt-rule">46.8.6. Malicious Software and Spoofed IP Addresses</a></span></dt><dt><span class="section"><a href="#s1-firewall-state">46.8.7. IPTables and Connection Tracking</a></span></dt><dt><span class="section"><a href="#s1-firewall-ip6t">46.8.8. IPv6</a></span></dt><dt><span class="section"><a href="#s1-firewall-moreinfo">46.8.9. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-iptables">46.9. IPTables</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-iptables-packetfiltering">46.9.1. Packet Filtering</a></span></dt><dt><span class="section"><a href="#s1-iptables-differences">46.9.2. Differences Between IPTables and IPChains</a></span></dt><dt><span class="section"><a href="#s1-iptables-options">46.9.3. Command Options for IPTables</a></span></dt><dt><span class="section"><a href="#s1-iptables-saving">46.9.4. Saving IPTables Rules</a></span></dt><dt><span class="section"><a href="#s1-iptables-init">46.9.5. IPTables Control Scripts</a></span></dt><dt><span class="section"><a href="#s1-ip6tables">46.9.6. IPTables and IPv6</a></span></dt><dt><span class="section"><a href="#s1-iptables-additional-resources">46.9.7. Additional Resources</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#selg-overview">47. Security and SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-acm-ov">47.1. Access Control Mechanisms (ACMs)</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-dac-intro1">47.1.1. Discretionary Access Control (DAC)</a></span></dt><dt><span class="section"><a href="#sec-acl-intro1">47.1.2. Access Control Lists (ACLs)</a></span></dt><dt><span class="section"><a href="#sec-mac-intro1">47.1.3. Mandatory Access Control (MAC)</a></span></dt><dt><span class="section"><a href="#sec-rbac-intro1">47.1.4. Role-based Access Control (RBAC)</a></span></dt><dt><span class="section"><a href="#sec-mls-intro1">47.1.5. Multi-Level Security (MLS)</a></span></dt><dt><span class="section"><a href="#sec-mcs-intro1">47.1.6. Multi-Category Security (MCS)</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-selinux">47.2. Introduction to SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-SELinux-overview">47.2.1. SELinux Overview</a></span></dt><dt><span class="section"><a href="#s1-SELinux-files">47.2.2. Files Related to SELinux</a></span></dt><dt><span class="section"><a href="#s1-SELinux-resources">47.2.3. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#rhlcommon-appendix-0005">47.3. Brief Background and History of SELinux</a></span></dt><dt><span class="section"><a href="#sec-mcs-ov">47.4. Multi-Category Security (MCS)</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-mcs-intro">47.4.1. Introduction</a></span></dt><dt><span class="section"><a href="#sec-mcs-apps">47.4.2. Applications for Multi-Category Security</a></span></dt><dt><span class="section"><a href="#sec-selinux-security-contexts">47.4.3. SELinux Security Contexts</a></span></dt></dl></dd><dt><span class="section"><a href="#sec-mcs-getstarted">47.5. Getting Started with Multi-Category Security (MCS)</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-mcs-getstarted-intro">47.5.1. Introduction</a></span></dt><dt><span class="section"><a href="#sec-mcs-comp-userid">47.5.2. Comparing SELinux and Standard Linux User Identities</a></span></dt><dt><span class="section"><a href="#sec-mcs-config-categories">47.5.3. Configuring Categories</a></span></dt><dt><span class="section"><a href="#sec-mcs-assign-cat2users">47.5.4. Assigning Categories to Users</a></span></dt><dt><span class="section"><a href="#sec-mcs-assign-cat2files">47.5.5. Assigning Categories to Files</a></span></dt></dl></dd><dt><span class="section"><a href="#sec-mls-ov">47.6. Multi-Level Security (MLS)</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-mls-multilevel">47.6.1. Why Multi-Level?</a></span></dt><dt><span class="section"><a href="#sec-mls-seclevels">47.6.2. Security Levels, Objects and Subjects</a></span></dt><dt><span class="section"><a href="#sec-mls-policy">47.6.3. MLS Policy</a></span></dt><dt><span class="section"><a href="#sec-mls-lspp-cert">47.6.4. LSPP Certification</a></span></dt></dl></dd><dt><span class="section"><a href="#rhlcommon-chapter-0001">47.7. SELinux Policy Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#rhlcommon-section-0056">47.7.1. What is the SELinux Policy?</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0091">47.7.2. Where is the Policy?</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0016">47.7.3. The Role of Policy in the Boot Process</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0049">47.7.4. Object Classes and Permissions</a></span></dt></dl></dd><dt><span class="section"><a href="#sec-sel-policy-targeted-oview">47.8. Targeted Policy Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#rhlcommon-section-0003">47.8.1. What is the Targeted Policy?</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0010">47.8.2. Files and Directories of the Targeted Policy</a></span></dt><dt><span class="section"><a href="#sec-selinux-policy-targeted-rolesandusers">47.8.3. Understanding the Users and Roles in the Targeted Policy</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#rhlcommon-chapter-0017">48. Working With SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-sel-usercontrol">48.1. End User Control of SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-selinux-files-moving">48.1.1. Moving and Copying Files</a></span></dt><dt><span class="section"><a href="#sec-sel-context-checking-processanduser">48.1.2. Checking the Security Context of a Process, User, or File Object</a></span></dt><dt><span class="section"><a href="#sec-sel-file-relabel">48.1.3. Relabeling a File or Directory</a></span></dt><dt><span class="section"><a href="#sec-sel-backup-maintain-context">48.1.4. Creating Archives That Retain Security Contexts</a></span></dt></dl></dd><dt><span class="section"><a href="#sec-sel-admincontrol">48.2. Administrator Control of SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-selinux-status-viewing">48.2.1. Viewing the Status of SELinux</a></span></dt><dt><span class="section"><a href="#sec-sel-fsrelabel">48.2.2. Relabeling a File System</a></span></dt><dt><span class="section"><a href="#id1104143">48.2.3. Managing NFS Home Directories</a></span></dt><dt><span class="section"><a href="#sec-sel-grant-dir-access">48.2.4. Granting Access to a Directory or a Tree</a></span></dt><dt><span class="section"><a href="#sec-sel-backup-restore-system">48.2.5. Backing Up and Restoring the System</a></span></dt><dt><span class="section"><a href="#sec-sel-enable-disable-enforcement">48.2.6. Enabling or Disabling Enforcement</a></span></dt><dt><span class="section"><a href="#sec-sel-enable-disable">48.2.7. Enable or Disable SELinux</a></span></dt><dt><span class="section"><a href="#sec-sel-policy-changing">48.2.8. Changing the Policy</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0097">48.2.9. Specifying the Security Context of Entire File Systems</a></span></dt><dt><span class="section"><a href="#sec-sel-category-changing">48.2.10. Changing the Security Category of a File or User</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0085">48.2.11. Running a Command in a Specific Security Context</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0086">48.2.12. Useful Commands for Scripts</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0087">48.2.13. Changing to a Different Role</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0088">48.2.14. When to Reboot</a></span></dt></dl></dd><dt><span class="section"><a href="#sec-sel-analystcontrol">48.3. Analyst Control of SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#rhlcommon-section-0081">48.3.1. Enabling Kernel Auditing</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0092">48.3.2. Dumping and Viewing Logs</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#sec-sel-policy-customizing">49. Customizing SELinux Policy</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-sel-policy-customizing-intro">49.1. Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-sel-policy-customizing-modpolicy">49.1.1. Modular Policy</a></span></dt></dl></dd><dt><span class="section"><a href="#sec-sel-building-policy-module">49.2. Building a Local Policy Module</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-sel-use-audit2allow">49.2.1. Using audit2allow to Build a Local Policy Module</a></span></dt><dt><span class="section"><a href="#sec-sel-analyze-te">49.2.2. Analyzing the Type Enforcement (TE) File</a></span></dt><dt><span class="section"><a href="#sec-sel-load-policy-package">49.2.3. Loading the Policy Package</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#selg-chapter-0054">50. References</a></span></dt></dl></div></div><div xml:lang="en-US" class="chapter" id="ch-sgs-ov" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 45. Security Overview</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#ch-sgs-intro">45.1. Introduction to Security</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-sgs-ov-cs">45.1.1. What is Computer Security?</a></span></dt><dt><span class="section"><a href="#s1-sgs-ov-controls">45.1.2. Security Controls</a></span></dt><dt><span class="section"><a href="#s1-sgs-ov-concl">45.1.3. Conclusion</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-sec-access">45.2. Vulnerability Assessment</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-vuln-think">45.2.1. Thinking Like the Enemy</a></span></dt><dt><span class="section"><a href="#s1-vuln-defn">45.2.2. Defining Assessment and Testing</a></span></dt><dt><span class="section"><a href="#s1-vuln-tools">45.2.3. Evaluating the Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-risk">45.3. Attackers and Vulnerabilities</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-risk-hackcrack">45.3.1. A Quick History of Hackers</a></span></dt><dt><span class="section"><a href="#s1-risk-net">45.3.2. Threats to Network Security</a></span></dt><dt><span class="section"><a href="#s1-risk-serv">45.3.3. Threats to Server Security</a></span></dt><dt><span class="section"><a href="#s1-risk-wspc">45.3.4. Threats to Workstation and Home PC Security</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-exploits">45.4. Common Exploits and Attacks</a></span></dt><dt><span class="section"><a href="#ch-security-updates">45.5. Security Updates</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-security-updates">45.5.1. Updating Packages</a></span></dt></dl></dd></dl></div><a id="id1025299" class="indexterm"></a><a id="id1025291" class="indexterm"></a><div class="para">
		Because of the increased reliance on powerful, networked computers to help run businesses and keep track of our personal information, industries have been formed around the practice of network and computer security. Enterprises have solicited the knowledge and skills of security experts to properly audit systems and tailor solutions to fit the operating requirements of the organization. Because most organizations are dynamic in nature, with workers accessing company IT resources locally and remotely, the need for secure computing environments has become more pronounced.
	</div><div class="para">
		Unfortunately, most organizations (as well as individual users) regard security as an afterthought, a process that is overlooked in favor of increased power, productivity, and budgetary concerns. Proper security implementation is often enacted <em class="firstterm">postmortem</em> — after an unauthorized intrusion has already occurred. Security experts agree that the right measures taken prior to connecting a site to an untrusted network, such as the Internet, is an effective means of thwarting most attempts at intrusion.
	</div><div xml:lang="en-US" class="section" id="ch-sgs-intro" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="ch-sgs-intro">45.1. Introduction to Security</h2></div></div></div><a id="id1025253" class="indexterm"></a><a id="id1025249" class="indexterm"></a><div class="section" id="s1-sgs-ov-cs"><div class="titlepage"><div><div><h3 class="title" id="s1-sgs-ov-cs">45.1.1. What is Computer Security?</h3></div></div></div><a id="id1025213" class="indexterm"></a><div class="para">
			Computer security is a general term that covers a wide area of computing and information processing. Industries that depend on computer systems and networks to conduct daily business transactions and access crucial information regard their data as an important part of their overall assets. Several terms and metrics have entered our daily business vocabulary, such as total cost of ownership (TCO) and quality of service (QoS). In these metrics, industries calculate aspects such as data integrity and high-availability as part of their planning and process management costs. In some industries, such as electronic commerce, the availability and trustworthiness of data can be the difference between success and failure.
		</div><div class="section" id="s2-sgs-ov-cs-how"><div class="titlepage"><div><div><h4 class="title" id="s2-sgs-ov-cs-how">45.1.1.1. How did Computer Security Come about?</h4></div></div></div><a id="id1025204" class="indexterm"></a><div class="para">
				Information security has evolved over the years due to the increasing reliance on public networks not to disclose personal, financial, and other restricted information. There are numerous instances such as the Mitnick and the Vladimir Levin cases  that prompted organizations across all industries to rethink the way they handle information transmission and disclosure. The popularity of the Internet was one of the most important developments that prompted an intensified effort in data security.
			</div><div class="para">
				An ever-growing number of people are using their personal computers to gain access to the resources that the Internet has to offer. From research and information retrieval to electronic mail and commerce transaction, the Internet has been regarded as one of the most important developments of the 20th century.
			</div><div class="para">
				The Internet and its earlier protocols, however, were developed as a <em class="firstterm">trust-based</em> system. That is, the Internet Protocol was not designed to be secure in itself. There are no approved security standards built into the TCP/IP communications stack, leaving it open to potentially malicious users and processes across the network. Modern developments have made Internet communication more secure, but there are still several incidents that gain national attention and alert us to the fact that nothing is completely safe.
			</div></div><div class="section" id="s2-sgs-ov-cs-ex"><div class="titlepage"><div><div><h4 class="title" id="s2-sgs-ov-cs-ex">45.1.1.2. Security Today</h4></div></div></div><a id="id1025161" class="indexterm"></a><a id="id1025145" class="indexterm"></a><a id="id1025132" class="indexterm"></a><a id="id1025115" class="indexterm"></a><div class="para">
				In February of 2000, a Distributed Denial of Service (DDoS) attack was unleashed on several of the most heavily-trafficked sites on the Internet. The attack rendered yahoo.com, cnn.com, amazon.com, fbi.gov, and several other sites completely unreachable to normal users, as it tied up routers for several hours with large-byte ICMP packet transfers, also called a <em class="firstterm">ping flood</em>. The attack was brought on by unknown assailants using specially created, widely available programs that scanned vulnerable network servers, installed client applications called <em class="firstterm">Trojans</em> on the servers, and timed an attack with every infected server flooding the victim sites and rendering them unavailable. Many blame the attack on fundamental flaws in the way routers and the protocols used are structured to accept all incoming data, no matter where or for what purpose the packets are sent.
			</div><div class="para">
				Currently, an estimated 945 million people use or have used the Internet worldwide (Computer Industry Almanac, 2004). At the same time:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						On any given day, there are approximately 225 major incidences of security breach reported to the CERT Coordination Center at Carnegie Mellon University.<sup>[<a id="id1025076" href="#ftn.id1025076" class="footnote">10</a>]</sup>
					</div></li><li class="listitem"><div class="para">
						In 2003, the number of CERT reported incidences jumped to 137,529 from 82,094 in 2002 and from 52,658 in 2001.<sup>[<a id="id1025048" href="#ftn.id1025048" class="footnote">11</a>]</sup>
					</div></li><li class="listitem"><div class="para">
						The worldwide economic impact of the three most dangerous Internet Viruses of the last three years was estimated at US$13.2 Billion.<sup>[<a id="id1025003" href="#ftn.id1025003" class="footnote">12</a>]</sup>
					</div></li></ul></div><div class="para">
				Computer security has become a quantifiable and justifiable expense for all IT budgets. Organizations that require data integrity and high availability elicit the skills of system administrators, developers, and engineers to ensure 24x7 reliability of their systems, services, and information. Falling victim to malicious users, processes, or coordinated attacks is a direct threat to the success of the organization.
			</div><div class="para">
				Unfortunately, system and network security can be a difficult proposition, requiring an intricate knowledge of how an organization regards, uses, manipulates, and transmits its information. Understanding the way an organization (and the people that make up the organization) conducts business is paramount to implementing a proper security plan.
			</div></div><div class="section" id="s2-sgs-ov-cia"><div class="titlepage"><div><div><h4 class="title" id="s2-sgs-ov-cia">45.1.1.3. Standardizing Security</h4></div></div></div><div class="para">
				Enterprises in every industry rely on regulations and rules that are set by standards making bodies such as the American Medical Association (AMA) or the Institute of Electrical and Electronics Engineers (IEEE). The same ideals hold true for information security. Many security consultants and vendors agree upon the standard security model known as CIA, or <em class="firstterm">Confidentiality, Integrity, and Availability</em>. This three-tiered model is a generally accepted component to assessing risks of sensitive information and establishing security policy. The following describes the CIA model in further detail:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Confidentiality — Sensitive information must be available only to a set of pre-defined individuals. Unauthorized transmission and usage of information should be restricted. For example, confidentiality of information ensures that a customer's personal or financial information is not obtained by an unauthorized individual for malicious purposes such as identity theft or credit fraud.
					</div></li><li class="listitem"><div class="para">
						Integrity — Information should not be altered in ways that render it incomplete or incorrect. Unauthorized users should be restricted from the ability to modify or destroy sensitive information.
					</div></li><li class="listitem"><div class="para">
						Availability — Information should be accessible to authorized users any time that it is needed. Availability is a warranty that information can be obtained with an agreed-upon frequency and timeliness. This is often measured in terms of percentages and agreed to formally in Service Level Agreements (SLAs) used by network service providers and their enterprise clients.
					</div></li></ul></div></div></div><div class="section" id="s1-sgs-ov-controls"><div class="titlepage"><div><div><h3 class="title" id="s1-sgs-ov-controls">45.1.2. Security Controls</h3></div></div></div><a id="id1024926" class="indexterm"></a><a id="id1024906" class="indexterm"></a><div class="para">
			Computer security is often divided into three distinct master categories, commonly referred to as <em class="wordasword">controls</em>:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					Physical
				</div></li><li class="listitem"><div class="para">
					Technical
				</div></li><li class="listitem"><div class="para">
					Administrative
				</div></li></ul></div><div class="para">
			These three broad categories define the main objectives of proper security implementation. Within these controls are sub-categories that further detail the controls and how to implement them.
		</div><div class="section" id="s2-sgs-ov-ctrl-phys"><div class="titlepage"><div><div><h4 class="title" id="s2-sgs-ov-ctrl-phys">45.1.2.1. Physical Controls</h4></div></div></div><a id="id942263" class="indexterm"></a><div class="para">
				Physical control is the implementation of security measures in a defined structure used to deter or prevent unauthorized access to sensitive material. Examples of physical controls are:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Closed-circuit surveillance cameras
					</div></li><li class="listitem"><div class="para">
						Motion or thermal alarm systems
					</div></li><li class="listitem"><div class="para">
						Security guards
					</div></li><li class="listitem"><div class="para">
						Picture IDs
					</div></li><li class="listitem"><div class="para">
						Locked and dead-bolted steel doors
					</div></li><li class="listitem"><div class="para">
						Biometrics (includes fingerprint, voice, face, iris, handwriting, and other automated methods used to recognize individuals)
					</div></li></ul></div></div><div class="section" id="s2-sgs-ov-ctrl-tech"><div class="titlepage"><div><div><h4 class="title" id="s2-sgs-ov-ctrl-tech">45.1.2.2. Technical Controls</h4></div></div></div><a id="id942173" class="indexterm"></a><div class="para">
				Technical controls use technology as a basis for controlling the access and usage of sensitive data throughout a physical structure and over a network. Technical controls are far-reaching in scope and encompass such technologies as:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Encryption
					</div></li><li class="listitem"><div class="para">
						Smart cards
					</div></li><li class="listitem"><div class="para">
						Network authentication
					</div></li><li class="listitem"><div class="para">
						Access control lists (ACLs)
					</div></li><li class="listitem"><div class="para">
						File integrity auditing software
					</div></li></ul></div></div><div class="section" id="s2-sgs-ov-ctrl-admin"><div class="titlepage"><div><div><h4 class="title" id="s2-sgs-ov-ctrl-admin">45.1.2.3. Administrative Controls</h4></div></div></div><a id="id1011824" class="indexterm"></a><div class="para">
				Administrative controls define the human factors of security. It involves all levels of personnel within an organization and determines which users have access to what resources and information by such means as:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Training and awareness
					</div></li><li class="listitem"><div class="para">
						Disaster preparedness and recovery plans
					</div></li><li class="listitem"><div class="para">
						Personnel recruitment and separation strategies
					</div></li><li class="listitem"><div class="para">
						Personnel registration and accounting
					</div></li></ul></div></div></div><div class="section" id="s1-sgs-ov-concl"><div class="titlepage"><div><div><h3 class="title" id="s1-sgs-ov-concl">45.1.3. Conclusion</h3></div></div></div><a id="id1018634" class="indexterm"></a><div class="para">
			Now that you have learned about the origins, reasons, and aspects of security, you can determine the appropriate course of action with regard to Red Hat Enterprise Linux. It is important to know what factors and conditions make up security in order to plan and implement a proper strategy. With this information in mind, the process can be formalized and the path becomes clearer as you delve deeper into the specifics of the security process.
		</div></div></div><div xml:lang="en-US" class="section" id="ch-sec-access" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="ch-sec-access">45.2. Vulnerability Assessment</h2></div></div></div><a id="id1011781" class="indexterm"></a><div class="para">
		Given time, resources, and motivation, a cracker can break into nearly any system. At the end of the day, all of the security procedures and technologies currently available cannot guarantee that any systems are safe from intrusion. Routers help secure gateways to the Internet. Firewalls help secure the edge of the network. Virtual Private Networks safely pass data in an encrypted stream. Intrusion detection systems warn you of malicious activity. However, the success of each of these technologies is dependent upon a number of variables, including:
	</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
				The expertise of the staff responsible for configuring, monitoring, and maintaining the technologies.
			</div></li><li class="listitem"><div class="para">
				The ability to patch and update services and kernels quickly and efficiently.
			</div></li><li class="listitem"><div class="para">
				The ability of those responsible to keep constant vigilance over the network.
			</div></li></ul></div><div class="para">
		Given the dynamic state of data systems and technologies, securing corporate resources can be quite complex. Due to this complexity, it is often difficult to find expert resources for all of your systems. While it is possible to have personnel knowledgeable in many areas of information security at a high level, it is difficult to retain staff who are experts in more than a few subject areas. This is mainly because each subject area of information security requires constant attention and focus. Information security does not stand still.
	</div><div class="section" id="s1-vuln-think"><div class="titlepage"><div><div><h3 class="title" id="s1-vuln-think">45.2.1. Thinking Like the Enemy</h3></div></div></div><div class="para">
			Suppose that you administer an enterprise network. Such networks are commonly comprised of operating systems, applications, servers, network monitors, firewalls, intrusion detection systems, and more. Now imagine trying to keep current with each of these. Given the complexity of today's software and networking environments, exploits and bugs are a certainty. Keeping current with patches and updates for an entire network can prove to be a daunting task in a large organization with heterogeneous systems.
		</div><div class="para">
			Combine the expertise requirements with the task of keeping current, and it is inevitable that adverse incidents occur, systems are breached, data is corrupted, and service is interrupted.
		</div><div class="para">
			To augment security technologies and aid in protecting systems, networks, and data, you must think like a cracker and gauge the security of your systems by checking for weaknesses. Preventative vulnerability assessments against your own systems and network resources can reveal potential issues that can be addressed before a cracker exploits it.
		</div><div class="para">
			A vulnerability assessment is an internal audit of your network and system security; the results of which indicate the confidentiality, integrity, and availability of your network (as explained in <a class="xref" href="#s2-sgs-ov-cia">Section 45.1.1.3, “Standardizing Security”</a>). Typically, vulnerability assessment starts with a reconnaissance phase, during which important data regarding the target systems and resources is gathered. This phase leads to the system readiness phase, whereby the target is essentially checked for all known vulnerabilities. The readiness phase culminates in the reporting phase, where the findings are classified into categories of high, medium, and low risk; and methods for improving the security (or mitigating the risk of vulnerability) of the target are discussed.
		</div><div class="para">
			If you were to perform a vulnerability assessment of your home, you would likely check each door to your home to see if they are closed and locked. You would also check every window, making sure that they closed completely and latch correctly. This same concept applies to systems, networks, and electronic data. Malicious users are the thieves and vandals of your data. Focus on their tools, mentality, and motivations, and you can then react swiftly to their actions.
		</div></div><div class="section" id="s1-vuln-defn"><div class="titlepage"><div><div><h3 class="title" id="s1-vuln-defn">45.2.2. Defining Assessment and Testing</h3></div></div></div><a id="id1010071" class="indexterm"></a><a id="id1079554" class="indexterm"></a><div class="para">
			Vulnerability assessments may be broken down into one of two types: <em class="firstterm">Outside looking in</em> and <em class="firstterm">inside looking around</em>.
		</div><div class="para">
			When performing an outside looking in vulnerability assessment, you are attempting to compromise your systems from the outside. Being external to your company provides you with the cracker's viewpoint. You see what a cracker sees — publicly-routable IP addresses, systems on your <em class="firstterm">DMZ</em>, external interfaces of your firewall, and more. DMZ stands for "demilitarized zone", which corresponds to a computer or small subnetwork that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet. Typically, the DMZ contains devices accessible to Internet traffic, such as Web (HTTP ) servers, FTP servers, SMTP (e-mail) servers and DNS servers.
		</div><div class="para">
			When you perform an inside looking around vulnerability assessment, you are somewhat at an advantage since you are internal and your status is elevated to trusted. This is the viewpoint you and your co-workers have once logged on to your systems. You see print servers, file servers, databases, and other resources.
		</div><div class="para">
			There are striking distinctions between these two types of vulnerability assessments. Being internal to your company gives you elevated privileges more so than any outsider. Still today in most organizations, security is configured in such a manner as to keep intruders out. Very little is done to secure the internals of the organization (such as departmental firewalls, user-level access controls, authentication procedures for internal resources, and more). Typically, there are many more resources when looking around inside as most systems are internal to a company. Once you set yourself outside of the company, you immediately are given an untrusted status. The systems and resources available to you externally are usually very limited.
		</div><div class="para">
			Consider the difference between vulnerability assessments and <em class="firstterm">penetration tests</em>. Think of a vulnerability assessment as the first step to a penetration test. The information gleaned from the assessment is used for testing. Whereas, the assessment is checking for holes and potential vulnerabilities, the penetration testing actually attempts to exploit the findings.
		</div><div class="para">
			Assessing network infrastructure is a dynamic process. Security, both information and physical, is dynamic. Performing an assessment shows an overview, which can turn up false positives and false negatives.
		</div><div class="para">
			Security administrators are only as good as the tools they use and the knowledge they retain. Take any of the assessment tools currently available, run them against your system, and it is almost a guarantee that there are some false positives. Whether by program fault or user error, the result is the same. The tool may find vulnerabilities which in reality do not exist (false positive); or, even worse, the tool may not find vulnerabilities that actually do exist (false negative).
		</div><div class="para">
			Now that the difference between a vulnerability assessment and a penetration test is defined, take the findings of the assessment and review them carefully before conducting a penetration test as part of your new best practices approach.
		</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
				Attempting to exploit vulnerabilities on production resources can have adverse effects to the productivity and efficiency of your systems and network.
			</div></div></div><div class="para">
			The following list examines some of the benefits to performing vulnerability assessments.
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					Creates proactive focus on information security
				</div></li><li class="listitem"><div class="para">
					Finds potential exploits before crackers find them
				</div></li><li class="listitem"><div class="para">
					Results in systems being kept up to date and patched
				</div></li><li class="listitem"><div class="para">
					Promotes growth and aids in developing staff expertise
				</div></li><li class="listitem"><div class="para">
					Abates Financial loss and negative publicity
				</div></li></ul></div><div class="section" id="s2-vuln-defn-method"><div class="titlepage"><div><div><h4 class="title" id="s2-vuln-defn-method">45.2.2.1. Establishing a Methodology</h4></div></div></div><a id="id868046" class="indexterm"></a><div class="para">
				To aid in the selection of tools for a vulnerability assessment, it is helpful to establish a vulnerability assessment methodology. Unfortunately, there is no predefined or industry approved methodology at this time; however, common sense and best practices can act as a sufficient guide.
			</div><div class="para">
				<span class="emphasis"><em>What is the target? Are we looking at one server, or are we looking at our entire network and everything within the network? Are we external or internal to the company?</em></span> The answers to these questions are important as they help determine not only which tools to select but also the manner in which they are used.
			</div><div class="para">
				To learn more about establishing methodologies, refer to the following websites:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://www.isecom.org/projects/osstmm.htm">http://www.isecom.org/projects/osstmm.htm</a> <em class="citetitle">The Open Source Security Testing Methodology Manual</em> (OSSTMM)
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.owasp.org/">http://www.owasp.org/</a> <em class="citetitle">The Open Web Application Security Project</em>
					</div></li></ul></div></div></div><div class="section" id="s1-vuln-tools"><div class="titlepage"><div><div><h3 class="title" id="s1-vuln-tools">45.2.3. Evaluating the Tools</h3></div></div></div><div class="para">
			An assessment can start by using some form of an information gathering tool. When assessing the entire network, map the layout first to find the hosts that are running. Once located, examine each host individually. Focusing on these hosts requires another set of tools. Knowing which tools to use may be the most crucial step in finding vulnerabilities.
		</div><div class="para">
			Just as in any aspect of everyday life, there are many different tools that perform the same job. This concept applies to performing vulnerability assessments as well. There are tools specific to operating systems, applications, and even networks (based on the protocols used). Some tools are free; others are not. Some tools are intuitive and easy to use, while others are cryptic and poorly documented but have features that other tools do not.
		</div><div class="para">
			Finding the right tools may be a daunting task and in the end, experience counts. If possible, set up a test lab and try out as many tools as you can, noting the strengths and weaknesses of each. Review the README file or man page for the tool. Additionally, look to the Internet for more information, such as articles, step-by-step guides, or even mailing lists specific to a tool.
		</div><div class="para">
			The tools discussed below are just a small sampling of the available tools.
		</div><div class="section" id="s2-vuln-tools-net"><div class="titlepage"><div><div><h4 class="title" id="s2-vuln-tools-net">45.2.3.1. Scanning Hosts with Nmap</h4></div></div></div><a id="id1024886" class="indexterm"></a><a id="id1025250" class="indexterm"></a><div class="para">
				Nmap is a popular tool included in Red Hat Enterprise Linux that can be used to determine the layout of a network. Nmap has been available for many years and is probably the most often used tool when gathering information. An excellent man page is included that provides a detailed description of its options and usage. Administrators can use Nmap on a network to find host systems and open ports on those systems.
			</div><div class="para">
				Nmap is a competent first step in vulnerability assessment. You can map out all the hosts within your network and even pass an option that allows Nmap to attempt to identify the operating system running on a particular host. Nmap is a good foundation for establishing a policy of using secure services and stopping unused services.
			</div><div class="section" id="s3-vuln-tools-net-use"><div class="titlepage"><div><div><h5 class="title" id="s3-vuln-tools-net-use">45.2.3.1.1. Using Nmap</h5></div></div></div><a id="id941520" class="indexterm"></a><div class="para">
					Nmap can be run from a shell prompt by typing the <code class="command">nmap</code> command followed by the hostname or IP address of the machine to scan.
				</div><pre class="screen"><code class="command">nmap foo.example.com</code></pre><div class="para">
					The results of the scan (which could take up to a few minutes, depending on where the host is located) should look similar to the following:
				</div><pre class="screen">Starting nmap V. 3.50 ( www.insecure.org/nmap/ )
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1591 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
111/tcp    open        sunrpc
443/tcp    open        https
515/tcp    open        printer
950/tcp    open        oftep-rpc
6000/tcp   open        X11

Nmap run completed -- 1 IP address (1 host up) scanned in 71.825 seconds</pre><div class="para">
					Nmap tests the most common network communication ports for listening or waiting services. This knowledge can be helpful to an administrator who wants to close down unnecessary or unused services.
				</div><div class="para">
					For more information about using Nmap, refer to the official homepage at the following URL:
				</div><div class="para">
					<a href="http://www.insecure.org/">http://www.insecure.org/</a>
				</div></div></div><div class="section" id="s2-vuln-tools-nessus"><div class="titlepage"><div><div><h4 class="title" id="s2-vuln-tools-nessus">45.2.3.2. Nessus</h4></div></div></div><a id="id1008695" class="indexterm"></a><a id="id1010995" class="indexterm"></a><div class="para">
				Nessus is a full-service security scanner. The plug-in architecture of Nessus allows users to customize it for their systems and networks. As with any scanner, Nessus is only as good as the signature database it relies upon. Fortunately, Nessus is frequently updated and features full reporting, host scanning, and real-time vulnerability searches. Remember that there could be false positives and false negatives, even in a tool as powerful and as frequently updated as Nessus.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					Nessus is not included with Red Hat Enterprise Linux and is not supported. It has been included in this document as a reference to users who may be interested in using this popular application.
				</div></div></div><div class="para">
				For more information about Nessus, refer to the official website at the following URL:
			</div><div class="para">
				<a href="http://www.nessus.org/">http://www.nessus.org/</a>
			</div></div><div class="section" id="s2-vuln-tools-cgi"><div class="titlepage"><div><div><h4 class="title" id="s2-vuln-tools-cgi">45.2.3.3. Nikto</h4></div></div></div><a id="id1036102" class="indexterm"></a><a id="id1078469" class="indexterm"></a><div class="para">
				Nikto is an excellent common gateway interface (CGI) script scanner. Nikto not only checks for CGI vulnerabilities but does so in an evasive manner, so as to elude intrusion detection systems. It comes with thorough documentation which should be carefully reviewed prior to running the program. If you have Web servers serving up CGI scripts, Nikto can be an excellent resource for checking the security of these servers.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					Nikto is not included with Red Hat Enterprise Linux and is not supported. It has been included in this document as a reference to users who may be interested in using this popular application.
				</div></div></div><div class="para">
				More information about Nikto can be found at the following URL:
			</div><div class="para">
				<a href="http://www.cirt.net/code/nikto.shtml">http://www.cirt.net/code/nikto.shtml</a>
			</div></div><div class="section" id="s2-vuln-tools-vlad"><div class="titlepage"><div><div><h4 class="title" id="s2-vuln-tools-vlad">45.2.3.4. VLAD the Scanner</h4></div></div></div><a id="id1037831" class="indexterm"></a><a id="id1086578" class="indexterm"></a><div class="para">
				VLAD is a vulnerabilities scanner developed by the <acronym class="acronym">RAZOR</acronym> team at Bindview, Inc., which checks for the SANS Top Ten list of common security issues (SNMP issues, file sharing issues, etc.). While not as full-featured as Nessus, VLAD is worth investigating.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					VLAD is not included with Red Hat Enterprise Linux and is not supported. It has been included in this document as a reference to users who may be interested in using this popular application.
				</div></div></div><div class="para">
				More information about VLAD can be found on the RAZOR team website at the following URL:
			</div><div class="para">
				<a href="http://www.bindview.com/Support/Razor/Utilities/">http://www.bindview.com/Support/Razor/Utilities/</a>
			</div></div><div class="section" id="s2-vuln-tools-concept"><div class="titlepage"><div><div><h4 class="title" id="s2-vuln-tools-concept">45.2.3.5. Anticipating Your Future Needs</h4></div></div></div><div class="para">
				Depending upon your target and resources, there are many tools available. There are tools for wireless networks, Novell networks, Windows systems, Linux systems, and more. Another essential part of performing assessments may include reviewing physical security, personnel screening, or voice/PBX network assessment. New concepts, such as <em class="firstterm">war walking</em> scanning the perimeter of your enterprise's physical structures for wireless network vulnerabilities are some emerging concepts that you can investigate and, if needed, incorporate into your assessments. Imagination and exposure are the only limits of planning and conducting vulnerability assessments.
			</div></div></div></div><div xml:lang="en-US" class="section" id="ch-risk" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="ch-risk">45.3. Attackers and Vulnerabilities</h2></div></div></div><a id="id1037957" class="indexterm"></a><div class="para">
		To plan and implement a good security strategy, first be aware of some of the issues which determined, motivated attackers exploit to compromise systems. But before detailing these issues, the terminology used when identifying an attacker must be defined.
	</div><div class="section" id="s1-risk-hackcrack"><div class="titlepage"><div><div><h3 class="title" id="s1-risk-hackcrack">45.3.1. A Quick History of Hackers</h3></div></div></div><a id="id914945" class="indexterm"></a><a id="id1014832" class="indexterm"></a><div class="para">
			The modern meaning of the term <em class="firstterm">hacker</em> has origins dating back to the 1960s and the Massachusetts Institute of Technology (MIT) Tech Model Railroad Club, which designed train sets of large scale and intricate detail. Hacker was a name used for club members who discovered a clever trick or workaround for a problem.
		</div><div class="para">
			The term hacker has since come to describe everything from computer buffs to gifted programmers. A common trait among most hackers is a willingness to explore in detail how computer systems and networks function with little or no outside motivation. Open source software developers often consider themselves and their colleagues to be hackers, and use the word as a term of respect.
		</div><a id="id1078919" class="indexterm"></a><div class="para">
			Typically, hackers follow a form of the <em class="firstterm">hacker ethic</em> which dictates that the quest for information and expertise is essential, and that sharing this knowledge is the hackers duty to the community. During this quest for knowledge, some hackers enjoy the academic challenges of circumventing security controls on computer systems. For this reason, the press often uses the term hacker to describe those who illicitly access systems and networks with unscrupulous, malicious, or criminal intent. The more accurate term for this type of computer hacker is <em class="firstterm">cracker</em> — a term created by hackers in the mid-1980s to differentiate the two communities.
		</div><div class="section" id="s2-risk-whiteblack"><div class="titlepage"><div><div><h4 class="title" id="s2-risk-whiteblack">45.3.1.1. Shades of Gray</h4></div></div></div><a id="id944765" class="indexterm"></a><a id="id944779" class="indexterm"></a><a id="id912820" class="indexterm"></a><a id="id998218" class="indexterm"></a><a id="id998232" class="indexterm"></a><a id="id997294" class="indexterm"></a><a id="id996665" class="indexterm"></a><div class="para">
				Within the community of individuals who find and exploit vulnerabilities in systems and networks are several distinct groups. These groups are often described by the shade of hat that they "wear" when performing their security investigations and this shade is indicative of their intent.
			</div><div class="para">
				The <em class="firstterm">white hat hacker</em> is one who tests networks and systems to examine their performance and determine how vulnerable they are to intrusion. Usually, white hat hackers crack their own systems or the systems of a client who has specifically employed them for the purposes of security auditing. Academic researchers and professional security consultants are two examples of white hat hackers.
			</div><div class="para">
				A <em class="firstterm">black hat hacker</em> is synonymous with a cracker. In general, crackers are less focused on programming and the academic side of breaking into systems. They often rely on available cracking programs and exploit well known vulnerabilities in systems to uncover sensitive information for personal gain or to inflict damage on the target system or network.
			</div><div class="para">
				The <em class="firstterm">gray hat hacker</em>, on the other hand, has the skills and intent of a white hat hacker in most situations but uses his knowledge for less than noble purposes on occasion. A gray hat hacker can be thought of as a white hat hacker who wears a black hat at times to accomplish his own agenda.
			</div><div class="para">
				Gray hat hackers typically subscribe to another form of the hacker ethic, which says it is acceptable to break into systems as long as the hacker does not commit theft or breach confidentiality. Some would argue, however, that the act of breaking into a system is in itself unethical.
			</div><div class="para">
				Regardless of the intent of the intruder, it is important to know the weaknesses a cracker may likely attempt to exploit. The remainder of the chapter focuses on these issues.
			</div></div></div><div class="section" id="s1-risk-net"><div class="titlepage"><div><div><h3 class="title" id="s1-risk-net">45.3.2. Threats to Network Security</h3></div></div></div><a id="id1086189" class="indexterm"></a><div class="para">
			Bad practices when configuring the following aspects of a network can increase the risk of attack.
		</div><div class="section" id="s2-risk-net-arch"><div class="titlepage"><div><div><h4 class="title" id="s2-risk-net-arch">45.3.2.1. Insecure Architectures</h4></div></div></div><a id="id943895" class="indexterm"></a><div class="para">
				A misconfigured network is a primary entry point for unauthorized users. Leaving a trust-based, open local network vulnerable to the highly-insecure Internet is much like leaving a door ajar in a crime-ridden neighborhood — nothing may happen for an arbitrary amount of time, but <span class="emphasis"><em>eventually</em></span> someone exploits the opportunity.
			</div><div class="section" id="s3-risk-net-arch-hub"><div class="titlepage"><div><div><h5 class="title" id="s3-risk-net-arch-hub">45.3.2.1.1. Broadcast Networks</h5></div></div></div><div class="para">
					System administrators often fail to realize the importance of networking hardware in their security schemes. Simple hardware such as hubs and routers rely on the broadcast or non-switched principle; that is, whenever a node transmits data across the network to a recipient node, the hub or router sends a broadcast of the data packets until the recipient node receives and processes the data. This method is the most vulnerable to address resolution protocol (<em class="firstterm">arp</em>) or media access control (<em class="firstterm">MAC</em>) address spoofing by both outside intruders and unauthorized users on local hosts.
				</div></div><div class="section" id="s3-risk-net-arch-serv"><div class="titlepage"><div><div><h5 class="title" id="s3-risk-net-arch-serv">45.3.2.1.2. Centralized Servers</h5></div></div></div><div class="para">
					Another potential networking pitfall is the use of centralized computing. A common cost-cutting measure for many businesses is to consolidate all services to a single powerful machine. This can be convenient as it is easier to manage and costs considerably less than multiple-server configurations. However, a centralized server introduces a single point of failure on the network. If the central server is compromised, it may render the network completely useless or worse, prone to data manipulation or theft. In these situations, a central server becomes an open door which allows access to the entire network.
				</div></div></div></div><div class="section" id="s1-risk-serv"><div class="titlepage"><div><div><h3 class="title" id="s1-risk-serv">45.3.3. Threats to Server Security</h3></div></div></div><a id="id911643" class="indexterm"></a><div class="para">
			Server security is as important as network security because servers often hold a great deal of an organization's vital information. If a server is compromised, all of its contents may become available for the cracker to steal or manipulate at will. The following sections detail some of the main issues.
		</div><div class="section" id="s2-risk-serv-ports"><div class="titlepage"><div><div><h4 class="title" id="s2-risk-serv-ports">45.3.3.1. Unused Services and Open Ports</h4></div></div></div><a id="id938827" class="indexterm"></a><div class="para">
				A full installation of Red Hat Enterprise Linux contains 1000+ application and library packages. However, most server administrators do not opt to install every single package in the distribution, preferring instead to install a base installation of packages, including several server applications.
			</div><div class="para">
				A common occurrence among system administrators is to install the operating system without paying attention to what programs are actually being installed. This can be problematic because unneeded services may be installed, configured with the default settings, and possibly turned on. This can cause unwanted services, such as Telnet, DHCP, or DNS, to run on a server or workstation without the administrator realizing it, which in turn can cause unwanted traffic to the server, or even, a potential pathway into the system for crackers. Refer To <a class="xref" href="#ch-server">Section 46.2, “Server Security”</a> for information on closing ports and disabling unused services.
			</div></div><div class="section" id="s2-risk-serv-patch"><div class="titlepage"><div><div><h4 class="title" id="s2-risk-serv-patch">45.3.3.2. Unpatched Services</h4></div></div></div><a id="id950126" class="indexterm"></a><div class="para">
				Most server applications that are included in a default installation are solid, thoroughly tested pieces of software. Having been in use in production environments for many years, their code has been thoroughly refined and many of the bugs have been found and fixed.
			</div><div class="para">
				However, there is no such thing as perfect software and there is always room for further refinement. Moreover, newer software is often not as rigorously tested as one might expect, because of its recent arrival to production environments or because it may not be as popular as other server software.
			</div><div class="para">
				Developers and system administrators often find exploitable bugs in server applications and publish the information on bug tracking and security-related websites such as the Bugtraq mailing list (<a href="http://www.securityfocus.com">http://www.securityfocus.com</a>) or the Computer Emergency Response Team (CERT) website (<a href="http://www.cert.org">http://www.cert.org</a>). Although these mechanisms are an effective way of alerting the community to security vulnerabilities, it is up to system administrators to patch their systems promptly. This is particularly true because crackers have access to these same vulnerability tracking services and will use the information to crack unpatched systems whenever they can. Good system administration requires vigilance, constant bug tracking, and proper system maintenance to ensure a more secure computing environment.
			</div><div class="para">
				Refer to <a class="xref" href="#ch-security-updates">Section 45.5, “Security Updates”</a> for more information about keeping a system up-to-date.
			</div></div><div class="section" id="s2-risk-serv-lazyadmin"><div class="titlepage"><div><div><h4 class="title" id="s2-risk-serv-lazyadmin">45.3.3.3. Inattentive Administration</h4></div></div></div><a id="id1085964" class="indexterm"></a><div class="para">
				Administrators who fail to patch their systems are one of the greatest threats to server security. According to the <em class="firstterm">System Administration Network and Security Institute</em> (<em class="firstterm">SANS</em>), the primary cause of computer security vulnerability is to "assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job."<sup>[<a id="id986734" href="#ftn.id986734" class="footnote">13</a>]</sup> This applies as much to inexperienced administrators as it does to overconfident or amotivated administrators.
			</div><div class="para">
				Some administrators fail to patch their servers and workstations, while others fail to watch log messages from the system kernel or network traffic. Another common error is when default passwords or keys to services are left unchanged. For example, some databases have default administration passwords because the database developers assume that the system administrator changes these passwords immediately after installation. If a database administrator fails to change this password, even an inexperienced cracker can use a widely-known default password to gain administrative privileges to the database. These are only a few examples of how inattentive administration can lead to compromised servers.
			</div></div><div class="section" id="s2-risk-serv-insecure"><div class="titlepage"><div><div><h4 class="title" id="s2-risk-serv-insecure">45.3.3.4. Inherently Insecure Services</h4></div></div></div><a id="id946923" class="indexterm"></a><div class="para">
				Even the most vigilant organization can fall victim to vulnerabilities if the network services they choose are inherently insecure. For instance, there are many services developed under the assumption that they are used over trusted networks; however, this assumption fails as soon as the service becomes available over the Internet — which is itself inherently untrusted.
			</div><div class="para">
				One category of insecure network services are those that require unencrypted usernames and passwords for authentication. Telnet and FTP are two such services. If packet sniffing software is monitoring traffic between the remote user and such a service usernames and passwords can be easily intercepted.
			</div><div class="para">
				Inherently, such services can also more easily fall prey to what the security industry terms the <em class="firstterm">man-in-the-middle</em> attack. In this type of attack, a cracker redirects network traffic by tricking a cracked name server on the network to point to his machine instead of the intended server. Once someone opens a remote session to the server, the attacker's machine acts as an invisible conduit, sitting quietly between the remote service and the unsuspecting user capturing information. In this way a cracker can gather administrative passwords and raw data without the server or the user realizing it.
			</div><div class="para">
				Another category of insecure services include network file systems and information services such as NFS or NIS, which are developed explicitly for LAN usage but are, unfortunately, extended to include WANs (for remote users). NFS does not, by default, have any authentication or security mechanisms configured to prevent a cracker from mounting the NFS share and accessing anything contained therein. NIS, as well, has vital information that must be known by every computer on a network, including passwords and file permissions, within a plain text ASCII or DBM (ASCII-derived) database. A cracker who gains access to this database can then access every user account on a network, including the administrator's account.
			</div><div class="para">
				By default, Red Hat Enterprise Linux is released with all such services turned off. However, since administrators often find themselves forced to use these services, careful configuration is critical. Refer to <a class="xref" href="#ch-server">Section 46.2, “Server Security”</a> for more information about setting up services in a safe manner.
			</div></div></div><div class="section" id="s1-risk-wspc"><div class="titlepage"><div><div><h3 class="title" id="s1-risk-wspc">45.3.4. Threats to Workstation and Home PC Security</h3></div></div></div><a id="id1017497" class="indexterm"></a><div class="para">
			Workstations and home PCs may not be as prone to attack as networks or servers, but since they often contain sensitive data, such as credit card information, they are targeted by system crackers. Workstations can also be co-opted without the user's knowledge and used by attackers as "slave" machines in coordinated attacks. For these reasons, knowing the vulnerabilities of a workstation can save users the headache of reinstalling the operating system, or worse, recovering from data theft.
		</div><div class="section" id="s2-risk-wspc-psswd"><div class="titlepage"><div><div><h4 class="title" id="s2-risk-wspc-psswd">45.3.4.1. Bad Passwords</h4></div></div></div><a id="id891459" class="indexterm"></a><div class="para">
				Bad passwords are one of the easiest ways for an attacker to gain access to a system. For more on how to avoid common pitfalls when creating a password, refer to <a class="xref" href="#s1-wstation-pass">Section 46.1.3, “Password Security”</a>.
			</div></div><div class="section" id="s2-risk-wspc-apps"><div class="titlepage"><div><div><h4 class="title" id="s2-risk-wspc-apps">45.3.4.2. Vulnerable Client Applications</h4></div></div></div><a id="id1008708" class="indexterm"></a><div class="para">
				Although an administrator may have a fully secure and patched server, that does not mean remote users are secure when accessing it. For instance, if the server offers Telnet or FTP services over a public network, an attacker can capture the plain text usernames and passwords as they pass over the network, and then use the account information to access the remote user's workstation.
			</div><div class="para">
				Even when using secure protocols, such as SSH, a remote user may be vulnerable to certain attacks if they do not keep their client applications updated. For instance, v.1 SSH clients are vulnerable to an X-forwarding attack from malicious SSH servers. Once connected to the server, the attacker can quietly capture any keystrokes and mouse clicks made by the client over the network. This problem was fixed in the v.2 SSH protocol, but it is up to the user to keep track of what applications have such vulnerabilities and update them as necessary.
			</div><div class="para">
				<a class="xref" href="#ch-wstation">Section 46.1, “Workstation Security”</a> discusses in more detail what steps administrators and home users should take to limit the vulnerability of computer workstations.
			</div></div></div></div><div xml:lang="en-US" class="section" id="ch-exploits" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="ch-exploits">45.4. Common Exploits and Attacks</h2></div></div></div><a id="id1084630" class="indexterm"></a><a id="id1032147" class="indexterm"></a><div class="para">
		<a class="xref" href="#tb-exploits">Table 45.1, “Common Exploits”</a> details some of the most common exploits and entry points used by intruders to access organizational network resources. Key to these common exploits are the explanations of how they are performed and how administrators can properly safeguard their network against such attacks.
	</div><div class="table" id="tb-exploits"><h6>Table 45.1. Common Exploits</h6><div class="table-contents"><table summary="Common Exploits" border="1"><colgroup><col width="20%" class="Exploit" /><col width="40%" class="Description" /><col width="40%" class="Notes" /></colgroup><thead><tr><th>
						Exploit
					</th><th>
						Description
					</th><th>
						Notes
					</th></tr></thead><tbody><tr><td>
						Null or Default Passwords
					</td><td>
						Leaving administrative passwords blank or using a default password set by the product vendor. This is most common in hardware such as routers and firewalls, though some services that run on Linux can contain default administrator passwords (though Red Hat Enterprise Linux 5 does not ship with them).
					</td><td>
						<table border="0" summary="Simple list" class="simplelist"><tr><td> Commonly associated with networking hardware such as routers, firewalls, VPNs, and network attached storage (NAS) appliances. </td></tr><tr><td> Common in many legacy operating systems, especially OSes that bundle services (such as UNIX and Windows.) </td></tr><tr><td> Administrators sometimes create privileged user accounts in a rush and leave the password null, a perfect entry point for malicious users who discover the account. </td></tr></table>

</td></tr><tr><td>
						Default Shared Keys
					</td><td>
						Secure services sometimes package default security keys for development or evaluation testing purposes. If these keys are left unchanged and are placed in a production environment on the Internet, <span class="emphasis"><em>all</em></span> users with the same default keys have access to that shared-key resource, and any sensitive information that it contains.
					</td><td>
						<table border="0" summary="Simple list" class="simplelist"><tr><td> Most common in wireless access points and preconfigured secure server appliances. </td></tr></table>

</td></tr><tr><td>
						IP Spoofing
					</td><td>
						A remote machine acts as a node on your local network, finds vulnerabilities with your servers, and installs a backdoor program or Trojan horse to gain control over your network resources.
					</td><td>
						<table border="0" summary="Simple list" class="simplelist"><tr><td> Spoofing is quite difficult as it involves the attacker predicting TCP/IP SYN-ACK numbers to coordinate a connection to target systems, but several tools are available to assist crackers in performing such a vulnerability. </td></tr><tr><td> Depends on target system running services (such as <code class="command">rsh</code>, <code class="command">telnet</code>, FTP and others) that use <em class="firstterm">source-based</em> authentication techniques, which are not recommended when compared to PKI or other forms of encrypted authentication used in <code class="command">ssh</code> or SSL/TLS. </td></tr></table>

</td></tr><tr><td>
						Eavesdropping
					</td><td>
						Collecting data that passes between two active nodes on a network by eavesdropping on the connection between the two nodes.
					</td><td>
						<table border="0" summary="Simple list" class="simplelist"><tr><td> This type of attack works mostly with plain text transmission protocols such as Telnet, FTP, and HTTP transfers. </td></tr><tr><td> Remote attacker must have access to a compromised system on a LAN in order to perform such an attack; usually the cracker has used an active attack (such as IP spoofing or man-in-the-middle) to compromise a system on the LAN. </td></tr><tr><td> Preventative measures include services with cryptographic key exchange, one-time passwords, or encrypted authentication to prevent password snooping; strong encryption during transmission is also advised. </td></tr></table>

</td></tr><tr><td>
						Service Vulnerabilities
					</td><td>
						An attacker finds a flaw or loophole in a service run over the Internet; through this vulnerability, the attacker compromises the entire system and any data that it may hold, and could possibly compromise other systems on the network.
					</td><td>
						<table border="0" summary="Simple list" class="simplelist"><tr><td> HTTP-based services such as CGI are vulnerable to remote command execution and even interactive shell access. Even if the HTTP service runs as a non-privileged user such as "nobody", information such as configuration files and network maps can be read, or the attacker can start a denial of service attack which drains system resources or renders it unavailable to other users. </td></tr><tr><td> Services sometimes can have vulnerabilities that go unnoticed during development and testing; these vulnerabilities (such as <em class="firstterm">buffer overflows</em>, where attackers crash a service using arbitrary values that fill the memory buffer of an application, giving the attacker an interactive command prompt from which they may execute arbitrary commands) can give complete administrative control to an attacker. </td></tr><tr><td> Administrators should make sure that services do not run as the root user, and should stay vigilant of patches and errata updates for applications from vendors or security organizations such as CERT and CVE. </td></tr></table>

</td></tr><tr><td>
						Application Vulnerabilities
					</td><td>
						Attackers find faults in desktop and workstation applications (such as e-mail clients) and execute arbitrary code, implant Trojan horses for future compromise, or crash systems. Further exploitation can occur if the compromised workstation has administrative privileges on the rest of the network.
					</td><td>
						<table border="0" summary="Simple list" class="simplelist"><tr><td> Workstations and desktops are more prone to exploitation as workers do not have the expertise or experience to prevent or detect a compromise; it is imperative to inform individuals of the risks they are taking when they install unauthorized software or open unsolicited email attachments. </td></tr><tr><td> Safeguards can be implemented such that email client software does not automatically open or execute attachments. Additionally, the automatic update of workstation software via Red Hat Network or other system management services can alleviate the burdens of multi-seat security deployments. </td></tr></table>

</td></tr><tr><td>
						Denial of Service (DoS) Attacks
					</td><td>
						Attacker or group of attackers coordinate against an organization's network or server resources by sending unauthorized packets to the target host (either server, router, or workstation). This forces the resource to become unavailable to legitimate users.
					</td><td>
						<table border="0" summary="Simple list" class="simplelist"><tr><td> The most reported DoS case in the US occurred in 2000. Several highly-trafficked commercial and government sites were rendered unavailable by a coordinated ping flood attack using several compromised systems with high bandwidth connections acting as <em class="firstterm">zombies</em>, or redirected broadcast nodes. </td></tr><tr><td> Source packets are usually forged (as well as rebroadcasted), making investigation as to the true source of the attack difficult. </td></tr><tr><td> Advances in ingress filtering (IETF rfc2267) using <code class="command">iptables</code> and Network IDSes such as <code class="command">snort</code> assist administrators in tracking down and preventing distributed DoS attacks. </td></tr></table>

</td></tr></tbody></table></div></div><br class="table-break" /></div><div xml:lang="en-US" class="section" id="ch-security-updates" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="ch-security-updates">45.5. Security Updates</h2></div></div></div><a id="id1008682" class="indexterm"></a><a id="id1036447" class="indexterm"></a><div class="para">
		As security vulnerabilities are discovered, the affected software must be updated in order to limit any potential security risks. If the software is part of a package within a Red Hat Enterprise Linux distribution that is currently supported, Red Hat, Inc. is committed to releasing updated packages that fix the vulnerability as soon as possible. Often, announcements about a given security exploit are accompanied with a patch (or source code that fixes the problem). This patch is then applied to the Red Hat Enterprise Linux package, tested by the Red Hat quality assurance team, and released as an errata update. However, if an announcement does not include a patch, a Red Hat developer works with the maintainer of the software to fix the problem. Once the problem is fixed, the package is tested and released as an errata update.
	</div><div class="para">
		If an errata update is released for software used on your system, it is highly recommended that you update the effected packages as soon as possible to minimize the amount of time the system is potentially vulnerable.
	</div><div class="section" id="s1-security-updates"><div class="titlepage"><div><div><h3 class="title" id="s1-security-updates">45.5.1. Updating Packages</h3></div></div></div><div class="para">
			When updating software on a system, it is important to download the update from a trusted source. An attacker can easily rebuild a package with the same version number as the one that is supposed to fix the problem but with a different security exploit and release it on the Internet. If this happens, using security measures such as verifying files against the original RPM does not detect the exploit. Thus, it is very important to only download RPMs from trusted sources, such as from Red Hat, Inc. and check the signature of the package to verify its integrity.
		</div><div class="para">
			Red Hat offers two ways to find information on errata updates:
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					Listed and available for download on Red Hat Network
				</div></li><li class="listitem"><div class="para">
					Listed and unlinked on the Red Hat Errata website
				</div></li></ol></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				Beginning with the Red Hat Enterprise Linux product line, updated packages can be downloaded only from Red Hat Network. Although the Red Hat Errata website contains updated information, it does not contain the actual packages for download.
			</div></div></div><div class="section" id="s2-security-updates-rhn"><div class="titlepage"><div><div><h4 class="title" id="s2-security-updates-rhn">45.5.1.1. Using Automatic Updates with RHN Classic</h4></div></div></div><a id="id1012546" class="indexterm"></a><div class="warning"><div class="admonition_header"><h2>Warning: Deprecate Feature</h2></div><div class="admonition"><div class="para">
					Automatic system updates are only available using RHN Classic, which basis subscription consumption on access to content repository channels. RHN Classic is available as a convenience for customer environments with legacy systems which have not updated to Certificate-Based Red Hat Network.
				</div><div class="para">
					The update and content stream is different for Certificate-Based Red Hat Network, so automatic updates are not used.
				</div><div class="para">
					The new Certificate-Based Red Hat Network and the differences between Certificate-Based Red Hat Network and RHN Classic are described in <a class="xref" href="#entitlements">Chapter 14, <em>Product Subscriptions and Entitlements</em></a>.
				</div></div></div><div class="para">
				RHN Classic allows the majority of the update process to be automated. It determines which RPM packages are necessary for the system, downloads them from a secure repository, verifies the RPM signature to make sure they have not been tampered with, and updates them. The package install can occur immediately or can be scheduled during a certain time period.
			</div><div class="para">
				RHN Classic requires a <em class="firstterm">system profile</em> for each machine, which contains hardware and software information about the system. This information is kept confidential and is not given to anyone else. It is only used to determine which errata updates are applicable to each system, and, without it, RHN Classic can not determine whether a given system needs updates. When a security errata (or any type of errata) is released, RHN Classic sends an email with a description of the errata as well as a list of systems which are affected. To apply the update, use the <span class="application"><strong>Red Hat Update Agent</strong></span> or schedule the package to be updated through the RHN Classic Subscription Management area of the Customer Portal.
			</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					Before installing any security errata, be sure to read any special instructions contained in the errata report and execute them accordingly. Refer to <a class="xref" href="#s2-security-updates-applying">Section 45.5.1.5, “Applying the Changes”</a> for general instructions about applying the changes made by an errata update.
				</div></div></div></div><div class="section" id="s2-security-updates-website"><div class="titlepage"><div><div><h4 class="title" id="s2-security-updates-website">45.5.1.2. Using the Red Hat Errata Website</h4></div></div></div><a id="id913533" class="indexterm"></a><a id="id1016258" class="indexterm"></a><div class="para">
				When security errata reports are released, they are published on the Red Hat Errata website available at <a href="http://www.redhat.com/security/">http://www.redhat.com/security/</a>. From this page, select the product and version for your system, and then select <span class="guilabel"><strong>security</strong></span> at the top of the page to display only Red Hat Enterprise Linux Security Advisories. If the synopsis of one of the advisories describes a package used on your system, click on the synopsis for more details.
			</div><div class="para">
				The details page describes the security exploit and any special instructions that must be performed in addition to updating the package to fix the security hole.
			</div><div class="para">
				To download the updated package(s), click on the link to login to Red Hat Network, click the package name(s) and save to the hard drive. It is highly recommended that you create a new directory, such as <code class="filename">/tmp/updates</code>, and save all the downloaded packages to it.
			</div></div><div class="section" id="s2-security-updates-verify"><div class="titlepage"><div><div><h4 class="title" id="s2-security-updates-verify">45.5.1.3. Verifying Signed Packages</h4></div></div></div><a id="id949560" class="indexterm"></a><div class="para">
				All Red Hat Enterprise Linux packages are signed with the Red Hat, Inc. <em class="firstterm">GPG</em> key. GPG stands for GNU Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of distributed files. For example, a private key (secret key) held by Red Hat locks the package while the public key unlocks and verifies the package. If the public key distributed by Red Hat does not match the private key during RPM verification, the package may have been altered and therefore cannot be trusted.
			</div><div class="para">
				The RPM utility within Red Hat Enterprise Linux automatically tries to verify the GPG signature of an RPM package before installing it. If the Red Hat GPG key is not installed, install it from a secure, static location, such as an Red Hat Enterprise Linux installation CD-ROM.
			</div><div class="para">
				Assuming the CD-ROM is mounted in <code class="filename">/mnt/cdrom</code>, use the following command to import it into the <em class="firstterm">keyring</em> (a database of trusted keys on the system):
			</div><pre class="screen"><code class="command">rpm --import /mnt/cdrom/RPM-GPG-KEY-redhat-release</code></pre><div class="para">
				To display a list of all keys installed for RPM verification, execute the following command:
			</div><pre class="screen"><code class="command">rpm -qa gpg-pubkey*</code></pre><div class="para">
				For the Red Hat key, the output includes the following:
			</div><pre class="screen">gpg-pubkey-37017186-45761324</pre><div class="para">
				To display details about a specific key, use the <code class="command">rpm -qi</code> command followed by the output from the previous command, as in this example:
			</div><pre class="screen"><code class="command">rpm -qi gpg-pubkey-37017186-45761324</code></pre><div class="para">
				It is extremely important to verify the signature of the RPM files before installing them to ensure that they have not been altered from the Red Hat, Inc. release of the packages. To verify all the downloaded packages at once, issue the following command:
			</div><pre class="screen"><code class="command">rpm -K /tmp/updates/*.rpm</code></pre><div class="para">
				For each package, if the GPG key verifies successfully, the command returns <code class="computeroutput">gpg OK</code>. If it doesn't, make sure you are using the correct Red Hat public key, as well as verifying the source of the content. Packages that do not pass GPG verifications should not be installed, as they may have been altered by a third party.
			</div><div class="para">
				After verifying the GPG key and downloading all the packages associated with the errata report, install the packages as root at a shell prompt.
			</div></div><div class="section" id="s2-security-updates-installing"><div class="titlepage"><div><div><h4 class="title" id="s2-security-updates-installing">45.5.1.4. Installing Signed Packages</h4></div></div></div><a id="id1033555" class="indexterm"></a><div class="para">
				Installation for most packages can be done safely (except kernel packages) by issuing the following command:
			</div><pre class="screen"><code class="command">rpm -Uvh /tmp/updates/*.rpm</code></pre><div class="para">
				For kernel packages use the following command:
			</div><pre class="screen"><code class="command">rpm -ivh /tmp/updates/<em class="replaceable"><code>&lt;kernel-package&gt;</code></em></code></pre><div class="para">
				Replace <em class="replaceable"><code>&lt;kernel-package&gt;</code></em> in the previous example with the name of the kernel RPM.
			</div><div class="para">
				Once the machine has been safely rebooted using the new kernel, the old kernel may be removed using the following command:
			</div><pre class="screen"><code class="command">rpm -e <em class="replaceable"><code>&lt;old-kernel-package&gt;</code></em></code></pre><div class="para">
				Replace <em class="replaceable"><code>&lt;old-kernel-package&gt;</code></em> in the previous example with the name of the older kernel RPM.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					It is not a requirement that the old kernel be removed. The default boot loader, GRUB, allows for multiple kernels to be installed, then chosen from a menu at boot time.
				</div></div></div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					Before installing any security errata, be sure to read any special instructions contained in the errata report and execute them accordingly. Refer to <a class="xref" href="#s2-security-updates-applying">Section 45.5.1.5, “Applying the Changes”</a> for general instructions about applying the changes made by an errata update.
				</div></div></div></div><div class="section" id="s2-security-updates-applying"><div class="titlepage"><div><div><h4 class="title" id="s2-security-updates-applying">45.5.1.5. Applying the Changes</h4></div></div></div><a id="id911934" class="indexterm"></a><a id="id941429" class="indexterm"></a><div class="para">
				After downloading and installing security errata via Red Hat Network or the Red Hat errata website, it is important to halt usage of the older software and begin using the new software. How this is done depends on the type of software that has been updated. The following list itemizes the general categories of software and provides instructions for using the updated versions after a package upgrade.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					In general, rebooting the system is the surest way to ensure that the latest version of a software package is used; however, this option is not always available to the system administrator.
				</div></div></div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">Applications</span></dt><dd><div class="para">
							User-space applications are any programs that can be initiated by a system user. Typically, such applications are used only when a user, script, or automated task utility launches them and they do not persist for long periods of time.
						</div><div class="para">
							Once such a user-space application is updated, halt any instances of the application on the system and launch the program again to use the updated version.
						</div></dd><dt class="varlistentry"><span class="term">Kernel</span></dt><dd><div class="para">
							The kernel is the core software component for the Red Hat Enterprise Linux operating system. It manages access to memory, the processor, and peripherals as well as schedules all tasks.
						</div><div class="para">
							Because of its central role, the kernel cannot be restarted without also stopping the computer. Therefore, an updated version of the kernel cannot be used until the system is rebooted.
						</div></dd><dt class="varlistentry"><span class="term">Shared Libraries</span></dt><dd><div class="para">
							Shared libraries are units of code, such as <code class="filename">glibc</code>, which are used by a number of applications and services. Applications utilizing a shared library typically load the shared code when the application is initialized, so any applications using the updated library must be halted and relaunched.
						</div><div class="para">
							To determine which running applications link against a particular library, use the <code class="command">lsof</code> command as in the following example:
						</div><pre class="screen"><code class="command">lsof /usr/lib/libwrap.so*</code></pre><div class="para">
							This command returns a list of all the running programs which use TCP wrappers for host access control. Therefore, any program listed must be halted and relaunched if the <code class="filename">tcp_wrappers</code> package is updated.
						</div></dd><dt class="varlistentry"><span class="term">SysV Services</span></dt><dd><div class="para">
							SysV services are persistent server programs launched during the boot process. Examples of SysV services include <code class="command">sshd</code>, <code class="command">vsftpd</code>, and <code class="command">xinetd</code>.
						</div><div class="para">
							Because these programs usually persist in memory as long as the machine is booted, each updated SysV service must be halted and relaunched after the package is upgraded. This can be done using the <span class="application"><strong>Services Configuration Tool</strong></span> or by logging into a root shell prompt and issuing the <code class="command">/sbin/service</code> command as in the following example:
						</div><pre class="screen"><code class="command">service <em class="replaceable"><code>&lt;service-name&gt;</code></em> restart</code></pre><div class="para">
							In the previous example, replace <em class="replaceable"><code>&lt;service-name&gt;</code></em> with the name of the service, such as <code class="command">sshd</code>.
						</div><div class="para">
							Refer to <a class="xref" href="#ch-network-config">Chapter 16, <em>Network Configuration</em></a> for more information on the <span class="application"><strong>Services Configuration Tool</strong></span>.
						</div></dd><dt class="varlistentry"><span class="term"><code class="command">xinetd</code> Services</span></dt><dd><div class="para">
							Services controlled by the <code class="command">xinetd</code> super service only run when a there is an active connection. Examples of services controlled by <code class="command">xinetd</code> include Telnet, IMAP, and POP3.
						</div><div class="para">
							Because new instances of these services are launched by <code class="command">xinetd</code> each time a new request is received, connections that occur after an upgrade are handled by the updated software. However, if there are active connections at the time the <code class="command">xinetd</code> controlled service is upgraded, they are serviced by the older version of the software.
						</div><div class="para">
							To kill off older instances of a particular <code class="command">xinetd</code> controlled service, upgrade the package for the service then halt all processes currently running. To determine if the process is running, use the <code class="command">ps</code> command and then use the <code class="command">kill</code> or <code class="command">killall</code> command to halt current instances of the service.
						</div><div class="para">
							For example, if security errata <code class="filename">imap</code> packages are released, upgrade the packages, then type the following command as root into a shell prompt:
						</div><pre class="screen"><code class="command">ps -aux | grep imap</code></pre><div class="para">
							This command returns all active IMAP sessions. Individual sessions can then be terminated by issuing the following command:
						</div><pre class="screen"><code class="command">kill <em class="replaceable"><code>&lt;PID&gt;</code></em></code></pre><div class="para">
							If this fails to terminate the session, use the following command instead:
						</div><pre class="screen"><code class="command">kill -9 <em class="replaceable"><code>&lt;PID&gt;</code></em></code></pre><div class="para">
							In the previous examples, replace <em class="replaceable"><code>&lt;PID&gt;</code></em> with the process identification number (found in the second column of the <code class="command">ps</code> command) for an IMAP session.
						</div><div class="para">
							To kill all active IMAP sessions, issue the following command:
						</div><pre class="screen"><code class="command">killall imapd</code></pre></dd></dl></div></div></div></div><div class="footnotes"><br /><hr width="100" align="left" /><div class="footnote"><div class="para"><sup>[<a id="ftn.id1025076" href="#id1025076" class="para">10</a>] </sup>
							Source: <a href="http://www.cert.org">http://www.cert.org</a>
						</div></div><div class="footnote"><div class="para"><sup>[<a id="ftn.id1025048" href="#id1025048" class="para">11</a>] </sup>
							Source: <a href="http://www.cert.org/stats/">http://www.cert.org/stats/</a>
						</div></div><div class="footnote"><div class="para"><sup>[<a id="ftn.id1025003" href="#id1025003" class="para">12</a>] </sup>
							Source: <a href="http://www.newsfactor.com/perl/story/16407.html">http://www.newsfactor.com/perl/story/16407.html</a>
						</div></div><div class="footnote"><div class="para"><sup>[<a id="ftn.id986734" href="#id986734" class="para">13</a>] </sup>
					Source: <a href="http://www.sans.org/security-resources/mistakes.php">http://www.sans.org/security-resources/mistakes.php</a>
				</div></div></div></div><div xml:lang="en-US" class="chapter" id="ch-sec-network" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 46. Securing Your Network</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#ch-wstation">46.1. Workstation Security</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-wstation-eval">46.1.1. Evaluating Workstation Security</a></span></dt><dt><span class="section"><a href="#s1-wstation-boot-sec">46.1.2. BIOS and Boot Loader Security</a></span></dt><dt><span class="section"><a href="#s1-wstation-pass">46.1.3. Password Security</a></span></dt><dt><span class="section"><a href="#s1-wstation-privileges">46.1.4. Administrative Controls</a></span></dt><dt><span class="section"><a href="#s1-wstation-service">46.1.5. Available Network Services</a></span></dt><dt><span class="section"><a href="#s1-wstation-firewall">46.1.6. Personal Firewalls</a></span></dt><dt><span class="section"><a href="#s1-wstation-sec-tools">46.1.7. Security Enhanced Communication Tools</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-server">46.2. Server Security</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-server-tcpw-xinetd">46.2.1. Securing Services With TCP Wrappers and xinetd</a></span></dt><dt><span class="section"><a href="#s1-server-port">46.2.2. Securing Portmap</a></span></dt><dt><span class="section"><a href="#s1-server-nis">46.2.3. Securing NIS</a></span></dt><dt><span class="section"><a href="#s1-server-nfs">46.2.4. Securing NFS</a></span></dt><dt><span class="section"><a href="#s1-server-http">46.2.5. Securing the Apache HTTP Server</a></span></dt><dt><span class="section"><a href="#s1-server-ftp">46.2.6. Securing FTP</a></span></dt><dt><span class="section"><a href="#s1-server-mail">46.2.7. Securing Sendmail</a></span></dt><dt><span class="section"><a href="#s1-server-ports">46.2.8. Verifying Which Ports Are Listening</a></span></dt></dl></dd><dt><span class="section"><a href="#sso-ov">46.3. Single Sign-on (SSO)</a></span></dt><dd><dl><dt><span class="section"><a href="#sso-intro">46.3.1. Introduction</a></span></dt><dt><span class="section"><a href="#sso-sc-config">46.3.2. Getting Started with your new Smart Card</a></span></dt><dt><span class="section"><a href="#sso-sc-enrol-concept">46.3.3. How Smart Card Enrollment Works</a></span></dt><dt><span class="section"><a href="#sso-sc-login-concept">46.3.4. How Smart Card Login Works</a></span></dt><dt><span class="section"><a href="#sso-config-firefox">46.3.5. Configuring Firefox to use Kerberos for SSO</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-pam">46.4. Pluggable Authentication Modules (PAM)</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-pam-advantages">46.4.1. Advantages of PAM</a></span></dt><dt><span class="section"><a href="#s1-pam-config-files">46.4.2. PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-pam-format">46.4.3. PAM Configuration File Format</a></span></dt><dt><span class="section"><a href="#s1-pam-sample-simple">46.4.4. Sample PAM Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-pam-modules-add">46.4.5. Creating PAM Modules</a></span></dt><dt><span class="section"><a href="#s1-pam-timestamp">46.4.6. PAM and Administrative Credential Caching</a></span></dt><dt><span class="section"><a href="#s1-pam-console">46.4.7. PAM and Device Ownership</a></span></dt><dt><span class="section"><a href="#s1-pam-additional-resources">46.4.8. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-tcpwrappers">46.5. TCP Wrappers and xinetd</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-tcpwrappers-purpose">46.5.1. TCP Wrappers</a></span></dt><dt><span class="section"><a href="#s1-tcpwrappers-access">46.5.2. TCP Wrappers Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-tcpwrappers-xinetd">46.5.3. xinetd</a></span></dt><dt><span class="section"><a href="#s1-tcpwrappers-xinetd-config">46.5.4. xinetd Configuration Files</a></span></dt><dt><span class="section"><a href="#s1-tcpwrappers-additional-resources">46.5.5. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-kerberos">46.6. Kerberos</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-kerberos-definition">46.6.1. What is Kerberos?</a></span></dt><dt><span class="section"><a href="#s1-kerberos-terminology">46.6.2. Kerberos Terminology</a></span></dt><dt><span class="section"><a href="#s1-kerberos-works">46.6.3. How Kerberos Works</a></span></dt><dt><span class="section"><a href="#s1-kerberos-pam">46.6.4. Kerberos and PAM</a></span></dt><dt><span class="section"><a href="#s1-kerberos-server">46.6.5. Configuring a Kerberos 5 Server</a></span></dt><dt><span class="section"><a href="#s1-kerberos-clients">46.6.6. Configuring a Kerberos 5 Client</a></span></dt><dt><span class="section"><a href="#sec-kerberos-client2">46.6.7. Domain-to-Realm Mapping</a></span></dt><dt><span class="section"><a href="#sec-kerberos-server2">46.6.8. Setting Up Secondary KDCs</a></span></dt><dt><span class="section"><a href="#sec-kerberos-crossrealm">46.6.9. Setting Up Cross Realm Authentication</a></span></dt><dt><span class="section"><a href="#sec-kerberos-additional-resources">46.6.10. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-vpn">46.7. Virtual Private Networks (VPNs)</a></span></dt><dd><dl><dt><span class="section"><a href="#vpn-how-it-works">46.7.1. How Does a VPN Work?</a></span></dt><dt><span class="section"><a href="#s1-vpn-rhl">46.7.2. VPNs and Red Hat Enterprise Linux</a></span></dt><dt><span class="section"><a href="#s1-vpn-ipsec">46.7.3. IPsec</a></span></dt><dt><span class="section"><a href="#vpn-create-ipsec-connection">46.7.4. Creating an <abbr class="abbrev">IPsec</abbr> Connection</a></span></dt><dt><span class="section"><a href="#s1-ipsec-generalconf">46.7.5. IPsec Installation</a></span></dt><dt><span class="section"><a href="#s1-ipsec-host2host">46.7.6. IPsec Host-to-Host Configuration</a></span></dt><dt><span class="section"><a href="#s1-ipsec-net2net">46.7.7. IPsec Network-to-Network Configuration</a></span></dt><dt><span class="section"><a href="#s1-network-config-ipsec-start">46.7.8. Starting and Stopping an <abbr class="abbrev">IPsec</abbr> Connection</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-fw">46.8. Firewalls</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-firewall-ipt">46.8.1. Netfilter and IPTables</a></span></dt><dt><span class="section"><a href="#s1-basic-firewall">46.8.2. Basic Firewall Configuration</a></span></dt><dt><span class="section"><a href="#s1-fireall-ipt-act">46.8.3. Using IPTables</a></span></dt><dt><span class="section"><a href="#s1-firewall-ipt-basic">46.8.4. Common IPTables Filtering</a></span></dt><dt><span class="section"><a href="#s1-firewall-ipt-fwd">46.8.5. <code class="computeroutput">FORWARD</code> and <acronym class="acronym">NAT</acronym> Rules</a></span></dt><dt><span class="section"><a href="#s1-firewall-ipt-rule">46.8.6. Malicious Software and Spoofed IP Addresses</a></span></dt><dt><span class="section"><a href="#s1-firewall-state">46.8.7. IPTables and Connection Tracking</a></span></dt><dt><span class="section"><a href="#s1-firewall-ip6t">46.8.8. IPv6</a></span></dt><dt><span class="section"><a href="#s1-firewall-moreinfo">46.8.9. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-iptables">46.9. IPTables</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-iptables-packetfiltering">46.9.1. Packet Filtering</a></span></dt><dt><span class="section"><a href="#s1-iptables-differences">46.9.2. Differences Between IPTables and IPChains</a></span></dt><dt><span class="section"><a href="#s1-iptables-options">46.9.3. Command Options for IPTables</a></span></dt><dt><span class="section"><a href="#s1-iptables-saving">46.9.4. Saving IPTables Rules</a></span></dt><dt><span class="section"><a href="#s1-iptables-init">46.9.5. IPTables Control Scripts</a></span></dt><dt><span class="section"><a href="#s1-ip6tables">46.9.6. IPTables and IPv6</a></span></dt><dt><span class="section"><a href="#s1-iptables-additional-resources">46.9.7. Additional Resources</a></span></dt></dl></dd></dl></div><div xml:lang="en-US" class="section" id="ch-wstation" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="ch-wstation">46.1. Workstation Security</h2></div></div></div><a id="id1116960" class="indexterm"></a><div class="para">
		Securing a Linux environment begins with the workstation. Whether locking down a personal machine or securing an enterprise system, sound security policy begins with the individual computer. A computer network is only as secure as its weakest node.
	</div><div class="section" id="s1-wstation-eval"><div class="titlepage"><div><div><h3 class="title" id="s1-wstation-eval">46.1.1. Evaluating Workstation Security</h3></div></div></div><a id="id1116914" class="indexterm"></a><a id="id1116918" class="indexterm"></a><a id="id1116887" class="indexterm"></a><a id="id1116879" class="indexterm"></a><a id="id1116857" class="indexterm"></a><a id="id1116834" class="indexterm"></a><div class="para">
			When evaluating the security of a Red Hat Enterprise Linux workstation, consider the following:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<span class="emphasis"><em>BIOS and Boot Loader Security</em></span> — Can an unauthorized user physically access the machine and boot into single user or rescue mode without a password?
				</div></li><li class="listitem"><div class="para">
					<span class="emphasis"><em>Password Security</em></span> — How secure are the user account passwords on the machine?
				</div></li><li class="listitem"><div class="para">
					<span class="emphasis"><em>Administrative Controls</em></span> — Who has an account on the system and how much administrative control do they have?
				</div></li><li class="listitem"><div class="para">
					<span class="emphasis"><em>Available Network Services</em></span> — What services are listening for requests from the network and should they be running at all?
				</div></li><li class="listitem"><div class="para">
					<span class="emphasis"><em>Personal Firewalls</em></span> — What type of firewall, if any, is necessary?
				</div></li><li class="listitem"><div class="para">
					<span class="emphasis"><em>Security Enhanced Communication Tools</em></span> — Which tools should be used to communicate between workstations and which should be avoided?
				</div></li></ul></div></div><div class="section" id="s1-wstation-boot-sec"><div class="titlepage"><div><div><h3 class="title" id="s1-wstation-boot-sec">46.1.2. BIOS and Boot Loader Security</h3></div></div></div><a id="id1116720" class="indexterm"></a><a id="id1116706" class="indexterm"></a><a id="id1116687" class="indexterm"></a><div class="para">
			Password protection for the BIOS (or BIOS equivalent) and the boot loader can prevent unauthorized users who have physical access to systems from booting using removable media or obtaining root privileges through single user mode. The security measures you should take to protect against such attacks depends both on the sensitivity of the information on the workstation and the location of the machine.
		</div><div class="para">
			For example, if a machine is used in a trade show and contains no sensitive information, then it may not be critical to prevent such attacks. However, if an employee's laptop with private, unencrypted SSH keys for the corporate network is left unattended at that same trade show, it could lead to a major security breach with ramifications for the entire company.
		</div><div class="para">
			If the workstation is located in a place where only authorized or trusted people have access, however, then securing the BIOS or the boot loader may not be necessary.
		</div><div class="section" id="s2-wstation-bios"><div class="titlepage"><div><div><h4 class="title" id="s2-wstation-bios">46.1.2.1. BIOS Passwords</h4></div></div></div><a id="id1116650" class="indexterm"></a><div class="para">
				The two primary reasons for password protecting the BIOS of a computer are<sup>[<a id="id1116637" href="#ftn.id1116637" class="footnote">14</a>]</sup>:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						<span class="emphasis"><em>Preventing Changes to BIOS Settings</em></span> — If an intruder has access to the BIOS, they can set it to boot from a diskette or CD-ROM. This makes it possible for them to enter rescue mode or single user mode, which in turn allows them to start arbitrary processes on the system or copy sensitive data.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Preventing System Booting</em></span> — Some BIOSes allow password protection of the boot process. When activated, an attacker is forced to enter a password before the BIOS launches the boot loader.
					</div></li></ol></div><div class="para">
				Because the methods for setting a BIOS password vary between computer manufacturers, consult the computer's manual for specific instructions.
			</div><div class="para">
				If you forget the BIOS password, it can either be reset with jumpers on the motherboard or by disconnecting the CMOS battery. For this reason, it is good practice to lock the computer case if possible. However, consult the manual for the computer or motherboard before attempting to disconnect the CMOS battery.
			</div><div class="section" id="s3-wstation-bios-equiv"><div class="titlepage"><div><div><h5 class="title" id="s3-wstation-bios-equiv">46.1.2.1.1. Securing Non-x86 Platforms</h5></div></div></div><a id="id1116583" class="indexterm"></a><a id="id1116564" class="indexterm"></a><div class="para">
					Other architectures use different programs to perform low-level tasks roughly equivalent to those of the BIOS on x86 systems. For instance, <span class="trademark">Intel</span>® <span class="trademark">Itanium</span>™ computers use the <em class="firstterm">Extensible Firmware Interface</em> (<em class="firstterm">EFI</em>) shell.
				</div><div class="para">
					For instructions on password protecting BIOS-like programs on other architectures, refer to the manufacturer's instructions.
				</div></div></div><div class="section" id="s2-wstation-bootloader"><div class="titlepage"><div><div><h4 class="title" id="s2-wstation-bootloader">46.1.2.2. Boot Loader Passwords</h4></div></div></div><a id="id1116507" class="indexterm"></a><a id="id1116491" class="indexterm"></a><div class="para">
				The primary reasons for password protecting a Linux boot loader are as follows:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						<span class="emphasis"><em>Preventing Access to Single User Mode</em></span> — If attackers can boot the system into single user mode, they are logged in automatically as root without being prompted for the root password.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Preventing Access to the GRUB Console</em></span> — If the machine uses GRUB as its boot loader, an attacker can use the GRUB editor interface to change its configuration or to gather information using the <code class="command">cat</code> command.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Preventing Access to Insecure Operating Systems</em></span> — If it is a dual-boot system, an attacker can select an operating system at boot time (for example, DOS), which ignores access controls and file permissions.
					</div></li></ol></div><div class="para">
				Red Hat Enterprise Linux ships with the GRUB boot loader on the x86 platform. For a detailed look at GRUB, refer to the Red Hat Installation Guide.
			</div><div class="section" id="s3-bootloader-grub"><div class="titlepage"><div><div><h5 class="title" id="s3-bootloader-grub">46.1.2.2.1. Password Protecting GRUB</h5></div></div></div><a id="id1116412" class="indexterm"></a><div class="para">
					You can configure GRUB to address the first two issues listed in <a class="xref" href="#s2-wstation-bootloader">Section 46.1.2.2, “Boot Loader Passwords”</a> by adding a password directive to its configuration file. To do this, first choose a strong password, open a shell, log in as root, and then type the following command:
				</div><pre class="screen"><code class="command">grub-md5-crypt</code></pre><div class="para">
					When prompted, type the GRUB password and press <span class="keycap"><strong>Enter</strong></span>. This returns an MD5 hash of the password.
				</div><div class="para">
					Next, edit the GRUB configuration file <code class="filename">/boot/grub/grub.conf</code>. Open the file and below the <code class="command">timeout</code> line in the main section of the document, add the following line:
				</div><pre class="screen"><code class="command">password --md5 <em class="replaceable"><code>&lt;password-hash&gt;</code></em></code></pre><div class="para">
					Replace <em class="replaceable"><code>&lt;password-hash&gt;</code></em> with the value returned by <code class="command">/sbin/grub-md5-crypt</code><sup>[<a id="id1116332" href="#ftn.id1116332" class="footnote">15</a>]</sup>.
				</div><div class="para">
					The next time the system boots, the GRUB menu prevents access to the editor or command interface without first pressing <span class="keycap"><strong>p</strong></span> followed by the GRUB password.
				</div><div class="para">
					Unfortunately, this solution does not prevent an attacker from booting into an insecure operating system in a dual-boot environment. For this, a different part of the <code class="filename">/boot/grub/grub.conf</code> file must be edited.
				</div><div class="para">
					Look for the <code class="computeroutput">title</code> line of the operating system that you want to secure, and add a line with the <code class="command">lock</code> directive immediately beneath it.
				</div><div class="para">
					For a DOS system, the stanza should begin similar to the following:
				</div><pre class="screen">title DOS lock</pre><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
						A <code class="computeroutput">password</code> line must be present in the main section of the <code class="filename">/boot/grub/grub.conf</code> file for this method to work properly. Otherwise, an attacker can access the GRUB editor interface and remove the lock line.
					</div></div></div><div class="para">
					To create a different password for a particular kernel or operating system, add a <code class="command">lock</code> line to the stanza, followed by a password line.
				</div><div class="para">
					Each stanza protected with a unique password should begin with lines similar to the following example:
				</div><pre class="screen">title DOS lock password --md5 <em class="replaceable"><code>&lt;password-hash&gt;</code></em></pre></div></div></div><div class="section" id="s1-wstation-pass"><div class="titlepage"><div><div><h3 class="title" id="s1-wstation-pass">46.1.3. Password Security</h3></div></div></div><a id="id1116230" class="indexterm"></a><div class="para">
			Passwords are the primary method that Red Hat Enterprise Linux uses to verify a user's identity. This is why password security is so important for protection of the user, the workstation, and the network.
		</div><div class="para">
			For security purposes, the installation program configures the system to use <em class="firstterm">Message-Digest Algorithm</em> (<span class="emphasis"><em>MD5</em></span>) and shadow passwords. It is highly recommended that you do not alter these settings.
		</div><div class="para">
			If MD5 passwords are deselected during installation, the older <em class="firstterm">Data Encryption Standard</em> (<em class="firstterm"><acronym class="acronym">DES</acronym></em>) format is used. This format limits passwords to eight alphanumeric characters (disallowing punctuation and other special characters), and provides a modest 56-bit level of encryption.
		</div><div class="para">
			If shadow passwords are deselected during installation, all passwords are stored as a one-way hash in the world-readable <code class="filename">/etc/passwd</code> file, which makes the system vulnerable to offline password cracking attacks. If an intruder can gain access to the machine as a regular user, they can copy the <code class="filename">/etc/passwd</code> file to their own machine and run any number of password cracking programs against it. If there is an insecure password in the file, it is only a matter of time before the password cracker discovers it.
		</div><div class="para">
			Shadow passwords eliminate this type of attack by storing the password hashes in the file <code class="filename">/etc/shadow</code>, which is readable only by the root user.
		</div><div class="para">
			This forces a potential attacker to attempt password cracking remotely by logging into a network service on the machine, such as SSH or FTP. This sort of brute-force attack is much slower and leaves an obvious trail as hundreds of failed login attempts are written to system files. Of course, if the cracker starts an attack in the middle of the night on a system with weak passwords, the cracker may have gained access before dawn and edited the log files to cover their tracks.
		</div><div class="para">
			In addition to format and storage considerations is the issue of content. The single most important thing a user can do to protect their account against a password cracking attack is create a strong password.
		</div><div class="section" id="s2-wstation-pass-create"><div class="titlepage"><div><div><h4 class="title" id="s2-wstation-pass-create">46.1.3.1. Creating Strong Passwords</h4></div></div></div><a id="id1116146" class="indexterm"></a><div class="para">
				When creating a secure password, it is a good idea to follow these guidelines:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="emphasis"><em>Do Not Use Only Words or Numbers</em></span> — Never use only numbers or words in a password.
					</div><div class="para">
						Some insecure examples include the following:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								8675309
							</div></li><li class="listitem"><div class="para">
								juan
							</div></li><li class="listitem"><div class="para">
								hackme
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Do Not Use Recognizable Words</em></span> — Words such as proper names, dictionary words, or even terms from television shows or novels should be avoided, even if they are bookended with numbers.
					</div><div class="para">
						Some insecure examples include the following:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								john1
							</div></li><li class="listitem"><div class="para">
								DS-9
							</div></li><li class="listitem"><div class="para">
								mentat123
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Do Not Use Words in Foreign Languages</em></span> — Password cracking programs often check against word lists that encompass dictionaries of many languages. Relying on foreign languages for secure passwords is not secure.
					</div><div class="para">
						Some insecure examples include the following:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								cheguevara
							</div></li><li class="listitem"><div class="para">
								bienvenido1
							</div></li><li class="listitem"><div class="para">
								1dumbKopf
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Do Not Use Hacker Terminology</em></span> — If you think you are elite because you use hacker terminology — also called l337 (LEET) speak — in your password, think again. Many word lists include LEET speak.
					</div><div class="para">
						Some insecure examples include the following:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								H4X0R
							</div></li><li class="listitem"><div class="para">
								1337
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Do Not Use Personal Information</em></span> — Avoid using any personal information in your passwords. If the attacker knows your identity, the task of deducing your password becomes easier. The following is a list of the types of information to avoid when creating a password:
					</div><div class="para">
						Some insecure examples include the following:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Your name
							</div></li><li class="listitem"><div class="para">
								The names of pets
							</div></li><li class="listitem"><div class="para">
								The names of family members
							</div></li><li class="listitem"><div class="para">
								Any birth dates
							</div></li><li class="listitem"><div class="para">
								Your phone number or zip code
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Do Not Invert Recognizable Words</em></span> — Good password checkers always reverse common words, so inverting a bad password does not make it any more secure.
					</div><div class="para">
						Some insecure examples include the following:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								R0X4H
							</div></li><li class="listitem"><div class="para">
								nauj
							</div></li><li class="listitem"><div class="para">
								9-DS
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Do Not Write Down Your Password</em></span> — Never store a password on paper. It is much safer to memorize it.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Do Not Use the Same Password For All Machines</em></span> — It is important to make separate passwords for each machine. This way if one system is compromised, all of your machines are not immediately at risk.
					</div></li></ul></div><div class="para">
				The following guidelines will help you to create a strong password:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="emphasis"><em>Make the Password at Least Eight Characters Long</em></span> — The longer the password, the better. If using MD5 passwords, it should be 15 characters or longer. With DES passwords, use the maximum length (eight characters).
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Mix Upper and Lower Case Letters</em></span> — Red Hat Enterprise Linux is case sensitive, so mix cases to enhance the strength of the password.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Mix Letters and Numbers</em></span> — Adding numbers to passwords, especially when added to the middle (not just at the beginning or the end), can enhance password strength.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Include Non-Alphanumeric Characters</em></span> — Special characters such as &amp;, $, and &gt; can greatly improve the strength of a password (this is not possible if using DES passwords).
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Pick a Password You Can Remember</em></span> — The best password in the world does little good if you cannot remember it; use acronyms or other mnemonic devices to aid in memorizing passwords.
					</div></li></ul></div><div class="para">
				With all these rules, it may seem difficult to create a password that meets all of the criteria for good passwords while avoiding the traits of a bad one. Fortunately, there are some steps you can take to generate an easily-remembered, secure password.
			</div><div class="section" id="s3-wstation-pass-create-tip"><div class="titlepage"><div><div><h5 class="title" id="s3-wstation-pass-create-tip">46.1.3.1.1. Secure Password Creation Methodology</h5></div></div></div><a id="id1115697" class="indexterm"></a><div class="para">
					There are many methods that people use to create secure passwords. One of the more popular methods involves acronyms. For example:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							Think of an easily-remembered phrase, such as:
						</div><div class="para">
							"over the river and through the woods, to grandmother's house we go."
						</div></li><li class="listitem"><div class="para">
							Next, turn it into an acronym (including the punctuation).
						</div><div class="para">
							<strong class="userinput"><code>otrattw,tghwg.</code></strong>
						</div></li><li class="listitem"><div class="para">
							Add complexity by substituting numbers and symbols for letters in the acronym. For example, substitute <strong class="userinput"><code>7</code></strong> for <strong class="userinput"><code>t</code></strong> and the at symbol (<strong class="userinput"><code>@</code></strong>) for <strong class="userinput"><code>a</code></strong>:
						</div><div class="para">
							<strong class="userinput"><code>o7r@77w,7ghwg.</code></strong>
						</div></li><li class="listitem"><div class="para">
							Add more complexity by capitalizing at least one letter, such as <strong class="userinput"><code>H</code></strong>.
						</div><div class="para">
							<strong class="userinput"><code>o7r@77w,7gHwg.</code></strong>
						</div></li><li class="listitem"><div class="para">
							<span class="emphasis"><em>Finally, do not use the example password above for any systems, ever</em></span>.
						</div></li></ul></div><div class="para">
					While creating secure passwords is imperative, managing them properly is also important, especially for system administrators within larger organizations. The following section details good practices for creating and managing user passwords within an organization.
				</div></div></div><div class="section" id="s2-wstation-pass-org-create"><div class="titlepage"><div><div><h4 class="title" id="s2-wstation-pass-org-create">46.1.3.2. Creating User Passwords Within an Organization</h4></div></div></div><a id="id1115569" class="indexterm"></a><a id="id1115552" class="indexterm"></a><div class="para">
				If an organization has a large number of users, the system administrators have two basic options available to force the use of good passwords. They can create passwords for the user, or they can let users create their own passwords, while verifying the passwords are of acceptable quality.
			</div><div class="para">
				Creating the passwords for the users ensures that the passwords are good, but it becomes a daunting task as the organization grows. It also increases the risk of users writing their passwords down.
			</div><div class="para">
				For these reasons, most system administrators prefer to have the users create their own passwords, but actively verify that the passwords are good and, in some cases, force users to change their passwords periodically through password aging.
			</div><div class="section" id="s3-wstation-pass-org-force"><div class="titlepage"><div><div><h5 class="title" id="s3-wstation-pass-org-force">46.1.3.2.1. Forcing Strong Passwords</h5></div></div></div><a id="id1115518" class="indexterm"></a><a id="id1115481" class="indexterm"></a><a id="id1115490" class="indexterm"></a><div class="para">
					To protect the network from intrusion it is a good idea for system administrators to verify that the passwords used within an organization are strong ones. When users are asked to create or change passwords, they can use the command line application <code class="command">passwd</code>, which is <em class="firstterm">Pluggable Authentication Manager</em> (<em class="firstterm">PAM</em>) aware and therefore checks to see if the password is too short or otherwise easy to crack. This check is performed using the <code class="filename">pam_cracklib.so</code> PAM module. Since PAM is customizable, it is possible to add more password integrity checkers, such as <code class="filename">pam_passwdqc</code> (available from <a href="http://www.openwall.com/passwdqc/">http://www.openwall.com/passwdqc/</a>) or to write a new module. For a list of available PAM modules, refer to <a href="http://www.kernel.org/pub/linux/libs/pam/modules.html">http://www.kernel.org/pub/linux/libs/pam/modules.html</a>. For more information about PAM, refer to <a class="xref" href="#ch-pam">Section 46.4, “Pluggable Authentication Modules (PAM)”</a>.
				</div><div class="para">
					The password check that is performed at the time of their creation does not discover bad passwords as effectively as running a password cracking program against the passwords.
				</div><div class="para">
					Many password cracking programs are available that run under Red Hat Enterprise Linux, although none ship with the operating system. Below is a brief list of some of the more popular password cracking programs:
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						None of these tools are supplied with Red Hat Enterprise Linux and are therefore not supported by Red Hat, Inc. in any way.
					</div></div></div><a id="id1115401" class="indexterm"></a><a id="id1115394" class="indexterm"></a><a id="id1115373" class="indexterm"></a><a id="id1115350" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<span class="emphasis"><em><span class="application"><strong>John The Ripper</strong></span></em></span> — A fast and flexible password cracking program. It allows the use of multiple word lists and is capable of brute-force password cracking. It is available online at <a href="http://www.openwall.com/john/">http://www.openwall.com/john/</a>.
						</div></li><li class="listitem"><div class="para">
							<span class="emphasis"><em><span class="application"><strong>Crack</strong></span></em></span> — Perhaps the most well known password cracking software, <span class="application"><strong>Crack</strong></span> is also very fast, though not as easy to use as <span class="application"><strong>John The Ripper</strong></span>. It can be found online at <a href="http://www.openwall.com/john/">http://www.openwall.com/john/</a>.
						</div></li><li class="listitem"><div class="para">
							<span class="emphasis"><em><span class="application"><strong>Slurpie</strong></span></em></span> — <span class="application"><strong>Slurpie</strong></span> is similar to <span class="application"><strong>John The Ripper</strong></span> and <span class="application"><strong>Crack</strong></span>, but it is designed to run on multiple computers simultaneously, creating a distributed password cracking attack. It can be found along with a number of other distributed attack security evaluation tools online at <a href="http://www.ussrback.com/distributed.htm">http://www.ussrback.com/distributed.htm</a>.
						</div></li></ul></div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
						Always get authorization in writing before attempting to crack passwords within an organization.
					</div></div></div></div><div class="section" id="s3-wstation-pass-org-age"><div class="titlepage"><div><div><h5 class="title" id="s3-wstation-pass-org-age">46.1.3.2.2. Password Aging</h5></div></div></div><a id="id1115223" class="indexterm"></a><a id="id1115182" class="indexterm"></a><div class="para">
					Password aging is another technique used by system administrators to defend against bad passwords within an organization. Password aging means that after a specified period (usually 90 days), the user is prompted to create a new password. The theory behind this is that if a user is forced to change their password periodically, a cracked password is only useful to an intruder for a limited amount of time. The downside to password aging, however, is that users are more likely to write their passwords down.
				</div><div class="para">
					There are two primary programs used to specify password aging under Red Hat Enterprise Linux: the <code class="command">chage</code> command or the graphical <span class="application"><strong>User Manager</strong></span> (<code class="command">system-config-users</code>) application.
				</div><div class="para">
					The <code class="option">-M</code> option of the <code class="command">chage</code> command specifies the maximum number of days the password is valid. For example, to set a user's password to expire in 90 days, use the following command:
				</div><pre class="screen"><code class="command">chage -M 90 <em class="replaceable"><code>&lt;username&gt;</code></em></code></pre><div class="para">
					In the above command, replace <em class="replaceable"><code>&lt;username&gt;</code></em> with the name of the user. To disable password expiration, it is traditional to use a value of <code class="command">99999</code> after the <code class="option">-M</code> option (this equates to a little over 273 years).
				</div><div class="para">
					You can also use the <code class="command">chage</code> command in interactive mode to modify multiple password aging and account details. Use the following command to enter interactive mode:
				</div><pre class="screen"><code class="command">chage <em class="replaceable"><code>&lt;username&gt;</code></em></code></pre><div class="para">
					The following is a sample interactive session using this command:
				</div><pre class="screen">~]# <code class="command">chage davido</code>
Changing the aging information for davido
Enter the new value, or press ENTER for the default

Minimum Password Age [0]: 10
        Maximum Password Age [99999]: 90
        Last Password Change (YYYY-MM-DD) [2006-08-18]:
        Password Expiration Warning [7]:
        Password Inactive [-1]:
        Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
~]#</pre><div class="para">
					Refer to the man page for chage for more information on the available options.
				</div><div class="para">
					You can also use the graphical <span class="application"><strong>User Manager</strong></span> application to create password aging policies, as follows. Note: you need Administrator privileges to perform this procedure.
				</div><div class="procedure"><ol class="1"><li class="step"><div class="para">
							Click the <span class="guimenu"><strong>System</strong></span> menu on the Panel, point to <span class="guisubmenu"><strong>Administration</strong></span> and then click <span class="guimenuitem"><strong>Users and Groups</strong></span> to display the User Manager. Alternatively, type the command <code class="command">system-config-users</code> at a shell prompt.
						</div></li><li class="step"><div class="para">
							Click the <span class="guilabel"><strong>Users</strong></span> tab, and select the required user in the list of users.
						</div></li><li class="step"><div class="para">
							Click <span class="guibutton"><strong>Properties</strong></span> on the toolbar to display the User Properties dialog box (or choose <span class="guimenuitem"><strong>Properties</strong></span> on the <span class="guimenu"><strong>File</strong></span> menu).
						</div></li><li class="step"><div class="para">
							Click the <span class="guilabel"><strong>Password Info</strong></span> tab, and select the check box for <span class="guilabel"><strong>Enable password expiration</strong></span>.
						</div></li><li class="step"><div class="para">
							Enter the required value in the <span class="guilabel"><strong>Days before change required</strong></span> field, and click <span class="guibutton"><strong>OK</strong></span>.
						</div></li></ol></div><div class="figure" id="user-password-fig"><div class="figure-contents"><div class="mediaobject"><img src="images/user_pass_info.png" width="444" alt="Specifying password aging options" /><div class="longdesc"><div class="para">
								<span class="guilabel"><strong>Password Info</strong></span> pane illustration.
							</div></div></div></div><h6>Figure 46.1. Specifying password aging options</h6></div><br class="figure-break" /><div class="para">
					For more information about user and group configuration (including instructions on forcing first time passwords), refer to <a class="xref" href="#ch-users-groups">Chapter 35, <em>Users and Groups</em></a>.
				</div></div></div></div><div class="section" id="s1-wstation-privileges"><div class="titlepage"><div><div><h3 class="title" id="s1-wstation-privileges">46.1.4. Administrative Controls</h3></div></div></div><div class="para">
			When administering a home machine, the user must perform some tasks as the root user or by acquiring effective root privileges via a <em class="firstterm">setuid</em> program, such as <code class="command">sudo</code> or <code class="command">su</code>. A setuid program is one that operates with the user ID (<span class="emphasis"><em>UID</em></span>) of the program's owner rather than the user operating the program. Such programs are denoted by an <code class="computeroutput">s</code> in the owner section of a long format listing, as in the following example:
		</div><pre class="screen">-rwsr-xr-x    1 root     root        47324 May  1 08:09 /bin/su</pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				The <code class="computeroutput">s</code> may be upper case or lower case. If it appears as upper case, it means that the underlying permission bit has not been set.
			</div></div></div><div class="para">
			For the system administrators of an organization, however, choices must be made as to how much administrative access users within the organization should have to their machine. Through a PAM module called <code class="filename">pam_console.so</code>, some activities normally reserved only for the root user, such as rebooting and mounting removable media are allowed for the first user that logs in at the physical console (refer to <a class="xref" href="#ch-pam">Section 46.4, “Pluggable Authentication Modules (PAM)”</a> for more information about the <code class="filename">pam_console.so</code> module.) However, other important system administration tasks, such as altering network settings, configuring a new mouse, or mounting network devices, are not possible without administrative privileges. As a result, system administrators must decide how much access the users on their network should receive.
		</div><div class="section" id="s2-wstation-privileges-root"><div class="titlepage"><div><div><h4 class="title" id="s2-wstation-privileges-root">46.1.4.1. Allowing Root Access</h4></div></div></div><a id="id1114862" class="indexterm"></a><a id="id1114843" class="indexterm"></a><a id="id1114833" class="indexterm"></a><div class="para">
				If the users within an organization are trusted and computer-literate, then allowing them root access may not be an issue. Allowing root access by users means that minor activities, like adding devices or configuring network interfaces, can be handled by the individual users, leaving system administrators free to deal with network security and other important issues.
			</div><div class="para">
				On the other hand, giving root access to individual users can lead to the following issues:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="emphasis"><em>Machine Misconfiguration</em></span> — Users with root access can misconfigure their machines and require assistance to resolve issues. Even worse, they might open up security holes without knowing it.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Running Insecure Services</em></span> — Users with root access might run insecure servers on their machine, such as FTP or Telnet, potentially putting usernames and passwords at risk. These services transmit this information over the network in plain text.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Running Email Attachments As Root</em></span> — Although rare, email viruses that affect Linux do exist. The only time they are a threat, however, is when they are run by the root user.
					</div></li></ul></div></div><div class="section" id="s2-wstation-privileges-noroot"><div class="titlepage"><div><div><h4 class="title" id="s2-wstation-privileges-noroot">46.1.4.2. Disallowing Root Access</h4></div></div></div><a id="id1114760" class="indexterm"></a><div class="para">
				If an administrator is uncomfortable allowing users to log in as root for these or other reasons, the root password should be kept secret, and access to runlevel one or single user mode should be disallowed through boot loader password protection (refer to <a class="xref" href="#s2-wstation-bootloader">Section 46.1.2.2, “Boot Loader Passwords”</a> for more information on this topic.)
			</div><div class="para">
				The following are four different ways that an administrator can further ensure that root logins are disallowed:
			</div><a id="id1114732" class="indexterm"></a><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <a id="id1114708" class="indexterm"></a>
					 Changing the root shell </span></dt><dd><div class="para">
							To prevent users from logging in directly as root, the system administrator can set the root account's shell to <code class="command">/sbin/nologin</code> in the <code class="filename">/etc/passwd</code> file.
						</div><div class="table" id="tabl-wstation-privileges-rshell"><h6>Table 46.1. Disabling the Root Shell</h6><div class="table-contents"><table summary="Disabling the Root Shell" border="1"><colgroup><col width="50%" class="does" /><col width="50%" class="doesnt" /></colgroup><thead><tr><th>
											Effects
										</th><th>
											Does Not Affect
										</th></tr></thead><tbody><tr><td>
											<div class="para">
												Prevents access to the root shell and logs any such attempts. The following programs are prevented from accessing the root account:
											</div>
											 <div class="itemizedlist"><ul><li class="listitem"><div class="para">
														<code class="command">login</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">gdm</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">kdm</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">xdm</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">su</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">ssh</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">scp</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">sftp</code>
													</div></li></ul></div>

</td><td>
											<div class="para">
												Programs that do not require a shell, such as FTP clients, mail clients, and many setuid programs. The following programs are <span class="emphasis"><em>not</em></span> prevented from accessing the root account:
											</div>
											 <div class="itemizedlist"><ul><li class="listitem"><div class="para">
														<code class="command">sudo</code>
													</div></li><li class="listitem"><div class="para">
														FTP clients
													</div></li><li class="listitem"><div class="para">
														Email clients
													</div></li></ul></div>

</td></tr></tbody></table></div></div><br class="table-break" /></dd><dt class="varlistentry"><span class="term"> <a id="id1114446" class="indexterm"></a>
					 Disabling root access via any console device (tty) </span></dt><dd><div class="para">
							To further limit access to the root account, administrators can disable root logins at the console by editing the <code class="filename">/etc/securetty</code> file. This file lists all devices the root user is allowed to log into. If the file does not exist at all, the root user can log in through any communication device on the system, whether via the console or a raw network interface. This is dangerous, because a user can log in to their machine as root via Telnet, which transmits the password in plain text over the network.
						</div><div class="para">
							By default, Red Hat Enterprise Linux's <code class="filename">/etc/securetty</code> file only allows the root user to log in at the console physically attached to the machine. To prevent the root user from logging in, remove the contents of this file by typing the following command at a shell prompt as root:
						</div><pre class="screen"><code class="command">echo &gt; /etc/securetty</code></pre><div class="para">
							To enable <code class="filename">securetty</code> support in the KDM, GDM, and XDM login managers, add the following line:
						</div><pre class="screen">auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so</pre><div class="para">
							to the files listed below:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="filename">/etc/pam.d/gdm</code>
								</div></li><li class="listitem"><div class="para">
									<code class="filename">/etc/pam.d/gdm-autologin</code>
								</div></li><li class="listitem"><div class="para">
									<code class="filename">/etc/pam.d/gdm-fingerprint</code>
								</div></li><li class="listitem"><div class="para">
									<code class="filename">/etc/pam.d/gdm-password</code>
								</div></li><li class="listitem"><div class="para">
									<code class="filename">/etc/pam.d/gdm-smartcard</code>
								</div></li><li class="listitem"><div class="para">
									<code class="filename">/etc/pam.d/kdm</code>
								</div></li><li class="listitem"><div class="para">
									<code class="filename">/etc/pam.d/kdm-np</code>
								</div></li><li class="listitem"><div class="para">
									<code class="filename">/etc/pam.d/xdm</code>
								</div></li></ul></div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
								A blank <code class="filename">/etc/securetty</code> file does <span class="emphasis"><em>not</em></span> prevent the root user from logging in remotely using the OpenSSH suite of tools because the console is not opened until after authentication.
							</div></div></div><div class="table" id="tabl-wstation-privileges-tty"><h6>Table 46.2. Disabling Root Logins</h6><div class="table-contents"><table summary="Disabling Root Logins" border="1"><colgroup><col width="50%" class="does" /><col width="50%" class="doesnt" /></colgroup><thead><tr><th>
											Effects
										</th><th>
											Does Not Affect
										</th></tr></thead><tbody><tr><td>
											<div class="para">
												Prevents access to the root account via the console or the network. The following programs are prevented from accessing the root account:
											</div>
											 <div class="itemizedlist"><ul><li class="listitem"><div class="para">
														<code class="command">login</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">gdm</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">kdm</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">xdm</code>
													</div></li><li class="listitem"><div class="para">
														Other network services that open a tty
													</div></li></ul></div>

</td><td>
											<div class="para">
												Programs that do not log in as root, but perform administrative tasks through setuid or other mechanisms. The following programs are <span class="emphasis"><em>not</em></span> prevented from accessing the root account:
											</div>
											 <div class="itemizedlist"><ul><li class="listitem"><div class="para">
														<code class="command">su</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">sudo</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">ssh</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">scp</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">sftp</code>
													</div></li></ul></div>

</td></tr></tbody></table></div></div><br class="table-break" /></dd><dt class="varlistentry"><span class="term"> <a id="id1114043" class="indexterm"></a>
					 Disabling root SSH logins </span></dt><dd><div class="para">
							To prevent root logins via the SSH protocol, edit the SSH daemon's configuration file, <code class="filename">/etc/ssh/sshd_config</code>, and change the line that reads:
						</div><pre class="screen">#PermitRootLogin yes</pre><div class="para">
							to read as follows:
						</div><pre class="screen">PermitRootLogin no</pre><div class="table" id="tabl-wstation-privileges-ssh"><h6>Table 46.3. Disabling Root SSH Logins</h6><div class="table-contents"><table summary="Disabling Root SSH Logins" border="1"><colgroup><col width="50%" class="does" /><col width="50%" class="doesnt" /></colgroup><thead><tr><th>
											Effects
										</th><th>
											Does Not Affect
										</th></tr></thead><tbody><tr><td>
											<div class="para">
												Prevents root access via the OpenSSH suite of tools. The following programs are prevented from accessing the root account:
											</div>
											 <div class="itemizedlist"><ul><li class="listitem"><div class="para">
														<code class="command">ssh</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">scp</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">sftp</code>
													</div></li></ul></div>

</td><td>
											<div class="para">
												Programs that are not part of the OpenSSH suite of tools.
											</div>

</td></tr></tbody></table></div></div><br class="table-break" /></dd><dt class="varlistentry"><span class="term"> <a id="id1113873" class="indexterm"></a>
					 Using PAM to limit root access to services </span></dt><dd><div class="para">
							PAM, through the <code class="filename">/lib/security/pam_listfile.so</code> module, allows great flexibility in denying specific accounts. The administrator can use this module to reference a list of users who are not allowed to log in. To limit root access to a system service, edit the file for the target service in the <code class="filename">/etc/pam.d/</code> directory and make sure the <code class="filename">pam_listfile.so</code> module is required for authentication.
						</div><div class="para">
							The following is an example of how the module is used for the <code class="command">vsftpd</code> FTP server in the <code class="filename">/etc/pam.d/vsftpd</code> PAM configuration file (the <code class="computeroutput">\</code> character at the end of the first line is <span class="emphasis"><em>not</em></span> necessary if the directive is on a single line):
						</div><pre class="screen">auth   required   /lib/security/pam_listfile.so   item=user \
 sense=deny file=/etc/vsftpd.ftpusers onerr=succeed</pre><div class="para">
							This instructs PAM to consult the <code class="filename">/etc/vsftpd.ftpusers</code> file and deny access to the service for any listed user. The administrator can change the name of this file, and can keep separate lists for each service or use one central list to deny access to multiple services.
						</div><div class="para">
							If the administrator wants to deny access to multiple services, a similar line can be added to the PAM configuration files, such as <code class="filename">/etc/pam.d/pop</code> and <code class="filename">/etc/pam.d/imap</code> for mail clients, or <code class="filename">/etc/pam.d/ssh</code> for SSH clients.
						</div><div class="para">
							For more information about PAM, refer to <a class="xref" href="#ch-pam">Section 46.4, “Pluggable Authentication Modules (PAM)”</a>.
						</div><div class="table" id="tabl-wstation-privileges-pam"><h6>Table 46.4. Disabling Root Using PAM</h6><div class="table-contents"><table summary="Disabling Root Using PAM" border="1"><colgroup><col width="50%" class="does" /><col width="50%" class="doesnt" /></colgroup><thead><tr><th>
											Effects
										</th><th>
											Does Not Affect
										</th></tr></thead><tbody><tr><td>
											<div class="para">
												Prevents root access to network services that are PAM aware. The following services are prevented from accessing the root account:
											</div>
											 <div class="itemizedlist"><ul><li class="listitem"><div class="para">
														<code class="command">login</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">gdm</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">kdm</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">xdm</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">ssh</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">scp</code>
													</div></li><li class="listitem"><div class="para">
														<code class="command">sftp</code>
													</div></li><li class="listitem"><div class="para">
														FTP clients
													</div></li><li class="listitem"><div class="para">
														Email clients
													</div></li><li class="listitem"><div class="para">
														Any PAM aware services
													</div></li></ul></div>

</td><td>
											<div class="para">
												Programs and services that are not PAM aware.
											</div>

</td></tr></tbody></table></div></div><br class="table-break" /></dd></dl></div></div><div class="section" id="s2-wstation-privileges-limitroot"><div class="titlepage"><div><div><h4 class="title" id="s2-wstation-privileges-limitroot">46.1.4.3. Limiting Root Access</h4></div></div></div><a id="id1113576" class="indexterm"></a><div class="para">
				Rather than completely denying access to the root user, the administrator may want to allow access only via setuid programs, such as <code class="command">su</code> or <code class="command">sudo</code>.
			</div><div class="section" id="s3-wstation-privileges-limitroot-su"><div class="titlepage"><div><div><h5 class="title" id="s3-wstation-privileges-limitroot-su">46.1.4.3.1. The <code class="command">su</code> Command</h5></div></div></div><a id="id1113531" class="indexterm"></a><a id="id1113507" class="indexterm"></a><div class="para">
					When a user executes the <code class="command">su</code> command, they are prompted for the root password and, after authentication, is given a root shell prompt.
				</div><div class="para">
					Once logged in via the <code class="command">su</code> command, the user <span class="emphasis"><em>is</em></span> the root user and has absolute administrative access to the system<sup>[<a id="id1113472" href="#ftn.id1113472" class="footnote">16</a>]</sup>. In addition, once a user has become root, it is possible for them to use the <code class="command">su</code> command to change to any other user on the system without being prompted for a password.
				</div><div class="para">
					Because this program is so powerful, administrators within an organization may wish to limit who has access to the command.
				</div><div class="para">
					One of the simplest ways to do this is to add users to the special administrative group called <em class="firstterm">wheel</em>. To do this, type the following command as root:
				</div><pre class="screen"><code class="command">usermod -G wheel <em class="replaceable"><code>&lt;username&gt;</code></em></code></pre><div class="para">
					In the previous command, replace <em class="replaceable"><code>&lt;username&gt;</code></em> with the username you want to add to the <code class="command">wheel</code> group.
				</div><a id="id1113418" class="indexterm"></a><div class="para">
					You can also use the <span class="application"><strong>User Manager</strong></span> to modify group memberships, as follows. Note: you need Administrator privileges to perform this procedure.
				</div><div class="procedure"><ol class="1"><li class="step"><div class="para">
							Click the <span class="guimenu"><strong>System</strong></span> menu on the Panel, point to <span class="guisubmenu"><strong>Administration</strong></span> and then click <span class="guimenuitem"><strong>Users and Groups</strong></span> to display the User Manager. Alternatively, type the command <code class="command">system-config-users</code> at a shell prompt.
						</div></li><li class="step"><div class="para">
							Click the <span class="guilabel"><strong>Users</strong></span> tab, and select the required user in the list of users.
						</div></li><li class="step"><div class="para">
							Click <span class="guibutton"><strong>Properties</strong></span> on the toolbar to display the User Properties dialog box (or choose <span class="guimenuitem"><strong>Properties</strong></span> on the <span class="guimenu"><strong>File</strong></span> menu).
						</div></li><li class="step"><div class="para">
							Click the <span class="guilabel"><strong>Groups</strong></span> tab, select the check box for the wheel group, and then click <span class="guibutton"><strong>OK</strong></span>. Refer to <a class="xref" href="#user-group-fig">Figure 46.2, “Adding users to the "wheel" group.”</a>.
						</div></li><li class="step"><div class="para">
							Open the PAM configuration file for <code class="command">su</code> (<code class="filename">/etc/pam.d/su</code>) in a text editor and remove the comment <span class="keycap"><strong>#</strong></span> from the following line:
						</div><pre class="screen">auth  required /lib/security/$ISA/pam_wheel.so use_uid</pre><div class="para">
							This change means that only members of the administrative group <code class="computeroutput">wheel</code> can use this program.
						</div></li></ol></div><div class="figure" id="user-group-fig"><div class="figure-contents"><div class="mediaobject"><img src="images/user_pass_groups.png" alt="Adding users to the &quot;wheel&quot; group." /><div class="longdesc"><div class="para">
								<span class="guilabel"><strong>Groups</strong></span> pane illustration
							</div></div></div></div><h6>Figure 46.2. Adding users to the "wheel" group.</h6></div><br class="figure-break" /><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						The root user is part of the <code class="computeroutput">wheel</code> group by default.
					</div></div></div></div><div class="section" id="s3-wstation-privileges-limitroot-sudo"><div class="titlepage"><div><div><h5 class="title" id="s3-wstation-privileges-limitroot-sudo">46.1.4.3.2. The <code class="command">sudo</code> Command</h5></div></div></div><a id="id1100733" class="indexterm"></a><a id="id1100709" class="indexterm"></a><div class="para">
					The <code class="command">sudo</code> command offers another approach to giving users administrative access. When trusted users precede an administrative command with <code class="command">sudo</code>, they are prompted for <span class="emphasis"><em>their own</em></span> password. Then, when they have been authenticated and assuming that the command is permitted, the administrative command is executed as if they were the root user.
				</div><div class="para">
					The basic format of the <code class="command">sudo</code> command is as follows:
				</div><pre class="screen"><code class="command">sudo <em class="replaceable"><code>&lt;command&gt;</code></em></code></pre><div class="para">
					In the above example, <em class="replaceable"><code>&lt;command&gt;</code></em> would be replaced by a command normally reserved for the root user, such as <code class="command">mount</code>.
				</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
						Users of the <code class="command">sudo</code> command should take extra care to log out before walking away from their machines since sudoers can use the command again without being asked for a password within a five minute period. This setting can be altered via the configuration file, <code class="filename">/etc/sudoers</code>.
					</div></div></div><div class="para">
					The <code class="command">sudo</code> command allows for a high degree of flexibility. For instance, only users listed in the <code class="filename">/etc/sudoers</code> configuration file are allowed to use the <code class="command">sudo</code> command and the command is executed in <span class="emphasis"><em>the user's</em></span> shell, not a root shell. This means the root shell can be completely disabled, as shown in <a class="xref" href="#s2-wstation-privileges-noroot">Section 46.1.4.2, “Disallowing Root Access”</a>.
				</div><div class="para">
					The <code class="command">sudo</code> command also provides a comprehensive audit trail. Each successful authentication is logged to the file <code class="filename">/var/log/messages</code> and the command issued along with the issuer's user name is logged to the file <code class="filename">/var/log/secure</code>.
				</div><div class="para">
					Another advantage of the <code class="command">sudo</code> command is that an administrator can allow different users access to specific commands based on their needs.
				</div><div class="para">
					Administrators wanting to edit the <code class="command">sudo</code> configuration file, <code class="filename">/etc/sudoers</code>, should use the <code class="command">visudo</code> command.
				</div><div class="para">
					To give someone full administrative privileges, type <code class="command">visudo</code> and add a line similar to the following in the user privilege specification section:
				</div><pre class="screen">juan ALL=(ALL) ALL</pre><div class="para">
					This example states that the user, <code class="computeroutput">juan</code>, can use <code class="command">sudo</code> from any host and execute any command.
				</div><div class="para">
					The example below illustrates the granularity possible when configuring <code class="command">sudo</code>:
				</div><pre class="screen">%users  localhost=/sbin/shutdown -h now</pre><div class="para">
					This example states that any user can issue the command <code class="command">/sbin/shutdown -h now</code> as long as it is issued from the console.
				</div><div class="para">
					The man page for <code class="filename">sudoers</code> has a detailed listing of options for this file.
				</div></div></div></div><div class="section" id="s1-wstation-service"><div class="titlepage"><div><div><h3 class="title" id="s1-wstation-service">46.1.5. Available Network Services</h3></div></div></div><a id="id1100480" class="indexterm"></a><div class="para">
			While user access to administrative controls is an important issue for system administrators within an organization, monitoring which network services are active is of paramount importance to anyone who administers and operates a Linux system.
		</div><div class="para">
			Many services under Red Hat Enterprise Linux behave as network servers. If a network service is running on a machine, then a server application (called a <em class="firstterm">daemon</em>), is listening for connections on one or more network ports. Each of these servers should be treated as a potential avenue of attack.
		</div><div class="section" id="s2-wstation-service-risks"><div class="titlepage"><div><div><h4 class="title" id="s2-wstation-service-risks">46.1.5.1. Risks To Services</h4></div></div></div><a id="id1100453" class="indexterm"></a><a id="id1100437" class="indexterm"></a><a id="id1100418" class="indexterm"></a><a id="id1100399" class="indexterm"></a><div class="para">
				Network services can pose many risks for Linux systems. Below is a list of some of the primary issues:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="emphasis"><em>Denial of Service Attacks (DoS)</em></span> — By flooding a service with requests, a denial of service attack can render a system unusable as it tries to log and answer each request.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Script Vulnerability Attacks</em></span> — If a server is using scripts to execute server-side actions, as Web servers commonly do, a cracker can attack improperly written scripts. These script vulnerability attacks can lead to a buffer overflow condition or allow the attacker to alter files on the system.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Buffer Overflow Attacks</em></span> — Services that connect to ports numbered 0 through 1023 must run as an administrative user. If the application has an exploitable buffer overflow, an attacker could gain access to the system as the user running the daemon. Because exploitable buffer overflows exist, crackers use automated tools to identify systems with vulnerabilities, and once they have gained access, they use automated rootkits to maintain their access to the system.
					</div></li></ul></div><a id="id1100330" class="indexterm"></a><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					The threat of buffer overflow vulnerabilities is mitigated in Red Hat Enterprise Linux by <em class="firstterm">ExecShield</em>, an executable memory segmentation and protection technology supported by x86-compatible uni- and multi-processor kernels. ExecShield reduces the risk of buffer overflow by separating virtual memory into executable and non-executable segments. Any program code that tries to execute outside of the executable segment (such as malicious code injected from a buffer overflow exploit) triggers a segmentation fault and terminates.
				</div><div class="para">
					Execshield also includes support for <em class="firstterm">No eXecute</em> (<acronym class="acronym">NX</acronym>) technology on AMD64 platforms and <em class="firstterm">eXecute Disable</em> (<acronym class="acronym">XD</acronym>) technology on Itanium and <span class="trademark">Intel</span>® 64 systems. These technologies work in conjunction with ExecShield to prevent malicious code from running in the executable portion of virtual memory with a granularity of 4KB of executable code, lowering the risk of attack from stealthy buffer overflow exploits.
				</div></div></div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
					To limit exposure to attacks over the network, all services that are unused should be turned off.
				</div></div></div></div><div class="section" id="s2-wstation-service-config"><div class="titlepage"><div><div><h4 class="title" id="s2-wstation-service-config">46.1.5.2. Identifying and Configuring Services</h4></div></div></div><a id="id1100235" class="indexterm"></a><a id="id1100225" class="indexterm"></a><a id="id1100213" class="indexterm"></a><a id="id1100202" class="indexterm"></a><a id="id1100189" class="indexterm"></a><a id="id1100177" class="indexterm"></a><a id="id1103336" class="indexterm"></a><div class="para">
				To enhance security, most network services installed with Red Hat Enterprise Linux are turned off by default. There are, however, some notable exceptions:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">cupsd</code> — The default print server for Red Hat Enterprise Linux.
					</div></li><li class="listitem"><div class="para">
						<code class="command">lpd</code> — An alternative print server.
					</div></li><li class="listitem"><div class="para">
						<code class="command">xinetd</code> — A super server that controls connections to a range of subordinate servers, such as <code class="command">gssftp</code> and <code class="command">telnet</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">sendmail</code> — The Sendmail <em class="firstterm">Mail Transport Agent</em> (<abbr class="abbrev">MTA</abbr>) is enabled by default, but only listens for connections from the <span class="interface">localhost</span>.
					</div></li><li class="listitem"><div class="para">
						<code class="command">sshd</code> — The OpenSSH server, which is a secure replacement for Telnet.
					</div></li></ul></div><div class="para">
				When determining whether to leave these services running, it is best to use common sense and err on the side of caution. For example, if a printer is not available, do not leave <code class="command">cupsd</code> running. The same is true for <code class="command">portmap</code>. If you do not mount NFSv3 volumes or use NIS (the <code class="command">ypbind</code> service), then <code class="command">portmap</code> should be disabled.
			</div><a id="id991123" class="indexterm"></a><div class="para">
				Red Hat Enterprise Linux ships with three programs designed to switch services on or off. They are the <span class="application"><strong>Services Configuration Tool</strong></span> (<code class="command">system-config-services</code>), <span class="application"><strong>ntsysv</strong></span>, and <code class="command">chkconfig</code>. For information on using these tools, refer to <a class="xref" href="#ch-services">Chapter 17, <em>Controlling Access to Services</em></a>.
			</div><div class="figure" id="user-serv-fig"><div class="figure-contents"><div class="mediaobject"><img src="images/serv-config.png" width="444" alt="Services Configuration Tool" /><div class="longdesc"><div class="para">
							<span class="application"><strong>Services Configuration Tool</strong></span> illustration
						</div></div></div></div><h6>Figure 46.3. <span class="application">Services Configuration Tool</span></h6></div><br class="figure-break" /><div class="para">
				If unsure of the purpose for a particular service, the <span class="application"><strong>Services Configuration Tool</strong></span> has a description field, illustrated in <a class="xref" href="#user-serv-fig">Figure 46.3, “<span class="application">Services Configuration Tool</span>”</a>, that provides additional information.
			</div><div class="para">
				Checking which network services are available to start at boot time is only part of the story. You should also check which ports are open and listening. Refer to <a class="xref" href="#s1-server-ports">Section 46.2.8, “Verifying Which Ports Are Listening”</a> for more information.
			</div></div><div class="section" id="s2-wstation-service-insecure"><div class="titlepage"><div><div><h4 class="title" id="s2-wstation-service-insecure">46.1.5.3. Insecure Services</h4></div></div></div><a id="id989555" class="indexterm"></a><div class="para">
				Potentially, any network service is insecure. This is why turning off unused services is so important. Exploits for services are routinely revealed and patched, making it very important to regularly update packages associated with any network service. Refer to <a class="xref" href="#ch-security-updates">Section 45.5, “Security Updates”</a> for more information.
			</div><div class="para">
				Some network protocols are inherently more insecure than others. These include any services that:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="emphasis"><em>Transmit Usernames and Passwords Over a Network Unencrypted</em></span> — Many older protocols, such as Telnet and FTP, do not encrypt the authentication session and should be avoided whenever possible.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Transmit Sensitive Data Over a Network Unencrypted</em></span> — Many protocols transmit data over the network unencrypted. These protocols include Telnet, FTP, HTTP, and SMTP. Many network file systems, such as NFS and SMB, also transmit information over the network unencrypted. It is the user's responsibility when using these protocols to limit what type of data is transmitted.
					</div><div class="para">
						Remote memory dump services, like <code class="command">netdump</code>, transmit the contents of memory over the network unencrypted. Memory dumps can contain passwords or, even worse, database entries and other sensitive information.
					</div><div class="para">
						Other services like <code class="command">finger</code> and <code class="command">rwhod</code> reveal information about users of the system.
					</div></li></ul></div><div class="para">
				Examples of inherently insecure services include <code class="command">rlogin</code>, <code class="command">rsh</code>, <code class="command">telnet</code>, and <code class="command">vsftpd</code>.
			</div><a id="id1010536" class="indexterm"></a><a id="id1010522" class="indexterm"></a><a id="id1010565" class="indexterm"></a><div class="para">
				All remote login and shell programs (<code class="command">rlogin</code>, <code class="command">rsh</code>, and <code class="command">telnet</code>) should be avoided in favor of SSH. Refer to <a class="xref" href="#s1-wstation-sec-tools">Section 46.1.7, “Security Enhanced Communication Tools”</a> for more information about <code class="command">sshd</code>.
			</div><div class="para">
				FTP is not as inherently dangerous to the security of the system as remote shells, but FTP servers must be carefully configured and monitored to avoid problems. Refer to <a class="xref" href="#s1-server-ftp">Section 46.2.6, “Securing FTP”</a> for more information about securing FTP servers.
			</div><div class="para">
				Services that should be carefully implemented and behind a firewall include:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">finger</code>
					</div></li><li class="listitem"><div class="para">
						<code class="command">authd</code> (this was called <code class="command">identd</code> in previous Red Hat Enterprise Linux releases.)
					</div></li><li class="listitem"><div class="para">
						<code class="command">netdump</code>
					</div></li><li class="listitem"><div class="para">
						<code class="command">netdump-server</code>
					</div></li><li class="listitem"><div class="para">
						<code class="command">nfs</code>
					</div></li><li class="listitem"><div class="para">
						<code class="command">rwhod</code>
					</div></li><li class="listitem"><div class="para">
						<code class="command">sendmail</code>
					</div></li><li class="listitem"><div class="para">
						<code class="command">smb</code> (Samba)
					</div></li><li class="listitem"><div class="para">
						<code class="command">yppasswdd</code>
					</div></li><li class="listitem"><div class="para">
						<code class="command">ypserv</code>
					</div></li><li class="listitem"><div class="para">
						<code class="command">ypxfrd</code>
					</div></li></ul></div><div class="para">
				More information on securing network services is available in <a class="xref" href="#ch-server">Section 46.2, “Server Security”</a>.
			</div><div class="para">
				The next section discusses tools available to set up a simple firewall.
			</div></div></div><div class="section" id="s1-wstation-firewall"><div class="titlepage"><div><div><h3 class="title" id="s1-wstation-firewall">46.1.6. Personal Firewalls</h3></div></div></div><a id="id1031125" class="indexterm"></a><div class="para">
			After the <span class="emphasis"><em>necessary</em></span> network services are configured, it is important to implement a firewall.
		</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
				You should configure the necessary services and implement a firewall <span class="emphasis"><em>before</em></span> connecting to the Internet or any other network that you do not trust.
			</div></div></div><div class="para">
			Firewalls prevent network packets from accessing the system's network interface. If a request is made to a port that is blocked by a firewall, the request is ignored. If a service is listening on one of these blocked ports, it does not receive the packets and is effectively disabled. For this reason, care should be taken when configuring a firewall to block access to ports not in use, while not blocking access to ports used by configured services.
		</div><div class="para">
			For most users, the best tool for configuring a simple firewall is the graphical firewall configuration tool which ships with Red Hat Enterprise Linux: the <span class="application"><strong>Security Level Configuration Tool</strong></span> (<code class="command">system-config-securitylevel</code>). This tool creates broad <code class="command">iptables</code> rules for a general-purpose firewall using a control panel interface.
		</div><div class="para">
			Refer to <a class="xref" href="#s1-basic-firewall">Section 46.8.2, “Basic Firewall Configuration”</a> for more information about using this application and its available options.
		</div><div class="para">
			For advanced users and server administrators, manually configuring a firewall with <code class="command">iptables</code> is probably a better option. Refer to <a class="xref" href="#ch-fw">Section 46.8, “Firewalls”</a> for more information. Refer to <a class="xref" href="#ch-iptables">Section 46.9, “IPTables”</a> for a comprehensive guide to the <code class="command">iptables</code> command.
		</div></div><div class="section" id="s1-wstation-sec-tools"><div class="titlepage"><div><div><h3 class="title" id="s1-wstation-sec-tools">46.1.7. Security Enhanced Communication Tools</h3></div></div></div><a id="id1035297" class="indexterm"></a><a id="id1018311" class="indexterm"></a><a id="id1035010" class="indexterm"></a><div class="para">
			As the size and popularity of the Internet has grown, so has the threat of communication interception. Over the years, tools have been developed to encrypt communications as they are transferred over the network.
		</div><div class="para">
			Red Hat Enterprise Linux ships with two basic tools that use high-level, public-key-cryptography-based encryption algorithms to protect information as it travels over the network.
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<span class="emphasis"><em>OpenSSH</em></span> — A free implementation of the SSH protocol for encrypting network communication.
				</div></li><li class="listitem"><div class="para">
					<span class="emphasis"><em>Gnu Privacy Guard (GPG)</em></span> — A free implementation of the PGP (Pretty Good Privacy) encryption application for encrypting data.
				</div></li></ul></div><a id="id1103396" class="indexterm"></a><a id="id1100531" class="indexterm"></a><a id="id940355" class="indexterm"></a><a id="id1078472" class="indexterm"></a><div class="para">
			OpenSSH is a safer way to access a remote machine and replaces older, unencrypted services like <code class="command">telnet</code> and <code class="command">rsh</code>. OpenSSH includes a network service called <code class="command">sshd</code> and three command line client applications:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="command">ssh</code> — A secure remote console access client.
				</div></li><li class="listitem"><div class="para">
					<code class="command">scp</code> — A secure remote copy command.
				</div></li><li class="listitem"><div class="para">
					<code class="command">sftp</code> — A secure pseudo-ftp client that allows interactive file transfer sessions.
				</div></li></ul></div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
				Although the <code class="command">sshd</code> service is inherently secure, the service <span class="emphasis"><em>must</em></span> be kept up-to-date to prevent security threats. Refer to <a class="xref" href="#ch-security-updates">Section 45.5, “Security Updates”</a> for more information.
			</div></div></div><div class="para">
			GPG is one way to ensure private email communication. It can be used both to email sensitive data over public networks and to protect sensitive data on hard drives.
		</div></div></div><div xml:lang="en-US" class="section" id="ch-server" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="ch-server">46.2. Server Security</h2></div></div></div><a id="id914194" class="indexterm"></a><div class="para">
		When a system is used as a server on a public network, it becomes a target for attacks. Hardening the system and locking down services is therefore of paramount importance for the system administrator.
	</div><div class="para">
		Before delving into specific issues, review the following general tips for enhancing server security:
	</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
				Keep all services current, to protect against the latest threats.
			</div></li><li class="listitem"><div class="para">
				Use secure protocols whenever possible.
			</div></li><li class="listitem"><div class="para">
				Serve only one type of network service per machine whenever possible.
			</div></li><li class="listitem"><div class="para">
				Monitor all servers carefully for suspicious activity.
			</div></li></ul></div><div class="section" id="s1-server-tcpw-xinetd"><div class="titlepage"><div><div><h3 class="title" id="s1-server-tcpw-xinetd">46.2.1. Securing Services With TCP Wrappers and xinetd</h3></div></div></div><div class="para">
			<em class="firstterm">TCP Wrappers</em> provide access control to a variety of services. Most modern network services, such as SSH, Telnet, and FTP, make use of TCP Wrappers, which stand guard between an incoming request and the requested service.
		</div><div class="para">
			The benefits offered by TCP Wrappers are enhanced when used in conjunction with <code class="command">xinetd</code>, a super server that provides additional access, logging, binding, redirection, and resource utilization control.
		</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
				It is a good idea to use iptables firewall rules in conjunction with TCP Wrappers and <code class="command">xinetd</code> to create redundancy within service access controls. Refer to <a class="xref" href="#ch-fw">Section 46.8, “Firewalls”</a> for more information about implementing firewalls with iptables commands.
			</div></div></div><div class="para">
			Refer to <a class="xref" href="#s1-services-tcp-wrappers">Section 17.2, “TCP Wrappers”</a> for more information on configuring TCP Wrappers and <code class="command">xinetd</code>.
		</div><div class="para">
			The following subsections assume a basic knowledge of each topic and focus on specific security options.
		</div><div class="section" id="s2-server-tcpw"><div class="titlepage"><div><div><h4 class="title" id="s2-server-tcpw">46.2.1.1. Enhancing Security With TCP Wrappers</h4></div></div></div><a id="id949138" class="indexterm"></a><div class="para">
				TCP Wrappers are capable of much more than denying access to services. This section illustrates how they can be used to send connection banners, warn of attacks from particular hosts, and enhance logging functionality. Refer to the <code class="filename">hosts_options</code> man page for information about the TCP Wrapper functionality and control language.
			</div><div class="section" id="s3-server-tcp-banner"><div class="titlepage"><div><div><h5 class="title" id="s3-server-tcp-banner">46.2.1.1.1. TCP Wrappers and Connection Banners</h5></div></div></div><a id="id1036112" class="indexterm"></a><a id="id914191" class="indexterm"></a><div class="para">
					Displaying a suitable banner when users connect to a service is a good way to let potential attackers know that the system administrator is being vigilant. You can also control what information about the system is presented to users. To implement a TCP Wrappers banner for a service, use the <code class="option">banner</code> option.
				</div><div class="para">
					This example implements a banner for <code class="command">vsftpd</code>. To begin, create a banner file. It can be anywhere on the system, but it must have same name as the daemon. For this example, the file is called <code class="filename">/etc/banners/vsftpd</code> and contains the following line:
				</div><pre class="screen">220-Hello, %c
220-All activity on ftp.example.com is logged.
220-Inappropriate use will result in your access privileges being removed.</pre><div class="para">
					The <code class="command">%c</code> token supplies a variety of client information, such as the username and hostname, or the username and IP address to make the connection even more intimidating.
				</div><div class="para">
					For this banner to be displayed to incoming connections, add the following line to the <code class="filename">/etc/hosts.allow</code> file:
				</div><pre class="screen">vsftpd : ALL : banners /etc/banners/</pre></div><div class="section" id="s3-server-tcp-false"><div class="titlepage"><div><div><h5 class="title" id="s3-server-tcp-false">46.2.1.1.2. TCP Wrappers and Attack Warnings</h5></div></div></div><a id="id910832" class="indexterm"></a><a id="id987140" class="indexterm"></a><div class="para">
					If a particular host or network has been detected attacking the server, TCP Wrappers can be used to warn the administrator of subsequent attacks from that host or network using the <code class="command">spawn</code> directive.
				</div><div class="para">
					In this example, assume that a cracker from the 206.182.68.0/24 network has been detected attempting to attack the server. Place the following line in the <code class="filename">/etc/hosts.deny</code> file to deny any connection attempts from that network, and to log the attempts to a special file:
				</div><pre class="screen">ALL : 206.182.68.0 : spawn /bin/ 'date' %c %d &gt;&gt; /var/log/intruder_alert</pre><div class="para">
					The <code class="command">%d</code> token supplies the name of the service that the attacker was trying to access.
				</div><div class="para">
					To allow the connection and log it, place the <code class="command">spawn</code> directive in the <code class="filename">/etc/hosts.allow</code> file.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						Because the <code class="command">spawn</code> directive executes any shell command, create a special script to notify the administrator or execute a chain of commands in the event that a particular client attempts to connect to the server.
					</div></div></div></div><div class="section" id="s3-server-tcp-log"><div class="titlepage"><div><div><h5 class="title" id="s3-server-tcp-log">46.2.1.1.3. TCP Wrappers and Enhanced Logging</h5></div></div></div><a id="id941110" class="indexterm"></a><a id="id1025799" class="indexterm"></a><div class="para">
					If certain types of connections are of more concern than others, the log level can be elevated for that service using the <code class="command">severity</code> option.
				</div><div class="para">
					For this example, assume that anyone attempting to connect to port 23 (the Telnet port) on an FTP server is a cracker. To denote this, place an <code class="command">emerg</code> flag in the log files instead of the default flag, <code class="command">info</code>, and deny the connection.
				</div><div class="para">
					To do this, place the following line in <code class="filename">/etc/hosts.deny</code>:
				</div><pre class="screen">in.telnetd : ALL : severity emerg</pre><div class="para">
					This uses the default <code class="command">authpriv</code> logging facility, but elevates the priority from the default value of <code class="command">info</code> to <code class="command">emerg</code>, which posts log messages directly to the console.
				</div></div></div><div class="section" id="s2-server-xinetd"><div class="titlepage"><div><div><h4 class="title" id="s2-server-xinetd">46.2.1.2. Enhancing Security With xinetd</h4></div></div></div><a id="id1037933" class="indexterm"></a><div class="para">
				This section focuses on using <code class="command">xinetd</code> to set a trap service and using it to control resource levels available to any given <code class="command">xinetd</code> service. Setting resource limits for services can help thwart <em class="firstterm">Denial of Service</em> (<acronym class="acronym">DoS</acronym>) attacks. Refer to the man pages for <code class="command">xinetd</code> and <code class="filename">xinetd.conf</code> for a list of available options.
			</div><div class="section" id="s3-server-xinetd-trap"><div class="titlepage"><div><div><h5 class="title" id="s3-server-xinetd-trap">46.2.1.2.1. Setting a Trap</h5></div></div></div><a id="id996989" class="indexterm"></a><a id="id987599" class="indexterm"></a><div class="para">
					One important feature of <code class="command">xinetd</code> is its ability to add hosts to a global <code class="filename">no_access</code> list. Hosts on this list are denied subsequent connections to services managed by <code class="command">xinetd</code> for a specified period or until <code class="command">xinetd</code> is restarted. You can do this using the <code class="command">SENSOR</code> attribute. This is an easy way to block hosts attempting to scan the ports on the server.
				</div><div class="para">
					The first step in setting up a <code class="command">SENSOR</code> is to choose a service you do not plan on using. For this example, Telnet is used.
				</div><div class="para">
					Edit the file <code class="filename">/etc/xinetd.d/telnet</code> and change the <code class="option">flags</code> line to read:
				</div><pre class="screen">flags           = SENSOR</pre><div class="para">
					Add the following line:
				</div><pre class="screen">deny_time       = 30</pre><div class="para">
					This denies any further connection attempts to that port by that host for 30 minutes. Other acceptable values for the <code class="command">deny_time</code> attribute are FOREVER, which keeps the ban in effect until <code class="command">xinetd</code> is restarted, and NEVER, which allows the connection and logs it.
				</div><div class="para">
					Finally, the last line should read:
				</div><pre class="screen">disable         = no</pre><div class="para">
					This enables the trap itself.
				</div><div class="para">
					While using <code class="option">SENSOR</code> is a good way to detect and stop connections from undesirable hosts, it has two drawbacks:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							It does not work against stealth scans.
						</div></li><li class="listitem"><div class="para">
							An attacker who knows that a <code class="option">SENSOR</code> is running can mount a Denial of Service attack against particular hosts by forging their IP addresses and connecting to the forbidden port.
						</div></li></ul></div></div><div class="section" id="s3-server-xinetd-res"><div class="titlepage"><div><div><h5 class="title" id="s3-server-xinetd-res">46.2.1.2.2. Controlling Server Resources</h5></div></div></div><a id="id939594" class="indexterm"></a><a id="id1015085" class="indexterm"></a><a id="id1085183" class="indexterm"></a><a id="id910851" class="indexterm"></a><div class="para">
					Another important feature of <code class="command">xinetd</code> is its ability to set resource limits for services under its control.
				</div><div class="para">
					It does this using the following directives:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="option">cps = &lt;number_of_connections&gt; &lt;wait_period&gt;</code> — Limits the rate of incoming connections. This directive takes two arguments:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="option">&lt;number_of_connections&gt;</code> — The number of connections per second to handle. If the rate of incoming connections is higher than this, the service is temporarily disabled. The default value is fifty (50).
								</div></li><li class="listitem"><div class="para">
									<code class="option">&lt;wait_period&gt;</code> — The number of seconds to wait before re-enabling the service after it has been disabled. The default interval is ten (10) seconds.
								</div></li></ul></div></li><li class="listitem"><div class="para">
							<code class="option">instances = &lt;number_of_connections&gt;</code> — Specifies the total number of connections allowed to a service. This directive accepts either an integer value or <code class="command">UNLIMITED</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="option">per_source = &lt;number_of_connections&gt;</code> — Specifies the number of connections allowed to a service by each host. This directive accepts either an integer value or <code class="command">UNLIMITED</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="option">rlimit_as = &lt;number[K|M]&gt;</code> — Specifies the amount of memory address space the service can occupy in kilobytes or megabytes. This directive accepts either an integer value or <code class="command">UNLIMITED</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="option">rlimit_cpu = &lt;number_of_seconds&gt;</code> — Specifies the amount of time in seconds that a service may occupy the CPU. This directive accepts either an integer value or <code class="command">UNLIMITED</code>.
						</div></li></ul></div><div class="para">
					Using these directives can help prevent any single <code class="command">xinetd</code> service from overwhelming the system, resulting in a denial of service.
				</div></div></div></div><div class="section" id="s1-server-port"><div class="titlepage"><div><div><h3 class="title" id="s1-server-port">46.2.2. Securing Portmap</h3></div></div></div><a id="id946633" class="indexterm"></a><div class="para">
			The <code class="command">portmap</code> service is a dynamic port assignment daemon for RPC services such as NIS and NFS. It has weak authentication mechanisms and has the ability to assign a wide range of ports for the services it controls. For these reasons, it is difficult to secure.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				Securing <code class="command">portmap</code> only affects NFSv2 and NFSv3 implementations, since NFSv4 no longer requires it. If you plan to implement an NFSv2 or NFSv3 server, then <code class="command">portmap</code> is required, and the following section applies.
			</div></div></div><div class="para">
			If running RPC services, follow these basic rules.
		</div><div class="section" id="s2-server-port-tcpw"><div class="titlepage"><div><div><h4 class="title" id="s2-server-port-tcpw">46.2.2.1. Protect portmap With TCP Wrappers</h4></div></div></div><a id="id1031260" class="indexterm"></a><a id="id891333" class="indexterm"></a><div class="para">
				It is important to use TCP Wrappers to limit which networks or hosts have access to the <code class="command">portmap</code> service since it has no built-in form of authentication.
			</div><div class="para">
				Further, use <span class="emphasis"><em>only</em></span> IP addresses when limiting access to the service. Avoid using hostnames, as they can be forged by DNS poisoning and other methods.
			</div></div><div class="section" id="s2-server-port-iptble"><div class="titlepage"><div><div><h4 class="title" id="s2-server-port-iptble">46.2.2.2. Protect portmap With iptables</h4></div></div></div><a id="id1078931" class="indexterm"></a><div class="para">
				To further restrict access to the <code class="command">portmap</code> service, it is a good idea to add iptables rules to the server and restrict access to specific networks.
			</div><div class="para">
				Below are two example iptables commands. The first allows TCP connections to the port 111 (used by the <code class="command">portmap</code> service) from the 192.168.0.0/24 network. The second allows TCP connections to the same port from the localhost. This is necessary for the <code class="command">sgi_fam</code> service used by <span class="application"><strong>Nautilus</strong></span>. All other packets are dropped.
			</div><pre class="screen"><code class="command">iptables -A INPUT -p tcp -s! 192.168.0.0/24 --dport 111 -j DROP</code>
<code class="command">iptables -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT</code></pre><div class="para">
				To similarly limit UDP traffic, use the following command.
			</div><pre class="screen"><code class="command">iptables -A INPUT -p udp -s! 192.168.0.0/24 --dport 111 -j DROP</code></pre><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
					Refer to <a class="xref" href="#ch-fw">Section 46.8, “Firewalls”</a> for more information about implementing firewalls with iptables commands.
				</div></div></div></div></div><div class="section" id="s1-server-nis"><div class="titlepage"><div><div><h3 class="title" id="s1-server-nis">46.2.3. Securing NIS</h3></div></div></div><a id="id937611" class="indexterm"></a><a id="id1032100" class="indexterm"></a><div class="para">
			The <em class="firstterm">Network Information Service</em> (<acronym class="acronym">NIS</acronym>) is an RPC service, called <code class="command">ypserv</code>,--&gt; which is used in conjunction with <code class="command">portmap</code> and other related services to distribute maps of usernames, passwords, and other sensitive information to any computer claiming to be within its domain.
		</div><div class="para">
			An NIS server is comprised of several applications. They include the following:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="command">/usr/sbin/rpc.yppasswdd</code> — Also called the <code class="command">yppasswdd</code> service, this daemon allows users to change their NIS passwords.
				</div></li><li class="listitem"><div class="para">
					<code class="command">/usr/sbin/rpc.ypxfrd</code> — Also called the <code class="command">ypxfrd</code> service, this daemon is responsible for NIS map transfers over the network.
				</div></li><li class="listitem"><div class="para">
					<code class="command">/usr/sbin/yppush</code> — This application propagates changed NIS databases to multiple NIS servers.
				</div></li><li class="listitem"><div class="para">
					<code class="command">/usr/sbin/ypserv</code> — This is the NIS server daemon.
				</div></li></ul></div><div class="para">
			NIS is somewhat insecure by today's standards. It has no host authentication mechanisms and transmits all of its information over the network unencrypted, including password hashes. As a result, extreme care must be taken when setting up a network that uses NIS. This is further complicated by the fact that the default configuration of NIS is inherently insecure.
		</div><div class="para">
			It is recommended that anyone planning to implement an NIS server first secure the <code class="command">portmap</code> service as outlined in <a class="xref" href="#s1-server-port">Section 46.2.2, “Securing Portmap”</a>, then address the following issues, such as network planning.
		</div><div class="section" id="s1-server-nis-net"><div class="titlepage"><div><div><h4 class="title" id="s1-server-nis-net">46.2.3.1. Carefully Plan the Network</h4></div></div></div><a id="id991518" class="indexterm"></a><a id="id1020275" class="indexterm"></a><div class="para">
				Because NIS transmits sensitive information unencrypted over the network, it is important the service be run behind a firewall and on a segmented and secure network. Whenever NIS information is transmitted over an insecure network, it risks being intercepted. Careful network design can help prevent severe security breaches.
			</div></div><div class="section" id="s2-server-nis-name"><div class="titlepage"><div><div><h4 class="title" id="s2-server-nis-name">46.2.3.2. Use a Password-like NIS Domain Name and Hostname</h4></div></div></div><a id="id999852" class="indexterm"></a><a id="id914182" class="indexterm"></a><div class="para">
				Any machine within an NIS domain can use commands to extract information from the server without authentication, as long as the user knows the NIS server's DNS hostname and NIS domain name.
			</div><div class="para">
				For instance, if someone either connects a laptop computer into the network or breaks into the network from outside (and manages to spoof an internal IP address), the following command reveals the <code class="command">/etc/passwd</code> map:
			</div><pre class="screen"><code class="command">ypcat -d <em class="replaceable"><code>&lt;NIS_domain&gt;</code></em> -h <em class="replaceable"><code>&lt;DNS_hostname&gt;</code></em> passwd</code></pre><div class="para">
				If this attacker is a root user, they can obtain the <code class="command">/etc/shadow</code> file by typing the following command:
			</div><pre class="screen"><code class="command">ypcat -d <em class="replaceable"><code>&lt;NIS_domain&gt;</code></em> -h <em class="replaceable"><code>&lt;DNS_hostname&gt;</code></em> shadow</code></pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					If Kerberos is used, the <code class="command">/etc/shadow</code> file is not stored within an NIS map.
				</div></div></div><div class="para">
				To make access to NIS maps harder for an attacker, create a random string for the DNS hostname, such as <code class="filename">o7hfawtgmhwg.domain.com</code>. Similarly, create a <span class="emphasis"><em>different</em></span> randomized NIS domain name. This makes it much more difficult for an attacker to access the NIS server.
			</div></div><div class="section" id="s2-server-nis-securenet"><div class="titlepage"><div><div><h4 class="title" id="s2-server-nis-securenet">46.2.3.3. Edit the <code class="filename">/var/yp/securenets</code> File</h4></div></div></div><a id="id1029644" class="indexterm"></a><a id="id996336" class="indexterm"></a><div class="para">
				If the <code class="filename">/var/yp/securenets</code> file is blank or does not exist (as is the case after a default installation), NIS listens to all networks. One of the first things to do is to put netmask/network pairs in the file so that <code class="command">ypserv</code> only responds to requests from the appropriate network.
			</div><div class="para">
				Below is a sample entry from a <code class="filename">/var/yp/securenets</code> file:
			</div><pre class="screen">255.255.255.0     192.168.0.0</pre><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
					Never start an NIS server for the first time without creating the <code class="filename">/var/yp/securenets</code> file.
				</div></div></div><div class="para">
				This technique does not provide protection from an IP spoofing attack, but it does at least place limits on what networks the NIS server services.
			</div></div><div class="section" id="s2-server-nis-ports"><div class="titlepage"><div><div><h4 class="title" id="s2-server-nis-ports">46.2.3.4. Assign Static Ports and Use iptables Rules</h4></div></div></div><a id="id943879" class="indexterm"></a><a id="id1029654" class="indexterm"></a><a id="id939239" class="indexterm"></a><a id="id989331" class="indexterm"></a><div class="para">
				All of the servers related to NIS can be assigned specific ports except for <code class="command">rpc.yppasswdd</code> — the daemon that allows users to change their login passwords. Assigning ports to the other two NIS server daemons, <code class="command">rpc.ypxfrd</code> and <code class="command">ypserv</code>, allows for the creation of firewall rules to further protect the NIS server daemons from intruders.
			</div><div class="para">
				To do this, add the following lines to <code class="filename">/etc/sysconfig/network</code>:
			</div><pre class="screen">YPSERV_ARGS="-p 834" YPXFRD_ARGS="-p 835"</pre><div class="para">
				The following iptables rules can then be used to enforce which network the server listens to for these ports:
			</div><pre class="screen"><code class="command">iptables -A INPUT -p tcp -s! 192.168.0.0/24 --dport 834 -j DROP</code>
<code class="command">iptables -A INPUT -p tcp -s! 192.168.0.0/24 --dport 835 -j DROP</code>
<code class="command">iptables -A INPUT -p udp -s! 192.168.0.0/24 --dport 834 -j DROP</code>
<code class="command">iptables -A INPUT -p udp -s! 192.168.0.0/24 --dport 835 -j DROP</code></pre><div class="para">
				This means that the server only allows connections to ports 834 and 835 if the requests come from the 192.168.0.0/24 network.
			</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
					Refer to <a class="xref" href="#ch-fw">Section 46.8, “Firewalls”</a> for more information about implementing firewalls with iptables commands.
				</div></div></div></div><div class="section" id="s2-server-nis-kerb"><div class="titlepage"><div><div><h4 class="title" id="s2-server-nis-kerb">46.2.3.5. Use Kerberos Authentication</h4></div></div></div><a id="id1009272" class="indexterm"></a><a id="id1017444" class="indexterm"></a><a id="id987935" class="indexterm"></a><div class="para">
				One of the issues to consider when NIS is used for authentication is that whenever a user logs into a machine, a password hash from the <code class="filename">/etc/shadow</code> map is sent over the network. If an intruder gains access to an NIS domain and sniffs network traffic, they can collect usernames and password hashes. With enough time, a password cracking program can guess weak passwords, and an attacker can gain access to a valid account on the network.
			</div><div class="para">
				Since Kerberos uses secret-key cryptography, no password hashes are ever sent over the network, making the system far more secure. Refer to <a class="xref" href="#ch-kerberos">Section 46.6, “Kerberos”</a> for more information about Kerberos.
			</div></div></div><div class="section" id="s1-server-nfs"><div class="titlepage"><div><div><h3 class="title" id="s1-server-nfs">46.2.4. Securing NFS</h3></div></div></div><a id="id911940" class="indexterm"></a><a id="id913004" class="indexterm"></a><div class="para">
			The <em class="firstterm">Network File System</em> (<abbr class="abbrev">NFS</abbr>) is a service that provides network accessible file systems for client machines. Refer to <a class="xref" href="#ch-nfs">Chapter 20, <em>Network File System (NFS)</em></a> for more information about <abbr class="abbrev">NFS</abbr>. The following subsections assume a basic knowledge of NFS.
		</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
				The version of NFS included in Red Hat Enterprise Linux, NFSv4, no longer requires the <code class="command">portmap</code> service as outlined in <a class="xref" href="#s1-server-port">Section 46.2.2, “Securing Portmap”</a>. NFS traffic now utilizes TCP in all versions, rather than UDP, and requires it when using NFSv4. NFSv4 now includes Kerberos user and group authentication, as part of the <code class="filename">RPCSEC_GSS</code> kernel module. Information on <code class="command">portmap</code> is still included, since Red Hat Enterprise Linux supports NFSv2 and NFSv3, both of which utilize <code class="command">portmap</code>.
			</div></div></div><div class="section" id="s1-server-nfs-net"><div class="titlepage"><div><div><h4 class="title" id="s1-server-nfs-net">46.2.4.1. Carefully Plan the Network</h4></div></div></div><a id="id1022829" class="indexterm"></a><a id="id1088201" class="indexterm"></a><div class="para">
				Now that NFSv4 has the ability to pass all information encrypted using Kerberos over a network, it is important that the service be configured correctly if it is behind a firewall or on a segmented network. NFSv2 and NFSv3 still pass data insecurely, and this should be taken into consideration. Careful network design in all of these regards can help prevent security breaches.
			</div></div><div class="section" id="s2-server-nfs-ip"><div class="titlepage"><div><div><h4 class="title" id="s2-server-nfs-ip">46.2.4.2. Beware of Syntax Errors</h4></div></div></div><a id="id999180" class="indexterm"></a><a id="id914034" class="indexterm"></a><div class="para">
				The NFS server determines which file systems to export and which hosts to export these directories to by consulting the <code class="filename">/etc/exports</code> file. Be careful not to add extraneous spaces when editing this file.
			</div><div class="para">
				For instance, the following line in the <code class="filename">/etc/exports</code> file shares the directory <code class="command">/tmp/nfs/</code> to the host <code class="command">bob.example.com</code> with read/write permissions.
			</div><pre class="screen">/tmp/nfs/     bob.example.com(rw)</pre><div class="para">
				The following line in the <code class="filename">/etc/exports</code> file, on the other hand, shares the same directory to the host <code class="computeroutput">bob.example.com</code> with read-only permissions and shares it to the <span class="emphasis"><em>world</em></span> with read/write permissions due to a single space character after the hostname.
			</div><pre class="screen">/tmp/nfs/     bob.example.com (rw)</pre><div class="para">
				It is good practice to check any configured NFS shares by using the <code class="command">showmount</code> command to verify what is being shared:
			</div><pre class="screen"><code class="command">showmount -e <em class="replaceable"><code>&lt;hostname&gt;</code></em></code></pre></div><div class="section" id="s2-server-nfs-noroot"><div class="titlepage"><div><div><h4 class="title" id="s2-server-nfs-noroot">46.2.4.3. Do Not Use the <code class="command">no_root_squash</code> Option</h4></div></div></div><div class="para">
				By default, NFS shares change the root user to the <code class="command">nfsnobody</code> user, an unprivileged user account. This changes the owner of all root-created files to <code class="command">nfsnobody</code>, which prevents uploading of programs with the setuid bit set.
			</div><div class="para">
				If <code class="command">no_root_squash</code> is used, remote root users are able to change any file on the shared file system and leave applications infected by Trojans for other users to inadvertently execute.
			</div></div></div><div class="section" id="s1-server-http"><div class="titlepage"><div><div><h3 class="title" id="s1-server-http">46.2.5. Securing the Apache HTTP Server</h3></div></div></div><a id="id948230" class="indexterm"></a><a id="id1079430" class="indexterm"></a><div class="para">
			The Apache HTTP Server is one of the most stable and secure services that ships with Red Hat Enterprise Linux. A large number of options and techniques are available to secure the Apache HTTP Server — too numerous to delve into deeply here.
		</div><div class="para">
			When configuring the Apache HTTP Server, it is important to read the documentation available for the application. This includes <a class="xref" href="#ch-httpd">Chapter 23, <em>Apache HTTP Server</em></a>, and the Stronghold manuals, available at <a href="http://www.redhat.com/docs/manuals/stronghold/">http://www.redhat.com/docs/manuals/stronghold/</a>.
		</div><div class="para">
			System Administrators should be careful when using the following configuration options:
		</div><a id="id939141" class="indexterm"></a><a id="id1082465" class="indexterm"></a><div class="section" id="s2-server-http-sym"><div class="titlepage"><div><div><h4 class="title" id="s2-server-http-sym">46.2.5.1.  <code class="command">FollowSymLinks</code> </h4></div></div></div><div class="para">
				This directive is enabled by default, so be sure to use caution when creating symbolic links to the document root of the Web server. For instance, it is a bad idea to provide a symbolic link to <code class="filename">/</code>.
			</div></div><div class="section" id="s2-server-http-indexes"><div class="titlepage"><div><div><h4 class="title" id="s2-server-http-indexes">46.2.5.2. The <code class="command">Indexes</code> Directive</h4></div></div></div><div class="para">
				This directive is enabled by default, but may not be desirable. To prevent visitors from browsing files on the server, remove this directive.
			</div></div><div class="section" id="s2-server-http-usedir"><div class="titlepage"><div><div><h4 class="title" id="s2-server-http-usedir">46.2.5.3. The <code class="command">UserDir</code> Directive</h4></div></div></div><div class="para">
				The <code class="command">UserDir</code> directive is disabled by default because it can confirm the presence of a user account on the system. To enable user directory browsing on the server, use the following directives:
			</div><pre class="screen">UserDir enabled
UserDir disabled root</pre><div class="para">
				These directives activate user directory browsing for all user directories other than <code class="filename">/root/</code>. To add users to the list of disabled accounts, add a space-delimited list of users on the <code class="command">UserDir disabled</code> line.
			</div></div><div class="section" id="s2-server-http-ssi"><div class="titlepage"><div><div><h4 class="title" id="s2-server-http-ssi">46.2.5.4. Do Not Remove the <code class="command">IncludesNoExec</code> Directive</h4></div></div></div><div class="para">
				By default, the <em class="firstterm">Server-Side Includes</em> (<abbr class="abbrev">SSI</abbr>) module cannot execute commands. It is recommended that you do not change this setting unless absolutely necessary, as it could potentially enable an attacker to execute commands on the system.
			</div></div><div class="section" id="s2-server-http-cgi"><div class="titlepage"><div><div><h4 class="title" id="s2-server-http-cgi">46.2.5.5. Restrict Permissions for Executable Directories</h4></div></div></div><a id="id1085444" class="indexterm"></a><a id="id1018824" class="indexterm"></a><div class="para">
				Ensure that only the root user has write permissions to any directory containing scripts or CGIs. To do this, type the following commands:
			</div><pre class="screen"><code class="command">chown root <em class="replaceable"><code>&lt;directory_name&gt;</code></em></code>
<code class="command">chmod 755 <em class="replaceable"><code>&lt;directory_name&gt;</code></em></code></pre><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					Always verify that any scripts running on the system work as intended <span class="emphasis"><em>before</em></span> putting them into production.
				</div></div></div></div></div><div class="section" id="s1-server-ftp"><div class="titlepage"><div><div><h3 class="title" id="s1-server-ftp">46.2.6. Securing FTP</h3></div></div></div><a id="id1016944" class="indexterm"></a><a id="id882404" class="indexterm"></a><div class="para">
			The <em class="firstterm">File Transfer Protocol</em> (<abbr class="abbrev">FTP</abbr>) is an older TCP protocol designed to transfer files over a network. Because all transactions with the server, including user authentication, are unencrypted, it is considered an insecure protocol and should be carefully configured.
		</div><div class="para">
			Red Hat Enterprise Linux provides three FTP servers.
		</div><a id="id1019847" class="indexterm"></a><a id="id1019202" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="command">gssftpd</code> — A Kerberos-aware <code class="command">xinetd</code>-based FTP daemon that does not transmit authentication information over the network.
				</div></li><li class="listitem"><div class="para">
					<span class="application"><strong>Red Hat Content Accelerator</strong></span> (<code class="command">tux</code>) — A kernel-space Web server with FTP capabilities.
				</div></li><li class="listitem"><div class="para">
					<code class="command">vsftpd</code> — A standalone, security oriented implementation of the FTP service.
				</div></li></ul></div><div class="para">
			The following security guidelines are for setting up the <code class="command">vsftpd</code> FTP service.
		</div><div class="section" id="s2-server-ftp-gbanner"><div class="titlepage"><div><div><h4 class="title" id="s2-server-ftp-gbanner">46.2.6.1. FTP Greeting Banner</h4></div></div></div><a id="id1078903" class="indexterm"></a><a id="id942548" class="indexterm"></a><div class="para">
				Before submitting a username and password, all users are presented with a greeting banner. By default, this banner includes version information useful to crackers trying to identify weaknesses in a system.
			</div><div class="para">
				To change the greeting banner for <code class="command">vsftpd</code>, add the following directive to the <code class="filename">/etc/vsftpd/vsftpd.conf</code> file:
			</div><pre class="screen">ftpd_banner=<em class="replaceable"><code>&lt;insert_greeting_here&gt;</code></em></pre><div class="para">
				Replace <em class="replaceable"><code>&lt;insert_greeting_here&gt;</code></em> in the above directive with the text of the greeting message.
			</div><div class="para">
				For mutli-line banners, it is best to use a banner file. To simplify management of multiple banners, place all banners in a new directory called <code class="filename">/etc/banners/</code>. The banner file for FTP connections in this example is <code class="filename">/etc/banners/ftp.msg</code>. Below is an example of what such a file may look like:
			</div><pre class="screen">######### # Hello, all activity on ftp.example.com is logged. #########</pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					It is not necessary to begin each line of the file with <code class="command">220</code> as specified in <a class="xref" href="#s3-server-tcp-banner">Section 46.2.1.1.1, “TCP Wrappers and Connection Banners”</a>.
				</div></div></div><div class="para">
				To reference this greeting banner file for <code class="command">vsftpd</code>, add the following directive to the <code class="filename">/etc/vsftpd/vsftpd.conf</code> file:
			</div><pre class="screen">banner_file=/etc/banners/ftp.msg</pre><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					Make sure that you specify the path to the banner file correctly in <code class="filename">/etc/vsftpd/vsftpd.conf</code>, or else every attempt to connect to <span class="application"><strong>vsftpd</strong></span> will result in the connection being closed immediately and a <code class="computeroutput">500 OOPS: cannot open banner <em class="replaceable"><code>&lt;path_to_banner_file&gt;</code></em> </code> error message.
				</div></div></div><div class="para">
				Note that the <code class="computeroutput">banner_file</code> directive in <code class="filename">/etc/vsftpd/vfsftpd.conf</code> takes precedence over any <code class="computeroutput">ftpd_banner</code> directives in the configuration file: if <code class="computeroutput">banner_file</code> is specified, then <code class="computeroutput">ftpd_banner</code> is ignored.
			</div><div class="para">
				It also is possible to send additional banners to incoming connections using TCP Wrappers as described in <a class="xref" href="#s3-server-tcp-banner">Section 46.2.1.1.1, “TCP Wrappers and Connection Banners”</a>.
			</div></div><div class="section" id="s2-server-ftp-anon"><div class="titlepage"><div><div><h4 class="title" id="s2-server-ftp-anon">46.2.6.2. Anonymous Access</h4></div></div></div><a id="id1012260" class="indexterm"></a><a id="id1084936" class="indexterm"></a><div class="para">
				The presence of the <code class="filename">/var/ftp/</code> directory activates the anonymous account.
			</div><div class="para">
				The easiest way to create this directory is to install the <code class="filename">vsftpd</code> package. This package establishes a directory tree for anonymous users and configures the permissions on directories to read-only for anonymous users.
			</div><div class="para">
				By default the anonymous user cannot write to any directories.
			</div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
					If enabling anonymous access to an FTP server, be aware of where sensitive data is stored.
				</div></div></div><div class="section" id="s3-server-ftp-anon-up"><div class="titlepage"><div><div><h5 class="title" id="s3-server-ftp-anon-up">46.2.6.2.1. Anonymous Upload</h5></div></div></div><a id="id1031439" class="indexterm"></a><a id="id943422" class="indexterm"></a><div class="para">
					To allow anonymous users to upload files, it is recommended that a write-only directory be created within <code class="filename">/var/ftp/pub/</code>.
				</div><div class="para">
					To do this, type the following command:
				</div><pre class="screen"><code class="command">mkdir /var/ftp/pub/upload</code></pre><div class="para">
					Next, change the permissions so that anonymous users cannot view the contents of the directory:
				</div><pre class="screen"><code class="command">chmod 730 /var/ftp/pub/upload</code></pre><div class="para">
					A long format listing of the directory should look like this:
				</div><pre class="screen">drwx-wx---    2 root     ftp          4096 Feb 13 20:05 upload</pre><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
						Administrators who allow anonymous users to read and write in directories often find that their servers become a repository of stolen software.
					</div></div></div><div class="para">
					Additionally, under <code class="command">vsftpd</code>, add the following line to the <code class="filename">/etc/vsftpd/vsftpd.conf</code> file:
				</div><pre class="screen">anon_upload_enable=YES</pre></div></div><div class="section" id="s2-server-ftp-denylocal"><div class="titlepage"><div><div><h4 class="title" id="s2-server-ftp-denylocal">46.2.6.3. User Accounts</h4></div></div></div><a id="id1032725" class="indexterm"></a><a id="id1019903" class="indexterm"></a><div class="para">
				Because FTP transmits unencrypted usernames and passwords over insecure networks for authentication, it is a good idea to deny system users access to the server from their user accounts.
			</div><div class="para">
				To disable all user accounts in <code class="command">vsftpd</code>, add the following directive to <code class="filename">/etc/vsftpd/vsftpd.conf</code>:
			</div><pre class="screen">local_enable=NO</pre><div class="section" id="s3-server-ftp-denyusers"><div class="titlepage"><div><div><h5 class="title" id="s3-server-ftp-denyusers">46.2.6.3.1. Restricting User Accounts</h5></div></div></div><div class="para">
					To disable FTP access for specific accounts or specific groups of accounts, such as the root user and those with <code class="command">sudo</code> privileges, the easiest way is to use a PAM list file as described in <a class="xref" href="#s2-wstation-privileges-noroot">Section 46.1.4.2, “Disallowing Root Access”</a>. The PAM configuration file for <code class="command">vsftpd</code> is <code class="filename">/etc/pam.d/vsftpd</code>.
				</div><div class="para">
					It is also possible to disable user accounts within each service directly.
				</div><div class="para">
					To disable specific user accounts in <code class="command">vsftpd</code>, add the username to <code class="filename">/etc/vsftpd.ftpusers</code>
				</div></div></div><div class="section" id="s2-server-ftp-tcpw"><div class="titlepage"><div><div><h4 class="title" id="s2-server-ftp-tcpw">46.2.6.4. Use TCP Wrappers To Control Access</h4></div></div></div><a id="id991822" class="indexterm"></a><a id="id1017307" class="indexterm"></a><a id="id990782" class="indexterm"></a><div class="para">
				Use TCP Wrappers to control access to either FTP daemon as outlined in <a class="xref" href="#s2-server-tcpw">Section 46.2.1.1, “Enhancing Security With TCP Wrappers”</a>.
			</div></div></div><div class="section" id="s1-server-mail"><div class="titlepage"><div><div><h3 class="title" id="s1-server-mail">46.2.7. Securing Sendmail</h3></div></div></div><a id="id1023710" class="indexterm"></a><a id="id1083374" class="indexterm"></a><div class="para">
			Sendmail is a Mail Transport Agent (MTA) that uses the Simple Mail Transport Protocol (SMTP) to deliver electronic messages between other MTAs and to email clients or delivery agents. Although many MTAs are capable of encrypting traffic between one another, most do not, so sending email over any public networks is considered an inherently insecure form of communication.
		</div><div class="para">
			Refer to <a class="xref" href="#ch-email">Chapter 25, <em>Email</em></a> for more information about how email works and an overview of common configuration settings. This section assumes a basic knowledge of how to generate a valid <code class="filename">/etc/mail/sendmail.cf</code> by editing the <code class="filename">/etc/mail/sendmail.mc</code> and using the <code class="command">m4</code> command.
		</div><div class="para">
			It is recommended that anyone planning to implement a Sendmail server address the following issues.
		</div><div class="section" id="s2-server-mail-dos"><div class="titlepage"><div><div><h4 class="title" id="s2-server-mail-dos">46.2.7.1. Limiting a Denial of Service Attack</h4></div></div></div><a id="id1078838" class="indexterm"></a><a id="id1037147" class="indexterm"></a><div class="para">
				Because of the nature of email, a determined attacker can flood the server with mail fairly easily and cause a denial of service. By setting limits to the following directives in <code class="filename">/etc/mail/sendmail.mc</code>, the effectiveness of such attacks is limited.
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">confCONNECTION_RATE_THROTTLE</code> — The number of connections the server can receive per second. By default, Sendmail does not limit the number of connections. If a limit is set and reached, further connections are delayed.
					</div></li><li class="listitem"><div class="para">
						<code class="command">confMAX_DAEMON_CHILDREN</code> — The maximum number of child processes that can be spawned by the server. By default, Sendmail does not assign a limit to the number of child processes. If a limit is set and reached, further connections are delayed.
					</div></li><li class="listitem"><div class="para">
						<code class="command">confMIN_FREE_BLOCKS</code> — The minimum number of free blocks which must be available for the server to accept mail. The default is 100 blocks.
					</div></li><li class="listitem"><div class="para">
						<code class="command">confMAX_HEADERS_LENGTH</code> — The maximum acceptable size (in bytes) for a message header.
					</div></li><li class="listitem"><div class="para">
						<code class="command">confMAX_MESSAGE_SIZE</code> — The maximum acceptable size (in bytes) for a single message.
					</div></li></ul></div></div><div class="section" id="s2-server-mail-nfs"><div class="titlepage"><div><div><h4 class="title" id="s2-server-mail-nfs">46.2.7.2. NFS and Sendmail</h4></div></div></div><a id="id944355" class="indexterm"></a><a id="id1021613" class="indexterm"></a><a id="id937968" class="indexterm"></a><div class="para">
				Never put the mail spool directory, <code class="filename">/var/spool/mail/</code>, on an NFS shared volume.
			</div><div class="para">
				Because NFSv2 and NFSv3 do not maintain control over user and group IDs, two or more users can have the same UID, and receive and read each other's mail.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					With NFSv4 using Kerberos, this is not the case, since the <code class="filename">SECRPC_GSS</code> kernel module does not utilize UID-based authentication. However, it is considered good practice <span class="emphasis"><em>not</em></span> to put the mail spool directory on NFS shared volumes.
				</div></div></div></div><div class="section" id="s2-server-mail-mailacct"><div class="titlepage"><div><div><h4 class="title" id="s2-server-mail-mailacct">46.2.7.3. Mail-only Users</h4></div></div></div><div class="para">
				To help prevent local user exploits on the Sendmail server, it is best for mail users to only access the Sendmail server using an email program. Shell accounts on the mail server should not be allowed and all user shells in the <code class="filename">/etc/passwd</code> file should be set to <code class="command">/sbin/nologin</code> (with the possible exception of the root user).
			</div></div></div><div class="section" id="s1-server-ports"><div class="titlepage"><div><div><h3 class="title" id="s1-server-ports">46.2.8. Verifying Which Ports Are Listening</h3></div></div></div><a id="id997718" class="indexterm"></a><a id="id1012996" class="indexterm"></a><a id="id1078924" class="indexterm"></a><a id="id1011747" class="indexterm"></a><a id="id1088226" class="indexterm"></a><a id="id987594" class="indexterm"></a><div class="para">
			After configuring network services, it is important to pay attention to which ports are actually listening on the system's network interfaces. Any open ports can be evidence of an intrusion.
		</div><div class="para">
			There are two basic approaches for listing the ports that are listening on the network. The less reliable approach is to query the network stack using commands such as <code class="command">netstat -an</code> or <code class="command">lsof -i</code>. This method is less reliable since these programs do not connect to the machine from the network, but rather check to see what is running on the system. For this reason, these applications are frequent targets for replacement by attackers. Crackers attempt to cover their tracks if they open unauthorized network ports by replacing <code class="command">netstat</code> and <code class="command">lsof</code> with their own, modified versions.
		</div><div class="para">
			A more reliable way to check which ports are listening on the network is to use a port scanner such as <code class="command">nmap</code>.
		</div><div class="para">
			The following command issued from the console determines which ports are listening for TCP connections from the network:
		</div><pre class="screen"><code class="command">nmap -sT -O localhost</code></pre><div class="para">
			The output of this command appears as follows:
		</div><pre class="screen">Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-09-24 13:49 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1653 ports scanned but not shown below are in state: closed)
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
111/tcp   open  rpcbind
113/tcp   open  auth
631/tcp   open  ipp
834/tcp   open  unknown
2601/tcp  open  zebra
32774/tcp open  sometimes-rpc11
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X OS details: Linux 2.5.25 - 2.6.3 or Gentoo 1.2 Linux 2.4.19 rc1-rc7)
Uptime 12.857 days (since Sat Sep 11 17:16:20 2004)
Nmap run completed -- 1 IP address (1 host up) scanned in 5.190 seconds</pre><div class="para">
			This output shows the system is running <code class="command">portmap</code> due to the presence of the <code class="computeroutput">sunrpc</code> service. However, there is also a mystery service on port 834. To check if the port is associated with the official list of known services, type:
		</div><pre class="screen"><code class="command">cat /etc/services | grep 834</code></pre><div class="para">
			This command returns no output. This indicates that while the port is in the reserved range (meaning 0 through 1023) and requires root access to open, it is not associated with a known service.
		</div><div class="para">
			Next, check for information about the port using <code class="command">netstat</code> or <code class="command">lsof</code>. To check for port 834 using <code class="command">netstat</code>, use the following command:
		</div><pre class="screen"><code class="command">netstat -anp | grep 834</code></pre><div class="para">
			The command returns the following output:
		</div><pre class="screen">tcp   0    0 0.0.0.0:834    0.0.0.0:*   LISTEN   653/ypbind</pre><div class="para">
			The presence of the open port in <code class="command">netstat</code> is reassuring because a cracker opening a port surreptitiously on a hacked system is not likely to allow it to be revealed through this command. Also, the <code class="option">[p]</code> option reveals the process ID (PID) of the service that opened the port. In this case, the open port belongs to <code class="command">ypbind</code> (<abbr class="abbrev">NIS</abbr>), which is an <abbr class="abbrev">RPC</abbr> service handled in conjunction with the <code class="command">portmap</code> service.
		</div><div class="para">
			The <code class="command">lsof</code> command reveals similar information to <code class="command">netstat</code> since it is also capable of linking open ports to services:
		</div><pre class="screen"><code class="command">lsof -i | grep 834</code></pre><div class="para">
			The relevant portion of the output from this command follows:
		</div><pre class="screen">ypbind      653        0    7u  IPv4       1319                 TCP *:834 (LISTEN)
ypbind      655        0    7u  IPv4       1319                 TCP *:834 (LISTEN)
ypbind      656        0    7u  IPv4       1319                 TCP *:834 (LISTEN)
ypbind      657        0    7u  IPv4       1319                 TCP *:834 (LISTEN)</pre><div class="para">
			These tools reveal a great deal about the status of the services running on a machine. These tools are flexible and can provide a wealth of information about network services and configuration. Refer to the man pages for <code class="command">lsof</code>, <code class="command">netstat</code>, <code class="command">nmap</code>, and <code class="filename">services</code> for more information.
		</div></div></div><div xml:lang="en-US" class="section" id="sso-ov" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sso-ov">46.3. Single Sign-on (SSO)</h2></div></div></div><div class="section" id="sso-intro"><div class="titlepage"><div><div><h3 class="title" id="sso-intro">46.3.1. Introduction</h3></div></div></div><div class="para">
			The Red Hat Enterprise Linux SSO functionality reduces the number of times Red Hat Enterprise Linux desktop users have to enter their passwords. Several major applications leverage the same underlying authentication and authorization mechanisms so that users can log in to Red Hat Enterprise Linux from the log-in screen, and then not need to re-enter their passwords. These applications are detailed below.
		</div><div class="para">
			In addition, users can log in to their machines even when there is no network (<em class="firstterm">offline mode</em>) or where network connectivity is unreliable, for example, wireless access. In the latter case, services will degrade gracefully.
		</div><div class="section" id="sso-supported-apps"><div class="titlepage"><div><div><h4 class="title" id="sso-supported-apps">46.3.1.1. Supported Applications</h4></div></div></div><div class="para">
				The following applications are currently supported by the unified log-in scheme in Red Hat Enterprise Linux:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Login
					</div></li><li class="listitem"><div class="para">
						Screensaver
					</div></li><li class="listitem"><div class="para">
						Firefox and Thunderbird
					</div></li></ul></div></div><div class="section" id="sso-supported-auth-mechanisms"><div class="titlepage"><div><div><h4 class="title" id="sso-supported-auth-mechanisms">46.3.1.2. Supported Authentication Mechanisms</h4></div></div></div><div class="para">
				Red Hat Enterprise Linux currently supports the following authentication mechanisms:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Kerberos name/password login
					</div></li><li class="listitem"><div class="para">
						Smart card/PIN login
					</div></li></ul></div></div><div class="section" id="sso-supported-cards"><div class="titlepage"><div><div><h4 class="title" id="sso-supported-cards">46.3.1.3. Supported Smart Cards</h4></div></div></div><div class="para">
				Red Hat Enterprise Linux has been tested with the Cyberflex e-gate card and reader, but any card that complies with both Java card 2.1.1 and Global Platform 2.0.1 specifications should operate correctly, as should any reader that is supported by PCSC-lite.
			</div><div class="para">
				Red Hat Enterprise Linux has also been tested with Common Access Cards (CAC). The supported reader for CAC is the SCM SCR 331 USB Reader.
			</div><div class="para">
				As of Red Hat Enterprise Linux 5.2, Gemalto smart cards (Cyberflex Access 64k v2, standard with DER SHA1 value configured as in PKCSI v2.1) are now supported. These smart cards now use readers compliant with Chip/Smart Card Interface Devices (CCID).
			</div></div><div class="section" id="sso-advantages"><div class="titlepage"><div><div><h4 class="title" id="sso-advantages">46.3.1.4. Advantages of Red Hat Enterprise Linux Single Sign-on</h4></div></div></div><div class="para">
				Numerous security mechanisms currently exist that utilize a large number of protocols and credential stores. Examples include SSL, SSH, IPsec, and Kerberos. Red Hat Enterprise Linux SSO aims to unify these schemes to support the requirements listed above. This does not mean replacing Kerberos with X.509v3 certificates, but rather uniting them to reduce the burden on both system users and the administrators who manage them.
			</div><div class="para">
				To achieve this goal, Red Hat Enterprise Linux:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Provides a single, shared instance of the NSS crypto libraries on each operating system.
					</div></li><li class="listitem"><div class="para">
						Ships the Certificate System's Enterprise Security Client (ESC) with the base operating system. The ESC application monitors smart card insertion events. If it detects that the user has inserted a smart card that was designed to be used with the Red Hat Enterprise Linux Certificate System server product, it displays a user interface instructing the user how to enroll that smart card.
					</div></li><li class="listitem"><div class="para">
						Unifies Kerberos and NSS so that users who log in to the operating system using a smart card also obtain a Kerberos credential (which allows them to log in to file servers, etc.)
					</div></li></ul></div></div></div><div class="section" id="sso-sc-config"><div class="titlepage"><div><div><h3 class="title" id="sso-sc-config">46.3.2. Getting Started with your new Smart Card</h3></div></div></div><div class="para">
			Before you can use your smart card to log in to your system and take advantage of the increased security options this technology provides, you need to perform some basic installation and configuration steps. These are described below.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				This section provides a high-level view of getting started with your smart card. More detailed information is available in the Red Hat Certificate System Enterprise Security Client Guide.
			</div></div></div><div class="procedure"><ol class="1"><li class="step"><div class="para">
					Log in with your Kerberos name and password
				</div></li><li class="step"><div class="para">
					Make sure you have the <code class="filename">nss-tools</code> package loaded.
				</div></li><li class="step"><div class="para">
					Download and install your corporate-specific root certificates. Use the following command to install the root CA certificate:
				</div><pre class="screen"><code class="command">certutil -A -d /etc/pki/nssdb -n "root ca cert" -t "CT,C,C" \</code>
	<code class="command">-i ./ca_cert_in_base64_format.crt</code></pre></li><li class="step"><div class="para">
					Verify that you have the following RPMs installed on your system: esc, pam_pkcs11, coolkey, ifd-egate, ccid, gdm, authconfig, and authconfig-gtk.
				</div></li><li class="step"><div class="para">
					Enable Smart Card Login Support
				</div><ol class="a"><li class="step"><div class="para">
							On the Gnome Title Bar, select System-&gt;Administration-&gt;Authentication.
						</div></li><li class="step"><div class="para">
							Type your machine's root password if necessary.
						</div></li><li class="step"><div class="para">
							In the Authentication Configuration dialog, click the <span class="guilabel"><strong>Authentication</strong></span> tab.
						</div></li><li class="step"><div class="para">
							Select the <span class="guilabel"><strong>Enable Smart Card Support</strong></span> check box.
						</div></li><li class="step"><div class="para">
							Click the <span class="guibutton"><strong>Configure Smart Card...</strong></span> button to display the Smartcard Settings dialog, and specify the required settings:
						</div><div class="para">
							<div class="itemizedlist"><ul><li class="listitem"><div class="para">
										<span class="guilabel"><strong>Require smart card for login</strong></span> — Clear this check box. After you have successfully logged in with the smart card you can select this option to prevent users from logging in without a smart card.
									</div></li><li class="listitem"><div class="para">
										<span class="guilabel"><strong>Card Removal Action</strong></span> — This controls what happens when you remove the smart card after you have logged in. The available options are:
									</div><div class="para">
										<div class="itemizedlist"><ul><li class="listitem"><div class="para">
													<span class="guilabel"><strong>Lock</strong></span> — Removing the smart card locks the X screen.
												</div></li><li class="listitem"><div class="para">
													<span class="guilabel"><strong>Ignore</strong></span> — Removing the smart card has no effect.
												</div></li></ul></div>

</div></li></ul></div>

</div></li></ol></li><li class="step"><div class="para">
					If you need to enable the Online Certificate Status Protocol (<abbr class="abbrev">OCSP</abbr>), open the <code class="filename">/etc/pam_pkcs11/pam_pkcs11.conf</code> file, and locate the following line:
				</div><div class="para">
					<code class="command">enable_ocsp = false;</code>
				</div><div class="para">
					Change this value to true, as follows:
				</div><div class="para">
					<code class="command">enable_ocsp = true;</code>
				</div></li><li class="step"><div class="para">
					Enroll your smart card
				</div></li><li class="step"><div class="para">
					If you are using a CAC card, you also need to perform the following steps:
				</div><ol class="a"><li class="step"><div class="para">
							Change to the root account and create a file called <code class="filename">/etc/pam_pkcs11/cn_map</code>.
						</div></li><li class="step"><div class="para">
							Add the following entry to the <code class="filename">cn_map</code> file:
						</div><div class="para">
							<em class="replaceable"><code>MY.CAC_CN.123454</code></em> -&gt; <em class="replaceable"><code>myloginid</code></em>
						</div><div class="para">
							where <em class="replaceable"><code>MY.CAC_CN.123454</code></em> is the Common Name on your CAC and <em class="replaceable"><code>myloginid</code></em> is your UNIX login ID.
						</div></li></ol></li><li class="step"><div class="para">
					Logout
				</div></li></ol></div><div class="section" id="troubleshooting"><div class="titlepage"><div><div><h4 class="title" id="troubleshooting">46.3.2.1. Troubleshooting</h4></div></div></div><div class="para">
				If you have trouble getting your smart card to work, try using the following command to locate the source of the problem:
			</div><pre class="screen"><code class="command">pklogin_finder debug</code></pre><div class="para">
				If you run the <code class="command">pklogin_finder</code> tool in debug mode while an enrolled smart card is plugged in, it attempts to output information about the validity of certificates, and if it is successful in attempting to map a login ID from the certificates that are on the card.
			</div></div></div><div class="section" id="sso-sc-enrol-concept"><div class="titlepage"><div><div><h3 class="title" id="sso-sc-enrol-concept">46.3.3. How Smart Card Enrollment Works</h3></div></div></div><div class="para">
			Smart cards are said to be <em class="firstterm">enrolled</em> when they have received an appropriate certificate signed by a valid Certificate Authority (<abbr class="abbrev">CA</abbr>). This involves several steps, described below:
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					The user inserts their smart card into the smart card reader on their workstation. This event is recognized by the Enterprise Security Client (<abbr class="abbrev">ESC</abbr>).
				</div></li><li class="listitem"><div class="para">
					The enrollment page is displayed on the user's desktop. The user completes the required details and the user's system then connects to the Token Processing System (<abbr class="abbrev">TPS</abbr>) and the <abbr class="abbrev">CA</abbr>.
				</div></li><li class="listitem"><div class="para">
					The <abbr class="abbrev">TPS</abbr> enrolls the smart card using a certificate signed by the <abbr class="abbrev">CA</abbr>.
				</div></li></ol></div><div class="figure" id="fig-sso-sc-enrollment"><div class="figure-contents"><div class="mediaobject"><img src="images/SCLoginEnrollment.png" width="444" alt="How Smart Card Enrollment Works" /><div class="longdesc"><div class="para">
						How Smart Card Enrollment Works.
					</div></div></div></div><h6>Figure 46.4. How Smart Card Enrollment Works</h6></div><br class="figure-break" /></div><div class="section" id="sso-sc-login-concept"><div class="titlepage"><div><div><h3 class="title" id="sso-sc-login-concept">46.3.4. How Smart Card Login Works</h3></div></div></div><div class="para">
			This section provides a brief overview of the process of logging in using a smart card.
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					When the user inserts their smart card into the smart card reader, this event is recognized by the PAM facility, which prompts for the user's PIN.
				</div></li><li class="listitem"><div class="para">
					The system then looks up the user's current certificates and verifies their validity. The certificate is then mapped to the user's UID.
				</div></li><li class="listitem"><div class="para">
					This is validated against the KDC and login granted.
				</div></li></ol></div><div class="figure" id="fig-sso-sc-login"><div class="figure-contents"><div class="mediaobject"><img src="images/SCLogin.png" width="444" alt="How Smart Card Login Works" /><div class="longdesc"><div class="para">
						How Smart Card Login Works.
					</div></div></div></div><h6>Figure 46.5. How Smart Card Login Works</h6></div><br class="figure-break" /><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				You cannot log in with a card that has not been enrolled, even if it has been formatted. You need to log in with a formatted, enrolled card, or not using a smart card, before you can enroll a new card.
			</div></div></div><div class="para">
			Refer to <a class="xref" href="#ch-kerberos">Section 46.6, “Kerberos”</a> and <a class="xref" href="#ch-pam">Section 46.4, “Pluggable Authentication Modules (PAM)”</a> for more information on Kerberos and <acronym class="acronym">PAM</acronym>.
		</div></div><div class="section" id="sso-config-firefox"><div class="titlepage"><div><div><h3 class="title" id="sso-config-firefox">46.3.5. Configuring Firefox to use Kerberos for SSO</h3></div></div></div><div class="para">
			You can configure Firefox to use Kerberos for Single Sign-on. In order for this functionality to work correctly, you need to configure your web browser to send your Kerberos credentials to the appropriate <abbr class="abbrev">KDC</abbr>.The following section describes the configuration changes and other requirements to achieve this.
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					In the address bar of Firefox, type <strong class="userinput"><code>about:config</code></strong> to display the list of current configuration options.
				</div></li><li class="listitem"><div class="para">
					In the <span class="guilabel"><strong>Filter</strong></span> field, type <strong class="userinput"><code>negotiate</code></strong> to restrict the list of options.
				</div></li><li class="listitem"><div class="para">
					Double-click the <span class="emphasis"><em>network.negotiate-auth.trusted-uris</em></span> entry to display the <span class="emphasis"><em>Enter string value</em></span> dialog box.
				</div></li><li class="listitem"><div class="para">
					Enter the name of the domain against which you want to authenticate, for example, <em class="replaceable"><code>.example.com</code></em>.
				</div></li><li class="listitem"><div class="para">
					Repeat the above procedure for the <span class="emphasis"><em>network.negotiate-auth.delegation-uris</em></span> entry, using the same domain.
				</div><div class="para">
					<div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
							You can leave this value blank, as it allows Kerberos ticket passing, which is not required.
						</div><div class="para">
							If you do not see these two configuration options listed, your version of Firefox may be too old to support Negotiate authentication, and you should consider upgrading.
						</div></div></div>

</div></li></ol></div><div class="figure" id="fig-sso-negotiate-dialog"><div class="figure-contents"><div class="mediaobject"><img src="images/FirefoxWithKerberosSSO.png" width="444" alt="Configuring Firefox for SSO with Kerberos" /><div class="longdesc"><div class="para">
						Configuring Firefox to use Kerberos for SSO.
					</div></div></div></div><h6>Figure 46.6. Configuring Firefox for SSO with Kerberos</h6></div><br class="figure-break" /><div class="para">
			You now need to ensure that you have Kerberos tickets. In a command shell, type <code class="command">kinit</code> to retrieve Kerberos tickets. To display the list of available tickets, type <code class="command">klist</code>. The following shows an example output from these commands:
		</div><pre class="screen">~]$ <code class="command">kinit</code>
Password for user@EXAMPLE.COM:

~]$ <code class="command">klist</code>
Ticket cache: FILE:/tmp/krb5cc_10920
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
10/26/06 23:47:54  10/27/06 09:47:54  krbtgt/USER.COM@USER.COM
        renew until 10/26/06 23:47:54

Kerberos 4 ticket cache: /tmp/tkt10920
klist: You have no tickets cached</pre><div class="section" id="sso-config-firefox-troubleshoot"><div class="titlepage"><div><div><h4 class="title" id="sso-config-firefox-troubleshoot">46.3.5.1. Troubleshooting</h4></div></div></div><div class="para">
				If you have followed the configuration steps above and Negotiate authentication is not working, you can turn on verbose logging of the authentication process. This could help you find the cause of the problem. To enable verbose logging, use the following procedure:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Close all instances of Firefox.
					</div></li><li class="listitem"><div class="para">
						Open a command shell, and enter the following commands:
					</div><pre class="screen"><code class="command">export NSPR_LOG_MODULES=negotiateauth:5</code>
<code class="command">export NSPR_LOG_FILE=/tmp/moz.log</code></pre></li><li class="listitem"><div class="para">
						Restart Firefox <span class="emphasis"><em>from that shell</em></span>, and visit the website you were unable to authenticate to earlier. Information will be logged to <code class="filename">/tmp/moz.log</code>, and may give a clue to the problem. For example:
					</div><pre class="screen">-1208550944[90039d0]: entering nsNegotiateAuth::GetNextToken()
-1208550944[90039d0]: gss_init_sec_context() failed: Miscellaneous failure
No credentials cache found</pre><div class="para">
						This indicates that you do not have Kerberos tickets, and need to run <code class="command">kinit</code>.
					</div></li></ol></div><div class="para">
				If you are able to run <code class="command">kinit</code> successfully from your machine but you are unable to authenticate, you might see something like this in the log file:
			</div><pre class="screen">-1208994096[8d683d8]: entering nsAuthGSSAPI::GetNextToken()
-1208994096[8d683d8]: gss_init_sec_context() failed: Miscellaneous failure
Server not found in Kerberos database</pre><div class="para">
				This generally indicates a Kerberos configuration problem. Make sure that you have the correct entries in the [domain_realm] section of the <code class="filename">/etc/krb5.conf</code> file. For example:
			</div><pre class="screen">.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM</pre><div class="para">
				If nothing appears in the log it is possible that you are behind a proxy, and that proxy is stripping off the HTTP headers required for Negotiate authentication. As a workaround, you can try to connect to the server using HTTPS instead, which allows the request to pass through unmodified. Then proceed to debug using the log file, as described above.
			</div></div></div></div><div xml:lang="en-US" class="section" id="ch-pam" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="ch-pam">46.4. Pluggable Authentication Modules (PAM)</h2></div></div></div><a id="id913279" class="indexterm"></a><a id="id1082535" class="indexterm"></a><div class="para">
		Programs that grant users access to a system use <em class="firstterm">authentication</em> to verify each other's identity (that is, to establish that a user is who they say they are).
	</div><div class="para">
		Historically, each program had its own way of authenticating users. In Red Hat Enterprise Linux, many programs are configured to use a centralized authentication mechanism called <em class="firstterm">Pluggable Authentication Modules</em> (<acronym class="acronym">PAM</acronym>).
	</div><div class="para">
		PAM uses a pluggable, modular architecture, which affords the system administrator a great deal of flexibility in setting authentication policies for the system.
	</div><div class="para">
		In most situations, the default PAM configuration file for a PAM-aware application is sufficient. Sometimes, however, it is necessary to edit a PAM configuration file. Because misconfiguration of PAM can compromise system security, it is important to understand the structure of these files before making any modifications. Refer to <a class="xref" href="#s1-pam-format">Section 46.4.3, “PAM Configuration File Format”</a> for more information.
	</div><div class="section" id="s1-pam-advantages"><div class="titlepage"><div><div><h3 class="title" id="s1-pam-advantages">46.4.1. Advantages of PAM</h3></div></div></div><a id="id1030728" class="indexterm"></a><div class="para">
			PAM offers the following advantages:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					a common authentication scheme that can be used with a wide variety of applications.
				</div></li><li class="listitem"><div class="para">
					significant flexibility and control over authentication for both system administrators and application developers.
				</div></li><li class="listitem"><div class="para">
					a single, fully-documented library which allows developers to write programs without having to create their own authentication schemes.
				</div></li></ul></div></div><div class="section" id="s1-pam-config-files"><div class="titlepage"><div><div><h3 class="title" id="s1-pam-config-files">46.4.2. PAM Configuration Files</h3></div></div></div><a id="id949306" class="indexterm"></a><a id="id944279" class="indexterm"></a><a id="id1027955" class="indexterm"></a><a id="id987370" class="indexterm"></a><a id="id996137" class="indexterm"></a><div class="para">
			The <code class="filename">/etc/pam.d/</code> directory contains the PAM configuration files for each PAM-aware application. In earlier versions of PAM, the <code class="filename">/etc/pam.conf</code> file was used, but this file is now deprecated and is only used if the <code class="filename">/etc/pam.d/</code> directory does not exist.
		</div><div class="section" id="s2-pam-service-names"><div class="titlepage"><div><div><h4 class="title" id="s2-pam-service-names">46.4.2.1. PAM Service Files</h4></div></div></div><a id="id948039" class="indexterm"></a><div class="para">
				Each PAM-aware application or <em class="firstterm">service</em> has a file in the <code class="filename">/etc/pam.d/</code> directory. Each file in this directory has the same name as the service to which it controls access.
			</div><div class="para">
				The PAM-aware program is responsible for defining its service name and installing its own PAM configuration file in the <code class="filename">/etc/pam.d/</code> directory. For example, the <code class="command">login</code> program defines its service name as <code class="command">login</code> and installs the <code class="filename">/etc/pam.d/login</code> PAM configuration file.
			</div></div></div><div class="section" id="s1-pam-format"><div class="titlepage"><div><div><h3 class="title" id="s1-pam-format">46.4.3. PAM Configuration File Format</h3></div></div></div><div class="para">
			Each PAM configuration file contains a group of directives formatted as follows:
		</div><pre class="screen"><em class="replaceable"><code>&lt;module interface&gt;</code></em>  <em class="replaceable"><code>&lt;control flag&gt;</code></em>   <em class="replaceable"><code>&lt;module name&gt;</code></em>   <em class="replaceable"><code>&lt;module arguments&gt;</code></em></pre><div class="para">
			Each of these elements is explained in the following sections.
		</div><div class="section" id="s2-pam-modules"><div class="titlepage"><div><div><h4 class="title" id="s2-pam-modules">46.4.3.1. Module Interface</h4></div></div></div><a id="id1008588" class="indexterm"></a><a id="id882409" class="indexterm"></a><a id="id986301" class="indexterm"></a><div class="para">
				Four types of PAM module interface are currently available. Each of these corresponds to a different aspect of the authorization process:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">auth</code> — This module interface authenticates use. For example, it requests and verifies the validity of a password. Modules with this interface can also set credentials, such as group memberships or Kerberos tickets.
					</div></li><li class="listitem"><div class="para">
						<code class="command">account</code> — This module interface verifies that access is allowed. For example, it may check if a user account has expired or if a user is allowed to log in at a particular time of day.
					</div></li><li class="listitem"><div class="para">
						<code class="command">password</code> — This module interface is used for changing user passwords.
					</div></li><li class="listitem"><div class="para">
						<code class="command">session</code> — This module interface configures and manages user sessions. Modules with this interface can also perform additional tasks that are needed to allow access, like mounting a user's home directory and making the user's mailbox available.
					</div></li></ul></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					An individual module can provide any or all module interfaces. For instance, <code class="filename">pam_unix.so</code> provides all four module interfaces.
				</div></div></div><div class="para">
				In a PAM configuration file, the module interface is the first field defined. For example, a typical line in a configuration may look like this:
			</div><pre class="screen">auth	required	pam_unix.so</pre><div class="para">
				This instructs PAM to use the <code class="filename">pam_unix.so</code> module's <code class="command">auth</code> interface.
			</div><div class="section" id="s3-pam-modules-stack"><div class="titlepage"><div><div><h5 class="title" id="s3-pam-modules-stack">46.4.3.1.1. Stacking Module Interfaces</h5></div></div></div><a id="id989161" class="indexterm"></a><div class="para">
					Module interface directives can be <span class="emphasis"><em>stacked</em></span>, or placed upon one another, so that multiple modules are used together for one purpose. If a module's control flag uses the "sufficient" or "requisite" value (refer to <a class="xref" href="#s2-pam-control-flags">Section 46.4.3.2, “Control Flag”</a> for more information on these flags), then the order in which the modules are listed is important to the authentication process.
				</div><div class="para">
					Stacking makes it easy for an administrator to require specific conditions to exist before allowing the user to authenticate. For example, the <code class="command">reboot</code> command normally uses several stacked modules, as seen in its PAM configuration file:
				</div><pre class="screen">~]# <code class="command">cat /etc/pam.d/reboot</code>
#%PAM-1.0
auth	sufficient	pam_rootok.so
auth	required	pam_console.so
#auth	include	system-auth
account	required	pam_permit.so</pre><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							The first line is a comment and is not processed.
						</div></li><li class="listitem"><div class="para">
							<code class="command">auth sufficient pam_rootok.so</code> — This line uses the <code class="filename">pam_rootok.so</code> module to check whether the current user is root, by verifying that their UID is 0. If this test succeeds, no other modules are consulted and the command is executed. If this test fails, the next module is consulted.
						</div></li><li class="listitem"><div class="para">
							<code class="command">auth required pam_console.so</code> — This line uses the <code class="filename">pam_console.so</code> module to attempt to authenticate the user. If this user is already logged in at the console, <code class="filename">pam_console.so</code> checks whether there is a file in the <code class="filename">/etc/security/console.apps/</code> directory with the same name as the service name (reboot). If such a file exists, authentication succeeds and control is passed to the next module.
						</div></li><li class="listitem"><div class="para">
							<code class="command">#auth include system-auth</code> — This line is commented and is not processed.
						</div></li><li class="listitem"><div class="para">
							<code class="command">account required pam_permit.so</code> — This line uses the <code class="filename">pam_permit.so</code> module to allow the root user or anyone logged in at the console to reboot the system.
						</div></li></ul></div></div></div><div class="section" id="s2-pam-control-flags"><div class="titlepage"><div><div><h4 class="title" id="s2-pam-control-flags">46.4.3.2. Control Flag</h4></div></div></div><a id="id915067" class="indexterm"></a><div class="para">
				All PAM modules generate a success or failure result when called. Control flags tell PAM what do with the result. Modules can be stacked in a particular order, and the control flags determine how important the success or failure of a particular module is to the overall goal of authenticating the user to the service.
			</div><div class="para">
				There are four predefined control flags:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">required</code> — The module result must be successful for authentication to continue. If the test fails at this point, the user is not notified until the results of all module tests that reference that interface are complete.
					</div></li><li class="listitem"><div class="para">
						<code class="command">requisite</code> — The module result must be successful for authentication to continue. However, if a test fails at this point, the user is notified immediately with a message reflecting the first failed <code class="command">required</code> <span class="emphasis"><em>or</em></span> <code class="command">requisite</code> module test.
					</div></li><li class="listitem"><div class="para">
						<code class="command">sufficient</code> — The module result is ignored if it fails. However, if the result of a module flagged <code class="command">sufficient</code> is successful <span class="emphasis"><em>and</em></span> no previous modules flagged <code class="command">required</code> have failed, then no other results are required and the user is authenticated to the service.
					</div></li><li class="listitem"><div class="para">
						<code class="command">optional</code> — The module result is ignored. A module flagged as <code class="command">optional</code> only becomes necessary for successful authentication when no other modules reference the interface.
					</div></li></ul></div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					The order in which <code class="command">required</code> modules are called is not critical. Only the <code class="command">sufficient</code> and <code class="command">requisite</code> control flags cause order to become important.
				</div></div></div><div class="para">
				A newer control flag syntax that allows for more precise control is now available for PAM.
			</div><div class="para">
				The <code class="command">pam.d</code> man page, and the PAM documentation, located in the <code class="filename">/usr/share/doc/pam-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/</code> directory, where <em class="replaceable"><code>&lt;version-number&gt;</code></em> is the version number for PAM on your system, describe this newer syntax in detail.
			</div></div><div class="section" id="s2-pam-module-paths"><div class="titlepage"><div><div><h4 class="title" id="s2-pam-module-paths">46.4.3.3. Module Name</h4></div></div></div><a id="id999731" class="indexterm"></a><div class="para">
				The module name provides PAM with the name of the pluggable module containing the specified module interface. In older versions of Red Hat Enterprise Linux, the full path to the module was provided in the PAM configuration file. However, since the advent of <em class="firstterm">multilib</em> systems, which store 64-bit PAM modules in the <code class="filename">/lib64/security/</code> directory, the directory name is omitted because the application is linked to the appropriate version of <code class="filename">libpam</code>, which can locate the correct version of the module.
			</div></div><div class="section" id="s2-pam-arguments"><div class="titlepage"><div><div><h4 class="title" id="s2-pam-arguments">46.4.3.4. Module Arguments</h4></div></div></div><a id="id937034" class="indexterm"></a><div class="para">
				PAM uses <em class="firstterm">arguments</em> to pass information to a pluggable module during authentication for some modules.
			</div><div class="para">
				For example, the <code class="filename">pam_userdb.so</code> module uses information stored in a Berkeley DB file to authenticate the user. Berkeley DB is an open source database system embedded in many applications. The module takes a <code class="filename">db</code> argument so that Berkeley DB knows which database to use for the requested service.
			</div><div class="para">
				The following is a typical <code class="filename">pam_userdb.so</code> line in a PAM configuration. The <em class="replaceable"><code>&lt;path-to-file&gt;</code></em> is the full path to the Berkeley DB database file:
			</div><pre class="screen">auth	required	pam_userdb.so db=<em class="replaceable"><code>&lt;path-to-file&gt;</code></em></pre><div class="para">
				Invalid arguments are <span class="emphasis"><em>generally</em></span> ignored and do not otherwise affect the success or failure of the PAM module. Some modules, however, may fail on invalid arguments. Most modules report errors to the <code class="filename">/var/log/secure</code> file.
			</div></div></div><div class="section" id="s1-pam-sample-simple"><div class="titlepage"><div><div><h3 class="title" id="s1-pam-sample-simple">46.4.4. Sample PAM Configuration Files</h3></div></div></div><a id="id1014741" class="indexterm"></a><a id="id1035116" class="indexterm"></a><div class="para">
			The following is a sample PAM application configuration file:
		</div><pre class="screen">#%PAM-1.0
auth	required  pam_securetty.so
auth	required  pam_unix.so nullok
auth	required  pam_nologin.so
account	required  pam_unix.so
password	required  pam_cracklib.so retry=3
password	required  pam_unix.so shadow nullok use_authtok
session	required  pam_unix.so</pre><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					The first line is a comment, indicated by the hash mark (<code class="command">#</code>) at the beginning of the line.
				</div></li><li class="listitem"><div class="para">
					Lines two through four stack three modules for login authentication.
				</div><div class="para">
					<code class="command">auth required pam_securetty.so</code> — This module ensures that <span class="emphasis"><em>if</em></span> the user is trying to log in as root, the tty on which the user is logging in is listed in the <code class="filename">/etc/securetty</code> file, <span class="emphasis"><em>if</em></span> that file exists.
				</div><div class="para">
					If the tty is not listed in the file, any attempt to log in as root fails with a <code class="computeroutput">Login incorrect</code> message.
				</div><div class="para">
					<code class="command">auth required pam_unix.so nullok</code> — This module prompts the user for a password and then checks the password using the information stored in <code class="filename">/etc/passwd</code> and, if it exists, <code class="filename">/etc/shadow</code>.
				</div><div class="para">
					In the authentication phase, the <code class="filename">pam_unix.so</code> module automatically detects whether the user's password is in the <code class="filename">passwd</code> file or the <code class="filename">shadow</code> file. Refer to <a class="xref" href="#s1-users-groups-shadow-utilities">Section 35.6, “Shadow Passwords”</a> for more information.
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							The argument <code class="command">nullok</code> instructs the <code class="filename">pam_unix.so</code> module to allow a blank password.
						</div><a id="id949542" class="indexterm"></a><a id="id1018332" class="indexterm"></a><a id="id1021957" class="indexterm"></a><a id="id1085242" class="indexterm"></a></li></ul></div></li><li class="listitem"><div class="para">
					<code class="command">auth required pam_nologin.so</code> — This is the final authentication step. It checks whether the <code class="filename">/etc/nologin</code> file exists. If it exists and the user is not root, authentication fails.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						In this example, all three <code class="command">auth</code> modules are checked, even if the first <code class="command">auth</code> module fails. This prevents the user from knowing at what stage their authentication failed. Such knowledge in the hands of an attacker could allow them to more easily deduce how to crack the system.
					</div></div></div></li><li class="listitem"><div class="para">
					<code class="command">account required pam_unix.so</code> — This module performs any necessary account verification. For example, if shadow passwords have been enabled, the account interface of the <code class="filename">pam_unix.so</code> module checks to see if the account has expired or if the user has not changed the password within the allowed grace period.
				</div></li><li class="listitem"><div class="para">
					<code class="command">password required pam_cracklib.so retry=3</code> — If a password has expired, the password component of the <code class="filename">pam_cracklib.so</code> module prompts for a new password. It then tests the newly created password to see whether it can easily be determined by a dictionary-based password cracking program.
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							The argument <code class="command">retry=3</code> specifies that if the test fails the first time, the user has two more chances to create a strong password.
						</div></li></ul></div></li><li class="listitem"><div class="para">
					<code class="command">password required pam_unix.so shadow nullok use_authtok</code> — This line specifies that if the program changes the user's password, it should use the <code class="command">password</code> interface of the <code class="filename">pam_unix.so</code> module to do so.
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							The argument <code class="command">shadow</code> instructs the module to create shadow passwords when updating a user's password.
						</div></li><li class="listitem"><div class="para">
							The argument <code class="command">nullok</code> instructs the module to allow the user to change their password <span class="emphasis"><em>from</em></span> a blank password, otherwise a null password is treated as an account lock.
						</div></li><li class="listitem"><div class="para">
							The final argument on this line, <code class="command">use_authtok</code>, provides a good example of the importance of order when stacking PAM modules. This argument instructs the module not to prompt the user for a new password. Instead, it accepts any password that was recorded by a previous password module. In this way, all new passwords must pass the <code class="filename">pam_cracklib.so</code> test for secure passwords before being accepted.
						</div></li></ul></div></li><li class="listitem"><div class="para">
					<code class="command">session required pam_unix.so</code> — The final line instructs the session interface of the <code class="filename">pam_unix.so</code> module to manage the session. This module logs the user name and the service type to <code class="filename">/var/log/secure</code> at the beginning and end of each session. This module can be supplemented by stacking it with other session modules for additional functionality.
				</div></li></ul></div></div><div class="section" id="s1-pam-modules-add"><div class="titlepage"><div><div><h3 class="title" id="s1-pam-modules-add">46.4.5. Creating PAM Modules</h3></div></div></div><a id="id999916" class="indexterm"></a><div class="para">
			You can create or add new PAM modules at any time for use by PAM-aware applications.
		</div><div class="para">
			For example, a developer might create a one-time-password creation method and write a PAM module to support it. PAM-aware programs can immediately use the new module and password method without being recompiled or otherwise modified.
		</div><div class="para">
			This allows developers and system administrators to mix-and-match, as well as test, authentication methods for different programs without recompiling them.
		</div><div class="para">
			Documentation on writing modules is included in the <code class="filename">/usr/share/doc/pam-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/</code> directory, where <em class="replaceable"><code>&lt;version-number&gt;</code></em> is the version number for PAM on your system.
		</div></div><div class="section" id="s1-pam-timestamp"><div class="titlepage"><div><div><h3 class="title" id="s1-pam-timestamp">46.4.6. PAM and Administrative Credential Caching</h3></div></div></div><a id="id1025381" class="indexterm"></a><a id="id1081959" class="indexterm"></a><a id="id1082775" class="indexterm"></a><div class="para">
			A number of graphical administrative tools in Red Hat Enterprise Linux provide users with elevated privileges for up to five minutes using the <code class="filename">pam_timestamp.so</code> module. It is important to understand how this mechanism works, because a user who walks away from a terminal while <code class="filename">pam_timestamp.so</code> is in effect leaves the machine open to manipulation by anyone with physical access to the console.
		</div><div class="para">
			In the PAM timestamp scheme, the graphical administrative application prompts the user for the root password when it is launched. When the user has been authenticated, the <code class="filename">pam_timestamp.so</code> module creates a timestamp file. By default, this is created in the <code class="filename">/var/run/sudo/</code> directory. If the timestamp file already exists, graphical administrative programs do not prompt for a password. Instead, the <code class="filename">pam_timestamp.so</code> module freshens the timestamp file, reserving an extra five minutes of unchallenged administrative access for the user.
		</div><div class="para">
			You can verify the actual state of the timestamp file by inspecting the <code class="filename">/var/run/sudo/&lt;user&gt;</code> file. For the desktop, the relevant file is <code class="filename">unknown:root</code>. If it is present and its timestamp is less than five minutes old, the credentials are valid.
		</div><div class="para">
			The existence of the timestamp file is indicated by an authentication icon, which appears in the notification area of the panel.
		</div><div class="figure" id="fig-auth-icon"><div class="figure-contents"><div class="mediaobject"><img src="images/authicon.png" alt="The Authentication Icon" /><div class="longdesc"><div class="para">
						Illustration of the authentication icon.
					</div></div></div></div><h6>Figure 46.7. The Authentication Icon</h6></div><br class="figure-break" /><div class="section" id="s2-pam-timestamp-remove"><div class="titlepage"><div><div><h4 class="title" id="s2-pam-timestamp-remove">46.4.6.1. Removing the Timestamp File</h4></div></div></div><a id="id1010410" class="indexterm"></a><a id="id1031494" class="indexterm"></a><a id="id1086563" class="indexterm"></a><div class="para">
				Before abandoning a console where a PAM timestamp is active, it is recommended that the timestamp file be destroyed. To do this from a graphical environment, click the authentication icon on the panel. This causes a dialog box to appear. Click the <span class="guibutton"><strong>Forget Authorization</strong></span> button to destroy the active timestamp file.
			</div><div class="figure" id="fig-auth-dialog"><div class="figure-contents"><div class="mediaobject"><img src="images/auth-panel.png" width="444" alt="Dismiss Authentication Dialog" /><div class="longdesc"><div class="para">
							Illustration of the authentication dismissal dialog box.
						</div></div></div></div><h6>Figure 46.8. Dismiss Authentication Dialog</h6></div><br class="figure-break" /><div class="para">
				You should be aware of the following with respect to the PAM timestamp file:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						If logged in to the system remotely using <code class="command">ssh</code>, use the <code class="command">/sbin/pam_timestamp_check -k root</code> command to destroy the timestamp file.
					</div></li><li class="listitem"><div class="para">
						You need to run the <code class="command">/sbin/pam_timestamp_check -k root</code> command from the same terminal window from which you launched the privileged application.
					</div></li><li class="listitem"><div class="para">
						You must be logged in as the user who originally invoked the <code class="filename">pam_timestamp.so</code> module in order to use the <code class="command">/sbin/pam_timestamp_check -k</code> command. Do not log in as root to use this command.
					</div></li><li class="listitem"><div class="para">
						If you want to kill the credentials on the desktop (without using the <span class="guibutton"><strong>Forget Authorization</strong></span> action on the icon), use the following command:
					</div><pre class="screen"><code class="command">pam_timestamp_check -k root &lt;/dev/null &gt;/dev/null 2&gt;/dev/null</code></pre><div class="para">
						Failure to use this command will only remove the credentials (if any) from the pty where you run the command.
					</div></li></ul></div><div class="para">
				Refer to the <code class="filename">pam_timestamp_check</code> man page for more information about destroying the timestamp file using <code class="command">pam_timestamp_check</code>.
			</div></div><div class="section" id="s2-pam-timestamp-directives"><div class="titlepage"><div><div><h4 class="title" id="s2-pam-timestamp-directives">46.4.6.2. Common pam_timestamp Directives</h4></div></div></div><a id="id943873" class="indexterm"></a><div class="para">
				The <code class="filename">pam_timestamp.so</code> module accepts several directives. The following are the two most commonly used options:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">timestamp_timeout</code> — Specifies the period (in seconds) for which the timestamp file is valid. The default value is 300 (five minutes).
					</div></li><li class="listitem"><div class="para">
						<code class="command">timestampdir</code> — Specifies the directory in which the timestamp file is stored. The default value is <code class="command">/var/run/sudo/</code>.
					</div></li></ul></div><div class="para">
				Refer to <a class="xref" href="#s2-pam-installed-documentation">Section 46.4.8.1, “Installed Documentation”</a> for more information about controlling the <code class="filename">pam_timestamp.so</code> module.
			</div></div></div><div class="section" id="s1-pam-console"><div class="titlepage"><div><div><h3 class="title" id="s1-pam-console">46.4.7. PAM and Device Ownership</h3></div></div></div><a id="id1037772" class="indexterm"></a><a id="id996213" class="indexterm"></a><a id="id942894" class="indexterm"></a><div class="para">
			In Red Hat Enterprise Linux, the first user who logs in at the physical console of the machine can manipulate certain devices and perform certain tasks normally reserved for the root user. This is controlled by a PAM module called <code class="filename">pam_console.so</code>.
		</div><div class="section" id="s2-pam-console-dev"><div class="titlepage"><div><div><h4 class="title" id="s2-pam-console-dev">46.4.7.1. Device Ownership</h4></div></div></div><div class="para">
				When a user logs in to a Red Hat Enterprise Linux system, the <code class="filename">pam_console.so</code> module is called by <code class="command">login</code> or the graphical login programs, <span class="application"><strong>gdm</strong></span>, <span class="application"><strong>kdm</strong></span>, and <span class="application"><strong>xdm</strong></span>. If this user is the first user to log in at the physical console — referred to as the <em class="firstterm">console user</em> — the module grants the user ownership of a variety of devices normally owned by root. The console user owns these devices until the last local session for that user ends. After this user has logged out, ownership of the devices reverts back to the root user.
			</div><div class="para">
				The devices affected include, but are not limited to, sound cards, diskette drives, and CD-ROM drives.
			</div><div class="para">
				This facility allows a local user to manipulate these devices without obtaining root access, thus simplifying common tasks for the console user.
			</div><div class="para">
				You can modify the list of devices controlled by <code class="filename">pam_console.so</code> by editing the following files: 
				<div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="filename">/etc/security/console.perms</code>
						</div></li><li class="listitem"><div class="para">
							<code class="filename">/etc/security/console.perms.d/50-default.perms</code>
						</div></li></ul></div>

</div><div class="para">
				You can change the permissions of different devices than those listed in the above files, or override the specified defaults. Rather than modify the <code class="filename">50-default.perms</code> file, you should create a new file (for example, <code class="filename"><em class="replaceable"><code>xx</code></em>-name.perms</code>) and enter the required modifications. The name of the new default file must begin with a number higher than 50 (for example, <code class="filename">51-default.perms</code>). This will override the defaults in the <code class="filename">50-default.perms</code> file.
			</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
					If the <span class="application"><strong>gdm</strong></span>, <span class="application"><strong>kdm</strong></span>, or <span class="application"><strong>xdm</strong></span> display manager configuration file has been altered to allow remote users to log in <span class="emphasis"><em>and</em></span> the host is configured to run at runlevel 5, it is advisable to change the <code class="command">&lt;console&gt;</code> and <code class="command">&lt;xconsole&gt;</code> directives in the <code class="filename">/etc/security/console.perms</code> to the following values:
				</div><pre class="screen">&lt;console&gt;=tty[0-9][0-9]* vc/[0-9][0-9]* :0\.[0-9] :0
&lt;xconsole&gt;=:0\.[0-9] :0</pre><div class="para">
					This prevents remote users from gaining access to devices and restricted applications on the machine.
				</div><div class="para">
					If the <span class="application"><strong>gdm</strong></span>, <span class="application"><strong>kdm</strong></span>, or <span class="application"><strong>xdm</strong></span> display manager configuration file has been altered to allow remote users to log in <span class="emphasis"><em>and</em></span> the host is configured to run at any multiple user runlevel other than 5, it is advisable to remove the <code class="command">&lt;xconsole&gt;</code> directive entirely and change the <code class="command">&lt;console&gt;</code> directive to the following value:
				</div><pre class="screen">&lt;console&gt;=tty[0-9][0-9]* vc/[0-9][0-9]*</pre></div></div></div><div class="section" id="s2-pam-console-halt"><div class="titlepage"><div><div><h4 class="title" id="s2-pam-console-halt">46.4.7.2. Application Access</h4></div></div></div><div class="para">
				The console user also has access to certain programs configured for use in the <code class="filename">/etc/security/console.apps/</code> directory.
			</div><div class="para">
				This directory contains configuration files which enable the console user to run certain applications in <code class="filename">/sbin</code> and <code class="filename">/usr/sbin</code>.
			</div><div class="para">
				These configuration files have the same name as the applications that they set up.
			</div><div class="para">
				One notable group of applications that the console user has access to are three programs that shut down or reboot the system:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">/sbin/halt</code>
					</div></li><li class="listitem"><div class="para">
						<code class="command">/sbin/reboot</code>
					</div></li><li class="listitem"><div class="para">
						<code class="command">/sbin/poweroff</code>
					</div></li></ul></div><div class="para">
				Because these are PAM-aware applications, they call the <code class="filename">pam_console.so</code> module as a requirement for use.
			</div><div class="para">
				Refer to <a class="xref" href="#s2-pam-installed-documentation">Section 46.4.8.1, “Installed Documentation”</a> for more information.
			</div></div></div><div class="section" id="s1-pam-additional-resources"><div class="titlepage"><div><div><h3 class="title" id="s1-pam-additional-resources">46.4.8. Additional Resources</h3></div></div></div><a id="id1087774" class="indexterm"></a><div class="para">
			The following resources further explain methods to use and configure PAM. In addition to these resources, read the PAM configuration files on the system to better understand how they are structured.
		</div><div class="section" id="s2-pam-installed-documentation"><div class="titlepage"><div><div><h4 class="title" id="s2-pam-installed-documentation">46.4.8.1. Installed Documentation</h4></div></div></div><a id="id891342" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						PAM-related man pages — Several man pages exist for the various applications and configuration files involved with PAM. The following is a list of some of the more important man pages.
					</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">Configuration Files</span></dt><dd><div class="itemizedlist"><ul><li class="listitem"><div class="para">
											<code class="command">pam</code> — Good introductory information on PAM, including the structure and purpose of the PAM configuration files.
										</div><div class="para">
											Note that this man page discusses both <code class="filename">/etc/pam.conf</code> and individual configuration files in the <code class="filename">/etc/pam.d/</code> directory. By default, Red Hat Enterprise Linux uses the individual configuration files in the <code class="filename">/etc/pam.d/</code> directory, ignoring <code class="filename">/etc/pam.conf</code> even if it exists.
										</div></li><li class="listitem"><div class="para">
											<code class="command">pam_console</code> — Describes the purpose of the <code class="filename">pam_console.so</code> module. It also describes the appropriate syntax for an entry within a PAM configuration file.
										</div></li><li class="listitem"><div class="para">
											<code class="command">console.apps</code> — Describes the format and options available in the <code class="filename">/etc/security/console.apps</code> configuration file, which defines which applications are accessible by the console user assigned by PAM.
										</div></li><li class="listitem"><div class="para">
											<code class="command">console.perms</code> — Describes the format and options available in the <code class="filename">/etc/security/console.perms</code> configuration file, which specifies the console user permissions assigned by PAM.
										</div></li><li class="listitem"><div class="para">
											<code class="command">pam_timestamp</code> — Describes the <code class="filename">pam_timestamp.so</code> module.
										</div></li></ul></div></dd></dl></div></li><li class="listitem"><div class="para">
						<code class="filename">/usr/share/doc/pam-<em class="replaceable"><code>&lt;version-number&gt;</code></em></code> — Contains a <em class="citetitle">System Administrators' Guide</em>, a <em class="citetitle">Module Writers' Manual</em>, and the <em class="citetitle">Application Developers' Manual</em>, as well as a copy of the PAM standard, DCE-RFC 86.0, where <em class="replaceable"><code>&lt;version-number&gt;</code></em> is the version number of PAM.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/usr/share/doc/pam-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/txts/README.pam_timestamp</code> — Contains information about the <code class="filename">pam_timestamp.so</code> PAM module, where <em class="replaceable"><code>&lt;version-number&gt;</code></em> is the version number of PAM.
					</div></li></ul></div></div><div class="section" id="s2-pam-useful-websites"><div class="titlepage"><div><div><h4 class="title" id="s2-pam-useful-websites">46.4.8.2. Useful Websites</h4></div></div></div><a id="id1091823" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://www.kernel.org/pub/linux/libs/pam/">http://www.kernel.org/pub/linux/libs/pam/</a> — The primary distribution website for the Linux-PAM project, containing information on various PAM modules, a FAQ, and additional PAM documentation.
					</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
							The documentation in the above website is for the last released upstream version of PAM and might not be 100% accurate for the PAM version included in Red Hat Enterprise Linux.
						</div></div></div></li></ul></div></div></div></div><div xml:lang="en-US" class="section" id="ch-tcpwrappers" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="ch-tcpwrappers">46.5. TCP Wrappers and xinetd</h2></div></div></div><a id="id1021091" class="indexterm"></a><a id="id1011430" class="indexterm"></a><a id="id1034699" class="indexterm"></a><div class="para">
		Controlling access to network services is one of the most important security tasks facing a server administrator. Red Hat Enterprise Linux provides several tools for this purpose. For example, an <code class="command">iptables</code>-based firewall filters out unwelcome network packets within the kernel's network stack. For network services that utilize it, <em class="firstterm">TCP Wrappers</em> add an additional layer of protection by defining which hosts are or are not allowed to connect to "<span class="emphasis"><em>wrapped</em></span>" network services. One such wrapped network service is the <code class="systemitem">xinetd</code> <span class="emphasis"><em>super server</em></span>. This service is called a super server because it controls connections to a subset of network services and further refines access control.
	</div><div class="para">
		<a class="xref" href="#fig-access-flowchart">Figure 46.9, “Access Control to Network Services”</a> is a basic illustration of how these tools work together to protect network services.
	</div><div class="figure" id="fig-access-flowchart"><div class="figure-contents"><div class="mediaobject"><img src="images/tcp_wrap_diagram.png" alt="Access Control to Network Services" /><div class="longdesc"><div class="para">
					Exhibit A: Access Control to Network Services Flowchart
				</div></div></div></div><h6>Figure 46.9. Access Control to Network Services</h6></div><br class="figure-break" /><div class="para">
		This chapter focuses on the role of TCP Wrappers and <code class="systemitem">xinetd</code> in controlling access to network services and reviews how these tools can be used to enhance both logging and utilization management. Refer to <a class="xref" href="#ch-iptables">Section 46.9, “IPTables”</a> for information about using firewalls with <code class="command">iptables</code>.
	</div><div class="section" id="s1-tcpwrappers-purpose"><div class="titlepage"><div><div><h3 class="title" id="s1-tcpwrappers-purpose">46.5.1. TCP Wrappers</h3></div></div></div><a id="id895014" class="indexterm"></a><a id="id915254" class="indexterm"></a><a id="id911311" class="indexterm"></a><a id="id997990" class="indexterm"></a><div class="para">
			The TCP Wrappers package (<code class="filename">tcp_wrappers</code>) is installed by default and provides host-based access control to network services. The most important component within the package is the <code class="filename">/usr/lib/libwrap.a</code> library. In general terms, a TCP-wrapped service is one that has been compiled against the <code class="filename">libwrap.a</code> library.
		</div><div class="para">
			When a connection attempt is made to a TCP-wrapped service, the service first references the host's access files (<code class="filename">/etc/hosts.allow</code> and <code class="filename">/etc/hosts.deny</code>) to determine whether or not the client is allowed to connect. In most cases, it then uses the syslog daemon (<code class="systemitem">syslogd</code>) to write the name of the requesting client and the requested service to <code class="filename">/var/log/secure</code> or <code class="filename">/var/log/messages</code>.
		</div><div class="para">
			If a client is allowed to connect, TCP Wrappers release control of the connection to the requested service and take no further part in the communication between the client and the server.
		</div><div class="para">
			In addition to access control and logging, TCP Wrappers can execute commands to interact with the client before denying or releasing control of the connection to the requested network service.
		</div><div class="para">
			Because TCP Wrappers are a valuable addition to any server administrator's arsenal of security tools, most network services within Red Hat Enterprise Linux are linked to the <code class="filename">libwrap.a</code> library. Some such applications include <code class="systemitem">/usr/sbin/sshd</code>, <code class="command">/usr/sbin/sendmail</code>, and <code class="systemitem">/usr/sbin/xinetd</code>.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				To determine if a network service binary is linked to <code class="filename">libwrap.a</code>, type the following command as the root user:
			</div><pre class="screen"><code class="command">ldd &lt;binary-name&gt; | grep libwrap</code></pre><div class="para">
				Replace <em class="replaceable"><code>&lt;binary-name&gt;</code></em> with the name of the network service binary.
			</div><div class="para">
				If the command returns straight to the prompt with no output, then the network service is <span class="emphasis"><em>not</em></span> linked to <code class="filename">libwrap.a</code>.
			</div><div class="para">
				The following example indicates that <code class="systemitem">/usr/sbin/sshd</code> is linked to <code class="filename">libwrap.a</code>:
			</div><pre class="screen">~]# <code class="command">ldd /usr/sbin/sshd | grep libwrap</code>
        libwrap.so.0 =&gt; /usr/lib/libwrap.so.0 (0x00655000)
~]#</pre></div></div><div class="section" id="s2-tcpwrappers-purpose-advantage"><div class="titlepage"><div><div><h4 class="title" id="s2-tcpwrappers-purpose-advantage">46.5.1.1. Advantages of TCP Wrappers</h4></div></div></div><a id="id911474" class="indexterm"></a><div class="para">
				TCP Wrappers provide the following advantages over other network service control techniques:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="emphasis"><em>Transparency to both the client and the wrapped network service</em></span> — Both the connecting client and the wrapped network service are unaware that TCP Wrappers are in use. Legitimate users are logged and connected to the requested service while connections from banned clients fail.
					</div></li><li class="listitem"><div class="para">
						<span class="emphasis"><em>Centralized management of multiple protocols</em></span> — TCP Wrappers operate separately from the network services they protect, allowing many server applications to share a common set of access control configuration files, making for simpler management.
					</div></li></ul></div></div></div><div class="section" id="s1-tcpwrappers-access"><div class="titlepage"><div><div><h3 class="title" id="s1-tcpwrappers-access">46.5.2. TCP Wrappers Configuration Files</h3></div></div></div><a id="id941178" class="indexterm"></a><a id="id1110327" class="indexterm"></a><a id="id940948" class="indexterm"></a><a id="id1011982" class="indexterm"></a><a id="id1085867" class="indexterm"></a><div class="para">
			To determine if a client is allowed to connect to a service, TCP Wrappers reference the following two files, which are commonly referred to as <em class="firstterm">hosts access</em> files:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="filename">/etc/hosts.allow</code>
				</div></li><li class="listitem"><div class="para">
					<code class="filename">/etc/hosts.deny</code>
				</div></li></ul></div><div class="para">
			When a TCP-wrapped service receives a client request, it performs the following steps:
		</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
					<span class="emphasis"><em>It references <code class="filename">/etc/hosts.allow</code>.</em></span> — The TCP-wrapped service sequentially parses the <code class="filename">/etc/hosts.allow</code> file and applies the first rule specified for that service. If it finds a matching rule, it allows the connection. If not, it moves on to the next step.
				</div></li><li class="listitem"><div class="para">
					<span class="emphasis"><em>It references <code class="filename">/etc/hosts.deny</code>.</em></span> — The TCP-wrapped service sequentially parses the <code class="filename">/etc/hosts.deny</code> file. If it finds a matching rule, it denies the connection. If not, it grants access to the service.
				</div></li></ol></div><div class="para">
			The following are important points to consider when using TCP Wrappers to protect network services:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					Because access rules in <code class="filename">hosts.allow</code> are applied first, they take precedence over rules specified in <code class="filename">hosts.deny</code>. Therefore, if access to a service is allowed in <code class="filename">hosts.allow</code>, a rule denying access to that same service in <code class="filename">hosts.deny</code> is ignored.
				</div></li><li class="listitem"><div class="para">
					The rules in each file are read from the top down and the first matching rule for a given service is the only one applied. The order of the rules is extremely important.
				</div></li><li class="listitem"><div class="para">
					If no rules for the service are found in either file, or if neither file exists, access to the service is granted.
				</div></li><li class="listitem"><div class="para">
					TCP-wrapped services do not cache the rules from the hosts access files, so any changes to <code class="filename">hosts.allow</code> or <code class="filename">hosts.deny</code> take effect immediately, without restarting network services.
				</div></li></ul></div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
				If the last line of a hosts access file is not a newline character (created by pressing the <span class="keycap"><strong>Enter</strong></span> key), the last rule in the file fails and an error is logged to either <code class="filename">/var/log/messages</code> or <code class="filename">/var/log/secure</code>. This is also the case for a rule that spans multiple lines without using the backslash character. The following example illustrates the relevant portion of a log message for a rule failure due to either of these circumstances:
			</div><pre class="screen">warning: /etc/hosts.allow, line 20: missing newline or line too long</pre></div></div><div class="section" id="s2-tcpwrappers-access-rules"><div class="titlepage"><div><div><h4 class="title" id="s2-tcpwrappers-access-rules">46.5.2.1. Formatting Access Rules</h4></div></div></div><a id="id1013294" class="indexterm"></a><div class="para">
				The format for both <code class="filename">/etc/hosts.allow</code> and <code class="filename">/etc/hosts.deny</code> is identical. Each rule must be on its own line. Blank lines or lines that start with a hash (#) are ignored.
			</div><div class="para">
				Each rule uses the following basic format to control access to network services:
			</div><pre class="screen"><em class="replaceable"><code>&lt;daemon list&gt;</code></em>: <em class="replaceable"><code>&lt;client list&gt;</code></em> [: <em class="replaceable"><code>&lt;option&gt;</code></em>: <em class="replaceable"><code>&lt;option&gt;</code></em>: ...]</pre><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<em class="replaceable"><code>&lt;daemon list&gt;</code></em> — A comma-separated list of process names (<span class="emphasis"><em>not</em></span> service names) or the <code class="option">ALL</code> wildcard. The daemon list also accepts operators (refer to <a class="xref" href="#s3-tcpwrappers-access-rules-op">Section 46.5.2.1.4, “Operators”</a>) to allow greater flexibility.
					</div></li><li class="listitem"><div class="para">
						<em class="replaceable"><code>&lt;client list&gt;</code></em> — A comma-separated list of hostnames, host IP addresses, special patterns, or wildcards which identify the hosts affected by the rule. The client list also accepts operators listed in <a class="xref" href="#s3-tcpwrappers-access-rules-op">Section 46.5.2.1.4, “Operators”</a> to allow greater flexibility.
					</div></li><li class="listitem"><div class="para">
						<em class="replaceable"><code>&lt;option&gt;</code></em> — An optional action or colon-separated list of actions performed when the rule is triggered. Option fields support expansions, launch shell commands, allow or deny access, and alter logging behavior.
					</div></li></ul></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					More information on the specialist terms above can be found elsewhere in this Guide:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<a class="xref" href="#s3-tcpwrappers-access-rules-wild">Section 46.5.2.1.1, “Wildcards”</a>
						</div></li><li class="listitem"><div class="para">
							<a class="xref" href="#s3-tcpwrappers-access-rules-pat">Section 46.5.2.1.2, “Patterns”</a>
						</div></li><li class="listitem"><div class="para">
							<a class="xref" href="#s3-tcpwrappers-access-rules-options-exp">Section 46.5.2.2.4, “Expansions”</a>
						</div></li><li class="listitem"><div class="para">
							<a class="xref" href="#s2-tcpwrappers-access-rules-options">Section 46.5.2.2, “Option Fields”</a>
						</div></li></ul></div></div></div><div class="para">
				The following is a basic sample hosts access rule:
			</div><pre class="screen">vsftpd : .example.com</pre><div class="para">
				This rule instructs TCP Wrappers to watch for connections to the FTP daemon (<code class="systemitem">vsftpd</code>) from any host in the <code class="systemitem">example.com</code> domain. If this rule appears in <code class="filename">hosts.allow</code>, the connection is accepted. If this rule appears in <code class="filename">hosts.deny</code>, the connection is rejected.
			</div><div class="para">
				The next sample hosts access rule is more complex and uses two option fields:
			</div><pre class="screen">sshd : .example.com  \ : spawn /bin/echo `/bin/date` access denied&gt;&gt;/var/log/sshd.log \ : deny</pre><div class="para">
				Note that each option field is preceded by the backslash (\). Use of the backslash prevents failure of the rule due to length.
			</div><div class="para">
				This sample rule states that if a connection to the SSH daemon (<code class="systemitem">sshd</code>) is attempted from a host in the <code class="systemitem">example.com</code> domain, execute the <code class="command">echo</code> command to append the attempt to a special log file, and deny the connection. Because the optional <code class="command">deny</code> directive is used, this line denies access even if it appears in the <code class="filename">hosts.allow</code> file. Refer to <a class="xref" href="#s2-tcpwrappers-access-rules-options">Section 46.5.2.2, “Option Fields”</a> for a more detailed look at available options.
			</div><div class="section" id="s3-tcpwrappers-access-rules-wild"><div class="titlepage"><div><div><h5 class="title" id="s3-tcpwrappers-access-rules-wild">46.5.2.1.1. Wildcards</h5></div></div></div><a id="id1017411" class="indexterm"></a><div class="para">
					Wildcards allow TCP Wrappers to more easily match groups of daemons or hosts. They are used most frequently in the client list field of access rules.
				</div><div class="para">
					The following wildcards are available:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="option">ALL</code> — Matches everything. It can be used for both the daemon list and the client list.
						</div></li><li class="listitem"><div class="para">
							<code class="option">LOCAL</code> — Matches any host that does not contain a period (.), such as localhost.
						</div></li><li class="listitem"><div class="para">
							<code class="option">KNOWN</code> — Matches any host where the hostname and host address are known or where the user is known.
						</div></li><li class="listitem"><div class="para">
							<code class="option">UNKNOWN</code> — Matches any host where the hostname or host address are unknown or where the user is unknown.
						</div></li><li class="listitem"><div class="para">
							<code class="option">PARANOID</code> — Matches any host where the hostname does not match the host address.
						</div></li></ul></div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
						The <code class="option">KNOWN</code>, <code class="option">UNKNOWN</code>, and <code class="option">PARANOID</code> wildcards should be used with care, because they rely on functioning DNS server for correct operation. Any disruption to name resolution may prevent legitimate users from gaining access to a service.
					</div></div></div></div><div class="section" id="s3-tcpwrappers-access-rules-pat"><div class="titlepage"><div><div><h5 class="title" id="s3-tcpwrappers-access-rules-pat">46.5.2.1.2. Patterns</h5></div></div></div><a id="id912036" class="indexterm"></a><div class="para">
					Patterns can be used in the client field of access rules to more precisely specify groups of client hosts.
				</div><div class="para">
					The following is a list of common patterns for entries in the client field:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<span class="emphasis"><em>Hostname beginning with a period (.)</em></span> — Placing a period at the beginning of a hostname matches all hosts sharing the listed components of the name. The following example applies to any host within the <code class="systemitem">example.com</code> domain:
						</div><pre class="screen">ALL : .example.com</pre></li><li class="listitem"><div class="para">
							<span class="emphasis"><em>IP address ending with a period (.)</em></span> — Placing a period at the end of an IP address matches all hosts sharing the initial numeric groups of an IP address. The following example applies to any host within the <code class="systemitem">192.168.x.x</code> network:
						</div><pre class="screen">ALL : 192.168.</pre></li><li class="listitem"><div class="para">
							<span class="emphasis"><em>IP address/netmask pair</em></span> — Netmask expressions can also be used as a pattern to control access to a particular group of IP addresses. The following example applies to any host with an address range of <code class="systemitem">192.168.0.0</code> through <code class="systemitem">192.168.1.255</code>:
						</div><pre class="screen">ALL : 192.168.0.0/255.255.254.0</pre><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
								When working in the IPv4 address space, the address/prefix length (<em class="firstterm">prefixlen</em>) pair declarations (<abbr class="abbrev">CIDR</abbr> notation) are not supported. Only IPv6 rules can use this format.
							</div></div></div></li><li class="listitem"><div class="para">
							<span class="emphasis"><em>[IPv6 address]/prefixlen pair</em></span> — [net]/prefixlen pairs can also be used as a pattern to control access to a particular group of IPv6 addresses. The following example would apply to any host with an address range of <code class="systemitem">3ffe:505:2:1::</code> through <code class="systemitem">3ffe:505:2:1:ffff:ffff:ffff:ffff</code>:
						</div><pre class="screen">ALL : [3ffe:505:2:1::]/64</pre></li><li class="listitem"><div class="para">
							<span class="emphasis"><em>The asterisk (*)</em></span> — Asterisks can be used to match entire groups of hostnames or IP addresses, as long as they are not mixed in a client list containing other types of patterns. The following example would apply to any host within the <code class="systemitem">example.com</code> domain:
						</div><pre class="screen">ALL : *.example.com</pre></li><li class="listitem"><div class="para">
							<span class="emphasis"><em>The slash (/)</em></span> — If a client list begins with a slash, it is treated as a file name. This is useful if rules specifying large numbers of hosts are necessary. The following example refers TCP Wrappers to the <code class="filename">/etc/telnet.hosts</code> file for all Telnet connections:
						</div><pre class="screen">in.telnetd : /etc/telnet.hosts</pre></li></ul></div><div class="para">
					Other, lesser used, patterns are also accepted by TCP Wrappers. Refer to the <code class="filename">hosts_access</code> man 5 page for more information.
				</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
						Be very careful when using hostnames and domain names. Attackers can use a variety of tricks to circumvent accurate name resolution. In addition, disruption to DNS service prevents even authorized users from using network services. It is, therefore, best to use IP addresses whenever possible.
					</div></div></div></div><div class="section" id="s3-tcpwrappers-access-rules-port"><div class="titlepage"><div><div><h5 class="title" id="s3-tcpwrappers-access-rules-port">46.5.2.1.3. Portmap and TCP Wrappers</h5></div></div></div><div class="para">
					<code class="command">Portmap</code>'s implementation of TCP Wrappers does not support host look-ups, which means <code class="command">portmap</code> can not use hostnames to identify hosts. Consequently, access control rules for portmap in <code class="filename">hosts.allow</code> or <code class="filename">hosts.deny</code> must use IP addresses, or the keyword <code class="option">ALL</code>, for specifying hosts.
				</div><div class="para">
					Changes to <code class="command">portmap</code> access control rules may not take effect immediately. You may need to restart the <code class="command">portmap</code> service.
				</div><div class="para">
					Widely used services, such as NIS and NFS, depend on <code class="command">portmap</code> to operate, so be aware of these limitations.
				</div></div><div class="section" id="s3-tcpwrappers-access-rules-op"><div class="titlepage"><div><div><h5 class="title" id="s3-tcpwrappers-access-rules-op">46.5.2.1.4. Operators</h5></div></div></div><a id="id995667" class="indexterm"></a><div class="para">
					At present, access control rules accept one operator, <code class="option">EXCEPT</code>. It can be used in both the daemon list and the client list of a rule.
				</div><div class="para">
					The <code class="option">EXCEPT</code> operator allows specific exceptions to broader matches within the same rule.
				</div><div class="para">
					In the following example from a <code class="filename">hosts.allow</code> file, all <code class="systemitem">example.com</code> hosts are allowed to connect to all services except <code class="systemitem">cracker.example.com</code>:
				</div><pre class="screen">ALL: .example.com EXCEPT cracker.example.com</pre><div class="para">
					In another example from a <code class="filename">hosts.allow</code> file, clients from the <code class="systemitem">192.168.0.<em class="replaceable"><code>x</code></em></code> network can use all services except for FTP:
				</div><pre class="screen">ALL EXCEPT vsftpd: 192.168.0.</pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						Organizationally, it is often easier to avoid using <code class="option">EXCEPT</code> operators. This allows other administrators to quickly scan the appropriate files to see what hosts are allowed or denied access to services, without having to sort through <code class="option">EXCEPT</code> operators.
					</div></div></div></div></div><div class="section" id="s2-tcpwrappers-access-rules-options"><div class="titlepage"><div><div><h4 class="title" id="s2-tcpwrappers-access-rules-options">46.5.2.2. Option Fields</h4></div></div></div><a id="id912706" class="indexterm"></a><div class="para">
				In addition to basic rules that allow and deny access, the Red Hat Enterprise Linux implementation of TCP Wrappers supports extensions to the access control language through <em class="firstterm">option fields</em>. By using option fields in hosts access rules, administrators can accomplish a variety of tasks such as altering log behavior, consolidating access control, and launching shell commands.
			</div><div class="section" id="s3-tcpwrappers-access-rules-log"><div class="titlepage"><div><div><h5 class="title" id="s3-tcpwrappers-access-rules-log">46.5.2.2.1. Logging</h5></div></div></div><a id="id1010490" class="indexterm"></a><div class="para">
					Option fields let administrators easily change the log facility and priority level for a rule by using the <code class="option">severity</code> directive.
				</div><div class="para">
					In the following example, connections to the SSH daemon from any host in the <code class="systemitem">example.com</code> domain are logged to the default <code class="option">authpriv</code> <code class="option">syslog</code> facility (because no facility value is specified) with a priority of <code class="option">emerg</code>:
				</div><pre class="screen">sshd : .example.com : severity emerg</pre><div class="para">
					It is also possible to specify a facility using the <code class="option">severity</code> option. The following example logs any SSH connection attempts by hosts from the <code class="systemitem">example.com</code> domain to the <code class="option">local0</code> facility with a priority of <code class="option">alert</code>:
				</div><pre class="screen">sshd : .example.com : severity local0.alert</pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						In practice, this example does not work until the syslog daemon (<code class="systemitem">syslogd</code>) is configured to log to the <code class="command">local0</code> facility. Refer to the <code class="filename">syslog.conf</code> man page for information about configuring custom log facilities.
					</div></div></div></div><div class="section" id="s3-tcpwrappers-access-rules-access"><div class="titlepage"><div><div><h5 class="title" id="s3-tcpwrappers-access-rules-access">46.5.2.2.2. Access Control</h5></div></div></div><a id="id941659" class="indexterm"></a><div class="para">
					Option fields also allow administrators to explicitly allow or deny hosts in a single rule by adding the <code class="option">allow</code> or <code class="option">deny</code> directive as the final option.
				</div><div class="para">
					For example, the following two rules allow SSH connections from <code class="systemitem">client-1.example.com</code>, but deny connections from <code class="systemitem">client-2.example.com</code>:
				</div><pre class="screen">sshd : client-1.example.com : allow
sshd : client-2.example.com : deny</pre><div class="para">
					By allowing access control on a per-rule basis, the option field allows administrators to consolidate all access rules into a single file: either <code class="filename">hosts.allow</code> or <code class="filename">hosts.deny</code>. Some administrators consider this an easier way of organizing access rules.
				</div></div><div class="section" id="s3-tcpwrappers-access-rules-comm"><div class="titlepage"><div><div><h5 class="title" id="s3-tcpwrappers-access-rules-comm">46.5.2.2.3. Shell Commands</h5></div></div></div><a id="id1008650" class="indexterm"></a><a id="id914929" class="indexterm"></a><a id="id1009142" class="indexterm"></a><div class="para">
					Option fields allow access rules to launch shell commands through the following two directives:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">spawn</code> — Launches a shell command as a child process. This directive can perform tasks like using <code class="command">/usr/sbin/safe_finger</code> to get more information about the requesting client or create special log files using the <code class="command">echo</code> command.
						</div><div class="para">
							In the following example, clients attempting to access Telnet services from the <code class="systemitem">example.com</code> domain are quietly logged to a special file:
						</div><pre class="screen">in.telnetd : .example.com \
	: spawn /bin/echo `/bin/date` from %h&gt;&gt;/var/log/telnet.log \
	: allow</pre></li><li class="listitem"><div class="para">
							<code class="command">twist</code> — Replaces the requested service with the specified command. This directive is often used to set up traps for intruders (also called "honey pots"). It can also be used to send messages to connecting clients. The <code class="command">twist</code> directive must occur at the end of the rule line.
						</div><div class="para">
							In the following example, clients attempting to access FTP services from the <code class="systemitem">example.com</code> domain are sent a message using the <code class="command">echo</code> command:
						</div><pre class="screen">vsftpd : .example.com \
	: twist /bin/echo "421 This domain has been black-listed. Access denied!"</pre></li></ul></div><div class="para">
					For more information about shell command options, refer to the <code class="filename">hosts_options</code> man page.
				</div></div><div class="section" id="s3-tcpwrappers-access-rules-options-exp"><div class="titlepage"><div><div><h5 class="title" id="s3-tcpwrappers-access-rules-options-exp">46.5.2.2.4. Expansions</h5></div></div></div><a id="id1022060" class="indexterm"></a><div class="para">
					Expansions, when used in conjunction with the <code class="command">spawn</code> and <code class="command">twist</code> directives, provide information about the client, server, and processes involved.
				</div><div class="para">
					The following is a list of supported expansions:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="option">%a</code> — Returns the client's IP address.
						</div></li><li class="listitem"><div class="para">
							<code class="option">%A</code> — Returns the server's IP address.
						</div></li><li class="listitem"><div class="para">
							<code class="option">%c</code> — Returns a variety of client information, such as the username and hostname, or the username and IP address.
						</div></li><li class="listitem"><div class="para">
							<code class="option">%d</code> — Returns the daemon process name.
						</div></li><li class="listitem"><div class="para">
							<code class="option">%h</code> — Returns the client's hostname (or IP address, if the hostname is unavailable).
						</div></li><li class="listitem"><div class="para">
							<code class="option">%H</code> — Returns the server's hostname (or IP address, if the hostname is unavailable).
						</div></li><li class="listitem"><div class="para">
							<code class="option">%n</code> — Returns the client's hostname. If unavailable, <code class="computeroutput">unknown</code> is printed. If the client's hostname and host address do not match, <code class="computeroutput">paranoid</code> is printed.
						</div></li><li class="listitem"><div class="para">
							<code class="option">%N</code> — Returns the server's hostname. If unavailable, <code class="computeroutput">unknown</code> is printed. If the server's hostname and host address do not match, <code class="computeroutput">paranoid</code> is printed.
						</div></li><li class="listitem"><div class="para">
							<code class="option">%p</code> — Returns the daemon's process ID.
						</div></li><li class="listitem"><div class="para">
							<code class="option">%s</code> —Returns various types of server information, such as the daemon process and the host or IP address of the server.
						</div></li><li class="listitem"><div class="para">
							<code class="option">%u</code> — Returns the client's username. If unavailable, <code class="computeroutput">unknown</code> is printed.
						</div></li></ul></div><div class="para">
					The following sample rule uses an expansion in conjunction with the <code class="command">spawn</code> command to identify the client host in a customized log file.
				</div><div class="para">
					When connections to the SSH daemon (<code class="systemitem">sshd</code>) are attempted from a host in the <code class="systemitem">example.com</code> domain, execute the <code class="command">echo</code> command to log the attempt, including the client hostname (by using the <code class="option">%h</code> expansion), to a special file:
				</div><pre class="screen">sshd : .example.com  \
	: spawn /bin/echo `/bin/date` access denied to %h&gt;&gt;/var/log/sshd.log \
	: deny</pre><div class="para">
					Similarly, expansions can be used to personalize messages back to the client. In the following example, clients attempting to access FTP services from the <code class="systemitem">example.com</code> domain are informed that they have been banned from the server:
				</div><pre class="screen">vsftpd : .example.com \
: twist /bin/echo "421 %h has been banned from this server!"</pre><div class="para">
					For a full explanation of available expansions, as well as additional access control options, refer to section 5 of the man pages for <code class="filename">hosts_access</code> (<code class="command">man 5 hosts_access</code>) and the man page for <code class="filename">hosts_options</code>.
				</div><div class="para">
					Refer to <a class="xref" href="#s1-tcpwrappers-additional-resources">Section 46.5.5, “Additional Resources”</a> for more information about TCP Wrappers.
				</div></div></div></div><div class="section" id="s1-tcpwrappers-xinetd"><div class="titlepage"><div><div><h3 class="title" id="s1-tcpwrappers-xinetd">46.5.3. xinetd</h3></div></div></div><a id="id988030" class="indexterm"></a><a id="id1079416" class="indexterm"></a><a id="id1025793" class="indexterm"></a><div class="para">
			The <code class="systemitem">xinetd</code> daemon is a TCP-wrapped <em class="firstterm">super service</em> which controls access to a subset of popular network services, including FTP, IMAP, and Telnet. It also provides service-specific configuration options for access control, enhanced logging, binding, redirection, and resource utilization control.
		</div><div class="para">
			When a client attempts to connect to a network service controlled by <code class="systemitem">xinetd</code>, the super service receives the request and checks for any TCP Wrappers access control rules.
		</div><div class="para">
			If access is allowed, <code class="systemitem">xinetd</code> verifies that the connection is allowed under its own access rules for that service. It also checks that the service can have more resources allotted to it and that it is not in breach of any defined rules.
		</div><div class="para">
			If all these conditions are met (that is, access is allowed to the service; the service has not reached its resource limit; and the service is not in breach of any defined rule), <code class="systemitem">xinetd</code> then starts an instance of the requested service and passes control of the connection to it. After the connection has been established, <code class="systemitem">xinetd</code> takes no further part in the communication between the client and the server.
		</div></div><div class="section" id="s1-tcpwrappers-xinetd-config"><div class="titlepage"><div><div><h3 class="title" id="s1-tcpwrappers-xinetd-config">46.5.4. xinetd Configuration Files</h3></div></div></div><a id="id1019809" class="indexterm"></a><div class="para">
			The configuration files for <code class="systemitem">xinetd</code> are as follows:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="filename">/etc/xinetd.conf</code> — The global <code class="systemitem">xinetd</code> configuration file.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">/etc/xinetd.d/</code> — The directory containing all service-specific files.
				</div></li></ul></div><div class="section" id="s2-tcpwrappers-xinetd-config-conf"><div class="titlepage"><div><div><h4 class="title" id="s2-tcpwrappers-xinetd-config-conf">46.5.4.1. The /etc/xinetd.conf File</h4></div></div></div><a id="id1083014" class="indexterm"></a><a id="id947127" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/xinetd.conf</code> file contains general configuration settings which affect every service under <code class="systemitem">xinetd</code>'s control. It is read when the <code class="systemitem">xinetd</code> service is first started, so for configuration changes to take effect, you need to restart the <code class="systemitem">xinetd</code> service. The following is a sample <code class="filename">/etc/xinetd.conf</code> file:
			</div><pre class="screen">defaults
{
         instances               = 60
	 log_type                = SYSLOG	authpriv
	 log_on_success          = HOST PID
	 log_on_failure          = HOST
	 cps                     = 25 30
}
includedir /etc/xinetd.d</pre><div class="para">
				These lines control the following aspects of <code class="systemitem">xinetd</code>:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="option">instances</code> — Specifies the maximum number of simultaneous requests that <code class="systemitem">xinetd</code> can process.
					</div></li><li class="listitem"><div class="para">
						<code class="option">log_type</code> — Configures <code class="systemitem">xinetd</code> to use the <code class="command">authpriv</code> log facility, which writes log entries to the <code class="filename">/var/log/secure</code> file. Adding a directive such as <code class="option">FILE /var/log/xinetdlog</code> would create a custom log file called <code class="filename">xinetdlog</code> in the <code class="filename">/var/log/</code> directory.
					</div></li><li class="listitem"><div class="para">
						<code class="option">log_on_success</code> — Configures <code class="systemitem">xinetd</code> to log successful connection attempts. By default, the remote host's IP address and the process ID of the server processing the request are recorded.
					</div></li><li class="listitem"><div class="para">
						<code class="option">log_on_failure</code> — Configures <code class="systemitem">xinetd</code> to log failed connection attempts or if the connection was denied.
					</div></li><li class="listitem"><div class="para">
						<code class="option">cps</code> — Configures <code class="systemitem">xinetd</code> to allow no more than 25 connections per second to any given service. If this limit is exceeded, the service is retired for 30 seconds.
					</div></li><li class="listitem"><div class="para">
						<code class="option">includedir</code> <code class="filename">/etc/xinetd.d/</code> — Includes options declared in the service-specific configuration files located in the <code class="filename">/etc/xinetd.d/</code> directory. Refer to <a class="xref" href="#s2-tcpwrappers-xinetd-config-files">Section 46.5.4.2, “The /etc/xinetd.d/ Directory”</a> for more information.
					</div></li></ul></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					Often, both the <code class="option">log_on_success</code> and <code class="option">log_on_failure</code> settings in <code class="filename">/etc/xinetd.conf</code> are further modified in the service-specific configuration files. More information may therefore appear in a given service's log file than the <code class="filename">/etc/xinetd.conf</code> file may indicate. Refer to <a class="xref" href="#s3-tcpwrappers-xinetd-alt-log">Section 46.5.4.3.1, “Logging Options”</a> for further information.
				</div></div></div></div><div class="section" id="s2-tcpwrappers-xinetd-config-files"><div class="titlepage"><div><div><h4 class="title" id="s2-tcpwrappers-xinetd-config-files">46.5.4.2. The /etc/xinetd.d/ Directory</h4></div></div></div><a id="id914006" class="indexterm"></a><a id="id1032086" class="indexterm"></a><div class="para">
				The <code class="filename">/etc/xinetd.d/</code> directory contains the configuration files for each service managed by <code class="systemitem">xinetd</code> and the names of the files correlate to the service. As with <code class="filename">xinetd.conf</code>, this directory is read only when the <code class="systemitem">xinetd</code> service is started. For any changes to take effect, the administrator must restart the <code class="systemitem">xinetd</code> service.
			</div><div class="para">
				The format of files in the <code class="filename">/etc/xinetd.d/</code> directory use the same conventions as <code class="filename">/etc/xinetd.conf</code>. The primary reason the configuration for each service is stored in a separate file is to make customization easier and less likely to affect other services.
			</div><div class="para">
				To gain an understanding of how these files are structured, consider the <code class="filename">/etc/xinetd.d/krb5-telnet</code> file:
			</div><pre class="screen">service telnet
{
         flags           = REUSE
	 socket_type     = stream
	 wait            = no
	 user            = root
	 server          = /usr/kerberos/sbin/telnetd
	 log_on_failure  += USERID
	 disable         = yes
}</pre><div class="para">
				These lines control various aspects of the <code class="command">telnet</code> service:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="option">service</code> — Specifies the service name, usually one of those listed in the <code class="filename">/etc/services</code> file.
					</div></li><li class="listitem"><div class="para">
						<code class="option">flags</code> — Sets any of a number of attributes for the connection. <code class="option">REUSE</code> instructs <code class="systemitem">xinetd</code> to reuse the socket for a Telnet connection.
					</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
							The <code class="option">REUSE</code> flag is deprecated. All services now implicitly use the <code class="option">REUSE</code> flag.
						</div></div></div></li><li class="listitem"><div class="para">
						<code class="option">socket_type</code> — Sets the network socket type to <code class="option">stream</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="option">wait</code> — Specifies whether the service is single-threaded (<code class="option">yes</code>) or multi-threaded (<code class="option">no</code>).
					</div></li><li class="listitem"><div class="para">
						<code class="option">user</code> — Specifies which user ID the process runs under.
					</div></li><li class="listitem"><div class="para">
						<code class="option">server</code> — Specifies which binary executable to launch.
					</div></li><li class="listitem"><div class="para">
						<code class="option">log_on_failure</code> — Specifies logging parameters for <code class="option">log_on_failure</code> in addition to those already defined in <code class="filename">xinetd.conf</code>.
					</div></li><li class="listitem"><div class="para">
						<code class="option">disable</code> — Specifies whether the service is disabled (<code class="option">yes</code>) or enabled (<code class="option">no</code>).
					</div></li></ul></div><div class="para">
				Refer to the <code class="filename">xinetd.conf</code> man page for more information about these options and their usage.
			</div></div><div class="section" id="s2-tcpwrappers-xinetd-alt"><div class="titlepage"><div><div><h4 class="title" id="s2-tcpwrappers-xinetd-alt">46.5.4.3. Altering xinetd Configuration Files</h4></div></div></div><div class="para">
				A range of directives is available for services protected by <code class="systemitem">xinetd</code>. This section highlights some of the more commonly used options.
			</div><div class="section" id="s3-tcpwrappers-xinetd-alt-log"><div class="titlepage"><div><div><h5 class="title" id="s3-tcpwrappers-xinetd-alt-log">46.5.4.3.1. Logging Options</h5></div></div></div><a id="id986612" class="indexterm"></a><div class="para">
					The following logging options are available for both <code class="filename">/etc/xinetd.conf</code> and the service-specific configuration files within the <code class="filename">/etc/xinetd.d/</code> directory.
				</div><div class="para">
					The following is a list of some of the more commonly used logging options:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="option">ATTEMPT</code> — Logs the fact that a failed attempt was made (<code class="option">log_on_failure</code>).
						</div></li><li class="listitem"><div class="para">
							<code class="option">DURATION</code> — Logs the length of time the service is used by a remote system (<code class="option">log_on_success</code>).
						</div></li><li class="listitem"><div class="para">
							<code class="option">EXIT</code> — Logs the exit status or termination signal of the service (<code class="option">log_on_success</code>).
						</div></li><li class="listitem"><div class="para">
							<code class="option">HOST</code> — Logs the remote host's IP address (<code class="option">log_on_failure</code> and <code class="option">log_on_success</code>).
						</div></li><li class="listitem"><div class="para">
							<code class="option">PID</code> — Logs the process ID of the server receiving the request (<code class="option">log_on_success</code>).
						</div></li><li class="listitem"><div class="para">
							<code class="option">USERID</code> — Logs the remote user using the method defined in RFC 1413 for all multi-threaded stream services (<code class="option">log_on_failure</code> and<code class="option">log_on_success</code>).
						</div></li></ul></div><div class="para">
					For a complete list of logging options, refer to the <code class="filename">xinetd.conf</code> man page.
				</div></div><div class="section" id="s3-tcpwrappers-xinetd-config-access"><div class="titlepage"><div><div><h5 class="title" id="s3-tcpwrappers-xinetd-config-access">46.5.4.3.2. Access Control Options</h5></div></div></div><a id="id942613" class="indexterm"></a><a id="id1011638" class="indexterm"></a><div class="para">
					Users of <code class="systemitem">xinetd</code> services can choose to use the TCP Wrappers hosts access rules, provide access control via the <code class="systemitem">xinetd</code> configuration files, or a mixture of both. Refer to <a class="xref" href="#s1-tcpwrappers-access">Section 46.5.2, “TCP Wrappers Configuration Files”</a> for more information about TCP Wrappers hosts access control files.
				</div><div class="para">
					This section discusses using <code class="systemitem">xinetd</code> to control access to services.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						Unlike TCP Wrappers, changes to access control only take effect if the <code class="systemitem">xinetd</code> administrator restarts the <code class="systemitem">xinetd</code> service.
					</div><div class="para">
						Also, unlike TCP Wrappers, access control through <code class="systemitem">xinetd</code> only affects services controlled by <code class="systemitem">xinetd</code>.
					</div></div></div><div class="para">
					The <code class="systemitem">xinetd</code> hosts access control differs from the method used by TCP Wrappers. While TCP Wrappers places all of the access configuration within two files, <code class="filename">/etc/hosts.allow</code> and <code class="filename">/etc/hosts.deny</code>, <code class="systemitem">xinetd</code>'s access control is found in each service's configuration file in the <code class="filename">/etc/xinetd.d/</code> directory.
				</div><div class="para">
					The following hosts access options are supported by <code class="systemitem">xinetd</code>:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="option">only_from</code> — Allows only the specified hosts to use the service.
						</div></li><li class="listitem"><div class="para">
							<code class="option">no_access</code> — Blocks listed hosts from using the service.
						</div></li><li class="listitem"><div class="para">
							<code class="option">access_times</code> — Specifies the time range when a particular service may be used. The time range must be stated in 24-hour format notation, HH:MM-HH:MM.
						</div></li></ul></div><div class="para">
					The <code class="option">only_from</code> and <code class="option">no_access</code> options can use a list of IP addresses or host names, or can specify an entire network. Like TCP Wrappers, combining <code class="systemitem">xinetd</code> access control with the enhanced logging configuration can increase security by blocking requests from banned hosts while verbosely recording each connection attempt.
				</div><div class="para">
					For example, the following <code class="filename">/etc/xinetd.d/telnet</code> file can be used to block Telnet access from a particular network group and restrict the overall time range that even allowed users can log in:
				</div><pre class="screen">service telnet
{
         disable         = no
	 flags           = REUSE
	 socket_type     = stream
	 wait            = no
	 user            = root
	 server          = /usr/kerberos/sbin/telnetd
	 log_on_failure  += USERID
	 no_access       = 172.16.45.0/24
	 log_on_success  += PID HOST EXIT
	 access_times    = 09:45-16:15
}</pre><div class="para">
					In this example, when a client system from the <code class="systemitem">10.0.1.0/24</code> network, such as <code class="systemitem">10.0.1.2</code>, tries to access the Telnet service, it receives the following message:
				</div><pre class="screen">Connection closed by foreign host.</pre><div class="para">
					In addition, their login attempts are logged in <code class="filename">/var/log/messages</code> as follows:
				</div><pre class="screen">Sep  7 14:58:33 localhost xinetd[5285]: FAIL: telnet address from=172.16.45.107
Sep  7 14:58:33 localhost xinetd[5283]: START: telnet pid=5285 from=172.16.45.107
Sep  7 14:58:33 localhost xinetd[5283]: EXIT: telnet status=0 pid=5285 duration=0(sec)</pre><div class="para">
					When using TCP Wrappers in conjunction with <code class="systemitem">xinetd</code> access controls, it is important to understand the relationship between the two access control mechanisms.
				</div><div class="para">
					The following is the sequence of events followed by <code class="systemitem">xinetd</code> when a client requests a connection:
				</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
							The <code class="systemitem">xinetd</code> daemon accesses the TCP Wrappers hosts access rules using a <code class="filename">libwrap.a</code> library call. If a deny rule matches the client, the connection is dropped. If an allow rule matches the client, the connection is passed to <code class="systemitem">xinetd</code>.
						</div></li><li class="listitem"><div class="para">
							The <code class="systemitem">xinetd</code> daemon checks its own access control rules both for the <code class="systemitem">xinetd</code> service and the requested service. If a deny rule matches the client, the connection is dropped. Otherwise, <code class="systemitem">xinetd</code> starts an instance of the requested service and passes control of the connection to that service.
						</div></li></ol></div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
						Care should be taken when using TCP Wrappers access controls in conjunction with <code class="systemitem">xinetd</code> access controls. Misconfiguration can cause undesirable effects.
					</div></div></div></div><div class="section" id="s3-tcpwrappers-xinetd-config-redirection"><div class="titlepage"><div><div><h5 class="title" id="s3-tcpwrappers-xinetd-config-redirection">46.5.4.3.3. Binding and Redirection Options</h5></div></div></div><a id="id1078828" class="indexterm"></a><a id="id940213" class="indexterm"></a><div class="para">
					The service configuration files for <code class="systemitem">xinetd</code> support binding the service to an IP address and redirecting incoming requests for that service to another IP address, hostname, or port.
				</div><div class="para">
					Binding is controlled with the <code class="option">bind</code> option in the service-specific configuration files and links the service to one IP address on the system. When this is configured, the <code class="option">bind</code> option only allows requests to the correct IP address to access the service. You can use this method to bind different services to different network interfaces based on requirements.
				</div><div class="para">
					This is particularly useful for systems with multiple network adapters or with multiple IP addresses. On such a system, insecure services (for example, Telnet), can be configured to listen only on the interface connected to a private network and not to the interface connected to the Internet.
				</div><div class="para">
					The <code class="option">redirect</code> option accepts an IP address or hostname followed by a port number. It configures the service to redirect any requests for this service to the specified host and port number. This feature can be used to point to another port number on the same system, redirect the request to a different IP address on the same machine, shift the request to a totally different system and port number, or any combination of these options. A user connecting to a certain service on a system may therefore be rerouted to another system without disruption.
				</div><div class="para">
					The <code class="systemitem">xinetd</code> daemon is able to accomplish this redirection by spawning a process that stays alive for the duration of the connection between the requesting client machine and the host actually providing the service, transferring data between the two systems.
				</div><div class="para">
					The advantages of the <code class="option">bind</code> and <code class="option">redirect</code> options are most clearly evident when they are used together. By binding a service to a particular IP address on a system and then redirecting requests for this service to a second machine that only the first machine can see, an internal system can be used to provide services for a totally different network. Alternatively, these options can be used to limit the exposure of a particular service on a multi-homed machine to a known IP address, as well as redirect any requests for that service to another machine especially configured for that purpose.
				</div><div class="para">
					For example, consider a system that is used as a firewall with this setting for its Telnet service:
				</div><pre class="screen">service telnet
{
         socket_type		= stream
	 wait			= no
	 server			= /usr/kerberos/sbin/telnetd
	 log_on_success		+= DURATION USERID
	 log_on_failure		+= USERID
	 bind                    = 123.123.123.123
	 redirect                = 10.0.1.13 23
}</pre><div class="para">
					The <code class="option">bind</code> and <code class="option">redirect</code> options in this file ensure that the Telnet service on the machine is bound to the external IP address (<code class="systemitem">123.123.123.123</code>), the one facing the Internet. In addition, any requests for Telnet service sent to <code class="systemitem">123.123.123.123</code> are redirected via a second network adapter to an internal IP address (<code class="systemitem">10.0.1.13</code>) that only the firewall and internal systems can access. The firewall then sends the communication between the two systems, and the connecting system thinks it is connected to <code class="systemitem">123.123.123.123</code> when it is actually connected to a different machine.
				</div><div class="para">
					This feature is particularly useful for users with broadband connections and only one fixed IP address. When using Network Address Translation (NAT), the systems behind the gateway machine, which are using internal-only IP addresses, are not available from outside the gateway system. However, when certain services controlled by <code class="systemitem">xinetd</code> are configured with the <code class="option">bind</code> and <code class="option">redirect</code> options, the gateway machine can act as a proxy between outside systems and a particular internal machine configured to provide the service. In addition, the various <code class="systemitem">xinetd</code> access control and logging options are also available for additional protection.
				</div></div><div class="section" id="sec-tcpwrappers-resourcemanagement"><div class="titlepage"><div><div><h5 class="title" id="sec-tcpwrappers-resourcemanagement">46.5.4.3.4. Resource Management Options</h5></div></div></div><a id="id869700" class="indexterm"></a><a id="id1014202" class="indexterm"></a><a id="id1025762" class="indexterm"></a><a id="id995637" class="indexterm"></a><div class="para">
					The <code class="systemitem">xinetd</code> daemon can add a basic level of protection from Denial of Service (DoS) attacks. The following is a list of directives which can aid in limiting the effectiveness of such attacks:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="option">per_source</code> — Defines the maximum number of instances for a service per source IP address. It accepts only integers as an argument and can be used in both <code class="filename">xinetd.conf</code> and in the service-specific configuration files in the <code class="filename">xinetd.d/</code> directory.
						</div></li><li class="listitem"><div class="para">
							<code class="option">cps</code> — Defines the maximum number of connections per second. This directive takes two integer arguments separated by white space. The first argument is the maximum number of connections allowed to the service per second. The second argument is the number of seconds that <code class="systemitem">xinetd</code> must wait before re-enabling the service. It accepts only integers as arguments and can be used in either the <code class="filename">xinetd.conf</code> file or the service-specific configuration files in the <code class="filename">xinetd.d/</code> directory.
						</div></li><li class="listitem"><div class="para">
							<code class="option">max_load</code> — Defines the CPU usage or load average threshold for a service. It accepts a floating point number argument.
						</div><div class="para">
							The load average is a rough measure of how many processes are active at a given time. See the <code class="command">uptime</code>, <code class="command">who</code>, and <code class="command">procinfo</code> commands for more information about load average.
						</div></li></ul></div><div class="para">
					There are more resource management options available for <code class="systemitem">xinetd</code>. Refer to the <code class="filename">xinetd.conf</code> man page for more information.
				</div></div></div></div><div class="section" id="s1-tcpwrappers-additional-resources"><div class="titlepage"><div><div><h3 class="title" id="s1-tcpwrappers-additional-resources">46.5.5. Additional Resources</h3></div></div></div><a id="id1019796" class="indexterm"></a><div class="para">
			More information about TCP Wrappers and <code class="systemitem">xinetd</code> is available from system documentation and on the Internet.
		</div><div class="section" id="s2-tcpwrappers-installed-doc"><div class="titlepage"><div><div><h4 class="title" id="s2-tcpwrappers-installed-doc">46.5.5.1. Installed Documentation</h4></div></div></div><a id="id937526" class="indexterm"></a><a id="id942756" class="indexterm"></a><div class="para">
				The documentation on your system is a good place to start looking for additional configuration options for TCP Wrappers, <code class="systemitem">xinetd</code>, and access control.
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="filename">/usr/share/doc/tcp_wrappers-<em class="replaceable"><code>&lt;version&gt;</code></em>/</code> — This directory contains a <code class="filename">README</code> file that discusses how TCP Wrappers work and the various hostname and host address spoofing risks that exist.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/usr/share/doc/xinetd-<em class="replaceable"><code>&lt;version&gt;</code></em>/</code> — This directory contains a <code class="filename">README</code> file that discusses aspects of access control and a <code class="filename">sample.conf</code> file with various ideas for modifying service-specific configuration files in the <code class="filename">/etc/xinetd.d/</code> directory.
					</div></li><li class="listitem"><div class="para">
						TCP Wrappers and <code class="systemitem">xinetd</code>-related man pages — A number of man pages exist for the various applications and configuration files involved with TCP Wrappers and <code class="systemitem">xinetd</code>. The following are some of the more important man pages:
					</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">Server Applications</span></dt><dd><div class="itemizedlist"><ul><li class="listitem"><div class="para">
											<code class="command">man xinetd</code> — The man page for <code class="systemitem">xinetd</code>.
										</div></li></ul></div></dd><dt class="varlistentry"><span class="term">Configuration Files</span></dt><dd><div class="itemizedlist"><ul><li class="listitem"><div class="para">
											<code class="command">man 5 hosts_access</code> — The man page for the TCP Wrappers hosts access control files.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man hosts_options</code> — The man page for the TCP Wrappers options fields.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man xinetd.conf</code> — The man page listing <code class="systemitem">xinetd</code> configuration options.
										</div></li></ul></div></dd></dl></div></li></ul></div></div><div class="section" id="s2-tcpwrappers-useful-websites"><div class="titlepage"><div><div><h4 class="title" id="s2-tcpwrappers-useful-websites">46.5.5.2. Useful Websites</h4></div></div></div><a id="id1021265" class="indexterm"></a><a id="id944951" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://www.xinetd.org">http://www.xinetd.org/</a> — The home of <code class="systemitem">xinetd</code>, containing sample configuration files, a full listing of features, and an informative FAQ.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.macsecurity.org/resources/xinetd/tutorial.shtml">http://www.macsecurity.org/resources/xinetd/tutorial.shtml</a> — A thorough tutorial that discusses many different ways to optimize default <code class="systemitem">xinetd</code> configuration files to meet specific security goals.
					</div></li></ul></div></div><div class="section" id="s2-tcpwrappers-related-books"><div class="titlepage"><div><div><h4 class="title" id="s2-tcpwrappers-related-books">46.5.5.3. Related Books</h4></div></div></div><a id="id1027680" class="indexterm"></a><a id="id1085645" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<em class="citetitle">Hacking Linux Exposed</em> by Brian Hatch, James Lee, and George Kurtz; Osbourne/McGraw-Hill — An excellent security resource with information about TCP Wrappers and <code class="systemitem">xinetd</code>.
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="section" id="ch-kerberos" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="ch-kerberos">46.6. Kerberos</h2></div></div></div><a id="id1023415" class="indexterm"></a><div class="para">
		System security and integrity within a network can be unwieldy. It can occupy the time of several administrators just to keep track of what services are being run on a network and the manner in which these services are used.
	</div><div class="para">
		Further, authenticating users to network services can prove dangerous when the method used by the protocol is inherently insecure, as evidenced by the transfer of unencrypted passwords over a network using the traditional FTP and Telnet protocols.
	</div><div class="para">
		Kerberos is a way to eliminate the need for protocols that allow unsafe methods of authentication, thereby enhancing overall network security.
	</div><div class="section" id="s1-kerberos-definition"><div class="titlepage"><div><div><h3 class="title" id="s1-kerberos-definition">46.6.1. What is Kerberos?</h3></div></div></div><div class="para">
			Kerberos is a network authentication protocol created by MIT, and uses symmetric-key cryptography<sup>[<a id="id939332" href="#ftn.id939332" class="footnote">17</a>]</sup> to authenticate users to network services, which means passwords are never actually sent over the network.
		</div><div class="para">
			Consequently, when users authenticate to network services using Kerberos, unauthorized users attempting to gather passwords by monitoring network traffic are effectively thwarted.
		</div><div class="section" id="s2-kerberos-advantages"><div class="titlepage"><div><div><h4 class="title" id="s2-kerberos-advantages">46.6.1.1. Advantages of Kerberos</h4></div></div></div><a id="id1022596" class="indexterm"></a><div class="para">
				Most conventional network services use password-based authentication schemes. Such schemes require a user to authenticate to a given network server by supplying their username and password. Unfortunately, the transmission of authentication information for many services is unencrypted. For such a scheme to be secure, the network has to be inaccessible to outsiders, and all computers and users on the network must be trusted and trustworthy.
			</div><div class="para">
				Even if this is the case, a network that is connected to the Internet can no longer be assumed to be secure. Any attacker who gains access to the network can use a simple packet analyzer, also known as a packet sniffer, to intercept usernames and passwords, compromising user accounts and the integrity of the entire security infrastructure.
			</div><div class="para">
				The primary design goal of Kerberos is to eliminate the transmission of unencrypted passwords across the network. If used properly, Kerberos effectively eliminates the threat that packet sniffers would otherwise pose on a network.
			</div></div><div class="section" id="s2-kerberos-implementations"><div class="titlepage"><div><div><h4 class="title" id="s2-kerberos-implementations">46.6.1.2. Disadvantages of Kerberos</h4></div></div></div><a id="id1037370" class="indexterm"></a><div class="para">
				Although Kerberos removes a common and severe security threat, it may be difficult to implement for a variety of reasons:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Migrating user passwords from a standard UNIX password database, such as <code class="filename">/etc/passwd</code> or <code class="filename">/etc/shadow</code>, to a Kerberos password database can be tedious, as there is no automated mechanism to perform this task. Refer to Question 2.23 in the online Kerberos FAQ:
					</div><div class="para">
						<a href="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#pwconvert"> http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html</a>
					</div></li><li class="listitem"><div class="para">
						Kerberos has only partial compatibility with the Pluggable Authentication Modules (PAM) system used by most Red Hat Enterprise Linux servers. Refer to <a class="xref" href="#s1-kerberos-pam">Section 46.6.4, “Kerberos and PAM”</a> for more information about this issue.
					</div></li><li class="listitem"><div class="para">
						Kerberos assumes that each user is trusted but is using an untrusted host on an untrusted network. Its primary goal is to prevent unencrypted passwords from being transmitted across that network. However, if anyone other than the proper user has access to the one host that issues tickets used for authentication — called the <em class="firstterm">key distribution center</em> (<em class="firstterm">KDC</em>) — the entire Kerberos authentication system is at risk.
					</div></li><li class="listitem"><div class="para">
						For an application to use Kerberos, its source must be modified to make the appropriate calls into the Kerberos libraries. Applications modified in this way are considered to be <em class="firstterm">Kerberos-aware</em>, or <em class="firstterm">kerberized</em>. For some applications, this can be quite problematic due to the size of the application or its design. For other incompatible applications, changes must be made to the way in which the server and client communicate. Again, this may require extensive programming. Closed-source applications that do not have Kerberos support by default are often the most problematic.
					</div></li><li class="listitem"><div class="para">
						Kerberos is an all-or-nothing solution. If Kerberos is used on the network, any unencrypted passwords transferred to a non-Kerberos aware service is at risk. Thus, the network gains no benefit from the use of Kerberos. To secure a network with Kerberos, one must either use Kerberos-aware versions of <span class="emphasis"><em>all</em></span> client/server applications that transmit passwords unencrypted, or not use <span class="emphasis"><em>any</em></span> such client/server applications at all.
					</div></li></ul></div></div></div><div class="section" id="s1-kerberos-terminology"><div class="titlepage"><div><div><h3 class="title" id="s1-kerberos-terminology">46.6.2. Kerberos Terminology</h3></div></div></div><a id="id939794" class="indexterm"></a><div class="para">
			Kerberos has its own terminology to define various aspects of the service. Before learning how Kerberos works, it is important to learn the following terms.
		</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">authentication server (AS)</span></dt><dd><div class="para">
						A server that issues tickets for a desired service which are in turn given to users for access to the service. The AS responds to requests from clients who do not have or do not send credentials with a request. It is usually used to gain access to the ticket-granting server (TGS) service by issuing a ticket-granting ticket (TGT). The AS usually runs on the same host as the key distribution center (KDC).
					</div></dd><dt class="varlistentry"><span class="term">ciphertext</span></dt><dd><div class="para">
						Encrypted data.
					</div></dd><dt class="varlistentry"><span class="term">client</span></dt><dd><div class="para">
						An entity on the network (a user, a host, or an application) that can receive a ticket from Kerberos.
					</div></dd><dt class="varlistentry"><span class="term">credentials</span></dt><dd><div class="para">
						A temporary set of electronic credentials that verify the identity of a client for a particular service. Also called a ticket.
					</div></dd><dt class="varlistentry"><span class="term">credential cache or ticket file</span></dt><dd><div class="para">
						A file which contains the keys for encrypting communications between a user and various network services. Kerberos 5 supports a framework for using other cache types, such as shared memory, but files are more thoroughly supported.
					</div></dd><dt class="varlistentry"><span class="term">crypt hash</span></dt><dd><div class="para">
						A one-way hash used to authenticate users. These are more secure than using unencrypted data, but they are still relatively easy to decrypt for an experienced cracker.
					</div></dd><dt class="varlistentry"><span class="term">GSS-API</span></dt><dd><div class="para">
						The Generic Security Service Application Program Interface (defined in RFC-2743 published by The Internet Engineering Task Force) is a set of functions which provide security services. This API is used by clients and services to authenticate to each other without either program having specific knowledge of the underlying mechanism. If a network service (such as cyrus-IMAP) uses GSS-API, it can authenticate using Kerberos.
					</div></dd><dt class="varlistentry"><span class="term">hash</span></dt><dd><div class="para">
						Also known as a <em class="firstterm">hash value</em>. A value generated by passing a string through a <em class="firstterm">hash function</em>. These values are typically used to ensure that transmitted data has not been tampered with.
					</div></dd><dt class="varlistentry"><span class="term">hash function</span></dt><dd><div class="para">
						A way of generating a digital "fingerprint" from input data. These functions rearrange, transpose or otherwise alter data to produce a <em class="firstterm">hash value</em>.
					</div></dd><dt class="varlistentry"><span class="term">key</span></dt><dd><div class="para">
						Data used when encrypting or decrypting other data. Encrypted data cannot be decrypted without the proper key or extremely good fortune on the part of the cracker.
					</div></dd><dt class="varlistentry"><span class="term">key distribution center (KDC)</span></dt><dd><div class="para">
						A service that issues Kerberos tickets, and which usually run on the same host as the ticket-granting server (TGS).
					</div></dd><dt class="varlistentry"><span class="term">keytab (or key table)</span></dt><dd><div class="para">
						A file that includes an unencrypted list of principals and their keys. Servers retrieve the keys they need from keytab files instead of using <code class="command">kinit</code>. The default keytab file is <code class="filename">/etc/krb5.keytab</code>. The KDC administration server, <code class="command">/usr/kerberos/sbin/kadmind</code>, is the only service that uses any other file (it uses <code class="filename">/var/kerberos/krb5kdc/kadm5.keytab</code>).
					</div></dd><dt class="varlistentry"><span class="term">kinit</span></dt><dd><div class="para">
						The <code class="command">kinit</code> command allows a principal who has already logged in to obtain and cache the initial ticket-granting ticket (TGT). Refer to the <code class="command">kinit</code> man page for more information.
					</div></dd><dt class="varlistentry"><span class="term">principal (or principal name)</span></dt><dd><div class="para">
						The principal is the unique name of a user or service allowed to authenticate using Kerberos. A principal follows the form <code class="computeroutput">root[/instance]@REALM</code>. For a typical user, the root is the same as their login ID. The <code class="computeroutput">instance</code> is optional. If the principal has an instance, it is separated from the root with a forward slash ("/"). An empty string ("") is considered a valid instance (which differs from the default <code class="computeroutput">NULL</code> instance), but using it can be confusing. All principals in a realm have their own key, which for users is derived from a password or is randomly set for services.
					</div></dd><dt class="varlistentry"><span class="term">realm</span></dt><dd><div class="para">
						A network that uses Kerberos, composed of one or more servers called KDCs and a potentially large number of clients.
					</div></dd><dt class="varlistentry"><span class="term">service</span></dt><dd><div class="para">
						A program accessed over the network.
					</div></dd><dt class="varlistentry"><span class="term">ticket</span></dt><dd><div class="para">
						A temporary set of electronic credentials that verify the identity of a client for a particular service. Also called credentials.
					</div></dd><dt class="varlistentry"><span class="term">ticket-granting server (TGS)</span></dt><dd><div class="para">
						A server that issues tickets for a desired service which are in turn given to users for access to the service. The TGS usually runs on the same host as the KDC.
					</div></dd><dt class="varlistentry"><span class="term">ticket-granting ticket (TGT)</span></dt><dd><div class="para">
						A special ticket that allows the client to obtain additional tickets without applying for them from the KDC.
					</div></dd><dt class="varlistentry"><span class="term">unencrypted password</span></dt><dd><div class="para">
						A plain text, human-readable password.
					</div></dd></dl></div></div><div class="section" id="s1-kerberos-works"><div class="titlepage"><div><div><h3 class="title" id="s1-kerberos-works">46.6.3. How Kerberos Works</h3></div></div></div><a id="id986647" class="indexterm"></a><a id="id1014916" class="indexterm"></a><a id="id986120" class="indexterm"></a><a id="id943626" class="indexterm"></a><a id="id943642" class="indexterm"></a><div class="para">
			Kerberos differs from username/password authentication methods. Instead of authenticating each user to each network service, Kerberos uses symmetric encryption and a trusted third party (a KDC), to authenticate users to a suite of network services. When a user authenticates to the KDC, the KDC sends a ticket specific to that session back to the user's machine, and any Kerberos-aware services look for the ticket on the user's machine rather than requiring the user to authenticate using a password.
		</div><div class="para">
			When a user on a Kerberos-aware network logs in to their workstation, their principal is sent to the KDC as part of a request for a TGT from the Authentication Server. This request can be sent by the log-in program so that it is transparent to the user, or can be sent by the <code class="command">kinit</code> program after the user logs in.
		</div><div class="para">
			The KDC then checks for the principal in its database. If the principal is found, the KDC creates a TGT, which is encrypted using the user's key and returned to that user.
		</div><div class="para">
			The login or <code class="command">kinit</code> program on the client then decrypts the TGT using the user's key, which it computes from the user's password. The user's key is used only on the client machine and is <span class="emphasis"><em>not</em></span> transmitted over the network.
		</div><div class="para">
			The TGT is set to expire after a certain period of time (usually ten to twenty-four hours) and is stored in the client machine's credentials cache. An expiration time is set so that a compromised TGT is of use to an attacker for only a short period of time. After the TGT has been issued, the user does not have to re-enter their password until the TGT expires or until they log out and log in again.
		</div><div class="para">
			Whenever the user needs access to a network service, the client software uses the TGT to request a new ticket for that specific service from the TGS. The service ticket is then used to authenticate the user to that service transparently.
		</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
				The Kerberos system can be compromised if a user on the network authenticates against a non-Kerberos aware service by transmitting a password in plain text. The use of non-Kerberos aware services is highly discouraged. Such services include Telnet and FTP. The use of other encrypted protocols, such as SSH or SSL-secured services, however, is preferred, although not ideal.
			</div></div></div><div class="para">
			This is only a broad overview of how Kerberos authentication works. Refer to <a class="xref" href="#sec-kerberos-additional-resources">Section 46.6.10, “Additional Resources”</a> for links to more in-depth information.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				Kerberos depends on the following network services to function correctly. 
				<div class="itemizedlist"><ul><li class="listitem"><div class="para">
							Approximate clock synchronization between the machines on the network.
						</div><div class="para">
							A clock synchronization program should be set up for the network, such as <code class="command">ntpd</code>. Refer to <code class="filename">/usr/share/doc/ntp-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/index.html</code> for details on setting up Network Time Protocol servers (where <em class="replaceable"><code>&lt;version-number&gt;</code></em> is the version number of the <code class="filename">ntp</code> package installed on your system).
						</div></li><li class="listitem"><div class="para">
							Domain Name Service (DNS).
						</div><div class="para">
							You should ensure that the DNS entries and hosts on the network are all properly configured. Refer to the <em class="citetitle">Kerberos V5 System Administrator's Guide</em> in <code class="filename">/usr/share/doc/krb5-server-<em class="replaceable"><code>&lt;version-number&gt;</code></em></code> for more information (where <em class="replaceable"><code>&lt;version-number&gt;</code></em> is the version number of the <code class="filename">krb5-server</code> package installed on your system).
						</div></li></ul></div>

</div></div></div></div><div class="section" id="s1-kerberos-pam"><div class="titlepage"><div><div><h3 class="title" id="s1-kerberos-pam">46.6.4. Kerberos and PAM</h3></div></div></div><a id="id1101233" class="indexterm"></a><a id="id1021697" class="indexterm"></a><div class="para">
			Kerberos-aware services do not currently make use of Pluggable Authentication Modules (PAM) — these services bypass PAM completely. However, applications that use PAM can make use of Kerberos for authentication if the <code class="filename">pam_krb5</code> module (provided in the <code class="filename">pam_krb5</code> package) is installed. The <code class="filename">pam_krb5</code> package contains sample configuration files that allow services such as <code class="command">login</code> and <code class="command">gdm</code> to authenticate users as well as obtain initial credentials using their passwords. If access to network servers is always performed using Kerberos-aware services or services that use GSS-API, such as IMAP, the network can be considered reasonably safe.
		</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
				Administrators should be careful not to allow users to authenticate to most network services using Kerberos passwords. Many protocols used by these services do not encrypt the password before sending it over the network, destroying the benefits of the Kerberos system. For example, users should not be allowed to authenticate to Telnet services with the same password they use for Kerberos authentication.
			</div></div></div></div><div class="section" id="s1-kerberos-server"><div class="titlepage"><div><div><h3 class="title" id="s1-kerberos-server">46.6.5. Configuring a Kerberos 5 Server</h3></div></div></div><a id="id891041" class="indexterm"></a><div class="para">
			When setting up Kerberos, install the KDC first. If it is necessary to set up slave servers, install the master first.
		</div><div class="para">
			To configure the first Kerberos KDC, follow these steps:
		</div><div class="procedure"><ol class="1"><li class="step"><div class="para">
					Ensure that time synchronization and DNS are functioning correctly on all client and server machines before configuring Kerberos. Pay particular attention to time synchronization between the Kerberos server and its clients. If the time difference between the server and client is greater than five minutes (this is configurable in Kerberos 5), Kerberos clients can not authenticate to the server. This time synchronization is necessary to prevent an attacker from using an old Kerberos ticket to masquerade as a valid user.
				</div><div class="para">
					It is advisable to set up a Network Time Protocol (NTP) compatible client/server network even if Kerberos is not being used. Red Hat Enterprise Linux includes the <code class="filename">ntp</code> package for this purpose. Refer to <code class="filename">/usr/share/doc/ntp-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/index.html</code> (where <em class="replaceable"><code>&lt;version-number&gt;</code></em> is the version number of the <code class="filename">ntp</code> package installed on your system) for details about how to set up Network Time Protocol servers, and <a href="http://www.ntp.org">http://www.ntp.org</a> for more information about NTP.
				</div></li><li class="step"><div class="para">
					Install the <code class="filename">krb5-libs</code>, <code class="filename">krb5-server</code>, and <code class="filename">krb5-workstation</code> packages on the dedicated machine which runs the KDC. This machine needs to be very secure — if possible, it should not run any services other than the KDC.
				</div></li><li class="step"><div class="para">
					Edit the <code class="filename">/etc/krb5.conf</code> and <code class="filename">/var/kerberos/krb5kdc/kdc.conf</code> configuration files to reflect the realm name and domain-to-realm mappings. A simple realm can be constructed by replacing instances of <em class="replaceable"><code>EXAMPLE.COM</code></em> and <em class="replaceable"><code>example.com</code></em> with the correct domain name — being certain to keep uppercase and lowercase names in the correct format — and by changing the KDC from <em class="replaceable"><code>kerberos.example.com</code></em> to the name of the Kerberos server. By convention, all realm names are uppercase and all DNS hostnames and domain names are lowercase. For full details about the formats of these configuration files, refer to their respective man pages.
				</div></li><li class="step"><div class="para">
					Create the database using the <code class="command">kdb5_util</code> utility from a shell prompt:
				</div><pre class="screen"><code class="command">/usr/kerberos/sbin/kdb5_util create -s</code></pre><div class="para">
					The <code class="command">create</code> command creates the database that stores keys for the Kerberos realm. The <code class="command">-s</code> switch forces creation of a <em class="firstterm">stash</em> file in which the master server key is stored. If no stash file is present from which to read the key, the Kerberos server (<code class="command">krb5kdc</code>) prompts the user for the master server password (which can be used to regenerate the key) every time it starts.
				</div></li><li class="step"><div class="para">
					Edit the <code class="filename">/var/kerberos/krb5kdc/kadm5.acl</code> file. This file is used by <code class="command">kadmind</code> to determine which principals have administrative access to the Kerberos database and their level of access. Most organizations can get by with a single line:
				</div><pre class="screen">*/admin@EXAMPLE.COM  *</pre><div class="para">
					Most users are represented in the database by a single principal (with a <span class="emphasis"><em>NULL</em></span>, or empty, instance, such as <span class="emphasis"><em>joe@EXAMPLE.COM</em></span>). In this configuration, users with a second principal with an instance of <span class="emphasis"><em>admin</em></span> (for example, <span class="emphasis"><em>joe/admin@EXAMPLE.COM</em></span>) are able to wield full power over the realm's Kerberos database.
				</div><div class="para">
					After <code class="command">kadmind</code> has been started on the server, any user can access its services by running <code class="command">kadmin</code> on any of the clients or servers in the realm. However, only users listed in the <code class="filename">kadm5.acl</code> file can modify the database in any way, except for changing their own passwords.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						The <code class="command">kadmin</code> utility communicates with the <code class="command">kadmind</code> server over the network, and uses Kerberos to handle authentication. Consequently, the first principal must already exist before connecting to the server over the network to administer it. Create the first principal with the <code class="command">kadmin.local</code> command, which is specifically designed to be used on the same host as the KDC and does not use Kerberos for authentication.
					</div></div></div><div class="para">
					Type the following <code class="command">kadmin.local</code> command at the KDC terminal to create the first principal:
				</div><pre class="screen"><code class="command">/usr/kerberos/sbin/kadmin.local -q "addprinc <em class="replaceable"><code>username</code></em>/admin"</code></pre></li><li class="step"><div class="para">
					Start Kerberos using the following commands:
				</div><pre class="screen"><code class="command">service krb5kdc start</code>
<code class="command">service kadmin start</code>
<code class="command">service krb524 start</code></pre></li><li class="step"><div class="para">
					Add principals for the users using the <code class="command">addprinc</code> command within <code class="command">kadmin</code>. <code class="command">kadmin</code> and <code class="command">kadmin.local</code> are command line interfaces to the KDC. As such, many commands — such as <code class="command">addprinc</code> — are available after launching the <code class="command">kadmin</code> program. Refer to the <code class="command">kadmin</code> man page for more information.
				</div></li><li class="step"><div class="para">
					Verify that the KDC is issuing tickets. First, run <code class="command">kinit</code> to obtain a ticket and store it in a credential cache file. Next, use <code class="command">klist</code> to view the list of credentials in the cache and use <code class="command">kdestroy</code> to destroy the cache and the credentials it contains.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						By default, <code class="command">kinit</code> attempts to authenticate using the same system login username (not the Kerberos server). If that username does not correspond to a principal in the Kerberos database, <code class="command">kinit</code> issues an error message. If that happens, supply <code class="command">kinit</code> with the name of the correct principal as an argument on the command line (<code class="command">kinit <em class="replaceable"><code>&lt;principal&gt;</code></em></code>).
					</div></div></div></li></ol></div><div class="para">
			Once these steps are completed, the Kerberos server should be up and running.
		</div></div><div class="section" id="s1-kerberos-clients"><div class="titlepage"><div><div><h3 class="title" id="s1-kerberos-clients">46.6.6. Configuring a Kerberos 5 Client</h3></div></div></div><a id="id1081668" class="indexterm"></a><div class="para">
			Setting up a Kerberos 5 client is less involved than setting up a server. At a minimum, install the client packages and provide each client with a valid <code class="filename">krb5.conf</code> configuration file. While <code class="command">ssh</code> and <code class="command">slogin</code> are the preferred method of remotely logging in to client systems, Kerberized versions of <code class="command">rsh</code> and <code class="command">rlogin</code> are still available, though deploying them requires that a few more configuration changes be made.
		</div><div class="procedure"><ol class="1"><li class="step"><div class="para">
					Be sure that time synchronization is in place between the Kerberos client and the KDC. Refer to <a class="xref" href="#s1-kerberos-server">Section 46.6.5, “Configuring a Kerberos 5 Server”</a> for more information. In addition, verify that DNS is working properly on the Kerberos client before configuring the Kerberos client programs.
				</div></li><li class="step"><div class="para">
					Install the <code class="filename">krb5-libs</code> and <code class="filename">krb5-workstation</code> packages on all of the client machines. Supply a valid <code class="filename">/etc/krb5.conf</code> file for each client (usually this can be the same <code class="filename">krb5.conf</code> file used by the KDC).
				</div></li><li class="step"><div class="para">
					Before a workstation in the realm can use Kerberos to authenticate users who connect using <code class="command">ssh</code> or Kerberized <code class="command">rsh</code> or <code class="command">rlogin</code>, it must have its own host principal in the Kerberos database. The <code class="command">sshd</code>, <code class="command">kshd</code>, and <code class="command">klogind</code> server programs all need access to the keys for the <span class="emphasis"><em>host</em></span> service's principal. Additionally, in order to use the kerberized <code class="command">rsh</code> and <code class="command">rlogin</code> services, that workstation must have the <code class="filename">xinetd</code> package installed.
				</div><div class="para">
					Using <code class="command">kadmin</code>, add a host principal for the workstation on the KDC. The instance in this case is the hostname of the workstation. Use the <code class="command">-randkey</code> option for the <code class="command">kadmin</code>'s <code class="command">addprinc</code> command to create the principal and assign it a random key:
				</div><pre class="screen"><code class="command">addprinc -randkey host/<em class="replaceable"><code>blah.example.com</code></em></code></pre><div class="para">
					Now that the principal has been created, keys can be extracted for the workstation by running <code class="command">kadmin</code> <span class="emphasis"><em>on the workstation itself</em></span>, and using the <code class="command">ktadd</code> command within <code class="command">kadmin</code>:
				</div><pre class="screen"><code class="command">ktadd -k /etc/krb5.keytab host/<em class="replaceable"><code>blah.example.com</code></em></code></pre></li><li class="step"><div class="para">
					To use other kerberized network services, they must first be started. Below is a list of some common kerberized services and instructions about enabling them:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">ssh</code> — OpenSSH uses GSS-API to authenticate users to servers if the client's and server's configuration both have <code class="option">GSSAPIAuthentication</code> enabled. If the client also has <code class="option">GSSAPIDelegateCredentials</code> enabled, the user's credentials are made available on the remote system.
						</div></li><li class="listitem"><div class="para">
							<code class="command">rsh</code> and <code class="command">rlogin</code> — To use the kerberized versions of <code class="command">rsh</code> and <code class="command">rlogin</code>, enable <code class="command">klogin</code>, <code class="command">eklogin</code>, and <code class="command">kshell</code>.
						</div></li><li class="listitem"><div class="para">
							Telnet — To use kerberized Telnet, <code class="command">krb5-telnet</code> must be enabled.
						</div></li><li class="listitem"><div class="para">
							FTP — To provide FTP access, create and extract a key for the principal with a root of <code class="computeroutput">ftp</code>. Be certain to set the instance to the fully qualified hostname of the FTP server, then enable <code class="command">gssftp</code>.
						</div></li><li class="listitem"><div class="para">
							IMAP — To use a kerberized IMAP server, the <code class="filename">cyrus-imap</code> package uses Kerberos 5 if it also has the <code class="filename">cyrus-sasl-gssapi</code> package installed. The <code class="filename">cyrus-sasl-gssapi</code> package contains the Cyrus SASL plugins which support GSS-API authentication. Cyrus IMAP should function properly with Kerberos as long as the <code class="command">cyrus</code> user is able to find the proper key in <code class="filename">/etc/krb5.keytab</code>, and the root for the principal is set to <code class="command">imap</code> (created with <code class="command">kadmin</code>).
						</div><div class="para">
							An alternative to <code class="filename">cyrus-imap</code> can be found in the <code class="command">dovecot</code> package, which is also included in Red Hat Enterprise Linux. This package contains an IMAP server but does not, to date, support GSS-API and Kerberos.
						</div></li><li class="listitem"><div class="para">
							CVS — To use a kerberized CVS server, <code class="command">gserver</code> uses a principal with a root of <code class="computeroutput">cvs</code> and is otherwise identical to the CVS <code class="command">pserver</code>.
						</div></li></ul></div><div class="para">
					Refer to <a class="xref" href="#ch-services">Chapter 17, <em>Controlling Access to Services</em></a> for details about how to enable services.
				</div></li></ol></div></div><div class="section" id="sec-kerberos-client2"><div class="titlepage"><div><div><h3 class="title" id="sec-kerberos-client2">46.6.7. Domain-to-Realm Mapping</h3></div></div></div><div class="para">
			When a client attempts to access a service running on a particular server, it knows the name of the service (<span class="emphasis"><em>host</em></span>) and the name of the server (<span class="emphasis"><em>foo.example.com</em></span>), but because more than one realm may be deployed on your network, it must guess at the name of the realm in which the service resides.
		</div><div class="para">
			By default, the name of the realm is taken to be the DNS domain name of the server, upper-cased.
		</div><div class="literallayout"><p>foo.example.org → EXAMPLE.ORG<br />
		foo.example.com → EXAMPLE.COM<br />
		foo.hq.example.com → HQ.EXAMPLE.COM</p></div><div class="para">
			In some configurations, this will be sufficient, but in others, the realm name which is derived will be the name of a non-existent realm. In these cases, the mapping from the server's DNS domain name to the name of its realm must be specified in the <span class="emphasis"><em>domain_realm</em></span> section of the client system's <code class="filename">krb5.conf</code>. For example:
		</div><pre class="screen">[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM</pre><div class="para">
			The above configuration specifies two mappings. The first mapping specifies that any system in the "example.com" DNS domain belongs to the <span class="emphasis"><em>EXAMPLE.COM</em></span> realm. The second specifies that a system with the exact name "example.com" is also in the realm. (The distinction between a domain and a specific host is marked by the presence or lack of an initial ".".) The mapping can also be stored directly in DNS.
		</div></div><div class="section" id="sec-kerberos-server2"><div class="titlepage"><div><div><h3 class="title" id="sec-kerberos-server2">46.6.8. Setting Up Secondary KDCs</h3></div></div></div><div class="para">
			For a number of reasons, you may choose to run multiple KDCs for a given realm. In this scenario, one KDC (the <span class="emphasis"><em>master KDC</em></span>) keeps a writable copy of the realm database and runs <code class="command">kadmind</code> (it is also your realm's <span class="emphasis"><em>admin server</em></span>), and one or more KDCs (<span class="emphasis"><em>slave KDCs</em></span>) keep read-only copies of the database and run <code class="command">kpropd</code>.
		</div><div class="para">
			The master-slave propagation procedure entails the master KDC dumping its database to a temporary dump file and then transmitting that file to each of its slaves, which then overwrite their previously-received read-only copies of the database with the contents of the dump file.
		</div><div class="para">
			To set up a slave KDC, first ensure that the master KDC's <code class="filename">krb5.conf</code> and <code class="filename">kdc.conf</code> files are copied to the slave KDC.
		</div><div class="para">
			Start <code class="command">kadmin.local</code> from a root shell on the master KDC and use its <code class="command">add_principal</code> command to create a new entry for the master KDC's <span class="emphasis"><em>host</em></span> service, and then use its <code class="command">ktadd</code> command to simultaneously set a random key for the service and store the random key in the master's default keytab file. This key will be used by the <code class="command">kprop</code> command to authenticate to the slave servers. You will only need to do this once, regardless of how many slave servers you install.
		</div><pre class="screen">~]# <code class="command">kadmin.local -r EXAMPLE.COM</code>
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin: <strong class="userinput"><code>add_principal -randkey host/masterkdc.example.com</code></strong>
Principal "host/host/masterkdc.example.com@EXAMPLE.COM" created.
kadmin: <strong class="userinput"><code>ktadd host/masterkdc.example.com</code></strong>
Entry for principal host/masterkdc.example.com with kvno 3, encryption type Triple DES cbc mode with \
	HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/masterkdc.example.com with kvno 3, encryption type ArcFour with HMAC/md5 \
	added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/masterkdc.example.com with kvno 3, encryption type DES with HMAC/sha1 added \
	to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/masterkdc.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 \
	added to keytab WRFILE:/etc/krb5.keytab.
kadmin: <strong class="userinput"><code>quit</code></strong></pre><div class="para">
			Start <code class="command">kadmin</code> from a root shell on the slave KDC and use its <code class="command">add_principal</code> command to create a new entry for the slave KDC's <span class="emphasis"><em>host</em></span> service, and then use <code class="command">kadmin</code>'s <code class="command">ktadd</code> command to simultaneously set a random key for the service and store the random key in the slave's default keytab file. This key is used by the <code class="command">kpropd</code> service when authenticating clients.
		</div><pre class="screen">~]# <code class="command">kadmin -p jimbo/admin@EXAMPLE.COM -r EXAMPLE.COM</code>
Authenticating as principal jimbo/admin@EXAMPLE.COM with password.
Password for jimbo/admin@EXAMPLE.COM:
kadmin: <strong class="userinput"><code>add_principal -randkey host/slavekdc.example.com</code></strong>
Principal "host/slavekdc.example.com@EXAMPLE.COM" created.
kadmin: <strong class="userinput"><code>ktadd host/slavekdc.example.com@EXAMPLE.COM</code></strong>
Entry for principal host/slavekdc.example.com with kvno 3, encryption type Triple DES cbc mode with \
	HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/slavekdc.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added \
	to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/slavekdc.example.com with kvno 3, encryption type DES with HMAC/sha1 added \
	to keytab WRFILE:/etc/krb5.keytab.
Entry for principal host/slavekdc.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added \
	to keytab WRFILE:/etc/krb5.keytab.
kadmin: <strong class="userinput"><code>quit</code></strong></pre><div class="para">
			With its service key, the slave KDC could authenticate any client which would connect to it. Obviously, not all of them should be allowed to provide the slave's <code class="command">kprop</code> service with a new realm database. To restrict access, the <code class="command">kprop</code> service on the slave KDC will only accept updates from clients whose principal names are listed in <code class="filename">/var/kerberos/krb5kdc/kpropd.acl</code>. Add the master KDC's host service's name to that file.
		</div><pre class="screen">~]# <code class="command">echo host/masterkdc.example.com@EXAMPLE.COM &gt; /var/kerberos/krb5kdc/kpropd.acl</code></pre><div class="para">
			Once the slave KDC has obtained a copy of the database, it will also need the master key which was used to encrypt it. If your KDC database's master key is stored in a <span class="emphasis"><em>stash</em></span> file on the master KDC (typically named <code class="filename">/var/kerberos/krb5kdc/.k5.REALM</code>, either copy it to the slave KDC using any available secure method, or create a dummy database and identical stash file on the slave KDC by running <code class="command">kdb5_util create -s</code> (the dummy database will be overwritten by the first successful database propagation) and supplying the same password.
		</div><div class="para">
			Ensure that the slave KDC's firewall allows the master KDC to contact it using TCP on port 754 (<span class="emphasis"><em>krb5_prop</em></span>), and start the <code class="command">kprop</code> service. Then, double-check that the <code class="command">kadmin</code> service is <span class="emphasis"><em>disabled</em></span>.
		</div><div class="para">
			Now perform a manual database propagation test by dumping the realm database, on the master KDC, to the default data file which the <code class="command">kprop</code> command will read (<code class="filename">/var/kerberos/krb5kdc/slave_datatrans</code>), and then use the <code class="command">kprop</code> command to transmit its contents to the slave KDC.
		</div><pre class="screen">~]# <code class="command">/usr/kerberos/sbin/kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans</code>
~]# <code class="command">kprop slavekdc.example.com</code></pre><div class="para">
			Using <code class="command">kinit</code>, verify that a client system whose <code class="filename">krb5.conf</code> lists only the slave KDC in its list of KDCs for your realm is now correctly able to obtain initial credentials from the slave KDC.
		</div><div class="para">
			That done, simply create a script which dumps the realm database and runs the <code class="command">kprop</code> command to transmit the database to each slave KDC in turn, and configure the <code class="command">cron</code> service to run the script periodically.
		</div></div><div class="section" id="sec-kerberos-crossrealm"><div class="titlepage"><div><div><h3 class="title" id="sec-kerberos-crossrealm">46.6.9. Setting Up Cross Realm Authentication</h3></div></div></div><div class="para">
			<span class="emphasis"><em>Cross-realm authentication</em></span> is the term which is used to describe situations in which clients (typically users) of one realm use Kerberos to authenticate to services (typically server processes running on a particular server system) which belong to a realm other than their own.
		</div><div class="para">
			For the simplest case, in order for a client of a realm named <code class="literal">A.EXAMPLE.COM</code> to access a service in the <code class="literal">B.EXAMPLE.COM</code> realm, both realms must share a key for a principal named <code class="literal">krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM</code>, and both keys must have the same key version number associated with them.
		</div><div class="para">
			To accomplish this, select a very strong password or passphrase, and create an entry for the principal in both realms using kadmin.
		</div><pre class="screen">~]# <code class="command">kadmin -r A.EXAMPLE.COM</code>
kadmin: <strong class="userinput"><code>add_principal krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM</code></strong>
Enter password for principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM":
Re-enter password for principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM":
Principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM" created.
kadmin:	<strong class="userinput"><code>quit</code></strong>
~]# <code class="command">kadmin -r B.EXAMPLE.COM</code>
kadmin: <strong class="userinput"><code>add_principal krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM</code></strong>
Enter password for principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM":
Re-enter password for principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM":
Principal "krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM" created.
kadmin: <strong class="userinput"><code>quit</code></strong></pre><div class="para">
			Use the <code class="command">get_principal</code> command to verify that both entries have matching key version numbers (<code class="literal">kvno</code> values) and encryption types.
		</div><div class="warning"><div class="admonition_header"><h2>Dumping the Database Doesn't Do It</h2></div><div class="admonition"><div class="para">
				Security-conscious administrators may attempt to use the <code class="command">add_principal</code> command's <code class="literal">-randkey</code> option to assign a random key instead of a password, dump the new entry from the database of the first realm, and import it into the second. This will not work unless the master keys for the realm databases are identical, as the keys contained in a database dump are themselves encrypted using the master key.
			</div></div></div><div class="para">
			Clients in the <code class="literal">A.EXAMPLE.COM</code> realm are now able to authenticate to services in the <code class="literal">B.EXAMPLE.COM</code> realm. Put another way, the <code class="literal">B.EXAMPLE.COM</code> realm now <span class="emphasis"><em>trusts</em></span> the <code class="literal">A.EXAMPLE.COM</code> realm, or phrased even more simply, <code class="literal">B.EXAMPLE.COM</code> now <span class="emphasis"><em>trusts</em></span> <code class="literal">A.EXAMPLE.COM</code>.
		</div><div class="para">
			This brings us to an important point: cross-realm trust is unidirectional by default. The KDC for the <code class="literal">B.EXAMPLE.COM</code> realm may trust clients from the <code class="literal">A.EXAMPLE.COM</code> to authenticate to services in the <code class="literal">B.EXAMPLE.COM</code> realm, but the fact that it does has no effect on whether or not clients in the <code class="literal">B.EXAMPLE.COM</code> realm are trusted to authenticate to services in the <code class="literal">A.EXAMPLE.COM</code> realm. To establish trust in the other direction, both realms would need to share keys for the <code class="literal">krbtgt/A.EXAMPLE.COM@B.EXAMPLE.COM</code> service (take note of the reversed in order of the two realms compared to the example above).
		</div><div class="para">
			If direct trust relationships were the only method for providing trust between realms, networks which contain multiple realms would be very difficult to set up. Luckily, cross-realm trust is transitive. If clients from <code class="literal">A.EXAMPLE.COM</code> can authenticate to services in <code class="literal">B.EXAMPLE.COM</code>, and clients from <code class="literal">B.EXAMPLE.COM</code> can authenticate to services in <code class="literal">C.EXAMPLE.COM</code>, then clients in <code class="literal">A.EXAMPLE.COM</code> can also authenticate to services in <code class="literal">C.EXAMPLE.COM</code>, <span class="emphasis"><em>even if <code class="literal">C.EXAMPLE.COM</code> doesn't directly trust <code class="literal">A.EXAMPLE.COM</code></em></span>. This means that, on a network with multiple realms which all need to trust each other, making good choices about which trust relationships to set up can greatly reduce the amount of effort required.
		</div><div class="para">
			Now you face the more conventional problems: the client's system must be configured so that it can properly deduce the realm to which a particular service belongs, and it must be able to determine how to obtain credentials for services in that realm.
		</div><div class="para">
			First things first: the principal name for a service provided from a specific server system in a given realm typically looks like this:
		</div><pre class="screen">service/server.example.com@EXAMPLE.COM</pre><div class="para">
			In this example, <span class="emphasis"><em>service</em></span> is typically either the name of the protocol in use (other common values include <span class="emphasis"><em>ldap</em></span>, <span class="emphasis"><em>imap</em></span>, <span class="emphasis"><em>cvs</em></span>, and <span class="emphasis"><em>HTTP</em></span>) or <span class="emphasis"><em>host</em></span>, <span class="emphasis"><em>server.example.com</em></span> is the fully-qualified domain name of the system which runs the service, and <code class="literal">EXAMPLE.COM</code> is the name of the realm.
		</div><div class="para">
			To deduce the realm to which the service belongs, clients will most often consult DNS or the <code class="literal">domain_realm</code> section of <code class="filename">/etc/krb5.conf</code> to map either a hostname (<span class="emphasis"><em>server.example.com</em></span>) or a DNS domain name (<span class="emphasis"><em>.example.com</em></span>) to the name of a realm (<span class="emphasis"><em>EXAMPLE.COM</em></span>).
		</div><div class="para">
			Having determined which to which realm a service belongs, a client then has to determine the set of realms which it needs to contact, and in which order it must contact them, to obtain credentials for use in authenticating to the service.
		</div><div class="para">
			This can be done in one of two ways.
		</div><div class="para">
			The default method, which requires no explicit configuration, is to give the realms names within a shared hierarchy. For an example, assume realms named <code class="literal">A.EXAMPLE.COM</code>, <code class="literal">B.EXAMPLE.COM</code>, and <code class="literal">EXAMPLE.COM</code>. When a client in the <code class="literal">A.EXAMPLE.COM</code> realm attempts to authenticate to a service in <code class="literal">B.EXAMPLE.COM</code>, it will, by default, first attempt to get credentials for the <code class="literal">EXAMPLE.COM</code> realm, and then to use those credentials to obtain credentials for use in the <code class="literal">B.EXAMPLE.COM</code> realm.
		</div><div class="para">
			The client in this scenario treats the realm name as one might treat a DNS name. It repeatedly strips off the components of its own realm's name to generate the names of realms which are "above" it in the hierarchy until it reaches a point which is also "above" the service's realm. At that point it begins prepending components of the service's realm name until it reaches the service's realm. Each realm which is involved in the process is another "hop".
		</div><div class="para">
			For example, using credentials in <code class="literal">A.EXAMPLE.COM</code>, authenticating to a service in <code class="literal">B.EXAMPLE.COM</code>: 
<div class="literallayout"><p><br />
		A.EXAMPLE.COM → EXAMPLE.COM → B.EXAMPLE.COM<br />
</p></div>
			 <div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="literal">A.EXAMPLE.COM</code> and <code class="literal">EXAMPLE.COM</code> share a key for <code class="literal">krbtgt/EXAMPLE.COM@A.EXAMPLE.COM</code>
					</div></li><li class="listitem"><div class="para">
						<code class="literal">EXAMPLE.COM</code> and <code class="literal">B.EXAMPLE.COM</code> share a key for <code class="literal">krbtgt/B.EXAMPLE.COM@EXAMPLE.COM</code>
					</div></li></ul></div>

</div><div class="para">
			Another example, using credentials in <code class="literal">SITE1.SALES.EXAMPLE.COM</code>, authenticating to a service in <code class="literal">EVERYWHERE.EXAMPLE.COM</code>: 
<div class="literallayout"><p><br />
		SITE1.SALES.EXAMPLE.COM → SALES.EXAMPLE.COM → EXAMPLE.COM → EVERYWHERE.EXAMPLE.COM<br />
</p></div>
			 <div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="literal">SITE1.SALES.EXAMPLE.COM</code> and <code class="literal">SALES.EXAMPLE.COM</code> share a key for <code class="literal">krbtgt/SALES.EXAMPLE.COM@SITE1.SALES.EXAMPLE.COM</code>
					</div></li><li class="listitem"><div class="para">
						<code class="literal">SALES.EXAMPLE.COM</code> and <code class="literal">EXAMPLE.COM</code> share a key for <code class="literal">krbtgt/EXAMPLE.COM@SALES.EXAMPLE.COM</code>
					</div></li><li class="listitem"><div class="para">
						<code class="literal">EXAMPLE.COM</code> and <code class="literal">EVERYWHERE.EXAMPLE.COM</code> share a key for <code class="literal">krbtgt/EVERYWHERE.EXAMPLE.COM@EXAMPLE.COM</code>
					</div></li></ul></div>

</div><div class="para">
			Another example, this time using realm names whose names share no common suffix (<code class="literal">DEVEL.EXAMPLE.COM</code> and <code class="literal">PROD.EXAMPLE.ORG</code>): 
<div class="literallayout"><p><br />
		DEVEL.EXAMPLE.COM → EXAMPLE.COM → COM → ORG → EXAMPLE.ORG → PROD.EXAMPLE.ORG<br />
</p></div>
			 <div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="literal">DEVEL.EXAMPLE.COM</code> and <code class="literal">EXAMPLE.COM</code> share a key for <code class="literal">krbtgt/EXAMPLE.COM@DEVEL.EXAMPLE.COM</code>
					</div></li><li class="listitem"><div class="para">
						<code class="literal">EXAMPLE.COM</code> and <code class="literal">COM</code> share a key for <code class="literal">krbtgt/COM@EXAMPLE.COM</code>
					</div></li><li class="listitem"><div class="para">
						<code class="literal">COM</code> and <code class="literal">ORG</code> share a key for <code class="literal">krbtgt/ORG@COM</code>
					</div></li><li class="listitem"><div class="para">
						<code class="literal">ORG</code> and <code class="literal">EXAMPLE.ORG</code> share a key for <code class="literal">krbtgt/EXAMPLE.ORG@ORG</code>
					</div></li><li class="listitem"><div class="para">
						<code class="literal">EXAMPLE.ORG</code> and <code class="literal">PROD.EXAMPLE.ORG</code> share a key for <code class="literal">krbtgt/PROD.EXAMPLE.ORG@EXAMPLE.ORG</code>
					</div></li></ul></div>

</div><div class="para">
			The more complicated, but also more flexible, method involves configuring the <code class="literal">capaths</code> section of <code class="filename">/etc/krb5.conf</code>, so that clients which have credentials for one realm will be able to look up which realm is next in the chain which will eventually lead to the being able to authenticate to servers.
		</div><div class="para">
			The format of the <code class="literal">capaths</code> section is relatively straightforward: each entry in the section is named after a realm in which a client might exist. Inside of that subsection, the set of intermediate realms from which the client must obtain credentials is listed as values of the key which corresponds to the realm in which a service might reside. If there are no intermediate realms, the value "." is used.
		</div><div class="para">
			Here's an example:
		</div><pre class="screen">[capaths]
A.EXAMPLE.COM = {
	B.EXAMPLE.COM = .
	C.EXAMPLE.COM = B.EXAMPLE.COM
	D.EXAMPLE.COM = B.EXAMPLE.COM
	D.EXAMPLE.COM = C.EXAMPLE.COM
}</pre><div class="para">
			In this example, clients in the <code class="literal">A.EXAMPLE.COM</code> realm can obtain cross-realm credentials for <code class="literal">B.EXAMPLE.COM</code> directly from the <code class="literal">A.EXAMPLE.COM</code> KDC.
		</div><div class="para">
			If those clients wish to contact a service in the<code class="literal">C.EXAMPLE.COM</code> realm, they will first need to obtain necessary credentials from the <code class="literal">B.EXAMPLE.COM</code> realm (this requires that <code class="literal">krbtgt/B.EXAMPLE.COM@A.EXAMPLE.COM</code> exist), and then use <code class="literal">those</code> credentials to obtain credentials for use in the <code class="literal">C.EXAMPLE.COM</code> realm (using <code class="literal">krbtgt/C.EXAMPLE.COM@B.EXAMPLE.COM</code>).
		</div><div class="para">
			If those clients wish to contact a service in the <code class="literal">D.EXAMPLE.COM</code> realm, they will first need to obtain necessary credentials from the <code class="literal">B.EXAMPLE.COM</code> realm, and then credentials from the <code class="literal">C.EXAMPLE.COM</code> realm, before finally obtaining credentials for use with the <code class="literal">D.EXAMPLE.COM</code> realm.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				Without a capath entry indicating otherwise, Kerberos assumes that cross-realm trust relationships form a hierarchy.
			</div><div class="para">
				Clients in the <code class="literal">A.EXAMPLE.COM</code> realm can obtain cross-realm credentials from <code class="literal">B.EXAMPLE.COM</code> realm directly. Without the "." indicating this, the client would instead attempt to use a hierarchical path, in this case:
			</div><div class="literallayout"><p><br />
		A.EXAMPLE.COM → EXAMPLE.COM → B.EXAMPLE.COM<br />
</p></div></div></div></div><div class="section" id="sec-kerberos-additional-resources"><div class="titlepage"><div><div><h3 class="title" id="sec-kerberos-additional-resources">46.6.10. Additional Resources</h3></div></div></div><a id="id1087260" class="indexterm"></a><div class="para">
			For more information about Kerberos, refer to the following resources.
		</div><div class="section" id="s2-kerberos-installed-documentation"><div class="titlepage"><div><div><h4 class="title" id="s2-kerberos-installed-documentation">46.6.10.1. Installed Documentation</h4></div></div></div><a id="id1010665" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						The <em class="citetitle">Kerberos V5 Installation Guide</em> and the <em class="citetitle">Kerberos V5 System Administrator's Guide</em> in PostScript and HTML formats. These can be found in the <code class="filename">/usr/share/doc/krb5-server-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/</code> directory (where <em class="replaceable"><code>&lt;version-number&gt;</code></em> is the version number of the <code class="command">krb5-server</code> package installed on your system).
					</div></li><li class="listitem"><div class="para">
						The <em class="citetitle">Kerberos V5 UNIX User's Guide</em> in PostScript and HTML formats. These can be found in the <code class="filename">/usr/share/doc/krb5-workstation-<em class="replaceable"><code>&lt;version-number&gt;</code></em>/</code> directory (where <em class="replaceable"><code>&lt;version-number&gt;</code></em> is the version number of the <code class="command">krb5-workstation</code> package installed on your system).
					</div></li><li class="listitem"><div class="para">
						Kerberos man pages — There are a number of man pages for the various applications and configuration files involved with a Kerberos implementation. The following is a list of some of the more important man pages.
					</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">Client Applications</span></dt><dd><div class="itemizedlist"><ul><li class="listitem"><div class="para">
											<code class="command">man kerberos</code> — An introduction to the Kerberos system which describes how credentials work and provides recommendations for obtaining and destroying Kerberos tickets. The bottom of the man page references a number of related man pages.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man kinit</code> — Describes how to use this command to obtain and cache a ticket-granting ticket.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man kdestroy</code> — Describes how to use this command to destroy Kerberos credentials.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man klist</code> — Describes how to use this command to list cached Kerberos credentials.
										</div></li></ul></div></dd><dt class="varlistentry"><span class="term">Administrative Applications</span></dt><dd><div class="itemizedlist"><ul><li class="listitem"><div class="para">
											<code class="command">man kadmin</code> — Describes how to use this command to administer the Kerberos V5 database.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man kdb5_util</code> — Describes how to use this command to create and perform low-level administrative functions on the Kerberos V5 database.
										</div></li></ul></div></dd><dt class="varlistentry"><span class="term">Server Applications</span></dt><dd><div class="itemizedlist"><ul><li class="listitem"><div class="para">
											<code class="command">man krb5kdc</code> — Describes available command line options for the Kerberos V5 KDC.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man kadmind</code> — Describes available command line options for the Kerberos V5 administration server.
										</div></li></ul></div></dd><dt class="varlistentry"><span class="term">Configuration Files</span></dt><dd><div class="itemizedlist"><ul><li class="listitem"><div class="para">
											<code class="command">man krb5.conf</code> — Describes the format and options available within the configuration file for the Kerberos V5 library.
										</div></li><li class="listitem"><div class="para">
											<code class="command">man kdc.conf</code> — Describes the format and options available within the configuration file for the Kerberos V5 AS and KDC.
										</div></li></ul></div></dd></dl></div></li></ul></div></div><div class="section" id="s2-kerberos-useful-websites"><div class="titlepage"><div><div><h4 class="title" id="s2-kerberos-useful-websites">46.6.10.2. Useful Websites</h4></div></div></div><a id="id1014114" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://web.mit.edu/kerberos/www/">http://web.mit.edu/kerberos/www/</a> — <em class="citetitle">Kerberos: The Network Authentication Protocol</em> webpage from MIT.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html">http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html</a> — The Kerberos Frequently Asked Questions (FAQ).
					</div></li><li class="listitem"><div class="para">
						<a href="ftp://athena-dist.mit.edu/pub/kerberos/doc/usenix.PS">ftp://athena-dist.mit.edu/pub/kerberos/doc/usenix.PS</a> — The PostScript version of <em class="citetitle">Kerberos: An Authentication Service for Open Network Systems</em> by Jennifer G. Steiner, Clifford Neuman, and Jeffrey I. Schiller. This document is the original paper describing Kerberos.
					</div></li><li class="listitem"><div class="para">
						<a href="http://web.mit.edu/kerberos/www/dialogue.html">http://web.mit.edu/kerberos/www/dialogue.html</a> — <em class="citetitle">Designing an Authentication System: a Dialogue in Four Scenes</em> originally by Bill Bryant in 1988, modified by Theodore Ts'o in 1997. This document is a conversation between two developers who are thinking through the creation of a Kerberos-style authentication system. The conversational style of the discussion make this a good starting place for people who are completely unfamiliar with Kerberos.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.ornl.gov/~jar/HowToKerb.html">http://www.ornl.gov/~jar/HowToKerb.html</a> — <em class="citetitle">How to Kerberize your site</em> is a good reference for kerberizing a network.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.networkcomputing.com/netdesign/kerb1.html">http://www.networkcomputing.com/netdesign/kerb1.html</a> — <em class="citetitle">Kerberos Network Design Manual</em> is a thorough overview of the Kerberos system.
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="section" id="ch-vpn" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="ch-vpn">46.7. Virtual Private Networks (VPNs)</h2></div></div></div><a id="id1013314" class="indexterm"></a><a id="id1017456" class="indexterm"></a><div class="para">
		Organizations with several satellite offices often connect to each other with dedicated lines for efficiency and protection of sensitive data in transit. For example, many businesses use frame relay or <em class="firstterm">Asynchronous Transfer Mode</em> (<acronym class="acronym">ATM</acronym>) lines as an end-to-end networking solution to link one office with others. This can be an expensive proposition, especially for small to medium sized businesses (<acronym class="acronym">SMB</acronym>s) that want to expand without paying the high costs associated with enterprise-level, dedicated digital circuits.
	</div><div class="para">
		To address this need, <em class="firstterm">Virtual Private Networks</em> (<abbr class="abbrev">VPN</abbr>s) were developed. Following the same functional principles as dedicated circuits, <abbr class="abbrev">VPN</abbr>s allow for secured digital communication between two parties (or networks), creating a <em class="firstterm">Wide Area Network</em> (<acronym class="acronym">WAN</acronym>) from existing <em class="firstterm">Local Area Networks</em> (<acronym class="acronym">LAN</acronym>s). Where it differs from frame relay or ATM is in its transport medium. <abbr class="abbrev">VPN</abbr>s transmit over IP using datagrams as the transport layer, making it a secure conduit through the Internet to an intended destination. Most free software <abbr class="abbrev">VPN</abbr> implementations incorporate open standard encryption methods to further mask data in transit.
	</div><div class="para">
		Some organizations employ hardware <abbr class="abbrev">VPN</abbr> solutions to augment security, while others use software or protocol-based implementations. Several vendors provide hardware <abbr class="abbrev">VPN</abbr> solutions, such as Cisco, Nortel, IBM, and Checkpoint. There is a free software-based <abbr class="abbrev">VPN</abbr> solution for Linux called FreeS/Wan that utilizes a standardized <em class="firstterm">Internet Protocol Security</em> (<abbr class="abbrev">IPsec</abbr>) implementation. These <abbr class="abbrev">VPN</abbr> solutions, irrespective of whether they are hardware or software based, act as specialized routers that exist between the IP connection from one office to another.
	</div><div class="section" id="vpn-how-it-works"><div class="titlepage"><div><div><h3 class="title" id="vpn-how-it-works">46.7.1. How Does a VPN Work?</h3></div></div></div><div class="para">
			When a packet is transmitted from a client, it sends it through the <abbr class="abbrev">VPN</abbr> router or gateway, which adds an <em class="firstterm">Authentication Header</em> (<abbr class="abbrev">AH</abbr>) for routing and authentication. The data is then encrypted and, finally, enclosed with an <em class="firstterm">Encapsulating Security Payload</em> (<abbr class="abbrev">ESP</abbr>). This latter constitutes the decryption and handling instructions.
		</div><div class="para">
			The receiving <abbr class="abbrev">VPN</abbr> router strips the header information, decrypts the data, and routes it to its intended destination (either a workstation or other node on a network). Using a network-to-network connection, the receiving node on the local network receives the packets already decrypted and ready for processing. The encryption/decryption process in a network-to-network <abbr class="abbrev">VPN</abbr> connection is transparent to a local node.
		</div><div class="para">
			With such a heightened level of security, an attacker must not only intercept a packet, but decrypt the packet as well. Intruders who employ a man-in-the-middle attack between a server and client must also have access to at least one of the private keys for authenticating sessions. Because they employ several layers of authentication and encryption, <abbr class="abbrev">VPN</abbr>s are a secure and effective means of connecting multiple remote nodes to act as a unified intranet.
		</div></div><div class="section" id="s1-vpn-rhl"><div class="titlepage"><div><div><h3 class="title" id="s1-vpn-rhl">46.7.2. VPNs and Red Hat Enterprise Linux</h3></div></div></div><div class="para">
			Red Hat Enterprise Linux provides various options in terms of implementing a software solution to securely connect to a <acronym class="acronym">WAN</acronym>. <em class="firstterm">Internet Protocol Security</em> (<acronym class="acronym">IPsec</acronym>) is the supported <abbr class="abbrev">VPN</abbr> implementation for Red Hat Enterprise Linux, and sufficiently addresses the usability needs of organizations with branch offices or remote users.
		</div></div><div class="section" id="s1-vpn-ipsec"><div class="titlepage"><div><div><h3 class="title" id="s1-vpn-ipsec">46.7.3. IPsec</h3></div></div></div><a id="id1110464" class="indexterm"></a><a id="id1028536" class="indexterm"></a><div class="para">
			Red Hat Enterprise Linux supports <abbr class="abbrev">IPsec</abbr> for connecting remote hosts and networks to each other using a secure tunnel on a common carrier network such as the Internet. <abbr class="abbrev">IPsec</abbr> can be implemented using a host-to-host (one computer workstation to another) or network-to-network (one <acronym class="acronym">LAN</acronym>/<acronym class="acronym">WAN</acronym> to another) configuration.
		</div><div class="para">
			The <abbr class="abbrev">IPsec</abbr> implementation in Red Hat Enterprise Linux uses <em class="firstterm">Internet Key Exchange</em> (<em class="firstterm">IKE</em>), a protocol implemented by the Internet Engineering Task Force (<acronym class="acronym">IETF</acronym>), used for mutual authentication and secure associations between connecting systems.
		</div><a id="id914900" class="indexterm"></a></div><div class="section" id="vpn-create-ipsec-connection"><div class="titlepage"><div><div><h3 class="title" id="vpn-create-ipsec-connection">46.7.4. Creating an <abbr class="abbrev">IPsec</abbr> Connection</h3></div></div></div><div class="para">
			An <abbr class="abbrev">IPsec</abbr> connection is split into two logical phases. In phase 1, an <abbr class="abbrev">IPsec</abbr> node initializes the connection with the remote node or network. The remote node or network checks the requesting node's credentials and both parties negotiate the authentication method for the connection.
		</div><div class="para">
			On Red Hat Enterprise Linux systems, an <abbr class="abbrev">IPsec</abbr> connection uses the <em class="firstterm">pre-shared key</em> method of <abbr class="abbrev">IPsec</abbr> node authentication. In a pre-shared key <abbr class="abbrev">IPsec</abbr> connection, both hosts must use the same key in order to move to Phase 2 of the <abbr class="abbrev">IPsec</abbr> connection.
		</div><div class="para">
			Phase 2 of the <abbr class="abbrev">IPsec</abbr> connection is where the <em class="firstterm">Security Association</em> (<acronym class="acronym">SA</acronym>) is created between <abbr class="abbrev">IPsec</abbr> nodes. This phase establishes an <abbr class="abbrev">SA</abbr> database with configuration information, such as the encryption method, secret session key exchange parameters, and more. This phase manages the actual <abbr class="abbrev">IPsec</abbr> connection between remote nodes and networks.
		</div><div class="para">
			The Red Hat Enterprise Linux implementation of <abbr class="abbrev">IPsec</abbr> uses IKE for sharing keys between hosts across the Internet. The <code class="command">racoon</code> keying daemon handles the IKE key distribution and exchange. Refer to the <code class="command">racoon</code> man page for more information about this daemon.
		</div></div><div class="section" id="s1-ipsec-generalconf"><div class="titlepage"><div><div><h3 class="title" id="s1-ipsec-generalconf">46.7.5. IPsec Installation</h3></div></div></div><a id="id914121" class="indexterm"></a><a id="id914295" class="indexterm"></a><div class="para">
			Implementing <abbr class="abbrev">IPsec</abbr> requires that the <code class="filename">ipsec-tools</code> RPM package be installed on all <abbr class="abbrev">IPsec</abbr> hosts (if using a host-to-host configuration) or routers (if using a network-to-network configuration). The RPM package contains essential libraries, daemons, and configuration files for setting up the <abbr class="abbrev">IPsec</abbr> connection, including:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="command">/sbin/setkey</code> — manipulates the key management and security attributes of <abbr class="abbrev">IPsec</abbr> in the kernel. This executable is controlled by the <code class="command">racoon</code> key management daemon. Refer to the <code class="command">setkey</code>(8) man page for more information.
				</div></li><li class="listitem"><div class="para">
					<code class="command">/usr/sbin/racoon</code> — the IKE key management daemon, used to manage and control security associations and key sharing between IPsec-connected systems.
				</div></li><li class="listitem"><div class="para">
					<code class="filename">/etc/racoon/racoon.conf</code> — the <code class="command">racoon</code> daemon configuration file used to configure various aspects of the <abbr class="abbrev">IPsec</abbr> connection, including authentication methods and encryption algorithms used in the connection. Refer to the <code class="filename">racoon.conf</code>(5) man page for a complete listing of available directives.
				</div></li></ul></div><div class="para">
			To configure <abbr class="abbrev">IPsec</abbr> on Red Hat Enterprise Linux, you can use the <span class="application"><strong>Network Administration Tool</strong></span>, or manually edit the networking and <abbr class="abbrev">IPsec</abbr> configuration files.
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					To connect two network-connected hosts via IPsec, refer to <a class="xref" href="#s1-ipsec-host2host">Section 46.7.6, “IPsec Host-to-Host Configuration”</a>.
				</div></li><li class="listitem"><div class="para">
					To connect one <acronym class="acronym">LAN</acronym>/<acronym class="acronym">WAN</acronym> to another via IPsec, refer to <a class="xref" href="#s1-ipsec-net2net">Section 46.7.7, “IPsec Network-to-Network Configuration”</a>.
				</div></li></ul></div></div><div class="section" id="s1-ipsec-host2host"><div class="titlepage"><div><div><h3 class="title" id="s1-ipsec-host2host">46.7.6. IPsec Host-to-Host Configuration</h3></div></div></div><a id="id1082732" class="indexterm"></a><a id="id1016289" class="indexterm"></a><a id="id1020653" class="indexterm"></a><div class="para">
			IPsec can be configured to connect one desktop or workstation (host) to another using a host-to-host connection. This type of connection uses the network to which each host is connected to create a secure tunnel between each host. The requirements of a host-to-host connection are minimal, as is the configuration of <abbr class="abbrev">IPsec</abbr> on each host. The hosts need only a dedicated connection to a carrier network (such as the Internet) and Red Hat Enterprise Linux to create the <abbr class="abbrev">IPsec</abbr> connection.
		</div><div class="section" id="s2-network-config-ipsec-host"><div class="titlepage"><div><div><h4 class="title" id="s2-network-config-ipsec-host">46.7.6.1. Host-to-Host Connection</h4></div></div></div><a id="id913359" class="indexterm"></a><a id="id1010797" class="indexterm"></a><div class="para">
				A host-to-host <abbr class="abbrev">IPsec</abbr> connection is an encrypted connection between two systems, both running <abbr class="abbrev">IPsec</abbr> with the same authentication key. With the <abbr class="abbrev">IPsec</abbr> connection active, any network traffic between the two hosts is encrypted.
			</div><div class="para">
				To configure a host-to-host <abbr class="abbrev">IPsec</abbr> connection, use the following steps for each host:
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					You should perform the following procedures on the actual machine that you are configuring. Avoid attempting to configure and establish <abbr class="abbrev">IPsec</abbr> connections remotely.
				</div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						In a command shell, type <code class="command">system-config-network</code> to start the <span class="application"><strong>Network Administration Tool</strong></span>.
					</div></li><li class="listitem"><div class="para">
						On the <span class="guilabel"><strong>IPsec</strong></span> tab, click <span class="guibutton"><strong>New</strong></span> to start the <abbr class="abbrev">IPsec</abbr> configuration wizard.
					</div></li><li class="listitem"><div class="para">
						Click <span class="guibutton"><strong>Forward</strong></span> to start configuring a host-to-host <abbr class="abbrev">IPsec</abbr> connection.
					</div></li><li class="listitem"><div class="para">
						Enter a unique name for the connection, for example, <strong class="userinput"><code>ipsec0</code></strong>. If required, select the check box to automatically activate the connection when the computer starts. Click <span class="guibutton"><strong>Forward</strong></span> to continue.
					</div></li><li class="listitem"><div class="para">
						Select <span class="guilabel"><strong>Host to Host encryption</strong></span> as the connection type, and then click <span class="guibutton"><strong>Forward</strong></span>.
					</div></li><li class="listitem" id="st-host-encrypt-type"><div class="para">
						Select the type of encryption to use: manual or automatic.
					</div><a id="id891264" class="indexterm"></a><a id="id1016313" class="indexterm"></a><div class="para">
						If you select manual encryption, an encryption key must be provided later in the process. If you select automatic encryption, the <code class="command">racoon</code> daemon manages the encryption key. The <code class="filename">ipsec-tools</code> package must be installed if you want to use automatic encryption.
					</div><div class="para">
						Click <span class="guibutton"><strong>Forward</strong></span> to continue.
					</div></li><li class="listitem"><div class="para">
						Enter the IP address of the remote host.
					</div><div class="para">
						To determine the IP address of the remote host, use the following command <span class="emphasis"><em>on the remote host</em></span>:
					</div><pre class="screen"><code class="command">ifconfig <em class="replaceable"><code>&lt;device&gt;</code></em></code></pre><div class="para">
						where <em class="replaceable"><code>&lt;device&gt;</code></em> is the Ethernet device that you want to use for the <abbr class="abbrev">VPN</abbr> connection.
					</div><div class="para">
						If only one Ethernet card exists in the system, the device name is typically eth0. The following example shows the relevant information from this command (note that this is an example output only):
					</div><pre class="screen">eth0      Link encap:Ethernet  HWaddr 00:0C:6E:E8:98:1D
          inet addr:172.16.44.192  Bcast:172.16.45.255  Mask:255.255.254.0</pre><div class="para">
						The IP address is the number following the <code class="computeroutput">inet addr:</code> label.
					</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
							For host-to-host connections, both hosts should have a public, routable address. Alternatively, both hosts can have a private, non-routable address (for example, from the 10.x.x.x or 192.168.x.x ranges) as long as they are on the sam LAN.
						</div><div class="para">
							If the hosts are on different LANs, or one has a public address while the other has a private address, refer to <a class="xref" href="#s1-ipsec-net2net">Section 46.7.7, “IPsec Network-to-Network Configuration”</a>.
						</div></div></div><div class="para">
						Click <span class="guibutton"><strong>Forward</strong></span> to continue.
					</div></li><li class="listitem" id="st-host-to-host-keys"><div class="para">
						If manual encryption was selected in step <a class="xref" href="#st-host-encrypt-type">6</a>, specify the encryption key to use, or click <span class="guibutton"><strong>Generate</strong></span> to create one.
					</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
								Specify an authentication key or click <span class="guibutton"><strong>Generate</strong></span> to generate one. It can be any combination of numbers and letters.
							</div></li><li class="listitem"><div class="para">
								Click <span class="guibutton"><strong>Forward</strong></span> to continue.
							</div></li></ol></div></li><li class="listitem"><div class="para">
						Verify the information on the <span class="guilabel"><strong>IPsec — Summary</strong></span> page, and then click <span class="guibutton"><strong>Apply</strong></span>.
					</div></li><li class="listitem"><div class="para">
						Click <span class="guimenu"><strong>File</strong></span> &gt; <span class="guimenuitem"><strong>Save</strong></span> to save the configuration.
					</div><div class="para">
						You may need to restart the network for the changes to take effect. To restart the network, use the following command:
					</div><pre class="screen"><code class="command">service network restart</code></pre></li><li class="listitem"><div class="para">
						Select the <abbr class="abbrev">IPsec</abbr> connection from the list and click the <span class="guibutton"><strong>Activate</strong></span> button.
					</div></li><li class="listitem"><div class="para">
						Repeat the entire procedure for the other host. It is essential that the same keys from step <a class="xref" href="#st-host-to-host-keys">8</a> be used on the other hosts. Otherwise, <abbr class="abbrev">IPsec</abbr> will not work.
					</div></li></ol></div><div class="para">
				After configuring the <abbr class="abbrev">IPsec</abbr> connection, it appears in the <abbr class="abbrev">IPsec</abbr> list as shown in <a class="xref" href="#fig-neat-ipsec">Figure 46.10, “IPsec Connection”</a>.
			</div><div class="figure" id="fig-neat-ipsec"><div class="figure-contents"><div class="mediaobject"><img src="images/sec-ipsec-host2host.png" alt="IPsec Connection" /><div class="longdesc"><div class="para">
							IPsec Connection
						</div></div></div></div><h6>Figure 46.10. IPsec Connection</h6></div><br class="figure-break" /><div class="para">
				The following files are created when the <abbr class="abbrev">IPsec</abbr> connection is configured:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="filename">/etc/sysconfig/network-scripts/ifcfg-<em class="replaceable"><code>&lt;nickname&gt;</code></em></code>
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/etc/sysconfig/network-scripts/keys-<em class="replaceable"><code>&lt;nickname&gt;</code></em></code>
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/etc/racoon/<em class="replaceable"><code>&lt;remote-ip&gt;</code></em>.conf</code>
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/etc/racoon/psk.txt</code>
					</div></li></ul></div><div class="para">
				If automatic encryption is selected, <code class="filename">/etc/racoon/racoon.conf</code> is also created.
			</div><div class="para">
				When the interface is up, <code class="filename">/etc/racoon/racoon.conf</code> is modified to include <code class="filename"><em class="replaceable"><code>&lt;remote-ip&gt;</code></em>.conf</code>.
			</div></div><div class="section" id="s2-ipsec-host2host-cfg"><div class="titlepage"><div><div><h4 class="title" id="s2-ipsec-host2host-cfg">46.7.6.2. Manual <abbr class="abbrev">IPsec</abbr> Host-to-Host Configuration</h4></div></div></div><div class="para">
				The first step in creating a connection is to gather system and network information from each workstation. For a host-to-host connection, you need the following:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						The IP address of each host
					</div></li><li class="listitem"><div class="para">
						A unique name, for example, <code class="computeroutput">ipsec1</code>. This is used to identify the <abbr class="abbrev">IPsec</abbr> connection and to distinguish it from other devices or connections.
					</div></li><li class="listitem"><div class="para">
						A fixed encryption key or one automatically generated by <code class="command">racoon</code>.
					</div></li><li class="listitem"><div class="para">
						A pre-shared authentication key that is used during the initial stage of the connection and to exchange encryption keys during the session.
					</div></li></ul></div><div class="para">
				For example, suppose Workstation A and Workstation B want to connect to each other through an <abbr class="abbrev">IPsec</abbr> tunnel. They want to connect using a pre-shared key with the value of <code class="computeroutput">Key_Value01</code>, and the users agree to let <code class="command">racoon</code> automatically generate and share an authentication key between each host. Both host users decide to name their connections <code class="computeroutput">ipsec1</code>.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					You should choose a PSK that uses a mixture of upper- and lower-case characters, numbers and punctuation. An easily-guessable PSK constitutes a security risk.
				</div><div class="para">
					It is not necessary to use the same connection name for each host. You should choose a name that is convenient and meaningful for your installation.
				</div></div></div><div class="para">
				The following is the <abbr class="abbrev">IPsec</abbr> configuration file for Workstation A for a host-to-host <abbr class="abbrev">IPsec</abbr> connection with Workstation B. The unique name to identify the connection in this example is <em class="replaceable"><code>ipsec1</code></em>, so the resulting file is called <code class="filename">/etc/sysconfig/network-scripts/ifcfg-ipsec1</code>.
			</div><pre class="screen">DST=<em class="replaceable"><code>X.X.X.X</code></em>
TYPE=IPSEC
ONBOOT=no
IKE_METHOD=PSK</pre><div class="para">
				For Workstation A, <em class="replaceable"><code>X.X.X.X</code></em> is the IP address of Workstation B. For Workstation B, <em class="replaceable"><code>X.X.X.X</code></em> is the IP address of Workstation A. This connection is not set to initiate on boot-up (<code class="computeroutput">ONBOOT=no</code>) and it uses the pre-shared key method of authentication (<code class="computeroutput">IKE_METHOD=PSK</code>).
			</div><div class="para">
				The following is the content of the pre-shared key file (called <code class="filename">/etc/sysconfig/network-scripts/keys-ipsec1</code>) that both workstations need to authenticate each other. The contents of this file should be identical on both workstations, and only the root user should be able to read or write this file.
			</div><pre class="screen">IKE_PSK=Key_Value01</pre><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					To change the <code class="filename">keys-ipsec1</code> file so that only the root user can read or edit the file, use the following command after creating the file:
				</div><pre class="screen"><code class="command">chmod 600 /etc/sysconfig/network-scripts/keys-ipsec1</code></pre></div></div><div class="para">
				To change the authentication key at any time, edit the <code class="filename">keys-ipsec1</code> file on both workstations. <span class="emphasis"><em>Both authentication keys must be identical for proper connectivity</em></span>.
			</div><div class="para">
				The next example shows the specific configuration for the phase 1 connection to the remote host. The file is called <code class="filename"><em class="replaceable"><code>X.X.X.X</code></em>.conf</code>, where <em class="replaceable"><code>X.X.X.X</code></em> is the IP address of the remote <abbr class="abbrev">IPsec</abbr> host. Note that this file is automatically generated when the <abbr class="abbrev">IPsec</abbr> tunnel is activated and should not be edited directly.
			</div><pre class="screen">remote <em class="replaceable"><code>X.X.X.X</code></em>
{
         exchange_mode aggressive, main;
	 my_identifier address;
	 proposal {
	 	encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2 ;
	}
}</pre><div class="para">
				The default phase 1 configuration file that is created when an <abbr class="abbrev">IPsec</abbr> connection is initialized contains the following statements used by the Red Hat Enterprise Linux implementation of IPsec:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">remote <em class="replaceable"><code>X.X.X.X</code></em></span></dt><dd><div class="para">
							Specifies that the subsequent stanzas of this configuration file apply only to the remote node identified by the <em class="replaceable"><code>X.X.X.X</code></em> IP address.
						</div></dd><dt class="varlistentry"><span class="term">exchange_mode aggressive</span></dt><dd><div class="para">
							The default configuration for <abbr class="abbrev">IPsec</abbr> on Red Hat Enterprise Linux uses an aggressive authentication mode, which lowers the connection overhead while allowing configuration of several <abbr class="abbrev">IPsec</abbr> connections with multiple hosts.
						</div></dd><dt class="varlistentry"><span class="term">my_identifier address</span></dt><dd><div class="para">
							Specifies the identification method to use when authenticating nodes. Red Hat Enterprise Linux uses IP addresses to identify nodes.
						</div></dd><dt class="varlistentry"><span class="term">encryption_algorithm 3des</span></dt><dd><div class="para">
							Specifies the encryption cipher used during authentication. By default, <em class="firstterm">Triple Data Encryption Standard</em> (<acronym class="acronym">3DES</acronym>) is used.
						</div></dd><dt class="varlistentry"><span class="term">hash_algorithm sha1;</span></dt><dd><div class="para">
							Specifies the hash algorithm used during phase 1 negotiation between nodes. By default, Secure Hash Algorithm version 1 is used.
						</div></dd><dt class="varlistentry"><span class="term">authentication_method pre_shared_key</span></dt><dd><div class="para">
							Specifies the authentication method used during node negotiation. By default, Red Hat Enterprise Linux uses pre-shared keys for authentication.
						</div></dd><dt class="varlistentry"><span class="term">dh_group 2</span></dt><dd><div class="para">
							Specifies the Diffie-Hellman group number for establishing dynamically-generated session keys. By default, modp1024 (group 2) is used.
						</div></dd></dl></div><div class="section" id="sec-racoon-conf"><div class="titlepage"><div><div><h5 class="title" id="sec-racoon-conf">46.7.6.2.1. The Racoon Configuration File</h5></div></div></div><div class="para">
					The <code class="filename">/etc/racoon/racoon.conf</code> files should be identical on all <abbr class="abbrev">IPsec</abbr> nodes <span class="emphasis"><em>except</em></span> for the <code class="command">include "/etc/racoon/<em class="replaceable"><code>X.X.X.X</code></em>.conf"</code> statement. This statement (and the file it references) is generated when the <abbr class="abbrev">IPsec</abbr> tunnel is activated. For Workstation A, the <em class="replaceable"><code>X.X.X.X</code></em> in the <code class="command">include</code> statement is Workstation B's IP address. The opposite is true of Workstation B. The following shows a typical <code class="filename">racoon.conf</code> file when the <abbr class="abbrev">IPsec</abbr> connection is activated.
				</div><pre class="screen"># Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

sainfo anonymous
{
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des, blowfish 448, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}
include "/etc/racoon/X.X.X.X.conf";</pre><div class="para">
					This default <code class="filename">racoon.conf</code> file includes defined paths for <abbr class="abbrev">IPsec</abbr> configuration, pre-shared key files, and certificates. The fields in <code class="computeroutput">sainfo anonymous</code> describe the phase 2 SA between the <abbr class="abbrev">IPsec</abbr> nodes — the nature of the <abbr class="abbrev">IPsec</abbr> connection (including the supported encryption algorithms used) and the method of exchanging keys. The following list defines the fields of phase 2:
				</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">sainfo anonymous</span></dt><dd><div class="para">
								Denotes that SA can anonymously initialize with any peer provided that the <abbr class="abbrev">IPsec</abbr> credentials match.
							</div></dd><dt class="varlistentry"><span class="term">pfs_group 2</span></dt><dd><div class="para">
								Defines the Diffie-Hellman key exchange protocol, which determines the method by which the <abbr class="abbrev">IPsec</abbr> nodes establish a mutual temporary session key for the second phase of <abbr class="abbrev">IPsec</abbr> connectivity. By default, the Red Hat Enterprise Linux implementation of <abbr class="abbrev">IPsec</abbr> uses group 2 (or <code class="computeroutput">modp1024</code>) of the Diffie-Hellman cryptographic key exchange groups. Group 2 uses a 1024-bit modular exponentiation that prevents attackers from decrypting previous <abbr class="abbrev">IPsec</abbr> transmissions even if a private key is compromised.
							</div></dd><dt class="varlistentry"><span class="term">lifetime time 1 hour</span></dt><dd><div class="para">
								This parameter specifies the lifetime of an SA and can be quantified either by time or by bytes of data. The default Red Hat Enterprise Linux implementation of <abbr class="abbrev">IPsec</abbr> specifies a one hour lifetime.
							</div></dd><dt class="varlistentry"><span class="term">encryption_algorithm 3des, blowfish 448, rijndael</span></dt><dd><div class="para">
								Specifies the supported encryption ciphers for phase 2. Red Hat Enterprise Linux supports 3DES, 448-bit Blowfish, and Rijndael (the cipher used in the <em class="firstterm">Advanced Encryption Standard</em>, or <acronym class="acronym">AES</acronym>).
							</div></dd><dt class="varlistentry"><span class="term">authentication_algorithm hmac_sha1, hmac_md5</span></dt><dd><div class="para">
								Lists the supported hash algorithms for authentication. Supported modes are sha1 and md5 hashed message authentication codes (HMAC).
							</div></dd><dt class="varlistentry"><span class="term">compression_algorithm deflate</span></dt><dd><div class="para">
								Defines the Deflate compression algorithm for IP Payload Compression (IPCOMP) support, which allows for potentially faster transmission of IP datagrams over slow connections.
							</div></dd></dl></div><div class="para">
					To start the connection, use the following command on each host:
				</div><pre class="screen"><code class="command">ifup &lt;nickname&gt;</code></pre><div class="para">
					where &lt;nickname&gt; is the name you specified for the <abbr class="abbrev">IPsec</abbr> connection.
				</div><div class="para">
					To test the <abbr class="abbrev">IPsec</abbr> connection, run the <code class="command">tcpdump</code> utility to view the network packets being transferred between the hosts and verify that they are encrypted via IPsec. The packet should include an AH header and should be shown as ESP packets. ESP means it is encrypted. For example:
				</div><pre class="screen">~]# <code class="command">tcpdump -n -i eth0 host &lt;targetSystem&gt;</code>

IP 172.16.45.107 &gt; 172.16.44.192: AH(spi=0x0954ccb6,seq=0xbb): ESP(spi=0x0c9f2164,seq=0xbb)</pre></div></div></div><div class="section" id="s1-ipsec-net2net"><div class="titlepage"><div><div><h3 class="title" id="s1-ipsec-net2net">46.7.7. IPsec Network-to-Network Configuration</h3></div></div></div><a id="id997036" class="indexterm"></a><a id="id940098" class="indexterm"></a><a id="id938903" class="indexterm"></a><div class="para">
			IPsec can also be configured to connect an entire network (such as a <acronym class="acronym">LAN</acronym> or <acronym class="acronym">WAN</acronym>) to a remote network using a network-to-network connection. A network-to-network connection requires the setup of <abbr class="abbrev">IPsec</abbr> routers on each side of the connecting networks to transparently process and route information from one node on a <acronym class="acronym">LAN</acronym> to a node on a remote <acronym class="acronym">LAN</acronym>. <a class="xref" href="#gr-vpn-ipsecdia">Figure 46.11, “A network-to-network <abbr class="abbrev">IPsec</abbr> tunneled connection”</a> shows a network-to-network <abbr class="abbrev">IPsec</abbr> tunneled connection.
		</div><div class="figure" id="gr-vpn-ipsecdia"><div class="figure-contents"><div class="mediaobject"><img src="images/n-t-n-ipsec-diagram.png" width="444" alt="A network-to-network IPsec tunneled connection" /><div class="longdesc"><div class="para">
						A network-to-network <abbr class="abbrev">IPsec</abbr> tunneled connection
					</div></div></div></div><h6>Figure 46.11. A network-to-network <abbr class="abbrev">IPsec</abbr> tunneled connection</h6></div><br class="figure-break" /><div class="para">
			This diagram shows two separate <acronym class="acronym">LAN</acronym>s separated by the Internet. These <acronym class="acronym">LAN</acronym>s use <abbr class="abbrev">IPsec</abbr> routers to authenticate and initiate a connection using a secure tunnel through the Internet. Packets that are intercepted in transit would require brute-force decryption in order to crack the cipher protecting the packets between these <acronym class="acronym">LAN</acronym>s. The process of communicating from one node in the 192.168.1.0/24 IP range to another in the 192.168.2.0/24 range is completely transparent to the nodes as the processing, encryption/decryption, and routing of the <abbr class="abbrev">IPsec</abbr> packets are completely handled by the <abbr class="abbrev">IPsec</abbr> router.
		</div><div class="para">
			The information needed for a network-to-network connection include:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					The externally-accessible IP addresses of the dedicated <abbr class="abbrev">IPsec</abbr> routers
				</div></li><li class="listitem"><div class="para">
					The network address ranges of the <acronym class="acronym">LAN</acronym>/<acronym class="acronym">WAN</acronym> served by the <abbr class="abbrev">IPsec</abbr> routers (such as 192.168.1.0/24 or 10.0.1.0/24)
				</div></li><li class="listitem"><div class="para">
					The IP addresses of the gateway devices that route the data from the network nodes to the Internet
				</div></li><li class="listitem"><div class="para">
					A unique name, for example, <code class="computeroutput">ipsec1</code>. This is used to identify the <abbr class="abbrev">IPsec</abbr> connection and to distinguish it from other devices or connections.
				</div></li><li class="listitem"><div class="para">
					A fixed encryption key or one automatically generated by <code class="command">racoon</code>
				</div></li><li class="listitem"><div class="para">
					A pre-shared authentication key that is used during the initial stage of the connection and to exchange encryption keys during the session.
				</div></li></ul></div><div class="section" id="s2-network-config-ipsec-vpn"><div class="titlepage"><div><div><h4 class="title" id="s2-network-config-ipsec-vpn">46.7.7.1. Network-to-Network (<abbr class="abbrev">VPN</abbr>) Connection</h4></div></div></div><a id="id1023326" class="indexterm"></a><a id="id1023340" class="indexterm"></a><div class="para">
				A network-to-network <abbr class="abbrev">IPsec</abbr> connection uses two <abbr class="abbrev">IPsec</abbr> routers, one for each network, through which the network traffic for the private subnets is routed.
			</div><div class="para">
				For example, as shown in <a class="xref" href="#fig-n-t-n-ipsec">Figure 46.12, “Network-to-Network IPsec”</a>, if the 192.168.1.0/24 private network sends network traffic to the 192.168.2.0/24 private network, the packets go through gateway0, to ipsec0, through the Internet, to ipsec1, to gateway1, and to the 192.168.2.0/24 subnet.
			</div><div class="para">
				<abbr class="abbrev">IPsec</abbr> routers require publicly addressable IP addresses and a second Ethernet device connected to their respective private networks. Traffic only travels through an <abbr class="abbrev">IPsec</abbr> router if it is intended for another <abbr class="abbrev">IPsec</abbr> router with which it has an encrypted connection.
			</div><div class="figure" id="fig-n-t-n-ipsec"><div class="figure-contents"><div class="mediaobject"><img src="images/n-t-n-ipsec-diagram.png" width="444" alt="Network-to-Network IPsec" /><div class="longdesc"><div class="para">
							Network-to-Network IPsec
						</div></div></div></div><h6>Figure 46.12. Network-to-Network IPsec</h6></div><br class="figure-break" /><div class="para">
				Alternate network configuration options include a firewall between each IP router and the Internet, and an intranet firewall between each <abbr class="abbrev">IPsec</abbr> router and subnet gateway. The <abbr class="abbrev">IPsec</abbr> router and the gateway for the subnet can be one system with two Ethernet devices: one with a public IP address that acts as the <abbr class="abbrev">IPsec</abbr> router; and one with a private IP address that acts as the gateway for the private subnet. Each <abbr class="abbrev">IPsec</abbr> router can use the gateway for its private network or a public gateway to send the packets to the other <abbr class="abbrev">IPsec</abbr> router.
			</div><div class="para">
				Use the following procedure to configure a network-to-network <abbr class="abbrev">IPsec</abbr> connection:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						In a command shell, type <code class="command">system-config-network</code> to start the <span class="application"><strong>Network Administration Tool</strong></span>.
					</div></li><li class="listitem"><div class="para">
						On the <span class="guilabel"><strong>IPsec</strong></span> tab, click <span class="guibutton"><strong>New</strong></span> to start the <abbr class="abbrev">IPsec</abbr> configuration wizard.
					</div></li><li class="listitem"><div class="para">
						Click <span class="guibutton"><strong>Forward</strong></span> to start configuring a network-to-network <abbr class="abbrev">IPsec</abbr> connection.
					</div></li><li class="listitem"><div class="para">
						Enter a unique nickname for the connection, for example, <strong class="userinput"><code>ipsec0</code></strong>. If required, select the check box to automatically activate the connection when the computer starts. Click <span class="guibutton"><strong>Forward</strong></span> to continue.
					</div></li><li class="listitem"><div class="para">
						Select <span class="guilabel"><strong>Network to Network encryption (VPN)</strong></span> as the connection type, and then click <span class="guibutton"><strong>Forward</strong></span>.
					</div></li><li class="listitem" id="st-host-encrypt-type-n"><div class="para">
						Select the type of encryption to use: manual or automatic.
					</div><a id="id999363" class="indexterm"></a><a id="id999376" class="indexterm"></a><div class="para">
						If you select manual encryption, an encryption key must be provided later in the process. If you select automatic encryption, the <code class="command">racoon</code> daemon manages the encryption key. The <code class="filename">ipsec-tools</code> package must be installed if you want to use automatic encryption.
					</div><div class="para">
						Click <span class="guibutton"><strong>Forward</strong></span> to continue.
					</div></li><li class="listitem"><div class="para">
						On the <span class="guilabel"><strong>Local Network</strong></span> page, enter the following information:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<span class="guilabel"><strong>Local Network Address</strong></span> — The IP address of the device on the <abbr class="abbrev">IPsec</abbr> router connected to the private network.
							</div></li><li class="listitem"><div class="para">
								<span class="guilabel"><strong>Local Subnet Mask</strong></span> — The subnet mask of the local network IP address.
							</div></li><li class="listitem"><div class="para">
								<span class="guilabel"><strong>Local Network Gateway</strong></span> — The gateway for the private subnet.
							</div></li></ul></div><div class="para">
						Click <span class="guibutton"><strong>Forward</strong></span> to continue.
					</div><div class="figure" id="fig-local-network"><div class="figure-contents"><div class="mediaobject"><img src="images/n-to-n-ipsec-local.png" width="444" alt="Local Network Information" /><div class="longdesc"><div class="para">
									Local Network Information
								</div></div></div></div><h6>Figure 46.13. Local Network Information</h6></div><br class="figure-break" /></li><li class="listitem"><div class="para">
						On the <span class="guilabel"><strong>Remote Network</strong></span> page, enter the following information:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<span class="guilabel"><strong>Remote IP Address</strong></span> — The publicly addressable IP address of the <abbr class="abbrev">IPsec</abbr> router for the <span class="emphasis"><em>other</em></span> private network. In our example, for ipsec0, enter the publicly addressable IP address of ipsec1, and vice versa.
							</div></li><li class="listitem"><div class="para">
								<span class="guilabel"><strong>Remote Network Address</strong></span> — The network address of the private subnet behind the <span class="emphasis"><em>other</em></span> <abbr class="abbrev">IPsec</abbr> router. In our example, enter <strong class="userinput"><code>192.168.1.0</code></strong> if configuring ipsec1, and enter <strong class="userinput"><code>192.168.2.0</code></strong> if configuring ipsec0.
							</div></li><li class="listitem"><div class="para">
								<span class="guilabel"><strong>Remote Subnet Mask</strong></span> — The subnet mask of the remote IP address.
							</div></li><li class="listitem"><div class="para">
								<span class="guilabel"><strong>Remote Network Gateway</strong></span> — The IP address of the gateway for the remote network address.
							</div></li><li class="listitem" id="st-host-to-host-keys-n"><div class="para">
								If manual encryption was selected in step <a class="xref" href="#st-host-encrypt-type-n">6</a>, specify the encryption key to use or click <span class="guibutton"><strong>Generate</strong></span> to create one.
							</div><div class="para">
								Specify an authentication key or click <span class="guibutton"><strong>Generate</strong></span> to generate one. This key can be any combination of numbers and letters.
							</div></li></ul></div><div class="para">
						Click <span class="guibutton"><strong>Forward</strong></span> to continue.
					</div><div class="figure" id="fig-remote-network"><div class="figure-contents"><div class="mediaobject"><img src="images/n-to-n-ipsec-remote.png" width="444" alt="Remote Network Information" /><div class="longdesc"><div class="para">
									Remote Network Information
								</div></div></div></div><h6>Figure 46.14. Remote Network Information</h6></div><br class="figure-break" /></li><li class="listitem"><div class="para">
						Verify the information on the <span class="guilabel"><strong>IPsec — Summary</strong></span> page, and then click <span class="guibutton"><strong>Apply</strong></span>.
					</div></li><li class="listitem"><div class="para">
						Select <span class="guimenu"><strong>File</strong></span> &gt; <span class="guimenuitem"><strong>Save</strong></span> to save the configuration.
					</div></li><li class="listitem"><div class="para">
						Select the <abbr class="abbrev">IPsec</abbr> connection from the list, and then click <span class="guibutton"><strong>Activate</strong></span> to activate the connection.
					</div></li><li class="listitem"><div class="para">
						Enable IP forwarding:
					</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
								Edit <code class="filename">/etc/sysctl.conf</code> and set <code class="computeroutput">net.ipv4.ip_forward</code> to <strong class="userinput"><code>1</code></strong>.
							</div></li><li class="listitem"><div class="para">
								Use the following command to enable the change:
							</div><pre class="screen"><code class="command">sysctl -p /etc/sysctl.conf</code></pre></li></ol></div></li></ol></div><div class="para">
				The network script to activate the <abbr class="abbrev">IPsec</abbr> connection automatically creates network routes to send packets through the <abbr class="abbrev">IPsec</abbr> router if necessary.
			</div></div><div class="section" id="s2-ipsec-net2net-cfg"><div class="titlepage"><div><div><h4 class="title" id="s2-ipsec-net2net-cfg">46.7.7.2. Manual <abbr class="abbrev">IPsec</abbr> Network-to-Network Configuration</h4></div></div></div><div class="para">
				Suppose <acronym class="acronym">LAN</acronym> A (lana.example.com) and <acronym class="acronym">LAN</acronym> B (lanb.example.com) want to connect to each other through an <abbr class="abbrev">IPsec</abbr> tunnel. The network address for <acronym class="acronym">LAN</acronym> A is in the 192.168.1.0/24 range, while <acronym class="acronym">LAN</acronym> B uses the 192.168.2.0/24 range. The gateway IP address is 192.168.1.254 for <acronym class="acronym">LAN</acronym> A and 192.168.2.254 for <acronym class="acronym">LAN</acronym> B. The <abbr class="abbrev">IPsec</abbr> routers are separate from each <acronym class="acronym">LAN</acronym> gateway and use two network devices: eth0 is assigned to an externally-accessible static IP address which accesses the Internet, while eth1 acts as a routing point to process and transmit <acronym class="acronym">LAN</acronym> packets from one network node to the remote network nodes.
			</div><div class="para">
				The <abbr class="abbrev">IPsec</abbr> connection between each network uses a pre-shared key with the value of <code class="computeroutput">r3dh4tl1nux</code>, and the administrators of A and B agree to let <code class="command">racoon</code> automatically generate and share an authentication key between each <abbr class="abbrev">IPsec</abbr> router. The administrator of <acronym class="acronym">LAN</acronym> A decides to name the <abbr class="abbrev">IPsec</abbr> connection <code class="computeroutput">ipsec0</code>, while the administrator of <acronym class="acronym">LAN</acronym> B names the <abbr class="abbrev">IPsec</abbr> connection <code class="computeroutput">ipsec1</code>.
			</div><div class="para">
				The following example shows the contents of the <code class="filename">ifcfg</code> file for a network-to-network <abbr class="abbrev">IPsec</abbr> connection for <acronym class="acronym">LAN</acronym> A. The unique name to identify the connection in this example is <em class="replaceable"><code>ipsec0</code></em>, so the resulting file is called <code class="filename">/etc/sysconfig/network-scripts/ifcfg-ipsec0</code>.
			</div><pre class="screen">TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=192.168.1.254
DSTGW=192.168.2.254
SRCNET=192.168.1.0/24
DSTNET=192.168.2.0/24
DST=<em class="replaceable"><code>X.X.X.X</code></em></pre><div class="para">
				The following list describes the contents of this file:
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">TYPE=IPSEC</span></dt><dd><div class="para">
							Specifies the type of connection.
						</div></dd><dt class="varlistentry"><span class="term">ONBOOT=yes</span></dt><dd><div class="para">
							Specifies that the connection should initiate on boot-up.
						</div></dd><dt class="varlistentry"><span class="term">IKE_METHOD=PSK</span></dt><dd><div class="para">
							Specifies that the connection uses the pre-shared key method of authentication.
						</div></dd><dt class="varlistentry"><span class="term">SRCGW=192.168.1.254</span></dt><dd><div class="para">
							The IP address of the source gateway. For LAN A, this is the LAN A gateway, and for LAN B, the LAN B gateway.
						</div></dd><dt class="varlistentry"><span class="term">DSTGW=192.168.2.254</span></dt><dd><div class="para">
							The IP address of the destination gateway. For LAN A, this is the LAN B gateway, and for LAN B, the LAN A gateway.
						</div></dd><dt class="varlistentry"><span class="term">SRCNET=192.168.1.0/24</span></dt><dd><div class="para">
							Specifies the source network for the <abbr class="abbrev">IPsec</abbr> connection, which in this example is the network range for LAN A.
						</div></dd><dt class="varlistentry"><span class="term">DSTNET=192.168.2.0/24</span></dt><dd><div class="para">
							Specifies the destination network for the <abbr class="abbrev">IPsec</abbr> connection, which in this example is the network range for <acronym class="acronym">LAN</acronym> B.
						</div></dd><dt class="varlistentry"><span class="term">DST=X.X.X.X</span></dt><dd><div class="para">
							The externally-accessible IP address of <acronym class="acronym">LAN</acronym> B.
						</div></dd></dl></div><div class="para">
				The following example is the content of the pre-shared key file called <code class="filename">/etc/sysconfig/network-scripts/keys-ipsec<em class="replaceable"><code>X</code></em></code> (where <em class="replaceable"><code>X</code></em> is 0 for <acronym class="acronym">LAN</acronym> A and 1 for <acronym class="acronym">LAN</acronym> B) that both networks use to authenticate each other. The contents of this file should be identical and only the root user should be able to read or write this file.
			</div><pre class="screen">IKE_PSK=r3dh4tl1nux</pre><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					To change the <code class="filename">keys-ipsec<em class="replaceable"><code>X</code></em></code> file so that only the root user can read or edit the file, use the following command after creating the file:
				</div><pre class="screen"><code class="command">chmod 600 /etc/sysconfig/network-scripts/keys-ipsec1</code></pre></div></div><div class="para">
				To change the authentication key at any time, edit the <code class="filename">keys-ipsec<em class="replaceable"><code>X</code></em></code> file on both <abbr class="abbrev">IPsec</abbr> routers. <span class="emphasis"><em>Both keys must be identical for proper connectivity</em></span>.
			</div><div class="para">
				The following example is the contents of the <code class="filename">/etc/racoon/racoon.conf</code> configuration file for the <abbr class="abbrev">IPsec</abbr> connection. Note that the <code class="computeroutput">include</code> line at the bottom of the file is automatically generated and only appears if the <abbr class="abbrev">IPsec</abbr> tunnel is running.
			</div><pre class="screen"># Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

sainfo anonymous
{
	pfs_group 2;
	lifetime time 1 hour ;
	encryption_algorithm 3des, blowfish 448, rijndael ;
	authentication_algorithm hmac_sha1, hmac_md5 ;
	compression_algorithm deflate ;
}
include "/etc/racoon/<em class="replaceable"><code>X.X.X.X</code></em>.conf"</pre><div class="para">
				The following is the specific configuration for the connection to the remote network. The file is called <code class="filename"><em class="replaceable"><code>X.X.X.X</code></em>.conf</code> (where <em class="replaceable"><code>X.X.X.X</code></em> is the IP address of the remote <abbr class="abbrev">IPsec</abbr> router). Note that this file is automatically generated when the <abbr class="abbrev">IPsec</abbr> tunnel is activated and should not be edited directly.
			</div><pre class="screen">remote <em class="replaceable"><code>X.X.X.X</code></em>
{
        exchange_mode aggressive, main;
	my_identifier address;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2 ;
	}
}</pre><div class="para">
				Prior to starting the <abbr class="abbrev">IPsec</abbr> connection, IP forwarding should be enabled in the kernel. To enable IP forwarding:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Edit <code class="filename">/etc/sysctl.conf</code> and set <code class="computeroutput">net.ipv4.ip_forward</code> to <strong class="userinput"><code>1</code></strong>.
					</div></li><li class="listitem"><div class="para">
						Use the following command to enable the change:
					</div><pre class="screen"><code class="command">sysctl -p /etc/sysctl.conf</code></pre></li></ol></div><div class="para">
				To start the <abbr class="abbrev">IPsec</abbr> connection, use the following command on each router:
			</div><pre class="screen"><code class="command">ifup ipsec0</code></pre><div class="para">
				The connections are activated, and both <acronym class="acronym">LAN</acronym> A and <acronym class="acronym">LAN</acronym> B are able to communicate with each other. The routes are created automatically via the initialization script called by running <code class="command">ifup</code> on the <abbr class="abbrev">IPsec</abbr> connection. To show a list of routes for the network, use the following command:
			</div><pre class="screen"><code class="command">ip route list</code></pre><div class="para">
				To test the <abbr class="abbrev">IPsec</abbr> connection, run the <code class="command">tcpdump</code> utility on the externally-routable device (eth0 in this example) to view the network packets being transferred between the hosts (or networks), and verify that they are encrypted via IPsec. For example, to check the <abbr class="abbrev">IPsec</abbr> connectivity of <acronym class="acronym">LAN</acronym> A, use the following command:
			</div><pre class="screen"><code class="command">tcpdump -n -i eth0 host <em class="replaceable"><code>lana.example.com</code></em></code></pre><div class="para">
				The packet should include an AH header and should be shown as ESP packets. ESP means it is encrypted. For example (back slashes denote a continuation of one line):
			</div><pre class="screen">12:24:26.155529 lanb.example.com &gt; lana.example.com: AH(spi=0x021c9834,seq=0x358): \
	lanb.example.com &gt; lana.example.com: ESP(spi=0x00c887ad,seq=0x358) (DF) \
	(ipip-proto-4)</pre></div></div><div class="section" id="s1-network-config-ipsec-start"><div class="titlepage"><div><div><h3 class="title" id="s1-network-config-ipsec-start">46.7.8. Starting and Stopping an <abbr class="abbrev">IPsec</abbr> Connection</h3></div></div></div><div class="para">
			If the <abbr class="abbrev">IPsec</abbr> connection was not configured to activate on boot, you can control it from the command line.
		</div><div class="para">
			To start the connection, use the following command on each host for host-to-host IPsec, or each <abbr class="abbrev">IPsec</abbr> router for network-to-network IPsec:
		</div><pre class="screen"><code class="command">ifup <em class="replaceable"><code>&lt;nickname&gt;</code></em></code></pre><div class="para">
			where <em class="replaceable"><code>&lt;nickname&gt;</code></em> is the nickname configured earlier, such as <code class="computeroutput">ipsec0</code>.
		</div><div class="para">
			To stop the connection, use the following command:
		</div><pre class="screen"><code class="command">ifdown <em class="replaceable"><code>&lt;nickname&gt;</code></em></code></pre></div></div><div xml:lang="en-US" class="section" id="ch-fw" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="ch-fw">46.8. Firewalls</h2></div></div></div><a id="id882387" class="indexterm"></a><div class="para">
		Information security is commonly thought of as a process and not a product. However, standard security implementations usually employ some form of dedicated mechanism to control access privileges and restrict network resources to users who are authorized, identifiable, and traceable. Red Hat Enterprise Linux includes several tools to assist administrators and security engineers with network-level access control issues.
	</div><div class="para">
		Firewalls are one of the core components of a network security implementation. Several vendors market firewall solutions catering to all levels of the marketplace: from home users protecting one PC to data center solutions safeguarding vital enterprise information. Firewalls can be stand-alone hardware solutions, such as firewall appliances by Cisco, Nokia, and Sonicwall. Vendors such as Checkpoint, McAfee, and Symantec have also developed proprietary software firewall solutions for home and business markets.
	</div><div class="para">
		Apart from the differences between hardware and software firewalls, there are also differences in the way firewalls function that separate one solution from another. <a class="xref" href="#tb-fw-types">Table 46.5, “Firewall Types”</a> details three common types of firewalls and how they function:
	</div><a id="id1010310" class="indexterm"></a><a id="id891238" class="indexterm"></a><a id="id1014055" class="indexterm"></a><a id="id1022075" class="indexterm"></a><a id="id1020170" class="indexterm"></a><div class="table" id="tb-fw-types"><h6>Table 46.5. Firewall Types</h6><div class="table-contents"><table summary="Firewall Types" border="1"><colgroup><col width="10%" class="method" /><col width="30%" class="description" /><col width="30%" class="advantages" /><col width="30%" class="disadvantages" /></colgroup><thead><tr><th>
						Method
					</th><th>
						Description
					</th><th>
						Advantages
					</th><th>
						Disadvantages
					</th></tr></thead><tbody><tr><td>
						NAT
					</td><td>
						<em class="firstterm">Network Address Translation</em> (NAT) places private IP subnetworks behind one or a small pool of public IP addresses, masquerading all requests to one source rather than several. The Linux kernel has built-in NAT functionality through the Netfilter kernel subsystem.
					</td><td>
						<table border="0" summary="Simple list" class="simplelist"><tr><td> · Can be configured transparently to machines on a LAN </td></tr><tr><td> · Protection of many machines and services behind one or more external IP addresses simplifies administration duties </td></tr><tr><td> · Restriction of user access to and from the LAN can be configured by opening and closing ports on the NAT firewall/gateway </td></tr></table>

</td><td>
						<table border="0" summary="Simple list" class="simplelist"><tr><td> · Cannot prevent malicious activity once users connect to a service outside of the firewall </td></tr></table>

</td></tr><tr><td>
						Packet Filter
					</td><td>
						A packet filtering firewall reads each data packet that passes through a LAN. It can read and process packets by header information and filters the packet based on sets of programmable rules implemented by the firewall administrator. The Linux kernel has built-in packet filtering functionality through the Netfilter kernel subsystem.
					</td><td>
						<table border="0" summary="Simple list" class="simplelist"><tr><td> · Customizable through the <code class="command">iptables</code> front-end utility </td></tr><tr><td> · Does not require any customization on the client side, as all network activity is filtered at the router level rather than the application level </td></tr><tr><td> · Since packets are not transmitted through a proxy, network performance is faster due to direct connection from client to remote host </td></tr></table>

</td><td>
						<table border="0" summary="Simple list" class="simplelist"><tr><td> · Cannot filter packets for content like proxy firewalls </td></tr><tr><td> · Processes packets at the protocol layer, but cannot filter packets at an application layer </td></tr><tr><td> · Complex network architectures can make establishing packet filtering rules difficult, especially if coupled with <em class="firstterm">IP masquerading</em> or local subnets and DMZ networks </td></tr></table>

</td></tr><tr><td>
						Proxy
					</td><td>
						Proxy firewalls filter all requests of a certain protocol or type from LAN clients to a proxy machine, which then makes those requests to the Internet on behalf of the local client. A proxy machine acts as a buffer between malicious remote users and the internal network client machines.
					</td><td>
						<table border="0" summary="Simple list" class="simplelist"><tr><td> · Gives administrators control over what applications and protocols function outside of the LAN </td></tr><tr><td> · Some proxy servers can cache frequently-accessed data locally rather than having to use the Internet connection to request it. This helps to reduce bandwidth consumption </td></tr><tr><td> · Proxy services can be logged and monitored closely, allowing tighter control over resource utilization on the network </td></tr></table>

</td><td>
						<table border="0" summary="Simple list" class="simplelist"><tr><td> · Proxies are often application-specific (HTTP, Telnet, etc.), or protocol-restricted (most proxies work with TCP-connected services only) </td></tr><tr><td> · Application services cannot run behind a proxy, so your application servers must use a separate form of network security </td></tr><tr><td> · Proxies can become a network bottleneck, as all requests and transmissions are passed through one source rather than directly from a client to a remote service </td></tr></table>

</td></tr></tbody></table></div></div><br class="table-break" /><div class="section" id="s1-firewall-ipt"><div class="titlepage"><div><div><h3 class="title" id="s1-firewall-ipt">46.8.1. Netfilter and IPTables</h3></div></div></div><a id="id913235" class="indexterm"></a><a id="id913247" class="indexterm"></a><a id="id997225" class="indexterm"></a><div class="para">
			The Linux kernel features a powerful networking subsystem called <em class="firstterm">Netfilter</em>. The Netfilter subsystem provides stateful or stateless packet filtering as well as NAT and IP masquerading services. Netfilter also has the ability to <em class="firstterm">mangle</em> IP header information for advanced routing and connection state management. Netfilter is controlled using the <code class="command">iptables</code> tool.
		</div><div class="section" id="s2-firewall-ipt-background"><div class="titlepage"><div><div><h4 class="title" id="s2-firewall-ipt-background">46.8.1.1. IPTables Overview</h4></div></div></div><div class="para">
				The power and flexibility of Netfilter is implemented using the <code class="command">iptables</code> administration tool, a command line tool similar in syntax to its predecessor, <code class="command">ipchains</code>.
			</div><div class="para">
				A similar syntax does not mean similar implementation, however. <code class="command">ipchains</code> requires intricate rule sets for: filtering source paths; filtering destination paths; and filtering both source and destination connection ports.
			</div><div class="para">
				By contrast, <code class="command">iptables</code> uses the Netfilter subsystem to enhance network connection, inspection, and processing. <code class="command">iptables</code> features advanced logging, pre- and post-routing actions, network address translation, and port forwarding, all in one command line interface.
			</div><div class="para">
				This section provides an overview of <code class="command">iptables</code>. For more detailed information, refer to <a class="xref" href="#ch-iptables">Section 46.9, “IPTables”</a>.
			</div></div></div><div class="section" id="s1-basic-firewall"><div class="titlepage"><div><div><h3 class="title" id="s1-basic-firewall">46.8.2. Basic Firewall Configuration</h3></div></div></div><a id="id1086484" class="indexterm"></a><div class="para">
			Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent malicious software from spreading to your computer. It also helps to prevent unauthorized users from accessing your computer.
		</div><div class="para">
			In a default Red Hat Enterprise Linux installation, a firewall exists between your computer or network and any untrusted networks, for example the Internet. It determines which services on your computer remote users can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Enterprise Linux system with an Internet connection.
		</div><div class="section" id="s2-basic-firewall-securitylevel"><div class="titlepage"><div><div><h4 class="title" id="s2-basic-firewall-securitylevel">46.8.2.1. <span class="application"><strong>Security Level Configuration Tool</strong></span></h4></div></div></div><a id="id942433" class="indexterm"></a><a id="id1013243" class="indexterm"></a><div class="para">
				During the <span class="guilabel"><strong>Firewall Configuration</strong></span> screen of the Red Hat Enterprise Linux installation, you were given the option to enable a basic firewall as well as to allow specific devices, incoming services, and ports.
			</div><div class="para">
				After installation, you can change this preference by using the <span class="application"><strong>Security Level Configuration Tool</strong></span>.
			</div><div class="para">
				To start this application, use the following command:
			</div><pre class="screen"><code class="command">system-config-securitylevel</code></pre><div class="figure" id="rh-securitylevel-fig"><div class="figure-contents"><div class="mediaobject"><img src="images/rh-securitylevel.png" alt="Security Level Configuration Tool" /><div class="longdesc"><div class="para">
							Security Level Configuration
						</div></div></div></div><h6>Figure 46.15. <span class="application">Security Level Configuration Tool</span></h6></div><br class="figure-break" /><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					The <span class="application"><strong>Security Level Configuration Tool</strong></span> only configures a basic firewall. If the system needs more complex rules, refer to <a class="xref" href="#ch-iptables">Section 46.9, “IPTables”</a> for details on configuring specific <code class="command">iptables</code> rules.
				</div></div></div></div><div class="section" id="s2-basic-firewall-securitylevel-enable"><div class="titlepage"><div><div><h4 class="title" id="s2-basic-firewall-securitylevel-enable">46.8.2.2. Enabling and Disabling the Firewall</h4></div></div></div><a id="id987914" class="indexterm"></a><div class="para">
				Select one of the following options for the firewall:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Disabled</strong></span> — Disabling the firewall provides complete access to your system and does no security checking. This should only be selected if you are running on a trusted network (not the Internet) or need to configure a custom firewall using the iptables command line tool.
					</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
							Firewall configurations and any customized firewall rules are stored in the <code class="filename">/etc/sysconfig/iptables</code> file. If you choose <span class="guilabel"><strong>Disabled</strong></span> and click <span class="guibutton"><strong>OK</strong></span>, these configurations and firewall rules will be lost.
						</div></div></div></li><li class="listitem"><div class="para">
						<span class="guilabel"><strong>Enabled</strong></span> — This option configures the system to reject incoming connections that are not in response to outbound requests, such as DNS replies or DHCP requests. If access to services running on this machine is needed, you can choose to allow specific services through the firewall.
					</div><div class="para">
						If you are connecting your system to the Internet, but do not plan to run a server, this is the safest choice.
					</div></li></ul></div></div><div class="section" id="s2-basic-firewall-securitylevel-services"><div class="titlepage"><div><div><h4 class="title" id="s2-basic-firewall-securitylevel-services">46.8.2.3. Trusted Services</h4></div></div></div><a id="id1036058" class="indexterm"></a><div class="para">
				Enabling options in the <span class="guilabel"><strong>Trusted services</strong></span> list allows the specified service to pass through the firewall.
			</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"><span class="guilabel"><strong>WWW (HTTP)</strong></span></span></dt><dd><div class="para">
							The HTTP protocol is used by Apache (and by other Web servers) to serve web pages. If you plan on making your Web server publicly available, select this check box. This option is not required for viewing pages locally or for developing web pages. This service requires that the <code class="filename">httpd</code> package be installed.
						</div><div class="para">
							Enabling <span class="guilabel"><strong>WWW (HTTP)</strong></span> will not open a port for HTTPS, the SSL version of HTTP. If this service is required, select the <span class="guilabel"><strong>Secure WWW (HTTPS)</strong></span> check box.
						</div></dd><dt class="varlistentry"><span class="term"><span class="guilabel"><strong>FTP</strong></span></span></dt><dd><div class="para">
							The FTP protocol is used to transfer files between machines on a network. If you plan on making your FTP server publicly available, select this check box. This service requires that the <code class="filename">vsftpd</code> package be installed.
						</div></dd><dt class="varlistentry"><span class="term"><span class="guilabel"><strong>SSH</strong></span></span></dt><dd><div class="para">
							Secure Shell (SSH) is a suite of tools for logging into and executing commands on a remote machine. To allow remote access to the machine via ssh, select this check box. This service requires that the <code class="filename">openssh-server</code> package be installed.
						</div></dd><dt class="varlistentry"><span class="term"><span class="guilabel"><strong>Telnet</strong></span></span></dt><dd><div class="para">
							Telnet is a protocol for logging into remote machines. Telnet communications are unencrypted and provide no security from network snooping. Allowing incoming Telnet access is not recommended. To allow remote access to the machine via telnet, select this check box. This service requires that the <code class="filename">telnet-server</code> package be installed.
						</div></dd><dt class="varlistentry"><span class="term"><span class="guilabel"><strong>Mail (SMTP)</strong></span></span></dt><dd><div class="para">
							SMTP is a protocol that allows remote hosts to connect directly to your machine to deliver mail. You do not need to enable this service if you collect your mail from your ISP's server using POP3 or IMAP, or if you use a tool such as <code class="command">fetchmail</code>. To allow delivery of mail to your machine, select this check box. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.
						</div></dd><dt class="varlistentry"><span class="term"><span class="guilabel"><strong>NFS4</strong></span></span></dt><dd><div class="para">
							The Network File System (NFS) is a file sharing protocol commonly used on *NIX systems. Version 4 of this protocol is more secure than its predecessors. If you want to share files or directories on your system with other network users, select this check box.
						</div></dd><dt class="varlistentry"><span class="term"><span class="guilabel"><strong>Samba</strong></span></span></dt><dd><div class="para">
							Samba is an implementation of Microsoft's proprietary SMB networking protocol. If you need to share files, directories, or locally-connected printers with Microsoft Windows machines, select this check box.
						</div></dd></dl></div></div><div class="section" id="s2-basic-firewall-securitylevel-other"><div class="titlepage"><div><div><h4 class="title" id="s2-basic-firewall-securitylevel-other">46.8.2.4. Other Ports</h4></div></div></div><a id="id1021888" class="indexterm"></a><div class="para">
				The <span class="application"><strong>Security Level Configuration Tool</strong></span> includes an <span class="guilabel"><strong>Other ports</strong></span> section for specifying custom IP ports as being trusted by <code class="command">iptables</code>. For example, to allow IRC and Internet printing protocol (IPP) to pass through the firewall, add the following to the <span class="guilabel"><strong>Other ports</strong></span> section:
			</div><div class="para">
				<code class="computeroutput">194:tcp,631:tcp</code>
			</div></div><div class="section" id="s2-basic-firewall-securitylevel-commit"><div class="titlepage"><div><div><h4 class="title" id="s2-basic-firewall-securitylevel-commit">46.8.2.5. Saving the Settings</h4></div></div></div><a id="id1030516" class="indexterm"></a><div class="para">
				Click <span class="guibutton"><strong>OK</strong></span> to save the changes and enable or disable the firewall. If <span class="guilabel"><strong>Enable firewall</strong></span> was selected, the options selected are translated to <code class="command">iptables</code> commands and written to the <code class="filename">/etc/sysconfig/iptables</code> file. The <code class="command">iptables</code> service is also started so that the firewall is activated immediately after saving the selected options. If <span class="guilabel"><strong>Disable firewall</strong></span> was selected, the <code class="filename">/etc/sysconfig/iptables</code> file is removed and the <code class="command">iptables</code> service is stopped immediately.
			</div><div class="para">
				The selected options are also written to the <code class="filename">/etc/sysconfig/system-config-securitylevel</code> file so that the settings can be restored the next time the application is started. Do not edit this file by hand.
			</div><div class="para">
				Even though the firewall is activated immediately, the <code class="command">iptables</code> service is not configured to start automatically at boot time. Refer to <a class="xref" href="#s2-basic-firewall-activate-iptables">Section 46.8.2.6, “Activating the IPTables Service”</a> for more information.
			</div></div><div class="section" id="s2-basic-firewall-activate-iptables"><div class="titlepage"><div><div><h4 class="title" id="s2-basic-firewall-activate-iptables">46.8.2.6. Activating the IPTables Service</h4></div></div></div><a id="id891531" class="indexterm"></a><a id="id1010113" class="indexterm"></a><div class="para">
				The firewall rules are only active if the <code class="command">iptables</code> service is running. To manually start the service, use the following command:
			</div><pre class="screen"><code class="command">service iptables restart</code></pre><div class="para">
				To ensure that <code class="command">iptables</code> starts when the system is booted, use the following command:
			</div><pre class="screen"><code class="command">chkconfig --level 345 iptables on</code></pre><div class="para">
				The <code class="command">ipchains</code> service is not included in Red Hat Enterprise Linux. However, if <code class="command">ipchains</code> is installed (for example, an upgrade was performed and the system had <code class="command">ipchains</code> previously installed), the <code class="command">ipchains</code> and <code class="command">iptables</code> services should not be activated simultaneously. To make sure the <code class="command">ipchains</code> service is disabled and configured not to start at boot time, use the following two commands:
			</div><pre class="screen"><code class="command">service ipchains stop</code>
<code class="command">chkconfig --level 345 ipchains off</code></pre></div></div><div class="section" id="s1-fireall-ipt-act"><div class="titlepage"><div><div><h3 class="title" id="s1-fireall-ipt-act">46.8.3. Using IPTables</h3></div></div></div><a id="id1009752" class="indexterm"></a><div class="para">
			The first step in using <code class="command">iptables</code> is to start the <code class="command">iptables</code> service. Use the following command to start the <code class="command">iptables</code> service:
		</div><pre class="screen"><code class="command">service iptables start</code></pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				The <code class="command">ip6tables</code> service can be turned off if you intend to use the <code class="command">iptables</code> service only. If you deactivate the <code class="command">ip6tables</code> service, remember to deactivate the IPv6 network also. Never leave a network device active without the matching firewall.
			</div></div></div><div class="para">
			To force <code class="command">iptables</code> to start by default when the system is booted, use the following command:
		</div><pre class="screen"><code class="command">chkconfig --level 345 iptables on</code></pre><div class="para">
			This forces <code class="command">iptables</code> to start whenever the system is booted into runlevel 3, 4, or 5.
		</div><div class="section" id="iptables-command-syntax"><div class="titlepage"><div><div><h4 class="title" id="iptables-command-syntax">46.8.3.1. IPTables Command Syntax</h4></div></div></div><div class="para">
				The following sample <code class="command">iptables</code> command illustrates the basic command syntax:
			</div><pre class="screen"><code class="command">iptables -A <em class="replaceable"><code>&lt;chain&gt;</code></em> -j <em class="replaceable"><code>&lt;target&gt;</code></em></code></pre><a id="id1085226" class="indexterm"></a><div class="para">
				The <code class="option">-A</code> option specifies that the rule be appended to <em class="firstterm">&lt;chain&gt;</em>. Each chain is comprised of one or more <em class="firstterm">rules</em>, and is therefore also known as a <em class="firstterm">ruleset</em>.
			</div><div class="para">
				The three built-in chains are INPUT, OUTPUT, and FORWARD. These chains are permanent and cannot be deleted. The chain specifies the point at which a packet is manipulated.
			</div><div class="para">
				The <code class="option">-j <em class="replaceable"><code>&lt;target&gt;</code></em></code> option specifies the target of the rule; i.e., what to do if the packet matches the rule. Examples of built-in targets are ACCEPT, DROP, and REJECT.
			</div><div class="para">
				Refer to the <code class="command">iptables</code> man page for more information on the available chains, options, and targets.
			</div></div><div class="section" id="s2-firewall-policies"><div class="titlepage"><div><div><h4 class="title" id="s2-firewall-policies">46.8.3.2. Basic Firewall Policies</h4></div></div></div><a id="id988402" class="indexterm"></a><a id="id1027978" class="indexterm"></a><div class="para">
				Establishing basic firewall policies creates a foundation for building more detailed, user-defined rules.
			</div><div class="para">
				Each <code class="command">iptables</code> chain is comprised of a default policy, and zero or more rules which work in concert with the default policy to define the overall ruleset for the firewall.
			</div><div class="para">
				The default policy for a chain can be either DROP or ACCEPT. Security-minded administrators typically implement a default policy of DROP, and only allow specific packets on a case-by-case basis. For example, the following policies block all incoming and outgoing packets on a network gateway:
			</div><pre class="screen"><code class="command">iptables -P INPUT DROP</code>
<code class="command">iptables -P OUTPUT DROP</code></pre><div class="para">
				It is also recommended that any <em class="firstterm">forwarded packets</em> — network traffic that is to be routed from the firewall to its destination node — be denied as well, to restrict internal clients from inadvertent exposure to the Internet. To do this, use the following rule:
			</div><pre class="screen"><code class="command">iptables -P FORWARD DROP</code></pre><div class="para">
				When you have established the default policies for each chain, you can create and save further rules for your particular network and security requirements.
			</div><div class="para">
				The following sections describe how to save iptables rules and outline some of the rules you might implement in the course of building your iptables firewall.
			</div></div><div class="section" id="s2-firewall-ipt-act-sav"><div class="titlepage"><div><div><h4 class="title" id="s2-firewall-ipt-act-sav">46.8.3.3. Saving and Restoring IPTables Rules</h4></div></div></div><a id="id1016829" class="indexterm"></a><a id="id1016846" class="indexterm"></a><a id="id1015527" class="indexterm"></a><div class="para">
				Changes to <code class="command">iptables</code> are transitory; if the system is rebooted or if the <code class="command">iptables</code> service is restarted, the rules are automatically flushed and reset. To save the rules so that they are loaded when the <code class="command">iptables</code> service is started, use the following command:
			</div><pre class="screen"><code class="command">service iptables save</code></pre><div class="para">
				The rules are stored in the file <code class="filename">/etc/sysconfig/iptables</code> and are applied whenever the service is started or the machine is rebooted.
			</div></div></div><div class="section" id="s1-firewall-ipt-basic"><div class="titlepage"><div><div><h3 class="title" id="s1-firewall-ipt-basic">46.8.4. Common IPTables Filtering</h3></div></div></div><a id="id988761" class="indexterm"></a><a id="id937650" class="indexterm"></a><a id="id1009078" class="indexterm"></a><div class="para">
			Preventing remote attackers from accessing a LAN is one of the most important aspects of network security. The integrity of a LAN should be protected from malicious remote users through the use of stringent firewall rules.
		</div><div class="para">
			However, with a default policy set to block all incoming, outgoing, and forwarded packets, it is impossible for the firewall/gateway and internal LAN users to communicate with each other or with external resources.
		</div><div class="para">
			To allow users to perform network-related functions and to use networking applications, administrators must open certain ports for communication.
		</div><div class="para">
			For example, to allow access to port 80 <span class="emphasis"><em>on the firewall</em></span>, append the following rule:
		</div><pre class="screen"><code class="command">iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT</code></pre><div class="para">
			This allows users to browse websites that communicate using the standard port 80. To allow access to secure websites (for example, https://www.example.com/), you also need to provide access to port 443, as follows:
		</div><pre class="screen"><code class="command">iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT</code></pre><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
				When creating an <code class="command">iptables</code> ruleset, order is important.
			</div><div class="para">
				If a rule specifies that any packets from the 192.168.100.0/24 subnet be dropped, and this is followed by a rule that allows packets from 192.168.100.13 (which is within the dropped subnet), then the second rule is ignored.
			</div><div class="para">
				The rule to allow packets from 192.168.100.13 must precede the rule that drops the remainder of the subnet.
			</div><div class="para">
				To insert a rule in a specific location in an existing chain, use the <code class="option">-I</code> option. For example:
			</div><pre class="screen"><code class="command">iptables -I INPUT 1 -i lo -p all -j ACCEPT</code></pre><div class="para">
				This rule is inserted as the first rule in the INPUT chain to allow local loopback device traffic.
			</div></div></div><div class="para">
			There may be times when you require remote access to the LAN. Secure services, for example SSH, can be used for encrypted remote connection to LAN services.
		</div><div class="para">
			Administrators with PPP-based resources (such as modem banks or bulk ISP accounts), dial-up access can be used to securely circumvent firewall barriers. Because they are direct connections, modem connections are typically behind a firewall/gateway.
		</div><div class="para">
			For remote users with broadband connections, however, special cases can be made. You can configure <code class="command">iptables</code> to accept connections from remote SSH clients. For example, the following rules allow remote SSH access:
		</div><pre class="screen"><code class="command">iptables -A INPUT -p tcp --dport 22 -j ACCEPT</code>
<code class="command">iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT</code></pre><div class="para">
			These rules allow incoming and outbound access for an individual system, such as a single PC directly connected to the Internet or a firewall/gateway. However, they do not allow nodes behind the firewall/gateway to access these services. To allow LAN access to these services, you can use <em class="firstterm">Network Address Translation</em> (<acronym class="acronym">NAT</acronym>) with <code class="command">iptables</code> filtering rules.
		</div></div><div class="section" id="s1-firewall-ipt-fwd"><div class="titlepage"><div><div><h3 class="title" id="s1-firewall-ipt-fwd">46.8.5. <code class="computeroutput">FORWARD</code> and <acronym class="acronym">NAT</acronym> Rules</h3></div></div></div><a id="id1017027" class="indexterm"></a><a id="id1084420" class="indexterm"></a><a id="id1084430" class="indexterm"></a><a id="id949465" class="indexterm"></a><a id="id1030470" class="indexterm"></a><div class="para">
			Most ISPs provide only a limited number of publicly routable IP addresses to the organizations they serve.
		</div><div class="para">
			Administrators must, therefore, find alternative ways to share access to Internet services without giving public IP addresses to every node on the LAN. Using private IP addresses is the most common way of allowing all nodes on a LAN to properly access internal and external network services.
		</div><div class="para">
			Edge routers (such as firewalls) can receive incoming transmissions from the Internet and route the packets to the intended LAN node. At the same time, firewalls/gateways can also route outgoing requests from a LAN node to the remote Internet service.
		</div><div class="para">
			This forwarding of network traffic can become dangerous at times, especially with the availability of modern cracking tools that can spoof <span class="emphasis"><em>internal</em></span> IP addresses and make the remote attacker's machine act as a node on your LAN.
		</div><div class="para">
			To prevent this, <code class="command">iptables</code> provides routing and forwarding policies that can be implemented to prevent abnormal usage of network resources.
		</div><div class="para">
			The <code class="computeroutput">FORWARD</code> chain allows an administrator to control where packets can be routed within a LAN. For example, to allow forwarding for the entire LAN (assuming the firewall/gateway is assigned an internal IP address on eth1), use the following rules:
		</div><pre class="screen"><code class="command">iptables -A FORWARD -i eth1 -j ACCEPT</code>
<code class="command">iptables -A FORWARD -o eth1 -j ACCEPT</code></pre><div class="para">
			This rule gives systems behind the firewall/gateway access to the internal network. The gateway routes packets from one LAN node to its intended destination node, passing all packets through its <code class="filename">eth1</code> device.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				By default, the IPv4 policy in Red Hat Enterprise Linux kernels disables support for IP forwarding. This prevents machines that run Red Hat Enterprise Linux from functioning as dedicated edge routers. To enable IP forwarding, use the following command:
			</div><pre class="screen"><code class="command">sysctl -w net.ipv4.ip_forward=1</code></pre><div class="para">
				This configuration change is only valid for the current session; it does not persist beyond a reboot or network service restart. To permanently set IP forwarding, edit the <code class="filename">/etc/sysctl.conf</code> file as follows:
			</div><div class="para">
				Locate the following line:
			</div><pre class="screen">net.ipv4.ip_forward = 0</pre><div class="para">
				Edit it to read as follows:
			</div><pre class="screen">net.ipv4.ip_forward = 1</pre><div class="para">
				Use the following command to enable the change to the <code class="filename">sysctl.conf</code> file:
			</div><pre class="screen"><code class="command">sysctl -p /etc/sysctl.conf</code></pre></div></div><div class="section" id="postrouting-ipmasquerading"><div class="titlepage"><div><div><h4 class="title" id="postrouting-ipmasquerading">46.8.5.1. Postrouting and IP Masquerading</h4></div></div></div><a id="id1020764" class="indexterm"></a><a id="id1011672" class="indexterm"></a><div class="para">
				Accepting forwarded packets via the firewall's internal IP device allows LAN nodes to communicate with each other; however they still cannot communicate externally to the Internet.
			</div><div class="para">
				To allow LAN nodes with private IP addresses to communicate with external public networks, configure the firewall for <em class="firstterm">IP masquerading</em>, which masks requests from LAN nodes with the IP address of the firewall's external device (in this case, eth0):
			</div><pre class="screen"><code class="command">iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</code></pre><div class="para">
				This rule uses the NAT packet matching table (<code class="option">-t nat</code>) and specifies the built-in POSTROUTING chain for NAT (<code class="option">-A POSTROUTING</code>) on the firewall's external networking device (<code class="option">-o eth0</code>).
			</div><div class="para">
				POSTROUTING allows packets to be altered as they are leaving the firewall's external device.
			</div><div class="para">
				The <code class="option">-j MASQUERADE</code> target is specified to mask the private IP address of a node with the external IP address of the firewall/gateway.
			</div></div><div class="section" id="prerouting"><div class="titlepage"><div><div><h4 class="title" id="prerouting">46.8.5.2. Prerouting</h4></div></div></div><a id="id1101655" class="indexterm"></a><div class="para">
				If you have a server on your internal network that you want make available externally, you can use the <code class="option">-j DNAT</code> target of the PREROUTING chain in NAT to specify a destination IP address and port where incoming packets requesting a connection to your internal service can be forwarded.
			</div><div class="para">
				For example, if you want to forward incoming HTTP requests to your dedicated Apache HTTP Server at 172.31.0.23, use the following command:
			</div><pre class="screen"><code class="command">iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.0.23:80</code></pre><div class="para">
				This rule specifies that the <acronym class="acronym">nat</acronym> table use the built-in PREROUTING chain to forward incoming HTTP requests exclusively to the listed destination IP address of 172.31.0.23.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					If you have a default policy of DROP in your FORWARD chain, you must append a rule to forward all incoming HTTP requests so that destination NAT routing is possible. To do this, use the following command:
				</div><pre class="screen"><code class="command">iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 172.31.0.23 -j ACCEPT</code></pre><div class="para">
					This rule forwards all incoming HTTP requests from the firewall to the intended destination; the Apache HTTP Server behind the firewall.
				</div></div></div></div><div class="section" id="s2-firewall-dmz"><div class="titlepage"><div><div><h4 class="title" id="s2-firewall-dmz">46.8.5.3. DMZs and IPTables</h4></div></div></div><a id="id914532" class="indexterm"></a><a id="id940190" class="indexterm"></a><a id="id944003" class="indexterm"></a><a id="id944014" class="indexterm"></a><a id="id1032848" class="indexterm"></a><div class="para">
				You can create <code class="command">iptables</code> rules to route traffic to certain machines, such as a dedicated HTTP or FTP server, in a <em class="firstterm">demilitarized zone</em> (<acronym class="acronym">DMZ</acronym>). A <acronym class="acronym">DMZ</acronym> is a special local subnetwork dedicated to providing services on a public carrier, such as the Internet.
			</div><div class="para">
				For example, to set a rule for routing incoming HTTP requests to a dedicated HTTP server at 10.0.4.2 (outside of the 192.168.1.0/24 range of the LAN), NAT uses the <code class="computeroutput">PREROUTING</code> table to forward the packets to the appropriate destination:
			</div><pre class="screen"><code class="command">iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.4.2:80</code></pre><div class="para">
				With this command, all HTTP connections to port 80 from outside of the LAN are routed to the HTTP server on a network separate from the rest of the internal network. This form of network segmentation can prove safer than allowing HTTP connections to a machine on the network.
			</div><div class="para">
				If the HTTP server is configured to accept secure connections, then port 443 must be forwarded as well.
			</div></div></div><div class="section" id="s1-firewall-ipt-rule"><div class="titlepage"><div><div><h3 class="title" id="s1-firewall-ipt-rule">46.8.6. Malicious Software and Spoofed IP Addresses</h3></div></div></div><a id="id1030744" class="indexterm"></a><a id="id1027608" class="indexterm"></a><div class="para">
			More elaborate rules can be created that control access to specific subnets, or even specific nodes, within a LAN. You can also restrict certain dubious applications or programs such as Trojans, worms, and other client/server viruses from contacting their server.
		</div><div class="para">
			For example, some Trojans scan networks for services on ports from 31337 to 31340 (called the <span class="emphasis"><em>elite</em></span> ports in cracking terminology).
		</div><div class="para">
			Since there are no legitimate services that communicate via these non-standard ports, blocking them can effectively diminish the chances that potentially infected nodes on your network independently communicate with their remote master servers.
		</div><div class="para">
			The following rules drop all TCP traffic that attempts to use port 31337:
		</div><pre class="screen"><code class="command">iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP</code>
<code class="command">iptables -A FORWARD -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP</code></pre><div class="para">
			You can also block outside connections that attempt to spoof private IP address ranges to infiltrate your LAN.
		</div><div class="para">
			For example, if your LAN uses the 192.168.1.0/24 range, you can design a rule that instructs the Internet-facing network device (for example, eth0) to drop any packets to that device with an address in your LAN IP range.
		</div><div class="para">
			Because it is recommended to reject forwarded packets as a default policy, any other spoofed IP address to the external-facing device (eth0) is rejected automatically.
		</div><pre class="screen"><code class="command">iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP</code></pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				There is a distinction between the <code class="computeroutput">DROP</code> and <code class="computeroutput">REJECT</code> targets when dealing with <span class="emphasis"><em>appended</em></span> rules.
			</div><div class="para">
				The <code class="computeroutput">REJECT</code> target denies access and returns a <code class="computeroutput">connection refused</code> error to users who attempt to connect to the service. The <code class="computeroutput">DROP</code> target, as the name implies, drops the packet without any warning.
			</div><div class="para">
				Administrators can use their own discretion when using these targets. However, to avoid user confusion and attempts to continue connecting, the <code class="computeroutput">REJECT</code> target is recommended.
			</div></div></div></div><div class="section" id="s1-firewall-state"><div class="titlepage"><div><div><h3 class="title" id="s1-firewall-state">46.8.7. IPTables and Connection Tracking</h3></div></div></div><a id="id949614" class="indexterm"></a><a id="id1013213" class="indexterm"></a><a id="id1013228" class="indexterm"></a><a id="id1087698" class="indexterm"></a><div class="para">
			You can inspect and restrict connections to services based on their <em class="firstterm">connection state.</em> A module within <code class="command">iptables</code> uses a method called <em class="firstterm">connection tracking</em> to store information about incoming connections. You can allow or deny access based on the following connection states:
		</div><a id="id1038141" class="indexterm"></a><a id="id1022487" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="option">NEW</code> — A packet requesting a new connection, such as an HTTP request.
				</div></li><li class="listitem"><div class="para">
					<code class="option">ESTABLISHED</code> — A packet that is part of an existing connection.
				</div></li><li class="listitem"><div class="para">
					<code class="option">RELATED</code> — A packet that is requesting a new connection but is part of an existing connection. For example, FTP uses port 21 to establish a connection, but data is transferred on a different port (typically port 20).
				</div></li><li class="listitem"><div class="para">
					<code class="option">INVALID</code> — A packet that is not part of any connections in the connection tracking table.
				</div></li></ul></div><div class="para">
			You can use the stateful functionality of <code class="command">iptables</code> connection tracking with any network protocol, even if the protocol itself is stateless (such as UDP). The following example shows a rule that uses connection tracking to forward only the packets that are associated with an established connection:
		</div><pre class="screen"><code class="command">iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT</code></pre></div><div class="section" id="s1-firewall-ip6t"><div class="titlepage"><div><div><h3 class="title" id="s1-firewall-ip6t">46.8.8. IPv6</h3></div></div></div><a id="id943362" class="indexterm"></a><a id="id943376" class="indexterm"></a><div class="para">
			The introduction of the next-generation Internet Protocol, called IPv6, expands beyond the 32-bit address limit of IPv4 (or IP). IPv6 supports 128-bit addresses, and carrier networks that are IPv6 aware are therefore able to address a larger number of routable addresses than IPv4.
		</div><div class="para">
			Red Hat Enterprise Linux supports IPv6 firewall rules using the Netfilter 6 subsystem and the <code class="command">ip6tables</code> command. In Red Hat Enterprise Linux 5, both IPv4 and IPv6 services are enabled by default.
		</div><div class="para">
			The <code class="command">ip6tables</code> command syntax is identical to <code class="command">iptables</code> in every aspect except that it supports 128-bit addresses. For example, use the following command to enable SSH connections on an IPv6-aware network server:
		</div><pre class="screen"><code class="command">ip6tables -A INPUT -i eth0 -p tcp -s 3ffe:ffff:100::1/128 --dport 22 -j ACCEPT</code></pre><div class="para">
			For more information about IPv6 networking, refer to the IPv6 Information Page at <a href="http://www.ipv6.org/">http://www.ipv6.org/</a>.
		</div></div><div class="section" id="s1-firewall-moreinfo"><div class="titlepage"><div><div><h3 class="title" id="s1-firewall-moreinfo">46.8.9. Additional Resources</h3></div></div></div><a id="id1023836" class="indexterm"></a><a id="id937811" class="indexterm"></a><a id="id937825" class="indexterm"></a><div class="para">
			There are several aspects to firewalls and the Linux Netfilter subsystem that could not be covered in this chapter. For more information, refer to the following resources.
		</div><div class="section" id="s2-firewall-moreinfo-doc"><div class="titlepage"><div><div><h4 class="title" id="s2-firewall-moreinfo-doc">46.8.9.1. Installed Documentation</h4></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Refer to <a class="xref" href="#ch-iptables">Section 46.9, “IPTables”</a> for more detailed information on the <code class="command">iptables</code> command, including definitions for many command options.
					</div></li><li class="listitem"><div class="para">
						The <code class="command">iptables</code> man page contains a brief summary of the various options.
					</div></li></ul></div></div><div class="section" id="s2-firewall-moreinfo-web"><div class="titlepage"><div><div><h4 class="title" id="s2-firewall-moreinfo-web">46.8.9.2. Useful Websites</h4></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://www.netfilter.org/">http://www.netfilter.org/</a> — The official homepage of the Netfilter and <code class="command">iptables</code> project.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.tldp.org/">http://www.tldp.org/</a> — The Linux Documentation Project contains several useful guides relating to firewall creation and administration.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.iana.org/assignments/port-numbers">http://www.iana.org/assignments/port-numbers</a> — The official list of registered and common service ports as assigned by the Internet Assigned Numbers Authority.
					</div></li></ul></div></div><div class="section" id="s2-firewall-moreinfo-bk"><div class="titlepage"><div><div><h4 class="title" id="s2-firewall-moreinfo-bk">46.8.9.3. Related Documentation</h4></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<em class="citetitle">Red Hat Linux Firewalls</em>, by Bill McCarty; Red Hat Press — a comprehensive reference to building network and server firewalls using open source packet filtering technology such as Netfilter and <code class="command">iptables</code>. It includes topics that cover analyzing firewall logs, developing firewall rules, and customizing your firewall using various graphical tools.
					</div></li><li class="listitem"><div class="para">
						<em class="citetitle">Linux Firewalls</em>, by Robert Ziegler; New Riders Press — contains a wealth of information on building firewalls using both 2.2 kernel <code class="command">ipchains</code> as well as Netfilter and <code class="command">iptables</code>. Additional security topics such as remote access issues and intrusion detection systems are also covered.
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="section" id="ch-iptables" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="ch-iptables">46.9. IPTables</h2></div></div></div><a id="id997363" class="indexterm"></a><a id="id1079276" class="indexterm"></a><a id="id1012003" class="indexterm"></a><div class="para">
		Included with Red Hat Enterprise Linux are advanced tools for network <em class="firstterm">packet filtering</em> — the process of controlling network packets as they enter, move through, and exit the network stack within the kernel. Kernel versions prior to 2.4 relied on <code class="command">ipchains</code> for packet filtering and used lists of rules applied to packets at each step of the filtering process. The 2.4 kernel introduced <code class="command">iptables</code> (also called <em class="firstterm">netfilter</em>), which is similar to <code class="command">ipchains</code> but greatly expands the scope and control available for filtering network packets.
	</div><div class="para">
		This chapter focuses on packet filtering basics, defines the differences between <code class="command">ipchains</code> and <code class="command">iptables</code>, explains various options available with <code class="command">iptables</code> commands, and explains how filtering rules can be preserved between system reboots.
	</div><div class="para">
		Refer to <a class="xref" href="#s1-iptables-additional-resources">Section 46.9.7, “Additional Resources”</a> for instructions on how to construct <code class="command">iptables</code> rules and setting up a firewall based on these rules.
	</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
			The default firewall mechanism in the 2.4 and later kernels is <code class="command">iptables</code>, but <code class="command">iptables</code> cannot be used if <code class="command">ipchains</code> is already running. If <code class="command">ipchains</code> is present at boot time, the kernel issues an error and fails to start <code class="command">iptables</code>.
		</div><div class="para">
			The functionality of <code class="command">ipchains</code> is not affected by these errors.
		</div></div></div><div class="section" id="s1-iptables-packetfiltering"><div class="titlepage"><div><div><h3 class="title" id="s1-iptables-packetfiltering">46.9.1. Packet Filtering</h3></div></div></div><a id="id947349" class="indexterm"></a><a id="id1035006" class="indexterm"></a><a id="id891319" class="indexterm"></a><a id="id999321" class="indexterm"></a><a id="id1034396" class="indexterm"></a><div class="para">
			The Linux kernel uses the <span class="application"><strong>Netfilter</strong></span> facility to filter packets, allowing some of them to be received by or pass through the system while stopping others. This facility is built in to the Linux kernel, and has three built-in <em class="firstterm">tables</em> or <em class="firstterm">rules lists</em>, as follows:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<code class="option">filter</code> — The default table for handling network packets.
				</div></li><li class="listitem"><div class="para">
					<code class="option">nat</code> — Used to alter packets that create a new connection and used for <em class="firstterm">Network Address Translation</em> (<em class="firstterm">NAT</em>).
				</div></li><li class="listitem"><div class="para">
					<code class="option">mangle</code> — Used for specific types of packet alteration.
				</div></li></ul></div><div class="para">
			Each table has a group of built-in <em class="firstterm">chains</em>, which correspond to the actions performed on the packet by <code class="command">netfilter</code>.
		</div><div class="para">
			The built-in chains for the <code class="option">filter</code> table are as follows:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<em class="firstterm">INPUT</em> — Applies to network packets that are targeted for the host.
				</div></li><li class="listitem"><div class="para">
					<em class="firstterm">OUTPUT</em> — Applies to locally-generated network packets.
				</div></li><li class="listitem"><div class="para">
					<em class="firstterm">FORWARD</em> — Applies to network packets routed through the host.
				</div></li></ul></div><div class="para">
			The built-in chains for the <code class="option">nat</code> table are as follows:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<em class="firstterm">PREROUTING</em> — Alters network packets when they arrive.
				</div></li><li class="listitem"><div class="para">
					<em class="firstterm">OUTPUT</em> — Alters locally-generated network packets before they are sent out.
				</div></li><li class="listitem"><div class="para">
					<em class="firstterm">POSTROUTING</em> — Alters network packets before they are sent out.
				</div></li></ul></div><div class="para">
			The built-in chains for the <code class="option">mangle</code> table are as follows:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<em class="firstterm">INPUT</em> — Alters network packets targeted for the host.
				</div></li><li class="listitem"><div class="para">
					<em class="firstterm">OUTPUT</em> — Alters locally-generated network packets before they are sent out.
				</div></li><li class="listitem"><div class="para">
					<em class="firstterm">FORWARD</em> — Alters network packets routed through the host.
				</div></li><li class="listitem"><div class="para">
					<em class="firstterm">PREROUTING</em> — Alters incoming network packets before they are routed.
				</div></li><li class="listitem"><div class="para">
					<em class="firstterm">POSTROUTING</em> — Alters network packets before they are sent out.
				</div></li></ul></div><div class="para">
			Every network packet received by or sent from a Linux system is subject to at least one table. However, a packet may be subjected to multiple rules within each table before emerging at the end of the chain. The structure and purpose of these rules may vary, but they usually seek to identify a packet coming from or going to a particular IP address, or set of addresses, when using a particular protocol and network service.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				By default, firewall rules are saved in the <code class="filename">/etc/sysconfig/iptables</code> or <code class="filename">/etc/sysconfig/ip6tables</code> files.
			</div><div class="para">
				The <code class="command">iptables</code> service starts before any DNS-related services when a Linux system is booted. This means that firewall rules can only reference numeric IP addresses (for example, 192.168.0.1). Domain names (for example, host.example.com) in such rules produce errors.
			</div></div></div><div class="para">
			Regardless of their destination, when packets match a particular rule in one of the tables, a <em class="firstterm">target</em> or action is applied to them. If the rule specifies an <code class="command">ACCEPT</code> target for a matching packet, the packet skips the rest of the rule checks and is allowed to continue to its destination. If a rule specifies a <code class="command">DROP</code> target, that packet is refused access to the system and nothing is sent back to the host that sent the packet. If a rule specifies a <code class="command">QUEUE</code> target, the packet is passed to user-space. If a rule specifies the optional <code class="command">REJECT</code> target, the packet is dropped, but an error packet is sent to the packet's originator.
		</div><div class="para">
			Every chain has a default policy to <code class="command">ACCEPT</code>, <code class="command">DROP</code>, <code class="command">REJECT</code>, or <code class="command">QUEUE</code>. If none of the rules in the chain apply to the packet, then the packet is dealt with in accordance with the default policy.
		</div><div class="para">
			The <code class="command">iptables</code> command configures these tables, as well as sets up new tables if necessary. 
		</div></div><div class="section" id="s1-iptables-differences"><div class="titlepage"><div><div><h3 class="title" id="s1-iptables-differences">46.9.2. Differences Between IPTables and IPChains</h3></div></div></div><a id="id1024788" class="indexterm"></a><div class="para">
			Both <code class="command">ipchains</code> and <code class="command">iptables</code> use chains of rules that operate within the Linux kernel to filter packets based on matches with specified rules or rule sets. However, <code class="command">iptables</code> offers a more extensible way of filtering packets, giving the administrator greater control without building undue complexity into the system.
		</div><div class="para">
			You should be aware of the following significant differences between <code class="command">ipchains</code> and <code class="command">iptables</code>:
		</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"> <span class="emphasis"><em>Using <code class="command">iptables</code>, each filtered packet is processed using rules from only one chain rather than multiple chains.</em></span> </span></dt><dd><div class="para">
						For example, a FORWARD packet coming into a system using <code class="command">ipchains</code> would have to go through the INPUT, FORWARD, and OUTPUT chains to continue to its destination. However, <code class="command">iptables</code> only sends packets to the INPUT chain if they are destined for the local system, and only sends them to the OUTPUT chain if the local system generated the packets. It is therefore important to place the rule designed to catch a particular packet within the chain that actually handles the packet.
					</div></dd><dt class="varlistentry"><span class="term"> <span class="emphasis"><em>The DENY target has been changed to DROP.</em></span> </span></dt><dd><div class="para">
						In <code class="command">ipchains</code>, packets that matched a rule in a chain could be directed to the DENY target. This target must be changed to DROP in <code class="command">iptables</code>.
					</div></dd><dt class="varlistentry"><span class="term"> <span class="emphasis"><em>Order matters when placing options in a rule.</em></span> </span></dt><dd><div class="para">
						In <code class="command">ipchains</code>, the order of the rule options does not matter.
					</div><div class="para">
						The <code class="command">iptables</code> command has a stricter syntax. The <code class="command">iptables</code> command requires that the protocol (ICMP, TCP, or UDP) be specified before the source or destination ports.
					</div></dd><dt class="varlistentry"><span class="term"> <span class="emphasis"><em>Network interfaces must be associated with the correct chains in firewall rules.</em></span> </span></dt><dd><div class="para">
						For example, incoming interfaces (<code class="option">-i</code> option) can only be used in INPUT or FORWARD chains. Similarly, outgoing interfaces (<code class="option">-o</code> option) can only be used in FORWARD or OUTPUT chains.
					</div><div class="para">
						In other words, INPUT chains and incoming interfaces work together; OUTPUT chains and outgoing interfaces work together. FORWARD chains work with both incoming and outgoing interfaces.
					</div><div class="para">
						OUTPUT chains are no longer used by incoming interfaces, and INPUT chains are not seen by packets moving through outgoing interfaces.
					</div></dd></dl></div><div class="para">
			This is not a comprehensive list of the changes. Refer to <a class="xref" href="#s1-iptables-additional-resources">Section 46.9.7, “Additional Resources”</a> for more specific information.
		</div></div><div class="section" id="s1-iptables-options"><div class="titlepage"><div><div><h3 class="title" id="s1-iptables-options">46.9.3. Command Options for IPTables</h3></div></div></div><a id="id1000400" class="indexterm"></a><div class="para">
			Rules for filtering packets are created using the <code class="command">iptables</code> command. The following aspects of the packet are most often used as criteria:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<span class="emphasis"><em>Packet Type</em></span> — Specifies the type of packets the command filters.
				</div></li><li class="listitem"><div class="para">
					<span class="emphasis"><em>Packet Source/Destination</em></span> — Specifies which packets the command filters based on the source or destination of the packet.
				</div></li><li class="listitem"><div class="para">
					<span class="emphasis"><em>Target</em></span> — Specifies what action is taken on packets matching the above criteria.
				</div></li></ul></div><div class="para">
			Refer to <a class="xref" href="#s2-iptables-options-match">Section 46.9.3.4, “IPTables Match Options”</a> and <a class="xref" href="#s2-iptables-options-target">Section 46.9.3.5, “Target Options”</a> for more information about specific options that address these aspects of a packet.
		</div><div class="para">
			The options used with specific <code class="command">iptables</code> rules must be grouped logically, based on the purpose and conditions of the overall rule, for the rule to be valid. The remainder of this section explains commonly-used options for the <code class="command">iptables</code> command.
		</div><div class="section" id="s2-iptables-options-structure"><div class="titlepage"><div><div><h4 class="title" id="s2-iptables-options-structure">46.9.3.1. Structure of IPTables Command Options</h4></div></div></div><a id="id1016349" class="indexterm"></a><div class="para">
				Many <code class="command">iptables</code> commands have the following structure:
			</div><pre class="screen">iptables [-t <em class="replaceable"><code>&lt;table-name&gt;</code></em>] <em class="replaceable"><code>&lt;command&gt;</code></em> <em class="replaceable"><code>&lt;chain-name&gt;</code></em> \
			<em class="replaceable"><code>&lt;parameter-1&gt;</code></em> <em class="replaceable"><code>&lt;option-1&gt;</code></em> \
			<em class="replaceable"><code>&lt;parameter-n&gt;</code></em> <em class="replaceable"><code>&lt;option-n&gt;</code></em></pre><div class="para">
				<em class="replaceable"><code>&lt;table-name&gt;</code></em> — Specifies which table the rule applies to. If omitted, the <code class="option">filter</code> table is used.
			</div><div class="para">
				<em class="replaceable"><code>&lt;command&gt;</code></em> — Specifies the action to perform, such as appending or deleting a rule.
			</div><div class="para">
				<em class="replaceable"><code>&lt;chain-name&gt;</code></em> — Specifies the chain to edit, create, or delete.
			</div><div class="para">
				<em class="replaceable"><code>&lt;parameter&gt;-&lt;option&gt;</code></em> pairs — Parameters and associated options that specify how to process a packet that matches the rule.
			</div><div class="para">
				The length and complexity of an <code class="command">iptables</code> command can change significantly, based on its purpose.
			</div><div class="para">
				For example, a command to remove a rule from a chain can be very short:
			</div><div class="para">
				<code class="command">iptables -D <em class="replaceable"><code>&lt;chain-name&gt; &lt;line-number&gt;</code></em></code>
			</div><div class="para">
				In contrast, a command that adds a rule which filters packets from a particular subnet using a variety of specific parameters and options can be rather long. When constructing <code class="command">iptables</code> commands, it is important to remember that some parameters and options require further parameters and options to construct a valid rule. This can produce a cascading effect, with the further parameters requiring yet more parameters. Until every parameter and option that requires another set of options is satisfied, the rule is not valid.
			</div><div class="para">
				Type <code class="command">iptables -h</code> to view a comprehensive list of <code class="command">iptables</code> command structures.
			</div></div><div class="section" id="s2-iptables-options-commands"><div class="titlepage"><div><div><h4 class="title" id="s2-iptables-options-commands">46.9.3.2. Command Options</h4></div></div></div><a id="id1100159" class="indexterm"></a><div class="para">
				Command options instruct <code class="command">iptables</code> to perform a specific action. Only one command option is allowed per <code class="command">iptables</code> command. With the exception of the help command, all commands are written in upper-case characters.
			</div><div class="para">
				The <code class="command">iptables</code> commands are as follows:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="option">-A</code> — Appends the rule to the end of the specified chain. Unlike the <code class="option">-I</code> option described below, it does not take an integer argument. It always appends the rule to the end of the specified chain.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-C</code> — Checks a particular rule before adding it to the user-specified chain. This command can help you construct complex <code class="command">iptables</code> rules by prompting you for additional parameters and options.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-D &lt;integer&gt; | &lt;rule&gt;</code> — Deletes a rule in a particular chain by number (such as <code class="option">5</code> for the fifth rule in a chain), or by rule specification. The rule specification must exactly match an existing rule.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-E</code> — Renames a user-defined chain. A user-defined chain is any chain other than the default, pre-existing chains. (Refer to the <code class="option">-N</code> option, below, for information on creating user-defined chains.) This is a cosmetic change and does not affect the structure of the table.
					</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
							If you attempt to rename one of the default chains, the system reports a <code class="computeroutput">Match not found</code> error. You cannot rename the default chains.
						</div></div></div></li><li class="listitem"><div class="para">
						<code class="option">-F</code> — Flushes the selected chain, which effectively deletes every rule in the chain. If no chain is specified, this command flushes every rule from every chain.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-h</code> — Provides a list of command structures, as well as a quick summary of command parameters and options.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-I [&lt;integer&gt;]</code> — Inserts the rule in the specified chain at a point specified by a user-defined integer argument. If no argument is specified, the rule is inserted at the top of the chain.
					</div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
							As noted above, the order of rules in a chain determines which rules apply to which packets. This is important to remember when adding rules using either the <code class="option">-A</code> or <code class="option">-I</code> option.
						</div><div class="para">
							This is especially important when adding rules using the <code class="option">-I</code> with an integer argument. If you specify an existing number when adding a rule to a chain, <code class="command">iptables</code> adds the new rule <span class="emphasis"><em>before</em></span> (or above) the existing rule.
						</div></div></div></li><li class="listitem"><div class="para">
						<code class="option">-L</code> — Lists all of the rules in the chain specified after the command. To list all rules in all chains in the default <code class="option">filter</code> table, do not specify a chain or table. Otherwise, the following syntax should be used to list the rules in a specific chain in a particular table:
					</div><pre class="screen"><code class="command">iptables -L <em class="replaceable"><code>&lt;chain-name&gt;</code></em> -t <em class="replaceable"><code>&lt;table-name&gt;</code></em></code></pre><div class="para">
						Additional options for the <code class="option">-L</code> command option, which provide rule numbers and allow more verbose rule descriptions, are described in <a class="xref" href="#s2-iptables-options-list">Section 46.9.3.6, “Listing Options”</a>.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-N</code> — Creates a new chain with a user-specified name. The chain name must be unique, otherwise an error message is displayed.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-P</code> — Sets the default policy for the specified chain, so that when packets traverse an entire chain without matching a rule, they are sent to the specified target, such as ACCEPT or DROP.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-R</code> — Replaces a rule in the specified chain. The rule's number must be specified after the chain's name. The first rule in a chain corresponds to rule number one.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-X</code> — Deletes a user-specified chain. You cannot delete a built-in chain.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-Z</code> — Sets the byte and packet counters in all chains for a table to zero.
					</div></li></ul></div></div><div class="section" id="s2-iptables-options-parameters"><div class="titlepage"><div><div><h4 class="title" id="s2-iptables-options-parameters">46.9.3.3. IPTables Parameter Options</h4></div></div></div><a id="id987384" class="indexterm"></a><div class="para">
				Certain <code class="command">iptables</code> commands, including those used to add, append, delete, insert, or replace rules within a particular chain, require various parameters to construct a packet filtering rule.
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="option">-c</code> — Resets the counters for a particular rule. This parameter accepts the <code class="option">PKTS</code> and <code class="option">BYTES</code> options to specify which counter to reset.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-d</code> — Sets the destination hostname, IP address, or network of a packet that matches the rule. When matching a network, the following IP address/netmask formats are supported:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="option"><em class="replaceable"><code>N.N.N.N</code></em>/<em class="replaceable"><code>M.M.M.M</code></em></code> — Where <em class="replaceable"><code>N.N.N.N</code></em> is the IP address range and <em class="replaceable"><code>M.M.M.M</code></em> is the netmask.
							</div></li><li class="listitem"><div class="para">
								<code class="option"><em class="replaceable"><code>N.N.N.N</code></em>/<em class="replaceable"><code>M</code></em></code> — Where <em class="replaceable"><code>N.N.N.N</code></em> is the IP address range and <em class="replaceable"><code>M</code></em> is the bitmask.
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<code class="option">-f</code> — Applies this rule only to fragmented packets.
					</div><div class="para">
						You can use the exclamation point character (<code class="option">!</code>) option after this parameter to specify that only unfragmented packets are matched.
					</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
							Distinguishing between fragmented and unfragmented packets is desirable, despite fragmented packets being a standard part of the IP protocol.
						</div><div class="para">
							Originally designed to allow IP packets to travel over networks with differing frame sizes, these days fragmentation is more commonly used to generate DoS attacks using mal-formed packets. It's also worth noting that IPv6 disallows fragmentation entirely.
						</div></div></div></li><li class="listitem"><div class="para">
						<code class="option">-i</code> — Sets the incoming network interface, such as <code class="option">eth0</code> or <code class="option">ppp0</code>. With <code class="command">iptables</code>, this optional parameter may only be used with the INPUT and FORWARD chains when used with the <code class="option">filter</code> table and the PREROUTING chain with the <code class="option">nat</code> and <code class="option">mangle</code> tables.
					</div><div class="para">
						This parameter also supports the following special options:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Exclamation point character (<code class="option">!</code>) — Reverses the directive, meaning any specified interfaces are excluded from this rule.
							</div></li><li class="listitem"><div class="para">
								Plus character (<code class="option">+</code>) — A wildcard character used to match all interfaces that match the specified string. For example, the parameter <code class="option">-i eth+</code> would apply this rule to any Ethernet interfaces but exclude any other interfaces, such as <code class="option">ppp0</code>.
							</div></li></ul></div><div class="para">
						If the <code class="option">-i</code> parameter is used but no interface is specified, then every interface is affected by the rule.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-j</code> — Jumps to the specified target when a packet matches a particular rule.
					</div><div class="para">
						The standard targets are <code class="option">ACCEPT</code>, <code class="option">DROP</code>, <code class="option">QUEUE</code>, and <code class="option">RETURN</code>.
					</div><div class="para">
						Extended options are also available through modules loaded by default with the Red Hat Enterprise Linux <code class="command">iptables</code> RPM package. Valid targets in these modules include <code class="option">LOG</code>, <code class="option">MARK</code>, and <code class="option">REJECT</code>, among others. Refer to the <code class="command">iptables</code> man page for more information about these and other targets.
					</div><div class="para">
						This option can also be used to direct a packet matching a particular rule to a user-defined chain outside of the current chain so that other rules can be applied to the packet.
					</div><div class="para">
						If no target is specified, the packet moves past the rule with no action taken. The counter for this rule, however, increases by one.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-o</code> — Sets the outgoing network interface for a rule. This option is only valid for the OUTPUT and FORWARD chains in the <code class="option">filter</code> table, and the POSTROUTING chain in the <code class="option">nat</code> and <code class="option">mangle</code> tables. This parameter accepts the same options as the incoming network interface parameter (<code class="option">-i</code>).
					</div></li><li class="listitem"><div class="para">
						<code class="option">-p &lt;protocol&gt;</code> — Sets the IP protocol affected by the rule. This can be either <code class="option">icmp</code>, <code class="option">tcp</code>, <code class="option">udp</code>, or <code class="option">all</code>, or it can be a numeric value, representing one of these or a different protocol. You can also use any protocols listed in the <code class="filename">/etc/protocols</code> file.
					</div><div class="para">
						The "<code class="option">all</code>" protocol means the rule applies to every supported protocol. If no protocol is listed with this rule, it defaults to "<code class="option">all</code>".
					</div></li><li class="listitem"><div class="para">
						<code class="option">-s</code> — Sets the source for a particular packet using the same syntax as the destination (<code class="option">-d</code>) parameter.
					</div></li></ul></div></div><div class="section" id="s2-iptables-options-match"><div class="titlepage"><div><div><h4 class="title" id="s2-iptables-options-match">46.9.3.4. IPTables Match Options</h4></div></div></div><a id="id1083984" class="indexterm"></a><div class="para">
				Different network protocols provide specialized matching options which can be configured to match a particular packet using that protocol. However, the protocol must first be specified in the <code class="command">iptables</code> command. For example, <code class="option">-p <em class="replaceable"><code>&lt;protocol-name&gt;</code></em></code> enables options for the specified protocol. Note that you can also use the protocol ID, instead of the protocol name. Refer to the following examples, each of which have the same effect:
			</div><pre class="screen"><code class="command">iptables -A INPUT -p icmp --icmp-type any -j ACCEPT</code>
<code class="command">iptables -A INPUT -p 5813 --icmp-type any -j ACCEPT</code></pre><div class="para">
				Service definitions are provided in the <code class="filename">/etc/services</code> file. For readability, it is recommended that you use the service names rather than the port numbers.
			</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
					Secure the <code class="filename">/etc/services</code> file to prevent unauthorized editing. If this file is editable, crackers can use it to enable ports on your machine you have otherwise closed. To secure this file, type the following commands as root:
				</div><pre class="screen"><code class="command">chown root.root /etc/services</code>
<code class="command">chmod 0644 /etc/services</code>
<code class="command">chattr +i /etc/services</code></pre><div class="para">
					This prevents the file from being renamed, deleted or having links made to it.
				</div></div></div><div class="section" id="s3-iptables-options-match-tcp"><div class="titlepage"><div><div><h5 class="title" id="s3-iptables-options-match-tcp">46.9.3.4.1. TCP Protocol</h5></div></div></div><a id="id986511" class="indexterm"></a><div class="para">
					These match options are available for the TCP protocol (<code class="option">-p tcp</code>):
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="option">--dport</code> — Sets the destination port for the packet.
						</div><div class="para">
							To configure this option, use a network service name (such as www or smtp); a port number; or a range of port numbers.
						</div><div class="para">
							To specify a range of port numbers, separate the two numbers with a colon (<code class="option">:</code>). For example: <code class="option">-p tcp --dport 3000:3200</code>. The largest acceptable valid range is <code class="option">0:65535</code>.
						</div><div class="para">
							Use an exclamation point character (<code class="option">!</code>) after the <code class="option">--dport</code> option to match all packets that <span class="emphasis"><em>do not</em></span> use that network service or port.
						</div><div class="para">
							To browse the names and aliases of network services and the port numbers they use, view the <code class="filename">/etc/services</code> file.
						</div><div class="para">
							The <code class="option">--destination-port</code> match option is synonymous with <code class="option">--dport</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="option">--sport</code> — Sets the source port of the packet using the same options as <code class="option">--dport</code>. The <code class="option">--source-port</code> match option is synonymous with <code class="option">--sport</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="option">--syn</code> — Applies to all TCP packets designed to initiate communication, commonly called <em class="firstterm">SYN packets</em>. Any packets that carry a data payload are not touched.
						</div><div class="para">
							Use an exclamation point character (<code class="option">!</code>) after the <code class="option">--syn</code> option to match all non-SYN packets.
						</div></li><li class="listitem"><div class="para">
							<code class="option">--tcp-flags &lt;tested flag list&gt; &lt;set flag list&gt;</code> — Allows TCP packets that have specific bits (flags) set, to match a rule.
						</div><div class="para">
							The <code class="option">--tcp-flags</code> match option accepts two parameters. The first parameter is the mask; a comma-separated list of flags to be examined in the packet. The second parameter is a comma-separated list of flags that must be set for the rule to match.
						</div><div class="para">
							The possible flags are:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="option">ACK</code>
								</div></li><li class="listitem"><div class="para">
									<code class="option">FIN</code>
								</div></li><li class="listitem"><div class="para">
									<code class="option">PSH</code>
								</div></li><li class="listitem"><div class="para">
									<code class="option">RST</code>
								</div></li><li class="listitem"><div class="para">
									<code class="option">SYN</code>
								</div></li><li class="listitem"><div class="para">
									<code class="option">URG</code>
								</div></li><li class="listitem"><div class="para">
									<code class="option">ALL</code>
								</div></li><li class="listitem"><div class="para">
									<code class="option">NONE</code>
								</div></li></ul></div><div class="para">
							For example, an <code class="command">iptables</code> rule that contains the following specification only matches TCP packets that have the SYN flag set and the ACK and FIN flags not set:
						</div><div class="para">
							<code class="command">--tcp-flags ACK,FIN,SYN SYN</code>
						</div><div class="para">
							Use the exclamation point character (<code class="option">!</code>) after the <code class="option">--tcp-flags</code> to reverse the effect of the match option.
						</div></li><li class="listitem"><div class="para">
							<code class="option">--tcp-option</code> — Attempts to match with TCP-specific options that can be set within a particular packet. This match option can also be reversed with the exclamation point character (<code class="option">!</code>).
						</div></li></ul></div></div><div class="section" id="s3-iptables-options-match-udp"><div class="titlepage"><div><div><h5 class="title" id="s3-iptables-options-match-udp">46.9.3.4.2. UDP Protocol</h5></div></div></div><a id="id895032" class="indexterm"></a><div class="para">
					These match options are available for the UDP protocol (<code class="option">-p udp</code>):
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="option">--dport</code> — Specifies the destination port of the UDP packet, using the service name, port number, or range of port numbers. The <code class="option">--destination-port</code> match option is synonymous with <code class="option">--dport</code>.
						</div></li><li class="listitem"><div class="para">
							<code class="option">--sport</code> — Specifies the source port of the UDP packet, using the service name, port number, or range of port numbers. The <code class="option">--source-port</code> match option is synonymous with <code class="option">--sport</code>.
						</div></li></ul></div><div class="para">
					For the <code class="option">--dport</code> and <code class="option">--sport</code> options, to specify a range of port numbers, separate the two numbers with a colon (:). For example: <code class="option">-p tcp --dport 3000:3200</code>. The largest acceptable valid range is 0:65535.
				</div></div><div class="section" id="s3-iptables-options-match-icmp"><div class="titlepage"><div><div><h5 class="title" id="s3-iptables-options-match-icmp">46.9.3.4.3. ICMP Protocol</h5></div></div></div><a id="id1021942" class="indexterm"></a><div class="para">
					The following match options are available for the Internet Control Message Protocol (ICMP) (<code class="option">-p icmp</code>):
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="option">--icmp-type</code> — Sets the name or number of the ICMP type to match with the rule. A list of valid ICMP names can be retrieved by typing the <code class="command">iptables -p icmp -h</code> command.
						</div></li></ul></div></div><div class="section" id="s3-iptables-options-match-modules"><div class="titlepage"><div><div><h5 class="title" id="s3-iptables-options-match-modules">46.9.3.4.4. Additional Match Option Modules</h5></div></div></div><a id="id989426" class="indexterm"></a><div class="para">
					Additional match options are available through modules loaded by the <code class="command">iptables</code> command.
				</div><div class="para">
					To use a match option module, load the module by name using the <code class="option">-m <em class="replaceable"><code>&lt;module-name&gt;</code></em></code>, where <em class="replaceable"><code>&lt;module-name&gt;</code></em> is the name of the module.
				</div><div class="para">
					Many modules are available by default. You can also create modules to provide additional functionality.
				</div><div class="para">
					The following is a partial list of the most commonly used modules:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="option">limit</code> module — Places limits on how many packets are matched to a particular rule.
						</div><div class="para">
							When used in conjunction with the <code class="command">LOG</code> target, the <code class="option">limit</code> module can prevent a flood of matching packets from filling up the system log with repetitive messages or using up system resources.
						</div><div class="para">
							Refer to <a class="xref" href="#s2-iptables-options-target">Section 46.9.3.5, “Target Options”</a> for more information about the <code class="command">LOG</code> target.
						</div><div class="para">
							The <code class="option">limit</code> module enables the following options:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="option">--limit</code> — Sets the maximum number of matches for a particular time period, specified as a <code class="option"><em class="replaceable"><code>&lt;value&gt;/&lt;period&gt;</code></em></code> pair. For example, using <code class="option">--limit 5/hour</code> allows five rule matches per hour.
								</div><div class="para">
									Periods can be specified in seconds, minutes, hours, or days.
								</div><div class="para">
									If a number and time modifier are not used, the default value of <code class="option">3/hour</code> is assumed.
								</div></li><li class="listitem"><div class="para">
									<code class="option">--limit-burst</code> — Sets a limit on the number of packets able to match a rule at one time.
								</div><div class="para">
									This option is specified as an integer and should be used in conjunction with the <code class="option">--limit</code> option.
								</div><div class="para">
									If no value is specified, the default value of five (5) is assumed.
								</div></li></ul></div></li><li class="listitem"><div class="para">
							<code class="option">state</code> module — Enables state matching.
						</div><div class="para">
							The <code class="option">state</code> module enables the following options:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="option">--state</code> — match a packet with the following connection states:
								</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
											<code class="option">ESTABLISHED</code> — The matching packet is associated with other packets in an established connection. You need to accept this state if you want to maintain a connection between a client and a server.
										</div></li><li class="listitem"><div class="para">
											<code class="option">INVALID</code> — The matching packet cannot be tied to a known connection.
										</div></li><li class="listitem"><div class="para">
											<code class="option">NEW</code> — The matching packet is either creating a new connection or is part of a two-way connection not previously seen. You need to accept this state if you want to allow new connections to a service.
										</div></li><li class="listitem"><div class="para">
											<code class="option">RELATED</code> — The matching packet is starting a new connection related in some way to an existing connection. An example of this is FTP, which uses one connection for control traffic (port 21), and a separate connection for data transfer (port 20).
										</div></li></ul></div><div class="para">
									These connection states can be used in combination with one another by separating them with commas, such as <code class="option">-m state --state INVALID,NEW</code>.
								</div></li></ul></div></li><li class="listitem"><div class="para">
							<code class="option">mac</code> module — Enables hardware MAC address matching.
						</div><div class="para">
							The <code class="option">mac</code> module enables the following option:
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="option">--mac-source</code> — Matches a MAC address of the network interface card that sent the packet. To exclude a MAC address from a rule, place an exclamation point character (<code class="option">!</code>) after the <code class="option">--mac-source</code> match option.
								</div></li></ul></div></li></ul></div><div class="para">
					Refer to the <code class="command">iptables</code> man page for more match options available through modules.
				</div></div></div><div class="section" id="s2-iptables-options-target"><div class="titlepage"><div><div><h4 class="title" id="s2-iptables-options-target">46.9.3.5. Target Options</h4></div></div></div><a id="id989073" class="indexterm"></a><div class="para">
				When a packet has matched a particular rule, the rule can direct the packet to a number of different targets which determine the appropriate action. Each chain has a default target, which is used if none of the rules on that chain match a packet or if none of the rules which match the packet specify a target.
			</div><div class="para">
				The following are the standard targets:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="option"><em class="replaceable"><code>&lt;user-defined-chain&gt;</code></em></code> — A user-defined chain within the table. User-defined chain names must be unique. This target passes the packet to the specified chain.
					</div></li><li class="listitem"><div class="para">
						<code class="option">ACCEPT</code> — Allows the packet through to its destination or to another chain.
					</div></li><li class="listitem"><div class="para">
						<code class="option">DROP</code> — Drops the packet without responding to the requester. The system that sent the packet is not notified of the failure.
					</div></li><li class="listitem"><div class="para">
						<code class="option">QUEUE</code> — The packet is queued for handling by a user-space application.
					</div></li><li class="listitem"><div class="para">
						<code class="option">RETURN</code> — Stops checking the packet against rules in the current chain. If the packet with a <code class="option">RETURN</code> target matches a rule in a chain called from another chain, the packet is returned to the first chain to resume rule checking where it left off. If the <code class="option">RETURN</code> rule is used on a built-in chain and the packet cannot move up to its previous chain, the default target for the current chain is used.
					</div></li></ul></div><div class="para">
				In addition, extensions are available which allow other targets to be specified. These extensions are called target modules or match option modules and most only apply to specific tables and situations. Refer to <a class="xref" href="#s3-iptables-options-match-modules">Section 46.9.3.4.4, “Additional Match Option Modules”</a> for more information about match option modules.
			</div><div class="para">
				Many extended target modules exist, most of which only apply to specific tables or situations. Some of the most popular target modules included by default in Red Hat Enterprise Linux are:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="option">LOG</code> — Logs all packets that match this rule. Because the packets are logged by the kernel, the <code class="filename">/etc/syslog.conf</code> file determines where these log entries are written. By default, they are placed in the <code class="filename">/var/log/messages</code> file.
					</div><div class="para">
						Additional options can be used after the <code class="option">LOG</code> target to specify the way in which logging occurs:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="option">--log-level</code> — Sets the priority level of a logging event. Refer to the <code class="filename">syslog.conf</code> man page for a list of priority levels.
							</div></li><li class="listitem"><div class="para">
								<code class="option">--log-ip-options</code> — Logs any options set in the header of an IP packet.
							</div></li><li class="listitem"><div class="para">
								<code class="option">--log-prefix</code> — Places a string of up to 29 characters before the log line when it is written. This is useful for writing syslog filters for use in conjunction with packet logging.
							</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
									Due to an issue with this option, you should add a trailing space to the <em class="replaceable"><code>log-prefix</code></em> value.
								</div></div></div></li><li class="listitem"><div class="para">
								<code class="option">--log-tcp-options</code> — Logs any options set in the header of a TCP packet.
							</div></li><li class="listitem"><div class="para">
								<code class="option">--log-tcp-sequence</code> — Writes the TCP sequence number for the packet in the log.
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<code class="option">REJECT</code> — Sends an error packet back to the remote system and drops the packet.
					</div><div class="para">
						The <code class="option">REJECT</code> target accepts <code class="option">--reject-with <em class="replaceable"><code>&lt;type&gt;</code></em></code> (where <em class="replaceable"><code>&lt;type&gt;</code></em> is the rejection type) allowing more detailed information to be returned with the error packet. The message <code class="computeroutput">port-unreachable</code> is the default error type given if no other option is used. Refer to the <code class="command">iptables</code> man page for a full list of <code class="option"><em class="replaceable"><code>&lt;type&gt;</code></em></code> options.
					</div></li></ul></div><div class="para">
				Other target extensions, including several that are useful for IP masquerading using the <code class="option">nat</code> table, or with packet alteration using the <code class="option">mangle</code> table, can be found in the <code class="command">iptables</code> man page.
			</div></div><div class="section" id="s2-iptables-options-list"><div class="titlepage"><div><div><h4 class="title" id="s2-iptables-options-list">46.9.3.6. Listing Options</h4></div></div></div><a id="id1012095" class="indexterm"></a><div class="para">
				The default list command, <code class="command">iptables -L [&lt;chain-name&gt;]</code>, provides a very basic overview of the default filter table's current chains. Additional options provide more information:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="option">-v</code> — Displays verbose output, such as the number of packets and bytes each chain has processed, the number of packets and bytes each rule has matched, and which interfaces apply to a particular rule.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-x</code> — Expands numbers into their exact values. On a busy system, the number of packets and bytes processed by a particular chain or rule may be abbreviated to <code class="computeroutput">Kilobytes</code>, <code class="computeroutput">Megabytes</code> (Megabytes) or <code class="computeroutput">Gigabytes</code>. This option forces the full number to be displayed.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-n</code> — Displays IP addresses and port numbers in numeric format, rather than the default hostname and network service format.
					</div></li><li class="listitem"><div class="para">
						<code class="option">--line-numbers</code> — Lists rules in each chain next to their numeric order in the chain. This option is useful when attempting to delete the specific rule in a chain or to locate where to insert a rule within a chain.
					</div></li><li class="listitem"><div class="para">
						<code class="option">-t &lt;table-name&gt;</code> — Specifies a table name. If omitted, defaults to the filter table.
					</div></li></ul></div><div class="para">
				The following examples illustrate the use of several of these options. Note the difference in the byte display by including the <code class="option">-x</code> option.
			</div><pre class="screen">~]# <code class="command">iptables -L OUTPUT -v -n -x</code>
Chain OUTPUT (policy ACCEPT 64005 packets, 6445791 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1593   133812 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

~]# <code class="command">iptables -L OUTPUT -v -n</code>
Chain OUTPUT (policy ACCEPT 64783 packets, 6492K bytes)
    pkts bytes target     prot opt in     out     source               destination
    1819  153K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
~]#</pre></div></div><div class="section" id="s1-iptables-saving"><div class="titlepage"><div><div><h3 class="title" id="s1-iptables-saving">46.9.4. Saving IPTables Rules</h3></div></div></div><a id="id1018293" class="indexterm"></a><a id="id1017381" class="indexterm"></a><a id="id1031535" class="indexterm"></a><a id="id999691" class="indexterm"></a><a id="id999711" class="indexterm"></a><a id="id1029175" class="indexterm"></a><a id="id1000429" class="indexterm"></a><div class="para">
			Rules created with the <code class="command">iptables</code> command are stored in memory. If the system is restarted before saving the <code class="command">iptables</code> rule set, all rules are lost. For netfilter rules to persist through a system reboot, they need to be saved. To save netfilter rules, type the following command as root:
		</div><pre class="screen"><code class="command">service iptables save</code></pre><div class="para">
			This executes the <code class="command">iptables</code> init script, which runs the <code class="command">/sbin/iptables-save</code> program and writes the current <code class="command">iptables</code> configuration to <code class="filename">/etc/sysconfig/iptables</code>. The existing <code class="filename">/etc/sysconfig/iptables</code> file is saved as <code class="filename">/etc/sysconfig/iptables.save</code>.
		</div><div class="para">
			The next time the system boots, the <code class="command">iptables</code> init script reapplies the rules saved in <code class="filename">/etc/sysconfig/iptables</code> by using the <code class="command">/sbin/iptables-restore</code> command.
		</div><div class="para">
			While it is always a good idea to test a new <code class="command">iptables</code> rule before committing it to the <code class="filename">/etc/sysconfig/iptables</code> file, it is possible to copy <code class="command">iptables</code> rules into this file from another system's version of this file. This provides a quick way to distribute sets of <code class="command">iptables</code> rules to multiple machines.
		</div><div class="para">
			You can also save the iptables rules to a separate file for distribution, backup or other purposes. To save your iptables rules, type the following command as root:
		</div><pre class="screen"><code class="command">iptables-save &gt; <em class="replaceable"><code>&lt;filename&gt;</code></em></code></pre><div class="para">
			where <em class="replaceable"><code>&lt;filename&gt;</code></em> is a user-defined name for your ruleset.
		</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
				If distributing the <code class="filename">/etc/sysconfig/iptables</code> file to other machines, type <code class="command">/sbin/service iptables restart</code> for the new rules to take effect.
			</div></div></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				Note the difference between the <code class="command">iptables</code> <span class="emphasis"><em>command</em></span> (<code class="command">/sbin/iptables</code>), which is used to manipulate the tables and chains that constitute the <code class="command">iptables</code> functionality, and the <code class="command">iptables</code> <span class="emphasis"><em>service</em></span> (<code class="command">/sbin/iptables service</code>), which is used to enable and disable the <code class="command">iptables</code> service itself.
			</div></div></div></div><div class="section" id="s1-iptables-init"><div class="titlepage"><div><div><h3 class="title" id="s1-iptables-init">46.9.5. IPTables Control Scripts</h3></div></div></div><a id="id1034268" class="indexterm"></a><a id="id911454" class="indexterm"></a><a id="id1014984" class="indexterm"></a><a id="id1010012" class="indexterm"></a><a id="id1014961" class="indexterm"></a><a id="id1009044" class="indexterm"></a><a id="id1087981" class="indexterm"></a><a id="id1101081" class="indexterm"></a><a id="id1030538" class="indexterm"></a><a id="id990644" class="indexterm"></a><a id="id1013007" class="indexterm"></a><a id="id1085000" class="indexterm"></a><div class="para">
			There are two basic methods for controlling <code class="command">iptables</code> in Red Hat Enterprise Linux:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<span class="application"><strong>Security Level Configuration Tool</strong></span> (<code class="command">system-config-securitylevel</code>) — A graphical interface for creating, activating, and saving basic firewall rules. Refer to <a class="xref" href="#s1-basic-firewall">Section 46.8.2, “Basic Firewall Configuration”</a> for more information.
				</div></li><li class="listitem"><div class="para">
					<code class="command">/sbin/service iptables <em class="replaceable"><code>&lt;option&gt;</code></em></code> — Used to manipulate various functions of <code class="command">iptables</code> using its initscript. The following options are available:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">start</code> — If a firewall is configured (that is, <code class="filename">/etc/sysconfig/iptables</code> exists), all running <code class="command">iptables</code> are stopped completely and then started using the <code class="command">/sbin/iptables-restore</code> command. This option only works if the <code class="command">ipchains</code> kernel module is not loaded. To check if this module is loaded, type the following command as root:
						</div><pre class="screen"><code class="command">lsmod | grep ipchains</code></pre><div class="para">
							If this command returns no output, it means the module is not loaded. If necessary, use the <code class="command">/sbin/rmmod</code> command to remove the module.
						</div></li><li class="listitem"><div class="para">
							<code class="command">stop</code> — If a firewall is running, the firewall rules in memory are flushed, and all iptables modules and helpers are unloaded.
						</div><div class="para">
							If the <code class="command">IPTABLES_SAVE_ON_STOP</code> directive in the <code class="filename">/etc/sysconfig/iptables-config</code> configuration file is changed from its default value to <code class="command">yes</code>, current rules are saved to <code class="filename">/etc/sysconfig/iptables</code> and any existing rules are moved to the file <code class="filename">/etc/sysconfig/iptables.save</code>.
						</div><div class="para">
							Refer to <a class="xref" href="#s2-iptables-init-conf">Section 46.9.5.1, “IPTables Control Scripts Configuration File”</a> for more information about the <code class="filename">iptables-config</code> file.
						</div></li><li class="listitem"><div class="para">
							<code class="command">restart</code> — If a firewall is running, the firewall rules in memory are flushed, and the firewall is started again if it is configured in <code class="filename">/etc/sysconfig/iptables</code>. This option only works if the <code class="command">ipchains</code> kernel module is not loaded.
						</div><div class="para">
							If the <code class="command">IPTABLES_SAVE_ON_RESTART</code> directive in the <code class="filename">/etc/sysconfig/iptables-config</code> configuration file is changed from its default value to <code class="command">yes</code>, current rules are saved to <code class="filename">/etc/sysconfig/iptables</code> and any existing rules are moved to the file <code class="filename">/etc/sysconfig/iptables.save</code>.
						</div><div class="para">
							Refer to <a class="xref" href="#s2-iptables-init-conf">Section 46.9.5.1, “IPTables Control Scripts Configuration File”</a> for more information about the <code class="filename">iptables-config</code> file.
						</div></li><li class="listitem"><div class="para">
							<code class="command">status</code> — Displays the status of the firewall and lists all active rules.
						</div><div class="para">
							The default configuration for this option displays IP addresses in each rule. To display domain and hostname information, edit the <code class="filename">/etc/sysconfig/iptables-config</code> file and change the value of <code class="command">IPTABLES_STATUS_NUMERIC</code> to <code class="command">no</code>. Refer to <a class="xref" href="#s2-iptables-init-conf">Section 46.9.5.1, “IPTables Control Scripts Configuration File”</a> for more information about the <code class="filename">iptables-config</code> file.
						</div></li><li class="listitem"><div class="para">
							<code class="command">panic</code> — Flushes all firewall rules. The policy of all configured tables is set to <code class="command">DROP</code>.
						</div><div class="para">
							This option could be useful if a server is known to be compromised. Rather than physically disconnecting from the network or shutting down the system, you can use this option to stop all further network traffic but leave the machine in a state ready for analysis or other forensics.
						</div></li><li class="listitem"><div class="para">
							<code class="command">save</code> — Saves firewall rules to <code class="filename">/etc/sysconfig/iptables</code> using <code class="command">iptables-save</code>. Refer to <a class="xref" href="#s1-iptables-saving">Section 46.9.4, “Saving IPTables Rules”</a> for more information.
						</div></li></ul></div></li></ul></div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
				To use the same initscript commands to control netfilter for IPv6, substitute <code class="command">ip6tables</code> for <code class="command">iptables</code> in the <code class="command">/sbin/service</code> commands listed in this section. For more information about IPv6 and netfilter, refer to <a class="xref" href="#s1-ip6tables">Section 46.9.6, “IPTables and IPv6”</a>.
			</div></div></div><div class="section" id="s2-iptables-init-conf"><div class="titlepage"><div><div><h4 class="title" id="s2-iptables-init-conf">46.9.5.1. IPTables Control Scripts Configuration File</h4></div></div></div><a id="id1022276" class="indexterm"></a><div class="para">
				The behavior of the <code class="command">iptables</code> initscripts is controlled by the <code class="filename">/etc/sysconfig/iptables-config</code> configuration file. The following is a list of directives contained in this file:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">IPTABLES_MODULES</code> — Specifies a space-separated list of additional <code class="command">iptables</code> modules to load when a firewall is activated. These can include connection tracking and NAT helpers.
					</div></li><li class="listitem"><div class="para">
						<code class="command">IPTABLES_MODULES_UNLOAD</code> — Unloads modules on restart and stop. This directive accepts the following values:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">yes</code> — The default value. This option must be set to achieve a correct state for a firewall restart or stop.
							</div></li><li class="listitem"><div class="para">
								<code class="command">no</code> — This option should only be set if there are problems unloading the netfilter modules.
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<code class="command">IPTABLES_SAVE_ON_STOP</code> — Saves current firewall rules to <code class="filename">/etc/sysconfig/iptables</code> when the firewall is stopped. This directive accepts the following values:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">yes</code> — Saves existing rules to <code class="filename">/etc/sysconfig/iptables</code> when the firewall is stopped, moving the previous version to the <code class="filename">/etc/sysconfig/iptables.save</code> file.
							</div></li><li class="listitem"><div class="para">
								<code class="command">no</code> — The default value. Does not save existing rules when the firewall is stopped.
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<code class="command">IPTABLES_SAVE_ON_RESTART</code> — Saves current firewall rules when the firewall is restarted. This directive accepts the following values:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">yes</code> — Saves existing rules to <code class="filename">/etc/sysconfig/iptables</code> when the firewall is restarted, moving the previous version to the <code class="filename">/etc/sysconfig/iptables.save</code> file.
							</div></li><li class="listitem"><div class="para">
								<code class="command">no</code> — The default value. Does not save existing rules when the firewall is restarted.
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<code class="command">IPTABLES_SAVE_COUNTER</code> — Saves and restores all packet and byte counters in all chains and rules. This directive accepts the following values:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">yes</code> — Saves the counter values.
							</div></li><li class="listitem"><div class="para">
								<code class="command">no</code> — The default value. Does not save the counter values.
							</div></li></ul></div></li><li class="listitem"><div class="para">
						<code class="command">IPTABLES_STATUS_NUMERIC</code> — Outputs IP addresses in numeric form instead of domain or hostnames. This directive accepts the following values:
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								<code class="command">yes</code> — The default value. Returns only IP addresses within a status output.
							</div></li><li class="listitem"><div class="para">
								<code class="command">no</code> — Returns domain or hostnames within a status output.
							</div></li></ul></div></li></ul></div></div></div><div class="section" id="s1-ip6tables"><div class="titlepage"><div><div><h3 class="title" id="s1-ip6tables">46.9.6. IPTables and IPv6</h3></div></div></div><a id="id939090" class="indexterm"></a><div class="para">
			If the <code class="filename">iptables-ipv6</code> package is installed, netfilter in Red Hat Enterprise Linux can filter the next-generation IPv6 Internet protocol. The command used to manipulate the IPv6 netfilter is <code class="command">ip6tables</code>.
		</div><div class="para">
			Most directives for this command are identical to those used for <code class="command">iptables</code>, except the <code class="command">nat</code> table is not yet supported. This means that it is not yet possible to perform IPv6 network address translation tasks, such as masquerading and port forwarding.
		</div><div class="para">
			Rules for <code class="command">ip6tables</code> are saved in the <code class="filename">/etc/sysconfig/ip6tables</code> file. Previous rules saved by the <code class="command">ip6tables</code> initscripts are saved in the <code class="filename">/etc/sysconfig/ip6tables.save</code> file.
		</div><div class="para">
			Configuration options for the <code class="command">ip6tables</code> init script are stored in <code class="filename">/etc/sysconfig/ip6tables-config</code>, and the names for each directive vary slightly from their <code class="command">iptables</code> counterparts.
		</div><div class="para">
			For example, the <code class="filename">iptables-config</code> directive <code class="command">IPTABLES_MODULES</code>:the equivalent in the <code class="filename">ip6tables-config</code> file is <code class="command">IP6TABLES_MODULES</code>.
		</div></div><div class="section" id="s1-iptables-additional-resources"><div class="titlepage"><div><div><h3 class="title" id="s1-iptables-additional-resources">46.9.7. Additional Resources</h3></div></div></div><a id="id1037712" class="indexterm"></a><div class="para">
			Refer to the following sources for additional information on packet filtering with <code class="command">iptables</code>.
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					<a class="xref" href="#ch-fw">Section 46.8, “Firewalls”</a> — Contains a chapter about the role of firewalls within an overall security strategy as well as strategies for constructing firewall rules.
				</div></li></ul></div><div class="section" id="s2-iptables-installed-documentation"><div class="titlepage"><div><div><h4 class="title" id="s2-iptables-installed-documentation">46.9.7.1. Installed Documentation</h4></div></div></div><a id="id1024293" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">man iptables</code> — Contains a description of <code class="command">iptables</code> as well as a comprehensive list of targets, options, and match extensions.
					</div></li></ul></div></div><div class="section" id="s2-iptables-useful-websites"><div class="titlepage"><div><div><h4 class="title" id="s2-iptables-useful-websites">46.9.7.2. Useful Websites</h4></div></div></div><a id="id988063" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://www.netfilter.org/">http://www.netfilter.org/</a> — The home of the netfilter/iptables project. Contains assorted information about <code class="command">iptables</code>, including a FAQ addressing specific problems and various helpful guides by Rusty Russell, the Linux IP firewall maintainer. The HOWTO documents on the site cover subjects such as basic networking concepts, kernel packet filtering, and NAT configurations.
					</div></li><li class="listitem"><div class="para">
						<a href="http://www.linuxnewbie.org/nhf/Security/IPtables_Basics.html">http://www.linuxnewbie.org/nhf/Security/IPtables_Basics.html</a> — An introduction to the way packets move through the Linux kernel, plus an introduction to constructing basic <code class="command">iptables</code> commands.
					</div></li></ul></div></div></div></div><div class="footnotes"><br /><hr width="100" align="left" /><div class="footnote"><div class="para"><sup>[<a id="ftn.id1116637" href="#id1116637" class="para">14</a>] </sup>
					Since system BIOSes differ between manufacturers, some may not support password protection of either type, while others may support one type but not the other.
				</div></div><div class="footnote"><div class="para"><sup>[<a id="ftn.id1116332" href="#id1116332" class="para">15</a>] </sup>
						GRUB also accepts unencrypted passwords, but it is recommended that an MD5 hash be used for added security.
					</div></div><div class="footnote"><div class="para"><sup>[<a id="ftn.id1113472" href="#id1113472" class="para">16</a>] </sup>
						This access is still subject to the restrictions imposed by SELinux, if it is enabled. 
					</div></div><div class="footnote"><div class="para"><sup>[<a id="ftn.id939332" href="#id939332" class="para">17</a>] </sup>
				A system where both the client and the server share a common key that is used to encrypt and decrypt network communication.
			</div></div></div></div><div xml:lang="en-US" class="chapter" id="selg-overview" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 47. Security and SELinux</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sec-acm-ov">47.1. Access Control Mechanisms (ACMs)</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-dac-intro1">47.1.1. Discretionary Access Control (DAC)</a></span></dt><dt><span class="section"><a href="#sec-acl-intro1">47.1.2. Access Control Lists (ACLs)</a></span></dt><dt><span class="section"><a href="#sec-mac-intro1">47.1.3. Mandatory Access Control (MAC)</a></span></dt><dt><span class="section"><a href="#sec-rbac-intro1">47.1.4. Role-based Access Control (RBAC)</a></span></dt><dt><span class="section"><a href="#sec-mls-intro1">47.1.5. Multi-Level Security (MLS)</a></span></dt><dt><span class="section"><a href="#sec-mcs-intro1">47.1.6. Multi-Category Security (MCS)</a></span></dt></dl></dd><dt><span class="section"><a href="#ch-selinux">47.2. Introduction to SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#s1-SELinux-overview">47.2.1. SELinux Overview</a></span></dt><dt><span class="section"><a href="#s1-SELinux-files">47.2.2. Files Related to SELinux</a></span></dt><dt><span class="section"><a href="#s1-SELinux-resources">47.2.3. Additional Resources</a></span></dt></dl></dd><dt><span class="section"><a href="#rhlcommon-appendix-0005">47.3. Brief Background and History of SELinux</a></span></dt><dt><span class="section"><a href="#sec-mcs-ov">47.4. Multi-Category Security (MCS)</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-mcs-intro">47.4.1. Introduction</a></span></dt><dt><span class="section"><a href="#sec-mcs-apps">47.4.2. Applications for Multi-Category Security</a></span></dt><dt><span class="section"><a href="#sec-selinux-security-contexts">47.4.3. SELinux Security Contexts</a></span></dt></dl></dd><dt><span class="section"><a href="#sec-mcs-getstarted">47.5. Getting Started with Multi-Category Security (MCS)</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-mcs-getstarted-intro">47.5.1. Introduction</a></span></dt><dt><span class="section"><a href="#sec-mcs-comp-userid">47.5.2. Comparing SELinux and Standard Linux User Identities</a></span></dt><dt><span class="section"><a href="#sec-mcs-config-categories">47.5.3. Configuring Categories</a></span></dt><dt><span class="section"><a href="#sec-mcs-assign-cat2users">47.5.4. Assigning Categories to Users</a></span></dt><dt><span class="section"><a href="#sec-mcs-assign-cat2files">47.5.5. Assigning Categories to Files</a></span></dt></dl></dd><dt><span class="section"><a href="#sec-mls-ov">47.6. Multi-Level Security (MLS)</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-mls-multilevel">47.6.1. Why Multi-Level?</a></span></dt><dt><span class="section"><a href="#sec-mls-seclevels">47.6.2. Security Levels, Objects and Subjects</a></span></dt><dt><span class="section"><a href="#sec-mls-policy">47.6.3. MLS Policy</a></span></dt><dt><span class="section"><a href="#sec-mls-lspp-cert">47.6.4. LSPP Certification</a></span></dt></dl></dd><dt><span class="section"><a href="#rhlcommon-chapter-0001">47.7. SELinux Policy Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#rhlcommon-section-0056">47.7.1. What is the SELinux Policy?</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0091">47.7.2. Where is the Policy?</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0016">47.7.3. The Role of Policy in the Boot Process</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0049">47.7.4. Object Classes and Permissions</a></span></dt></dl></dd><dt><span class="section"><a href="#sec-sel-policy-targeted-oview">47.8. Targeted Policy Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#rhlcommon-section-0003">47.8.1. What is the Targeted Policy?</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0010">47.8.2. Files and Directories of the Targeted Policy</a></span></dt><dt><span class="section"><a href="#sec-selinux-policy-targeted-rolesandusers">47.8.3. Understanding the Users and Roles in the Targeted Policy</a></span></dt></dl></dd></dl></div><div xml:lang="en-US" class="section" id="sec-acm-ov" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sec-acm-ov">47.1. Access Control Mechanisms (ACMs)</h2></div></div></div><div class="para">
		This section provides a basic introduction to <em class="firstterm">Access Control Mechanisms</em> (<abbr class="abbrev">ACM</abbr>s). <abbr class="abbrev">ACM</abbr>s provide a means for system administrators to control which users and processes can access different files, devices, interfaces, etc., in a computer system. This is a primary consideration when securing a computer system or network of any size.
	</div><div class="section" id="sec-dac-intro1"><div class="titlepage"><div><div><h3 class="title" id="sec-dac-intro1">47.1.1. Discretionary Access Control (DAC)</h3></div></div></div><div class="para">
			<em class="firstterm">Discretionary Access Control</em> (<abbr class="abbrev">DAC</abbr>) defines the basic access controls for objects in a filesystem. This is the typical access control provided by file permissions, sharing, etc. Such access is generally at the discretion of the owner of the object (file, directory, device, etc.).
		</div><div class="para">
			<abbr class="abbrev">DAC</abbr> provides a means of restricting access to objects based on the identity of the users or groups (subjects) that try to access those objects. Depending on a subject's access permissions, they may also be able to pass permissions to other subjects.
		</div></div><div class="section" id="sec-acl-intro1"><div class="titlepage"><div><div><h3 class="title" id="sec-acl-intro1">47.1.2. Access Control Lists (ACLs)</h3></div></div></div><div class="para">
			<em class="firstterm">Access Control Lists</em> (<abbr class="abbrev">ACL</abbr>s) provide further control over which objects a subject can access. For more information, refer to <a class="xref" href="#ch-acls">Chapter 9, <em>Access Control Lists</em></a>.
		</div></div><div class="section" id="sec-mac-intro1"><div class="titlepage"><div><div><h3 class="title" id="sec-mac-intro1">47.1.3. Mandatory Access Control (MAC)</h3></div></div></div><div class="para">
			<em class="firstterm">Mandatory Access Control</em> (<abbr class="abbrev">MAC</abbr>) is a security mechanism that restricts the level of control that users (subjects) have over the objects that they create. Unlike in a <abbr class="abbrev">DAC</abbr> implementation, where users have full control over their own files, directories, etc., <abbr class="abbrev">MAC</abbr> adds additional labels, or categories, to all file system objects. Users and processes must have the appropriate access to these categories before they can interact with these objects.
		</div><div class="para">
			In Red Hat Enterprise Linux, <abbr class="abbrev">MAC</abbr> is enforced by SELinux. For more information, refer to <a class="xref" href="#ch-selinux">Section 47.2, “Introduction to SELinux”</a>.
		</div></div><div class="section" id="sec-rbac-intro1"><div class="titlepage"><div><div><h3 class="title" id="sec-rbac-intro1">47.1.4. Role-based Access Control (RBAC)</h3></div></div></div><div class="para">
			<em class="firstterm">Role-based Access Control</em> (<abbr class="abbrev">RBAC</abbr>) is an alternative method of controlling user access to file system objects. Instead of access being controlled by user permissions, the system administrator establishes <em class="firstterm">Roles</em> based on business functional requirements or similar criteria. These Roles have different types and levels of access to objects.
		</div><div class="para">
			In contrast to <abbr class="abbrev">DAC</abbr> or <abbr class="abbrev">MAC</abbr> systems, where users have access to objects based on their own and the object's permissions, users in an <abbr class="abbrev">RBAC</abbr> system must be members of the appropriate group, or Role, before they can interact with files, directories, devices, etc.
		</div><div class="para">
			From an administrative point of view, this makes it easier to control who has access to various parts of the file system, just by controlling their group memberships.
		</div></div><div class="section" id="sec-mls-intro1"><div class="titlepage"><div><div><h3 class="title" id="sec-mls-intro1">47.1.5. Multi-Level Security (MLS)</h3></div></div></div><div class="para">
			<em class="firstterm">Multi-Level Security</em> (<abbr class="abbrev">MLS</abbr>) is a specific Mandatory Access Control (<abbr class="abbrev">MAC</abbr>) security scheme. Under this scheme, processes are called Subjects. Files, sockets and other passive operating system entities are called Objects. For more information, refer to <a class="xref" href="#sec-mls-ov">Section 47.6, “Multi-Level Security (MLS)”</a>. 
		</div></div><div class="section" id="sec-mcs-intro1"><div class="titlepage"><div><div><h3 class="title" id="sec-mcs-intro1">47.1.6. Multi-Category Security (MCS)</h3></div></div></div><div class="para">
			<em class="firstterm">Multi-Category Security</em> (<abbr class="abbrev">MCS</abbr>) is an enhancement to SELinux, and allows users to label files with categories. <abbr class="abbrev">MCS</abbr> is an adaptation of <abbr class="abbrev">MLS</abbr> and re-uses much of the <abbr class="abbrev">MLS</abbr> framework in SELinux. For more information, refer to <a class="xref" href="#sec-mcs-intro">Section 47.4.1, “Introduction”</a>
		</div></div></div><div xml:lang="en-US" class="section" id="ch-selinux" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="ch-selinux">47.2. Introduction to SELinux</h2></div></div></div><a id="id1081731" class="indexterm"></a><div class="para">
		<em class="firstterm">Security-Enhanced Linux</em> (<acronym class="acronym">SELinux</acronym>) is a security architecture integrated into the 2.6.x kernel using the <em class="firstterm">Linux Security Modules</em> (<acronym class="acronym">LSM</acronym>). It is a project of the United States National Security Agency (NSA) and the SELinux community. SELinux integration into Red Hat Enterprise Linux was a joint effort between the NSA and Red Hat.
	</div><div class="section" id="s1-SELinux-overview"><div class="titlepage"><div><div><h3 class="title" id="s1-SELinux-overview">47.2.1. SELinux Overview</h3></div></div></div><a id="id1089809" class="indexterm"></a><div class="para">
			SELinux provides a flexible <em class="firstterm">Mandatory Access Control</em> (<abbr class="abbrev">MAC</abbr>) system built into the Linux kernel. Under standard Linux <em class="firstterm">Discretionary Access Control</em> (<abbr class="abbrev">DAC</abbr>), an application or process running as a user (UID or SUID) has the user's permissions to objects such as files, sockets, and other processes. Running a <acronym class="acronym">MAC</acronym> kernel protects the system from malicious or flawed applications that can damage or destroy the system.
		</div><div class="para">
			SELinux defines the access and transition rights of every user, application, process, and file on the system. SELinux then governs the interactions of these entities using a security policy that specifies how strict or lenient a given Red Hat Enterprise Linux installation should be.
		</div><div class="para">
			On a day-to-day basis, system users will be largely unaware of SELinux. Only system administrators need to consider how strict a policy to implement for their server environment. The policy can be as strict or as lenient as needed, and is very finely detailed. This detail gives the SELinux kernel complete, granular control over the entire system.
		</div><div class="formalpara"><h5 class="formalpara" id="id1118011">The SELinux Decision Making Process</h5>
				When a subject, (for example, an application), attempts to access an object (for example, a file), the policy enforcement server in the kernel checks an <em class="firstterm">access vector cache</em> (<abbr class="abbrev">AVC</abbr>), where subject and object permissions are cached. If a decision cannot be made based on data in the <abbr class="abbrev">AVC</abbr>, the request continues to the security server, which looks up the <em class="firstterm">security context</em> of the application and the file in a matrix. Permission is then granted or denied, with an <code class="computeroutput">avc: denied</code> message detailed in <code class="filename">/var/log/messages</code> if permission is denied. The security context of subjects and objects is applied from the installed policy, which also provides the information to populate the security server's matrix.
			</div><div class="para">
			Refer to the following diagram:
		</div><div class="figure" id="fig-sel-decision"><div class="figure-contents"><div class="mediaobject"><img src="images/SELinux_Decision_Process.png" width="444" alt="SELinux Decision Process" /><div class="longdesc"><div class="para">
						SELinux Decision Process.
					</div></div></div></div><h6>Figure 47.1. SELinux Decision Process</h6></div><br class="figure-break" /><div class="formalpara"><h5 class="formalpara" id="id1079743">SELinux Operating Modes</h5>
				Instead of running in <em class="firstterm">enforcing</em> mode, SELinux can run in <em class="firstterm">permissive</em> mode, where the <abbr class="abbrev">AVC</abbr> is checked and denials are logged, but SELinux does not enforce the policy. This can be useful for troubleshooting and for developing or fine-tuning SELinux policy.
			</div><div class="para">
			For more information about how SELinux works, refer to <a class="xref" href="#s1-SELinux-resources">Section 47.2.3, “Additional Resources”</a>.
		</div></div><div class="section" id="s1-SELinux-files"><div class="titlepage"><div><div><h3 class="title" id="s1-SELinux-files">47.2.2. Files Related to SELinux</h3></div></div></div><a id="id1104464" class="indexterm"></a><div class="para">
			The following sections describe SELinux configuration files and related file systems.
		</div><div class="section" id="s2-SELinux-files-selinux"><div class="titlepage"><div><div><h4 class="title" id="s2-SELinux-files-selinux">47.2.2.1. The SELinux Pseudo-File System</h4></div></div></div><a id="id1104441" class="indexterm"></a><div class="para">
				The <code class="filename">/selinux/</code> pseudo-file system contains commands that are most commonly used by the kernel subsystem. This type of file system is similar to the <code class="filename">/proc/</code> pseudo-file system.
			</div><div class="para">
				Administrators and users do not normally need to manipulate this component.
			</div><div class="para">
				The following example shows sample contents of the <code class="filename">/selinux/</code> directory:
			</div><pre class="screen">-rw-rw-rw-  1 root root 0 Sep 22 13:14 access
dr-xr-xr-x  1 root root 0 Sep 22 13:14 booleans
--w-------  1 root root 0 Sep 22 13:14 commit_pending_bools
-rw-rw-rw-  1 root root 0 Sep 22 13:14 context
-rw-rw-rw-  1 root root 0 Sep 22 13:14 create
--w-------  1 root root 0 Sep 22 13:14 disable
-rw-r--r--  1 root root 0 Sep 22 13:14 enforce
-rw-------  1 root root 0 Sep 22 13:14 load
-r--r--r--  1 root root 0 Sep 22 13:14 mls
-r--r--r--  1 root root 0 Sep 22 13:14 policyvers
-rw-rw-rw-  1 root root 0 Sep 22 13:14 relabel
-rw-rw-rw-  1 root root 0 Sep 22 13:14 user</pre><div class="para">
				For example, running the <code class="command">cat</code> command on the <code class="filename">enforce</code> file reveals either a <code class="option">1</code> for enforcing mode or <code class="option">0</code> for permissive mode.
			</div></div><div class="section" id="s2-SELinux-files-etc"><div class="titlepage"><div><div><h4 class="title" id="s2-SELinux-files-etc">47.2.2.2. SELinux Configuration Files</h4></div></div></div><a id="id1102323" class="indexterm"></a><div class="para">
				The following sections describe SELinux configuration and policy files, and related file systems located in the <code class="filename">/etc/</code> directory.
			</div><div class="section" id="s3-SELinux-files-etc-sysconfig-selinux"><div class="titlepage"><div><div><h5 class="title" id="s3-SELinux-files-etc-sysconfig-selinux">47.2.2.2.1. The <code class="filename">/etc/sysconfig/selinux</code> Configuration File</h5></div></div></div><a id="id938552" class="indexterm"></a><div class="para">
					There are two ways to configure SELinux under Red Hat Enterprise Linux: using the <span class="application"><strong>SELinux Administration Tool</strong></span> (<code class="command">system-config-selinux</code>), or manually editing the configuration file (<code class="filename">/etc/sysconfig/selinux</code>).
				</div><div class="para">
					The <code class="filename">/etc/sysconfig/selinux</code> file is the primary configuration file for enabling or disabling SELinux, as well as for setting which policy to enforce on the system and how to enforce it.
				</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						The <code class="filename">/etc/sysconfig/selinux</code> contains a symbolic link to the actual configuration file, <code class="filename">/etc/selinux/config</code>.
					</div></div></div><div class="para">
					The following explains the full subset of options available for configuration:
				</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
							<code class="command">SELINUX=<em class="replaceable"><code>enforcing|permissive|disabled</code></em></code> — Defines the top-level state of SELinux on a system.
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="option">enforcing</code> — The SELinux security policy is enforced.
								</div></li><li class="listitem"><div class="para">
									<code class="option">permissive</code> — The SELinux system prints warnings but does not enforce policy.
								</div><div class="para">
									This is useful for debugging and troubleshooting purposes. In permissive mode, more denials are logged because subjects can continue with actions that would otherwise be denied in enforcing mode. For example, traversing a directory tree in permissive mode produces <code class="computeroutput">avc: denied</code> messages for every directory level read. In enforcing mode, SELinux would have stopped the initial traversal and kept further denial messages from occurring.
								</div></li><li class="listitem"><div class="para">
									<code class="option">disabled</code> — SELinux is fully disabled. SELinux hooks are disengaged from the kernel and the pseudo-file system is unregistered.
								</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
										Actions made while SELinux is disabled may result in the file system no longer having the correct security context. That is, the security context defined by the policy. The best way to relabel the file system is to create the flag file <code class="filename">/.autorelabel</code> and reboot the machine. This causes the relabel to occur very early in the boot process, before any processes are running on the system. Using this procedure means that processes can not accidentally create files in the wrong context or start up in the wrong context.
									</div><div class="para">
										It is possible to use the <code class="command">fixfiles relabel</code> command prior to enabling SELinux to relabel the file system. This method is not recommended, however, because after it is complete, it is still possible to have processes potentially running on the system in the wrong context. These processes could create files that would also be in the wrong context.
									</div></div></div></li></ul></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
								Additional white space at the end of a configuration line or as extra lines at the end of the file may cause unexpected behavior. To be safe, remove unnecessary white space.
							</div></div></div></li><li class="listitem"><div class="para">
							<code class="command">SELINUXTYPE=<code class="option">targeted|strict</code></code> — Specifies which policy SELinux should enforce.
						</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
									<code class="option">targeted</code> — Only targeted network daemons are protected.
								</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
										The following daemons are protected in the default targeted policy: <code class="command">dhcpd, httpd (apache.te), named, nscd, ntpd, portmap, snmpd, squid</code>, and <code class="command">syslogd</code>. The rest of the system runs in the <span class="property">unconfined_t</span> domain. This domain allows subjects and objects with that security context to operate using standard Linux security.
									</div><div class="para">
										The policy files for these daemons are located in <code class="filename">/etc/selinux/targeted/src/policy/domains/program</code>. These files are subject to change as newer versions of Red Hat Enterprise Linux are released.
									</div></div></div><div class="para">
									Policy enforcement for these daemons can be turned on or off, using Boolean values controlled by the <span class="application"><strong>SELinux Administration Tool</strong></span> (<code class="command">system-config-selinux</code>).
								</div><div class="para">
									Setting a Boolean value for a targeted daemon to <code class="constant">1</code> disables SELinux protection for the daemon. For example, you can set <code class="option">dhcpd_disable_trans</code> to <code class="constant">1</code> to prevent <code class="command">init</code>, which executes apps labeled <code class="option">dhcpd_exec_t</code>, from transitioning to the <code class="option">dhcpd_t</code> domain.
								</div><div class="para">
									Use the <code class="command">getsebool -a</code> command to list all SELinux booleans. The following is an example of using the <code class="command">setsebool</code> command to set an SELinux boolean. The <code class="option">-P</code> option makes the change permanent. Without this option, the boolean would be reset to <code class="option">1</code> at reboot.
								</div><pre class="screen"><code class="command">setsebool -P dhcpd_disable_trans=0</code></pre></li><li class="listitem"><div class="para">
									<code class="command">strict</code> — Full SELinux protection, for all daemons. Security contexts are defined for all subjects and objects, and every action is processed by the policy enforcement server.
								</div></li></ul></div></li><li class="listitem"><div class="para">
							<code class="command">SETLOCALDEFS=<code class="option">0|1</code></code> — Controls how local definitions (users and booleans) are set. Set this value to 1 to have these definitions controlled by <code class="command">load_policy</code> from files in <code class="filename">/etc/selinux/<em class="replaceable"><code>&lt;policyname&gt;</code></em></code>. or set it to 0 to have them controlled by <code class="command">semanage</code>.
						</div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
								You should not change this value from the default (0) unless you are fully aware of the impact of such a change.
							</div></div></div></li></ul></div></div><div class="section" id="s3-SELinux-files-etc-selinux"><div class="titlepage"><div><div><h5 class="title" id="s3-SELinux-files-etc-selinux">47.2.2.2.2. The <code class="filename">/etc/selinux/</code> Directory</h5></div></div></div><a id="id1104529" class="indexterm"></a><div class="para">
					The <code class="filename">/etc/selinux/</code> directory is the primary location for all policy files as well as the main configuration file.
				</div><div class="para">
					The following example shows sample contents of the <code class="filename">/etc/selinux/</code> directory:
				</div><pre class="screen">-rw-r--r--  1 root root  448 Sep 22 17:34 config
drwxr-xr-x  5 root root 4096 Sep 22 17:27 strict
drwxr-xr-x  5 root root 4096 Sep 22 17:28 targeted</pre><div class="para">
					The two subdirectories, <code class="filename">strict/</code> and <code class="filename">targeted/</code>, are the specific directories where the policy files of the same name (that is, <code class="filename">strict</code> and <code class="filename">targeted</code>) are contained.
				</div></div></div><div class="section" id="sec-selinux-files-utils"><div class="titlepage"><div><div><h4 class="title" id="sec-selinux-files-utils">47.2.2.3. SELinux Utilities</h4></div></div></div><a id="id946233" class="indexterm"></a><div class="para">
				The following are some of the commonly used SELinux utilities:
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">/usr/sbin/setenforce</code> — Modifies in real-time the mode in which SELinux runs.
					</div><div class="para">
						For example:
					</div><div class="para">
						<code class="command">setenforce 1</code> — SELinux runs in enforcing mode.
					</div><div class="para">
						<code class="command">setenforce 0</code> — SELinux runs in permissive mode.
					</div><div class="para">
						To actually disable SELinux, you need to either specify the appropriate <code class="command">setenforce</code> parameter in <code class="filename">/etc/sysconfig/selinux</code> or pass the parameter <code class="command">selinux=0</code> to the kernel, either in <code class="filename">/etc/grub.conf</code> or at boot time.
					</div></li><li class="listitem"><div class="para">
						<code class="command">/usr/sbin/sestatus -v</code> — Displays the detailed status of a system running SELinux. The following example shows an excerpt of <code class="command">sestatus -v</code> output:
					</div><pre class="screen">SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

Process contexts:
Current context:                user_u:system_r:unconfined_t:s0
Init context:                   system_u:system_r:init_t:s0
/sbin/mingetty                  system_u:system_r:getty_t:s0</pre></li><li class="listitem"><div class="para">
						<code class="command">/usr/bin/newrole</code> — Runs a new shell in a new context, or role. Policy must allow the transition to the new role.
					</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
							This command is only available if you have the <code class="filename">policycoreutils-newrole</code> package installed, which is required for the strict and MLS policies.
						</div></div></div></li><li class="listitem"><div class="para">
						<code class="command">/sbin/restorecon</code> — Sets the security context of one or more files by marking the extended attributes with the appropriate file or security context.
					</div></li><li class="listitem"><div class="para">
						<code class="command">/sbin/fixfiles</code> — Checks or corrects the security context database on the file system.
					</div></li></ul></div><div class="para">
				Refer to the man page associated with these utilities for more information.
			</div><div class="para">
				Refer to the <code class="filename">setools</code> or <code class="filename">policycoreutils</code> package contents for more information on all available binary utilities. To view the contents of a package, use the following command:
			</div><div class="para">
				<code class="command">rpm -ql <em class="replaceable"><code>&lt;package-name&gt;</code></em></code>
			</div></div></div><div class="section" id="s1-SELinux-resources"><div class="titlepage"><div><div><h3 class="title" id="s1-SELinux-resources">47.2.3. Additional Resources</h3></div></div></div><a id="id1023961" class="indexterm"></a><div class="para">
			Refer to the following resources for more detailed information on SELinux.
		</div><div class="section" id="s2-SELinux-resources-installed"><div class="titlepage"><div><div><h4 class="title" id="s2-SELinux-resources-installed">47.2.3.1. Installed Documentation</h4></div></div></div><a id="id1031778" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="command">/usr/share/doc/setools-&lt;<em class="replaceable"><code>version-number</code></em>&gt;/</code> All documentation for utilities contained in the <code class="filename">setools</code> package. This includes all helper scripts, sample configuration files, and documentation.
					</div></li></ul></div></div><div class="section" id="s2-SELinux-resources-community"><div class="titlepage"><div><div><h4 class="title" id="s2-SELinux-resources-community">47.2.3.2. Useful Websites</h4></div></div></div><a id="id1085612" class="indexterm"></a><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<a href="http://www.nsa.gov/research/selinux/index.shtml">http://www.nsa.gov/research/selinux/index.shtml</a> Homepage for the NSA SELinux development team. Many resources are available in HTML and PDF formats. Although many of these links are not SELinux specific, some concepts may apply.
					</div></li><li class="listitem"><div class="para">
						<a href="http://docs.fedoraproject.org/">http://docs.fedoraproject.org/</a> Homepage for the Fedora documentation project, which contains Fedora Core specific materials that may be more timely, since the release cycle is much shorter.
					</div></li><li class="listitem"><div class="para">
						<a href="http://selinux.sourceforge.net">http://selinux.sourceforge.net</a> Homepage for the SELinux community.
					</div></li></ul></div></div></div></div><div xml:lang="en-US" class="section" id="rhlcommon-appendix-0005" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="rhlcommon-appendix-0005">47.3. Brief Background and History of SELinux</h2></div></div></div><a id="id937712" class="indexterm"></a><a id="id938015" class="indexterm"></a><a id="id939747" class="indexterm"></a><a id="id1080848" class="indexterm"></a><a id="id939707" class="indexterm"></a><a id="id939286" class="indexterm"></a><a id="id938735" class="indexterm"></a><a id="id998302" class="indexterm"></a><a id="id1017134" class="indexterm"></a><a id="id1027213" class="indexterm"></a><a id="id1080617" class="indexterm"></a><div class="para">
		SELinux was originally a development project from the National Security Agency (<em class="glossterm"><abbr class="abbrev">NSA</abbr></em>)<sup>[<a id="id1099819" href="#ftn.id1099819" class="footnote">18</a>]</sup> and others. It is an implementation of the <em class="glossterm">Flask</em> operating system security architecture.<sup>[<a id="id998512" href="#ftn.id998512" class="footnote">19</a>]</sup>The NSA integrated SELinux into the Linux kernel using the <em class="glossterm">Linux Security Modules</em> (<em class="glossterm"><abbr class="abbrev">LSM</abbr></em>) framework. SELinux motivated the creation of <abbr class="abbrev">LSM</abbr>, at the suggestion of Linus Torvalds, who wanted a modular approach to security instead of just accepting SELinux into the kernel.
	</div><div class="para">
		Originally, the SELinux implementation used <em class="firstterm">persistent security IDs</em> (<abbr class="abbrev">PSIDs</abbr>) stored in an unused field of the ext2 inode. These numerical representations (i.e., non-human-readable) were mapped by SELinux to a security context label. Unfortunately, this required modifying each file system type to support <abbr class="abbrev">PSID</abbr>s, so was not a scalable solution or one that would be supported upstream in the Linux kernel.
	</div><div class="para">
		The next evolution of SELinux was as a loadable kernel module for the 2.4.<em class="replaceable"><code>&lt;x&gt;</code></em> series of Linux kernels. This module stored <abbr class="abbrev">PSID</abbr>s in a normal file, and SELinux was able to support more file systems. This solution was not optimal for performance, and was inconsistent across platforms. Finally, the SELinux code was integrated upstream to the 2.6.<em class="replaceable"><code>x</code></em> kernel, which has full support for <abbr class="abbrev">LSM</abbr> and has <em class="glossterm">extended attributes</em> (<em class="glossterm"><span class="property">xattrs</span></em>) in the ext3 file system. SELinux was moved to using <span class="property">xattrs</span> to store security context information. The <span class="property">xattr</span> namespace provides useful separation for multiple security modules existing on the same system.
	</div><div class="para">
		Much of the work to get the kernel ready for upstream, as well as subsequent SELinux development, has been a joint effort between the NSA, Red Hat, and the community of SELinux developers.
	</div><div class="para">
		For more information about the history of SELinux, the definitive website is <a href="http://www.nsa.gov/research/selinux/index.shtml">http://www.nsa.gov/research/selinux/index.shtml</a>.
	</div></div><div xml:lang="en-US" class="section" id="sec-mcs-ov" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sec-mcs-ov">47.4. Multi-Category Security (MCS)</h2></div></div></div><div class="section" id="sec-mcs-intro"><div class="titlepage"><div><div><h3 class="title" id="sec-mcs-intro">47.4.1. Introduction</h3></div></div></div><div class="para">
			<em class="firstterm">Multi-Category Security</em> (<abbr class="abbrev">MCS</abbr>) is an enhancement to SELinux, and allows users to label files with categories. These categories are used to further constrain <em class="firstterm">Discretionary Access Control</em> (<abbr class="abbrev">DAC</abbr>) and <em class="firstterm">Type Enforcement</em> (<abbr class="abbrev">TE</abbr>) logic. They may also be used when displaying or printing files. An example of a category is "Company_Confidential". Only users with access to this category can access files labeled with the category, assuming the existing <abbr class="abbrev">DAC</abbr> and <abbr class="abbrev">TE</abbr> rules also permit access.
		</div><div class="para">
			The term <span class="emphasis"><em>categories</em></span> refers to the same non-hierarchical categories used by <em class="firstterm">Multi-Level Security</em> (<abbr class="abbrev">MLS</abbr>). Under <abbr class="abbrev">MLS</abbr>, objects and subjects are labeled with <em class="firstterm">Security Levels</em>. These Security Levels consist of a hierarchical sensitivity value (such as "Top Secret") and zero or more non-hierarchical categories (such as "Crypto"). Categories provide compartments within sensitivity levels and enforce the need-to-know security principle. Refer to <a class="xref" href="#sec-mls-ov">Section 47.6, “Multi-Level Security (MLS)”</a> for more information about Multi-Level Security.
		</div><div class="section" id="sec-mcs-whatis"><div class="titlepage"><div><div><h4 class="title" id="sec-mcs-whatis">47.4.1.1. What is Multi-Category Security?</h4></div></div></div><div class="para">
				<abbr class="abbrev">MCS</abbr> is an adaptation of <abbr class="abbrev">MLS</abbr>. From a technical point of view, <abbr class="abbrev">MCS</abbr> is a policy change, combined with a few userland modifications to hide some of the unneeded <abbr class="abbrev">MLS</abbr> technology. Some kernel changes were also made, but only relating to making it easy to upgrade to <abbr class="abbrev">MCS</abbr> (or <abbr class="abbrev">MLS</abbr>) without invoking a full file system relabel.
			</div><div class="para">
				The hope is to improve the quality of the system as a whole, reduce costs, leverage the open source process, increase transparency, and make the technology base useful to more than a small group of extremely special-case users.
			</div></div></div><div class="section" id="sec-mcs-apps"><div class="titlepage"><div><div><h3 class="title" id="sec-mcs-apps">47.4.2. Applications for Multi-Category Security</h3></div></div></div><div class="para">
			Beyond access control, <abbr class="abbrev">MCS</abbr> could be used to display the <abbr class="abbrev">MCS</abbr> categories at the top and bottom of printed pages. This may also include a cover sheet to indicate document handling procedures. It should also be possible to integrate <abbr class="abbrev">MCS</abbr> with future developments in SELinux, such as Security Enhanced X. Integration with a directory server will also make <abbr class="abbrev">MCS</abbr> support for email easier. This could involve users manually labeling outgoing emails or by attaching suitably labeled files. The email client can then determine whether the recipients are known to be cleared to access the categories associated with the emails.
		</div></div><div class="section" id="sec-selinux-security-contexts"><div class="titlepage"><div><div><h3 class="title" id="sec-selinux-security-contexts">47.4.3. SELinux Security Contexts</h3></div></div></div><div class="para">
			SELinux stores security contexts as an extended attribute of a file. The <code class="option">"security."</code> namespace is used for security modules, and the <code class="option">security.selinux</code> name is used to persistently store SELinux security labels on files. The contents of this attribute will vary depending on the file or directory you inspect and the policy the machine is enforcing.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				This is expected to change in the 2.6.15 kernel (and already has in the latest -mm kernels), so that <code class="command">getxattr(2)</code> always returns the kernel's canonicalized version of the label.
			</div></div></div><div class="para">
			You can use the <code class="command">ls -Z</code> command to view the category label of a file:
		</div><pre class="screen">~]# <code class="command">ls -Z gravityControl.txt</code>
-rw-r--r--  user     user     user_u:object_r:tmp_t:Moonbase_Plans gravityControl.txt</pre><div class="para">
			You can use the <code class="command">gefattr(1)</code> command to view the internal category value (c10):
		</div><pre class="screen">~]# <code class="command">getfattr -n security.selinux gravityControl.txt</code>
# file: gravityControl.txt
security.selinux="user_u:object_r:tmp_t:s0:c10\000"</pre><div class="para">
			Refer to <a class="xref" href="#sec-mcs-getstarted">Section 47.5, “Getting Started with Multi-Category Security (MCS)”</a> for details on creating categories and assigning them to files.
		</div></div></div><div xml:lang="en-US" class="section" id="sec-mcs-getstarted" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sec-mcs-getstarted">47.5. Getting Started with Multi-Category Security (MCS)</h2></div></div></div><div class="para">
		This section provides an introduction to using MCS labels to extend the Mandatory Access Control (MAC) capabilities of SELinux. It discusses MCS categories, SELinux user identities, and how they apply to Linux user accounts and files. It builds on the conceptual information provided in <a class="xref" href="#sec-mcs-ov">Section 47.4, “Multi-Category Security (MCS)”</a>, and introduces some basic examples of usage.
	</div><div class="section" id="sec-mcs-getstarted-intro"><div class="titlepage"><div><div><h3 class="title" id="sec-mcs-getstarted-intro">47.5.1. Introduction</h3></div></div></div><div class="para">
			MCS labeling from a user and system administrator standpoint is straightforward. It consists of configuring a set of categories, which are simply text labels, such as "Company_Confidential" or "Medical_Records", and then assigning users to those categories. The system administrator first configures the categories, then assigns users to them as required. The users can then use the labels as they see fit.
		</div><div class="para">
			The names of the categories and their meanings are set by the system administrator, and can be set to whatever is required for the specific deployment. A system in a home environment may have only one category of "Private", and be configured so that only trusted local users are assigned to this category.
		</div><div class="para">
			In a corporate environment, categories could be used to identify documents confidential to specific departments. Categories could be established for "Finance", "Payroll", "Marketing", and "Personnel". Only users assigned to those categories can access resources labeled with the same category.
		</div><div class="para">
			After users have been assigned to categories, they can label any of their own files with any of the categories to which they have been assigned. For example, a home user in the system described above could label all of their personal files as "Private", and no service such as Apache or vsftp would ever be able to access those files, because they don't have access to the "Private" category.
		</div><div class="para">
			MCS works on a simple principle: to access a file, a user needs to be assigned to all of the categories with which the file is labeled. The MCS check is applied after normal Linux Discretionary Access Control (DAC) and Type Enforcement (TE) rules, so it can only further restrict security.
		</div></div><div class="section" id="sec-mcs-comp-userid"><div class="titlepage"><div><div><h3 class="title" id="sec-mcs-comp-userid">47.5.2. Comparing SELinux and Standard Linux User Identities</h3></div></div></div><div class="para">
			SELinux maintains its own user identity for processes, separately from Linux user identities. In the targeted policy (the default for Red Hat Enterprise Linux), only a minimal number of SELinux user identities exist:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					system_u — System processes
				</div></li><li class="listitem"><div class="para">
					root — System administrator
				</div></li><li class="listitem"><div class="para">
					user_u — All login users
				</div></li></ul></div><div class="para">
			Use the <code class="command">semanage user -l</code> command to list SELinux users:
		</div><pre class="screen">~]# <code class="command">semanage user -l</code>

Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range            SELinux Roles

root            user       s0         s0-s0:c0.c1023       system_r sysadm_r user_r
system_u        user       s0         s0-s0:c0.c1023       system_r
user_u          user       s0         s0-s0:c0.c1023       system_r sysadm_r user_r</pre><div class="para">
			Refer to <a class="xref" href="#sec-selinux-policy-targeted-rolesandusers">Section 47.8.3, “Understanding the Users and Roles in the Targeted Policy”</a> for more information about SELinux users and roles.
		</div><div class="formalpara"><h5 class="formalpara" id="id946660">SELinux Logins</h5>
				One of the properties of targeted policy is that login users all run in the same security context. From a TE point of view, in targeted policy, they are security-equivalent. To effectively use MCS, however, we need to be able to assign different sets of categories to different Linux users, even though they are all the same SELinux user (<code class="systemitem">user_u</code>). This is solved by introducing the concept of an SELinux login. This is used during the login process to assign MCS categories to Linux users when their shell is launched.
			</div><div class="para">
			Use the <code class="command">semanage login -a</code> command to assign Linux users to SELinux user identities:
		</div><pre class="screen">~]# <code class="command">semanage login -a james</code>
~]# <code class="command">semanage login -a daniel</code>
~]# <code class="command">semanage login -a olga</code></pre><div class="para">
			Now when you list the SELinux users, you can see the Linux users assigned to a specific SELinux user identity:
		</div><pre class="screen">~]# <code class="command">semanage login -l</code>

__default__               user_u                    s0
james                     user_u                    s0
daniel                    user_u                    s0
root                      root                      s0-s0:c0.c1023
olga                      user_u                    s0</pre><div class="para">
			Notice that at this stage only the root account is assigned to any categories. By default, the root account is configured with access to all categories.
		</div><div class="para">
			Red Hat Enterprise Linux and SELinux are preconfigured with several default categories, but to make effective use of MCS, the system administrator typically modifies these or creates further categories to suit local requirements.
		</div></div><div class="section" id="sec-mcs-config-categories"><div class="titlepage"><div><div><h3 class="title" id="sec-mcs-config-categories">47.5.3. Configuring Categories</h3></div></div></div><div class="para">
			SELinux maintains a mapping between internal sensitivity and category levels and their human-readable representations in the <code class="filename">setrans.conf</code> file. The system administrator edits this file to manage and maintain the required categories.
		</div><div class="para">
			Use the <code class="command">chcat -L</code> command to list the current categories:
		</div><pre class="screen">~]# <code class="command">chcat -L</code>
s0
s0-s0:c0.c1023                 SystemLow-SystemHigh
s0:c0.c1023                    SystemHigh</pre><div class="para">
			To modify the categories or to start creating your own, modify the <code class="filename">/etc/selinux/&lt;<em class="replaceable"><code>selinuxtype</code></em>&gt;/setrans.conf</code> file. For the example introduced above, add the Marketing, Finance, Payroll, and Personnel categories as follows (this example uses the targeted policy, and irrelevant sections of the file have been omitted):
		</div><pre class="screen">~]# <code class="command">vi /etc/selinux/targeted/setrans.conf</code>
s0:c0=Marketing
s0:c1=Finance
s0:c2=Payroll
s0:c3=Personnel</pre><div class="para">
			Use the <code class="command">chcat -L</code> command to check the newly-added categories:
		</div><pre class="screen">~]# <code class="command">chcat -L</code>
s0:c0                          Marketing
s0:c1                          Finance
s0:c2                          Payroll
s0:c3                          Personnel
s0
s0-s0:c0.c1023                 SystemLow-SystemHigh
s0:c0.c1023                    SystemHigh</pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				After you make any changes to the <code class="filename">setrans.conf</code> file, you need to restart the MCS translation service before those changes take effect. Use the following command to restart the service:
			</div><pre class="screen">~]# <code class="command">service mcstrans restart</code></pre></div></div></div><div class="section" id="sec-mcs-assign-cat2users"><div class="titlepage"><div><div><h3 class="title" id="sec-mcs-assign-cat2users">47.5.4. Assigning Categories to Users</h3></div></div></div><div class="para">
			Now that the required categories have been added to the system, you can start assigning them to SELinux users and files. To further develop the example above, assume that James is in the Marketing department, Daniel is in the Finance and Payroll departments, and Olga is in the Personnel department. Each of these users has already been assigned an SELinux login.
		</div><div class="para">
			Use the <code class="command">chcat</code> command to assign MCS categories to SELinux logins:
		</div><pre class="screen">~]# <code class="command">chcat -l -- +Marketing james</code>
~]# <code class="command">chcat -l -- +Finance,+Payroll daniel</code>
~]# <code class="command">chcat -l -- +Personnel olga</code></pre><div class="para">
			You can also use the <code class="command">chcat</code> command with additional command-line arguments to list the categories that are assigned to users:
		</div><pre class="screen">~]# <code class="command">chcat -L -l daniel james olga</code>
daniel: Finance,Payroll
james: Marketing
olga: Personnel</pre><div class="para">
			You can add further Linux users, assign them to SELinux user identities and then assign categories to them as required. For example, if the company director also requires a user account with access to all categories, follow the same procedure as above:
		</div><pre class="screen"># Create a user account for the company director (Karl)
~]# <code class="command">useradd karl</code>
~]# <code class="command">passwd karl</code>
Changing password for user karl.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

# Assign the user account to an SELinux login
~]# <code class="command">semanage login -a karl</code>

# Assign all the MCS categories to the new login
~]# <code class="command">chcat -l -- +Marketing,+Finance,+Payroll,+Personnel karl</code></pre><div class="para">
			Use the <code class="command">chcat</code> command to verify the addition of the new user:
		</div><pre class="screen">~]# <code class="command">chcat -L -l daniel james olga karl</code>
daniel: Finance,Payroll
james: Marketing
olga: Personnel
karl: Marketing,Finance,Payroll,Personnel</pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				MCS category access is assigned during login. Consequently, a user does not have access to newly-assigned categories until they log in again. Similarly, if access to a category is revoked, this is only apparent to the user after the next login.
			</div></div></div></div><div class="section" id="sec-mcs-assign-cat2files"><div class="titlepage"><div><div><h3 class="title" id="sec-mcs-assign-cat2files">47.5.5. Assigning Categories to Files</h3></div></div></div><div class="para">
			At this point we have a system that has several user accounts, each of which is mapped to an SELinux user identity. We have also established a number of categories that are suitable for the particular deployment, and assigned those categories to different users.
		</div><div class="para">
			All of the files on the system, however, still fall under the same category, and are therefore accessible by everyone (but still according to the standard Linux DAC and TE constraints). We now need to assign categories to the various files on the system so that only the appropriate users can access them.
		</div><div class="para">
			For this example, we create a file in Daniel's home directory:
		</div><pre class="screen">[daniel@dhcp-133 ~]$ <code class="command">echo "Financial Records 2006" &gt; financeRecords.txt</code></pre><div class="para">
			Use the <code class="command">ls -Z</code> command to check the initial security context of the file:
		</div><pre class="screen">[daniel@dhcp-133 ~]$ <code class="command">ls -Z financeRecords.txt</code>
-rw-r--r--  daniel daniel user_u:object_r:user_home_t      financeRecords.txt</pre><div class="para">
			Notice that at this stage the file has the default context for a file created in the user's home directory (<code class="systemitem">user_home_t</code>) and has no categories assigned to it. We can add the required category using the <code class="command">chcat</code> command. Now when you check the security context of the file, you can see the category has been applied.
		</div><pre class="screen">[daniel@dhcp-133 ~]$ <code class="command">chcat -- +Finance financeRecords.txt</code>
[daniel@dhcp-133 ~]$ <code class="command">ls -Z financeRecords.txt</code>
-rw-r--r--  daniel daniel root:object_r:user_home_t:Finance financeRecords.txt</pre><div class="para">
			In many cases, you need to assign more than one category to a file. For example, some files may need to be accessible to users from both the Finance and Payroll departments.
		</div><pre class="screen">[daniel@dhcp-133 ~]$ <code class="command">chcat -- +Payroll financeRecords.txt</code>
[daniel@dhcp-133 ~]$ <code class="command">ls -Z financeRecords.txt</code>
-rw-r--r--  daniel daniel root:object_r:user_home_t:Finance,Payroll financeRecords.txt</pre><div class="para">
			Each of the categories that have been assigned to the file are displayed in the security context. You can add and delete categories to files as required. Only users assigned to those categories can access that file, assuming that Linux DAC and TE permissions would already allow the access.
		</div><div class="para">
			If a user who is assigned to a different category tries to access the file, they receive an error message:
		</div><pre class="screen">[olga@dhcp-133 ~]$ <code class="command">cat financeRecords.txt</code>
cat: financeRecords.txt: Permission Denied</pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				Refer to the man pages for <code class="command">semanage</code> and <code class="command">chcat</code> for more information on the available options for these commands.
			</div></div></div></div></div><div xml:lang="en-US" class="section" id="sec-mls-ov" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sec-mls-ov">47.6. Multi-Level Security (MLS)</h2></div></div></div><div class="para">
		Protecting sensitive or confidential data is paramount in many businesses. In the event such information is made public, businesses may face legal or financial ramifications. At the very least, they will suffer a loss of customer trust. In most cases, however, they can recover from these financial and other losses with appropriate investment or compensation.
	</div><div class="para">
		The same cannot be said of the defense and related communities, which includes military services, intelligence organizations and some areas of police service. These organizations cannot easily recover should sensitive information be leaked, and may not recover at all. These communities require higher levels of security than those employed by businesses and other organizations.
	</div><div class="para">
		Having information of different security levels on the same computer systems poses a real threat. It is not a straight-forward matter to isolate different information security levels, even though different users log in using different accounts, with different permissions and different access controls.
	</div><div class="para">
		Some organizations go as far as to purchase dedicated systems for each security level. This is often prohibitively expensive, however. A mechanism is required to enable users at different security levels to access systems simultaneously, without fear of information contamination.
	</div><div class="section" id="sec-mls-multilevel"><div class="titlepage"><div><div><h3 class="title" id="sec-mls-multilevel">47.6.1. Why Multi-Level?</h3></div></div></div><div class="para">
			The term multi-level arises from the defense community's security classifications: Confidential, Secret, and Top Secret.
		</div><div class="para">
			Individuals must be granted appropriate clearances before they can see classified information. Those with Confidential clearance are only authorized to view Confidential documents; they are not trusted to look at Secret or Top Secret information. The rules that apply to data flow operate from lower levels to higher levels, and never the reverse. This is illustrated below.
		</div><div class="figure" id="fig-sec-levels"><div class="figure-contents"><div class="mediaobject"><img src="images/security-intro-to-mls.png" alt="Information Security Levels" /><div class="longdesc"><div class="para">
						Hierarchy of Information Security Levels. The arrows indicate the direction in which rules allow data to flow.
					</div></div></div></div><h6>Figure 47.2. Information Security Levels</h6></div><br class="figure-break" /><div class="section" id="sec-mls-blp"><div class="titlepage"><div><div><h4 class="title" id="sec-mls-blp">47.6.1.1. The Bell-La Padula Model (BLP)</h4></div></div></div><div class="para">
				SELinux, like most other systems that protect multi-level data, uses the <abbr class="abbrev">BLP</abbr> model. This model specifies how information can flow within the system based on labels attached to each subject and object. Refer to the following diagram:
			</div><div class="figure" id="fig-sec-dataflow"><div class="figure-contents"><div class="mediaobject"><img src="images/security-mls-data-flow.png" width="444" alt="Available data flows using an MLS system" /><div class="longdesc"><div class="para">
							Processes can read the same or lower security levels, but can only write to their own or higher security levels.
						</div></div></div></div><h6>Figure 47.3. Available data flows using an MLS system</h6></div><br class="figure-break" /><div class="para">
				Under such a system, users, computers, and networks use labels to indicate security levels. Data can flow between like levels, for example between "Secret" and "Secret", or from a lower level to a higher level. This means that users at level "Secret" can share data with one another, and can also retrieve information from Confidential-level (i.e., lower-level), users. However, data cannot flow from a higher level to a lower level. This prevents processes at the "Secret" level from viewing information classified as "Top Secret". It also prevents processes at a higher level from accidentally writing information to a lower level. This is referred to as the "no read up, no write down" model.
			</div></div><div class="section" id="sec-mls-sys-privileges"><div class="titlepage"><div><div><h4 class="title" id="sec-mls-sys-privileges">47.6.1.2. MLS and System Privileges</h4></div></div></div><div class="para">
				<abbr class="abbrev">MLS</abbr> access rules are always combined with conventional access permissions (file permissions). For example, if a user with a security level of "Secret" uses Discretionary Access Control (<acronym class="acronym">DAC</acronym>) to block access to a file by other users, this also blocks access by users with a security level of "Top Secret". A higher security clearance does not automatically give permission to arbitrarily browse a file system.
			</div><div class="para">
				Users with top-level clearances do not automatically acquire administrative rights on multi-level systems. While they may have access to all information on the computer, this is different from having administrative rights.
			</div></div></div><div class="section" id="sec-mls-seclevels"><div class="titlepage"><div><div><h3 class="title" id="sec-mls-seclevels">47.6.2. Security Levels, Objects and Subjects</h3></div></div></div><div class="para">
			As discussed above, subjects and objects are labeled with <em class="firstterm">Security Levels</em> (<abbr class="abbrev">SL</abbr>s), which are composed of two types of entities:
		</div><div class="para">
			<div class="orderedlist"><ol><li class="listitem"><div class="para">
						<code class="option">Sensitivity</code>: — A hierarchical attribute such as "Secret" or "Top Secret".
					</div></li><li class="listitem"><div class="para">
						<code class="option">Categories</code>: — A set of non-hierarchical attributes such as "US Only" or "UFO".
					</div></li></ol></div>

</div><div class="para">
			An <abbr class="abbrev">SL</abbr> must have one sensitivity, and may have zero or more categories.
		</div><div class="para">
			Examples of <abbr class="abbrev">SL</abbr>s are: { Secret / UFO, Crypto }, { Top Secret / UFO, Crypto, Stargate } and { Unclassified }
		</div><div class="para">
			Note the hierarchical sensitivity followed by zero or more categories. The reason for having categories as well as sensitivities is so that sensitivities can be further compartmentalized on a need-to-know basis. For example, while a process may be cleared to the "Secret" sensitivity level, it may not need any type of access to the project "Warp Drive" (which could be the name of a category).
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				<div class="orderedlist"><ol><li class="listitem"><div class="para">
							Security Levels on objects are called <em class="firstterm">Classifications</em>.
						</div></li><li class="listitem"><div class="para">
							Security Levels on subjects are called <em class="firstterm">Clearances</em>.
						</div></li></ol></div>

</div><div class="para">
				Thus, objects are labeled with a Classification, while subjects operate with a specific Clearance. Security Levels can have also <em class="firstterm">Ranges</em>, but these are beyond the scope of this introduction.
			</div></div></div></div><div class="section" id="sec-mls-policy"><div class="titlepage"><div><div><h3 class="title" id="sec-mls-policy">47.6.3. MLS Policy</h3></div></div></div><div class="para">
			SELinux uses the <em class="firstterm">Bell-La Padula</em> <abbr class="abbrev">BLP</abbr> model, with Type Enforcement (<abbr class="abbrev">TE</abbr>) for integrity. In simple terms, <abbr class="abbrev">MLS</abbr> policy ensures that a Subject has an appropriate clearance to access an Object of a particular classification.
		</div><div class="para">
			For example, under <abbr class="abbrev">MLS</abbr>, the system needs to know how to process a request such as: Can a process running with a clearance of { Top Secret / UFO, Rail gun } write to a file classified as { Top Secret / UFO } ?
		</div><div class="para">
			The <abbr class="abbrev">MLS</abbr> model and the policy implemented for it will determine the answer. (Consider, for example, the problem of information leaking out of the Rail gun category into the file).
		</div><div class="para">
			<abbr class="abbrev">MLS</abbr> meets a very narrow (yet critical) set of security requirements based around the way information and personnel are managed in rigidly controlled environments such as the military. <abbr class="abbrev">MLS</abbr> is typically difficult to work with and does not map well to general-case scenarios.
		</div><div class="para">
			Type Enforcement (<abbr class="abbrev">TE</abbr>) under SELinux is a more flexible and expressive security scheme, which is in many cases more suitable than <abbr class="abbrev">MLS</abbr>.
		</div><div class="para">
			There are, however, several scenarios where traditional <abbr class="abbrev">MLS</abbr> is still required. For example, a file server where the stored data may be of mixed classification and where clients connect at different clearances. This results in a large number of Security Levels and a need for strong isolation all on a single system.
		</div><div class="para">
			This type of scenario is the reason that SELinux includes <abbr class="abbrev">MLS</abbr> as a security model, as an adjunct to <abbr class="abbrev">TE</abbr>.
		</div></div><div class="section" id="sec-mls-lspp-cert"><div class="titlepage"><div><div><h3 class="title" id="sec-mls-lspp-cert">47.6.4. LSPP Certification</h3></div></div></div><div class="para">
			Efforts are being made to have Linux certified as an <abbr class="abbrev">MLS</abbr> operating system. The certification is equivalent to the old B1 rating, which has been reworked into the <a href="http://www.commoncriteriaportal.org/files/ppfiles/lspp.pdf">Labeled Security Protection Profile</a> under the <a href="http://www.commoncriteriaportal.org/files/ppfiles/lspp.pdf">Common Criteria</a> scheme.
		</div></div></div><div xml:lang="en-US" class="section" id="rhlcommon-chapter-0001" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="rhlcommon-chapter-0001">47.7. SELinux Policy Overview</h2></div></div></div><a id="id1084688" class="indexterm"></a><a id="id987254" class="indexterm"></a><div class="para">
		This chapter is an overview of SELinux policy, some of its internals, and how it works. It discusses the policy in general terms, while <a class="xref" href="#sec-sel-policy-targeted-oview">Section 47.8, “Targeted Policy Overview”</a> focuses on the details of the targeted policy as it ships in Red Hat Enterprise Linux. This chapter starts with a brief overview of what policy is and where it resides.
	</div><div class="para">
		Following on from this, the role of SELinux during the boot process is discussed. This is followed by discussions on file security contexts, object classes and permissions, attributes, types, access vectors, macros, users and roles, constraints, and a brief discussion summarizing special kernel interfaces.
	</div><a id="id1090869" class="indexterm"></a><a id="id1011194" class="indexterm"></a><a id="id1031571" class="indexterm"></a><a id="id949737" class="indexterm"></a><div class="section" id="rhlcommon-section-0056"><div class="titlepage"><div><div><h3 class="title" id="rhlcommon-section-0056">47.7.1. What is the SELinux Policy?</h3></div></div></div><div class="para">
			The SELinux Policy is the set of rules that guide the SELinux security engine. It defines <em class="firstterm">types</em> for file objects and <em class="firstterm">domains</em> for processes. It uses roles to limit the domains that can be entered, and has user identities to specify the roles that can be attained. In essence, types and domains are equivalent, the difference being that types apply to objects while domains apply to processes.
		</div><div class="section" id="sec-selinux-types"><div class="titlepage"><div><div><h4 class="title" id="sec-selinux-types">47.7.1.1. SELinux Types</h4></div></div></div><div class="para">
				A type is a way of grouping items based on their similarity from a security perspective. This is not necessarily related to the unique purpose of an application or the content of a document. For example, a file can have any type of content and be for any purpose, but if it belongs to a user and exists in that user's home directory, it is considered to be of a specific security type, <code class="systemitem">user_home_t</code>.
			</div><div class="para">
				These object types are considered alike because they are accessible in the same way by the same set of subjects. Similarly, processes tend to be of the same type if they have the same permissions as other subjects. In the targeted policy, programs that run in the <code class="systemitem">unconfined_t</code> domain have an executable file with a type such as <code class="systemitem">sbin_t</code>. From an SELinux perspective, this means they are all equivalent in terms of what they can and cannot do on the system.
			</div><div class="para">
				For example, the binary executable file object at <code class="filename">/usr/bin/postgres</code> has the type <span class="property">postgresql_exec_t</span>. All of the targeted daemons have their own <code class="systemitem">*_exec_t</code> type for their executable applications. In fact, the entire set of <span class="application"><strong>PostgreSQL</strong></span> executables such as <code class="command">createlang</code>, <code class="command">pg_dump</code>, and <code class="command">pg_restore</code> have the same type, <code class="systemitem">postgresql_exec_t</code>, and they transition to the same domain, <code class="systemitem">postgresql_t</code>, upon execution.
			</div><div class="section" id="sec-selinux-accessing-types"><div class="titlepage"><div><div><h5 class="title" id="sec-selinux-accessing-types">47.7.1.1.1. Using Policy Rules to Define Type Access</h5></div></div></div><div class="para">
					The SELinux policy defines various rules which determine how each domain may access each type. Only what is specifically allowed by the rules is permitted. By default, every operation is denied and audited, meaning it is logged in the <code class="filename">$AUDIT_LOG</code> file. In Red Hat Enterprise Linux, this is set to <code class="filename">/var/log/messages</code>. The policy is compiled into binary format for loading into the kernel security server, and each time the security server makes a decision, it is cached in the <abbr class="abbrev">AVC</abbr> to optimize performance.
				</div><div class="para">
					The policy can be defined either by modifying the existing files or by adding local <em class="firstterm">Type Enforcement (<abbr class="abbrev">TE</abbr>)</em> and <em class="firstterm">File Context (<abbr class="abbrev">FC</abbr>)</em> files to the policy tree. These new policies can be loaded into the kernel in real time. Otherwise, the policy is loaded during the boot process by <code class="command">init</code>, as explained in <a class="xref" href="#rhlcommon-section-0016">Section 47.7.3, “The Role of Policy in the Boot Process”</a>. Ultimately, every system operation is determined by the policy and the type-labeling of the files.
				</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
						After loading a new policy, it is recommended that you restart any services that may have new or changed labeling. Generally speaking, this is only the targeted daemons, as listed in <a class="xref" href="#rhlcommon-section-0003">Section 47.8.1, “What is the Targeted Policy?”</a>.
					</div></div></div></div></div><div class="section" id="sec-selinux-mac"><div class="titlepage"><div><div><h4 class="title" id="sec-selinux-mac">47.7.1.2. SELinux and Mandatory Access Control</h4></div></div></div><div class="para">
				SELinux is an implementation of <em class="firstterm">Mandatory Access Control (<acronym class="acronym">MAC</acronym>)</em>. Depending on the security policy type, SELinux implements either <em class="firstterm">Type Enforcement (<abbr class="abbrev">TE</abbr>)</em>, <em class="firstterm">Roles Based Access Control (<abbr class="abbrev">RBAC</abbr>)</em> or <em class="firstterm">Bell-La Padula Model Multi-Level Security (<abbr class="abbrev">MLS</abbr>)</em>.
			</div><div class="para">
				The policy specifies the rules in the implemented environment. It is written in a language created specifically for writing security policy. Policy writers use <code class="command">m4</code> macros to capture common sets of low-level rules. A number of <code class="command">m4</code> macros are defined in the existing policy, which facilitate the writing of new policy. These rules are preprocessed into many additional rules as part of building the <code class="filename">policy.conf</code> file, which is compiled into the binary policy.
			</div><div class="para">
				Access rights are divided differently among domains, and no domain is required to act as a master for all other domains. Moving between domains is controlled by the policy, through login programs, userspace programs such as <code class="command">newrole</code>, or by requiring a new process execution in the new domain. This movement between domains is referred to as a <em class="glossterm">transition</em>.
			</div></div></div><div class="section" id="rhlcommon-section-0091"><div class="titlepage"><div><div><h3 class="title" id="rhlcommon-section-0091">47.7.2. Where is the Policy?</h3></div></div></div><a id="id1090967" class="indexterm"></a><a id="id1020857" class="indexterm"></a><a id="id1023903" class="indexterm"></a><a id="id1110520" class="indexterm"></a><div class="para">
			There are two components to the policy: the binary tree and the source tree. The binary tree is provided by the <code class="filename">selinux-policy-<em class="replaceable"><code>&lt;policyname&gt;</code></em></code> package and supplies the binary policy file.
		</div><div class="para">
			Alternatively, the binary policy can be built from source when the <code class="filename">selinux-policy-devel</code> package is installed.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				Information on how to edit, write and compile policy is currently outside the scope of this document.
			</div></div></div><div class="section" id="sec-selinux-binaryfiles"><div class="titlepage"><div><div><h4 class="title" id="sec-selinux-binaryfiles">47.7.2.1. Binary Tree Files</h4></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						<code class="filename">/etc/selinux/targeted/</code> — this is the root directory for the <span class="property">targeted</span> policy, and contains the binary tree.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/etc/selinux/targeted/policy/</code> — this is the location of the binary policy file <code class="filename">policy.<em class="replaceable"><code>&lt;xx&gt;</code></em></code>. In this guide, the variable <code class="envar">SELINUX_POLICY</code> is used for this directory.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/etc/selinux/targeted/contexts/</code> — this is the location of the security context information and configuration files, which are used during runtime by various applications.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/etc/selinux/targeted/contexts/files/</code> — contains the default contexts for the entire file system. This is referenced by <code class="command">restorecon</code> when performing relabeling operations.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/etc/selinux/targeted/contexts/users/</code> — in the <span class="property">targeted</span> policy, only the <code class="filename">root</code> file is in this directory. These files are used for determining context when a user logs in. For example, for the root user, the context is <span class="property">user_u:system_r:unconfined_t</span>.
					</div></li><li class="listitem"><div class="para">
						<code class="filename">/etc/selinux/targeted/modules/active/booleans*</code> — this is where the runtime Booleans are configured.
					</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
							These files should never be manually changed. You should use the <code class="command">getsebool</code>, <code class="command">setsebool</code> and <code class="command">semanage</code> tools to manipulate runtime Booleans.
						</div></div></div></li></ul></div></div><div class="section" id="sec-selinux-sourcefiles"><div class="titlepage"><div><div><h4 class="title" id="sec-selinux-sourcefiles">47.7.2.2. Source Tree Files</h4></div></div></div><div class="para">
				For developing policy modules, the <code class="filename">selinux-policy-devel</code> package includes all of the interface files used to build policy. It is recommended that people who build policy use these files to build the policy modules.
			</div><div class="para">
				This package installs the policy interface files under <code class="filename">/usr/share/selinux/devel/include</code> and has <code class="filename">make</code> files installed in <code class="filename">/usr/share/selinux/devel/Makefile</code>.
			</div><div class="para">
				To help applications that need the various SELinux paths, <code class="filename">libselinux</code> provides a number of functions that return the paths to the different configuration files and directories. This negates the need for applications to hard-code the paths, especially since the active policy location is dependent on the <span class="property">SELINUXTYPE</span> setting in <code class="filename">/etc/selinux/config</code>.
			</div><div class="para">
				For example, if <span class="property">SELINUXTYPE</span> is set to <span class="property">strict</span>, the active policy location is under <code class="filename">/etc/selinux/strict</code>.
			</div><div class="para">
				To view the list of available functions, use the following command:
			</div><pre class="screen"><code class="command">man 3 selinux_binary_policy_path</code></pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
					This man page is available only if you have the <code class="literal">libselinux-devel</code> RPM installed.
				</div><div class="para">
					The use of <code class="filename">libselinux</code> and related functions is outside the scope of this document.
				</div></div></div></div></div><div class="section" id="rhlcommon-section-0016"><div class="titlepage"><div><div><h3 class="title" id="rhlcommon-section-0016">47.7.3. The Role of Policy in the Boot Process</h3></div></div></div><a id="id938205" class="indexterm"></a><a id="id1017760" class="indexterm"></a><a id="id940415" class="indexterm"></a><a id="id995875" class="indexterm"></a><a id="id949474" class="indexterm"></a><a id="id1024800" class="indexterm"></a><div class="para">
			SELinux plays an important role during the early stages of system start-up. Because all processes must be labeled with their correct domain, <code class="command">init</code> performs some essential operations early in the boot process to maintain synchronization between labeling and policy enforcement.
		</div><div class="procedure"><ol class="1"><li class="step"><div class="para">
					After the kernel has been loaded during the boot process, the initial process is assigned the predefined <em class="firstterm">initial SELinux ID (initial <acronym class="acronym">SID</acronym>)</em> <span class="property">kernel</span>. Initial <acronym class="acronym">SID</acronym>s are used for bootstrapping before the policy is loaded.
				</div></li><li class="step"><div class="para">
					<code class="command">/sbin/init</code> mounts <code class="filename">/proc/</code>, and then searches for the <code class="computeroutput">selinuxfs</code> file system type. If it is present, that means SELinux is enabled in the kernel.
				</div></li><li class="step"><div class="para">
					If <code class="command">init</code> does not find SELinux in the kernel, or if it is disabled via the <em class="parameter"><code>selinux=0</code></em> boot parameter, or if <code class="filename">/etc/selinux/config</code> specifies that <code class="computeroutput">SELINUX=disabled</code>, the boot process proceeds with a non-SELinux system.
				</div><div class="para">
					At the same time, <code class="command">init</code> sets the enforcing status if it is different from the setting in <code class="filename">/etc/selinux/config</code>. This happens when a parameter is passed during the boot process, such as <em class="parameter"><code>enforcing=0</code></em> or <em class="parameter"><code>enforcing=1</code></em>. The kernel does not enforce any policy until the initial policy is loaded.
				</div></li><li class="step"><div class="para">
					If SELinux is present, <code class="filename">/selinux/</code> is mounted.
				</div></li><li class="step"><div class="para">
					<code class="command">init</code> checks <code class="filename">/selinux/policyvers</code> for the supported policy version. The version number in <code class="filename">/selinux/policyvers</code> is the latest policy version your kernel supports. <code class="command">init</code> inspects <code class="filename">/etc/selinux/config</code> to determine which policy is active, such as the targeted policy, and loads the associated file at <code class="filename">$SELINUX_POLICY/policy.<em class="replaceable"><code>&lt;version&gt;</code></em></code>.
				</div><div class="para">
					If the binary policy is <span class="emphasis"><em>not</em></span> the version supported by the kernel, <code class="command">init</code> attempts to load the policy file if it is a previous version. This provides backward compatibility with older policy versions.
				</div><div class="para">
					If the local settings in <code class="filename">/etc/selinux/targeted/booleans</code> are different from those compiled in the policy, <code class="command">init</code> modifies the policy in memory based on the local settings prior to loading the policy into the kernel.
				</div></li><li class="step"><div class="para">
					By this stage of the process, the policy is fully loaded into the kernel. The initial SIDs are then mapped to security contexts in the policy. In the case of the targeted policy, the new domain is <span class="property">user_u:system_r:unconfined_t</span>. The kernel can now begin to retrieve security contexts dynamically from the in-kernel security server.
				</div></li><li class="step"><div class="para">
					<code class="command">init</code> then re-executes itself so that it can transition to a different domain, if the policy defines it. For the targeted policy, there is no transition defined and <code class="command">init</code> remains in the <code class="systemitem">unconfined_t</code> domain.
				</div></li><li class="step"><div class="para">
					At this point, <code class="command">init</code> continues with its normal boot process.
				</div></li></ol></div><div class="para">
			The reason that <code class="command">init</code> re-executes itself is to accommodate stricter SELinux policy controls. The objective of re-execution is to transition to a new domain with its own granular rules. The only way that a process can enter a domain is during execution, which means that such processes are the only <em class="glossterm">entry points</em> into the domains.
		</div><div class="para">
			For example, if the policy has a specific domain for <code class="command">init</code>, such as <code class="systemitem">init_t</code>, a method is required to change from the initial <acronym class="acronym">SID</acronym>, such as <span class="property">kernel</span>, to the correct runtime domain for <code class="command">init</code>. Because this transition may need to occur, <code class="command">init</code> is coded to re-execute itself after loading the policy.
		</div><div class="para">
			This <code class="command">init</code> transition occurs if the <code class="code">domain_auto_trans(kernel_t, init_exec_t, <em class="replaceable"><code>&lt;target_domain_t&gt;</code></em>)</code> rule is present in the policy. This rule states that an automatic transition occurs on anything executing in the <code class="systemitem">kernel_t</code> domain that executes a file of type <span class="property">init_exec_t</span>. When this execution occurs, the new process is assigned the domain <code class="systemitem"><em class="replaceable"><code>&lt;target_domain_t&gt;</code></em></code>, using an actual target domain such as <code class="systemitem">init_t</code>.
		</div></div><div class="section" id="rhlcommon-section-0049"><div class="titlepage"><div><div><h3 class="title" id="rhlcommon-section-0049">47.7.4. Object Classes and Permissions</h3></div></div></div><a id="id1031560" class="indexterm"></a><a id="id938936" class="indexterm"></a><a id="id913852" class="indexterm"></a><a id="id913669" class="indexterm"></a><a id="id1111266" class="indexterm"></a><a id="id1097292" class="indexterm"></a><div class="para">
			SELinux defines a number of classes for objects, making it easier to group certain permissions by specific classes. For example:
		</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
					File-related classes include <code class="classname">filesystem</code> for file systems, <code class="classname">file</code> for files, and <code class="classname">dir</code> for directories. Each class has its own associated set of permissions.
				</div><div class="para">
					The <code class="classname">filesystem</code> class can mount, unmount, get attributes, set quotas, relabel, and so forth. The <code class="classname">file</code> class has common file permissions such as read, write, get and set attributes, lock, relabel, link, rename, append, etc.
				</div></li><li class="listitem"><div class="para">
					Network related classes include <code class="classname">tcp_socket</code> for TCP sockets, <code class="classname">netif</code> for network interfaces, and <code class="classname">node</code> for network nodes.
				</div><div class="para">
					The <code class="classname">netif</code> class, for example, can send and receive on TCP, UDP and raw sockets (<code class="computeroutput">tcp_recv</code>, <code class="computeroutput">tcp_send</code>, <code class="computeroutput">udp_send</code>, <code class="computeroutput">udp_recv</code>, <code class="computeroutput">rawip_recv</code>, and <code class="computeroutput">rawip_send</code>.)
				</div></li></ul></div><div class="para">
			The object classes have matching declarations in the kernel, meaning that it is not trivial to add or change object class details. The same is true for permissions. Development work is ongoing to make it possible to dynamically register and unregister classes and permissions.
		</div><div class="para">
			Permissions are the actions that a subject can perform on an object, if the policy allows it. These permissions are the access requests that SELinux actively allows or denies.
		</div></div></div><div xml:lang="en-US" class="section" id="sec-sel-policy-targeted-oview" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sec-sel-policy-targeted-oview">47.8. Targeted Policy Overview</h2></div></div></div><a id="id1009673" class="indexterm"></a><div class="para">
		This chapter is an overview and examination of the SELinux targeted policy, the current supported policy for Red Hat Enterprise Linux.
	</div><div class="para">
		Much of the content in this chapter is applicable to all types of SELinux policy, in terms of file locations and the type of content in those files. The difference lies in which files exist in the key locations and their contents.
	</div><div class="section" id="rhlcommon-section-0003"><div class="titlepage"><div><div><h3 class="title" id="rhlcommon-section-0003">47.8.1. What is the Targeted Policy?</h3></div></div></div><a id="id936986" class="indexterm"></a><a id="id1104959" class="indexterm"></a><a id="id915092" class="indexterm"></a><div class="para">
			The SELinux policy is highly configurable. For Red Hat Enterprise Linux 5, Red Hat supports a single policy, the <em class="glossterm">targeted policy</em>. Under the targeted policy, every subject and object runs in the <code class="systemitem">unconfined_t</code> domain <span class="emphasis"><em>except</em></span> for the specific targeted daemons. Objects that are in the <code class="systemitem">unconfined_t</code> domain have no restrictions and fall back to using standard Linux security, that is, <acronym class="acronym">DAC</acronym>. The daemons that are part of the targeted policy run in their own domains and are restricted in every operation they perform on the system. This way daemons that are exploited or compromised in any way are contained and can only cause limited damage.
		</div><div class="para">
			For example, the <code class="systemitem">http</code> and <code class="systemitem">ntp</code> daemons are both protected in the default targeted policy, and run in the <code class="systemitem">httpd_t</code> and <code class="systemitem">ntpd_t</code> domains, respectively. The <code class="systemitem">ssh</code> daemon, however, is not protected in this policy, and consequently runs in the <code class="systemitem">unconfined_t</code> domain.
		</div><div class="para">
			Refer to the following sample output, which illustrates the various domains for the daemons mentioned above:
		</div><pre class="screen">user_u:system_r:httpd_t         25129 ?        00:00:00 httpd
user_u:system_r:ntpd_t          25176 ?        00:00:00 ntpd
system_u:system_r:unconfined_t         25245 ? 00:00:00 sshd</pre><div class="formalpara"><h5 class="formalpara" id="id939307">The Strict Policy</h5>
				The opposite of the targeted policy is the <em class="glossterm">strict policy</em>. In the strict policy, every subject and object exists in a specific security domain, and all interactions and transitions are individually considered within the policy rules.
			</div><div class="para">
			The strict policy is a much more complex environment, and does not ship with Red Hat Enterprise Linux. This guide focuses on the targeted policy that ships with Red Hat Enterprise Linux, and the components of SELinux used by the targeted daemons.
		</div><div class="para">
			The targeted daemons are as follows: <code class="command">dhcpd</code>; <code class="command">httpd</code>; <code class="command">mysqld</code>; <code class="command">named</code>; <code class="command">nscd</code>; <code class="command">ntpd</code>; <code class="command">portmap</code>; <code class="command">postgres</code>; <code class="command">snmpd</code>; <code class="command">squid</code>; <code class="command">syslogd</code>; and <code class="command">winbind</code>.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				Depending on your installation, only some of these daemons may be present.
			</div></div></div></div><div class="section" id="rhlcommon-section-0010"><div class="titlepage"><div><div><h3 class="title" id="rhlcommon-section-0010">47.8.2. Files and Directories of the Targeted Policy</h3></div></div></div><a id="id997348" class="indexterm"></a><a id="id986898" class="indexterm"></a><a id="id941717" class="indexterm"></a><a id="id912896" class="indexterm"></a><div class="para">
			Refer to <a class="xref" href="#rhlcommon-section-0091">Section 47.7.2, “Where is the Policy?”</a> for a list of the common files and directories used by SELinux.
		</div></div><div class="section" id="sec-selinux-policy-targeted-rolesandusers"><div class="titlepage"><div><div><h3 class="title" id="sec-selinux-policy-targeted-rolesandusers">47.8.3. Understanding the Users and Roles in the Targeted Policy</h3></div></div></div><a id="id913602" class="indexterm"></a><a id="id912373" class="indexterm"></a><div class="para">
			This section covers the specific roles enabled for the targeted policy. The <code class="systemitem">unconfined_t</code> type exists in every role, which significantly reduces the usefulness of roles in the targeted policy. More extensive use of roles requires a change to the strict policy paradigm, where every process runs in an individually considered domain.
		</div><div class="para">
			Effectively, there are only two roles in the targeted policy: <code class="systemitem">system_r</code> and <code class="systemitem">object_r</code>. The initial role is <code class="systemitem">system_r</code>, and everything else inherits that role. The remaining roles are defined for compatibility purposes between the targeted policy and the strict policy.<sup>[<a id="id1025554" href="#ftn.id1025554" class="footnote">20</a>]</sup>
		</div><div class="para">
			Three of the four roles are defined by the policy. The fourth role, <code class="systemitem">object_r</code>, is an implied role and is not found in policy source. Because roles are created and populated by types using one or more declarations in the policy, there is no single file that declares all roles. (Remember that the policy itself is generated from a number of separate files.)
		</div><a id="id997063" class="indexterm"></a><div class="variablelist"><dl><dt class="varlistentry"><span class="term"><code class="systemitem">system_r</code></span></dt><dd><div class="para">
						This role is for all system processes except user processes:
					</div><pre class="screen">system_r (28 types)
    dhcpd_t
    httpd_helper_t
    httpd_php_t
    httpd_suexec_t
    httpd_sys_script_t
    httpd_t
    httpd_unconfined_script_t
    initrc_t
    ldconfig_t
    mailman_cgi_t
    mailman_mail_t
    mailman_queue_t
    mysqld_t
    named_t
    ndc_t
    nscd_t
    ntpd_t
    pegasus_t
    portmap_t
    postgresql_t
    snmpd_t
    squid_t
    syslogd_t
    system_mail_t
    unconfined_t
    winbind_helper_t
    winbind_t
    ypbind_t</pre></dd><dt class="varlistentry"><span class="term"><code class="systemitem">user_r</code></span></dt><dd><div class="para">
						This is the default user role for regular Linux users. In a strict policy, individual users might be used, allowing for the users to have special roles to perform privileged operations. In the targeted policy, all users run in the <code class="systemitem">unconfined_t</code> domain.
					</div></dd><dt class="varlistentry"><span class="term"><code class="systemitem">object_r</code></span></dt><dd><div class="para">
						In SELinux, roles are not utilized for objects when <abbr class="abbrev">RBAC</abbr> is being used. Roles are strictly for subjects. This is because roles are task-oriented and they group together entities which perform actions (for example, processes). All such entities are collectively referred to as subjects. For this reason, all objects have the role <code class="systemitem">object_r</code>, and the role is only used as a placeholder in the label.
					</div></dd><dt class="varlistentry"><span class="term"><code class="systemitem">sysadm_r</code></span></dt><dd><div class="para">
						This is the system administrator role in a strict policy. If you log in directly as the root user, the default role may actually be <code class="systemitem">staff_r</code>. If this is true, use the <code class="command">newrole -r sysadm_r</code> command to change to the SELinux system administrator role to perform system administration tasks. In the targeted policy, the following retain <code class="systemitem">sysadm_r</code> for compatibility:
					</div><pre class="screen">sysadm_r (6 types)
    httpd_helper_t
    httpd_sys_script_t
    initrc_t
    ldconfig_t
    ndc_t
    unconfined_t</pre></dd></dl></div><div class="para">
			There is effectively only one user identity in the targeted policy. The <code class="systemitem">user_u</code> identity was chosen because <code class="filename">libselinux</code> falls back to <code class="systemitem">user_u</code> as the default SELinux user identity. This occurs when there is no matching SELinux user for the Linux user who is logging in. Using <code class="systemitem">user_u</code> as the single user in the targeted policy makes it easier to change to the strict policy. The remaining users exist for compatibility with the strict policy.<sup>[<a id="id868189" href="#ftn.id868189" class="footnote">21</a>]</sup>
		</div><div class="para">
			The one exception is the SELinux user <code class="computeroutput">root</code>. You may notice <code class="computeroutput">root</code> as the user identity in a process's context. This occurs when the SELinux user <code class="computeroutput">root</code> starts daemons from the command line, or restarts a daemon originally started by <code class="command">init</code>.
		</div></div></div><div class="footnotes"><br /><hr width="100" align="left" /><div class="footnote"><div class="para"><sup>[<a id="ftn.id1099819" href="#id1099819" class="para">18</a>] </sup>
			The NSA is the cryptologic agency of the United States of America's Federal government, charged with information assurance and signals intelligence. You can read more about the NSA at their website, <a href="http://www.nsa.gov/about/">http://www.nsa.gov/about/</a>.
		</div></div><div class="footnote"><div class="para"><sup>[<a id="ftn.id998512" href="#id998512" class="para">19</a>] </sup>
			Flask grew out of a project that integrated the <em class="glossterm">Distributed Trusted Operating System</em> (<em class="glossterm"><abbr class="abbrev">DTOS</abbr></em>) into the Fluke research operating system. Flask was the name of the architecture and the implementation in the Fluke operating system.
		</div></div><div class="footnote"><div class="para"><sup>[<a id="ftn.id1025554" href="#id1025554" class="para">20</a>] </sup>
				Any role could have been chosen for the targeted policy, but <code class="systemitem">system_r</code> already had existing authorization for the daemon domains, simplifying the process. This was done because no mechanism currently exists to alias roles.
			</div></div><div class="footnote"><div class="para"><sup>[<a id="ftn.id868189" href="#id868189" class="para">21</a>] </sup>
				A user aliasing mechanism would also work here, to alias all identities from the strict policy to a single user identity in the targeted policy.
			</div></div></div></div><div xml:lang="en-US" class="chapter" id="rhlcommon-chapter-0017" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 48. Working With SELinux</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sec-sel-usercontrol">48.1. End User Control of SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-selinux-files-moving">48.1.1. Moving and Copying Files</a></span></dt><dt><span class="section"><a href="#sec-sel-context-checking-processanduser">48.1.2. Checking the Security Context of a Process, User, or File Object</a></span></dt><dt><span class="section"><a href="#sec-sel-file-relabel">48.1.3. Relabeling a File or Directory</a></span></dt><dt><span class="section"><a href="#sec-sel-backup-maintain-context">48.1.4. Creating Archives That Retain Security Contexts</a></span></dt></dl></dd><dt><span class="section"><a href="#sec-sel-admincontrol">48.2. Administrator Control of SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-selinux-status-viewing">48.2.1. Viewing the Status of SELinux</a></span></dt><dt><span class="section"><a href="#sec-sel-fsrelabel">48.2.2. Relabeling a File System</a></span></dt><dt><span class="section"><a href="#id1104143">48.2.3. Managing NFS Home Directories</a></span></dt><dt><span class="section"><a href="#sec-sel-grant-dir-access">48.2.4. Granting Access to a Directory or a Tree</a></span></dt><dt><span class="section"><a href="#sec-sel-backup-restore-system">48.2.5. Backing Up and Restoring the System</a></span></dt><dt><span class="section"><a href="#sec-sel-enable-disable-enforcement">48.2.6. Enabling or Disabling Enforcement</a></span></dt><dt><span class="section"><a href="#sec-sel-enable-disable">48.2.7. Enable or Disable SELinux</a></span></dt><dt><span class="section"><a href="#sec-sel-policy-changing">48.2.8. Changing the Policy</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0097">48.2.9. Specifying the Security Context of Entire File Systems</a></span></dt><dt><span class="section"><a href="#sec-sel-category-changing">48.2.10. Changing the Security Category of a File or User</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0085">48.2.11. Running a Command in a Specific Security Context</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0086">48.2.12. Useful Commands for Scripts</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0087">48.2.13. Changing to a Different Role</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0088">48.2.14. When to Reboot</a></span></dt></dl></dd><dt><span class="section"><a href="#sec-sel-analystcontrol">48.3. Analyst Control of SELinux</a></span></dt><dd><dl><dt><span class="section"><a href="#rhlcommon-section-0081">48.3.1. Enabling Kernel Auditing</a></span></dt><dt><span class="section"><a href="#rhlcommon-section-0092">48.3.2. Dumping and Viewing Logs</a></span></dt></dl></dd></dl></div><div class="para">
		SELinux presents both a new security paradigm and a new set of practices and tools for administrators and some end-users. The tools and techniques discussed in this chapter focus on standard operations performed by end-users, administrators, and analysts.
	</div><div xml:lang="en-US" class="section" id="sec-sel-usercontrol" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sec-sel-usercontrol">48.1. End User Control of SELinux</h2></div></div></div><a id="id1128464" class="indexterm"></a><a id="id1021626" class="indexterm"></a><a id="id1013163" class="indexterm"></a><a id="id1013148" class="indexterm"></a><a id="id1013202" class="indexterm"></a><a id="id1102115" class="indexterm"></a><div class="para">
		In general, end users have little interaction with SELinux when Red Hat Enterprise Linux is running the targeted policy. This is because users are running in the domain of <code class="systemitem">unconfined_t</code> along with the rest of the system <span class="emphasis"><em>except</em></span> the targeted daemons.
	</div><div class="para">
		In most situations, standard DAC controls prevent you from performing tasks for which you do not have the required access or permissions before SELinux is consulted. Consequently, it is likely that you will never generate an <code class="computeroutput">avc: denied</code> message.
	</div><div class="para">
		The following sections cover the general tasks and practices that an end user might need to perform on a Red Hat Enterprise Linux system. These tasks apply to users of all privilege levels, not only to end users.
	</div><div class="section" id="sec-selinux-files-moving"><div class="titlepage"><div><div><h3 class="title" id="sec-selinux-files-moving">48.1.1. Moving and Copying Files</h3></div></div></div><a id="id1088503" class="indexterm"></a><a id="id1128470" class="indexterm"></a><a id="id1102112" class="indexterm"></a><a id="id1128439" class="indexterm"></a><div class="para">
			In file system operations, security context must now be considered in terms of the label of the file, the process accessing it, and the directories where the operation is happening. Because of this, moving and copying files with <code class="command">mv</code> and <code class="command">cp</code> may have unexpected results.
		</div><div class="formalpara"><h5 class="formalpara" id="id1082392">Copying Files: SELinux Options for cp</h5>
				Unless you specify otherwise, <code class="command">cp</code> follows the default behavior of creating a new file based on the domain of the creating process and the type of the target directory. Unless there is a specific rule to set the label, the file inherits the type from the target directory.
			</div><div class="para">
			Use the <code class="option">-Z <em class="replaceable"><code>user:role:type</code></em></code> option to specify the required label for the new file.
		</div><div class="para">
			The <code class="option">-p</code> (or <code class="option">--preserve=mode,ownership,timestamps</code>) option preserves the specified attributes and, if possible, additional attributes such as links.
		</div><pre class="screen">
touch bar foo
ls -Z bar foo
-rw-rw-r--  auser   auser   user_u:object_r:user_home_t   bar
-rw-rw-r--  auser   auser   user_u:object_r:user_home_t   foo
</pre><div class="para">
			If you use the <code class="command">cp</code> command without any additional command-line arguments, a copy of the file is created in the new location using the default type of the creating process and the target directory. In this case, because there is no specific rule that applies to <code class="command">cp</code> and <code class="filename">/tmp</code>, the new file has the type of the parent directory:
		</div><pre class="screen">
cp bar /tmp
ls -Z /tmp/bar
-rw-rw-r--  auser   auser   user_u:object_r:tmp_t   /tmp/bar
</pre><div class="para">
			The type <code class="systemitem">tmp_t</code> is the default type for temporary files.
		</div><div class="para">
			Use the <code class="option">-Z</code> option to specify the label for the new file:
		</div><pre class="screen">
cp -Z user_u:object_r:user_home_t foo /tmp
ls -Z /tmp/foo
-rw-rw-r--  auser   auser   user_u:object_r:user_home_t   /tmp/foo
</pre><div class="formalpara"><h5 class="formalpara" id="id945254">Moving Files: SELinux Options for mv</h5>
				Moving files with <code class="command">mv</code> retains the original type associated with the file. Care should be taken using this command as it can cause problems. For example, if you move files with the type <code class="systemitem">user_home_t</code> into <code class="filename">~/public_html</code>, then the <code class="systemitem">httpd</code> daemon is not able to serve those files until you relabel them. Refer to <a class="xref" href="#sec-sel-file-relabel">Section 48.1.3, “Relabeling a File or Directory”</a> for more information about file labeling.
			</div><div class="table" id="sec-sel-mv-cp-commands"><h6>Table 48.1. Behavior of mv and cp Commands</h6><div class="table-contents"><table summary="Behavior of mv and cp Commands" border="1"><colgroup><col width="38%" class="command" /><col width="63%" class="behavior" /></colgroup><thead><tr><th>
							Command
						</th><th>
							Behavior
						</th></tr></thead><tbody><tr><td>
							<code class="command">mv</code>
						</td><td>
							The file retains its original label. This may cause problems, confusion, or minor insecurity. For example, the <code class="command">tmpwatch</code> program running in the <code class="systemitem">sbin_t</code> domain might not be allowed to delete an aged file in the <code class="filename">/tmp</code> directory because of the file's type.
						</td></tr><tr><td>
							<code class="command">cp</code>
						</td><td>
							Makes a copy of the file using the default behavior based on the domain of the creating process (<code class="command">cp</code>) and the type of the target directory.
						</td></tr><tr><td>
							<code class="command">cp -p</code>
						</td><td>
							Makes a copy of the file, preserving the specified attributes and security contexts, if possible. The default attributes are <span class="property">mode</span>, <span class="property">ownership</span>, and <span class="property">timestamps</span>. Additional attributes are <span class="property">links</span> and <span class="property">all</span>.
						</td></tr><tr><td>
							<code class="command">cp -Z <em class="replaceable"><code>&lt;user:role:type&gt;</code></em></code>
						</td><td>
							Makes a copy of the file with the specified labels. The <code class="option">-Z</code> option is synonymous with <code class="option">--context</code>.
						</td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="sec-sel-context-checking-processanduser"><div class="titlepage"><div><div><h3 class="title" id="sec-sel-context-checking-processanduser">48.1.2. Checking the Security Context of a Process, User, or File Object</h3></div></div></div><a id="id900441" class="indexterm"></a><a id="id1017847" class="indexterm"></a><a id="id1102057" class="indexterm"></a><a id="id1019608" class="indexterm"></a><a id="id900435" class="indexterm"></a><a id="id1023569" class="indexterm"></a><div class="formalpara"><h5 class="formalpara" id="id1128465">Checking a Process ID</h5>
				In Red Hat Enterprise Linux, the <code class="option">-Z</code> option is equivalent to <code class="option">--context</code>, and can be used with the <code class="command">ps</code>, <code class="command">id</code>, <code class="command">ls</code>, and <code class="command">cp</code> commands. The behavior of the <code class="command">cp</code> command with respect to SELinux is explained in <a class="xref" href="#sec-sel-mv-cp-commands">Table 48.1, “Behavior of mv and cp Commands”</a>.
			</div><div class="para">
			The following example shows a small sample of the output of the <code class="command">ps</code> command. Most of the processes are running in the <code class="systemitem">unconfined_t</code> domain, with a few exceptions.
		</div><pre class="screen">
[user@localhost ~]$ ps auxZ
LABEL                           USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
system_u:system_r:init_t        root         1  0.0  0.1   2032   620 ?        Ss   15:09   0:00 init [5]
system_u:system_r:kernel_t      root         2  0.0  0.0      0     0 ?        S    15:09   0:00 [migration/0]
system_u:system_r:kernel_t      root         3  0.0  0.0      0     0 ?        SN   15:09   0:00 [ksoftirqd/0]

user_u:system_r:unconfined_t    user     3122  0.0  0.6   6908  3232 ?        S    16:47   0:01 /usr/libexec/gconfd-2 5
user_u:system_r:unconfined_t    user     3125  0.0  0.1   2540   588 ?        S    16:47   0:00 /usr/bin/gnome-keyring-daemon
user_u:system_r:unconfined_t    user     3127  0.0  1.4  33612  6988 ?        Sl   16:47   0:00 /usr/libexec/gnome-settings-daemon
user_u:system_r:unconfined_t    user     3144  0.1  1.4  16528  7360 ?        Ss   16:47   0:01 metacity --sm-client-id=default1
user_u:system_r:unconfined_t    user     3148  0.2  2.9  79544 14808 ?        Ss   16:47   0:03 gnome-panel --sm-client-id default2

</pre><div class="formalpara"><h5 class="formalpara" id="id1091179">Checking a User ID</h5>
				You can use the <code class="option">-Z</code> option with the <code class="command">id</code> command to determine a user's security context. Note that with this command you cannot combine <code class="option">-Z</code> with other options.
			</div><pre class="screen">
[root@localhost ~]# id -Z
user_u:system_r:unconfined_t
</pre><div class="para">
			Note that you cannot use the <code class="option">-Z</code> option with the <code class="command">id</code> command to inspect the security context of a different user. That is, you can only display the security context of the currently logged-in user:
		</div><pre class="screen">
[user@localhost ~]$ id
uid=501(user) gid=501(user) groups=501(user) context=user_u:system_r:unconfined_t
[user@localhost ~]$ id root
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[user@localhost ~]$ id -Z root
id: cannot display context when selinux not enabled or when displaying the id
of a different user
</pre><div class="formalpara"><h5 class="formalpara" id="id938609">Check a File ID</h5>
				You can use the <code class="option">-Z</code> option with the <code class="command">ls</code> command to group common long-format information. You can display mode, user, group, security context, and filename information.
			</div><pre class="screen">
cd /etc
ls -Z h* -d
drwxr-xr-x  root root  system_u:object_r:etc_t        hal
-rw-r--r--  root root  system_u:object_r:etc_t        host.conf
-rw-r--r--  root root  user_u:object_r:etc_t          hosts
-rw-r--r--  root root  system_u:object_r:etc_t        hosts.allow
-rw-r--r--  root root  system_u:object_r:etc_t        hosts.canna
-rw-r--r--  root root  system_u:object_r:etc_t        hosts.deny
drwxr-xr-x  root root  system_u:object_r:hotplug_etc_t  hotplug
drwxr-xr-x  root root  system_u:object_r:etc_t        hotplug.d
drwxr-xr-x  root root  system_u:object_r:httpd_sys_content_t htdig
drwxr-xr-x  root root  system_u:object_r:httpd_config_t httpd
</pre></div><div class="section" id="sec-sel-file-relabel"><div class="titlepage"><div><div><h3 class="title" id="sec-sel-file-relabel">48.1.3. Relabeling a File or Directory</h3></div></div></div><a id="id900433" class="indexterm"></a><a id="id1033223" class="indexterm"></a><div class="para">
			You may need to relabel a file when moving or copying into special directories related to the targeted daemons, such as <code class="filename">~/public_html</code> directories, or when writing scripts that work in directories outside of <code class="filename">/home</code>.
		</div><div class="para">
			There are two general types of relabeling operations: 
			<div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Deliberately changing the type of a file
					</div></li><li class="listitem"><div class="para">
						Restoring files to the default state according to policy
					</div></li></ul></div>

</div><div class="para">
			There are also relabeling operations that an administrator performs. These are covered in <a class="xref" href="#sec-sel-fsrelabel">Section 48.2.2, “Relabeling a File System”</a>.
		</div><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
				The majority of SELinux permission control in the targeted policy is Type Enforcement (<abbr class="abbrev">TE</abbr>). Consequently, you can generally ignore the user and role information in a security label and focus on just changing the type. You do not normally need to consider the role and user settings on files.
			</div></div></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				If relabeling affects the label on a daemon's executable, you should restart the daemon to be sure it is running in the correct domain. For example, if <code class="systemitem">/usr/sbin/mysqld</code> has the wrong security label, and you address this by using a relabeling operation such as <code class="command">restorecon</code>, you must restart <code class="systemitem">mysqld</code> after the relabeling operation. Setting the executable file to have the correct type (<code class="systemitem">mysqld_exec_t</code>) ensures that it transitions to the proper domain when started.
			</div></div></div><div class="para">
			Use the <code class="command">chcon</code> command to change a file to the correct type. You need to know the correct type that you want to apply to use this command. The directories and files in the following example are labeled with the default type defined for file system objects created in <code class="filename">/home</code>:
		</div><pre class="screen">
cd ~
ls -Zd public_html/
drwxrwxr-x  auser  auser  user_u:object_r:user_home_t public_html/

ls -Z web_files/
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t   1.html
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t   2.html
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t   3.html
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t   4.html
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t   5.html
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t   index.html
</pre><div class="para">
			If you move these files into the <code class="filename">public_html</code> directory, they retain the original type:
		</div><pre class="screen">
mv web_files/* public_html/
ls -Z public_html/
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t   1.html
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t   2.html
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t   3.html
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t   4.html
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t   5.html
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t   index.html
</pre><div class="para">
			To make these files viewable from a special user public HTML folder, they need to have a type that <code class="systemitem">httpd</code> has permissions to read, presuming the Apache HTTP Server is configured for UserDir and the Boolean value <code class="option">httpd_enable_homedirs</code> is enabled.
		</div><pre class="screen">
chcon -R -t httpd_user_content_t public_html/
ls -Z public_html
-rw-rw-r--  auser  auser  user_u:object_r:httpd_user_content_t   1.html
-rw-rw-r--  auser  auser  user_u:object_r:httpd_user_content_t   2.html
-rw-rw-r--  auser  auser  user_u:object_r:httpd_user_content_t   3.html
-rw-rw-r--  auser  auser  user_u:object_r:httpd_user_content_t   4.html
-rw-rw-r--  auser  auser  user_u:object_r:httpd_user_content_t   5.html
-rw-rw-r--  auser  auser  user_u:object_r:httpd_user_content_t   index.html

ls -Z public_html/ -d
drwxrwxr-x  auser  auser  user_u:object_r:httpd_user_content_t  public_html/
</pre><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
				If the file has no label, such as a file created while SELinux was disabled in the kernel, you need to give it a full label with <code class="command">chcon system_u:object_r:shlib_t foo.so</code>. Otherwise, you will receive an error about applying a partial context to an unlabeled file.
			</div></div></div><div class="para">
			Use the <code class="command">restorecon</code> command to restore files to the default values according to the policy. There are two other methods for performing this operation that work on the entire file system: <code class="command">fixfiles</code> or a policy relabeling operation. Each of these methods requires superuser privileges. Cautions against both of these methods appear in <a class="xref" href="#sec-sel-fsrelabel">Section 48.2.2, “Relabeling a File System”</a>.
		</div><div class="para">
			The following example demonstrates restoring the default user home directory context to a set of files that have different types. The first two sets of files have different types, and are being moved into a directory for archiving. Their contexts are different from each other, and are incorrect for a standard user's home directory:
		</div><pre class="screen">
ls -Z /tmp/
-rw-rw-r--  auser  auser  user_u:object_r:tmp_t            /tmp/file1
-rw-rw-r--  auser  auser  user_u:object_r:tmp_t            /tmp/file2
-rw-rw-r--  auser  auser  user_u:object_r:tmp_t            /tmp/file3

mv /tmp/{1,2,3} archives/
mv public_html/* archives/
ls -Z archives/
-rw-rw-r--  auser  auser  user_u:object_r:tmp_t            file1
-rw-rw-r--  auser  auser  user_u:object_r:httpd_user_content_t    file1.html
-rw-rw-r--  auser  auser  user_u:object_r:tmp_t            file2
-rw-rw-r--  auser  auser  user_u:object_r:httpd_user_content_t    file2.html
-rw-rw-r--  auser  auser  user_u:object_r:tmp_t            file3
-rw-rw-r--  auser  auser  user_u:object_r:httpd_user_content_t    file3.html
-rw-rw-r--  auser  auser  user_u:object_r:httpd_user_content_t    file4.html
-rw-rw-r--  auser  auser  user_u:object_r:httpd_user_content_t    file5.html
-rw-rw-r--  auser  auser  user_u:object_r:httpd_user_content_t  index.html
</pre><div class="para">
			The <code class="filename">archives/</code> directory already has the default type because it was created in the user's home directory:
		</div><pre class="screen">
ls -Zd archives/
drwxrwxr-x  auser  auser  user_u:object_r:user_home_t  archives/
</pre><div class="para">
			Using the <code class="command">restorecon</code> command to relabel the files uses the default file contexts set by the policy, so these files are labeled with the default label for their current directory.
		</div><pre class="screen">
/sbin/restorecon -R archives/
ls -Z archives/
-rw-rw-r--  auser  auser  system_u:object_r:user_home_t    file1
-rw-rw-r--  auser  auser  system_u:object_r:user_home_t    file1.html
-rw-rw-r--  auser  auser  system_u:object_r:user_home_t    file2
-rw-rw-r--  auser  auser  system_u:object_r:user_home_t    file2.html
-rw-rw-r--  auser  auser  system_u:object_r:user_home_t    file3
-rw-rw-r--  auser  auser  system_u:object_r:user_home_t    file3.html
-rw-rw-r--  auser  auser  system_u:object_r:user_home_t    file4.html
-rw-rw-r--  auser  auser  system_u:object_r:user_home_t    file5.html
-rw-rw-r--  auser  auser  system_u:object_r:user_home_t    index.html
</pre></div><div class="section" id="sec-sel-backup-maintain-context"><div class="titlepage"><div><div><h3 class="title" id="sec-sel-backup-maintain-context">48.1.4. Creating Archives That Retain Security Contexts</h3></div></div></div><a id="id1056860" class="indexterm"></a><a id="id1110744" class="indexterm"></a><a id="id1102895" class="indexterm"></a><a id="id1029077" class="indexterm"></a><div class="para">
			You can use either the <code class="command">tar</code> or <code class="command">star</code> utilities to create archives that retain SELinux security contexts. The following example uses <code class="command">star</code> to demonstrate how to create such an archive. You need to use the appropriate <code class="option">-xattr</code> and <code class="option">-H=exustar</code> options to ensure that the extra attributes are captured and that the header for the <code class="filename">*.star</code> file is of a type that fully supports xattrs. Refer to the man page for more information about these and other options.
		</div><div class="para">
			The following example illustrates the creation and extraction of a set of html files and directories. Note that the two directories have different labels. Unimportant parts of the file context have been omitted for printing purposes (indicated by ellipses '...'):
		</div><pre class="screen">
ls -Z public_html/ web_files/

public_html/:
-rw-rw-r--  auser  auser  ...httpd_user_content_t 1.html
-rw-rw-r--  auser  auser  ...httpd_user_content_t 2.html
-rw-rw-r--  auser  auser  ...httpd_user_content_t 3.html
-rw-rw-r--  auser  auser  ...httpd_user_content_t 4.html
-rw-rw-r--  auser  auser  ...httpd_user_content_t 5.html
-rw-rw-r--  auser  auser  ...httpd_user_content_t index.html
web_files/:
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t  1.html
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t  2.html
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t  3.html
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t  4.html
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t  5.html
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t  index.html
</pre><div class="para">
			The following command creates the archive, retaining all of the SELinux security contexts:
		</div><pre class="screen">
star -xattr -H=exustar -c -f all_web.star public_html/ web_files/
star: 11 blocks + 0 bytes (total of 112640 bytes = 110.00k).
</pre><div class="para">
			Use the <code class="command">ls</code> command with the <code class="option">-Z</code> option to validate the security context:
		</div><pre class="screen">
ls -Z all_web.star
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t \  all_web.star
</pre><div class="para">
			You can now copy the archive to a different directory. In this example, the archive is copied to <code class="filename">/tmp</code>. If there is no specific policy to make a derivative temporary type, the default behavior is to acquire the <code class="systemitem">tmp_t</code> type.
		</div><pre class="screen">
cp all_web.star /tmp/ cd /tmp/

ls -Z all_web.star
-rw-rw-r--  auser  auser  user_u:object_r:tmp_t  all_web.star
</pre><div class="para">
			Now you can expand the archives using <code class="command">star</code> and it restores the extended attributes:
		</div><pre class="screen">
star -xattr -x -f all_web.star
star: 11 blocks + 0 bytes (total of 112640 bytes = 110.00k).

ls -Z /tmp/public_html/ /tmp/web_files/
/tmp/public_html/:
-rw-rw-r--  auser  auser  ...httpd_sys_content_t 1.html
-rw-rw-r--  auser  auser  ...httpd_sys_content_t 2.html
-rw-rw-r--  auser  auser  ...httpd_sys_content_t 3.html
-rw-rw-r--  auser  auser  ...httpd_sys_content_t 4.html
-rw-rw-r--  auser  auser  ...httpd_sys_content_t 5.html
-rw-rw-r--  auser  auser  ...httpd_sys_content_t index.html
/tmp/web_files/:
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t  1.html
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t  2.html
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t  3.html
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t  4.html
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t  5.html
-rw-rw-r--  auser  auser  user_u:object_r:user_home_t  \ index.html
</pre><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
				If you use an absolute path when you create an archive using <code class="command">star</code>, the archive expands on that same path. For example, an archive made with this command restores the files to <code class="filename">/var/log/httpd/</code>:
			</div><pre class="screen">
star -xattr -H=exustar -c -f httpd_logs.star /var/log/httpd/
</pre><div class="para">
				If you attempt to expand this archive, <code class="command">star</code> issues a warning if the files in the path are newer than the ones in the archive.
			</div></div></div></div></div><div xml:lang="en-US" class="section" id="sec-sel-admincontrol" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sec-sel-admincontrol">48.2. Administrator Control of SELinux</h2></div></div></div><a id="id1100854" class="indexterm"></a><a id="id939870" class="indexterm"></a><a id="id1000148" class="indexterm"></a><a id="id1092416" class="indexterm"></a><a id="id1025330" class="indexterm"></a><div class="para">
		In addition to the tasks often performed by users in <a class="xref" href="#sec-sel-usercontrol">Section 48.1, “End User Control of SELinux”</a>, SELinux administrators could be expected to perform a number of additional tasks. These tasks typically require root access to the system. Such tasks are significantly easier under the targeted policy. For example, there is no need to consider adding, editing, or deleting Linux users from the SELinux users, nor do you need to consider roles.
	</div><div class="para">
		This section covers the types of tasks required of an administrator who maintains Red Hat Enterprise Linux running SELinux.
	</div><div class="section" id="sec-selinux-status-viewing"><div class="titlepage"><div><div><h3 class="title" id="sec-selinux-status-viewing">48.2.1. Viewing the Status of SELinux</h3></div></div></div><a id="id1036428" class="indexterm"></a><a id="id1110206" class="indexterm"></a><a id="id1086041" class="indexterm"></a><a id="id993158" class="indexterm"></a><div class="para">
			The <code class="command">sestatus</code> command provides a configurable view into the status of SELinux. The simplest form of this command shows the following information:
		</div><pre class="screen">~]# <code class="command">sestatus</code>
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted</pre><div class="para">
			The <code class="option">-v</code> option includes information about the security contexts of a series of files that are specified in <code class="filename">/etc/sestatus.conf</code>:
		</div><pre class="screen">~]# <code class="command">sestatus -v</code>
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

Process contexts:
Current context:                user_u:system_r:unconfined_t
Init context:                   system_u:system_r:init_t
/sbin/mingetty                  system_u:system_r:getty_t
/usr/sbin/sshd                  system_u:system_r:unconfined_t:s0-s0:c0.c1023

File contexts:
Controlling term:               user_u:object_r:devpts_t
/etc/passwd                     system_u:object_r:etc_t
/etc/shadow                     system_u:object_r:shadow_t
/bin/bash                       system_u:object_r:shell_exec_t
/bin/login                      system_u:object_r:login_exec_t
/bin/sh                         system_u:object_r:bin_t -&gt; system_u:object_r:shell_exec_t
/sbin/agetty                    system_u:object_r:getty_exec_t
/sbin/init                      system_u:object_r:init_exec_t
/sbin/mingetty                  system_u:object_r:getty_exec_t
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t
/lib/libc.so.6                  system_u:object_r:lib_t -&gt; system_u:object_r:lib_t
/lib/ld-linux.so.2              system_u:object_r:lib_t -&gt; system_u:object_r:ld_so_t</pre><div class="para">
			The <code class="option">-b</code> displays the current state of booleans. You can use this in combination with grep or other tools to determine the status of particular booleans:
		</div><pre class="screen">~]# <code class="command">sestatus -b | grep httpd | grep on$</code>
httpd_builtin_scripting           on
httpd_disable_trans               on
httpd_enable_cgi                  on
httpd_enable_homedirs             on
httpd_unified                     on</pre></div><div class="section" id="sec-sel-fsrelabel"><div class="titlepage"><div><div><h3 class="title" id="sec-sel-fsrelabel">48.2.2. Relabeling a File System</h3></div></div></div><a id="id1083293" class="indexterm"></a><a id="id1084401" class="indexterm"></a><div class="para">
			You may never need to relabel an entire file system. This usually occurs only when labeling a file system for SELinux for the first time, or when switching between different types of policy, such as changing from the targeted to the strict policy.
		</div><div class="formalpara"><h5 class="formalpara" id="id783209">Relabeling a File System Using init</h5>
				The recommended method for relabeling a file system is to reboot the machine. This allows the <code class="systemitem">init</code> process to perform the relabeling, ensuring that applications have the correct labels when they are started and that they are started in the right order. If you relabel a file system without rebooting, some processes may continue running with an incorrect context. Manually ensuring that all the daemons are restarted and running in the correct context can be difficult.
			</div><div class="para">
			Use the following procedure to relabel a file system using this method.
		</div><pre class="screen"><code class="command">touch /.autorelabel</code>
<code class="command">reboot</code></pre><div class="para">
			At boot time, <code class="systemitem">init.rc</code> checks for the existence of <code class="filename">/.autorelabel</code>. If this file exists, SELinux performs a complete file system relabel (using the <code class="command">/sbin/fixfiles -f -F relabel</code> command), and then deletes <code class="filename">/.autorelabel</code>.
		</div><div class="formalpara"><h5 class="formalpara" id="id1100913">Relabeling a File System Using fixfiles</h5>
				It is possible to relabel a file system using the <code class="command">fixfiles</code> command, or to relabel based on the RPM database:
			</div><div class="para">
			Use the following command to relabel a file system only using the <code class="command">fixfiles</code> command:
		</div><pre class="screen"><code class="command">fixfiles relabel</code></pre><div class="para">
			Use the following command to relabel a file system based on the RPM database:
		</div><pre class="screen"><code class="command">fixfiles -R <em class="replaceable"><code>&lt;packagename&gt;</code></em> restore</code></pre><div class="para">
			Using <code class="command">fixfiles</code> to restore contexts from packages is safer and quicker.
		</div><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
				Running <code class="command">fixfiles</code> on the entire file system without rebooting may make the system unstable.
			</div><div class="para">
				If the relabeling operation applies a new policy that is different from the policy that was in place when the system booted, existing processes may be running in incorrect and insecure domains. For example, a process could be in a domain that is not an allowed transition for that process in the new policy, granting unexpected permissions to that process alone.
			</div><div class="para">
				In addition, one of the options to <code class="command">fixfiles relabel</code> prompts for approval to empty <code class="filename">/tmp/</code> because it is not possible to reliably relabel <code class="filename">/tmp/</code>. Since <code class="command">fixfiles</code> is run as root, temporary files that applications are relying upon are erased. This could make the system unstable or behave unexpectedly.
			</div></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1104143">48.2.3. Managing NFS Home Directories</h3></div></div></div><a id="id1089409" class="indexterm"></a><a id="id946223" class="indexterm"></a><div class="para">
			In Red Hat Enterprise Linux 5, most targeted daemons do not interact with user data and are not affected by NFS-mounted home directories. One exception is the Apache HTTP Server. For example, CGI scripts that are on the mounted file system have the <code class="systemitem">nfs_t</code> type, which is not a type that <code class="systemitem">httpd_t</code> is allowed to execute.
		</div><div class="para">
			If you are having problems with the default type of <code class="systemitem">nfs_t</code>, try mounting the home directories with a different context:
		</div><pre class="screen"><code class="command">mount -t nfs -o context=user_u:object_r:user_home_dir_t \</code>
	<code class="command">fileserver.example.com:/shared/homes/ /home</code></pre><div class="warning"><div class="admonition_header"><h2>Caution</h2></div><div class="admonition"><div class="para">
				<a class="xref" href="#rhlcommon-section-0097">Section 48.2.9, “Specifying the Security Context of Entire File Systems”</a> explains how to mount a directory so that <code class="command">httpd</code> can execute scripts. If you do this for user home directories, it gives the Apache HTTP Server increased access to those directories. Remember that a mountpoint label applies to the entire mounted file system.
			</div></div></div><div class="para">
			Future versions of the SELinux policy address the functionality of NFS.
		</div></div><div class="section" id="sec-sel-grant-dir-access"><div class="titlepage"><div><div><h3 class="title" id="sec-sel-grant-dir-access">48.2.4. Granting Access to a Directory or a Tree</h3></div></div></div><a id="id914984" class="indexterm"></a><a id="id1103606" class="indexterm"></a><a id="id1013779" class="indexterm"></a><a id="id1093827" class="indexterm"></a><div class="para">
			Similar to standard Linux DAC permissions, a targeted daemon must have SELinux permissions to be able to descend the directory tree. This does not mean that a directory and its contents need to have the same type. There are many types, such as <code class="systemitem">root_t</code>, <code class="systemitem">tmp_t</code>, and <code class="systemitem">usr_t</code> that grant read access for a directory. These types are suitable for directories that do not contain any confidential information, and that you want to be widely readable. They could also be used for a parent directory of more secured directories with different contexts.
		</div><div class="para">
			If you are working with an <code class="computeroutput">avc: denied</code> message, there are some common problems that arise with directory traversal. For example, many programs run a command equivalent to <code class="command">ls -l /</code> that is not necessary to their operation but generates a denial message in the logs. For this you need to create a <code class="computeroutput">dontaudit</code> rule in your <code class="filename">local.te</code> file.
		</div><div class="para">
			When trying to interpret AVC denial messages, do not be misled by the <code class="computeroutput">path=/</code> component. This path is not related to the label for the root file system, <code class="filename">/</code>. It is actually relative to the root of the file system on the device node. For example, if your <code class="filename">/var/</code> directory is located on an <abbr class="abbrev">LVM</abbr> (<em class="firstterm">Logical Volume Management</em> <sup>[<a id="id999739" href="#ftn.id999739" class="footnote">22</a>]</sup>) device, <code class="filename">/dev/dm-0</code>, the device node is identified in the message as <code class="computeroutput">dev=dm-0</code>. When you see <code class="computeroutput">path=/</code> in this example, that is the top level of the LVM device <code class="filename">dm-0</code>, not necessarily the same as the root file system designation <code class="filename">/</code>.
		</div></div><div class="section" id="sec-sel-backup-restore-system"><div class="titlepage"><div><div><h3 class="title" id="sec-sel-backup-restore-system">48.2.5. Backing Up and Restoring the System</h3></div></div></div><div class="para">
			Refer to the explanation in <a class="xref" href="#sec-sel-backup-maintain-context">Section 48.1.4, “Creating Archives That Retain Security Contexts”</a>.
		</div></div><div class="section" id="sec-sel-enable-disable-enforcement"><div class="titlepage"><div><div><h3 class="title" id="sec-sel-enable-disable-enforcement">48.2.6. Enabling or Disabling Enforcement</h3></div></div></div><a id="id1086026" class="indexterm"></a><a id="id910855" class="indexterm"></a><a id="id1023477" class="indexterm"></a><a id="id1016417" class="indexterm"></a><a id="id996736" class="indexterm"></a><a id="id1056647" class="indexterm"></a><a id="id938303" class="indexterm"></a><a id="id944113" class="indexterm"></a><a id="id1110260" class="indexterm"></a><a id="id1031728" class="indexterm"></a><div class="para">
			You can enable and disable SELinux enforcement at runtime or configure it to start in the correct mode at boot time, using the command line or GUI. SELinux can operate in one of three modes: <em class="glossterm">disabled</em>, meaning not enabled in the kernel; <em class="glossterm">permissive</em>, meaning SELinux is running and logging but not controlling permissions; or <em class="glossterm">enforcing</em>, meaning SELinux is running and enforcing policy.
		</div><div class="para">
			Use the <code class="command">setenforce</code> command to change between permissive and enforcing modes at runtime. Use <code class="command">setenforce 0</code> to enter permissive mode; use <code class="command">setenforce 1</code> to enter enforcing mode.
		</div><div class="para">
			The <code class="command">sestatus</code> command displays the current mode and the mode from the configuration file referenced during boot:
		</div><pre class="screen">~]# <code class="command">sestatus | grep -i mode</code>
Current mode:           permissive
Mode from config file:  permissive</pre><div class="para">
			Note that changing the runtime enforcement does not affect the boot time configuration:
		</div><pre class="screen">~]# <code class="command">setenforce 1</code>
~]# <code class="command">sestatus | grep -i mode</code>
Current mode:           enforcing
Mode from config file:  permissive</pre><div class="para">
			You can also disable enforcing mode for a single daemon. For example, if you are trying to troubleshoot the <code class="systemitem">named</code> daemon and SELinux, you can turn off enforcing for just that daemon.
		</div><div class="para">
			Use the <code class="command">getsebool</code> command to get the current status of the boolean:
		</div><pre class="screen">~]# <code class="command">getsebool named_disable_trans</code>
named_disable_trans --&gt; off</pre><div class="para">
			Use the following command to disable enforcing mode for this daemon:
		</div><pre class="screen">~]# <code class="command">setsebool named_disable_trans 1</code>
~]# <code class="command">getsebool named_disable_trans</code>
named_disable_trans --&gt; on</pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				This sets the runtime value only. Use the <code class="option">-P</code> option to make the change persistent across reboots.
			</div><div class="para">
				Any *_disable_trans booleans that are set to "on" invoke the conditional that prevents the process from transitioning to the domain on execution.
			</div></div></div><div class="para">
			Use the following command to find which of these booleans are set:
		</div><pre class="screen">~]# <code class="command">getsebool -a | grep disable.*on</code>
httpd_disable_trans=1
mysqld_disable_trans=1
ntpd_disable_trans=1</pre><div class="para">
			You can set any number of boolean values using the <code class="command">setsebool</code> command:
		</div><pre class="screen"><code class="command">setsebool -P httpd_disable_trans=1 mysqld_disable_trans=1 ntpd_disable_trans=1</code></pre><div class="para">
			You can also use <code class="command">togglesebool <em class="replaceable"><code>&lt;boolean_name&gt;</code></em></code> to change the value of a specific boolean:
		</div><pre class="screen">~]# <code class="command">getsebool httpd_disable_trans</code>
httpd_disable_trans --&gt; off
~]# <code class="command">togglesebool httpd_disable_trans</code>
httpd_disable_trans: active</pre><div class="para">
			You can configure all of these settings using <span class="application"><strong>system-config-selinux</strong></span>. The same configuration files are used, so changes appear bidirectionally.
		</div><div class="formalpara"><h5 class="formalpara" id="id1091223">Changing a Runtime Boolean</h5>
				Use the following procedure to change a runtime boolean using the GUI.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				Administrator privileges are required to perform this procedure.
			</div></div></div><div class="procedure"><ol class="1"><li class="step"><div class="para">
					On the <span class="guimenu"><strong>System</strong></span> menu, point to <span class="guisubmenu"><strong>Administration</strong></span> and then click <span class="guimenuitem"><strong>Security Level and Firewall</strong></span> to display the Security Level Configuration dialog box.
				</div></li><li class="step"><div class="para">
					Click the <span class="guilabel"><strong>SELinux</strong></span> tab, and then click <span class="guilabel"><strong>Modify SELinux Policy</strong></span>.
				</div></li><li class="step"><div class="para">
					In the selection list, click the arrow next to the <span class="guilabel"><strong>Name Service</strong></span> entry, and select the <span class="guilabel"><strong>Disable SELinux protection for named daemon</strong></span> check box.
				</div></li><li class="step"><div class="para">
					Click <span class="guibutton"><strong>OK</strong></span> to apply the change. Note that it may take a short time for the policy to be reloaded.
				</div></li></ol></div><div class="figure" id="fig-change-runtime_bool"><div class="figure-contents"><div class="mediaobject"><img src="images/Change_Runtime_Boolean.png" alt="Using the Security Level Configuration dialog box to change a runtime boolean." /><div class="longdesc"><div class="para">
						Using the Security Level Configuration dialog box to change a runtime boolean.
					</div></div></div></div><h6>Figure 48.1. Using the Security Level Configuration dialog box to change a runtime boolean.</h6></div><br class="figure-break" /><div class="para">
			If you want to control these settings with scripts, you can use the <code class="command"> setenforce(1)</code>, <code class="command">getenforce(1)</code>, and <code class="command">selinuxenabled(1)</code> commands.
		</div></div><div class="section" id="sec-sel-enable-disable"><div class="titlepage"><div><div><h3 class="title" id="sec-sel-enable-disable">48.2.7. Enable or Disable SELinux</h3></div></div></div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
				Changes you make to files while SELinux is disabled may give them an unexpected security label, and new files will not have a label. You may need to relabel part or all of the file system after re-enabling SELinux.
			</div></div></div><div class="para">
			From the command line, you can edit the <code class="filename">/etc/sysconfig/selinux</code> file. This file is a symlink to <code class="filename">/etc/selinux/config</code>. The configuration file is self-explanatory. Changing the value of <em class="parameter"><code>SELINUX</code></em> or <em class="parameter"><code>SELINUXTYPE</code></em> changes the state of SELinux and the name of the policy to be used the next time the system boots.
		</div><pre class="screen">~]# <code class="command">cat /etc/sysconfig/selinux</code>
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0</pre><div class="formalpara"><h5 class="formalpara" id="id1128490">Changing the Mode of SELinux Using the GUI</h5>
				Use the following procedure to change the mode of SELinux using the GUI.
			</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				You need administrator privileges to perform this procedure.
			</div></div></div><div class="procedure"><ol class="1"><li class="step"><div class="para">
					On the <span class="guimenu"><strong>System</strong></span> menu, point to <span class="guisubmenu"><strong>Administration</strong></span> and then click <span class="guimenuitem"><strong>Security Level and Firewall</strong></span> to display the Security Level Configuration dialog box.
				</div></li><li class="step"><div class="para">
					Click the <span class="guilabel"><strong>SELinux</strong></span> tab.
				</div></li><li class="step"><div class="para">
					In the <span class="guilabel"><strong>SELinux Setting</strong></span> select either <code class="option">Disabled</code>, <code class="option">Enforcing</code> or <code class="option">Permissive</code>, and then click <span class="guibutton"><strong>OK</strong></span>.
				</div></li><li class="step"><div class="para">
					If you changed from <code class="option">Enabled</code> to <code class="option">Disabled</code> or vice versa, you need to restart the machine for the change to take effect.
				</div></li></ol></div><div class="para">
			Changes made using this dialog box are immediately reflected in <code class="filename">/etc/sysconfig/selinux</code>.
		</div></div><div class="section" id="sec-sel-policy-changing"><div class="titlepage"><div><div><h3 class="title" id="sec-sel-policy-changing">48.2.8. Changing the Policy</h3></div></div></div><a id="id1081384" class="indexterm"></a><a id="id1099941" class="indexterm"></a><a id="id1012056" class="indexterm"></a><a id="id938317" class="indexterm"></a><div class="para">
			This section provides a brief introduction to using customized policies on your system. A full discussion of this topic is beyond the scope of this document.
		</div><div class="para">
			To load a different policy on your system, change the following line in <code class="filename">/etc/sysconfig/selinux</code>:
		</div><pre class="screen">SELINUXTYPE=<em class="replaceable"><code>&lt;policyname&gt;</code></em></pre><div class="para">
			where <em class="replaceable"><code>&lt;policyname&gt;</code></em> is the policy name directory under <code class="filename">/etc/selinux/</code>. This assumes that you have the custom policy installed. After changing the <em class="parameter"><code>SELINUXTYPE</code></em> parameter, run the following commands:
		</div><pre class="screen"><code class="command">touch /.autorelabel</code>
<code class="command">reboot</code></pre><div class="para">
			Use the following procedure to load a different policy using the <span class="application"><strong>system-config-selinux</strong></span> utility:
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				You need administrator privileges to perform this procedure.
			</div></div></div><div class="procedure"><ol class="1"><li class="step"><div class="para">
					Ensure that the complete directory structure for the required policy exists under <code class="filename">/etc/selinux</code>.
				</div></li><li class="step"><div class="para">
					On the <span class="guimenu"><strong>System</strong></span> menu, point to <span class="guisubmenu"><strong>Administration</strong></span> and then click <span class="guimenuitem"><strong>Security Level and Firewall</strong></span> to display the Security Level Configuration dialog box.
				</div></li><li class="step"><div class="para">
					Click the <span class="guilabel"><strong>SELinux</strong></span> tab.
				</div></li><li class="step"><div class="para">
					In the <span class="guilabel"><strong>Policy Type</strong></span> list, select the policy that you want to load, and then click <span class="guibutton"><strong>OK</strong></span>. This list is only visible if more than one policy is installed.
				</div></li><li class="step"><div class="para">
					Restart the machine for the change to take effect.
				</div></li></ol></div><div class="figure" id="fig-load-new-policy"><div class="figure-contents"><div class="mediaobject"><img src="images/Load_New_Policy.png" alt="Using the Security Level Configuration dialog box to load a custom policy." /><div class="longdesc"><div class="para">
						Using the Security Level Configuration dialog box to load a custom policy.
					</div></div></div></div><h6>Figure 48.2. Using the Security Level Configuration dialog box to load a custom policy.</h6></div><br class="figure-break" /></div><div class="section" id="rhlcommon-section-0097"><div class="titlepage"><div><div><h3 class="title" id="rhlcommon-section-0097">48.2.9. Specifying the Security Context of Entire File Systems</h3></div></div></div><a id="id1109569" class="indexterm"></a><a id="id963579" class="indexterm"></a><a id="id1056868" class="indexterm"></a><a id="id917503" class="indexterm"></a><a id="id917516" class="indexterm"></a><a id="id1130502" class="indexterm"></a><a id="id900423" class="indexterm"></a><div class="para">
			You can use the <code class="command">mount -o context=</code> command to set a single context for an entire file system. This might be a file system that is already mounted and that supports xattrs, or a network file system that obtains a genfs label such as <code class="systemitem">cifs_t</code> or <code class="systemitem">nfs_t</code>.
		</div><div class="para">
			For example, if you need the Apache HTTP Server to read from a mounted directory or loopback file system, you need to set the type to <code class="computeroutput">httpd_sys_content_t</code>:
		</div><pre class="screen"><code class="command">mount -t nfs -o context=system_u:object_r:httpd_sys_content_t \</code>
	<code class="command">server1.example.com:/shared/scripts /var/www/cgi</code></pre><div class="note"><div class="admonition_header"><h2>Tip</h2></div><div class="admonition"><div class="para">
				When troubleshooting <code class="command">httpd</code> and SELinux problems, reduce the complexity of your situation. For example, if you have the file system mounted at <code class="filename">/mnt</code> and then symbolically linked to <code class="filename">/var/www/html/foo</code>, you have two security contexts to be concerned with. Because one security context is of the object class <span class="property">file</span> and the other of type <span class="property">lnk_file</span>, they are treated differently by the policy and unexpected behavior may occur.
			</div></div></div></div><div class="section" id="sec-sel-category-changing"><div class="titlepage"><div><div><h3 class="title" id="sec-sel-category-changing">48.2.10. Changing the Security Category of a File or User</h3></div></div></div><a id="id1021839" class="indexterm"></a><a id="id1021852" class="indexterm"></a><a id="id1102207" class="indexterm"></a><div class="para">
			Refer to <a class="xref" href="#sec-mcs-assign-cat2files">Section 47.5.5, “Assigning Categories to Files”</a> and <a class="xref" href="#sec-mcs-assign-cat2users">Section 47.5.4, “Assigning Categories to Users”</a> for information about adding and changing the security categories of files and users.
		</div></div><div class="section" id="rhlcommon-section-0085"><div class="titlepage"><div><div><h3 class="title" id="rhlcommon-section-0085">48.2.11. Running a Command in a Specific Security Context</h3></div></div></div><a id="id1016535" class="indexterm"></a><a id="id1096929" class="indexterm"></a><a id="id1082647" class="indexterm"></a><div class="para">
			You can use the <code class="command">runcon</code> command to run a command in a specific context. This is useful for scripting or for testing policy, but care should be taken to ensure that it is implemented correctly.
		</div><div class="para">
			For example, you could use the following command to run a script to test for mislabeled content. The arguments that appear after the command are considered to be part of the command. (In this example, <code class="filename">~/bin/contexttest</code> is a user-defined script.)
		</div><pre class="screen"><code class="command">runcon -t httpd_t ~/bin/contexttest -ARG1 -ARG2</code></pre><div class="para">
			You can also specify the entire context, as follows:
		</div><pre class="screen"><code class="command">runcon user_u:system_r:httpd_t ~/bin/contexttest</code></pre></div><div class="section" id="rhlcommon-section-0086"><div class="titlepage"><div><div><h3 class="title" id="rhlcommon-section-0086">48.2.12. Useful Commands for Scripts</h3></div></div></div><a id="id998884" class="indexterm"></a><a id="id1112595" class="indexterm"></a><div class="para">
			The following is a list of useful commands introduced with SELinux, and which you may find useful when writing scripts to help administer your system:
		</div><div class="variablelist"><dl><dt class="varlistentry"><span class="term"><code class="command">getenforce</code></span></dt><dd><div class="para">
						This command returns the enforcing status of SELinux.
					</div></dd><dt class="varlistentry"><span class="term"><code class="command">setenforce [ <em class="replaceable"><code>Enforcing</code></em> | <em class="replaceable"><code>Permissive</code></em> | <em class="replaceable"><code>1</code></em> | <em class="replaceable"><code>0</code></em> ]</code></span></dt><dd><div class="para">
						This command controls the enforcing mode of SELinux. The option <code class="option">1</code> or <code class="option">Enforcing</code> tells SELinux to enter enforcing mode. The option <code class="option">0</code> or <code class="option">Permissive</code> tells SELinux to enter passive mode. Access violations are still logged, but not prevented.
					</div></dd><dt class="varlistentry"><span class="term"><code class="command">selinuxenabled</code></span></dt><dd><div class="para">
						This command exits with a status of <code class="computeroutput">0</code> if SELinux is enabled, and <code class="computeroutput">1</code> if SELinux is disabled.
					</div><pre class="screen">~]# <code class="command">selinuxenabled</code>
~]# <code class="command">echo $?</code>
0</pre></dd><dt class="varlistentry"><span class="term"><code class="command">getsebool [-a] [<em class="replaceable"><code>boolean_name</code></em>]</code></span></dt><dd><div class="para">
						This command shows the status of all booleans (<code class="option">-a</code>) or a specific boolean (<code class="option">&lt;boolean_name&gt;</code>).
					</div></dd><dt class="varlistentry"><span class="term"><code class="command">setsebool [-P] &lt;boolean_name&gt; value | bool1=val1 bool2=val2 ...</code></span></dt><dd><div class="para">
						This command sets one or more boolean values. The <code class="option">-P</code> option makes the changes persistent across reboots.
					</div></dd><dt class="varlistentry"><span class="term"><code class="command">togglesebool boolean ...</code></span></dt><dd><div class="para">
						This command toggles the setting of one or more booleans. This effects boolean settings in memory only; changes are not persistent across reboots.
					</div></dd></dl></div></div><div class="section" id="rhlcommon-section-0087"><div class="titlepage"><div><div><h3 class="title" id="rhlcommon-section-0087">48.2.13. Changing to a Different Role</h3></div></div></div><a id="id938564" class="indexterm"></a><a id="id1103290" class="indexterm"></a><a id="id1079499" class="indexterm"></a><a id="id1079512" class="indexterm"></a><a id="id942048" class="indexterm"></a><div class="para">
			You use the <code class="command">newrole</code> command to run a new shell with the specified type and/or role. Changing roles is typically only meaningful in the strict policy; the targeted policy is generally restricted to a single role. Changing types may be useful for testing, validation, and development purposes.
		</div><pre class="screen"><code class="command">newrole -r <em class="replaceable"><code>&lt;role_r&gt;</code></em> -t <em class="replaceable"><code>&lt;type_t&gt;</code></em> [-- [ARGS]...]</code></pre><div class="para">
			The <code class="option">ARGS</code> are passed directly to the shell specified in the user's entry in the <code class="filename">/etc/passwd</code> file.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				The <code class="command">newrole</code> command is part of the <code class="filename">policycoreutils-newrole</code> package, which is required if you install the strict or MLS policy. It is not installed by default in Red Hat Enterprise Linux.
			</div></div></div></div><div class="section" id="rhlcommon-section-0088"><div class="titlepage"><div><div><h3 class="title" id="rhlcommon-section-0088">48.2.14. When to Reboot</h3></div></div></div><a id="id986876" class="indexterm"></a><a id="id1119120" class="indexterm"></a><a id="id1119135" class="indexterm"></a><div class="para">
			The primary reason for rebooting the system from an SELinux perspective is to completely relabel the file system. On occasion you might need to reboot the system to enable or disable SELinux.
		</div></div></div><div xml:lang="en-US" class="section" id="sec-sel-analystcontrol" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="sec-sel-analystcontrol">48.3. Analyst Control of SELinux</h2></div></div></div><div class="para">
		This section describes some common tasks that a security analyst might need to perform on an SELinux system.
	</div><div class="section" id="rhlcommon-section-0081"><div class="titlepage"><div><div><h3 class="title" id="rhlcommon-section-0081">48.3.1. Enabling Kernel Auditing</h3></div></div></div><a id="id1012788" class="indexterm"></a><a id="id1109610" class="indexterm"></a><a id="id1097537" class="indexterm"></a><a id="id996510" class="indexterm"></a><a id="id996524" class="indexterm"></a><div class="para">
			As part of an SELinux analysis or troubleshooting exercise, you might choose to enable complete kernel-level auditing. This can be quite verbose, because it generates one or more additional audit messages for each AVC audit message. To enable this level of auditing, append the <em class="parameter"><code>audit=1</code></em> parameter to your kernel boot line, either in the <code class="filename">/etc/grub.conf</code> file or on the GRUB menu at boot time.
		</div><div class="para">
			This is an example of a full audit log entry when <code class="command">httpd</code> is denied access to <code class="filename">~/public_html</code> because the directory is not labeled as Web content. Notice that the time and serial number stamps in the audit(...) field are identical in each case. This makes it easier to track a specific event in the audit logs:
		</div><pre class="screen">Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \
	avc:  denied  { getattr } for  pid=2239 exe=/usr/sbin/httpd \
	path=/home/auser/public_html dev=hdb2 ino=921135 \
	scontext=user_u:system_r:httpd_t \
	tcontext=system_u:object_r:user_home_t tclass=dir</pre><div class="para">
			The following audit message tells more about the source, including the kind of system call involved, showing that httpd tried to stat the directory:
		</div><pre class="screen">Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \
	syscall=195 exit=4294967283 a0=9ef88e0 a1=bfecc0d4 a2=a97ff4 \
	a3=bfecc0d4 items=1 pid=2239 loginuid=-1 uid=48 gid=48 euid=48 \
	suid=48 fsuid=48 egid=48 sgid=48 fsgid=48</pre><div class="para">
			The following message provides more information about the target:
		</div><pre class="screen">Jan 15 08:03:56 hostname kernel: audit(1105805036.075:2392892): \
	item=0 name=/home/auser/public_html inode=921135 dev=00:00</pre><div class="para">
			The serial number stamp is always identical for a particular audited event. The time stamp may or may not be identical.
		</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
				If you are using an audit daemon for troubleshooting, the daemon may capture audit messages into a location other than <code class="filename">/var/log/messages</code>, such as <code class="filename">/var/log/audit/audit.log</code>.
			</div></div></div></div><div class="section" id="rhlcommon-section-0092"><div class="titlepage"><div><div><h3 class="title" id="rhlcommon-section-0092">48.3.2. Dumping and Viewing Logs</h3></div></div></div><a id="id946820" class="indexterm"></a><a id="id946834" class="indexterm"></a><a id="id1000105" class="indexterm"></a><a id="id895080" class="indexterm"></a><div class="para">
			The Red Hat Enterprise Linux 5 implementation of SELinux routes AVC audit messages to <code class="filename">/var/log/messages</code>. You can use any of the standard search utilities (for example, <code class="command">grep</code>), to search for lines containing <code class="computeroutput">avc</code> or <code class="computeroutput">audit</code>.
		</div></div></div><div class="footnotes"><br /><hr width="100" align="left" /><div class="footnote"><div class="para"><sup>[<a id="ftn.id999739" href="#id999739" class="para">22</a>] </sup>
				LVM is the grouping of physical storage into virtual pools that are partitioned into logical volumes.
			</div></div></div></div><div xml:lang="en-US" class="chapter" id="sec-sel-policy-customizing" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 49. Customizing SELinux Policy</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sec-sel-policy-customizing-intro">49.1. Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-sel-policy-customizing-modpolicy">49.1.1. Modular Policy</a></span></dt></dl></dd><dt><span class="section"><a href="#sec-sel-building-policy-module">49.2. Building a Local Policy Module</a></span></dt><dd><dl><dt><span class="section"><a href="#sec-sel-use-audit2allow">49.2.1. Using audit2allow to Build a Local Policy Module</a></span></dt><dt><span class="section"><a href="#sec-sel-analyze-te">49.2.2. Analyzing the Type Enforcement (TE) File</a></span></dt><dt><span class="section"><a href="#sec-sel-load-policy-package">49.2.3. Loading the Policy Package</a></span></dt></dl></dd></dl></div><div class="section" id="sec-sel-policy-customizing-intro"><div class="titlepage"><div><div><h2 class="title" id="sec-sel-policy-customizing-intro">49.1. Introduction</h2></div></div></div><div class="para">
			In earlier releases of Red Hat Enterprise Linux it was necessary to install the <code class="filename">selinux-policy-targeted-sources</code> packages and then to create a <code class="filename">local.te</code> file in the <code class="filename">/etc/selinux/targeted/src/policy/domains/misc</code> directory. You could use the <code class="command">audit2allow</code> utility to translate the AVC messages into allow rules, and then rebuild and reload the policy.
		</div><div class="para">
			The problem with this was that every time a new policy package was released it would have to execute the Makefile in order to try to keep the local policy.
		</div><div class="para">
			In Red Hat Enterprise Linux 5, this process has been completely revised. The "sources" rpm packages have been completely removed, and policy packages are treated more like the kernel. To look at the sources used to build the policy, you need to install the source rpm, <code class="filename">selinux-policy-XYZ.src.rpm</code>. A further package, <code class="filename">selinux-policy-devel</code>, has also been added, which provides further customization functionality.
		</div><div class="section" id="sec-sel-policy-customizing-modpolicy"><div class="titlepage"><div><div><h3 class="title" id="sec-sel-policy-customizing-modpolicy">49.1.1. Modular Policy</h3></div></div></div><div class="para">
				Red Hat Enterprise Linux introduces the concept of <em class="firstterm">modular policy</em>. This allows vendors to ship SELinux policy separately from the operating system policy. It also allows administrators to make local changes to policy without worrying about the next policy install. The most important command that was added was <code class="command">semodule</code>.
			</div><div class="para">
				<code class="command">semodule</code> is the tool used to manage SELinux policy modules, including installing, upgrading, listing and removing modules. You can also use <code class="command">semodule</code> to force a rebuild of policy from the module store and/or to force a reload of policy without performing any other transaction. <code class="command">semodule</code> acts on module packages created by <code class="command">semodule_package</code>. Conventionally, these files have a .pp suffix (policy package), although this is not mandated in any way.
			</div><div class="section" id="sec-sel-list-policy-modules"><div class="titlepage"><div><div><h4 class="title" id="sec-sel-list-policy-modules">49.1.1.1. Listing Policy Modules</h4></div></div></div><div class="para">
					To list the policy modules on a system, use the <code class="command">semodule -l</code> command:
				</div><pre class="screen">~]# <code class="command">semodule -l</code>
amavis  1.1.0
ccs     1.0.0
clamav  1.1.0
dcc     1.1.0
evolution       1.1.0
iscsid  1.0.0
mozilla 1.1.0
mplayer 1.1.0
nagios  1.1.0
oddjob  1.0.1
pcscd   1.0.0
pyzor   1.1.0
razor   1.1.0
ricci   1.0.0
smartmon        1.1.0</pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
						This command does not list the base policy module, which is also installed.
					</div><div class="para">
						The <code class="filename">/usr/share/selinux/targeted/</code> directory contains a number of policy package (*.pp) files. These files are included in the <code class="filename">selinux-policy</code> rpm and are used to build the policy file.
					</div></div></div></div></div></div><div class="section" id="sec-sel-building-policy-module"><div class="titlepage"><div><div><h2 class="title" id="sec-sel-building-policy-module">49.2. Building a Local Policy Module</h2></div></div></div><div class="para">
			The following section uses an actual example to demonstrate building a local policy module to address an issue with the current policy. This issue involves the <code class="command">ypbind init</code> script, which executes the <code class="command">setsebool</code> command, which in turn tries to use the terminal. This is generating the following denial:
		</div><pre class="screen">type=AVC msg=audit(1164222416.269:22): avc:  denied  { use } for  pid=1940 comm="setsebool" name="0" dev=devpts ino=2 \
	scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=fd</pre><div class="para">
			Even though everything still works correctly (that is, it is not preventing any applications form running as intended), it does interrupt the normal work flow of the user. Creating a local policy module addresses this issue.
		</div><div class="section" id="sec-sel-use-audit2allow"><div class="titlepage"><div><div><h3 class="title" id="sec-sel-use-audit2allow">49.2.1. Using audit2allow to Build a Local Policy Module</h3></div></div></div><div class="para">
				The <code class="command">audit2allow</code> utility now has the ability to build policy modules. Use the following command to build a policy module based on specific contents of the <code class="filename">audit.log</code> file:
			</div><div class="para">
				<code class="command"> ausearch -m AVC --comm setsebool | audit2allow -M mysemanage</code>
			</div><div class="para">
				The <code class="command">audit2allow</code> utility has built a type enforcement file (<code class="filename">mysemanage.te</code>). It then executed the <code class="command">checkmodule</code> command to compile a module file (<code class="filename">mysemanage.mod</code>). Lastly, it uses the <code class="command">semodule_package</code> command to create a policy package (<code class="filename">mysemanage.pp</code>). The <code class="command">semodule_package</code> command combines different policy files (usually just the module and potentially a file context file) into a policy package.
			</div></div><div class="section" id="sec-sel-analyze-te"><div class="titlepage"><div><div><h3 class="title" id="sec-sel-analyze-te">49.2.2. Analyzing the Type Enforcement (TE) File</h3></div></div></div><div class="para">
				Use the <code class="command">cat</code> command to inspect the contents of the TE file:
			</div><pre class="screen">~]# <code class="command">cat mysemanag.te</code>
module mysemanage 1.0;

require {
	class fd use;
	type init_t;
	type semanage_t;
	role system_r;
};

allow semanage_t init_t:fd use;</pre><div class="para">
				The TE file is comprised of three sections. The first section is the <code class="command">module</code> command, which identifies the module name and version. The module name must be unique. If you create an <code class="command">semanage</code> module using the name of a pre-existing module, the system would try to replace the existing module package with the newly-created version. The last part of the module line is the version. <code class="command">semodule</code> can update module packages and checks the update version against the currently installed version.
			</div><div class="para">
				The next block of the TE file is the <code class="command">require</code> block. This informs the policy loader which types, classes and roles are required in the system policy before this module can be installed. If any of these fields are undefined, the <code class="command">semodule</code> command will fail.
			</div><div class="para">
				Lastly are the allow rules. In this example, you could modify this line to <code class="option">dontaudit</code>, because <code class="command">semodule</code> does not need to access the file descriptor.
			</div></div><div class="section" id="sec-sel-load-policy-package"><div class="titlepage"><div><div><h3 class="title" id="sec-sel-load-policy-package">49.2.3. Loading the Policy Package</h3></div></div></div><div class="para">
				The last step in the process of creating a local policy module is to load the policy package into the kernel.
			</div><div class="para">
				Use the <code class="command">semodule</code> command to load the policy package:
			</div><pre class="screen">~]# <code class="command">semodule -i mysemanage.pp</code></pre><div class="para">
				This command recompiles the policy file and regenerates the file context file. The changes are permanent and will survive a reboot. You can also copy the policy package file (<code class="filename">mysemanage.pp</code>) to other machines and install it using <code class="command">semodule</code>.
			</div><div class="para">
				The <code class="command">audit2allow</code> command outputs the commands it executed to create the policy package so that you can edit the TE file. This means you can add new rules as required or change the <code class="option">allow</code> rule to <code class="option">dontaudit</code>. You could then recompile and repackage the policy package to be installed again.
			</div><div class="para">
				There is no limit to the number of policy packages, so you could create one for each local modification you want to make. Alternatively, you could continue to edit a single package, but you need to ensure that the "require" statements match all of the allow rules.
			</div></div></div></div><div xml:lang="en-US" class="chapter" id="selg-chapter-0054" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 50. References</h2></div></div></div><a id="id1046378" class="indexterm"></a><a id="id1041564" class="indexterm"></a><a id="id829316" class="indexterm"></a><a id="id859823" class="indexterm"></a><a id="id862660" class="indexterm"></a><a id="id852551" class="indexterm"></a><a id="id1039280" class="indexterm"></a><a id="id952614" class="indexterm"></a><a id="id871493" class="indexterm"></a><a id="id834659" class="indexterm"></a><a id="id836167" class="indexterm"></a><div class="para">
		The following references are pointers to additional information that is relevant to SELinux and Red Hat Enterprise Linux but beyond the scope of this guide. Note that due to the rapid development of SELinux, some of this material may only apply to specific releases of Red Hat Enterprise Linux.
	</div><div class="variablelist"><h6>Books</h6><dl><dt class="varlistentry"><span class="term">SELinux by Example</span></dt><dd><div class="para">
					Mayer, MacMillan, and Caplan
				</div><div class="para">
					Prentice Hall, 2007
				</div></dd></dl></div><div class="variablelist"><h6>Tutorials and Help</h6><dl><dt class="varlistentry"><span class="term">Understanding and Customizing the Apache HTTP SELinux Policy</span></dt><dd><div class="para">
					<a href="http://docs.fedoraproject.org/selinux-apache-fc3/">http://docs.fedoraproject.org/selinux-apache-fc3/</a>
				</div></dd><dt class="varlistentry"><span class="term">Tutorials and talks from Russell Coker</span></dt><dd><div class="para">
					<a href="http://www.coker.com.au/selinux/talks/ibmtu-2004/">http://www.coker.com.au/selinux/talks/ibmtu-2004/</a>
				</div></dd><dt class="varlistentry"><span class="term">Generic Writing SELinux policy HOWTO</span></dt><dd><div class="para">
					<a href="https://sourceforge.net/docman/display_doc.php?docid=21959[amp   ]group_id=21266">https://sourceforge.net/docman/display_doc.php?docid=21959[amp ]group_id=21266</a>
				</div></dd><dt class="varlistentry"><span class="term">Red Hat Knowledgebase</span></dt><dd><div class="para">
					<a href="http://kbase.redhat.com/">http://kbase.redhat.com/</a>
				</div></dd></dl></div><div class="variablelist"><h6>General Information</h6><dl><dt class="varlistentry"><span class="term">NSA SELinux main website</span></dt><dd><div class="para">
					<a href="http://www.nsa.gov/research/selinux/index.shtml">http://www.nsa.gov/research/selinux/index.shtml</a>
				</div></dd><dt class="varlistentry"><span class="term">NSA SELinux FAQ</span></dt><dd><div class="para">
					<a href="http://www.nsa.gov/research/selinux/faqs.shtml">http://www.nsa.gov/research/selinux/faqs.shtml</a>
				</div></dd><dt class="varlistentry"><span class="term">Fedora SELinux FAQ </span></dt><dd><div class="para">
					<a href="http://docs.fedoraproject.org/selinux-faq/">http://docs.fedoraproject.org/selinux-faq/</a>
				</div></dd><dt class="varlistentry"><span class="term">SELinux NSA's Open Source Security Enhanced Linux</span></dt><dd><div class="para">
					<a href="http://www.oreilly.com/catalog/selinux/">http://www.oreilly.com/catalog/selinux/</a>
				</div></dd></dl></div><div class="variablelist"><h6>Technology</h6><dl><dt class="varlistentry"><span class="term">An Overview of Object Classes and Permissions</span></dt><dd><div class="para">
					<a href="http://www.tresys.com/selinux/obj_perms_help.html">http://www.tresys.com/selinux/obj_perms_help.html</a>
				</div></dd><dt class="varlistentry"><span class="term">Integrating Flexible Support for Security Policies into the Linux Operating System (a history of Flask implementation in Linux)</span></dt><dd><div class="para">
					<a href="http://www.nsa.gov/research/_files/selinux/papers/freenix01/freenix01.shtml">http://www.nsa.gov/research/_files/selinux/papers/freenix01/freenix01.shtml</a>
				</div></dd><dt class="varlistentry"><span class="term">Implementing SELinux as a Linux Security Module</span></dt><dd><div class="para">
					<a href="http://www.nsa.gov/research/selinux/index.shtmlpapers/module-abs.cfm">http://www.nsa.gov/research/selinux/index.shtmlpapers/module-abs.cfm</a>
				</div></dd><dt class="varlistentry"><span class="term">A Security Policy Configuration for the Security-Enhanced Linux</span></dt><dd><div class="para">
					<a href="http://www.nsa.gov/research/_files/selinux/papers/policy/policy.shtml">http://www.nsa.gov/research/_files/selinux/papers/policy/policy.shtml</a>
				</div></dd></dl></div><div class="variablelist"><h6>Community</h6><dl><dt class="varlistentry"><span class="term">SELinux community page</span></dt><dd><div class="para">
					<a href="http://selinux.sourceforge.net">http://selinux.sourceforge.net</a>
				</div></dd><dt class="varlistentry"><span class="term">IRC</span></dt><dd><div class="para">
					irc.freenode.net, #rhel-selinux
				</div></dd></dl></div><div class="variablelist"><h6>History</h6><dl><dt class="varlistentry"><span class="term">Quick history of Flask</span></dt><dd><div class="para">
					<a href="http://www.cs.utah.edu/flux/fluke/html/flask.html">http://www.cs.utah.edu/flux/fluke/html/flask.html</a>
				</div></dd><dt class="varlistentry"><span class="term">Full background on Fluke</span></dt><dd><div class="para">
					<a href="http://www.cs.utah.edu/flux/fluke/html/index.html">http://www.cs.utah.edu/flux/fluke/html/index.html</a>
				</div></dd></dl></div></div></div><div class="part" id="pt-gls"><div class="titlepage"><div><div><h1 class="title">Part VIII. Red Hat Training And Certification</h1></div></div></div><div class="partintro" id="id636869"><div></div><div class="para">
				Red Hat courses and certifications are indisputably regarded as the best in Linux, and perhaps in all of IT. Taught entirely by experienced Red Hat experts, our certification programs measure competency on actual live systems and are in great demand by employers and IT professionals alike.
			</div><div class="para">
				Choosing the right certification depends on your background and goals. Whether you have advanced, minimal, or no UNIX or Linux experience whatsoever, Red Hat Training has a training and certification path that is right for you.
			</div><div class="toc"><p><strong>Table of Contents</strong></p><dl><dt><span class="chapter"><a href="#id787954">51. Red Hat Training and Certification </a></span></dt><dd><dl><dt><span class="section"><a href="#id829426">51.1. Three Ways to Train</a></span></dt><dt><span class="section"><a href="#id816702">51.2. Microsoft Certified Professional Resource Center</a></span></dt></dl></dd><dt><span class="chapter"><a href="#id1067658">52. Certification Tracks</a></span></dt><dd><dl><dt><span class="section"><a href="#id852515">52.1. Free Pre-assessment tests</a></span></dt></dl></dd><dt><span class="chapter"><a href="#id873232">53. RH033: Red Hat Linux Essentials</a></span></dt><dd><dl><dt><span class="section"><a href="#id894216">53.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id1066595">53.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id916642">53.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id782363">53.1.3. Audience</a></span></dt><dt><span class="section"><a href="#id873716">53.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id968261">53.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id966775">54. RH035: Red Hat Linux Essentials for Windows Professionals</a></span></dt><dd><dl><dt><span class="section"><a href="#id853968">54.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id830873">54.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id916407">54.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id829991">54.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id1044349">54.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id841235">54.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id836058">55. RH133: Red Hat Linux System Administration and Red Hat Certified Technician (RHCT) Certification</a></span></dt><dd><dl><dt><span class="section"><a href="#id1064663">55.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id811050">55.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id955399">55.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id873123">55.1.3. Audience</a></span></dt><dt><span class="section"><a href="#id1067874">55.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id961892">55.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id841891">56. RH202 RHCT EXAM - The fastest growing credential in all of Linux.</a></span></dt><dd><dl><dt><span class="section"><a href="#id965127">56.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id869970">56.1.1. Prerequisites</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id915595">57. RH253 Red Hat Linux Networking and Security Administration</a></span></dt><dd><dl><dt><span class="section"><a href="#id856575">57.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id1064675">57.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id859622">57.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id1058119">57.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id790844">57.1.4. Course Objectives </a></span></dt><dt><span class="section"><a href="#id857548">57.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id1067872">58. RH300: RHCE Rapid track course (and RHCE exam)</a></span></dt><dd><dl><dt><span class="section"><a href="#id687329">58.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id780615">58.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id833974">58.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id870452">58.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id919739">58.1.4. Course Objectives </a></span></dt><dt><span class="section"><a href="#id830416">58.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id1034514">59. RH302 RHCE EXAM</a></span></dt><dd><dl><dt><span class="section"><a href="#id1066495">59.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id1087875">59.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id924044">59.1.2. Content</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id1067544">60. RHS333: RED HAT enterprise security: network services</a></span></dt><dd><dl><dt><span class="section"><a href="#id995562">60.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id873332">60.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id830926">60.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id996965">60.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id836336">60.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id924669">60.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id833533">61. RH401: Red Hat Enterprise Deployment and systems management</a></span></dt><dd><dl><dt><span class="section"><a href="#id855602">61.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id1065422">61.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id836477">61.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id818644">61.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id833516">61.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id1045390">61.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id1071718">62. RH423: Red Hat Enterprise Directory services and authentication</a></span></dt><dd><dl><dt><span class="section"><a href="#id815015">62.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id1044193">62.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id687317">62.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id772131">62.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id856919">62.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id955600">62.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id916926">63. SELinux Courses</a></span></dt><dd><dl><dt><span class="section"><a href="#id1042457">63.1. RHS427: Introduction to SELinux and Red Hat Targeted Policy</a></span></dt><dd><dl><dt><span class="section"><a href="#id1067175">63.1.1. Audience</a></span></dt><dt><span class="section"><a href="#id1063752">63.1.2. Course Summary</a></span></dt></dl></dd><dt><span class="section"><a href="#id858295">63.2. RHS429: Red Hat Enterprise SELinux Policy Administration </a></span></dt></dl></dd><dt><span class="chapter"><a href="#id872701">64. RH436: Red Hat Enterprise storage management</a></span></dt><dd><dl><dt><span class="section"><a href="#id921578">64.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id858471">64.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id815123">64.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id871065">64.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id1042930">64.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id939435">64.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id774488">65. RH442: Red Hat Enterprise system monitoring and performance tuning</a></span></dt><dd><dl><dt><span class="section"><a href="#id871946">65.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id815672">65.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id1046122">65.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id784224">65.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id1041965">65.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id986688">65.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#id1066813">66. Red Hat Enterprise Linux Developer Courses</a></span></dt><dd><dl><dt><span class="section"><a href="#id915816">66.1. RHD143: Red Hat Linux Programming Essentials </a></span></dt><dt><span class="section"><a href="#id920609">66.2. RHD221 Red Hat Linux Device Drivers </a></span></dt><dt><span class="section"><a href="#id1045737">66.3. RHD236 Red Hat Linux Kernel Internals </a></span></dt><dt><span class="section"><a href="#id920037">66.4. RHD256 Red Hat Linux Application Development and Porting</a></span></dt></dl></dd><dt><span class="chapter"><a href="#id1024463">67. JBoss Courses</a></span></dt><dd><dl><dt><span class="section"><a href="#id841812">67.1. RHD161 JBoss and EJB3 for Java</a></span></dt><dd><dl><dt><span class="section"><a href="#id775487">67.1.1. Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="#id836245">67.2. RHD163 JBoss for Web Developers </a></span></dt><dd><dl><dt><span class="section"><a href="#id856763">67.2.1. Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="#id1101252">67.3. RHD167: JBOSS - HIBERNATE ESSENTIALS</a></span></dt><dd><dl><dt><span class="section"><a href="#id1101267">67.3.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id833142">67.3.2. Course Summary</a></span></dt></dl></dd><dt><span class="section"><a href="#id1014256">67.4. RHD267: JBOSS - ADVANCED HIBERNATE</a></span></dt><dd><dl><dt><span class="section"><a href="#id1014280">67.4.1. Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="#id967506">67.5. RHD261:JBOSS for advanced J2EE developers</a></span></dt><dd><dl><dt><span class="section"><a href="#id887211">67.5.1. Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="#id1082436">67.6. RH336: JBOSS for Administrators</a></span></dt><dd><dl><dt><span class="section"><a href="#id1018796">67.6.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id987009">67.6.2. Course Summary</a></span></dt></dl></dd><dt><span class="section"><a href="#id1014310">67.7. RHD439: JBoss Clustering</a></span></dt><dd><dl><dt><span class="section"><a href="#id948015">67.7.1. Prerequisites </a></span></dt></dl></dd><dt><span class="section"><a href="#id1058335">67.8. RHD449: JBoss jBPM </a></span></dt><dd><dl><dt><span class="section"><a href="#id1010139">67.8.1. Description </a></span></dt><dt><span class="section"><a href="#id1079022">67.8.2. Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="#id1009430">67.9. RHD451 JBoss Rules</a></span></dt><dd><dl><dt><span class="section"><a href="#id1085588">67.9.1. Prerequisites</a></span></dt></dl></dd></dl></dd></dl></div></div><div xml:lang="en-US" class="chapter" id="id787954" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 51. Red Hat Training and Certification </h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#id829426">51.1. Three Ways to Train</a></span></dt><dt><span class="section"><a href="#id816702">51.2. Microsoft Certified Professional Resource Center</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id829426">51.1. Three Ways to Train</h2></div></div></div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">Open Enrollment</span></dt><dd><div class="para">
						Open enrollment courses are offered continually in 50+ locations across North America and 125+ locations worldwide. Red Hat courses are performance—based—students have access to at least one dedicated system, and in some courses, as many as five. Instructors are all experienced Red Hat Certified Engineers (RHCEs) who are intimately familiar with course curriculum.
					</div><div class="para">
						Course schedules are available at <a href="http://www.redhat.com/explore/training">http://www.redhat.com/explore/training</a>
					</div></dd><dt class="varlistentry"><span class="term">Onsite Training</span></dt><dd><div class="para">
						Onsite training is delivered by Red Hat at your facility for teams of 12 to 16 people per class. Red Hat's technical staff will assist your technical staff prior to arrival to ensure the training venue is prepared to run Red Hat Enterprise Linux, Red Hat or JBoss courses, and/or Red Hat certification exams. Onsites are a great way to train large groups at once. Open enrollment can be leveraged later for incremental training.
					</div><div class="para">
						For more information, visit <a href="http://www.redhat.com/explore/onsite">http://www.redhat.com/explore/onsite</a>
					</div></dd><dt class="varlistentry"><span class="term">eLearning</span></dt><dd><div class="para">
						Fully updated for Red Hat Enterprise Linux 4! No time for class? Red Hat's e—Learning titles are delivered online and cover RHCT and RHCE track skills. Our growing catalog also includes courses on the latest programming languages, scripting and ecommerce.
					</div><div class="para">
						For course listings visit <a href="http://www.redhat.com/explore/elearning">http://www.redhat.com/explore/elearning</a>
					</div></dd></dl></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id816702">51.2. Microsoft Certified Professional Resource Center</h2></div></div></div><div class="para">
			Tailored info and offers for Microsoft® Certified Professionals looking to add a Red Hat certification to their personal portfolio.
		</div><div class="para">
			Check it out today: <a href="http://www.redhat.com/explore/manager">http://www.redhat.com/explore/manager</a>
		</div></div></div><div xml:lang="en-US" class="chapter" id="id1067658" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 52. Certification Tracks</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#id852515">52.1. Free Pre-assessment tests</a></span></dt></dl></div><div class="variablelist"><dl><dt class="varlistentry"><span class="term">Red Hat Certified Technician® (RHCT®)</span></dt><dd><div class="para">
					Now entering its third year, Red Hat Certified Technician is the fastest-growing credential in all of Linux, with currently over 15,000 certification holders. RHCT is the best first step in establishing Linux credentials and is an ideal initial certification for those transitioning from non-UNIX®/ Linux environments.
				</div><div class="para">
					Red Hat certifications are indisputably regarded as the best in Linux, and perhaps, according to some, in all of IT. Taught entirely by experienced Red Hat experts, our certification programs measure competency on actual live systems and are in great demand by employers and IT professionals alike.
				</div><div class="para">
					Choosing the right certification depends on your background and goals. Whether you have advanced, minimal, or no UNIX or Linux experience whatsoever, Red Hat Training has a training and certification path that is right for you.
				</div></dd><dt class="varlistentry"><span class="term">Red Hat Certified Engineer® (RHCE®)</span></dt><dd><div class="para">
					Red Hat Certified Engineer began in 1999 and has been earned by more than 20,000 Linux experts. Called the "crown jewel of Linux certifications," independent surveys have ranked the RHCE program #1 in all of IT.
				</div></dd><dt class="varlistentry"><span class="term">Red Hat Certified Security Specialist (RHCSS)</span></dt><dd><div class="para">
					An RHCSS has RHCE security knowledge plus specialized skills in Red Hat Enterprise Linux, Red Hat Directory Server and SELinux to meet the security requirements of today's enterprise environments. RHCSS is Red Hat's newest certification, and the only one of its kind in Linux.
				</div></dd><dt class="varlistentry"><span class="term">Red Hat Certified Architect (RHCA)</span></dt><dd><div class="para">
					RHCEs who seek advanced training can enroll in Enterprise Architect courses and prove their competency with the newly announced Red Hat Certified Architect (RHCA) certification. RHCA is the capstone certification to Red Hat Certified Technician (RHCT) and Red Hat Certified Engineer (RHCE), the most acclaimed certifications in the Linux space.
				</div></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id852515">52.1. Free Pre-assessment tests</h2></div></div></div><div class="para">
			Test your Linux smarts and identify your Red Hat course level with our automated pre-assessment tests.
		</div><div class="para">
			Completely free, no obligations, 10 minutes of your time. <a href="http://www.redhat.com/explore/assess">http://www.redhat.com/explore/assess</a>
		</div></div></div><div xml:lang="en-US" class="chapter" id="id873232" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 53. RH033: Red Hat Linux Essentials</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#id894216">53.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id1066595">53.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id916642">53.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id782363">53.1.3. Audience</a></span></dt><dt><span class="section"><a href="#id873716">53.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id968261">53.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></div><div class="para">
		<a href="http://www.redhat.com/training/rhce/courses/rh033.html">http://www.redhat.com/training/rhce/courses/rh033.html</a>
	</div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id894216">53.1. Course Description</h2></div></div></div><div class="para">
			The first course for both RHCT and RHCE certification tracks, RH033 is ideal for individuals who have never used Linux or UNIX, and who have no prior command line experience in any other operating system. You are taught the basics of a Red Hat Enterprise Linux environment, and it prepares you for your future role as a system administrator.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1066595">53.1.1. Prerequisites</h3></div></div></div><div class="para">
				User-level experience with any computer system, use of menus, use of any graphical user interface.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id916642">53.1.2. Goal</h3></div></div></div><div class="para">
				A Red Hat Enterprise Linux power user who can be productive in using and customizing a Red Hat system for common command line processes and desktop productivity roles, and who is ready to learn system administration (RH133).
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id782363">53.1.3. Audience</h3></div></div></div><div class="para">
				Users who are new to Linux and have no prior UNIX or command line skills, who want to develop and practice the basic skills to use and control their own Red Hat Linux system.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id873716">53.1.4. Course Objectives</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Understand the Linux file system
					</div></li><li class="listitem"><div class="para">
						Perform common file maintenance
					</div></li><li class="listitem"><div class="para">
						Use and customize the GNOME interface
					</div></li><li class="listitem"><div class="para">
						Issue essential Linux commands from the command line
					</div></li><li class="listitem"><div class="para">
						Perform common tasks using the GNOME GUI
					</div></li><li class="listitem"><div class="para">
						Open, edit, and save text documents using the vi editor
					</div></li><li class="listitem"><div class="para">
						File access permissions
					</div></li><li class="listitem"><div class="para">
						Customize X Window System
					</div></li><li class="listitem"><div class="para">
						Regular expression pattern matching and I/O redirection
					</div></li><li class="listitem"><div class="para">
						Install, upgrade, delete and query packages on your system
					</div></li><li class="listitem"><div class="para">
						Network utilities for the user
					</div></li><li class="listitem"><div class="para">
						Power user utilities
					</div></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id968261">53.1.5. Follow-on Courses</h3></div></div></div><div class="para">
				RH133 Red Hat Linux Sys. Admin.
			</div><div class="para">
				RH253 Red Hat Linux Net. and Sec. Admin
			</div><div class="para">
				RH300 Red Hat Linux RHCE Rapid Track
			</div><div class="para">
				"I would enthusiastically recommend this course to anyone interested in Linux."——Mike Kimmel, ITT Systems Division
			</div></div></div></div><div xml:lang="en-US" class="chapter" id="id966775" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 54. RH035: Red Hat Linux Essentials for Windows Professionals</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#id853968">54.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id830873">54.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id916407">54.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id829991">54.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id1044349">54.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id841235">54.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></div><div class="para">
		<a href="http://www.redhat.com/training/rhce/courses/rh035.html">http://www.redhat.com/training/rhce/courses/rh035.html</a>
	</div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id853968">54.1. Course Description</h2></div></div></div><div class="para">
			Designed for Windows® professionals with no prior UNIX or Linux experience, this course teaches fundamental Red Hat Enterprise Linux system administration skills. The first day provides a conceptual and practical transition for individuals to successfully add Linux management competencies to their portfolio. The remaining four days combines with the highly-acclaimed RH033 course, immersing individuals in the basics of a Red Hat Enterprise Linux environment and preparing them for future roles as cross-platform system administrators. The course also serves as the first course in the RHCT and RHCE tracks.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id830873">54.1.1. Prerequisites</h3></div></div></div><div class="para">
				Have experience with job tasks using Windows OS products at technician or system administrator level; experience as an IT professional; no prior UNIX or Linux experience required.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id916407">54.1.2. Goal</h3></div></div></div><div class="para">
				A Red Hat Enterprise Linux power user familiar with common command line processes who can perform some system administration tasks using graphical tools. The individual will also be ready to develop a deeper understanding of Red Hat Enterprise Linux system administration (RH133).
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id829991">54.1.3. Audience </h3></div></div></div><div class="para">
				The typical student will be a Windows technician who prefers to manage servers using a graphic user interface. The individual will also possess a desire to effectively manage Red Hat Enterprise Linux systems and broaden their individual skill set.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1044349">54.1.4. Course Objectives</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Learn to install software, configure the network, configure authentication, and install and configure various services using graphical tools
					</div></li><li class="listitem"><div class="para">
						Understand the Linux file system
					</div></li><li class="listitem"><div class="para">
						Issue essential Linux commands from the command line
					</div></li><li class="listitem"><div class="para">
						Understand file access permissions
					</div></li><li class="listitem"><div class="para">
						Customize X Window System
					</div></li><li class="listitem"><div class="para">
						Use regular expression pattern matching and I/O redirection
					</div></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id841235">54.1.5. Follow-on Courses</h3></div></div></div><div class="para">
				RH133 Red Hat Linux Sys. Admin. (p. 8)
			</div><div class="para">
				RH253 Red Hat Linux Net. and Sec. Admin. (p. 9)
			</div><div class="para">
				RH300 Red Hat Linux RHCE Rapid Track (p. 10)
			</div><div class="para">
				"All in all I would rate this training experience as one of the best I have ever attended, and I've been in this industry for over 15 years." — Bill Legge, IT Consultant
			</div></div></div></div><div xml:lang="en-US" class="chapter" id="id836058" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 55. RH133: Red Hat Linux System Administration and Red Hat Certified Technician (RHCT) Certification</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#id1064663">55.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id811050">55.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id955399">55.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id873123">55.1.3. Audience</a></span></dt><dt><span class="section"><a href="#id1067874">55.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id961892">55.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></div><div class="para">
		<a href="http://www.redhat.com/training/rhce/courses/rh133.html">http://www.redhat.com/training/rhce/courses/rh133.html</a>
	</div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id1064663">55.1. Course Description</h2></div></div></div><div class="para">
			RH133 focuses on skills in systems administration on Red Hat Linux, to a level where you can attach and configure a workstation on an existing network. This 4.5-day course provides intensive hands-on training on Red Hat Enterprise Linux, and includes the RH202 RHCT Certification Lab Exam on the last day.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id811050">55.1.1. Prerequisites</h3></div></div></div><div class="para">
				RH033 Red Hat Linux Essentials or equivalent experience with Red Hat Linux.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id955399">55.1.2. Goal</h3></div></div></div><div class="para">
				Upon successful completion of this course, students will possess basic Linux system administrator knowledge which can be proved by passing the RHCT Exam. The exam is a performance-based lab exam that tests actual ability to install, configure, and attach a new Red Hat Linux system to an existing production network.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id873123">55.1.3. Audience</h3></div></div></div><div class="para">
				Linux or UNIX users who understand the basics of Red Hat Linux and desire further technical training to begin the process of becoming a system administrator.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1067874">55.1.4. Course Objectives</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Install Red Hat Linux interactively and with Kickstart
					</div></li><li class="listitem"><div class="para">
						Control common system hardware; administer Linux printing subsystem
					</div></li><li class="listitem"><div class="para">
						Create and maintain the Linux filesystem
					</div></li><li class="listitem"><div class="para">
						Perform user and group administration
					</div></li><li class="listitem"><div class="para">
						Integrate a workstation with an existing network
					</div></li><li class="listitem"><div class="para">
						Configure a workstation as a client to NIS, DNS, and DHCP services
					</div></li><li class="listitem"><div class="para">
						Automate tasks with at, cron, and anacron
					</div></li><li class="listitem"><div class="para">
						Back up filesystems to tape and tar archive
					</div></li><li class="listitem"><div class="para">
						Manipulate software packages with RPM
					</div></li><li class="listitem"><div class="para">
						Configure the X Window System and the GNOME d.e.
					</div></li><li class="listitem"><div class="para">
						Perform performance, memory, and process mgmt.
					</div></li><li class="listitem"><div class="para">
						Configure basic host security
					</div></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id961892">55.1.5. Follow-on Courses</h3></div></div></div><div class="para">
				RH253 Red Hat Linux Net. and Sec. Admin. (p. 9)
			</div></div></div></div><div xml:lang="en-US" class="chapter" id="id841891" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 56. RH202 RHCT EXAM - The fastest growing credential in all of Linux.</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#id965127">56.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id869970">56.1.1. Prerequisites</a></span></dt></dl></dd></dl></div><div class="para">
		<a href="http://www.redhat.com/training/rhce/courses/rh202.html">http://www.redhat.com/training/rhce/courses/rh202.html</a>
	</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
				RHCT exam is included with RH133. It can also be purchased on its own for $349
			</div></li><li class="listitem"><div class="para">
				RHCT exams occur on the fifth day of all RH133 classes
			</div></li></ol></div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id965127">56.1. Course Description</h2></div></div></div><div class="para">
			The RHCT (Red Hat Certified Technician) is a hands-on, performance-based exam testing candidates actual skills in installing, configuring, and troubleshooting Red Hat Enterprise Linux. The Certification Lab Exam is bundled with RH133, but individuals who have mastered the content of RH033 and RH133 can take just the exam.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id869970">56.1.1. Prerequisites</h3></div></div></div><div class="para">
				Candidates should consider taking RH033 and RH133 in preparation for the exam, but they are not required to take it.
			</div></div></div></div><div xml:lang="en-US" class="chapter" id="id915595" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 57. RH253 Red Hat Linux Networking and Security Administration</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#id856575">57.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id1064675">57.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id859622">57.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id1058119">57.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id790844">57.1.4. Course Objectives </a></span></dt><dt><span class="section"><a href="#id857548">57.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id856575">57.1. Course Description</h2></div></div></div><div class="para">
			RH253 arms students with in-depth knowledge needed to configure common Red Hat Enterprise Linux network services. Network and local security tasks are also topics of this course.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1064675">57.1.1. Prerequisites</h3></div></div></div><div class="para">
				RH133 Red Hat Linux System Administration or equivalent experience with Red Hat Enterprise Linux, LAN/WAN fundamentals or equivalent, internetworking with TCP/IP or equivalent.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id859622">57.1.2. Goal</h3></div></div></div><div class="para">
				Upon completion of this course, individuals can set up a Red Hat Enterprise Linux server and configure common network services and security at a basic level.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1058119">57.1.3. Audience </h3></div></div></div><div class="para">
				Linux or UNIX system administrators who already have some real-world experience with Red Hat Enterprise Linux systems administration, want a first course in networking services and security, and want to build skills at configuring common network services and security administration using Red Hat Enterprise Linux.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id790844">57.1.4. Course Objectives </h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Networking services on Red Hat Linux server-side setup, configuration, and basic administration of common networking services: DNS, NIS, Apache, SMB, DHCP, Sendmail, FTP. Other common services: tftp, pppd, proxy.
					</div></li><li class="listitem"><div class="para">
						Introduction to security
					</div></li><li class="listitem"><div class="para">
						Developing a security policy
					</div></li><li class="listitem"><div class="para">
						Local security
					</div></li><li class="listitem"><div class="para">
						Files and filesystem security
					</div></li><li class="listitem"><div class="para">
						Password security
					</div></li><li class="listitem"><div class="para">
						Kernel security
					</div></li><li class="listitem"><div class="para">
						Basic elements of a firewall
					</div></li><li class="listitem"><div class="para">
						Red Hat Linux-based security tools
					</div></li><li class="listitem"><div class="para">
						Responding to a break-in attempt
					</div></li><li class="listitem"><div class="para">
						Security sources and methods
					</div></li><li class="listitem"><div class="para">
						Overview of OSS security tools
					</div></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id857548">57.1.5. Follow-on Courses</h3></div></div></div><div class="para">
				RH302 RHCE Certification Exam
			</div><div class="para">
				"This course was excellent. The teacher was fantastic—his depth of knowledge is amazing."——Greg Peters, Future Networks USA
			</div></div></div></div><div xml:lang="en-US" class="chapter" id="id1067872" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 58. RH300: RHCE Rapid track course (and RHCE exam)</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#id687329">58.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id780615">58.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id833974">58.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id870452">58.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id919739">58.1.4. Course Objectives </a></span></dt><dt><span class="section"><a href="#id830416">58.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></div><div class="para">
		The fastest path to RHCE certification for experienced UNIX/Linux users.
	</div><div class="para">
		<a href="http://www.redhat.com/training/rhce/courses/rh300.html">http://www.redhat.com/training/rhce/courses/rh300.html</a>
	</div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id687329">58.1. Course Description</h2></div></div></div><div class="para">
			Five days in duration, this course provides intensive hands-on training on Red Hat Linux, and includes the RHCE Certification Exam on the last day.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id780615">58.1.1. Prerequisites</h3></div></div></div><div class="para">
				RH033, RH133, RH253 or equivalent experience with UNIX. Please do not register for RH300 unless you are experienced with systems administration or are a power user in UNIX or Linux environments.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id833974">58.1.2. Goal</h3></div></div></div><div class="para">
				Upon successful completion of this course, individuals will be a Red Hat Linux system administrator who has been trained and then tested using the RHCE Exam.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id870452">58.1.3. Audience </h3></div></div></div><div class="para">
				UNIX or Linux system administrators who have significant real-world experience and who want a fast-track course to prepare for the RHCE Exam.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id919739">58.1.4. Course Objectives </h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Hardware and Installation (x86 architecture)
					</div></li><li class="listitem"><div class="para">
						Configuration and administration
					</div></li><li class="listitem"><div class="para">
						Alternate installation methods
					</div></li><li class="listitem"><div class="para">
						Kernel services and configuration
					</div></li><li class="listitem"><div class="para">
						Standard networking services
					</div></li><li class="listitem"><div class="para">
						X Window system
					</div></li><li class="listitem"><div class="para">
						User and host security
					</div></li><li class="listitem"><div class="para">
						Routers, Firewalls, Clusters and Troubleshooting
					</div></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id830416">58.1.5. Follow-on Courses</h3></div></div></div><div class="para">
				Enterprise Architect curriculum and RHCA certification
			</div></div></div></div><div xml:lang="en-US" class="chapter" id="id1034514" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 59. RH302 RHCE EXAM</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#id1066495">59.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id1087875">59.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id924044">59.1.2. Content</a></span></dt></dl></dd></dl></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
				RHCE exams are included with RH300. It can also be purchased on its own.
			</div></li><li class="listitem"><div class="para">
				RHCE exams occur on the fifth day of all RH300 classes
			</div></li></ol></div><div class="para">
		<a href="http://www.redhat.com/training/rhce/courses/rhexam.html">http://www.redhat.com/training/rhce/courses/rhexam.html</a>
	</div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id1066495">59.1. Course Description</h2></div></div></div><div class="para">
			RHCE stands apart from many other certification programs in the IT sector because of its emphasis on hands-on, performance-based testing of actual skills in Red Hat Linux installation, configuration, debugging, and setup of key networking services.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1087875">59.1.1. Prerequisites</h3></div></div></div><div class="para">
				See RH300 course prerequisites. For further information, please refer to the RHCE Exam Prep Guide: www.redhat.com/training/rhce/examprep.html
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id924044">59.1.2. Content</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Section I: Troubleshooting and System Maintenance (2.5 hrs)
					</div></li><li class="listitem"><div class="para">
						Section II: Installation and Configuration (3 hrs.)
					</div></li></ol></div><div class="para">
				"Seriously, this was an outstanding class. I feel very well prepared for the test tomorrow." — Logan Ingalls, Web developer, Texterity Inc., USA
			</div></div></div></div><div xml:lang="en-US" class="chapter" id="id1067544" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 60. RHS333: RED HAT enterprise security: network services</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#id995562">60.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id873332">60.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id830926">60.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id996965">60.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id836336">60.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id924669">60.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></div><div class="para">
		Security for the most commonly deployed services.
	</div><div class="para">
		<a href="http://www.redhat.com/training/architect/courses/rhs333.html">http://www.redhat.com/training/architect/courses/rhs333.html</a>
	</div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id995562">60.1. Course Description</h2></div></div></div><div class="para">
			Red Hat Enterprise Linux has gained considerable momentum as the operating system of choice for deploying network services such as web, ftp, email, and file sharing. Red Hat's RHCE curriculum provides training in deploying these services and on the essential elements of securing them.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id873332">60.1.1. Prerequisites</h3></div></div></div><div class="para">
				RH253, RH300, or RHCE certification or equivalent work experience is required for this course. Course participants should already know the essential elements of how to configure the services covered, as this course will be focusing on more advanced topics from the outset.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id830926">60.1.2. Goal</h3></div></div></div><div class="para">
				This class advances beyond the essential security coverage offered in the RHCE curriculum and delves deeper into the security features, capabilities, and risks associated with the most commonly deployed services.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id996965">60.1.3. Audience </h3></div></div></div><div class="para">
				The audience for this course includes system administrators, consultants, and other IT professionals responsible for the planning, implementation, and maintenance of network servers. While the emphasis is on running these services on Red Hat Enterprise Linux, and the content and labs will assume its use, system administrators and others using proprietary forms of UNIX may also find many elements of this course relevant.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id836336">60.1.4. Course Objectives</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Mastering basic service security
					</div></li><li class="listitem"><div class="para">
						Understanding cryptography
					</div></li><li class="listitem"><div class="para">
						Logging system activity
					</div></li><li class="listitem"><div class="para">
						Securing BIND and DNS
					</div></li><li class="listitem"><div class="para">
						Network user authentication security
					</div></li><li class="listitem"><div class="para">
						Improving NFS security
					</div></li><li class="listitem"><div class="para">
						The secure shell: OpenSSH
					</div></li><li class="listitem"><div class="para">
						Securing email with Sendmail and Postfix
					</div></li><li class="listitem"><div class="para">
						Managing FTP access
					</div></li><li class="listitem"><div class="para">
						Apache security
					</div></li><li class="listitem"><div class="para">
						Basics of intrusion response
					</div></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id924669">60.1.5. Follow-on Courses</h3></div></div></div><div class="para">
				RH401 Red Hat Enterprise Deployment and System Mgmt. RH423 Red Hat Enterprise Directory Services and Authentication RH436 Red Hat Enterprise Storage Mgmt. RH442 Red Hat Enterprise System Monitoring and Performance Tuning
			</div></div></div></div><div xml:lang="en-US" class="chapter" id="id833533" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 61. RH401: Red Hat Enterprise Deployment and systems management</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#id855602">61.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id1065422">61.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id836477">61.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id818644">61.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id833516">61.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id1045390">61.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></div><div class="para">
		Manage Red Hat Enterprise Linux deployments.
	</div><div class="para">
		<a href="http://www.redhat.com/training/architect/courses/rh401.html">http://www.redhat.com/training/architect/courses/rh401.html</a>
	</div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id855602">61.1. Course Description</h2></div></div></div><div class="para">
			RH401 is a four-day intensive hands-on lab course in skills and methods critical to large-scale deployment and management of mission-critical Red Hat Enterprise Linux systems, including failover and load-balancing, CVS for system administrators, RPM rebuilding, and performance tuning for specific applications.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1065422">61.1.1. Prerequisites</h3></div></div></div><div class="para">
				RH253 at a minimum, RHCE certification preferred, or comparable skills and knowledge. All prospective course participants without RHCE certification are encouraged to verify skills with Red Hat's free online pre—assessment tests. Note: Persons should not enroll in RH401 without meeting the above prerequisites.
			</div><div class="para">
				All prospective course participants who do not possess RHCE certification are strongly advised to contact Red Hat Global Learning Services for a skills assessment when they enroll.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id836477">61.1.2. Goal</h3></div></div></div><div class="para">
				RH401 trains senior system administrators to manage large numbers of Enterprise Linux servers in a variety of roles, and/or manage them for mission—critical applications that require failover and load-balancing. Further, RH401 is benchmarked on expert—level competencies in managing operating systems for enterprise roles—the course teaches how to implement and manage enterprise Red Hat Enterprise Linux deployments efficiently and effectively in ways that make the entire enterprise deployment manageable by a team.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id818644">61.1.3. Audience </h3></div></div></div><div class="para">
				Senior Red Hat Enterprise Linux system administrators and other IT professionals working in enterprise environments and mission-critical systems.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id833516">61.1.4. Course Objectives</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Configuration management using CVS
					</div></li><li class="listitem"><div class="para">
						Construction of custom RPM packages
					</div></li><li class="listitem"><div class="para">
						Software management with Red Hat Network Proxy Server
					</div></li><li class="listitem"><div class="para">
						Assembling a host provisioning and management system
					</div></li><li class="listitem"><div class="para">
						Performance tuning and analysis
					</div></li><li class="listitem"><div class="para">
						High-availability network load-balancing clusters
					</div></li><li class="listitem"><div class="para">
						High-availability application failover clusters
					</div></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1045390">61.1.5. Follow-on Courses</h3></div></div></div><div class="para">
				RHS333 Enterprise Security: Securing Network Services
			</div><div class="para">
				RH423 Red Hat Enterprise Directory Services and Authentication
			</div><div class="para">
				RH436 Red Hat Enterprise Storage Mgmt.
			</div><div class="para">
				RH442 Red Hat Enterprise System Monitoring and Performance Tuning
			</div><div class="para">
				"After taking RH401 I am completely confident that I can implement enterprise—scale high—availability solutions end-to-end."——Barry Brimer, Bunge North America
			</div></div></div></div><div xml:lang="en-US" class="chapter" id="id1071718" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 62. RH423: Red Hat Enterprise Directory services and authentication</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#id815015">62.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id1044193">62.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id687317">62.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id772131">62.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id856919">62.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id955600">62.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></div><div class="para">
		Manage and deploy directory services for Red Hat Enterprise Linux systems.
	</div><div class="para">
		<a href="http://www.redhat.com/training/architect/courses/rh423.html">http://www.redhat.com/training/architect/courses/rh423.html</a>
	</div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id815015">62.1. Course Description</h2></div></div></div><div class="para">
			RH423 is an intensive course that provides four days of instruction and labs on cross-platform integration of directory services to provide authentication or information service across the enterprise.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1044193">62.1.1. Prerequisites</h3></div></div></div><div class="para">
				RH253 at a minimum, RHCE certification preferred, or comparable skills and knowledge. All prospective course participants without RHCE certification are encouraged to verify skills with Red Hat's free online pre—assessment tests. Note: Persons should not enroll in RH423 without meeting the above prerequisites. All prospective course participants who do not possess RHCE certification are strongly advised to contact Red Hat Global Learning Services for a skills assessment when they enroll.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id687317">62.1.2. Goal</h3></div></div></div><div class="para">
				RH423 trains senior system administrators to manage and deploy directory services on and for Red Hat Enterprise Linux systems. Gaining an understanding of the basic concepts, configuration, and management of LDAP—based services is central to this course. Students will integrate standard network clients and services with the directory service in order to take advantage of its capabilities. We will also look at PAM, the Pluggable Authentication Modules system, and how it is integrated with services that require authentication and authorization.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id772131">62.1.3. Audience </h3></div></div></div><div class="para">
				Senior Red Hat Enterprise Linux system administrators and other IT professionals working in enterprise environments and mission-critical systems.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id856919">62.1.4. Course Objectives</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Basic LDAP concepts
					</div></li><li class="listitem"><div class="para">
						How to configure and manage an OpenLDAP server
					</div></li><li class="listitem"><div class="para">
						Using LDAP as a "white pages" directory service
					</div></li><li class="listitem"><div class="para">
						Using LDAP for user authentication and management
					</div></li><li class="listitem"><div class="para">
						Integrating multiple LDAP servers
					</div></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id955600">62.1.5. Follow-on Courses</h3></div></div></div><div class="para">
				RHS333 Enterprise Security: Securing Network Services
			</div><div class="para">
				RH401 Red Hat Enterprise Deployment and Systems Management
			</div><div class="para">
				RH436 Red Hat Enterprise Storage Mgmt. (p. 16)
			</div><div class="para">
				RH442 Red Hat Enterprise System Monitoring and Performance Tuning
			</div></div></div></div><div xml:lang="en-US" class="chapter" id="id916926" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 63. SELinux Courses</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#id1042457">63.1. RHS427: Introduction to SELinux and Red Hat Targeted Policy</a></span></dt><dd><dl><dt><span class="section"><a href="#id1067175">63.1.1. Audience</a></span></dt><dt><span class="section"><a href="#id1063752">63.1.2. Course Summary</a></span></dt></dl></dd><dt><span class="section"><a href="#id858295">63.2. RHS429: Red Hat Enterprise SELinux Policy Administration </a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id1042457">63.1. RHS427: Introduction to SELinux and Red Hat Targeted Policy</h2></div></div></div><div class="para">
			<a href="http://www.redhat.com/training/security/courses/rhs427.html">http://www.redhat.com/training/security/courses/rhs427.html</a>
		</div><div class="para">
			1-day rapid intro to SELinux, how it operates within the Red Hat targeted policy, and the tools available for working with this powerful capability. RHS427 constitutes the first day of RH429.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1067175">63.1.1. Audience</h3></div></div></div><div class="para">
				Computer security specialists and others responsible for implementing security policies on a Linux computer. RHS429 requires RHCE or comparable knowledge.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1063752">63.1.2. Course Summary</h3></div></div></div><div class="para">
				Among the most significant features of Red Hat Enterprise Linux is SELinux (Security Enhanced Linux), a powerful, kernel-level security layer that provides fine-grained control over what users and processes may access and do on a system. By default, SELinux is enabled on Red Hat Enterprise Linux systems, enforcing a set of mandatory access controls that Red Hat calls the targeted policy. These access controls substantially enhance the security of the network services they target, but can sometimes affect the behavior of third-party applications and scripts that worked on previous versions of Red Hat Enterprise Linux.
			</div></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id858295">63.2. RHS429: Red Hat Enterprise SELinux Policy Administration </h2></div></div></div><div class="para">
			<a href="http://www.redhat.com/training/security/courses/rhs429.html">http://www.redhat.com/training/security/courses/rhs429.html</a>
		</div><div class="para">
			Among the most significant features of Red Hat Enterprise Linux is SELinux (Security Enhanced Linux), a powerful, kernel-level security layer that provides fine-grained control over what users and processes may access and execute on a system. RHS429 introduces advanced system administrators, security administrators, and applications programmers to SELinux policy writing. Participants in this course will learn how SELinux works; how to manage SELinux; and how to write an SELinux policy.
		</div></div></div><div xml:lang="en-US" class="chapter" id="id872701" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 64. RH436: Red Hat Enterprise storage management</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#id921578">64.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id858471">64.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id815123">64.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id871065">64.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id1042930">64.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id939435">64.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></div><div class="para">
		Deploy and manage Red Hat's cluster file system technology.
	</div><div class="para">
		Equipment-intensive:
	</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
				five servers
			</div></li><li class="listitem"><div class="para">
				storage array
			</div></li></ol></div><div class="para">
		<a href="http://www.redhat.com/training/architect/courses/rh436.html">http://www.redhat.com/training/architect/courses/rh436.html</a>
	</div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id921578">64.1. Course Description</h2></div></div></div><div class="para">
			RH436 provides intensive hands-on experience with the emerging Shared Storage technology delivered by Red Hat Global File System (GFS). This four-day course focuses on the implementation of native Red Hat Enterprise Linux technologies included in Red Hat Cluster Suite and GFS.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id858471">64.1.1. Prerequisites</h3></div></div></div><div class="para">
				RH253 at a minimum, RHCE certification preferred, or comparable skills and knowledge. All prospective course participants without RHCE certification are encouraged to verify skills with Red Hat's free online pre—assessment tests.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id815123">64.1.2. Goal</h3></div></div></div><div class="para">
				This course is designed to train people with RHCE-level competency on skills required to deploy and manage highly available storage data to the mission-critical enterprise computing environment. Complementing skills gained in RH401, this course delivers extensive hands-on training with the cluster file system, GFS.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id871065">64.1.3. Audience </h3></div></div></div><div class="para">
				Senior Red Hat Enterprise Linux system administrators and other IT professionals working in enterprise environments and mission-critical systems.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1042930">64.1.4. Course Objectives</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Review Red Hat Enterprise Linux storage management technologies
					</div></li><li class="listitem"><div class="para">
						Data storage design: Data sharing
					</div></li><li class="listitem"><div class="para">
						Cluster Suite overview
					</div></li><li class="listitem"><div class="para">
						Global File System (GFS) overview
					</div></li><li class="listitem"><div class="para">
						GFS management
					</div></li><li class="listitem"><div class="para">
						Modify the online GFS environment: Managing data capacity
					</div></li><li class="listitem"><div class="para">
						Monitor GFS
					</div></li><li class="listitem"><div class="para">
						Implement GFS modifications
					</div></li><li class="listitem"><div class="para">
						Migrating Cluster Suite NFS from DAS to GFS
					</div></li><li class="listitem"><div class="para">
						Re-visit Cluster Suite using GFS
					</div></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id939435">64.1.5. Follow-on Courses</h3></div></div></div><div class="para">
				RHS333 Enterprise Security: Securing Network Services
			</div><div class="para">
				RH401 Red Hat Enterprise Deployment and Systems Management
			</div><div class="para">
				RH423 Red Hat Enterprise Directory Services and Authentication
			</div><div class="para">
				RH442 Red Hat Enterprise System Monitoring and Performance Tuning
			</div><div class="para">
				"The class gave me a chance to use some of the latest Linux tools, and was a reminder of the benefits of using Linux for high-availability systems."——Paul W. Frields, FBI — Operational Technology Division Quantico, VA, USA
			</div></div></div></div><div xml:lang="en-US" class="chapter" id="id774488" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 65. RH442: Red Hat Enterprise system monitoring and performance tuning</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#id871946">65.1. Course Description</a></span></dt><dd><dl><dt><span class="section"><a href="#id815672">65.1.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id1046122">65.1.2. Goal</a></span></dt><dt><span class="section"><a href="#id784224">65.1.3. Audience </a></span></dt><dt><span class="section"><a href="#id1041965">65.1.4. Course Objectives</a></span></dt><dt><span class="section"><a href="#id986688">65.1.5. Follow-on Courses</a></span></dt></dl></dd></dl></div><div class="para">
		Performance tuning and capacity planning for Red Hat Enterprise Linux
	</div><div class="para">
		<a href="http://www.redhat.com/training/architect/courses/rh442.html">http://www.redhat.com/training/architect/courses/rh442.html</a>
	</div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id871946">65.1. Course Description</h2></div></div></div><div class="para">
			RH442 is an advanced four-day hands-on lab course covering system architecture, performance characteristics, monitoring, benchmarking, and network performance tuning.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id815672">65.1.1. Prerequisites</h3></div></div></div><div class="para">
				RHCT at a minimum, RHCE certification recommended, or comparable skills and knowledge. All prospective course participants without RHCE certification are encouraged to verify skills with Red Hat's free online pre—assessment tests.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1046122">65.1.2. Goal</h3></div></div></div><div class="para">
				RH442 is designed to teach the methodology of performance tuning and capacity planning for Red Hat Enterprise Linux. This class will cover:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						A discussion of system architecture with an emphasis on understanding the implications of system architecture on system performance
					</div></li><li class="listitem"><div class="para">
						Methods for testing the effects of performance adjustments (benchmarking)
					</div></li><li class="listitem"><div class="para">
						Open source benchmarking utilities
					</div></li><li class="listitem"><div class="para">
						Methods for analyzing system performance and networking performance
					</div></li><li class="listitem"><div class="para">
						Tuning configurations for specific application loads
					</div></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id784224">65.1.3. Audience </h3></div></div></div><div class="para">
				RH442 is aimed at senior Red Hat Enterprise Linux system administrators and other IT professionals working in enterprise environments and mission-critical systems.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1041965">65.1.4. Course Objectives</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Overview of system components and architecture as they relate to system performance
					</div></li><li class="listitem"><div class="para">
						Translating manufacturers' hardware specifications into useful information
					</div></li><li class="listitem"><div class="para">
						Using standard monitoring tools effectively to gather and analyze trend information
					</div></li><li class="listitem"><div class="para">
						Gathering performance-related data with SNMP
					</div></li><li class="listitem"><div class="para">
						Using open source benchmarking utilities
					</div></li><li class="listitem"><div class="para">
						Network performance tuning
					</div></li><li class="listitem"><div class="para">
						Application performance tuning considerations
					</div></li><li class="listitem"><div class="para">
						Tuning for specific configurations
					</div></li></ol></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id986688">65.1.5. Follow-on Courses</h3></div></div></div><div class="para">
				RHS333 Enterprise Security: Securing Network Services
			</div><div class="para">
				RH401 Red Hat Enterprise Deployment and Systems Management
			</div><div class="para">
				RH423 Red Hat Enterprise Directory Services and Authentication
			</div><div class="para">
				RH436 Red Hat Enterprise Storage Mgmt.
			</div></div></div></div><div xml:lang="en-US" class="chapter" id="id1066813" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 66. Red Hat Enterprise Linux Developer Courses</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#id915816">66.1. RHD143: Red Hat Linux Programming Essentials </a></span></dt><dt><span class="section"><a href="#id920609">66.2. RHD221 Red Hat Linux Device Drivers </a></span></dt><dt><span class="section"><a href="#id1045737">66.3. RHD236 Red Hat Linux Kernel Internals </a></span></dt><dt><span class="section"><a href="#id920037">66.4. RHD256 Red Hat Linux Application Development and Porting</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id915816">66.1. RHD143: Red Hat Linux Programming Essentials </h2></div></div></div><div class="para">
			<a href="http://www.redhat.com/training/developer/courses/rhd143.html">http://www.redhat.com/training/developer/courses/rhd143.html</a>
		</div><div class="para">
			An intensive hands-on course designed to rapidly train staff in key skills for developing applications and programs on Red Hat Enterprise Linux. This five-day course provides hands-on training, concepts, demonstrations, with emphasis on realistic labs and programming exercises. Upon completion of the course, students will have learned and practiced the essential skills required to develop programs for Linux systems.
		</div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id920609">66.2. RHD221 Red Hat Linux Device Drivers </h2></div></div></div><div class="para">
			<a href="http://www.redhat.com/training/developer/courses/rhd221.html">http://www.redhat.com/training/developer/courses/rhd221.html</a>
		</div><div class="para">
			This course is designed to teach experienced programmers how to develop device drivers for Linux systems. Upon completion of the course, students will understand the Linux architecture, hardware and memory management, modularization, and the layout of the kernel source, and will have practiced key concepts and skills for development of character, block, and network drivers.
		</div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id1045737">66.3. RHD236 Red Hat Linux Kernel Internals </h2></div></div></div><div class="para">
			<a href="http://www.redhat.com/training/developer/courses/rhd236.html">http://www.redhat.com/training/developer/courses/rhd236.html</a>
		</div><div class="para">
			This course is designed to provide a detailed examination of the Linux kernel architecture, including process scheduling, memory management, file systems, and driving peripheral devices. This five-day course provides hands-on training, concepts, and demonstrations, with emphasis on realistic labs and programming exercises.
		</div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id920037">66.4. RHD256 Red Hat Linux Application Development and Porting</h2></div></div></div><div class="para">
			<a href="http://www.redhat.com/training/developer/courses/rhd256.html">http://www.redhat.com/training/developer/courses/rhd256.html</a>
		</div><div class="para">
			A four-day developer course for experienced programmers who are already familiar with development on a UNIX-like system and want to develop new applications as well as port existing applications to Red Hat Enterprise Linux.
		</div></div></div><div xml:lang="en-US" class="chapter" id="id1024463" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 67. JBoss Courses</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#id841812">67.1. RHD161 JBoss and EJB3 for Java</a></span></dt><dd><dl><dt><span class="section"><a href="#id775487">67.1.1. Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="#id836245">67.2. RHD163 JBoss for Web Developers </a></span></dt><dd><dl><dt><span class="section"><a href="#id856763">67.2.1. Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="#id1101252">67.3. RHD167: JBOSS - HIBERNATE ESSENTIALS</a></span></dt><dd><dl><dt><span class="section"><a href="#id1101267">67.3.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id833142">67.3.2. Course Summary</a></span></dt></dl></dd><dt><span class="section"><a href="#id1014256">67.4. RHD267: JBOSS - ADVANCED HIBERNATE</a></span></dt><dd><dl><dt><span class="section"><a href="#id1014280">67.4.1. Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="#id967506">67.5. RHD261:JBOSS for advanced J2EE developers</a></span></dt><dd><dl><dt><span class="section"><a href="#id887211">67.5.1. Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="#id1082436">67.6. RH336: JBOSS for Administrators</a></span></dt><dd><dl><dt><span class="section"><a href="#id1018796">67.6.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#id987009">67.6.2. Course Summary</a></span></dt></dl></dd><dt><span class="section"><a href="#id1014310">67.7. RHD439: JBoss Clustering</a></span></dt><dd><dl><dt><span class="section"><a href="#id948015">67.7.1. Prerequisites </a></span></dt></dl></dd><dt><span class="section"><a href="#id1058335">67.8. RHD449: JBoss jBPM </a></span></dt><dd><dl><dt><span class="section"><a href="#id1010139">67.8.1. Description </a></span></dt><dt><span class="section"><a href="#id1079022">67.8.2. Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="#id1009430">67.9. RHD451 JBoss Rules</a></span></dt><dd><dl><dt><span class="section"><a href="#id1085588">67.9.1. Prerequisites</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id841812">67.1. RHD161 JBoss and EJB3 for Java</h2></div></div></div><div class="para">
			<a href="http://www.redhat.com/training/jboss/courses/rhd161.html">http://www.redhat.com/training/jboss/courses/rhd161.html</a>
		</div><div class="para">
			Developers JBoss and EJB3 for Java Developers is targeted toward proficient Java developers who wish to extend their knowledge to EJB3 and J2EE middleware programming using the JBoss Application Server. This class is an in-depth introduction to EJB3 and J2EE using the JBoss Application Server. It provides a hands-on approach to EJB3 and J2EE application development, deployment and the tools necessary to facilitate both processes.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id775487">67.1.1. Prerequisites</h3></div></div></div><div class="para">
				Basic Java programming skills and knowledge of OOAD concepts are required. The student must have practical knowledge of, and/or experience with, the following:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						The object-oriented concepts of inheritance, polymorphism and encapsulation
					</div></li><li class="listitem"><div class="para">
						Java syntax, specifically for data types, variables, operators, statements and control flow
					</div></li><li class="listitem"><div class="para">
						Writing Java classes as well as using Java interfaces and abstract classes
					</div></li></ol></div></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id836245">67.2. RHD163 JBoss for Web Developers </h2></div></div></div><div class="para">
			<a href="http://www.redhat.com/training/jboss/courses/rhd163.html">http://www.redhat.com/training/jboss/courses/rhd163.html</a>
		</div><div class="para">
			JBoss for Web Developers focuses on web tier technologies in the JBoss Enterprise Middleware System (JEMS) product stack. We cover details on JBoss Portal, how to create and deploy portlets, integrating portlets with other web tier frameworks such as JavaServer Faces JSF) and configuring and tuning the Tomcat web container embedded in JBoss Application Server. Familiarity with JSP and Servlet development and related specification is heavily recommended. No previous experience with Portlets or JSF is required.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id856763">67.2.1. Prerequisites</h3></div></div></div><div class="para">
				The prerequisite skills for this class are basic J2EE Web Container (Servlet/JSP) programming skills and some experience with J2EE Web-based and multi-tier application deployments on the JBoss Application Server in conjunction with the Tomcat container (whether embedded with Apache or integrated with the JBoss Application server). The student should have development experience with the following technologies:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						JNDI
					</div></li><li class="listitem"><div class="para">
						The Servlet 2.3/2.4 API
					</div></li><li class="listitem"><div class="para">
						The JSP 2.0 API
					</div></li><li class="listitem"><div class="para">
						J2EE application development and deployment on the JBoss Application Server
					</div></li><li class="listitem"><div class="para">
						Deployment of a Web Application on embedded (stand alone) Tomcat or on integrated Tomcat (JBossWeb)
					</div></li><li class="listitem"><div class="para">
						A working knowledge of JDBC and EJB2.1 or EJB3.0
					</div></li></ol></div><div class="para">
				while not a prerequisite, is helpful.
			</div></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id1101252">67.3. RHD167: JBOSS - HIBERNATE ESSENTIALS</h2></div></div></div><div class="para">
			<a href="http://www.redhat.com/training/jboss/courses/rhd167.html">http://www.redhat.com/training/jboss/courses/rhd167.html</a>
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1101267">67.3.1. Prerequisites</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						An understanding of the relational persistence model
					</div></li><li class="listitem"><div class="para">
						Competency with the Java language
					</div></li><li class="listitem"><div class="para">
						Knowledge of OOAD concepts
					</div></li><li class="listitem"><div class="para">
						Familiarity with the UML
					</div></li><li class="listitem"><div class="para">
						Experience with a dialect of SQL
					</div></li><li class="listitem"><div class="para">
						Using the JDK and creating the necessary environment for compilation and execution of a Java executable from the command line
					</div></li><li class="listitem"><div class="para">
						An understanding of JDB
					</div></li></ol></div><div class="para">
				No prior knowledge of J2EE or Hibernate is required. This training is based on Hibernate 3.2 series.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id833142">67.3.2. Course Summary</h3></div></div></div><div class="para">
				Hibernate Essentials is targeted toward Java developers who must become competent with the Hibernate or the Java Persistence API object/relational persistence and query service implementation. The primary audience is intended to be Java developers who work with SQL-based database systems or database developers who are looking for an introduction to object-oriented software development. Database administrators who are interested in how ORM may affect performance and how to tune the performance of the SQL database management system and persistence layer will also find this course of value. This course covers the JBoss, Inc. implementation of the JSR-220 sub-specification for Java Persistence and it covers the foundational APIs of version 3.x of the JBoss, Inc. Hibernate product, or simply, Hibernate 3.
			</div></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id1014256">67.4. RHD267: JBOSS - ADVANCED HIBERNATE</h2></div></div></div><div class="para">
			<a href="http://www.redhat.com/training/jboss/courses/rhd267.html">http://www.redhat.com/training/jboss/courses/rhd267.html</a>
		</div><div class="para">
			JBoss Advanced Hibernate training is targeted toward Java developers who wish to extract the full power of the Hibernate O/R Mapping framework. The primary target audience consists of Java developers who work with SQL-based database systems, database developers who are looking for an introduction to object-oriented software development and database administrators interested in how ORM affects performance and how to tune the performance of the SQL database management system and persistence layer. The training covers the new Hibernate 3 features.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1014280">67.4.1. Prerequisites</h3></div></div></div><div class="para">
				The prerequisite skills for this class are the following:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Basic Hibernate knowledge.
					</div></li><li class="listitem"><div class="para">
						Competency with the Java language
					</div></li><li class="listitem"><div class="para">
						Knowledge of OOAD concepts
					</div></li><li class="listitem"><div class="para">
						Familiarity with the UML
					</div></li><li class="listitem"><div class="para">
						Experience with a dialect of SQL
					</div></li><li class="listitem"><div class="para">
						Using the JDK and creating the necessary environment for compilation and execution of a Java executable from the command line.
					</div></li><li class="listitem"><div class="para">
						Experience with, or comprehensive knowledge of JNDI and JDBC.
					</div></li><li class="listitem"><div class="para">
						Entity EJB2.1 or EJB3.0 knowledge, while not a prerequisite, is helpful.
					</div></li><li class="listitem"><div class="para">
						Prior reading of the book Hibernate in Action, by Christian Bauer and Gavin King (published by Manning) is recommended.
					</div></li></ol></div><div class="para">
				"The best part of the Advanced Hibernate course was networking with fellow engineers that had problems similar to my own, and working with a knowledgeable instructor to solve them."--Mike Pasternak, Consulting Engineer, United Switch &amp; Signal
			</div></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id967506">67.5. RHD261:JBOSS for advanced J2EE developers</h2></div></div></div><div class="para">
			<a href="http://www.redhat.com/training/jboss/courses/rhd261.html">http://www.redhat.com/training/jboss/courses/rhd261.html</a>
		</div><div class="para">
			JBoss for Advanced J2EE Developers is targeted toward J2EE professionals who wish to take advantage of the JBoss Application Server internal architecture to enhance the functionality and performance of J2EE applications on the JBoss Application Server. This course covers topics such as JMX and those beyond the J2EE specification such as Microkernel architecture, Security, Clustering, and Fine Tuning.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id887211">67.5.1. Prerequisites</h3></div></div></div><div class="para">
				It is highly recommended that students either complete the JBoss for Java Developers course OR take the Middleware Placement Exam prior to registering for the JBoss for Advanced J2EE Developers course. The developer should have practical experience with each of the following topics:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						JNDI
					</div></li><li class="listitem"><div class="para">
						JDBC
					</div></li><li class="listitem"><div class="para">
						Servlets and JSPs
					</div></li><li class="listitem"><div class="para">
						Enterprise Java Beans
					</div></li><li class="listitem"><div class="para">
						JMS
					</div></li><li class="listitem"><div class="para">
						The J2EE Security Model
					</div></li><li class="listitem"><div class="para">
						J2EE application development and deployment on the JBoss Application
					</div></li><li class="listitem"><div class="para">
						Experience with ANT and XDoclet or similar technologies.
					</div></li></ol></div><div class="para">
				While prior knowledge of JMX is helpful, it is not required. This training is based on the 4.x series of the JBoss Application Server.
			</div><div class="para">
				"I thought the training materials were well-organized, including both the handbook and the labs. The instructor frequently asked for feedback on material and pace. It was apparent that he cared about our understanding of the material."--Jeremy Prellwitz, SiRAS.com, USA
			</div></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id1082436">67.6. RH336: JBOSS for Administrators</h2></div></div></div><div class="para">
			<a href="http://www.redhat.com/training/jboss/courses/rh336.html">http://www.redhat.com/training/jboss/courses/rh336.html</a>
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1018796">67.6.1. Prerequisites</h3></div></div></div><div class="para">
				Basic working knowledge of the Windows or Linux (Unix-based) operating system. The student must have experience with the following:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Creating directories, files and modifying access rights to the file store
					</div></li><li class="listitem"><div class="para">
						Installing a JDK
					</div></li><li class="listitem"><div class="para">
						Configuring environment variables, such as JAVA_HOME, for an Operating system
					</div></li><li class="listitem"><div class="para">
						Launching Java applications and executing an OS-dependent script that launches a Java application.
					</div></li><li class="listitem"><div class="para">
						Creating and expanding a Java archive file (the jar utility)
					</div></li></ol></div><div class="para">
				No prior knowledge of J2EE or the JBoss Application Server is required. Some familiarity with supporting Java applications with XML configurations, however, is strongly recommended.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id987009">67.6.2. Course Summary</h3></div></div></div><div class="para">
				JBoss for Administrators is targeted toward application support individuals, such as system administrators, configuration management and quality assurance personnel who wish to become proficient in configuring and administrating the JBoss application server (3.2.x and 4.x series) and the applications deployed on the application server.
			</div><div class="para">
				"The JBoss for Administrators course was a great balance of both lecture and labs. It is always nice to have hands on knowledge of the topics to make them seem more real and applicable."——Thomas Skowronek, Palm Harbor Homes, USA
			</div></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id1014310">67.7. RHD439: JBoss Clustering</h2></div></div></div><div class="para">
			<a href="http://www.redhat.com/training/jboss/courses/rhd439.html">http://www.redhat.com/training/jboss/courses/rhd439.html</a>
		</div><div class="para">
			Clustering is a 4-day training focusing on high availability services of JBoss Enterprise Middleware System (JEMS). You will learn how JBoss Application Server leverages JGroups and JBoss Cache for replication and fail-over, how to configure, tune and implement JGroups protocol stacks, how to leverage JBoss Cache in your own middleware application implementation and how to use and configure mod_jk for HTTP load balancing. We will also cover in some detail JBoss Application Server high availability services such as HA-JNDI, HA-JMS and HA-singleton.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id948015">67.7.1. Prerequisites </h3></div></div></div><div class="para">
				Completion of the JBoss for Advanced J2EE Developers course is strongly recommended before taking this course. It is also strongly recommended that the student has at minimum 18 month practical development experience using J2EE and other Java middleware technologies, and it is suggested that the student have some practical experience with JBoss Application Server. Solid Java programming experience (minimum 3 years) is required and understanding of basic TCP/IP topics is necessary.
			</div><div class="para">
				The student must have the following skills:
			</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						JTA, Transactions, Java concurrency
					</div></li><li class="listitem"><div class="para">
						EJB 2.1, JMS, reliable messaging technologies
					</div></li><li class="listitem"><div class="para">
						Previous experience with Apache httpd and some exposure to mod_jk and/or mod_proxy
					</div></li><li class="listitem"><div class="para">
						Familiar with JBoss AS microkernel and JMX
					</div></li><li class="listitem"><div class="para">
						Familiarity with TCP/IP, UDP, Multicasting
					</div></li></ol></div><div class="para">
				"The JBoss for Administrators course was very informative. Our instructor did a great job at answering our questions (some very specific to the student) while maintaining the course direction. I am very excited about applying what I have learned in the course."——Andy Beier, Arizona Statue University, USA
			</div></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id1058335">67.8. RHD449: JBoss jBPM </h2></div></div></div><div class="para">
			<a href="http://www.redhat.com/training/jboss/courses/rhd449.html">http://www.redhat.com/training/jboss/courses/rhd449.html</a>
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1010139">67.8.1. Description </h3></div></div></div><div class="para">
				JBoss jBPM training is targeted for system architects and developers who work closely with business analysts and are responsible for bringing business processes into J2EE environment using jBPM as a BPM engine. In addition, The JBoss jBPM training will provide students with a thorough understanding of the BPM landscape, types of engines and positioning of the buzzwords.
			</div><div class="para">
				Students will acquire practical hands on expertise and will be ready to start developing business processes with JBoss jBPM after the course. Another goal of the training is to provide a thorough preparation for comparing workflow engines.
			</div></div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1079022">67.8.2. Prerequisites</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						The student must have previous experience developing an Hibernate application. The student must know how to configure a simple Session Factory for Hibernate, utilize a Hibernate Session and transactional demarcation and how to perform basic queries on Hibernate objects.
					</div></li><li class="listitem"><div class="para">
						Competency with Java application development.
					</div></li><li class="listitem"><div class="para">
						Previous exposure to the concepts of workflow and business process modeling (BPM) is not required
					</div></li><li class="listitem"><div class="para">
						Experience with JBoss Eclipse or the Eclipse IDE with the JBoss plugin is recommended but not required
					</div></li><li class="listitem"><div class="para">
						Basic notions of JUnit test framework is recommended.
					</div></li></ol></div></div></div><div class="section"><div class="titlepage"><div><div><h2 class="title" id="id1009430">67.9. RHD451 JBoss Rules</h2></div></div></div><div class="para">
			<a href="http://www.redhat.com/training/jboss/courses/rhd451.html">http://www.redhat.com/training/jboss/courses/rhd451.html</a>
		</div><div class="para">
			The course covers the core engine for Drools 3 (JBoss Rules 3.0), as well as the various techniques and languages that can be used to manage business rules, and how the rule engine may be embedded in J2SE and J2EE applications. This course will be a complimentary course to any future courses on rule management using future releases of Jboss Rules.
		</div><div class="section"><div class="titlepage"><div><div><h3 class="title" id="id1085588">67.9.1. Prerequisites</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
						Basic Java competency
					</div></li><li class="listitem"><div class="para">
						Some understanding of what constitutes an inferencing rule engine versus a scripting engine
					</div></li><li class="listitem"><div class="para">
						Viewing of the Jboss Rules webinars and demos is recommended but not required
					</div></li><li class="listitem"><div class="para">
						Java EE specific experience is not required for the course, but students who need to know how to integrate with Java EE will need the appropriate experience
					</div></li></ol></div></div></div></div></div><div xml:lang="en-US" class="appendix" id="id870806" lang="en-US"><div class="titlepage"><div><div><h1 id="id870806" class="title">Revision History</h1></div></div></div><div class="para">
		<div class="revhistory"><table border="0" width="100%" summary="Revision history"><tr><th align="left" valign="top" colspan="3"><strong>Revision History</strong></th></tr><tr><td align="left">Revision 10-0</td><td align="left">Thu Jul 21 2011</td><td align="left"><span class="author"><span class="firstname">Jaromír</span> <span class="surname">Hradílek</span></span></td></tr><tr><td align="left" colspan="3">
					<table border="0" summary="Simple list" class="simplelist"><tr><td>Resolve BZ#720382: MinorMod: Network Interfaces: LINKDELAY parameter needs to be added to "Interface Configuration Files".</td></tr><tr><td>Resolve BZ#632028: MajorMod: Redundant Array of Independent Disks (RAID): Document mdadm Usage.</td></tr><tr><td>Resolve BZ#720009: MinorMod: LVM: Update screenshots in the "Manual LVM Partitioning" section.</td></tr><tr><td>Resolve BZ#711162: MinorMod: Network Interfaces: Incorrect static routes configuration.</td></tr><tr><td>Resolve BZ#707238: broadcast is calculated with ipcalc, not ifcalc.</td></tr><tr><td>Resolve BZ#678316: HOTPLUG network config file option is not documented.</td></tr><tr><td>Resolve BZ#562018: Ch.4 Redundant Array of Independent Disks (RAID) - screenshots need updating.</td></tr><tr><td>Resolve BZ#485033: iptables -p ALL --dport not allowed according to man 8 iptables.</td></tr></table>

</td></tr><tr><td align="left">Revision 9-0</td><td align="left">Thu Jan 13 2011</td><td align="left"><span class="author"><span class="firstname">Jaromír</span> <span class="surname">Hradílek</span></span></td></tr><tr><td align="left" colspan="3">
					<table border="0" summary="Simple list" class="simplelist"><tr><td>Resolve BZ#249485: 'fsid=num' is listed under NFS client options, but it is a server-only option.</td></tr><tr><td>Resolve BZ#253659: additional commands required when adding machines to domain.</td></tr><tr><td>Resolve BZ#453242: guide does not tell you which packages you need to run an NFS server.</td></tr><tr><td>Resolve BZ#504250: cell should have newline characters, it shouldn't be all on one line.</td></tr><tr><td>Resolve BZ#520650: /proc/loadavg documentation error.</td></tr><tr><td>Resolve BZ#584075: vsftp typo for text_userdb_names.</td></tr><tr><td>Resolve BZ#625384: bonding configuration SLAVE=bond0 is invalid.</td></tr><tr><td>Resolve BZ#644617: misspelled word.</td></tr><tr><td>Resolve BZ#645123: spelling Errors in Deployment Guide II.</td></tr><tr><td>Resolve BZ#595366: RFE: document Shared Subtrees.</td></tr></table>

</td></tr><tr><td align="left">Revision 8-0</td><td align="left">Thu July 30 2010</td><td align="left"><span class="author"><span class="firstname">Douglas</span> <span class="surname">Silas</span></span></td></tr><tr><td align="left" colspan="3">
					<table border="0" summary="Simple list" class="simplelist"><tr><td>Resolve BZ#239313: document oom_adj and oom_score.</td></tr><tr><td>Resolve BZ#526502: correct quotaon instructions with proper, safe operating procedures.</td></tr><tr><td>Resolve BZ#551367: correct SELinux dhcpd_disable_trans description.</td></tr><tr><td>Resolve BZ#521215: clarify NFS interaction with portmapper, rpc.mountd, rpc.lockd and rpc.statd.</td></tr><tr><td>Resolve BZ#453875: various OpenSSH chapter corrections.</td></tr><tr><td>Resolve BZ#455162: correct zone example configuration file, description.</td></tr><tr><td>Resolve BZ#460767: make it a proper daemon.</td></tr><tr><td>Resolve BZ#600702: correct directories used for SSL key generation.</td></tr></table>

</td></tr><tr><td align="left">Revision 7-0</td><td align="left">Wed Sep 30 2009</td><td align="left"><span class="author"><span class="firstname">Douglas</span> <span class="surname">Silas</span></span>, <span class="author"><span class="firstname">Jarek</span> <span class="surname">Hradilek</span></span>, <span class="author"><span class="firstname">Martin</span> <span class="surname">Prpic</span></span></td></tr><tr><td align="left" colspan="3">
					<table border="0" summary="Simple list" class="simplelist"><tr><td>Change heading titles to correspond with actual headings used in 'man rpm'.</td></tr><tr><td>Resolve BZ#499053: /usr/sbin/racoon is correct install path.</td></tr><tr><td>Remove any mention of 'pkgpolicy' in /etc/yum.conf as per BZ#237773.</td></tr><tr><td>Resolve BZ#455162: correct example zone file with regard to records, description.</td></tr><tr><td>Resolve BZ#510851: /proc/cmdline has confusing descriptions of sample output.</td></tr><tr><td>Resolve BZ#510847: page with multiple footnotes formatted incorrectly in online PDF.</td></tr><tr><td>Resolve BZ#214326: more detailed usage info concerning vsftpd banners and secueerity.</td></tr><tr><td>Resolve BZ#241314: formatting problems in screen elements.</td></tr><tr><td>Resolve BZ#466239: postfix connect-from-remote-host configuration fix.</td></tr></table>

</td></tr><tr><td align="left">Revision 7-0</td><td align="left">Mon Sep 14 2009</td><td align="left"><span class="author"><span class="firstname">Douglas</span> <span class="surname">Silas</span></span></td></tr><tr><td align="left" colspan="3">
					<table border="0" summary="Simple list" class="simplelist"><tr><td>Resolve BZ#214326: Server Security FTP Banner instructions: questions re: vsftpd.conf.</td></tr><tr><td>Resolve BZ#466239: insert line into Postfix config file to allow connecting remotely.</td></tr><tr><td>Resolve BZ#499053: path for racoon daemon is /usr/sbin/racoon, not /sbin/racoon.</td></tr><tr><td>Resolve BZ#510847: missing footnotes in PDF output.</td></tr><tr><td>Resolve BZ#510851: rewrite /proc/cmdline minor section to make more sense.</td></tr><tr><td>Resolve BZ#515613: correct location of RHEL5 GPG keys and key details.</td></tr><tr><td>Resolve BZ#523070: various minor fixes; --redhatprovides to rpm -q --whatprovides.</td></tr></table>

</td></tr><tr><td align="left">Revision 6-0</td><td align="left">Wed Sep 02 2009</td><td align="left"><span class="author"><span class="firstname">Douglas</span> <span class="surname">Silas</span></span></td></tr><tr><td align="left" colspan="3">
					<table border="0" summary="Simple list" class="simplelist"><tr><td>Resolve BZ#492539: "This directive is useful..." to "This directive must be used in machines containing more than one NIC to ensure...".</td></tr><tr><td>Resolve BZ#241314: re: kernel-pae and hugemem support on RHEL 4 and 5.</td></tr><tr><td>Resolve BZ#453071: incorrect tag use led to config files and other screen elements being displayed on single lines.</td></tr><tr><td>Resolve BZ#507987: clarify and correct statements about partitions being in use while resizing or removing.</td></tr><tr><td>Resolve BZ#462550: recommended amount of swap space, according to <a href="http://kbase.redhat.com/faq/docs/DOC-15252">http://kbase.redhat.com/faq/docs/DOC-15252</a>.</td></tr><tr><td>Resolve BZ#466239: line omitted from Postfix configuration meant connecting remotely failed</td></tr><tr><td>Resolving other MODIFIED BZs (fixed previously): 468483, 480324, 481246, 481247, 438823, 454841, 485187, 429989, 452065, 453466.</td></tr></table>

</td></tr><tr><td align="left">Revision 5-0</td><td align="left">Wed Jan 28 2009</td><td align="left"><span class="author"><span class="firstname">Michael Hideo</span> <span class="surname">Smith</span></span></td></tr><tr><td align="left" colspan="3">
					<table border="0" summary="Simple list" class="simplelist"><tr><td>Resolves: #460981</td></tr><tr><td>Changing 64GB *tested* support to support for 16GB.</td></tr></table>

</td></tr></table></div>

</div></div><div xml:lang="en-US" class="appendix" id="colophon" lang="en-US"><div class="titlepage"><div><div><h1 class="title">Colophon</h1></div></div></div><div class="para">
		The manuals are written in DocBook XML v4.3 format.
	</div><div class="para">
		Garrett LeSage created the admonition graphics (note, tip, important, caution, and warning). They may be freely redistributed with the Red Hat documentation.
	</div><div class="para">
		Contributing Writers: John Ha (System Administration, Filesystems, Kernel), Joshua Wulf (Installation and Booting), Brian Cleary (Virtualization), David O'Brien (Security and SELinux), Michael Hideo (System Administration), Don Domingo (System Administration), Michael Behm (System Administration), Paul Kennedy (Storage), Melissa Goldin (Red Hat Network)
	</div><div class="para">
		Honoring those who have gone before: Sandra Moore, Edward C. Bailey, Karsten Wade, Mark Johnson, Andrius Benokraitis, Lucy Ringland
	</div><div class="para">
		Honoring engineering efforts: Jeffrey Fearn
	</div><div class="para">
		Technical Editing: Michael Behm
	</div><div class="para">
		Graphic Artist: Andrew Fitzsimon
	</div><div class="para">
		The Red Hat Localization Team consists of the following people:
	</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
				East Asian Languages
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Simplified Chinese
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Tony Tongjie Fu
							</div></li><li class="listitem"><div class="para">
								Simon Xi Huang
							</div></li><li class="listitem"><div class="para">
								Leah Wei Liu
							</div></li><li class="listitem"><div class="para">
								Sarah Saiying Wang
							</div></li></ul></div></li><li class="listitem"><div class="para">
						Traditional Chinese
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Chester Cheng
							</div></li><li class="listitem"><div class="para">
								Terry Chuang
							</div></li><li class="listitem"><div class="para">
								Ben Hung-Pin Wu
							</div></li></ul></div></li><li class="listitem"><div class="para">
						Japanese
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Kiyoto Hashida
							</div></li><li class="listitem"><div class="para">
								Junko Ito
							</div></li><li class="listitem"><div class="para">
								Noriko Mizumoto
							</div></li><li class="listitem"><div class="para">
								Takuro Nagamoto
							</div></li></ul></div></li><li class="listitem"><div class="para">
						Korean
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Eun-ju Kim
							</div></li><li class="listitem"><div class="para">
								Michelle Kim
							</div></li></ul></div></li></ul></div></li><li class="listitem"><div class="para">
				Latin Languages
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						French
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Jean-Paul Aubry
							</div></li><li class="listitem"><div class="para">
								Fabien Decroux
							</div></li><li class="listitem"><div class="para">
								Myriam Malga
							</div></li><li class="listitem"><div class="para">
								Audrey Simons
							</div></li><li class="listitem"><div class="para">
								Corina Roe
							</div></li></ul></div></li><li class="listitem"><div class="para">
						German
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Jasna Dimanoski
							</div></li><li class="listitem"><div class="para">
								Verena Furhuer
							</div></li><li class="listitem"><div class="para">
								Bernd Groh
							</div></li><li class="listitem"><div class="para">
								Daniela Kugelmann
							</div></li><li class="listitem"><div class="para">
								Timo Trinks
							</div></li></ul></div></li><li class="listitem"><div class="para">
						Italian
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Francesco Valente
							</div></li></ul></div></li><li class="listitem"><div class="para">
						Brazilian Portuguese
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Glaucia de Freitas
							</div></li><li class="listitem"><div class="para">
								Leticia de Lima
							</div></li><li class="listitem"><div class="para">
								David Barzilay
							</div></li></ul></div></li><li class="listitem"><div class="para">
						Spanish
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Angela Garcia
							</div></li><li class="listitem"><div class="para">
								Gladys Guerrero
							</div></li><li class="listitem"><div class="para">
								Yelitza Louze
							</div></li><li class="listitem"><div class="para">
								Manuel Ospina
							</div></li></ul></div></li><li class="listitem"><div class="para">
						Russian
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Yuliya Poyarkova
							</div></li></ul></div></li></ul></div></li><li class="listitem"><div class="para">
				Indic Languages
			</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
						Bengali
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Runa Bhattacharjee
							</div></li></ul></div></li><li class="listitem"><div class="para">
						Gujarati
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Ankitkumar Rameshchandra Patel
							</div></li><li class="listitem"><div class="para">
								Sweta Kothari
							</div></li></ul></div></li><li class="listitem"><div class="para">
						Hindi
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Rajesh Ranjan
							</div></li></ul></div></li><li class="listitem"><div class="para">
						Malayalam
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Ani Peter
							</div></li></ul></div></li><li class="listitem"><div class="para">
						Marathi
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Sandeep Shedmake
							</div></li></ul></div></li><li class="listitem"><div class="para">
						Punjabi
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								Amanpreet Singh Alam
							</div></li><li class="listitem"><div class="para">
								Jaswinder Singh
							</div></li></ul></div></li><li class="listitem"><div class="para">
						Tamil
					</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
								I Felix
							</div></li><li class="listitem"><div class="para">
								N Jayaradha
							</div></li></ul></div></li></ul></div></li></ul></div></div></div></body></html>