Comprehensive System Administration
Lecture 9 notes:
administrivia:
Enrollment
Any problems? Please email me to get on the course announcement list:
jones@csua.berkeley.edu
Getting Help
If you have trouble, please email me, or one of the other teachers.
The OCF staffers are often around the lab, and can be helpful.
Don't forget your classmates can also be helpful.
Class Project
The course project description is in Lecture 5.
Your writeup is due by the end of April.
Questions?
class notes:
Topics:
process control
basic networking
basic security
Process Control
Process is unix-speak for "program." You can see what processes you have
running by using the ps command:
% ps
PID TTY TIME CMD
18061 pts/3 0:00 csh
18264 pts/3 0:00 tcsh
or
% ps -f
UID PID PPID C STIME TTY TIME CMD
jones 18061 18058 0 Apr 06 pts/3 0:00 -csh
jones 18264 18061 0 Apr 06 pts/3 0:00 tcsh
The "-f" flag gives more information (a "full" listing).
So what do these columns mean?
UID is the user that owns the process.
PID is the process ID of the process.
PPID is the PID of the process that spawned this process (the Parent PID).
TTY is the terminal on which the process is running.
CMD is the name of the process.
From the listing above, you can see that I have two processes, and
that the tcsh process was spawned from the csh process (the tcsh PPID
is the same as the csh PID).
This relationship is better illustrated by the pstree command:
% pstree jones
-csh---tcsh---vim
-csh---tcsh---perl---ps
Here you see that I have one window open editing this file with vim,
and another window running pstree, which is a perl script that
calls ps.
The basics - process control from the command prompt
Let's create a dummy process to manipulate. We'll create an empty
file, and create a process to watch for any lines added to the
end of that file:
% touch jib
% tail -f jib &
[1] + Suspended (tty output) tail -f jib
[1] 4739
What happened? Remember that the & character added to the end of
a line puts the command into the background.
The [1] above tells you that "tail -f jib" is job #1, while the [1] 4739
tells you that the PID of that process is 4739. We can confirm this with
ps:
% ps
PID TTY TIME CMD
18061 pts/3 0:00 csh
18264 pts/3 0:00 tcsh
4739 pts/3 0:00 tail
We can get the same result by starting the command without the "&",
and then sending the process the suspend signal by hitting ctrl-z:
(stuff the user types below is in bold)
% tail -f jib
^Z
Suspended
At this point, the process is suspended, and you are at a command prompt.
You can now do other stuff until you are ready to resume the process,
using fg to bring the process back to the foreground:
If this is a command that can run in the background (is not interactive
with the user) you can let the command run in the background using bg.
You can bring the command to the foreground at any time using fg.
At some point, you will want to end the command. You can send the interrupt
signal to the command while the command is in the foreground with ctrl-C:
At this point, the "tail -f jib" process is over.
more advanced: kill
The kill command can be used to control processes without bringing
them to the foreground. If you are the superuser, the kill command can
be used to terminate other user's commands, or to send signals to system
daemons, which the daemons interpret as input. A common example of this
is causing the web-server to reload it's configuration, after it has been
changed, by sending it the HANGUP signal: kill -HUP httpdPID (where
httpdPID is the PID of your webserver)
From a user's perspective, you can
% ps
PID TTY TIME CMD
5149 pts/25 0:00 csh
% ps -u jones
PID TTY TIME CMD
18061 pts/3 0:00 csh
4946 pts/36 0:01 vim
5149 pts/25 0:00 csh
4844 pts/3 0:00 tail
10955 pts/36 0:00 csh
18264 pts/3 0:01 tcsh
11081 pts/36 0:01 tcsh
If we call ps with no arguements, it reports on the processes
associated with the local terminal. To see all of my processes on the
machine, I call ps -u jones.
Say I went home or my computer froze and I wanted to stop that tail job.
I couldn't use job control as described above because I don't have access
to terminal 3. I would have to use the kill command:
% kill 4844
[2] Terminated tail -f jib
Some commands don't repond to the terminate signal (aka SIGTERM, aka
signal -15). You can send other signals to the program, for a full list,
read the kill manpage. The most popular signals are:
Signal Name Kill# nemonic catchable?
----------- ----- ------- ----------
hangup -1 HUP catchable
interrupt -2 INT catchable
quit -3 QUIT catchable
kill -9 KILL not catchable
terminate -15 TERM catchable
Catchable signals are signals that a program can "catch" and interpret
as input. It's up to the program's designer to cause the program to
behave in a predictable manner for a given signal (i.e. to cause the
program to exit when it gets a QUIT signal).
If a program doesn't respond to plain-vanila kill, or kill -3, you
can use kill -9 (or kill -KILL):
% ps
PID TTY TIME CMD
5493 pts/3 0:00 tail
18061 pts/3 0:00 csh
18264 pts/3 0:01 tcsh
% kill -3 5493
% ps
PID TTY TIME CMD
5493 pts/3 0:00 tail
18061 pts/3 0:00 csh
18264 pts/3 0:01 tcsh
% kill -9 5493
[1] Killed tail -f blah
% ps
PID TTY TIME CMD
18061 pts/3 0:00 csh
18264 pts/3 0:01 tcsh
kill -9 is viewed as a last resort, because it terminates the
program without allowing itself to clean up it's memory close any files
or do whatever else it is supposed to before exiting. Some programs
use the signals other than -9 as alerts that they are about to be killed,
and clean up, but don't terminate when those signals are recieved, so
those signals should be tried first.
More advanced stuff: process execution priority with nice
nice [-19 -> 19] cmd args (default is 10)
renice #
"be nice, run slower (less frequently)"
what's eating up my cpu time?
top
Basic Networking
Network configuration could be a very rich topic, and unfortunately for
the purposes of this class, we can't get into how it all works. At a bare
minimum, you should know how to get your machine onto a pre-existing
network. Happily, this is not too complex.
In order to get network connectivity, you will have to know the following:
- An unused IP address on your subnet
- The IP address of your subnet's gateway
- The netmask of your subnet
- Where your OS expects this information to be configured
- Your broadcast address
- Your Domain Name Server (DNS server)
Several terms have been introduced, so I'll give brief explanations:
IP Address the numerical address of your machine, i.e. 128.32.191.87
subnet a local area network
gateway the IP address of the machine that connects your subnet
to the greater network.
netmask this tells machines on your subnet whether communication
with a certain IP involves communication inside or outside your subnet.
broadcast address the subnet address that all machines watch for
broadcast messages. Usually you don't have to configure this, the
standard is
DNS server a machine on the net that translates from named internet
addresses (ie "google.com") to IP addresses.
This information is usually specified in rc files, with ifconfig
commands, or in some linux distributions, it is done with the new
command line tools ifup and ifdown (found in the
/etc/sysconfig/network-scripts on RedHat at the time of this writing).
Usually, when you install a system you are prompted to enter all of this
information, and if you do so correctly, your machine will be configured
properly. This is great, but what if you need to change the information
later, or if you made a mistake? You'd probably like to avoid doing a
complete reinstall just to reconfigure your networking.
Unfortunately, the config files containing this information are in
different places on each OS, so you'll need to consult the documentation
for your OS if you need to change this, or search around for it by hand.
Optionally, you may be able to access the tools that you used to configure
the system initially. For instance, on one version of VAlinux RedHat, I
was able to use the "/usr/sbin/netconfig" tool until I discovered where
the actual network configuration files were kept. Unfortunately that tool
is a specific installation/configuration tool, and probably doesn't exist
on other systems or even other versions of RedHat. Check your OS's docs,
especially the installation docs for hints on where to find such tools.
After you've got all this stuff configured, you can check if your system
can happily communicate to others on the network using the ping
command. Ping is a simple command that sends a packet and waits for a
response from the remote server (the response is sometimes called "pong").
I usually test pinging the gateway, and some machine not on the local
subnet:
famine [62] ping 128.32.191.1
128.32.191.1 is alive
famine [64] ping 64.208.34.100
64.208.34.100 is alive
At this point, we have to use IP addresses, rather than standard named
addresses like google.com because we haven't configured DNS yet.
Finally, if you don't have DNS configured, you can tell your system your
DNS server by modifying your /etc/resolv.conf file.
The file should contain at least a line that looks like:
nameserver 128.32.191.249
where the IP address is the IP address of a nearby DNS server.
You can specify as many nameservers as you like, and you can also specify
other things about your local network to make name resolution more
convenient. For instance you can add search and domainlines:
domain OCF.Berkeley.EDU
search OCF.Berkeley.EDU Berkeley.EDU
adding these lines allows you to specify addresses more simply, for
instance, I could simply type "ssh csua" rather than "ssh csua.berkeley.edu"
because the system would automagically search the domains specified for a
machine named csua.
Basic Security
stopping unneeded services:
disabling telnet and ftp:
(after making sure ssh is up and running, even after reboot)
Why disable telnet and ftp? Even though telnet and ftp are old services,
there are new bugs and exploits being found for versions of these utilites
on an ongoing basis. Besides new problems cropping up, there is a
fundemental problem with those two protocols in that they transmit your
password in plaintext over the net when you log in, allowing anyone who is
surreptitiously watching the network to learn your password as the bits zoom
by. The ssh and scp protocols have been created to replace telnet and ftp
respectively and address this problem. Be sure to install and configure
sshd before disabling telnet and ftp unless you don't intend to support
remote access.
The inet daemon starts the telnet and ftp services, and the file
/etc/inetd.conf controls which services inetd spawns on which ports. We
commented these services out and restarted inetd as specified in the file
itself.
From a inetd.conf file in which telnet has been turned off (note the #'s
before the telnet line):
# These are standard services.
#
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
inetd then needs to be told to reload it's configuration: (kill -HUP
inetd's PID).
To confirm that you successfully turned off a service, try to telnet to that
service's port (you can find what service is running on which port by
looking in /etc/inet/services or /etc/services):
Telnet usually lives on port 23:
telnet localhost 23
no homework
enrichment
read the manpages for ps, fg, bg, top, kill, nice, renice, and your favorite
shells
read the manpages for ping, resolv.conf