Fedora Linux

Preface

Welcome to Fedora Linux: A Complete Guide to Red Hat's Community Distribution. I've based this book on the premise that the best way to learn Linux is to use it; each lab deals with a specific task or problem and starts with solutions. It then expands the discussion to explain the principles underlying the solutions and shows you where you can learn more about the topic if you want to dig deeper. Although the labs do build on each other in some small ways, I expect that most readers will jump from lab to lab according to their needs and interests rather than read the book linearly from front to back. Where appropriate, I have included both graphical user interface and command-line techniques; use whichever approach suits your needs and style.

This book is written for experienced computer users, regardless of their previous experience with Linux. It covers both desktop and server configurations, and is ideally suited to an administrator or power user migrating to Fedora Linux from another environment, such as Windows, Mac OS X, or Unix. This book is targeted at Fedora Core 6 but will also be useful to users of Fedora Core 5 and Fedora Core 7.

Fedora is more than an operating system; it includes a wide range of applications, programming languages, and tools, and many of these packages are the subject of their own books. This book does not cover each topic in exhaustive detail; instead, it is designed to give you the most critical information in an accessible format and show you how the packages work within the context of Fedora.

At the time of writing, Fedora Core 6 was being finalized; my apologies for the inevitable little discrepancies between the screenshots and descriptions in this book and the final version of Fedora Core 6.

How This Book Is Organized

Each chapter in this book contains a number of labs. Each lab covers a task or problem and contains four sections:

How Do I Do That?
    A description of techniques that may be used to accomplish the task or solve the problem.

How Does It Work?
    An explanation of how the solution and the underlying technology work.

What About...
    An exploration of related concepts and ideas.

Where Can I Learn More?
    Pointers to additional information if you want to dig into the topic in greater detail.

The labs are grouped into 10 chapters:

Chapter 1, Quick Start: Installing Fedora
    Covers the installation of Fedora Core using a variety of installation media and methods.

Chapter 2, Using Fedora on Your Desktop
    Introduces the use of Fedora on the desktop, including the use and customization of the GNOME and KDE graphical user interfaces and the configuration of basic features such as the display and printing.

Chapter 3, Using Fedora on Your Notebook
    Deals with the issues specific to using Fedora on a notebook computer, including power management, hopping between networks, and configuring external video for presentations.

Chapter 4, Basic System Management
    Covers basic system management tasks, including user and group administration, file management, remote access, and service configuration.

Chapter 5, Package Management
    Discusses package management (adding, removing, and updating software) and shows you how to take advantage of the thousands of packages available through Fedora's software repositories.

Chapter 6, Storage Administration
    Deals with storage administration using logical volume management and RAID arrays. It also covers data backup, including unattended overnight backups.

Chapter 7, Network Services
    Is the server chapter. It covers the Samba file server (compatible with Windows systems), as well as DHCP, DNS, web, email, and print services. Web-based applications including Wikis and webmail round out the coverage.

Chapter 8, Securing Your System
    Deals with security using Fedora's security facilities, including SELinux, PAM, and ACLs.
Chapter 9, The Fedora Community
    Discusses the Fedora community and how you can become involved.

Chapter 10, Advanced Installation
    Deals with advanced installation options, including resizing a Windows partition to make room for Fedora, automating the installation process with Kickstart, and using Xen virtualization.

What You Need to Use This Book

Since this is a hands-on book, you'll want to have a computer available on which to run Fedora. Although you can use these labs with a production system, it's a good idea to use a noncritical machine so that you can freely experiment. And although it's not required, a good Internet connection is very helpful because it makes it easy to obtain software updates. If you have Fedora installed, that's great, but if you don't, Chapter 1 will take you through the process.

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic
    Indicates new terms, URLs, email addresses, filenames, file extensions, pathnames, and directories.

Constant width
    Indicates commands, options, switches, the contents of files, or the output from commands.

Constant width bold
    Shows commands or other text that should be typed literally by the user. Also used to highlight key portions of code or files.

Constant width italic
    Shows text that should be replaced with user-supplied values.

$
    This is the shell prompt for a regular user, which indicates that the command interpreter is ready to accept a new command. The normal Fedora shell prompt includes additional information before the dollar sign, including the username, hostname, and current directory; I've left those out to reduce clutter in the examples.

#
    This is the shell prompt for the system administrator, known as root or the superuser. Use the command su - to switch from a normal account to the superuser account.

Using Code Examples

This book is here to help you get your job done.
In general, you may use the code in this book in your programs and documentation. You do not need to contact O'Reilly for permission unless you're reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O'Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product's documentation does require permission.

We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: "Fedora Linux by Chris Tyler. Copyright 2007 O'Reilly Media, Inc., 978-0-596-52682-5."

Safari Enabled

When you see a Safari Enabled icon on the cover of your favorite technology book, that means the book is available online through the O'Reilly Network Safari Bookshelf. Safari offers a solution that's better than e-books. It's a virtual library that lets you easily search thousands of top tech books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information. Try it for free at http://safari.oreilly.com.

How to Contact Us

Please address comments and questions concerning this book to the publisher:

O'Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-998-9938 (in the United States or Canada)
707-829-0515 (international or local)
707-829-0104 (fax)

There is a web page for this book, which lists errata, examples, and any additional information. You can access this page at:

http://www.oreilly.com/catalog/fedoralinux

To comment on or ask technical questions about this book, send email to:

bookquestions@oreilly.com

For more information about books, conferences, software, Resource Centers, and the O'Reilly Network, see the O'Reilly web site at:

http://www.oreilly.com

Acknowledgments

Thank you to the open source community and to Red Hat and the Fedora community in particular for developing, integrating, and supporting such a powerful collection of software.

I'd like to thank my editor, Brian Jepson, for his patient and skillful work and many suggestions; David Brickner for getting me started on this project; and Behdad Esfahbod for his thoughtful and detailed technical review.

My deep gratitude to my loving wife Diane and my girls Saralyn and Laura, who have patiently kept the family going without me for the past eight months. And above all, my humble thanks to God for the skills and understanding he has given me; may they be used to His glory.

Chapter 1. Quick Start: Installing Fedora

Fedora is a powerful, fast-changing, freely available operating system. It can be used as a productive desktop or server environment, or it can be used to learn about Linux and experiment with new technologies.

1.1. Choosing Fedora: Is It Right for You?

There are many different Linux distributions, each with a different set of features, aimed at a different type of user. Before you invest time and effort in Linux, you need to decide if Fedora is the right distribution for you.

1.1.1. How Do I Do That?

Fedora Core is a collection of software that provides a complete working environment for a desktop or a server computer. It is often called an operating system, but, like other Linux distributions, it provides a lot more functionality than operating systems such as Microsoft Windows or Mac OS X because it includes desktop productivity applications and server software.
Fedora Extras is a collection of software that is compatible with and extends the functionality of Fedora Core.

Fedora is developed and supported by a large community of developers, testers, package maintainers, documentation writers, marketers, and advocates. Many leading community members are also employees of Red Hat, Inc., which provides servers, build systems (the computers that compile and test the thousands of packages included with Fedora), and some funding for the project. In return, Red Hat gains the opportunity to receive feedback on new software and features before incorporating them into its commercial product line, called Red Hat Enterprise Linux.

1.1.1.1. What compatibility do you need?

If you want (or need) to run Windows games or a specific Windows application, Fedora may not be the right OS for you, although Wine will let you run some Windows applications when you're in a pinch. Two commercial products based on Wine are available: Cedega, for Windows games, and CrossOver Office, for Microsoft Office and other business applications.

1.1.1.2. What level of stability do you need?

A new Fedora release is made approximately every four to nine months, and only the current and next-to-current releases are actively maintained by the project (beyond this time frame, security and bug fixes are supplied by the Fedora Legacy project). If you need a platform with long-term stability, consider using Red Hat Enterprise Linux (RHEL) instead (or CentOS, which is a nonaffiliated project based on RHEL that does not have commercial support). Each RHEL release is supported with updates and security enhancements for a full seven years.

Because Fedora serves as a testbed for new technologies, it can be used to gain a preview of the new technologies that will be incorporated into future Red Hat Enterprise Linux releases.

1.1.1.3. What kind of support do you need?
As a community distribution, support for Fedora is provided by the Fedora community rather than a commercial entity. That means that most questions receive a quick and friendly answer, but since no one is being paid to help you, you may not receive any answers to unique or unusual questions. If you like Fedora but need commercial support, consider using RHEL, which is Red Hat's fully supported commercial Linux product.

1.1.1.4. Does your equipment meet Fedora's system requirements?

Fedora will install on PCs with Intel and AMD 32- and 64-bit processors, as well as compatible processors from Transmeta, VIA, and others. You will need a minimum of 256 MB of memory, 7 GB of disk space, and a processor speed of 400 MHz to obtain reasonable performance with the graphical user interface. A broadband Internet connection is desirable for obtaining software updates but is not necessary.

You can install a very basic version of Fedora Core without a graphical user interface on a system with as little as 64 MB of memory, 1 GB of disk space, and a processor speed of 200 MHz. However, this is not recommended for desktop usage.

You can also install Fedora Core on a system with a PowerPC processor, such as an Apple Mac produced after 1999 and before 2006, or an IBM RS/6000 system.

1.1.2. How Does It Work?

Fedora Core includes over 2,200 software packages, and Fedora Extras (a library of compatible software) includes hundreds more. All of these packages are open source (http://www.opensource.org/), which means that the human-readable version of the software (source code) is distributed along with the ready-to-run binaries. Each package is licensed under one of a set of open source licenses that permits the software to be modified, adapted, and redistributed.

Most of these packages are developed and maintained by a team that may include developers, documentation writers, and testers, and most of the packages are not specific to Fedora; they're also distributed with other Linux distributions and non-Linux operating systems (for example, the excellent Firefox web browser is used on Linux, Windows, Mac OS X, and many other operating systems). Each of these pieces of software is packaged for Fedora by another maintainer. To distinguish the two groups, the original developers and maintainers of the software are called the upstream maintainers, while the people responsible for integrating the package into Fedora are called Fedora maintainers. The Fedora packages use the RPM package format for ease of management by package tools such as yum.

The current development version of Fedora is called Rawhide (see Lab 9.4, "Running Rawhide") and is highly unstable; people using Rawhide expect a steady flow of changes, along with features that appear and disappear, and work and then stop working again. Rawhide serves as the testing and proving ground for the software that will become the next Fedora release. A similar process is used for Fedora Core updates and Fedora Extras: software is released to a testing repository, where it is tested by volunteers on the bleeding edge, and once the bugs are worked out, the software is moved to the Fedora Core updates or Fedora Extras repository.

1.1.3. What About...

1.1.3.1. ...trying Fedora but also keeping Windows?

Fedora Core can be configured for dual booting, as long as you have sufficient disk space for both operating systems. You will be given the opportunity to select the default operating system during the Fedora installation, and you can override this default during the boot process, selecting the operating system you wish to use from a menu.
If Windows is currently using your entire hard disk, you will need to resize the Windows partition (see Lab 10.1, "Resizing a Windows Partition") or add an extra disk drive. If Windows is not yet installed on your computer, you should install it before Fedora; otherwise, it may overwrite your Fedora bootloader (or, in some cases, the entire Fedora installation).

1.1.3.2. ...other Linux distributions?

There are dozens and dozens of Linux distributions, each aimed at a different audience. For details about specific distributions, visit http://distrowatch.com.

1.1.3.3. ...seeing a list of the software packages included in Fedora Core?

Visit http://download.fedora.redhat.com/pub/fedora/linux/core/6/i386/os/repodata/, and you'll see a browsable display of all of the packages in Fedora Core. Click on a package name to see a detailed description of the package.

1.1.4. Where Can I Learn More?

1.2. Obtaining Fedora Core Software

The Fedora software exists in two parts: Fedora Core, a Linux distribution that includes base applications for desktop and server systems, and Fedora Extras, a repository of additional applications that can be added easily to a Fedora Core system. The first step is to obtain a copy of the Fedora Core software itself.

1.2.1. How Do I Do That?

The Fedora Core installer is a bare-bones configuration of Linux designed specifically for the installation process. Once the installer is running, it configures and installs the Fedora Core software on your system. There are, therefore, two parts to the software: the software used to boot up the system for the installation session, and the software that is installed on your system. These may be on the same media, or they may be separated into boot media and installation media.

1.2.1.1. Determining your architecture

Before selecting the media and obtaining the software, you must determine which architecture (machine type) you are using.
Fedora Core is available for three different architectures:

i386
    All Intel-compatible 32-bit systems with a standard BIOS, including all Intel 32-bit Celeron, Pentium, Centrino, and Core systems; AMD 32-bit Athlon, Duron, and Turion systems; and VIA CPUs such as the C3 and Eden processors. Older processors such as 80386, 80486, and K6 processors will also work. Fedora Core may be installed on Apple Mac systems with an Intel processor by using Apple's Boot Camp software (included in Mac OS X 10.5 and available in beta form for Mac OS X 10.4).

x86_64
    All AMD-compatible 64-bit systems, including Opteron, Athlon 64, Duron 64, and Turion 64 systems, and Intel 64-bit Pentium 4, Xeon, and Core 2 systems. These systems can also run the i386 version but will do so in 32-bit mode.

PPC
    Systems based on the PowerPC G3/POWER4 and later PowerPC processors, including recent PPC-based Apple Macs (manufactured between 1999 and 2006), IBM eServer pSeries, and IBM RS/6000 systems.

This chapter focuses on the i386 and x86_64 platforms, but the PPC installation procedure is quite similar.

1.2.1.2. Choosing boot and installation media

The Fedora Core installation boot software is usually started from a CD or DVD disc. It's also possible to boot from a USB flash disk drive if the system's BIOS supports it, or to boot from a network boot server using the PXE protocol. Table 1-1 outlines the boot media requirements.

Table 1-1. Boot media requirements for installing Fedora Core 6

Media type: DVD
    Media count: 1
    Size: 4.7 GB (or larger)
    Notes: All of the software will fit on one disc (which serves as both the boot and installation medium), so this is usually the fastest and most convenient installation option.

Media type: CD
    Media count: 1
    Size: 8 MB (any CD)
    Notes: A single CD or mini-CD can be used to start a network or hard disk installation. If you will be using CDs for both the boot and installation media, five 700 MB discs are required (see Table 1-2).

Media type: USB flash drive
    Media count: 1
    Size: 8 MB or higher
    Notes: Requires a Linux system to configure the drive. Useful for network or hard disk installation. The BIOS of some systems will not permit booting from a USB flash key (beware of BIOS versions that permit booting only from a USB floppy or Zip drive).

Media type: PXE Server (Network Boot)
    Media count: 1
    Size: 6.5 MB
    Notes: Requires an existing system to serve as the PXE server (see Lab 10.3, "Preparing Alternate Installation Media").

Once the system has been booted, the rest of the installation software can be on a DVD, several CDs, an existing hard drive partition on the computer (or an external hard disk drive), or an FTP, NFS, or HTTP server. Table 1-2 outlines the requirements.

Table 1-2. Installation media requirements for Fedora Core 6

Media type: DVD
    Media count: 1
    Size: 4.7 GB or higher
    Notes: Same media used for booting.

Media type: CD
    Media count: 5
    Size: 700 MB
    Notes: The images will not fit on 650 MB discs, such as some CD-RWs or old CD-Rs.

Media type: Network server (HTTP, NFS, or FTP)
    Media count: 1
    Size: 3.5 GB of disk space on the server
    Notes: HTTP is the lightest of the three protocols and is often the easiest to set up.

Media type: Hard disk partition
    Media count: 1
    Size: 3.5 GB of disk space
    Notes: Only ext2 and ext3 (Linux) and FAT (Windows/DOS) partitions are supported, on an internal or external disk drive. NTFS and LVM-based partitions will not work. This option is useful when adding Fedora to a computer that already has an operating system installed; the existing OS can be used to download the installation images. Note that the file size exceeds the maximum for FAT16 filesystems (2 GB).

1.2.1.3. Creating Fedora Core CDs or DVDs

To create a Fedora Core CD or DVD set, you must obtain the ISO image files. To download the entire Fedora Core distribution for installation direct from disc, use one of these two procedures:

iso directory. You will probably not need the files containing "SRPM" in the name. If you want the CD images, get the files containing "disc1," "disc2," and so forth in the name; to obtain the DVD image, get the file containing "DVD" in the name.
Some download tools have problems with files over 2 GB in size. Most of the time, these problems affect only the download size, progress, or time-remaining displays during the download process, but some versions of the Lynx browser will not successfully download files over 2 GB. Older versions of wget also have a 2 GB limitation. If you are downloading onto a Windows system that is formatted with the FAT file system, the maximum file size may be 2 GB (FAT16) or 4 GB (FAT32).

To download only the boot disk ISO (for use with a network or hard disk installation):

os directory, and then select the images directory. Download the file named boot.iso. (You can also find this file in the images directory of the Fedora Core DVD or CD disc 1.)

Once you have the image files, burn them onto optical media using the CD-creator program available on the platform used for downloading. For example, on Windows you could use Nero or Roxio Easy Media Creator; on a Linux system (such as Fedora Core 4), right-click on the file and select "Write to disc," or use a tool such as K3b, xcdroast, or growisofs.

When burning a CD or DVD, use the ISO image file as the disc filesystem, but do not place the ISO image inside another filesystem on the disc. You will usually get the correct results if you save the ISO file to the desktop and then double-click on it. To verify that the disc was created correctly, open it after you burn it: you should see several files and directories. If you see a single file with a .iso extension, the disc was not created correctly.

1.2.1.4. Buying Fedora Core CDs or DVDs

Depending on the speed of your Internet connection, it may be faster and cheaper to purchase a set of Fedora discs than to download the software. A list of online Fedora Core vendors is available at http://fedoraproject.org/wiki/Distribution/OnlineVendors, and a list of local retailers carrying Fedora Core is at http://fedoraproject.org/wiki/Distribution/LocalVendors.

1.2.1.5. Preparing files for a hard disk installation

To install Fedora Core from a FAT, ext2, or ext3 partition, simply copy the ISO image files for the DVD or CD set onto that disk partition. For example, on a Windows system with a FAT32 disk partition D:, download the DVD image file as though you were going to burn it onto a DVD but place the image file on drive D: (be sure to record the name of the directory/folder containing the images!).

1.2.1.6. Preparing a USB flash disk, network installation server, or PXE boot server

Each of these tasks is most easily performed on a running Linux system; see Chapter 10 for instructions. (Similar software is available for other platforms.)

1.2.2. How Does It Work?

An ISO image file is an exact copy of the contents of an optical disc. The name comes from the fact that data on optical discs is stored using a standard known as ISO 9660.

Each type of boot media has a unique standard for specifying how boot data is stored. On optical discs, the El Torito standard permits the system BIOS to find the boot software. For USB disks, a standard hard disk boot sector is used. For PXE network booting, a boot protocol (bootp) server is used to identify the boot files, and a trivial file transfer protocol (TFTP) server is used to serve them to the client system.

The first piece of software that loads from the boot media is the bootloader: isolinux for optical discs, syslinux for USB flash drives, or pxelinux for PXE boot servers. After accepting boot parameters from the user, the bootloader subsequently loads two files:

vmlinuz
    A compressed Linux kernel; the heart of the Fedora Core operating system.

initrd.img
    A filesystem image that is loaded into memory and used as a ramdisk. This provides the drivers, startup scripts, and programs to get the system started.

Once these files have been loaded, the kernel is executed and begins the install process.

1.2.3. What About...

1.2.3.1. ...installing from a floppy disk?
The Fedora installer has grown to the point that it no longer fits on a floppy disk. The USB flash disk method has replaced the floppy-disk boot procedure.

1.2.4. Where Can I Learn More?

syslinux, isolinux, and pxelinux: http://syslinux.zytor.com/

1.3. Installing Fedora Core

Installing Fedora Core is a simple and straightforward task on most modern computers.

1.3.1. How Do I Do That?

To install Fedora Core, you'll need the installation media and your computer. If you are going to use a local area network or broadband Internet connection, it's recommended that you have it connected during the installation process. A Fedora installation will usually take 15 to 90 minutes, depending on the speed of your computer and the amount of optional software you choose to install.

1.3.1.1. Preparing for dual-boot

If your system already has Windows installed, and you intend to continue to use Windows, you will need to free up some space on the hard disk for Fedora Core. See Lab 10.1, "Resizing a Windows Partition," for instructions on shrinking a Windows disk partition (or deleting one that is unused). There is an alternative to repartitioning your disk: you can install an additional disk drive in your system and use that drive for Fedora, or use an external USB or FireWire drive.

Be sure to check the system requirements in the release notes at http://fedora.redhat.com/docs/release-notes/ or in the root directory of the Fedora Core DVD or CD disc 1.

If you have any data on your system that you want to preserve, back it up before installing Fedora Core, and test the integrity of the backup copy.

1.3.1.2. Starting the installation

Insert your installation media (DVD, CD, or USB stick, or plug your system into a network with a PXE network boot server) and turn your system on. If it does not boot from the installation media, change your system BIOS settings to boot from it.

The first thing you will see is the boot screen shown in Figure 1-1.

Figure 1-1. Fedora Core installation boot screen

The boot: prompt at the bottom of the screen lets you configure special options. You can press Enter for a standard, graphical installation, or you can type linux followed by any of the keywords in Table 1-3 to specify particular options for the installation session. Table 1-4 lists hard disk device names. Additional installation boot options are discussed in Chapter 10.

Table 1-3. Fedora Core basic installation options

Option: lowres
    Description: Uses 640x480 screen resolution.
    Notes: Use if you are installing with a very old monitor.

Option: resolution=1024x768
    Description: Specifies a standard video resolution.
    Notes: Use if the installer does not correctly detect your monitor capabilities and the video signal is out of range.

Option: text
    Description: Uses text mode for installation (no graphics mode or mouse access).
    Notes: Use this if graphics are garbled or slow when using the regular installer.

Option: askmethod
    Description: Ask the user for the installation method (source of the software to be installed).
    Notes: The installer will automatically ask if the boot media is a USB flash drive or a network boot. For a CD or DVD installation, the installer will assume that you're installing from the CD or DVD unless the askmethod or method= options are specified.

Option: method=method
    Description: Specifies the installation method:
        cdrom: Install from optical disc (CD or DVD)
        http://server/path: Install from HTTP server
        ftp://server/path: Install from FTP server
        nfs:server/path: Install from an NFS server
        hd://partition/path: Install from an ISO file on a hard disk partition
    Notes: For the hd installation method, take the hard disk device name from Table 1-4 and add the partition number at the end. For example, if the ISO file is in the folder fc6 on the 2nd partition of the primary master hard disk, use: method=hd://dev/hda2/fc6/.

Option: expert
    Description: Enables the use of a driver disk with additional device driver modules.
    Notes: Use this to install onto hardware that requires driver modules not included in Fedora Core 6.

Table 1-4. Hard disk device names

Device name    Disk type              Controller     Unit
/dev/hda       Parallel ATA (IDE)     Primary        Master
/dev/hdb       Parallel ATA (IDE)     Primary        Slave
/dev/hdc       Parallel ATA (IDE)     Secondary      Master
/dev/hdd       Parallel ATA (IDE)     Secondary      Slave
/dev/hde       Parallel ATA (IDE)     Auxiliary #1   Master
/dev/hdf       Parallel ATA (IDE)     Auxiliary #1   Slave
/dev/hdg       Parallel ATA (IDE)     Auxiliary #2   Master
/dev/hdh       Parallel ATA (IDE)     Auxiliary #2   Slave
/dev/sd followed by a letter    SATA, SCSI, IEEE1394, or USB    The letter is a for the first disk found, b for the second disk found, c for the third disk, and so forth. With USB and IEEE1394 (FireWire) devices, the assignments may change between reboots.

For example, if you are using a CD for booting, and you want to use text mode and to be asked for the installation method, enter this boot string:

    boot: linux text askmethod

In most cases, you should simply press Enter at the boot prompt. The Linux kernel and ramdisk (initrd.img) will load, as shown in Figure 1-2, and then start executing, as shown in Figure 1-3.

Figure 1-2. Loading the kernel and initrd (ramdisk)

Figure 1-3. The Linux kernel starting up

1.3.1.3. Testing the installation media

At this point, if you are installing from a DVD or CD set, a media-check tool enables you to test the DVD or CD set, as shown in Figure 1-4. Press Enter to test the discs (optional), or press Tab and then Enter to skip the media check. The tests will take 2 to 6 minutes per CD or 8 to 12 minutes per DVD on a modern computer.

Some disc burning programs will pad the image before burning it, adding additional data to the end of the disc. This will cause the disc to fail the media check even though the disc is valid.

Figure 1-4. DVD/CD media check

1.3.1.4. Selecting the installation method

The screen shown in Figure 1-5 will appear only if you did not boot from an optical disc, or if you entered the method or askmethod keywords at the boot prompt (Figure 1-1).

Figure 1-5. Language selection screen

Select the language to use during installation using the up/down cursor keys, and then press Enter to proceed. The keyboard selection screen shown in Figure 1-6 will appear.

Figure 1-6. Keyboard selection screen

Select the entry that matches your keyboard and press Enter. If you included the askmethod keyword at the boot prompt or booted from a USB flash disk or a PXE boot server, the installation method dialog shown in Figure 1-7 will appear next.

Figure 1-7. Installation method dialog

If you select an installation method that is network-based (NFS, FTP, or HTTP), you will be presented with a network configuration screen where you can enable automatic IP configuration through DHCP and select IPv4 (used on most networks) and/or IPv6. If you do not enable DHCP support, an additional page will appear to collect the IP settings (IP address, netmask, DNS server, and gateway). In most established networks (including small business or home networks with a broadband Internet connection through a router/gateway device), the IP settings can be obtained from a DHCP server. If in doubt, try the DHCP server option; if it fails, you will be given the opportunity to enter the network information manually.

If you select the hard disk installation method, you will be prompted to select the disk device and path to the Fedora Core ISO images. Use Table 1-4 to determine the disk device, and append the partition number to the device name (for example, use /dev/hda2 for partition 2 on the IDE primary master disk); for the path, enter the pathname of the directory containing the ISO images, using the forward-slash (/) character to separate directories instead of the Windows-style backslash (\).

1.3.1.5. Installation stage 2

At this point, control of the system passes from the boot media to the installation media.
For example, if you've used a USB flash drive to boot and HTTP for the installation method, it is at this point that the system switches over to software from the HTTP server.

If you're using a graphical installation, the graphical environment will be started now, and the splash screen shown in Figure 1-8 will appear. Click Next to proceed.

If your mouse is not working, you can activate a graphical button on the installation screen by using the keyboard; just press Alt and the letter underlined in the button label. For example, to view the release notes while on the splash screen in Figure 1-8, press Alt-R (because R is underlined on the Release notes button).

If you are using a text-mode installation, you will see a text-based version of each of the following screens; the layout may be slightly different to accommodate the available screen space and the absence of a mouse pointer. Use the Tab key to navigate among the controls on the text screen. You cannot manually create a new Logical Volume configuration using the text-mode installer.

Figure 1-8. Fedora Core graphical-installation splash screen

If you have not already selected your language and keyboard type, the screens shown in Figures 1-9 and 1-10 are presented to collect this information.

Figure 1-9. Graphical language selection

Figure 1-10. Graphical keyboard selection

1.3.1.6. Upgrading a Fedora installation

The installation program will check to see if you have an existing Fedora installation; if you do, it will offer you the option of upgrading the current system instead of performing a new installation (Figure 1-11).

Figure 1-11. Upgrade option

Choose Install Fedora Core if you want to replace your existing installation, or "Upgrade an existing installation" if you want to upgrade your existing Fedora system to Fedora Core 6. Click Next.
This dialog may appear if you previously started a Fedora installation, but aborted the installation process before it was finished (producing a partially installed system). In that case, choose Install rather than Upgrade to ensure that the new system is complete.

If you have an existing Fedora installation and you want to replace it with Fedora Core 6, but you wish to preserve the data in your home directories, and the home directories have their own filesystem or partition, you can choose Upgrade.

If you choose Install, skip to the next section titled "Performing a New Fedora Installation." Otherwise, the screen shown in Figure 1-12 will appear, asking what you want to do with the bootloader configuration.

Figure 1-12. Bootloader configuration during upgrade

Choose an option based on your current bootloader:

Update boot loader configuration
    Use this if your previous installation installed the GRUB bootloader (the default for recent versions of Fedora Core).

Skip boot loader updating
    Use this if you are using a third-party bootloader program. You will need to refer to your bootloader documentation to determine how to update the bootloader manually.

Create new boot loader configuration
    Select this option if you are using the older LILO bootloader. The installation system will replace LILO with GRUB.

Click Next. After a few seconds, the screen shown in Figure 1-13 will appear.

Figure 1-13. Fedora installation confirmation screen

This is the point of no return. Click Next to proceed with the upgrade, but remember that the upgrade process must run to completion and cannot be safely interrupted. The Fedora installer will analyze the software installed in your existing Fedora system, determine what needs to be updated, and install the new packages.

1.3.1.7. Performing a new Fedora installation

If any of your hard disks are empty and have not been previously used, the warning message displayed in Figure 1-14 will appear.
If the drive contains data that you wish to preserve, abort the installation and boot into your existing operating system, figure out why the disk does not show a partition table, and restart the installation. Otherwise, click Yes to continue the installation.

Figure 1-14. Warning about a blank partition table

The installer will now ask what you want to do about partitioning, as shown in Figure 1-15. In most cases, there are four options available:

Remove all partitions on selected drives and create default layout
    This will wipe out everything on the drive and use the entire drive for Fedora Core. Select this option on a new computer or a computer you want to convert for use entirely with Fedora Core. This is also the right option to use when you are installing Linux on a second (or third) disk drive, leaving the software and data on the other drives untouched, but be careful that only the Fedora Core drive is selected in the list of available disks.

Remove Linux partitions on selected drives and create default layout
    Use this option if you are replacing an existing Linux installation and want to leave other operating systems (such as Windows) untouched.

Figure 1-15. Disk and partition strategy selection

Use free space on selected drives and create default layout
    If you have unused space on your disk drive, or you have shrunk a Windows partition to free up some space, select this option.

Create custom layout
    If you are familiar with partitioning and have special requirements (for example, you wish to preserve only one filesystem, such as /home, from a previous Linux installation), select this option.

If you have more than one disk drive installed, you will be able to select the drive(s) to be used for Fedora using the checkboxes in the rectangle labeled "Select the drive(s) to use for this installation." Refer to Table 1-4 for Linux disk names.
At the bottom of this screen, be sure to select the checkbox labeled "Review and modify partitioning layout" so that you will have an opportunity to see the proposed disk layout before it is used. Click Next to continue.

If you have selected an option that involves removing an existing partition, you will see the partition-removal warning shown in Figure 1-16. Review the information shown, and then click Yes to confirm that you are prepared to remove the partitions listed.

Figure 1-16. Partition removal warning

1.3.1.8. Partitioning layout

By default, Fedora Core uses a system called Logical Volume Management (LVM). A partition managed using LVM is called a physical volume (PV). Storage space from one or more PVs is used to create a pool of storage called a volume group (VG). Out of this pool of storage, one or more virtual partitions are created; each virtual partition is a logical volume (LV). Figure 1-17 illustrates the relationship between these components.

Figure 1-17. Relationship between LVM components

LVM has several advantages over traditional partitioning:

home filesystem. Chapter 6 delves into more detail regarding LVM.

Although logical volumes can be enlarged or reduced at any time, the ext3 filesystem that Fedora uses can be enlarged only while it is in use. It must not be in use when it is reduced in size. This can make it fairly complicated to shrink an ext3 partition. Because it's difficult to determine how much disk space each filesystem will require in the future, it is a good idea to make Fedora filesystems no larger than necessary at first, and then add space to them as required. This avoids the need to reduce the size of one LV in order to increase the size of another.

Unfortunately, the LVM system is too complex to use during the early stages of the booting process, so a system configured to use LVM must also have a small traditional partition for boot files.
In order to use Fedora Core's hibernate feature, you will also need a swap partition (either instead of or in addition to swapspace on a logical volume). See Lab 3.1, "Power Management," for more information on hibernation.

If you have selected a partitioning option that includes the default layout and have selected the checkbox to review and modify the layout, the screen in Figure 1-18 will appear at this point in the installation.

Figure 1-18. Fedora Disk Druid partitioning screen

The table on the bottom half of the screen contains two sections: one for LVM volume groups and one for hard disks. The default layout creates a 100 MB boot partition, and takes all remaining available disk space on all drives and places it in a single volume group named VolGroup00. The space in this volume group is then divided into two logical volumes: LogVol00 for the root filesystem and LogVol01 for swap space (virtual memory).

There are three improvements that we are going to make to the default Fedora Core partition/LVM layout:

/home filesystem, so that users' home directories are separated from the operating system. This will enable you to wipe out the operating system and reinstall it (or install another distribution of Linux or a later version of Fedora Core) without affecting the users' files.

To make these changes, double-click on the line in the table that reads VolGroup00 and then click the Edit button. The Edit LVM Volume Group window will appear, as shown in Figure 1-19.

Figure 1-19. Edit LVM Volume Group window

Start by changing the Volume Group Name at the top of this window from VolGroup00 to main. Next, click on the entry that has a mount point of / and click Edit; the Edit Logical Volume window shown in Figure 1-20 will appear.

Figure 1-20. Edit Logical Volume window for the root LV

Change the Logical Volume Name to root, and change the size to a value that is closer to the size of the installation.
I recommend 8,000 MB (i.e., 8 GB; most server and desktop systems will take 2-6 GB of space to install, so 8 GB gives a modest amount of headroom). Click OK when you are done.

Repeat the process for the other predefined LV: click on this LV and then click Edit. Change the Logical Volume Name to swap, leaving the size at the default value. Click OK when you are done. Figure 1-21 shows the settings.

Figure 1-21. Edit Logical Volume window for the swap LV

Finally, click the Add button and create a new Logical Volume to hold the home directories, as shown in Figure 1-22. Set the Mount Point to /home, the File System Type to ext3, the Logical Volume Name to home, and then set a reasonable size for storing the users' home directories (if you're not sure what value to use, start with 1000). Click OK when you are done.

Figure 1-22. Creating a new Logical Volume for the home LV

Review the final disk partition and LVM layout, and then click Next. The bootloader configuration screen will appear, as shown in Figure 1-23.

Figure 1-23. Bootloader configuration screen

The default bootloader configuration replaces any existing bootloader installed on the main hard disk. If you have more than one operating system installed, the bootloader will ask you which OS to boot when the system is started. If you have a Windows boot partition present, it will be listed as a boot option, but it will be labeled Other. To change this label to something more descriptive, click on that entry, and then click Edit. Enter the text of your choice, such as Windows XP Professional, and then click OK. Use the checkboxes in the Default column to select which operating system will be loaded by default if the user doesn't override the selection at boot time.

It is a good idea to install a bootloader password. Without this, any person with physical access to your machine will be able to easily override all security by booting the system into single-user mode.
Click "Use a boot loader password" and then enter your selected password twice when prompted.

The bootloader password is a critical piece of information. Don't lose it!

Click Next to proceed.

1.3.1.9. General questions

If you have not already configured the network, and you have a network adapter installed in your system, the network configuration screen appears next, as shown in Figure 1-24.

Figure 1-24. Network configuration screen

If you have a DHCP server on your network, which is the case in most large networks and in most small office and home networks that have a broadband Internet gateway/router device, then you will only need to change the "Set the hostname" option to "manually" and then enter the hostname of your choice (unless your DHCP server sets the hostname for you). If you have a registered domain, choose a hostname within that domain, such as bluesky.fedorabook.com (which specifies the host bluesky within the domain fedorabook.com); otherwise, choose a hostname and append .localdomain to the end of the name.

If you do not have a DHCP server on your network, select your primary Ethernet card from the Network Devices list and then click Edit. You will see the Edit interface window shown in Figure 1-25. Click on the "Configure using DHCP" option to deselect that checkbox, then enter the IP address and netmask. Click OK to save this information, and enter the hostname, gateway, and DNS server information in the blanks provided (it is necessary only to enter a Primary DNS server).

Figure 1-25. Edit interface window

Click Next to proceed to the next step in the installation, which is time zone selection, as shown in Figure 1-26.

Figure 1-26. Time zone selection

Click on your region of the map to zoom in, and then click on the major city closest to your location, or use the pull-down menu to select your time zone. You can choose to configure the system's hardware clock to store information in local time or in Coordinated Universal Time (UTC).
This is controlled by the checkbox labeled "System clock uses UTC." If you are using multiple operating systems on your computer (dual-boot), to use local time, deselect the checkbox so that the other operating system will interpret the time correctly. If you are using only Fedora, or Fedora and another distribution of Linux, choose UTC by selecting the checkbox. This will avoid multiple adjustments of the clock when entering or exiting daylight savings time. Click Next to proceed.

The screen in Figure 1-27 requests that you enter a root password for the system (twice). This is the master system administration password, so be sure to safeguard it against both theft and loss. Choose passwords that are easy for you to remember but hard for others to guess. One way to do this is to choose a line or verse from a song, poem, book, or play, and use the first letter from each word plus the punctuation marks. For example, from Shakespeare's line "Do you bite your thumb at us, sir?" you would derive the password Dybytau,s?

Figure 1-27. Creating a root password

1.3.1.10. Software selection

The next screen, shown in Figure 1-28, is used to select the software that will be installed. Use the checkboxes to select the categories of applications that you wish to have installed. To further refine the software selection, select the "Customize now" option; this is recommended if you are installing on a system with minimal disk space or a slow Internet connection.

When installing from DVD or CD, the button labeled "Add additional software repositories" can be used to add a Fedora Updates network repository to ensure that the latest versions of the Fedora Core packages are installed. This can be somewhat faster than installing the disc version of all packages and then updating the software after installation, but it requires a good Internet connection (or local repository). See Lab 5.3, "Using Repositories," for more information.

Figure 1-28. Software selection screen

Click Next to continue. If you selected "Customize now," you will see the screen shown in Figure 1-29. Otherwise, skip ahead two paragraphs.

Figure 1-29. Software customization screen

Select a category on the left side to see the package groups within that family on the right side. Use the checkboxes provided to select the groups you want. For even finer control, you can select a package group, click the "Optional packages" button, then select the individual packages you wish to include from the window shown in Figure 1-30.

Figure 1-30. Optional package selection screen

Click Next to continue. After a short time for dependency processing, the screen shown in Figure 1-31 will appear.

Figure 1-31. Installation confirmation

This is the point of no return; once you click Next, the partition table, filesystems, and bootloader will all be modified. Once the installation process begins, it cannot be safely interrupted and must be allowed to run to completion. During the installation, a progress bar similar to the one in Figure 1-32 will be shown.

Bored? You can read the release notes during the installation; just click on the button in the lower-left corner of the screen.

Figure 1-32. Installation progress indicator

When the installation is complete, the confirmation message shown in Figure 1-33 is displayed. Remove the installation boot media, and then click Reboot to start up the new system. On some systems, you may need to click Reboot and wait for the system to start the boot process before you can remove optical media.

Figure 1-33. Completed installation

1.3.1.11. First boot

The first time you boot your freshly installed Fedora system, you will be asked a few questions to finish up the initial configuration. The display shown in Figure 1-34 will greet you; as you work through the questions, the arrow on the lefthand side of the screen will move downward to indicate your progress.

Figure 1-34. First boot welcome screen

Click Forward to proceed to the license-agreement screen. Read the license carefully, and then click Yes or No to indicate whether you accept the license terms.

Click Forward to enter the firewall configuration screen. I strongly recommend that you leave the firewall enabled, and that you initially select only ssh as a trusted service. You can loosen your firewall to permit other inbound services later, as you set those services up.

Click Next to proceed to SELinux configuration. SELinux hardens the Linux kernel against attack. Although it can be a bit difficult to configure at times, the protection that it provides is well worth the extra effort. SELinux is covered in more detail in Lab 8.2, "Using SELinux." For now, leave the Modify SELinux Policy option at its default setting; you can always adjust SELinux later.

Click Forward to proceed to the date and time configuration screen. Select the current date by clicking on the calendar, and enter the current time into the fields provided.

If you have an always-on Internet connection, click on the Network Time Protocol tab. Select the checkbox labeled Enable Network Time Protocol. This will configure your system to communicate with timeservers on the Internet to keep the clock closely synchronized to official time. This is valuable because it ensures that time and date stamps on your system are always accurate.

You can edit the list of timeservers that can be contacted using the Add, Edit, and Remove buttons beside the server list. The NTP Server Pool Project maintains a pool of publicly accessible timeservers; the default server list (0.fedora.pool.ntp.org, 1.fedora.pool.ntp.org, and 2.fedora.pool.ntp.org) configures your system to randomly select up to three timeservers from the pool at boot.
To use a timeserver in your country, use your ISO country code as the hostname within the pool.ntp.org domain; I'm in Canada, so a server in my country could be found using the name ca.pool.ntp.org.

Click Next to proceed on to creating the first user. The root password that you entered during installation is used only for system administration and should not be used for day-to-day work. This screen lets you create the first user account; you can create as many additional accounts as you want later (see Lab 4.7, "Managing Users and Groups"). Fill in the four fields on this screen:

Username
    Choose a username that contains no spaces and starts with a letter. This name will be used for logging in and will also serve as the user's local email address (typically, this is not intended to replace the email address you got from your ISP or mail provider; it is generally used to receive system notices and other local messages). I recommend using only lowercase letters, digits, underscores, and periods. If you are setting up a home or personal system, first names work well; for a corporate server, full names in firstname.lastname form reduce the likelihood of confusion between users (now and in the future).

Full name
    Enter the user's full name (for example, Chris Tyler).

Password
    Enter a password that is easy to remember and hard to guess. Just like the root password, using the first letter from each word plus the punctuation from an obscure line of text can be helpful (for example, FL:AcgtRHcd. for "Fedora Linux: A complete guide to Red Hat's community distribution.").

If the button in the lower-righthand corner of the screen reads Forward, there is one more step. Click on that button to proceed to the sound card check screen. On this screen, click on the Play button (labeled ) and adjust the volume slider until you hear a guitar strum on the right, left, then the center channel of your sound system.
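The password rule used for both the root password (Dybytau,s? from the Shakespeare line) and the first user's password (FL:AcgtRHcd. from the book's title) is written out below as an added Python example; it is not code from the book. The function and constant names are my own, and the rule as implemented keeps only punctuation that trails a word, which is what both of the book's examples require.

```python
# Added example (not from the book): derive a password from a line of text by
# taking the first letter of each word plus the punctuation that follows it.
# Names (mnemonic_password, character_classes, TRAILING_PUNCTUATION) are my own.
from typing import Set

# Punctuation marks that the rule carries into the password when they end a word.
TRAILING_PUNCTUATION = set(".,;:!?")


def mnemonic_password(phrase: str) -> str:
    """Return the mnemonic password derived from a line of text.

    For each whitespace-separated word, emit its first letter or digit, then
    any punctuation marks attached to the end of that word. Punctuation inside
    a word (the apostrophe in "Hat's") is dropped, which is what the book's
    "FL:AcgtRHcd." example shows.
    """
    out = []
    for word in phrase.split():
        first = next((c for c in word if c.isalnum()), None)
        if first is None:
            # A token made only of punctuation (such as "--") contributes nothing.
            continue
        out.append(first)
        trailing = []
        for c in reversed(word):
            if c in TRAILING_PUNCTUATION:
                trailing.append(c)
            else:
                break
        out.extend(reversed(trailing))
    return "".join(out)


def character_classes(password: str) -> Set[str]:
    """Report which character classes the password mixes: upper, lower, digit, punct."""
    classes = set()
    for c in password:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("punct")
    return classes


if __name__ == "__main__":
    for line in ("Do you bite your thumb at us, sir?",
                 "Fedora Linux: A complete guide to Red Hat's community distribution."):
        pw = mnemonic_password(line)
        print(f"{line!r} -> {pw} ({len(pw)} characters, "
              f"classes: {', '.join(sorted(character_classes(pw)))})")
```

A line with many words and some punctuation gives a longer password that mixes case and symbols; the character_classes check makes that visible before you commit to a line.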
If you don't hear anything, check your speaker power, physical volume control, and sound connections (if you have multiple sound cards, use the device tabs on the left side to switch between them), clicking Play after each adjustment (or just select the Repeat checkbox). If you can't get sound working at this point, don't worry; you may just need access to some of the advanced mixer controls, which you can experiment with later (see Lab 2.6, "Configuring Sound"). Click Finish.

Congratulations, Fedora is installed and ready to use!

1.3.2. How Does It Work?

The Fedora Core installer is named Anaconda. It shares code and technology with several other tools, including:

yum, pup, and pirut
    Tools for adding and removing software (see Chapter 5).

kudzu
    A tool that checks the system at boot time to see if any hardware has been added or removed, and adjusts the system configuration appropriately.

system-config-component
    Graphical tools to configure individual system components.

Because the hard disk is in an unknown state and the CD is not writable during the installation session, Anaconda uses a ramdisk (an area of memory configured to act like a disk drive) as the filesystem while it is running. After interacting with you to get the configuration details, Anaconda partitions and formats the hard disks and mounts them. It then starts installing RPM packages containing the selected software. Finally, it reboots the system.

Each time the system boots, the init script /etc/rc.d/init.d/firstboot is executed. If the file /etc/sysconfig/firstboot does not exist, the Python script /usr/sbin/firstboot is executed to ask the initial configuration questions. Once the configuration details have been saved, the firstboot script exits and the normal boot sequence continues.

1.3.3. What About...

1.3.3.1. ...rerunning the firstboot process to reset the system configuration?
You can rerun the firstboot script by adding reconfig to the boot parameters when the system is started (boot parameters are entered in the same way as runlevels are during the boot process; see Lab 4.5, "Using Runlevels"). The sequence of steps used during a reconfiguration is slightly different from, and longer than, that used when the script executes for the first time; for example, you can change the system's default language during reconfiguration.

If you are not using a bootloader password, then any user with physical access to your computer can reset the password of any account on the system using the reconfig boot argument.

1.3.3.2. ...getting help if I encounter problems during (or after) installation?

Fedora is a community-based project, and the Fedora community is very helpful. The best places to turn for help are the Fedora Forum and the Fedora mailing lists. You can also access help using IRC (see Lab 9.2, "Using IRC," for more information).

1.3.4. Where Can I Learn More?

kudzu and yum

Chapter 2. Using Fedora on Your Desktop

Fedora Linux provides a solid desktop computing environment, including a graphical user interface, communication tools, and office applications, that goes well beyond the traditional definition of an operating system. This chapter focuses on using Fedora in the desktop role.

Where possible, the labs in this book include instructions for performing tasks using both the graphical user interface and the command line. If you are not familiar with entering Linux commands, see Lab 4.1, "Using the Command Line."

2.1. Getting Started Using the Fedora Graphical User Interfaces

Fedora Core provides two attractive and easy-to-use graphical user interfaces (GUIs): KDE and GNOME. Each of these GUIs should be a comfortable adjustment for the majority of Windows and Mac users because basic operations are similar.
However, there are some capabilities that are unique to Linux, and learning to use these features will enable you to take full advantage of the Fedora GUIs.

2.1.1. How Do I Do That?

Fedora Linux can boot into graphical mode or text mode, depending on the default runlevel (see Lab 4.5, "Using Runlevels"); when installed using the graphical installation program, Fedora's default is to present the graphical login display shown in Figure 2-1.

Figure 2-1. Fedora default login screen

In the middle of the screen are four clickable controls:

Language
    Displays a dialog enabling you to select the default language for the session. This will not change the messages on the login display, but it will change the default for messages after you successfully log in. Where possible, messages will appear in this selected language, but when no translation for the selected language is found, messages will appear in the default language for the application (usually English). After you enter a username and password, you will be given the choice of making the selected language the permanent default for that username, or using it only for one session.

Session
    Permits you to select the session type: GNOME (the default) or a fail-safe session. If you install additional software for other desktop environments, such as KDE or Xfce, they will also appear on this menu.

Restart
    Presents a confirmation dialog, then restarts the computer. Except for the kernel (the core of the operating system), almost everything in Fedora can be restarted without a reboot, so this option is usually used only when switching between operating systems in a dual-boot configuration.

Shut Down
    Presents a confirmation dialog, then shuts down the system and turns the computer off.

If you press F10, a menu containing most of these options appears.

After you enter your username and password, the system will check to see if you have selected a session type or language different from your normal settings.
If so, you will be asked if the change is temporary ("Just for This Session") or permanent ("Make default"). Click on one of the buttons to make your selection.

2.1.1.1. KDE or GNOME?

GNOME and KDE are built upon different technology and have been designed with different philosophies, as a GNOME or KDE advocate will quickly tell you. However, the most common operations are the same in both environments, and the GNOME and KDE communities collaborate on a number of key issues through freedesktop.org (http://freedesktop.org). The friendly rivalry between the groups spurs them on to develop innovations and refinements for both desktop environments.

Fedora installs and uses GNOME by default, and it is the best choice for most Fedora users. However, KDE is provided on the installation CDs/DVD, and it's worthwhile experimenting with both desktops to find the one that suits your style.

Regardless of which GUI environment you use, you can run both KDE and GNOME programs and have them side by side on your display. For example, you can fire up Evolution (the GNOME email/calendar/scheduling application) and Konqueror (the KDE web browser) and cut and paste data between them. This interoperability is enabled by the X Window System, which provides the foundation for both GUIs.

2.1.1.2. Using the desktop

Once you have logged in, you will see the GNOME desktop, shown in Figure 2-2, or the KDE desktop, shown in Figure 2-3. The same default visual theme has been installed in both environments to provide a fairly consistent appearance and style.

Figure 2-2. Fedora GNOME desktop

Figure 2-3. Fedora KDE desktop

Although the two desktop environments have some significant differences, their main features are very similar.
Here is a summary; where KDE and GNOME differ in their naming conventions, I've used a unified terminology (which will mortify GNOME or KDE purists but allow the rest of us to talk about the desktop in a sane way):

Panel bar (panel)
    Fedora's default configuration of the GNOME desktop includes two panel bars, one at the top of the screen and one at the bottom. Fedora's KDE configuration includes one panel bar at the bottom of the screen. In both cases, you can move the panels to any edge of the screen by clicking on them (in an empty area of the panel) and dragging them. You can move an item within a panel by clicking on it with the middle mouse button (on a mouse with a wheel, depress the wheel; on a two-button mouse, press both buttons simultaneously) and dragging it to the desired location. To shove other items along while dragging an item, hold down the Shift key. You can lock an item to a specific location within the panel by right-clicking and selecting the checkbox labeled "Lock to panel"; to unlock the item, deselect the checkbox.

Application/panel menus
    GNOME's application menus appear on the left side of the top panel bar. Three menus are provided: Applications, which contains various useful programs; Places, which contains a list of location-oriented options, such as viewing your home directory or desktop, searching for files, or going to a recently edited document; and System, which includes preferences, administration, help, and options to log out or lock the display. KDE's main panel menu is called the K menu (it's customized to look like an F in Fedora) and is located at the left side of the panel bar. It includes roughly the same applications as the GNOME menus, with some KDE programs replacing GNOME programs (such as the KDE Control Center instead of the GNOME Preference options). Both environments permit you to access the application menu by pressing Alt-F1.

Panel icons
    Common applications have icons on the panel bar.
    To add an icon for another program to the panel, find the program on the application menu, then right-click and select "Add this Launcher to Panel" or "Add Item to Main Panel."

Desktop icons
    A default set of icons appears on the desktop, including your Home directory, Computer, and Trash. You can create additional icons by dragging files from a file manager or links from a web browser and dropping them on the desktop. Desktop icons are stored in the directory named ~/Desktop.

Workplace/desktop switcher
    Both GNOME and KDE include virtual desktop (or workspace) capability, which means that the visible screen represents only one of several desktop workspaces. To switch between desktops, click on one of the desktop icons in the desktop switcher, or place your mouse pointer over the desktop switcher and roll the mouse wheel. GNOME's workplace switcher also allows you to drag a window outline from one desktop to another. GNOME's workspaces are initially arranged in a horizontal row, while KDE's are arranged in a 2

    The virtual desktop facility provides a lot of screen area to arrange your windows; many users arrange their open applications according to tasks; for example, having email and messaging programs open on one desktop, a web browser on another, and OpenOffice.org on a third.

Window/task list
    When an application is running, an entry appears in the window list (or task list) in the bottom panel. KDE's default task list includes the windows in all virtual desktops; GNOME's includes only windows in the current virtual desktop.

Clock/calendar
    Click on the clock/calendar to display a calendar of the current month. The GNOME version of the calendar will also show you to-do list items from the Evolution scheduler program, and double-clicking on a date will take you to the Evolution schedule for that date.

Applets and monitors
    A panel can also display applets and monitors to let you perform operations easily and to keep you informed.
To add additional applets to the panel bar, right-click an empty spot on the panel and select "Add to Panel," and then select the applet or monitor from the list displayed. 2.1.1.3. Managing windows When you start a program by clicking on an icon or application menu item, one or more windows will appear. Almost all windows have a title bar and window controls, as shown on the window in Figure 2-4 . Figure 2-4. Dasher window, showing title bar and window controls These are the basic controls: Window border When you position the mouse cursor over any edge or corner of a resizable window, it will change to a double-ended arrow. Click and drag to resize the window. Title bar Clicking and dragging the title bar will move the window. Double-clicking the title bar can be configured to maximize the window to fill the entire screen (the default for GNOME, similar to Windows) or to roll up the window into the title bar like a window shade (the default for KDE, similar to Mac OS 9). Window menu Clicking on the icon on the left side of the titlebar will bring up the window menu. You can also view the window menu by right-clicking anywhere on the window border. The window menu contains options for placing the window on top of all other windows; maximizing, minimizing, and closing the window; and placing the window on a specific workspace/desktop or making it appear on all workspaces. Minimize, maximize, and close icons There are three icons on the right side of the titlebar. Clicking the leftmost one will minimize the window (you can then access through the window list); clicking the middle one will maximize or unmaximize the window, and clicking on the rightmost one will close the window. You can also minimize a window by clicking on its entry in the window list. Table 2-1 lists a number of useful keyboard shortcuts available for window management. Table 2-1. 
Keyboard shortcuts for window management

    Action                            GNOME       KDE
    Display window menu               Alt-Space   Alt-F3
    Close window                      Alt-F4      Alt-F4
    Unmaximize (Restore)              Alt-F5      -
    Task list menu                    -           Alt-F5
    Move window using cursor keys     Alt-F7      -
    Resize window using cursor keys   Alt-F8      -
    Minimize                          Alt-F9      -
    Maximize                          Alt-F10     -

2.1.1.4. Fast pasting

KDE, GNOME, and other GUIs based on the X Window System have standard cut-and-paste features. Most applications use Ctrl-X for cut, Ctrl-C for copy, and Ctrl-V for paste, which is compatible with the keyboard shortcuts on other platforms. But the X Window System also has a faster way of pasting: select the text (or graphic) you want to duplicate by highlighting it, then click the middle mouse button at the point you wish to paste. For example, to fast-paste a web address from Firefox into an email being composed in Evolution, you can highlight the text in Firefox (place the mouse cursor at the start of the text, press the left mouse button, drag the cursor over the text, and release the button), then move to the Evolution window and press the middle mouse button to paste that text. Taking this one step further, all of the Fedora web browsers allow you to highlight a web address in any application's window, then middle-click on a blank spot in the browser window to go directly to that page (with Firefox, you can also search using this technique, by highlighting a search term instead of an address, as long as there's no period in your search term). The clipboard used for cut/copy-and-paste operations is not used for fast pasting; instead, the selection (highlighted text or graphics) is directly duplicated (pasted) into the destination, and the clipboard contents are left intact. Like the clipboard, the selection is available to every application connected to the X server, so don't treat either as private to the program you copied from.

2.1.1.5. Logging out

To log out of the desktop, press Ctrl-Alt-Delete. A confirmation dialog will appear, and then you will be logged out. You can also select the Log Out option from the application menu (System menu in GNOME).

2.1.2. How Does It Work?
The Fedora GUI is built in seven layers plus some toolkits or user-interface libraries, as shown in Figure 2-5.

Figure 2-5. Layers in the Fedora GUI

This architecture fits in well with the Unix/Linux philosophy of writing programs that each do one task and do it well. The layers can be mixed and matched to serve various needs; for example, in the standard Fedora configuration, selecting a GNOME or KDE session changes the software used for the Session Manager, Window Manager, and Desktop Environment layers, even though the Display Manager and Application Clients remain the same. Likewise, if the system is configured for character-mode login, but the user starts the GUI after she has logged in, then the Display Manager layer is not used at all. The X server manages all of the display hardware and is the only program that directly accesses the hardware. Client programs, which include any program that needs to communicate with the user (the Display Manager, Session Manager, Window Manager, Desktop Environment, and Application Clients), communicate with the X server using the X protocol over a network connection. That means that any application that can be used on a local display can also be used on a remote display. This provides powerful flexibility for remote access, with one caveat: the X protocol itself is neither encrypted nor authenticated beyond the xauth cookie, so remote clients should be tunnelled over SSH (ssh -X) rather than connected directly to an X server listening on the network. Fedora starts the X server with the -nolisten tcp option, so by default it accepts only local connections. The Toolkits are function libraries used to simplify development of GUI applications. GTK+ is the toolkit used by GNOME, and Qt is used by KDE applications (though not all applications that use these toolkits are full-blown GNOME or KDE applications, because both environments provide additional services).

2.1.3. What About...

2.1.3.1. ...other desktops/GUIs?

Many other desktop/GUI environments are available; for example, Xfce, a nice, lightweight desktop environment included in the Fedora Extras repository. To install Xfce:

# yum groupinstall XFCE

You'll see an entry for Xfce in the Display Manager's Session menu (shown in Figure 2-1). See Chapter 5 for more information on using yum.

2.1.4.
Where Can I Learn More?

2.2. Customizing GNOME

Fedora's version of the GNOME desktop provides a convenient and attractive desktop environment, but by customizing it for the way you work you can increase your comfort and productivity.

2.2.1. How Do I Do That?

Almost all of the Fedora GNOME desktop, as well as desktop options that are not part of GNOME or KDE, can be configured using the System This lab looks at the GNOME settings most commonly used to customize the desktop. Most GNOME settings take effect immediately; you do not need to click an Apply button for a change to take effect.

2.2.1.1. Customizing the desktop appearance using themes

The GNOME desktop and the Metacity window manager (the default GNOME window manager) use themes to configure appearance. Each theme is a combination of configuration information, images, and software that provides a particular visual effect and behavior. Three types of component themes are used on the desktop:

Application (or control) themes
Configure the appearance of the controls: elements used by applications to build the graphical user interface, such as buttons, sliders, scrollbars, and text-entry fields.

Window border themes
Used by the Metacity window manager to control the appearance of the window borders, title bar, and title bar buttons.

Icons
Control the appearance of icons on the panel, desktop, application toolbars, and Nautilus file manager.

One component theme from each category can be combined into an overall desktop theme. To change themes, select System Figure 2-6. Theme preferences tool You can select a desktop theme from this list by clicking on it. The theme will start to load immediately, and the appearance of your desktop will change in a few seconds. To create a custom combination of component themes, click the Theme Details button. The window shown on the right of Figure 2-6 will be displayed. There is a tab for each of the three component theme types.
You can select a different theme for any of the components, and when you do, a Custom Theme entry will appear in the main Theme Preferences window. Your selection will take effect immediately so that you can preview the effect. Once you are satisfied with a combination of component themes, click on the Save Theme button to name the combination and save it as a desktop theme. To install additional component themes, open a browser and go to http://art.gnome.org/ , and open the Theme Preferences window in an adjacent part of the screen. When you find a theme on art.gnome.org that you wish to install, simply drag the download icon (a small floppy disk) from the browser window to the Theme Preferences window, and it will automatically be installed. Dragging installs the theme under your own home directory (see Table 2-2), so a theme you try out affects only your account; promote it to the system-wide directories (Section 2.2.3.1) only after you have tested it, since a theme can contain software as well as images and configuration. You can then combine that component theme with others to produce a new desktop theme as described earlier.

2.2.1.2. Customizing the panels

Fedora's desktop is configured with two panels by default: one at the top of the screen containing the menus, icons, and applets, and one at the bottom of the screen containing the task list. You can add another panel by right-clicking on an existing one and selecting New Panel. The new panel will appear on an edge of the screen that doesn't have a panel, or at the top of the screen if all of the edges are occupied. You can move it to another location by dragging it with the mouse. To delete a panel, right-click on it and select "Delete this Panel." If there is anything on the panel, a confirmation dialog will appear before the panel is deleted. To add items to a panel, right-click on the panel and select "Add to Panel." Although most of the options presented are applets or monitors, you can also add a drawer, which is like a panel that can be unfolded from another panel. A drawer is managed in the same way as a panel, by right-clicking on it. To move an item around a panel, or move it to another panel, middle-click on the item and drag it (or right-click and use the Move menu option).
To push along other icons, hold the shift key while dragging. To delete an item from the panel, right-click on it and select "Remove from Panel." To set a panel's properties, right-click it and select Properties. A small window will appear, containing two tabs, General and Background. The General tab contains these settings: Orientation Selects one of the four screen edges for panel placement. Size Sets the panel size in pixels. 48 pixels is the default; the minimum size is 23 pixels, and the maximum is 120. Reducing this number will make the panel smaller and leave more screen space for your applications, while increasing this number will increase the panel size, making the icons bigger so that they are easier to see and click on. Experiment to find a value that works well for you; I find that 24 pixels is right for my eyes. Expand Selecting this checkbox makes the panel expand to fill the entire edge of the screen; deselecting it makes the panel just large enough to hold its contents. Autohide When selected, most of the panel will slide off the screen when not in contact with the mouse pointer, freeing up space for applications. To unhide the panel, place your mouse pointer over the part of the panel that is still visible. Show hide buttons Enables buttons at the end of the panel that can be clicked to make the panel slide off the screen (endwise). The "Arrows on Hide Buttons" checkbox will make the hide buttons bigger and add a graphical arrow to each one. The Background tab lets you set the background color to the default for the current desktop theme, a solid color (which can have a pseudo-transparency effect applied using the Style slider), or a background image. This is almost always left at the default setting, which uses the desktop theme. 2.2.1.3. Customizing the desktop background The menu option Systemgure 2-7. Figure 2-7. Desktop Background Preferences window You can change to any of the listed background images by clicking on it. 
To add your own image, drag and drop an image file from the Nautilus file manager, or click the Add Wallpaper button and enter the filename; to remove an image, highlight it and click the Remove button. If you don't want a background image, select the No Wallpaper option. The Style control determines how the selected image will be displayed: Centered The image is placed, full-size, in the center of the screen. If it's smaller than the screen, the remaining space is filled with the desktop color; if it's larger than the screen, it is automatically cropped. Fill Screen The image is scaled in both the horizontal and vertical dimensions to fill the screen. This may result in some distortion of the image if its rectangular proportions ( aspect ratio ) don't match those of the screen. Scaled The image is scaled, keeping the original aspect ratio, until it fills the screen. Any remaining space is filled with the desktop color. For photographs, this is a better choice than Fill Screen. Tiled The image is placed in the upper-left corner of the screen and repeated as many times as necessary (both horizontally and vertically) to fill the screen. The Desktop Colors control sets the desktop color style (solid, horizontal gradient, or vertical gradient) and the colors used for that style. The color or gradient selected here will fill any part of the background not covered by an image and will show through background images that have transparency. 2.2.1.4. Customizing the window manager's behavior Select the menu option System Select windows when the mouse moves over them This behavior is called focus-follows-mouse and is very popular with some long-time users of the X Window System. Normally, you need to click on a window to give it focus in other words, the last window clicked is the window that receives keyboard input. If you select this checkbox, you can focus a window simply by placing your mouse pointer over it. 
This is convenient, but if your mouse pointer drifts to another window, you may end up typing into the wrong window. If you select "focus-follows-mouse," then you can optionally configure the window manager to automatically raise focused windows after a brief pause, so that they are on top of other windows. Titlebar Action Configures the window manager to maximize or shade a window when the titlebar is double-clicked. Movement Key This setting selects the modifier key for moving windows. If you hold down the selected modifier and click on a window, you can drag it to a new location. 2.2.1.5. Customizing Nautilus The Nautilus file manager is configured using the Edit Here are some common customizations for Nautilus: ash" option and a new Delete option. 2.2.1.6. Customizing keyboard shortcuts Both mice and keyboards are effective input devices, but switching between them can significantly slow you down. A good set of keyboard shortcuts enables you to perform common operations without switching to the mouse. Fedora's GNOME configuration contains a good set of keyboard shortcuts. To change shortcuts or add new ones, select the menu option System Figure 2-8. GNOME Keyboard Shortcuts window This window shows a number of actions on the desktop and the shortcut key for each. To change a shortcut, click on an entry. The shortcut for that entry will change to read New Accelerator. Press the key or key combination that you wish to use for that keyboard shortcut; if the shortcut is not already in use, it will be assigned to the selected action, and if it is in use, the conflict will be displayed in an error dialog. To remove a keyboard shortcut, click on an entry, and then press Backspace. If you have a "multimedia" keyboard with keys for sound control and common applications, you can in most cases use those keys as shortcuts. However, the Keyboard Shortcuts window will show these keys as hexadecimal codes, as shown in the highlighted line in Figure 2-8.
Not all keys can be used as shortcuts because some multimedia keyboards are internally divided to act as two separate keyboards, with multimedia keys being sent to a different output. In a few rare cases, the multimedia keys don't generate normal keyboard scancodes at all.

2.2.2. How Does It Work?

GNOME stores most of its configuration in hidden directories in each user's home directory. Most configuration options and settings are stored, using the GConf system, in XML files located in ~/.gconf. Themes consist of a large number of files, stored in specific directories according to the type of theme and whether the theme is installed for personal use or system-wide use, as shown in Table 2-2. The GNOME theme configuration tools perform a personal installation of themes.

Table 2-2. Directories for themes and icons

    Theme type                                      Personal installation   System-wide installation
    Icon themes                                     ~/.icons                /usr/share/icons/
    Application/control and Window Manager themes   ~/.themes               /usr/share/themes/

When a new user is created, the files and directories in /etc/skel are copied to the new user's home directory; you can include default configuration settings by placing them into that directory. For example, files in /etc/skel/.gconf are placed in ~/.gconf when a new account is created. Settings seeded this way become the user's own, and the user is free to change them afterwards. GNOME panels are managed by the gnome-panel program, and the desktop is managed by Nautilus.

2.2.3. What About...

2.2.3.1. ...making a theme available to all users?

After testing component themes, you can move them from your personal theme directories to the system-wide directories:

# mv /home/yourusername/.icons/* /usr/share/icons/
# mv /home/yourusername/.themes/* /usr/share/themes/
# chown -R root:root /usr/share/{icons,themes}

Every user's session will load files from these directories, so after moving them check that nothing under /usr/share/icons or /usr/share/themes remains writable by anyone other than root, and only promote themes from sources you trust: as noted above, a theme can include software, not just images and configuration.

2.2.4. Where Can I Learn More?

2.3. Customizing KDE

Fedora's KDE defaults are altered from the original upstream developers' version, even more so than GNOME is modified from its upstream version. For this reason, some die-hard KDE fans don't like working on a Fedora system.
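Before moving on to KDE, here is an added example for the GConf layout described under "How Does It Work?" in the GNOME section above (2.2.2). It is not code from the book or from GNOME: it writes a set of defaults as %gconf.xml files under a skel directory and reads such a tree back, which is what seeding /etc/skel/.gconf amounts to. It assumes the GConf 2 XML backend layout (one %gconf.xml per key directory; string values in a <stringvalue> child, int and bool values in a value attribute, list members as <li> children). The key names in SKEL_DEFAULTS are constructed for illustration; list the real keys on your system with gconftool-2 -R before seeding /etc/skel.

```python
"""Read and write the GConf XML backend described in Section 2.2.2 (added
example, not code from the book).  Assumes the GConf 2 on-disk layout: each
key directory under ~/.gconf holds a %gconf.xml whose <entry> elements carry
name= and type= attributes, with strings in a <stringvalue> child, ints and
bools in a value="..." attribute, and list members as <li> children."""
import os
import tempfile
import time
import xml.etree.ElementTree as ET

# Constructed defaults for new accounts; the key names are illustrative.
SKEL_DEFAULTS = {
    "/desktop/gnome/interface/gtk_theme": "Clearlooks",
    "/apps/metacity/general/focus_mode": "click",
    "/apps/metacity/general/auto_raise": False,
    "/apps/panel/toplevels/top_panel/size": 24,
    "/apps/panel/general/applet_id_list": ["clock", "window_list"],
}


def _gconf_type(value):
    """GConf type name for a Python scalar (bool is tested before int)."""
    for pytype, name in ((bool, "bool"), (int, "int"), (str, "string")):
        if isinstance(value, pytype):
            return name
    raise TypeError("unsupported GConf value %r" % (value,))


def _fill_entry(elem, value):
    """Store VALUE in an <entry> or <li> element."""
    if isinstance(value, list):
        elem.set("type", "list")
        elem.set("ltype", _gconf_type(value[0]) if value else "string")
        for item in value:
            _fill_entry(ET.SubElement(elem, "li"), item)
        return
    gtype = _gconf_type(value)
    elem.set("type", gtype)
    if gtype == "string":
        ET.SubElement(elem, "stringvalue").text = value
    else:
        elem.set("value", str(value).lower())   # "24", "true", "false"


def _read_entry(elem):
    """Inverse of _fill_entry: the Python value of an <entry> or <li>."""
    gtype = elem.get("type")
    if gtype == "string":
        node = elem.find("stringvalue")
        return "" if node is None or node.text is None else node.text
    if gtype == "int":
        return int(elem.get("value"))
    if gtype == "bool":
        return elem.get("value") == "true"
    if gtype == "list":
        return [_read_entry(li) for li in elem.findall("li")]
    raise ValueError("unsupported GConf type %r" % (gtype,))


def write_gconf_tree(root, settings):
    """Write SETTINGS ({"/key/path": value}) as %gconf.xml files under ROOT,
    for example /etc/skel/.gconf so that every new account starts with them."""
    by_dir = {}
    for key, value in settings.items():
        key_dir, _, name = key.rpartition("/")
        by_dir.setdefault(key_dir, {})[name] = value
    stamp = str(int(time.time()))
    for key_dir, entries in by_dir.items():
        dirpath = os.path.join(root, key_dir.lstrip("/"))
        os.makedirs(dirpath, exist_ok=True)
        gconf = ET.Element("gconf")
        for name in sorted(entries):
            _fill_entry(ET.SubElement(gconf, "entry", name=name, mtime=stamp),
                        entries[name])
        ET.ElementTree(gconf).write(os.path.join(dirpath, "%gconf.xml"),
                                    encoding="utf-8", xml_declaration=True)


def load_gconf_tree(root):
    """Walk ROOT (for example ~/.gconf) and return {"/key/path": value}."""
    settings = {}
    for dirpath, _dirs, files in os.walk(root):
        if "%gconf.xml" not in files:
            continue
        rel = os.path.relpath(dirpath, root)
        key_dir = "" if rel == "." else "/" + rel.replace(os.sep, "/")
        tree = ET.parse(os.path.join(dirpath, "%gconf.xml"))
        for entry in tree.getroot().findall("entry"):
            settings[key_dir + "/" + entry.get("name")] = _read_entry(entry)
    return settings


def roundtrip_demo():
    """Write SKEL_DEFAULTS into a scratch skel/.gconf and read them back."""
    with tempfile.TemporaryDirectory() as tmp:
        skel_gconf = os.path.join(tmp, "skel", ".gconf")
        write_gconf_tree(skel_gconf, SKEL_DEFAULTS)
        return load_gconf_tree(skel_gconf)
```

roundtrip_demo() works in a temporary directory; to seed real accounts, point write_gconf_tree at /etc/skel/.gconf as root. Keep in mind that anything seeded through /etc/skel is copied into the user's own ~/.gconf and can be changed by the user; GConf keeps a separate, read-only mandatory source (/etc/gconf/gconf.xml.mandatory) for settings that users must not be able to override.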
Like GNOME, KDE can be tweaked, fiddled, and configured to look and work just the way you want. 2.3.1. How Do I Do That? Most KDE configuration is performed through the KDE Control Center, which is found on the K menu. The Control Center is shown in Figure 2-9. If you do not have KDE installed, you can install it; see Lab 5.3, "Using Repositories."  Figure 2-9. KDE Control Center   Along the lefthand side of this window, there is a collapsible menu of configuration categories; each category contains several subcategories, which can be revealed or hidden by clicking on the +/- icon in front of the category name. Each subcategory is handled by a separate configuration module . When you click on a configuration category, the configuration module for that category is shown on the righthand side of the window. You can also configure some desktop components by right-clicking on them. For example, right-clicking on the desktop and selecting Configure Desktop will bring up a subset of the Control Center options, which is useful for changing the appearance of the desktop. Unlike GNOME, KDE settings are not usually automatically applied; you must click on the Apply button before your changes take effect. An alternative, express way to change basic KDE desktop settings is to select Settings 2.3.1.1. Customizing the desktop appearance using themes To configure KDE themes, select Appearance & Themes To install a new theme, click the "Get new themes..." link in the upper-right corner to open the Konqueror web browser with the kde-look home page (http://kde-look.org). Select a theme that is packaged into a .kth file and download it to your system. Click the Install New Theme button within the KDE Control Center and open the downloaded file to install it into the list of available themes. Relatively few themes are packaged in the .kth format required by the Theme Manager. Themes supplied in source format cannot be installed by the Theme Manager and must be configured manually. 
2.3.1.2. Customizing the panels KDE panels are configured in much the same way as GNOME panels. You can add a new panel by right-clicking on an existing one and selecting Add New Panel The Add New Panel facility can add special panel types that are pre-populated with specific tools; for details, right-click on a panel and select Help.  To delete a panel, right-click on any panel and select Remove Panel, and then select the panel you wish to remove. It is not possible to remove the original panel. If the panel contains anything, a confirmation dialog will appear before the panel is deleted. To add items to a panel, right-click on the panel and select "Add Applet to panel" or "Add Application to panel"; the difference is that applets run within the panel, displaying information or performing useful actions, while applications are simply buttons that launch programs. To delete an application from the panel, right-click on it and select "Remove application." To delete an applet, place your mouse cursor over it, which will cause a small bar to appear beside it; right-click on this bar, and select "Remove applet." To move a panel object, middle-click on the object (or on the bar beside the object if it is an applet) and drag it to the desired location. To push other objects around, hold down the Shift key while dragging; to move between bars, left-click and drag. To set a panel's properties, right-click on a panel and select Configure Panel, which displays the window in Figure 2-10 . You can also start the KDE Control Center and select Desktop Figure 2-10. KDE panel configuration window   In either case, you will have buttons or tabs for Arrangement, Hiding, Menus, and Appearance. The Arrangement section contains these settings: Position The location of the panel on the screen. 
There are twelve buttons, enabling you to place the panel in the center or either corner of any edge of the screen (for example, if you place the panel on the bottom edge of the screen, you can place it in the left corner, the center, or the right corner). The position along an edge has no effect if the panel length has been set to 100%. Length The percent of the screen edge that will be occupied by the panel. The default is 100%, where the panel fills the entire length of one side of the screen. The checkbox labeled "Expand as required to fit contents" makes the specified length the minimum. Size The thickness of the panel in pixels. The Fedora default is rather big, so I usually set this to Small or Tiny. The settings affect the panel selected by the "Settings for" drop-down menu. As you adjust the settings, the preview in the Screen section is updated to show your changes. The Hiding section contains three settings: Hide Mode Configures the panel to be displayed all the time unless manually hidden, to hide itself after a period of time, or to be coverable by other windows. To reveal an automatically hidden panel, place the mouse cursor along the edge of the screen where the panel would normally appear. Panel-Hiding Buttons Allows you to add buttons to the left and right (or top and bottom) ends of the panel. Panel Animation Configures the animated sliding of the panel when it is hidden or revealed. The panel animation is a cute effect, and it serves the practical purpose of helping the user understand what's happening to the panel. Like the Arrangement options, the Hiding options are applied to the panel selected with the "Settings for" control. The Appearance section lets you configure icon mouseover effects (which include really big, animated tool tips), tool tips helps, colored or patterned button backgrounds, and a pseudo-transparency effect for panels. 2.3.1.3. 
Customizing the desktop background The background image or color is adjusted using the Appearance & Themes Figure 2-11. KDE desktop background configuration You can individually configure the desktop background for each virtual desktop. This can make it easier to identify which virtual desktop is currently displayed, but it can use a lot of memory and increases the amount of time it takes to switch desktops. The "Settings for Desktop" control selects the desktop to be configured; use All Desktops to use the same image on all of the virtual desktops. In this configuration module, there are two sections: Background Selects a picture or slideshow to use for the image background. Options Sets the background image position, scaling, and tiling (repeat) options; background colors, patterns, and gradients; and blending between the background image and background colors/patterns. There are also two special buttons: Advanced Options Permits you to use a program to draw the desktop background (such as kwebdesktop , which uses a web page for the desktop background), to set the color and shadow for the desktop icon text, and to set the size of the background cache. Get New Wallpapers Provides a simple way to download wallpapers from http://kde-look.org , using the window shown at bottom right in Figure 2-11 . A list of available wallpapers appears (you can use the tabs to change the sort order); clicking on one will present a preview, and clicking Install will add that wallpaper to the Picture list in the KDesktop Background window. 2.3.1.4. Customizing the window manager's behavior To configure window-manager behavior, right-click on a title bar and select Configure Window Behavior. Figure 2-12 shows the window that appears. You can access the same options through the Control Center using the Appearance & Themes Figure 2-12. 
KDE window-manager behavior configuration The KDE window manager, kwin, offers extensive configuration options: Window Decorations Enables you to select the window-manager theme and the buttons that will be placed in the title bar. Some themes have additional customization options, such as adjustable border width. Actions Configures the actions performed when the various mouse buttons are clicked on the title bar and active or inactive windows. The Titlebar Actions tab contains settings for the action that will be taken when the user clicks on the window title bar, frame, and maximize button. Focus The window with focus (also called the active window) receives keyboard input. This section selects the focus policy: Click to Focus Click on a window to give it focus. Focus Follows Mouse Place the mouse cursor over a window to give it focus. You can also change focus with Alt-Tab or Shift-Alt-Tab. Focus Under Mouse Same as Focus Follows Mouse, but Alt-Tab/Shift-Alt-Tab does not change the window focus (though it will raise other windows to the top), and new windows will not receive focus. Focus Strictly Under Mouse Same as Focus Under Mouse, but moving the mouse pointer over the desktop background (not over any window) will unfocus all windows instead of leaving the last window focused. If you select a focus policy other than "Click to Focus," you can configure a delay between when a window receives focus and when it raises, as well as whether focused windows are raised at all (placed in front of other windows). The Navigation section enables you to set options related to keyboard navigation between windows (Alt-Tab/Shift-Alt-Tab). Moving Configures behavior when windows are moved. For best performance on a slower system (or a remote connection), disable the options "Display content in moving windows," "Display content in resizing windows," and "Animate minimize and restore"; on a fast machine, these options can provide useful user feedback. 
The Snap Zone settings make it easier to align windows with other windows or with the edge of the screen. Advanced Configures Shading (window roll-up) animation and automatic unrolling when under the mouse; Active Desktop Borders, which permit you to move off the desktop onto an adjacent virtual desktop; and Focus Stealing Prevention, which attempts to eliminate unpleasant surprises when you're typing and a new window appears (which in normal circumstances would automatically get focus). Right-click on the control and select "What's This?" to see a detailed description of the options. Window-Specific Settings Enables you to configure kwin to handle some applications differently than others. To create special settings for a window, ensure that the window is presently on the screen, and then click New in that window. A window labeled Edit Window-Specific Settings will appear; click the Detect button, and then click on the window you wish to configure. You can then use the provided tabs to configure your desired settings, such as specific window geometry (size and location) or preferences (e.g., causing the window to stay above or below other windows). Translucency Enables transparency and shadow effects for windows. This uses the COMPOSITE capability of the X server, which requires a modern graphics card for good operation; you can then use these settings to configure the transparency, shadows, and fade effects. To enable the COMPOSITE extension, see Lab 2.4, "Fine-Tuning Your Display Configuration ." 2.3.1.5. Customizing Konqueror Since Konqueror was designed as both a web browser and a file manager, it offers many options for customization. You can access these configuration options by selecting Settings Figure 2-13. Konqueror configuration window; Control Panel version (left) and Konqueror Settings version (right) Here are some of the most useful customizations: lizing them but does not free up disk space right away). 
ior tab/button will make Konqueror display an extended preview whenever you hover the mouse pointer over a file icon. & Move tab (Control Center only) enables "Copy to" and "Move to" options on context menus. This is a useful feature that offers recent and common directories as copy/move targets.

2.3.1.6. Customizing keyboard shortcuts

Keyboard shortcuts are configured using the Control Center option Regional & Accessibilityhe Shortcut field to clear it. Figure 2-14. KDE keyboard shortcut configuration

2.3.2. How Does It Work?

KDE configuration options are stored in text files in ~/.kde/share/config. The format of these files varies slightly, but most take the form of name and value pairs divided into sections denoted by section titles in square brackets:

[$Version]
update_info=kfmclient_3_2.upd:kfmclient_3_2
[HTML Settings]
AutomaticDetectionLanguage=0
[KonqMainWindow Toolbar Speech Toolbar]
IconText=IconOnly
Index=4
...(snip)...
[SearchBar]
Mode=1

Since these are text files, they may be copied from one account to another; after copying, make sure the files are owned by the receiving user.

2.3.3. What About...

2.3.3.1. ...setting the defaults for new users?

The directory /etc/skel acts as a template, or skeleton, for new account creation. Any KDE configuration files placed in /etc/skel/.kde/share/config will get copied to new user accounts automatically.

2.3.4. Where Can I Learn More?

2.4. Fine-Tuning Your Display Configuration

Fedora's Anaconda installer detects and configures most display hardware optimally. However, there are some situations where it's necessary to override the default configuration to set up a desired display resolution and color depth.

2.4.1. How Do I Do That?

Fedora's display configuration program is called system-config-display.
If you have a working graphical display, you can start this program by selecting System If you don't have a working graphical display, or you've booted into character mode (see Lab 4.5, "Using Runlevels"), you can start this program from the command line:

$ system-config-display
You are attempting to run "system-config-display" which requires administrative privileges, but more information is needed in order to do so.
Password for root: secret

The password prompt comes from consolehelper, which uses PAM to authenticate you and then runs the program as root; if you are already root, there is no prompt. The graphical display will be started in a very basic mode so that the graphical configuration dialog can be displayed. system-config-display uses the existing display configuration as a starting point. If the existing configuration does not work at all, you may need to delete it to force system-config-display to start from scratch (copy it somewhere else first, so that you can compare the old and new files or restore the original):

# rm /etc/X11/xorg.conf

Whether started from the menu or the command line, the window shown in Figure 2-15 will be displayed.

Figure 2-15. system-config-display window

This dialog has three tabs:

Settings
Selects the default resolution and color depth for the system. The maximum display resolution is limited by the monitor setting on the Hardware tab; the color depth should almost always be set to "Millions of Colors," which enables 24-bit color.

Hardware
Selects the monitor and video card type installed in your system. The Anaconda installer will have preselected the best match in most cases, but in some display configurations (including those with keyboard-video-mouse (KVM) switches, video splitters, or old monitors) the monitor type cannot be determined automatically. If your monitor does not appear on the list, select the closest option from the Generic CRT or Generic LCD categories. In most cases, the exact video card model is not important; it's the chipset that counts. From your video card documentation, find out the chipset manufacturer and model (such as NVIDIA GeForce 4 MX) and select that option from the list.
In many cases, an exact match is not required because one video driver is used for a wide range of chipsets. If there are no options that work for your video card, select the VESA driver, which will provide basic capabilities on almost any modern video card.  Dual head The X.org server used in Fedora can drive multiple monitors. If you have a second monitor connected to a second video card , you can enable it here. Select the checkbox labeled "Use dual head," then specify the video card, resolution, and color depth to be used. You can also specify the desktop layout as "Individual desktops" or "Spanning desktops"; for most applications, "Spanning desktops" is most versatile, since it enables you to move windows between desktops or even have a window fill both desktops. The second monitor is assumed to be to the right of the primary monitor. Once you have selected the desired configuration, click OK. The new configuration will take effect the next time you start the graphical user interface. If you logged in graphically, the GUI won't restart until you restart the system. You can force it to restart sooner by pressing Ctrl-Alt-Backspacebut you will lose any unsaved data, so exit from all applications first. (This key sequence abruptly aborts the X server process and normally should not be used to exit from a graphical session). 2.4.2. How Does It Work? system-config-display changes the X server configuration file, /etc/X11/xorg.conf . If necessary, it creates an entirely new file. Most of the information for this file is determined from the hardware by probing. The xorg.conf file contains configuration information for four types of devices: The xorg.conf file is a plain-text file and can be edited by hand (see Lab 4.4, "Basic Text Editing Using vi "). Be sure to make a backup copy before making any changes. 
You can find a detailed description of the configuration options in xorg.conf's manpage (see Lab 4.2, "Accessing Online Documentation"):

    $ man xorg.conf

The file is divided into sections, each of which looks like this:

    Section "SectionName"
        Configuration Directives
    EndSection

The most commonly used sections in this file are shown in Table 2-3.

Table 2-3. Common xorg.conf section names

    Name          Description
    Monitor       Monitor specifications.
    InputDevice   Keyboard configuration. Pointer device configuration (mice, graphics tablets, touch screens).
    Device        Video card configuration.
    Screen        Associates a Device with a Monitor and defines the available resolutions and color depth.
    ServerLayout  Associates one or more Screen sections with two or more InputDevice sections. Different ServerLayouts can be defined to combine devices in different ways for use at different times; for example, a laptop can have a ServerLayout that specifies that the internal+external displays should be used, and another one that specifies only the internal display.
    Files         Location of auxiliary files such as fonts, drivers, and color tables.
    ServerFlags   Flags to control the overall operation of the X server. The flags may alternatively be placed in the ServerLayout sections if they apply to some ServerLayouts but not to others.
    Extensions    Enables/disables extensions to the server capabilities.
    Module        Loads additional modules. (Modules may provide extensions, but extensions don't have to exist as separate modules.)
    Modes         Defines special video modes (rarely required).
    DRI           Direct Render Interface (DRI) device configuration, used for some 3-D gaming.

Here is a typical xorg.conf file:

    Section "ServerLayout"
        Identifier  "single head configuration"
        Screen      0 "Screen0" 0 0
        InputDevice "Keyboard0" "CoreKeyboard"
        InputDevice "Synaptics" "CorePointer"
        InputDevice "Mouse0" "AlwaysCore"
    EndSection

    Section "Files"
        FontPath "unix/:7100"
    EndSection

    Section "Module"
        Load "glx"
        Load "dri"
        Load "synaptics"
    EndSection

    Section "InputDevice"
        Identifier "Keyboard0"
        Driver     "kbd"
        Option     "XkbModel"  "pc105"
        Option     "XkbLayout" "us"
    EndSection

    Section "InputDevice"
        Identifier "Mouse0"
        Driver     "mouse"
        Option     "Device"          "/dev/input/mice"
        Option     "Protocol"        "IMPS/2"
        Option     "ZAxisMapping"    "4 5"         # Scrollwheel support
        Option     "Emulate3Buttons" "yes"         # L+R buttons count as middle
    EndSection

    Section "InputDevice"
        Identifier "Synaptics"                     # Laptop touchpad
        Driver     "synaptics"
        Option     "Device"          "/dev/input/mice"
        Option     "Protocol"        "auto-dev"
        Option     "Emulate3Buttons" "yes"
    EndSection

    Section "Monitor"
        Identifier  "Monitor0"
        VendorName  "Monitor Vendor"               # Just for reference
        ModelName   "LCD Panel 1400x1050"          # Just for reference
        HorizSync   31.5 - 90.0                    # Horiz. sync in kHz
        VertRefresh 59.0 - 75.0                    # Vert. refresh in Hz
        Option      "dpms"                         # Enables power management
    EndSection

    Section "Device"
        Identifier "Videocard0"
        Driver     "nv"
        VendorName "Videocard vendor"              # Just for reference
        BoardName  "nVidia Corporation NV34M [GeForce FX Go5200]"  # Ditto
    EndSection

    Section "Screen"
        Identifier   "Screen0"
        Device       "Videocard0"                  # Associates the video card
        Monitor      "Monitor0"                    # with this monitor
        DefaultDepth 24                            # Default is 24-bit colour
        SubSection "Display"
            Viewport 0 0                           # "0 0" is almost always used
            Depth    24                            # This section used by default
            Modes    "1400x1050" "1280x1024" "1024x768" "800x600" "640x480"  # Change modes with Ctrl-Alt-+/-
        EndSubSection
        # This next SubSection is not selected by default (because of the
        # DefaultDepth line in the previous section). However, it would be used if the
        # -depth option was specified on the X server command line,
        # overriding the DefaultDepth setting.
        SubSection "Display"
            Viewport 0 0
            Depth    16                            # Because default is 24-bit,
            Modes    "800x600" "640x480"           # ...this will usually be ignored
        EndSubSection
    EndSection

    Section "DRI"                                  # Configures DRI devices...
        Group 0                                    # Root (user ID 0) owns them
        Mode  0666                                 # Readable/writable by all
    EndSection

    Section "Extensions"
        Option "Composite" "Enabled"               # Enables transparency, etc.
    EndSection

To change the default color depth, edit the DefaultDepth line in the Screen section (make sure that a SubSection for that depth exists in the Screen section of the file). Values that work with most video cards include 8, 16, and 24 bits; the number of colors available is 2^depth. Similarly, the default resolution is controlled by the Modes entry in the SubSection "Display" with the same Depth as DefaultDepth.

For example, to change the configuration in this example from a 24-bit (16-million-color) to a 16-bit (65,536-color) depth, and to change the resolution to 800x600, change the DefaultDepth to 16 and then change the Modes line in the SubSection for 16-bit color:

    Section "Screen"
        Identifier   "Screen0"
        Device       "Videocard0"                  # Associates the video card
        Monitor      "Monitor0"                    # with this monitor
        DefaultDepth 16                            # Default is 16-bit colour
        SubSection "Display"
            Viewport 0 0                           # "0 0" is almost always used
            Depth    24
            Modes    "1400x1050" "1280x1024" "1024x768" "800x600" "640x480"  # Change modes with Ctrl-Alt-+/-
        EndSubSection
        SubSection "Display"
            Viewport 0 0
            Depth    16
            Modes    "800x600"
        EndSubSection
    EndSection

The Composite extension, enabled in the Extensions section of the file, powers the use of advanced visual effects, including transparency. Not all video drivers support Composite.

2.4.3. What About...

2.4.3.1. ...per-user display resolution settings?
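As an added example (not the book's code, and not part of Fedora), here is a small Python checker for the Section/EndSection format described above and for the rule just stated, that a SubSection "Display" must exist for the chosen DefaultDepth; it also reads back the DRI Mode so a reviewer can see when DRI devices are left readable/writable by all. SAMPLE, the Block class and all function names are this example's own; SAMPLE is a constructed cut-down Screen and DRI section.

```python
"""xorg.conf checker: parse the Section/EndSection format described above and confirm
the Screen section's DefaultDepth has a matching SubSection "Display" with Modes.
Added example, not the book's code; SAMPLE below is constructed for this example."""
import shlex
from typing import Dict, List, Optional, Tuple


class Block:
    """A Section or SubSection: its name, directives, and nested SubSections."""

    def __init__(self, kind: str, name: str) -> None:
        self.kind, self.name = kind, name      # e.g. ("Section", "Screen")
        self.entries: List[Tuple[str, List[str]]] = []
        self.children: List["Block"] = []

    def args(self, keyword: str) -> List[List[str]]:
        # Argument lists of every directive named keyword (case-insensitive).
        return [a for kw, a in self.entries if kw.lower() == keyword.lower()]


def parse_xorg_conf(text: str) -> List[Block]:
    """Return the top-level Sections; raise ValueError on unbalanced nesting."""
    top: List[Block] = []
    stack: List[Block] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = shlex.split(raw, comments=True)  # drops '#' comments, unquotes
        if not words:
            continue
        kw, rest = words[0], words[1:]
        if kw in ("Section", "SubSection"):
            # Sections may not nest; SubSections must sit inside a Section.
            if len(rest) != 1 or (kw == "Section") == bool(stack):
                raise ValueError(f"line {lineno}: malformed or misplaced {kw}")
            block = Block(kw, rest[0])
            (stack[-1].children if stack else top).append(block)
            stack.append(block)
        elif kw in ("EndSection", "EndSubSection"):
            if not stack or stack[-1].kind != kw[3:]:  # kind follows "End"
                raise ValueError(f"line {lineno}: unexpected {kw}")
            stack.pop()
        elif stack:
            stack[-1].entries.append((kw, rest))
        else:
            raise ValueError(f"line {lineno}: directive outside any Section")
    if stack:
        raise ValueError(f'unterminated {stack[-1].kind} "{stack[-1].name}"')
    return top


def check_screen(sections: List[Block]) -> Dict[str, object]:
    """Report the default depth, the Modes X will use for it, and any problems."""
    problems: List[str] = []
    modes: List[str] = []
    depth: Optional[int] = None
    screens = [s for s in sections if s.name == "Screen"]
    if len(screens) != 1:
        problems.append(f"found {len(screens)} Screen sections, expected 1")
    elif not screens[0].args("DefaultDepth"):
        problems.append("Screen has no DefaultDepth")
    else:
        depth = int(screens[0].args("DefaultDepth")[-1][0])
        # X uses the Display SubSection whose Depth equals DefaultDepth.
        match = [d for d in screens[0].children if d.name == "Display"
                 and d.args("Depth") and int(d.args("Depth")[0][0]) == depth]
        if not match:
            problems.append(f'no SubSection "Display" with Depth {depth}')
        elif not match[0].args("Modes"):
            problems.append(f"Display for Depth {depth} lists no Modes")
        else:
            modes = match[0].args("Modes")[0]
    return {"depth": depth, "modes": modes, "problems": problems}


def dri_mode(sections: List[Block]) -> Optional[str]:
    """The DRI section's Mode (0666 = readable/writable by all), if present."""
    for s in sections:
        if s.name == "DRI" and s.args("Mode"):
            return s.args("Mode")[-1][0]
    return None


SAMPLE = '''\
Section "Screen"
    Identifier   "Screen0"
    DefaultDepth 24
    SubSection "Display"
        Depth 24
        Modes "1400x1050" "1024x768" "800x600"
    EndSubSection
    SubSection "Display"
        Depth 16
        Modes "800x600" "640x480"
    EndSubSection
EndSection
Section "DRI"
    Group 0
    Mode  0666
EndSection
'''
```

Changing DefaultDepth to 8 in SAMPLE makes check_screen report the missing SubSection, which is exactly the mistake the paragraph above warns against.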
The GNOME menu option System

The system-wide resolution setting will be used for the user login display; individual user settings will take effect after the user logs in. The color depth can't be set this way because the architecture of the X Window System requires the color depth to be a system-wide setting.

2.4.3.2. ...creating the xorg.conf file without using system-config-display?

The X server itself is capable of generating a reasonable xorg.conf file, which you can then fine-tune by manually editing it:

    # X -configure :1

The system will automatically start an X server using display number :0. Additional X servers can be started as long as they each use a unique display number, which is why :1 was used in this command.

The new configuration file will be placed in /root/xorg.conf.new. In order to use it, you'll need to link the name /dev/mouse to the default mouse device:

    # ln -s /dev/input/mice /dev/mouse

You can then test the new configuration:

    $ X -config /root/xorg.conf.new

This will present a blank display with an X-shaped mouse pointer. If the display looks right and you can move the pointer with your mouse, then go ahead and install this new configuration file as the default configuration:

    # mv /etc/X11/xorg.conf /etc/X11/xorg.conf.backup
    # mv /root/xorg.conf.new /etc/X11/xorg.conf

You can fine-tune this configuration either manually or by using tools such as system-config-display.

2.4.3.3. ...using multiple mice and keyboards with one display?

The default X server configuration will work with all USB pointer devices and keyboards plugged into the system. The devices will work in parallel; for example, if you have two mice, moving either one will move the onscreen pointer, and if you have two keyboards, typing on either will send characters to the display. Most keyboards will be detected as soon as they are plugged in, but other keyboards will be detected only when the system starts. For example, I have a secondary French Canadian USB keyboard and a USB calculator/numeric keypad; the French Canadian keyboard is detected as soon as it is plugged in, but the numeric keypad must be plugged in during boot in order to be detected properly. Special features of advanced pointers (such as touchpads) will not be configured automatically unless those devices are plugged in when system-config-display is run.

2.4.3.4. ...a nonstandard monitor, such as a widescreen laptop display?

In most cases, these displays can be probed automatically using VESA standard protocols. If not, edit /etc/X11/xorg.conf, find the Monitor section, and enter the HorizSync (horizontal scan frequency) and VertRefresh (vertical scan/refresh frequency) values specified in your monitor documentation:

    Section "Monitor"
        Identifier  "Monitor0"
        VendorName  "Monitor Vendor"
        ModelName   "Unknown Monitor"
        HorizSync   32.00 - 72.0     # Horiz. sync in kHz
        VertRefresh 58.0 - 62.0      # Vert. refresh in Hz
    EndSection

Next, edit the default resolution to match your hardware:

    Section "Screen"
        Identifier   "Screen0"
        Device       "Videocard0"
        Monitor      "Monitor0"
        DefaultDepth 24
        SubSection "Display"
            Depth 24
            Modes "1280x800"
        EndSubSection
    EndSection

2.4.4. Where Can I Learn More?

xorg.conf (information about the X server configuration file).

2.5. Configuring Printing

In order to print from your Fedora system, you have to configure at least one print queue to manage documents waiting to be printed. For printers directly connected to your computer, this process is fully automatic, and for other printers (such as those on your network), it is very simple.

2.5.1. How Do I Do That?

Select the menu option Systemw, grouped according to connection type; if you click on one of these printers, the configuration details for that printer will appear on the right.

Figure 2-16. Printer configuration window

2.5.1.1. Add a new print queue

USB and parallel printers, as well as network printers that use the Internet Print Protocol (IPP), will be detected and configured automatically; you can adjust the printer configuration by editing the values in the main printer-configuration window (Figure 2-16) and then clicking Apply. Other printers must be configured manually.

Click on the New Printer icon to access the window shown in Figure 2-17.

Figure 2-17. New Printer window

Enter the name of the printer, which should be short and contain no spaces. I recommend using the generic printer type followed by a number (e.g., laser3 or inkjet0); even if you only have one printer now, you may add more in the future. If desired, you can add verbose description and location information. Click Forward to proceed to the connection configuration step, shown in Figure 2-18.

Figure 2-18. Printer connection configuration

The Devices list shows all detected local printers, plus serial ports and common network printing protocols. Select the appropriate option; for network printers, you will need to enter the IP address or hostname as well as the printer or queue name. Press Forward to proceed to the driver configuration step, shown in the left side of Figure 2-19.

Select the printer manufacturer, then click Forward; on the next display (shown on the right side of Figure 2-19), select the printer model. Use the Comments buttons to display information about the printer, driver, or PPD file. The Drivers list may present more than one driver option. In almost all cases, it is best to use the default driver. Click Forward, then click Apply on the confirmation dialog that appears.

Figure 2-19. Printer driver selection

2.5.1.2. Edit an existing print queue

To change an existing queue configuration, select the printer in the main window (Figure 2-16) and edit the option values on the tabs:

Settings
    Configures the printer description, location, connection details, printer driver, and printer status (enabled/accepting/shared). Enabled means the queue contents will be sent to the printer; accepting means that new print requests may be enqueued.

Policies
    Configures starting and ending banner pages (which identify each print job) and the action to be taken when a printer error occurs.

Access control
    Used to restrict printer access to specific users, or to prevent specific users from accessing the printer.

Printer options
    Configures the default settings for printer features such as stapling, duplexing, media, ink cartridge type, and resolution.

2.5.1.3. Set the default print queue

The default print queue is used for all print requests that do not specify a queue. To set the default, select a printer and then click Make Default Printer. Click Apply to activate your change.

2.5.1.4. Printing

The command lpr (line printer requester) is used to place a print request into a queue. When used from the command line, lpr can accept input from standard input or from a specified file. For example, to print the file output.ps:

    $ lpr output.ps

Or to print the calendar for the year, generated by the cal -y command:

    $ cal -y | lpr

To specify a specific print queue (such as laser3), add the -P argument along with the name of the queue:

    $ lpr -P laser3 output.ps
    $ cal -y | lpr -P laser3

You can view the status of a print queue, including the documents in the queue, by clicking on the printer icon that appears in the notification area of the GNOME panel bar. The window shown in Figure 2-20 will appear; this window shows all print requests made by you on all print queues. To delete a document from the queue, right-click on it and select the Cancel document option.

Figure 2-20. Document print-status window

The lpq command provides another way of viewing a queue's contents:

    $ lpq
    inkjet0 is ready
    no entries

While the graphical Document print-status window shows requests by one user on all queues, lpq shows requests by all users on a single queue. The output in the previous example shows that there are no documents in the default queue inkjet0. You can specify a specific printer queue using the -P argument:

    $ lpq -P laser3
    laser3 is ready and printing
    Rank    Owner   Job     File(s)                 Total Size
    active  chris   91      report.ps               124928 bytes
    2       jason   92      spreadsheet.ps          523423 bytes

In this case, there are two jobs in the queue; job 91 is printing, and job 92 is scheduled to be printed next.

You can delete a document using the lprm command, which accepts a job number (the default is the active job) and the -P option to specify the print queue. This command will delete job 92 on the print queue laser3:

    $ lprm -P laser3 92

2.5.2. How Does It Work?

Fedora's printing system combines four fairly complex tools into a comprehensive print solution. The Common Unix Printing System (CUPS) provides queue management and printer sharing; the Foomatic system provides access to the large database of printer configuration information and notes maintained by linuxprinting.org; Ghostscript converts PostScript, the most common printer output format used by Linux applications, into other formats for use by non-PostScript printers; and the system-config-printer script provides the user interface for printer configuration.

system-config-printer manipulates the CUPS configuration files in /etc/cups and restarts the CUPS server (cupsd) to load configuration changes. These files can be edited by hand, but this is not recommended.

CUPS provides queue management, storing queued documents in /var/spool/cups until they are printed. It is heavily tied into the Internet Print Protocol (IPP), which is based on the web protocol HTTP.
You can connect to the CUPS server's administrative interface by accessing the address http://localhost:631/ through a web browser; however, if you do any configuration through that interface, you may no longer be able to use system-config-printer, which is generally a better configuration tool.

Applications vary enormously in the quality of their interface into the print system: lpr command to be used; queue selection is performed using lpr's -P option.

The printer icon in the GNOME panel's notification area is provided by the eggcups program.

2.5.3. What About...

2.5.3.1. ...creating a group of similar printers that are accessed on a first-available-printer basis?

This is called a printer class; to create one, use the New Class button in the graphical configuration tool. Add the desired printers to the printer class and click Apply; you can then print to the printer class instead of a specific printer, and the first available printer will be used to print your document.

2.5.3.2. ...setting up more than one queue for a printer?

Not only is it possible to set up more than one queue for a printer, it's a good idea, because each queue can have a different driver configuration. For example, I have a color inkjet printer, which is used in text mode with plain paper and in a photo mode with photo paper. I have created three separate queues: color0-draft for fast, low-quality printing that saves ink; color0 for regular printing; and color0-photo for photo printing. The appropriate driver options have been set for each. Although it is possible to create just one queue and set the resolution and paper type within some applications, not all applications are capable of setting those options, and it's simply faster and more convenient to have preconfigured queues. Similarly, I have single- and double-sided queues for my laser printer.

Printer queues are created with default driver options. To adjust the driver options, create the queue, and then use the Printer Options tab to access the driver settings.

2.5.3.3. ...making a PDF instead of printing?

Many applications that don't provide PDF output do provide the ability to print to a file instead of printing to an output queue; this feature can be used to save a PostScript copy of the print request, which you can then convert to a PDF by using Ghostscript via the ps2pdf script. For example, you could "print" from Firefox to the file bankstatement.ps and then convert bankstatement.ps to bankstatement.pdf with this command:

    $ ps2pdf bankstatement.ps

The resulting PDF file can be viewed with Evince, xpdf, or Adobe Acrobat Reader (not installed by default).

2.5.3.4. ...using an HP multifunction printer?

HP produces several lines of multifunction printer/copier/scanner devices that use a multiplexed communication protocol; the printer and scanner are accessed through a single connection. The software necessary to access these devices is built into Fedora Core; just ensure that the hplip service is running.

2.5.4. Where Can I Learn More?

lpr, lpq, and lprm
& Print sharing: "Configuring Samba to Share Files with Windows"

2.6. Configuring Sound

Fedora Core contains drivers for many different types of sound cards. However, it may be necessary to configure the sound path or select from different sound devices before your sound output is usable.

2.6.1. How Do I Do That?

Fedora provides two tools for configuring sound: the Soundcard Detection tool and the audio mixer. To access the Soundcard Detection tool, select System

Figure 2-21. Soundcard Detection window

This window offers a minimal set of options: basically, you can select the default device to be used, and you can play a test sound. To test your sound card, make sure that your speakers are plugged in and turned on, then click the Play button. You should hear a guitar chord played on the right, then the left, and then the right+left channels. If you don't, try selecting different device tabs (on the left side of the window) and PCM Device settings (at the bottom of the window) until you find a combination that works. Your system may have multiple sound cards (e.g., both a motherboard and PCI sound card), or there may be sound devices on your sound card that are not connected to a sound path that goes to your speakers; they may instead go to a modem, headphone jack, or thin air.

If you still don't hear anything, then it's time to break out the Volume Control/Mixer. In GNOME, you can do this either by right-clicking on the volume-control panel applet (the icon that looks like a speaker, shown way back in Figure 2-2) and selecting Open Volume Control, or by selecting the menu option System

Figure 2-22. KDE KMix (left) and GNOME Volume Control (right)

To change which sound device is being configured, click File

Make sure the sound device you are configuring with the Volume Control/Mixer is the same device you are testing with the Soundcard Detection tool!

Modern sound chips have many different inputs, outputs, and processing sections, but not all sound card designs implement all of these features, and even if the features are implemented, some of the inputs and outputs may not be connected to anything, or they may be connected to an input or output labeled with a different name. KMix presents controls for almost every available input, output, sound path routing option, and switch; GNOME's Volume Control lets you configure which controls you wish to display. This reduces clutter on the screen, but it also means that required controls may not be visible until you enable them. To change the configuration of the Volume Control, select its menu option Edit

With all of the sound card controls in front of you, you can now experiment to see which control is preventing the test sound from reaching your ears. After each adjustment, test the result by clicking on the Play button in the Soundcard Detection tool. First, check to make sure that your Pulse Code Modulation (PCM), Master, Headphone, and Master Mono outputs are turned up and not muted (i.e., the Volume Control speaker icons are not crossed out or the KMix LEDs are illuminated). If that doesn't solve the problem, experiment with the switches (such as External Amplifier) and the PCM output path/3-D processing.

After you have set the options you want, they will be saved and restored by default the next time you log in, so for most users this is a one-time (per user) configuration step.

Once you have found the correct sound device, select the Settings tab in the Audio Configuration window (Figure 2-21) and set the Default Audio Card and Default PCM Device. Click OK to save your configuration and exit.

Once you have sound working, you can change the volume level by placing your mouse over the volume-control panel applet and rolling the mouse wheel: away from you increases the volume; toward you decreases the volume. If you don't have a mouse wheel, click on the volume panel applet to reveal a slider control. To mute the sound, right-click on the panel applet and select Mute.

To configure sound when using a text console, type:

    $ alsamixer

The AlsaMixer display is shown in Figure 2-23. Use the left/right cursor keys to select a control, up/down to set levels, Tab to switch between the Playback/Capture (Output/Input) views, M to mute, and Escape to exit.

Figure 2-23. AlsaMixer display

2.6.2. How Does It Work?

Fedora uses the Advanced Linux Sound Architecture system (ALSA), which has replaced the Open Sound System (OSS) used in older Linux kernels. The ALSA interface is generally more advanced than the OSS interface; however, OSS is used on many Unix systems, so ALSA also provides an OSS-compatible sound interface for the convenience of cross-platform software developers.

ALSA uses devices in the /dev/snd directory such as /dev/snd/controlC0, which is used by the Volume Control and KMix tools to control the first sound card (C0). Devices for OSS compatibility are in the /dev directory and include /dev/dsp, /dev/audio, and /dev/mixer.

Most sound chips have several inputs (in some cases, a few dozen inputs), which are routed through various sound paths to arrive at one or more outputs. Most of these inputs have a description assigned by the chip designer, but it's not necessary for the sound card designer to use a particular input for its designated purpose, and it's also not guaranteed that the system builder will connect a given signal source to the appropriate input on the sound card. Since the ALSA drivers generally use the designations provided by the chip documentation, you may find situations where the Video control manages the CD-ROM volume, or the Headset control affects the main speaker output. It's not uncommon for different sound card models to use the same chipsets, with the support circuitry for some features left off of the budget models. In these cases, ALSA has no idea which features are wired up and which ones have been omitted, which explains why there are so many controls that don't do anything.

The Soundcard Detection tool is a Python script named system-config-soundcard. This script configures the file /etc/asound.conf with the selected default PCM device. When the system is shut down, the script /etc/rc.d/init.d/halt saves the sound configuration (including mixer settings) to /etc/asound.state. The state is restored by the Udev subsystem using the program /etc/dev.d/sound/alsa.dev when the sound devices are detected during system boot.

2.6.3. What About...

2.6.3.1. ...allowing multiple users to use a sound device at the same time?

When a user logs in, Fedora assigns ownership of the sound devices to that user and sets the permissions so that only that user can open them. If you want to allow several users (including those remotely logged in) to use sound at the same time, you can change the permissions of the sound devices so that they're universally accessible:

    $ chmod 0777 /dev/snd/* /dev/mixer* /dev/audio* /dev/dsp*

To make this the default configuration, add this line to the end of the system-wide login script, /etc/profile.

2.6.3.2. ...controlling the volume levels from the command line or a script?

The amixer utility provides command-line access to the sound controls. Run without arguments, it will tell you all of the current settings (which can run into hundreds of lines of output):

    $ amixer
    Simple mixer control 'Master',0
      Capabilities: pvolume pswitch pswitch-joined
      Playback channels: Front Left - Front Right
      Limits: Playback 0 - 31
      Mono:
      Front Left: Playback 17 [55%] [on]
      Front Right: Playback 17 [55%] [on]
    Simple mixer control 'Master Mono',0
      Capabilities: pvolume pvolume-joined pswitch pswitch-joined
      Playback channels: Mono
      Limits: Playback 0 - 31
      Mono: Playback 14 [45%] [on]
    Simple mixer control 'Headphone',0
      Capabilities: pvolume pswitch pswitch-joined
      Playback channels: Front Left - Front Right
      Limits: Playback 0 - 31
      Mono:
      Front Left: Playback 20 [65%] [on]
      Front Right: Playback 20 [65%] [on]
    ...(Lines snipped)...

You can generate a more compact list of just the simple mixer control names using the scontrols subcommand as an argument:

    $ amixer scontrols
    Simple mixer control 'Master',0
    Simple mixer control 'Master Mono',0
    Simple mixer control 'Headphone',0
    Simple mixer control '3D Control - Center',0
    Simple mixer control '3D Control - Depth',0
    Simple mixer control '3D Control - Switch',0
    Simple mixer control 'PCM',0
    ...(Lines snipped)...
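As an added example (not the book's code), here is a Python parser for the per-control listing format shown above, with helpers that convert between the raw levels and the percentages amixer displays, list the controls that are switched off (the first thing to check when the test sound is silent), and build the argument vector for the amixer set subcommand described next. SAMPLE and all function names are this example's own; SAMPLE is constructed from the book's listing, with Master Mono switched off so the mute check has something to find.

```python
"""Parse the per-control listing that amixer prints (the format shown above) and
convert between raw levels and the percentages it displays, so a script can work
out the value to hand to 'amixer set'. Added example, not the book's code; SAMPLE is
constructed from the book's listing, and nothing here talks to a sound card."""
import re
from typing import Dict, List, Tuple

CONTROL_RE = re.compile(r"^Simple mixer control '(?P<name>[^']+)',(?P<index>\d+)$")
LIMITS_RE = re.compile(r"^\s*Limits: Playback (?P<lo>\d+) - (?P<hi>\d+)$")
CHANNEL_RE = re.compile(
    r"^\s*(?P<chan>[A-Za-z ]+?): Playback (?P<raw>\d+) \[(?P<pct>\d+)%\] \[(?P<sw>on|off)\]$")


def parse_amixer(text: str) -> Dict[str, dict]:
    """Map each control name to its raw limits and per-channel level/switch state."""
    controls: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = CONTROL_RE.match(line)
        if m:  # a new "Simple mixer control" header starts a new record
            current = controls.setdefault(m.group("name"), {"limits": None, "channels": {}})
            continue
        if current is None:
            continue
        m = LIMITS_RE.match(line)
        if m:
            current["limits"] = (int(m.group("lo")), int(m.group("hi")))
            continue
        m = CHANNEL_RE.match(line)
        if m:  # e.g. "Front Left: Playback 17 [55%] [on]"; a bare "Mono:" is skipped
            current["channels"][m.group("chan")] = {
                "raw": int(m.group("raw")), "pct": int(m.group("pct")),
                "on": m.group("sw") == "on"}
    return controls


def percent_of(raw: int, limits: Tuple[int, int]) -> int:
    """Percentage for a raw level, rounded to the nearest whole percent."""
    lo, hi = limits
    return round(100 * (raw - lo) / (hi - lo))


def raw_for_percent(pct: int, limits: Tuple[int, int]) -> int:
    """Raw level for a target percentage, clamped to the control's limits."""
    lo, hi = limits
    pct = max(0, min(100, pct))
    return lo + round((hi - lo) * pct / 100)


def set_command(controls: Dict[str, dict], name: str, pct: int) -> List[str]:
    """Argument vector for 'amixer set <control> <raw>' at the requested percentage."""
    return ["amixer", "set", name, str(raw_for_percent(pct, controls[name]["limits"]))]


def muted_controls(controls: Dict[str, dict]) -> List[str]:
    """Controls whose every channel is switched off."""
    return [name for name, c in controls.items()
            if c["channels"] and not any(ch["on"] for ch in c["channels"].values())]


SAMPLE = """\
Simple mixer control 'Master',0
  Capabilities: pvolume pswitch pswitch-joined
  Playback channels: Front Left - Front Right
  Limits: Playback 0 - 31
  Mono:
  Front Left: Playback 17 [55%] [on]
  Front Right: Playback 17 [55%] [on]
Simple mixer control 'Master Mono',0
  Capabilities: pvolume pvolume-joined pswitch pswitch-joined
  Playback channels: Mono
  Limits: Playback 0 - 31
  Mono: Playback 14 [45%] [off]
Simple mixer control 'Headphone',0
  Capabilities: pvolume pswitch pswitch-joined
  Playback channels: Front Left - Front Right
  Limits: Playback 0 - 31
  Mono:
  Front Left: Playback 20 [65%] [on]
  Front Right: Playback 20 [65%] [on]
"""
```

The percentages recomputed by percent_of from the raw levels in SAMPLE agree with the ones in the listing (17 of 31 is 55%, 20 of 31 is 65%), which is a quick way to confirm the parser read the right columns.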
To get the setting for a single control, use the get subcommand: $ amixer get Master Simple mixer control 'Master',0  Capabilities: pvolume pswitch  Playback channels: Front Left - Front Right  Limits: Playback 0 - 31   Mono:  Front Left: Playback 20 [65%] [on]  Front Right: Playback 20 [65%] [on] To change a setting, use the set subcommand: $ amixer set Master 31 Simple mixer control 'Master',0  Capabilities: pvolume pswitch  Playback channels: Front Left - Front Right  Limits: Playback 0 - 31  Mono:  Front Left: Playback 31 [100%] [on]  Front Right: Playback 31 [100%] [on] 2.6.3.3. ...playing or recording an audio file from the command line? There are many different audio file formats, and Fedora includes many different media players so that you can listen to them (including Totem, Mplayer, and Xine). Fedora Core also includes the sox utility to convert between formats; the sox package also includes a handy script named play that can be run from the command line. It converts just about any file into an appropriate format for output and sends the sound to your speakers: $ play /usr/share/sounds/KDE_Startup_2.ogg You can also apply various sox effects to the output. To play a file backward at a reduced volume: $ play /usr/share/sounds/KDE_Startup_2.ogg -v 0.2 reverse The sox package also includes the rec script to record sound: $ rec /tmp/x.ogg Send break (control-c) to end recording          Ctrl-C 2.6.4. Where Can I Learn More? alsactl, alsamixer, amixer, speaker-test, sox, play, and rec 2.7. Adding and Configuring Fonts Although Fedora ships with a good set of basic fonts, many users find it useful to add more fonts. Fortunately, this is very easy to do, either graphically or from the command line. 2.7.1. How Do I Do That? Fonts can be easily added or removed by manually copying the font files or by using the file managers: Nautilus (GNOME) or Konqueror (KDE). 2.7.1.1. 
Adding and removing fonts using GNOME Nautilus GNOME's Nautilus file manager has a special URI for viewing and managing fonts. To access it: 1. Start Nautilus; use the My Computer or Home desktop icons, the panel bar icons, or any folder in the Places menu. 2. Select Open Location from the Nautilus File menu, or press Ctrl-L. An Open Location dialog will appear. 3. Enter fonts:/ in the location text box. Figure 2-24 shows the Nautilus font display. Figure 2-24. Font display in GNOME's Nautilus file manager The lower- and uppercase letter A of each font are displayed, if the font has those characters. Double-clicking on a font (or right-clicking and selecting " Open with GNOME Font Viewer") will display some basic information about the fontincluding the license, file size, and font stylealong with an extended font sample, as shown in Figure 2-25 . Figure 2-25. GNOME font viewer To install fonts into your personal font directory (~/.fonts), simply drag and drop them into the Nautilus font window. The fonts may not show up in the Nautilus display until you log out and log in again, but they will be installed and immediately accessible to applications when they start (if an application is already running, just restart that application to gain access to the new fonts). To install fonts that are in a compressed archive, such as those from http://www.1001freefonts.com , click on the .zip archive link (i.e., for the Windows font) in your web browser, then select "Open with Archive Manager" as the action. You can then drag and drop the file from the Archive Manager window to the Nautilus font window. A personal font can be deleted in the same way that a file is deleted using Nautilus: drag it from the Nautilus window to the trash can, or right-click on it and select "Move to Trash." Nautilus does not permit you to install or delete system-wide fonts. However, Konqueror does, and it is possible to run Konqueror within a GNOME session. 
One easy way of doing this is to press Alt-F2 and enter konqueror in the Run Application dialog that appears.

2.7.1.2. Adding and removing fonts using KDE Konqueror

KDE's Konqueror file and web browser enables you to view, install, and delete fonts from both the system-wide font directories and your personal font directory. To access this mode:

1. Start Konqueror, using the Home or Web Browser panel icons, or the K menu.
2. Enter fonts:/ into the location field.

The window will show icons labeled Personal and System; double-click on the group you wish to see, and the display shown in Figure 2-26 will appear (the System group is shown here).

Figure 2-26. Konqueror system font display

Double-clicking on a font will present the KFontView window shown in Figure 2-27, showing an extended font sample. Clicking on the T icon will enable you to change the sample sentence; the default sentence is the same pangram used in the GNOME font viewer.

Figure 2-27. KFontView window

To add fonts, simply drag and drop them into the font window. If you drop them into the system font window, you will be prompted to enter the root password. To delete a font, treat it like a file: drag and drop it onto the trash can, or right-click and select Delete. As with installation, you will be prompted for the root password if the font is from the system font window. You can also install and remove fonts through the KDE Control Center.

2.7.1.3. Adding and removing fonts from the command line

When an application starts, the font configuration system automatically scans ~/.fonts (your personal font directory) as well as /usr/share/fonts (the system-wide font directory). Any changes to the fonts contained in those directories are detected automatically, so adding fonts is simply a matter of placing files into those directories, and removing fonts is simply a matter of deleting them. 
For example, if you have a compressed tar file named /tmp/newfonts.tgz containing a folder named newfonts full of TrueType fonts and wish to install them for your own private use, you can use these commands:

$ cd ~/.fonts
$ tar xvzf /tmp/newfonts.tgz "*.ttf" "*.TTF"

Or, to install the fonts so that they are accessible to all users system-wide:

# cd /usr/share/fonts
# mkdir newfonts
# cd newfonts
# tar xvzf /tmp/newfonts.tgz "*.ttf" "*.TTF"

To delete all of your personal fonts:

$ rm -rf ~/.fonts/*

And to delete the system-wide fonts installed in newfonts:

# rm -rf /usr/share/fonts/newfonts

2.7.1.4. Installing the Microsoft fonts

Web pages and documents created on Microsoft systems often use fonts that are distributed with Windows. For a time, Microsoft made these fonts available free of charge on its web site; although they are no longer available directly from Microsoft, they are available from fontconfig.org under Microsoft's fairly simple licensing terms, documented in http://fontconfig.org/webfonts/Licen.TXT . Installing these fonts makes it possible to view Word and Excel documents and web pages created under Windows as they were originally designed. Mozilla, Firefox, OpenOffice, and other applications can all use these fonts.

In order to install these fonts, you'll need to obtain a copy of the cabextract program to extract the fonts from archives created in Microsoft's proprietary CAB format:

# yum install cabextract

Once cabextract is installed, you can easily install the Microsoft fonts from the command line:

# wget http://fontconfig.org/webfonts/webfonts.tar.gz
# tar xvzf webfonts.tar.gz
# cd msfonts
# cabextract *.exe
# mkdir /usr/share/fonts/microsoft
# cp *.[tT]* /usr/share/fonts/microsoft
# cd ..
# rm -rf msfonts
# fc-cache

The archive is fetched over plain HTTP and carries no signature, and tar and cabextract are both being run as root on it. If you prefer to be cautious, download and unpack it as an ordinary user (tar tzf webfonts.tar.gz lists the contents before you extract anything), copy only the .ttf and .TTF files into /usr/share/fonts/microsoft as root, and run fc-cache afterward. The .exe files are Windows self-extracting archives; cabextract only unpacks the fonts from them, and there is no reason to execute them.

2.7.1.5. Using newly installed fonts

Applications load their font lists at startup time, so simply relaunching an application is usually all that is required before you can start using new fonts. 
The command fc-cache will create an index cache to speed application startup. To use it:

$ fc-cache
# fc-cache

Running fc-cache as a regular user will create the index cache for ~/.fonts, which is not really necessary because the index cache will be created automatically. Running it as root will create the index cache for /usr/share/fonts and is strongly recommended; otherwise, an index of the system-wide fonts will be created for each individual user, wasting time and storage space.

2.7.1.6. Configuring font rendering options

Font rendering can be tuned to adjust the font appearance to suit user preferences and the display hardware in use. Both GNOME and KDE provide configuration tools to configure font rendering. The GNOME configuration window shown in Figure 2-28 is accessed from the System menu.

Figure 2-28. GNOME font-rendering preferences tool

Figure 2-29. KDE font rendering preferences tool

In both cases, you can enable or disable antialiasing, adjust the hinting level, and set the subpixel order. On an older system with a slow CPU and/or low memory resources, turning off antialiasing can make enough of a performance difference to turn an unbearably slow system into one that performs reasonably. When antialiasing is enabled, the hinting level can be set according to user preference; experiment and see what looks best. If you have an LCD screen, select "Smoothing: Subpixel (LCD)" in GNOME or "Use Subpixel Smoothing" in KDE. You'll also need to select the order of the red, green, and blue elements on your screen; since this information is almost never documented in the hardware specifications, use a large magnifying glass or experiment until you find the setting that looks the best.

2.7.2. How Does It Work?

X Window System programs use one of two different font systems. The old system, known as core fonts, is still used by a few applications and is needed to start the X server. 
Almost all current applications use a system comprising two components: FreeType and fontconfig, two software libraries that provide high-quality font rendering and font matching. Since these are client-side libraries accessed by applications, each application separately handles its own font operations.

FreeType's subpixel rendering capability is, by and large, useful only on LCDs. It involves treating each of the RGB color elements in a pixel as a partial pixel. Figure 2-30 shows an enlarged diagonal line border between black and white regions on an LCD screen, rendered using subpixel rendering.

Figure 2-30. Subpixel rendering on an LCD panel

Note that each pixel is comprised of a red, a green, and a blue element; on this display, they are arranged horizontally in R-G-B order. In the first row, there is one white pixel. In the second row, there is a white pixel followed by one-third of a white pixel, which, in this case, means a red pixel. The third row consists of a white pixel followed by two-thirds of a pixel, a red-plus-green pixel, which displays as yellow. The fourth row contains two white pixels. It seems odd that a color pixel would be perceived as a partial pixel, but it works because of sophisticated algorithms and the fact that the subpixels are a continuation of the R-G-B element pattern on the line.

2.7.3. What About...

2.7.3.1. ...getting a list of available fonts?

The fc-list program (a utility provided with Fontconfig) will list all of the fonts available through the Xft/Fontconfig system:

$ fc-list
Luxi Serif:style=Regular
MiscFixed:style=Regular
Utopia:style=Bold Italic
Nimbus Sans L:style=Regular Italic
Bitstream Vera Sans Mono:style=Bold
Webdings:style=Regular
Console:style=Regular
URW Palladio L:style=Roman
Century Schoolbook L:style=Bold Italic
Luxi Serif:style=Bold
...(snip)...

The list isn't in any sort of order, and it contains a lot of information about the styles available for each font, so it's not very readable. 
Using some arguments and the sort command will produce a much more readable list of available font faces: $ fc-list : family|sort -u Andale Mono Arial Arial Black Bitstream Charter Bitstream Vera Sans Bitstream Vera Sans Mono Bitstream Vera Serif Century Schoolbook L Comic Sans MS Console console8x8 Courier ...(snip).. 2.7.3.2. ...specifying a font name? Fontconfig font names are very easy to use: just specify the font face you wish to use. You can optionally include a size (separated by a hyphen) or font attribute name/value pairs (after a colon). For matching purposes, you can specify multiple values for the font name or size, separated by commas. The first matching value will be selected. Table 2-4 lists some font names expressed using this notation. Table 2-4. Fontconfig font names Font name Meaning Courier-12 Courier face, 12-point size Utopia:style=italic Utopia face in italics Helvetica,Arial,Swiss-12 Helvetica, Arial, or Swiss face (preferred in that order), 12-point size Fixed-12,16,10 Fixed face in 12-, 16-, or 10-point size (preferred in that order) For a complete list of font properties that can be used in font names, see the documentation on the Fontconfig web site at http://fontconfig.org . Note that many of the properties mentioned in the documentation are not used; on most systems, style is the only property specified for most of the fonts. xterm has support for Fontconfig/Xft and can be used to test a Fontconfig font name. The command-line option to use is -fa (face); if the font name contains spaces, be sure to quote it on the command line. Here are some examples: $ xterm -fa courier $ xterm -fa courier-12 $ xterm -fa courier-18:style=italic $ xterm -fa "Bitstream Vera Sans Mono-16:style=bold" $ xterm -fa foo,bar,baz,utopia,courier,qux-12,18,10:style=italic If the selected font does not use character-cell spacing, xterm will add considerable spacing between characters (the last example demonstrates this). 2.7.4. Where Can I Learn More? 
The manpages for fc-list, fc-cache, and Xft

2.8. Using USB Storage

USB is a widely used interface for peripherals. It's intelligent, fast, hot-pluggable, uses a compact and foolproof connector, and even provides a couple of watts of power for small devices. Many USB devices fall into the storage class, including cameras, portable music players, and storage card readers. These devices can easily be used with Fedora.

2.8.1. How Do I Do That?

Using USB storage in Fedora Core is easy: simply insert the USB storage device into any available USB port. If you're using GNOME, the device will be mounted, an icon will appear on the desktop, and a window will open showing the contents of the device. When you insert a USB storage device while running KDE, the dialog in Figure 2-31 appears with two options: "Open in New Window" and "Do Nothing." Choose one of the options and click OK. If you want to skip this dialog next time you insert a storage device, select the checkbox labeled "Always do this for this type of media."

Figure 2-31. KDE USB Storage action dialog

The action performed when a new USB storage device is detected is configurable in both GNOME and KDE.

2.8.1.1. Safely removing a USB drive

Before unplugging a USB drive, you should unmount it to prevent data loss. In GNOME and KDE, right-click on the drive's desktop icon and select the menu option Unmount Volume or Remove Safely. Wait until the activity lights stop blinking and then unplug the drive.

2.8.1.2. Configuring default actions in GNOME

To configure the action taken when GNOME detects a new USB storage device, open the Removable Drives and Media Preferences tool from the System menu (Figure 2-32).

Figure 2-32. Removable Drives and Media Preferences tool

The first tab, Storage, contains four checkboxes for USB storage devices:

Mount removable drives when hot-plugged
Freshly inserted USB drives will be mounted, and a corresponding icon will appear on the desktop. 
Mount removable media when inserted
Freshly inserted media such as CDs and DVDs will be mounted, and an icon will appear on the desktop. This option does not apply to media inserted into a memory-card reader! Use the "Mount removable drives when hot-plugged" option for memory cards.

Browse removable media when inserted
Removable drives and removable media will be displayed in a Nautilus window when they are mounted, regardless of whether they are mounted automatically (depending on the settings of the checkboxes) or manually.

Auto-run programs on new drives and media
Searches for a file named autorun on newly mounted media, prompts the user for confirmation, and then executes that file. The file may be a script or a compiled program. The auto-run feature does not work with automatically mounted media because GNOME takes the precaution of mounting media with the noexec option, which prevents direct execution of files (including autorun files). It does work with manually mounted media. Be aware of what noexec does and does not do: it stops the kernel from executing a file on that volume directly, but a script on a noexec volume can still be run by handing it to its interpreter (for example, sh /media/disk/script). GNOME also mounts removable media with nosuid and nodev, which are what stop a set-UID binary or a device node planted on someone else's USB key from being honored on your system. Leave this option unchecked unless you trust every piece of media you will ever plug in.

The third tab, Cameras, has a checkbox labeled "Import digital photos when connected." When checked (which is the default), GNOME will look for a directory named dcim on any newly mounted USB media. If found, it will run the specified command (the default is gthumb-import).

2.8.1.3. Configuring default actions in KDE

To configure the behavior of KDE when storage devices are inserted, open the KDE Control Center and select the Peripherals configuration category (Figure 2-33).

Figure 2-33. KDE Removable Media configuration

Select Unmounted Removable Medium in the "Medium types" menu. Two actions will be displayed: "Open in New Window," which mounts the drive and opens a Konqueror browse window, and Do Nothing, which causes a drive icon to be displayed on the desktop, which, when clicked, will mount and browse the drive. To set one of these actions as the default, click on it, then click "Toggle as Auto Action," and then Apply. 
The selected action will take place automatically when new media is detected. 2.8.2. How Does It Work? When a USB storage device is detected by the USB drivers, the hal subsystem takes note and sends a message on the dbus , a messaging system for desktop applications. GNOME or KDE desktop applications listen for messages on the dbus and then perform the action you have configured, such as mounting the drive or displaying the drive contents in a window. USB devices use a set of data items called descriptors to inform the controlling host of their capabilities. The Class descriptor is used to identify storage devices. These devices, which understand the same commands used to control SCSI disk drives, are given a device name in the form /dev/sd where is a sequential drive letter ( sd stands for SCSI disk ). Partitions within a USB storage device, if present, are given device names in the form /dev/sd where

is the partition number (1 is the first partition). When a drive is mounted in a Fedora system, a record of the mount is made in /etc/mtab, which can be viewed with the mount command:

$ mount
/dev/mapper/main-root on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/md0 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
/dev/mapper/main-home on /home type ext3 (rw)
/dev/mapper/main-var on /var type ext3 (rw,acl)
/dev/sda on /media/spreadsheet type ext2 (rw,noexec,nosuid,nodev)
/dev/sdb on /media/disk type vfat (rw,noexec,nosuid,nodev,shortname=winnt,uid=500)

This particular single USB storage device appears as two separate devices, shown in the last two lines of this example: a disk drive, mounted using the filesystem label as the mount point (/media/spreadsheet), and a floppy disk (mounted as /media/disk in the output above). This is a common configuration used on older USB keys; the emulated floppy disk device is intended to store encryption or password software for accessing the main storage device. Removable media is mounted under the /media directory.

Note the options on both removable mounts: noexec (files on the volume cannot be executed directly), nosuid (set-UID and set-GID bits are ignored), and nodev (device nodes on the volume are not honored). Together they keep a stranger's USB key from carrying a set-UID root shell or a device node for your hard disk onto your system, and they are the reason the auto-run feature described earlier does not work with automatically mounted media. A volume you mount by hand with a bare mount command gets none of these options unless you ask for them.

A more useful way of looking at the /etc/mtab table is to use df:

# df -h
Filesystem             Size  Used Avail Use% Mounted on
/dev/mapper/main-root   30G  8.9G   20G  32% /
/dev/md0               251M   33M  205M  14% /boot
tmpfs                  506M     0  506M   0% /dev/shm
/dev/mapper/main-home   31G  5.9G   25G  20% /home
/dev/mapper/main-var    36G   26G  9.3G  74% /var
/dev/sda               120M  1.6M  112M   2% /media/spreadsheet
/dev/sdb               1.4M   70K  1.4M   5% /media/disk

This shows most of the information displayed by mount, but with a nice column layout showing the total size, amount of storage used, and the available space. /proc/mounts contains the same information as /etc/mtab but is generated directly from the kernel's data structures (and is therefore more reliable). The kernel uses memory as a buffer, writing data to disk periodically. 
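The noexec, nosuid and nodev options in the mount output above are worth checking rather than assuming, because a volume mounted by hand does not get them. The following script is an added example for this lab (it is not code from the book): it parses the table that mount prints, and the fstab-style lines that /etc/mtab and /proc/mounts hold, and reports every mount under /media that lacks one of the three options. It assumes removable media live under /media, as they do in Fedora's hal-driven setup; the sample tables are constructed for this example from the mount output above plus one hand-mounted stick.

```python
"""Audit mount options on removable media (added example, not from the book).

Parses either the output of the 'mount' command or /proc/mounts (/etc/mtab)
and reports removable mounts under /media missing noexec, nosuid or nodev.
Assumption: removable media are mounted under /media (Fedora's hal layout).
"""
import re
from typing import Dict, FrozenSet, List, NamedTuple

REQUIRED = ("noexec", "nosuid", "nodev")   # options a removable mount should carry
REMOVABLE_PREFIX = "/media/"                # where hal/gnome-mount put hot-plugged media

# 'mount' command output: DEVICE on MOUNTPOINT type FSTYPE (opt1,opt2,...)
_MOUNT_CMD_RE = re.compile(r"^(\S+) on (.+) type (\S+) \(([^)]*)\)$")


class Mount(NamedTuple):
    device: str
    mountpoint: str
    fstype: str
    options: FrozenSet[str]


def _unescape(path: str) -> str:
    """/proc/mounts and /etc/mtab write space, tab, newline and backslash as \\040 etc."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def parse_mount_table(text: str) -> List[Mount]:
    """Parse 'mount' output or fstab-style lines (dev mountpoint fstype options ...)."""
    mounts: List[Mount] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _MOUNT_CMD_RE.match(line)
        if m:
            dev, mnt, fstype, opts = m.groups()
        else:
            fields = line.split()
            if len(fields) < 4:          # fstab-style needs at least dev mnt type opts
                continue
            dev, mnt, fstype, opts = fields[:4]
        mounts.append(Mount(_unescape(dev), _unescape(mnt), fstype,
                            frozenset(o for o in opts.split(",") if o)))
    return mounts


def audit_removable(mounts: List[Mount]) -> Dict[str, List[str]]:
    """Map each removable mountpoint to the REQUIRED options it lacks ({} means all good)."""
    findings: Dict[str, List[str]] = {}
    for m in mounts:
        if not m.mountpoint.startswith(REMOVABLE_PREFIX):
            continue
        missing = [opt for opt in REQUIRED if opt not in m.options]
        if missing:
            findings[m.mountpoint] = missing
    return findings


def audit_text(*tables: str) -> Dict[str, List[str]]:
    """Parse any number of mount tables (of either format) and audit them together."""
    mounts: List[Mount] = []
    for table in tables:
        mounts.extend(parse_mount_table(table))
    return audit_removable(mounts)


# Constructed sample: the book's 'mount' output, automatically mounted by hal.
SAMPLE_MOUNT_OUTPUT = """\
/dev/mapper/main-root on / type ext3 (rw)
proc on /proc type proc (rw)
/dev/md0 on /boot type ext3 (rw)
/dev/sda on /media/spreadsheet type ext2 (rw,noexec,nosuid,nodev)
/dev/sdb on /media/disk type vfat (rw,noexec,nosuid,nodev,shortname=winnt,uid=500)
"""
# Constructed sample /proc/mounts line: a stick mounted by hand with a bare 'mount'
# on a mountpoint containing a space (escaped as \\040), so it lacks the options.
SAMPLE_PROC_MOUNTS = """\
/dev/sdc1 /media/usb\\040key vfat rw,uid=500 0 0
"""

if __name__ == "__main__":
    # On a live system, replace the samples with open("/proc/mounts").read().
    for mountpoint, missing in audit_text(SAMPLE_MOUNT_OUTPUT, SAMPLE_PROC_MOUNTS).items():
        print(f"{mountpoint}: missing {','.join(missing)}")
```

Run against the samples, the two hal-mounted volumes pass and the hand-mounted /media/usb key is reported as missing all three options. Pointing audit_text at the contents of /proc/mounts rather than /etc/mtab is the better choice on a live system, for the reason given above: it comes straight from the kernel.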
Unmounting a disk flushes the buffer to disk immediately and updates the disk control structures to indicate that the drive is in a consistent (clean) state. If a drive is removed while mounted, some data (including parts of files) may not be written to the disk, resulting in data corruption.

2.8.3. What About...

2.8.3.1. ...partitioning a flash drive?

You can use the standard fdisk utility to partition a flash drive (after unmounting it, if necessary). Here is an example in which fdisk is used to divide a 64 MB flash drive into two partitions:

# fdisk /dev/sdb

Since fdisk is an interactive tool, it's necessary to enter single-letter commands to specify the changes that should be made to the partition table. First, print the partition table on the screen so you can review it:

Command (m for help): p

Disk /dev/sdb: 65 MB, 65536000 bytes
3 heads, 42 sectors/track, 1015 cylinders
Units = cylinders of 126 * 512 = 64512 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1        1015       63924   83  Linux

This table shows a 64 MB device (65,536,000 bytes, addressed as 1,015 cylinders of 64,512 bytes each) with one partition. If the display does not match the device you are trying to partition (compare the size and layout with what dmesg reported when you plugged the drive in), you may be partitioning the wrong device; enter q to exit immediately! Nothing is written to the drive until you give the w command. 
Delete the old partition: Command (m for help): d Selected partition 1 Create a new primary partition number 1 that is 30 MB in size: Command (m for help): n Command action  e extended  p primary partition (1-4) p Partition number (1-4): 1 First cylinder (1-1015, default 1): ENTER Using default value 1 Last cylinder or +size or +sizeM or +sizeK (1-1015, default 1015): +30M   Create a new primary partition number 2, taking up the rest of the drive: Command (m for help): n Command action  e extended  p primary partition (1-4) p Partition number (1-4): 2 First cylinder (467-1015, default 467): ENTER Using default value 467 Last cylinder or +size or +sizeM or +sizeK (467-1015, default 1015): ENTER Using default value 1015 Print the partition table to check it: Command (m for help): p Disk /dev/sdb: 65 MB, 65536000 bytes 3 heads, 42 sectors/track, 1015 cylinders Units = cylinders of 126 * 512 = 64512 bytes  Device Boot Start End Blocks Id System /dev/sdb1 1 466 29337 83 Linux /dev/sdb2 467 1015 34587 83 Linux Set the type code for the two partitions: Command (m for help): t Partition number (1-4): 1 Hex code (type L to list codes): L  0 Empty 1e Hidden W95 FAT1 80 Old Minix be Solaris boot  1 FAT12 24 NEC DOS 81 Minix / old Lin bf Solaris  2 XENIX root 39 Plan 9 82 Linux swap / So c1 DRDOS/sec (FAT- ...(snip)...  9 AIX bootable 4f QNX4.x 3rd part 8e Linux LVM df BootIt  a OS/2 Boot Manag 50 OnTrack DM 93 Amoeba e1 DOS access  b W95 FAT32 51 OnTrack DM6 Aux 94 Amoeba BBT e3 DOS R/O  c W95 FAT32 (LBA) 52 CP/M 9f BSD/OS e4 SpeedStor  e W95 FAT16 (LBA) 53 OnTrack DM6 Aux a0 IBM Thinkpad hi eb BeOS fs ...(snip)... 1c Hidden W95 FAT3 75 PC/IX Hex code (type L to list codes): c Changed system type of partition 1 to c (W95 FAT32 (LBA)) Command (m for help): t Partition number (1-4): 2 Hex code (type L to list codes): c Changed system type of partition 2 to c (W95 FAT32 (LBA)) Write (save) and exit: Command (m for help): w The partition table has been altered! 
Calling ioctl() to re-read partition table.
Syncing disks.

The partition type used, c, indicates that the partition will contain a FAT filesystem. This enables compatibility with Windows and Mac OS X systems and is also necessary for most camera flash-memory cards and digital music players. Once the partitions have been created, they can be formatted with mkfs:

# mkfs -t vfat -n spreadsheet -F 32 /dev/sdb1
mkdosfs 2.10 (22 Sep 2003)
# mkfs -t vfat -n database -F 32 /dev/sdb2
mkdosfs 2.10 (22 Sep 2003)

You may need to remove and reinsert the drive to force the kernel to load the new partition table before you can format the partitions.

The option -F 32 forces the use of 32-bit file allocation tables, which is not strictly necessary for drives under 512 MB in size but is required for larger drives and matches the filesystem type assigned to the partition by the previous fdisk command. The -n labelname option sets the filesystem label, which will be used to determine the mount point for the filesystem: the label becomes the directory name under /media, so keep it to plain alphanumeric characters.

If you have ever used your USB drive without a partition table (formatting /dev/sda instead of /dev/sda1, for example), erase the master boot record (MBR) before partitioning to prevent the drive from later being detected as unpartitioned and mounted incorrectly:

# dd bs=1k count=1 if=/dev/zero of=/dev/sdb

Double-check the of= device name before you press Enter: dd asks no questions, and aimed at the wrong disk it wipes that disk's partition table just as happily.

2.8.3.2. ...using a Linux filesystem such as ext2 on a USB storage device?

You can use ext2 or any other filesystem on a USB storage device, but that will reduce compatibility with other systems. To format the partition /dev/sdb2 with an ext3 filesystem:

# mkfs -t ext3 /dev/sdb2

2.8.3.3. ...accessing USB storage from a nongraphical application?

Automatically mounted storage media are mounted to the directory /media/


In an elementary configuration, Apache is responsible for mapping the web namespace to the local filesystem namespace, performing access control and logging, collecting the requested resource (either by reading a file or executing code), and sending the resource to the client.

7.5.3. What About...

7.5.3.1. ...interpreting the Apache logfiles?

Logfiles come in two forms: access logs and error logs. An access log in the common format contains entries like these (all on one line):

24.43.223.54 - - [28/Feb/2006:22:01:33 -0500] "GET / HTTP/1.1" 200 956

The fields here are the IP address of the remote host (24.43.223.54); the remote user's identity as reported by the RFC 1413 ident protocol (-, which is almost always empty); the username supplied by HTTP authentication (-, because the user did not authenticate); the date, time, and time zone of the request ([28/Feb/2006:22:01:33 -0500]); the request line (GET / HTTP/1.1); the status code returned to the client (200, meaning OK); and the number of bytes of content sent to the client, not counting headers (956).

If you use the combined log format, the entries will look like this:

24.43.223.54 - - [28/Feb/2006:22:01:33 -0500] "GET / HTTP/1.1" 200 956 "http://www.fedorabook.com/index.html" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20060202 Fedora/1.0.7-1.2.fc4 Firefox/1.0.7"

The additional fields are the referring page, which linked to or contained the information requested (http://www.fedorabook.com/index.html), and the user agent header, which describes the client software (Firefox on a Fedora system in this case). The user agent information is interesting, but the referrer information is critical if you want to analyze where your visitors are coming from, which pages they visit first, and how they progress through your web site. Bear in mind that the request line, the referrer, and the user agent are all supplied by the client and can contain whatever the client chooses to send; treat them as untrusted input when you feed the logs to scripts or reporting tools.

The error logfile contains entries like this:

[Tue Feb 28 22:01:33 2006] [error] [client 24.43.223.54] File does not exist: /var/www/html/favicon.ico

This indicates the date and time, the severity (error), the client IP address, and the detail of the error. 
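Reading logfiles by eye works for a quiet server; for anything busier you will want to parse them. The following is an added example for this lab, not code from the book: it parses both the common and the combined access-log formats described above and the default error-log format, then runs two simple checks over the parsed records, flagging clients that collect many error responses and requests whose path contains a ".." traversal after URL-decoding. The sample lines are constructed for this example (the first is the book's own line; the 10.0.0.7 client and its requests are made up), and the threshold of three error responses is an arbitrary choice.

```python
"""Parse Apache access and error log lines and flag noisy clients.

Added example (not code from the book). Handles the common and combined
access-log formats and the default error-log format; the sample log lines
below are constructed for this example.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import unquote

# host ident authuser [time] "request" status bytes ["referer" "user-agent"]
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)
# [Tue Feb 28 22:01:33 2006] [error] [client 24.43.223.54] message
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<host>\S+)\] (?P<message>.*)$'
)


def parse_access_line(line: str) -> Optional[dict]:
    """Return a record for a common/combined access-log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()                    # referer/agent are None for common-format lines
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    parts = rec["request"].split(" ")
    if len(parts) == 3:                    # the normal "METHOD PATH PROTOCOL" request line
        rec["method"], rec["path"], rec["protocol"] = parts
    else:                                  # client sent something else; keep it raw as the path
        rec["method"], rec["path"], rec["protocol"] = "", rec["request"], ""
    return rec


def parse_error_line(line: str) -> Optional[dict]:
    """Return a record for a default-format error-log line, or None."""
    m = ERROR_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%a %b %d %H:%M:%S %Y")
    return rec


def noisy_clients(records: List[dict], threshold: int = 3) -> Dict[str, int]:
    """Clients that received at least `threshold` 4xx/5xx responses, with their counts."""
    errors = Counter(r["host"] for r in records if r["status"] >= 400)
    return {host: n for host, n in errors.items() if n >= threshold}


def traversal_attempts(records: List[dict]) -> List[dict]:
    """Requests whose path contains '..' once URL-encoding (%2e) is undone."""
    return [r for r in records if ".." in unquote(r["path"])]


def analyze(text: str, threshold: int = 3) -> dict:
    """Parse an access log and summarize what the two checks found."""
    records, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_access_line(line)
        if rec is None:
            unparsed += 1
        else:
            records.append(rec)
    return {"parsed": len(records), "unparsed": unparsed,
            "noisy": noisy_clients(records, threshold),
            "traversal": len(traversal_attempts(records))}


# Constructed sample: line 1 is the book's example; the rest are made up for this example.
SAMPLE_ACCESS = """\
24.43.223.54 - - [28/Feb/2006:22:01:33 -0500] "GET / HTTP/1.1" 200 956
24.43.223.54 - - [28/Feb/2006:22:01:33 -0500] "GET /favicon.ico HTTP/1.1" 404 295 "http://www.fedorabook.com/index.html" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20060202 Fedora/1.0.7-1.2.fc4 Firefox/1.0.7"
10.0.0.7 - - [28/Feb/2006:22:02:01 -0500] "GET /cgi-bin/../../etc/passwd HTTP/1.0" 404 288 "-" "-"
10.0.0.7 - - [28/Feb/2006:22:02:02 -0500] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 404 288 "-" "-"
10.0.0.7 - - [28/Feb/2006:22:02:03 -0500] "GET /admin/ HTTP/1.0" 403 290 "-" "-"
10.0.0.7 - - [28/Feb/2006:22:02:04 -0500] "\\x16\\x03\\x01" 400 - "-" "-"
this line is not an access-log entry
"""
SAMPLE_ERROR = "[Tue Feb 28 22:01:33 2006] [error] [client 24.43.223.54] File does not exist: /var/www/html/favicon.ico"

if __name__ == "__main__":
    print(analyze(SAMPLE_ACCESS))
    print(parse_error_line(SAMPLE_ERROR)["message"])
```

On the sample, the book's own client produces one harmless 404 (the favicon that the error log complains about) and is not flagged, while 10.0.0.7 is reported with four error responses and two traversal attempts; the sixth line shows why the request field must not be assumed to be "METHOD PATH PROTOCOL", since it is what a TLS handshake sent to a plain HTTP port looks like in the log.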
7.5.3.2. ...using a more secure authentication scheme than Basic?

The problem with basic authentication is that the user ID and password travel across the network in plain text (Base64-encoded, but not encrypted). Anyone snooping on the network can see the password. A slightly better approach is to use digest authentication: instead of the password itself, the browser sends an MD5 hash computed over the username, realm, password, a nonce issued by the server, and the request method and URI. A snooper does not see the password, but can run an offline dictionary attack against the captured hash, and MD5 is no longer considered a strong hash. This is still not nearly as secure as encrypting the connection. To use digest authentication, use the same authentication configuration as you would for basic authentication, but substitute Digest for the AuthType:

AuthType Digest
AuthName "prices"
AuthUserFile /var/www/digest
Require valid-user

Create the password file using the htdigest command instead of htpasswd. htdigest requires one additional argument in front of the username, called the realm; copy the value from the AuthName directive and use it for the realm. Here is an example:

# htdigest -c /var/www/digest prices chris
Adding password for chris in realm prices.
New password: confidentialpassword
Re-type new password: confidentialpassword
# htdigest /var/www/digest prices diane
Adding user diane in realm prices
New password: bigsecret
Re-type new password: bigsecret

htdigest does not accept the -b option used with htpasswd. Note that the digest file stores the MD5 hash of username:realm:password for each user, and that value is all a client needs in order to authenticate; protect the file as carefully as you would a plaintext password list, and keep it outside the DocumentRoot (/var/www/digest is outside /var/www/html, the default DocumentRoot, so it cannot be fetched over the web).

7.5.4. Where Can I Learn More?

http:/// (to disable access to the manual, remove /var/www/manual )
The manpages for httpd, htpasswd, htdigest, and httpd_selinux.

7.6. Configuring the sendmail Server

sendmail is a robust email server. Like Apache, it has an enormous number of configuration options to handle many different service scenarios, even though many of these scenarios are pretty rare. With a small amount of configuration, sendmail can be configured to handle most mail-serving tasks.

7.6.1. How Do I Do That?

Fedora's default sendmail configuration will: sendmail service at each boot

This configuration may or may not work for you, depending on how you are connected to the Internet.

7.6.1.1. 
Preparing to configure sendmail and activating changes

To configure sendmail easily, install the sendmail-cf package:

# yum install sendmail-cf

Changes to the sendmail configuration are made to the file /etc/mail/sendmail.mc. However, this isn't the sendmail configuration file! Instead, it's a file that is used to generate the sendmail configuration file, /etc/mail/sendmail.cf. To generate a new sendmail.cf file:

# cd /etc/mail
# make

This must be done after each change is made to sendmail.mc. Reload the sendmail server to make your changes take effect:

# service sendmail reload

(You can also use the Restart button in the Services tool.)

7.6.1.2. Configuring sendmail to use a mail relay

Some Internet Service Providers (ISPs) block email traffic to all mail servers except their own. This is intended to block viruses that set themselves up as a mail server, but it also interferes with Fedora's default sendmail configuration, which expects to be able to send email directly to the destination system. To configure sendmail to send your outbound email through your ISP's mail server, find the line in /etc/mail/sendmail.mc that contains the word SMART_HOST:

dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST',`smtp.your.provider')

In this file, dnl means discard to newline, which effectively turns this line into a comment. Uncomment the SMART_HOST line by removing the dnl and then replace smtp.your.provider with the name of your ISP's mail server:

define(`SMART_HOST',`mailserver.yourisp.com')

Note the m4 quoting convention used throughout sendmail.mc: each value opens with a backquote (`) and closes with an apostrophe ('). Getting this wrong produces a sendmail.cf that does not do what you intended, so check the output of make for errors.

7.6.1.3. Configuring sendmail to accept inbound email

Fedora's standard sendmail configuration does not accept email from remote systems, a feature that must be enabled if the system is going to act as an Internet email host. 
To enable remote inbound connections, locate the line in sendmail.mc that contains the loopback address 127.0.0.1:

dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Add dnl to the start of this line to comment it out:

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

sendmail will then accept connections on all network interfaces and deliver mail that is addressed to a user on the local host. For example, if the hostname is bluesky.fedorabook.com, then email addressed to chris@bluesky.fedorabook.com will be delivered to the mailbox of the local user chris, which is /var/spool/mail/chris. Mail for any other destination is refused with "Relaying denied" unless the sending host has been granted relay permission in /etc/mail/access; leave that restriction in place, because an open relay is quickly found and abused by spammers, and check from a host outside your network that your server refuses to relay once port 25 is open. To configure sendmail to accept mail for other destinations, add those destinations to the file /etc/mail/local-host-names:

# local-host-names - include all aliases for your machine here.
fedorabook.com
mailserver.fedorabook.com
global.proximity.on.ca

Remember to enable inbound connections on port 25 (SMTP) in your firewall configuration, and to rebuild sendmail.cf with make and reload sendmail as described above so that the changes take effect.

7.6.1.4. Using aliases

There are many standard email addresses that people expect to be able to use: webmaster to reach the person responsible for the web server and content, abuse to report spam problems, info as a general information contact, and so forth. Mail sent to these standard addresses can be redirected to the mailbox of chosen users through the sendmail alias facility. Aliases are configured in the file /etc/aliases, which looks like this:

#
#  Aliases in this file will NOT be expanded in the header from
#  Mail, but WILL be visible over networks or from /bin/mail.
#
#       >>>>>>>>>>      The program "newaliases" must be run after
#       >> NOTE >>      this file is updated for any changes to
#       >>>>>>>>>>      show through to sendmail.
#

# Basic system aliases -- these MUST be present. 
mailer-daemon:  postmaster
postmaster:     root

# General redirections for pseudo accounts.
bin:            root
daemon:         root
adm:            root
...(Lines snipped)...
info:           postmaster
marketing:      postmaster
sales:          postmaster
support:        postmaster

# trap decode to catch security attacks
decode:         root

# Person who should get root's mail
#root:          marc

You'll notice that all of the standard aliases are redirected to root (directly, or by way of postmaster), but on most systems no one checks the root mailbox, so you should start by defining who is to receive mail addressed to root. Uncomment the last line of this file and replace marc with a valid user ID:

root:           chris

Run the newaliases command after each edit to the /etc/aliases file to ensure that the changes are put into effect immediately:

# newaliases
/etc/aliases: 76 aliases, longest 10 bytes, 765 bytes total

Next, change any aliases that you do not wish to redirect to root, sending the mail to the user of your choice:

info:           sam
marketing:      frida
sales:          angela
support:        henry

Destination mailboxes do not have to be local:

abuse:          hotline@global.proximity.on.ca

And it's possible to specify multiple destinations for an alias, separated by commas:

webmaster:      frank, jason@fedorabook.com

This opens up the possibility of using aliases to create simple mailing lists. For example, all of your sales people could be reached through one address:

sales-team:     angela, sue, mike, olgovie, george
sysadmins:      nancy43252345234@hotmail.com, scott84353534534@gmail.com,
                george

Note that alias destinations can be on multiple lines; a continuation line starts with whitespace. You can create as many aliases as you want, whenever you want. Aliases are handy for creating disposable email addresses. 
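Because aliases chain (info goes to postmaster, postmaster to root, root to chris), it is easy to lose track of where a given address finally lands, and an aliases file can also contain destinations that do more than deliver mail: a destination beginning with | pipes the message to a program, one beginning with / appends it to a file, and :include:/path pulls in a list from another file. The following is an added example for this lab, not code from the book or part of sendmail: it parses the aliases file syntax shown above, expands an address through its chain the way the alias facility does, stops at remote addresses and plain local mailboxes, reports loops, and lists the entries that run programs or write files. The sample file is constructed from the book's excerpt plus two made-up entries (archive and uucp) to exercise the program and file forms.

```python
"""Expand and audit sendmail /etc/aliases entries (added example, not from the book).

Syntax handled: 'name: dest, dest', continuation lines that start with whitespace,
'#' comments. Local parts are treated case-insensitively. Destinations that start
with '|', '/' or ':include:' run a program, write a file or read a list, and are
flagged rather than expanded.
"""
from typing import Dict, List, Set, Tuple

SPECIAL = ("|", "/", ":include:")   # destination forms that do more than deliver to a mailbox


def _split_dests(text: str) -> List[str]:
    """Split 'a, b, "|/usr/bin/prog"' into destinations, dropping empties and quotes."""
    return [d.strip().strip('"') for d in text.split(",") if d.strip()]


def parse_aliases(text: str) -> Dict[str, List[str]]:
    """Parse aliases-file text into {alias: [destinations]}."""
    aliases: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:      # continuation of the previous entry
            aliases[current].extend(_split_dests(raw))
            continue
        name, sep, rest = raw.partition(":")
        if not sep:
            continue                                      # not an alias line
        current = name.strip().lower()
        aliases[current] = _split_dests(rest)
    return aliases


def expand(address: str, aliases: Dict[str, List[str]], _path: Tuple[str, ...] = ()) -> Tuple[Set[str], List[str]]:
    """Return (final destinations, warnings) for mail addressed to `address`."""
    dest = address.lower()
    if dest.startswith(SPECIAL):
        return {dest}, [f"{dest!r} runs a program or writes a file; keep such aliases under root's control"]
    if "@" in dest:                      # remote address: handed to the MTA, not expanded locally
        return {dest}, []
    if dest in _path:
        return set(), ["alias loop: " + " -> ".join(_path + (dest,))]
    if dest not in aliases:              # a local mailbox, /var/spool/mail/<dest>
        return {dest}, []
    final: Set[str] = set()
    warnings: List[str] = []
    for d in aliases[dest]:
        f, w = expand(d, aliases, _path + (dest,))
        final |= f
        warnings += w
    return final, warnings


def dangerous_entries(aliases: Dict[str, List[str]]) -> List[str]:
    """Names of aliases that pipe to a program, write a file or read an :include: list."""
    return [name for name, dests in aliases.items() if any(d.startswith(SPECIAL) for d in dests)]


# Constructed sample: the book's excerpt, with root uncommented and two made-up
# entries (archive, uucp) added to show the file and program destination forms.
SAMPLE_ALIASES = """\
# Basic system aliases -- these MUST be present.
mailer-daemon:  postmaster
postmaster:     root

# General redirections for pseudo accounts.
bin:            root
info:           postmaster
support:        henry

# trap decode to catch security attacks
decode:         root

webmaster:      frank, jason@fedorabook.com
sales-team:     angela, sue,
                mike, george
abuse:          hotline@global.proximity.on.ca
archive:        /var/mail/archive
uucp:           "|/usr/bin/uux - -r"

# Person who should get root's mail
root:           chris
"""

if __name__ == "__main__":
    table = parse_aliases(SAMPLE_ALIASES)
    for name in ("info", "webmaster", "sales-team", "uucp"):
        print(name, "->", *expand(name, table))
    print("entries that run code or write files:", dangerous_entries(table))
```

With the sample table, info, postmaster and mailer-daemon all resolve to chris, webmaster fans out to one local and one remote mailbox, and the two made-up entries are the ones dangerous_entries reports. On a real system, read /etc/aliases into parse_aliases and run expand over every alias name to see where root's mail, and everyone else's, really ends up.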
I create batches of made-up addresses from time to time and use them when I register for a conference or web site, or when I enter a contest: daa: chris dab: chris dac: chris dad: chris dae: chris daf: chris When I use one of these addresses, I record who I gave it to, and if I see spam arriving with that address, then I know who has been abusing my personal information. I can discontinue receiving mail at that address simply by removing the offending alias from the aliases file. This strategy is also effective when publishing email addresses on a web site: simply change the address on the web site periodically, using a different disposable email address each time. If a spammer harvests your email address from the web page, it will be useful to them only for a short time. 7.6.1.5. Configuring virtual users Aliases (and regular user accounts) have one critical limitation: they apply to all of the domains for which sendmail is accepting mail. If you have a server that is accepting mail for fedorabook.com as well as global.proximity.on.ca , and you define an alias or create a user account named chris , then mail to chris@fedorabook.com and mail to chris@global.proximity.on.ca will end up in the same mailbox. To overcome this limitation, use the /etc/mail/ virtusertable file to define where mail to each address should be sent. Each line in this file consists of an address, a space, and the destination. Here is an example: chris@fedorabook.com chris chris@global.proximity.on.ca chris7895378943683897@gmail.com   Note that the syntax for /etc/mail/virtusertable differs from the syntax for /etc/aliases: there are no colons, and only one destination address may appear in each entry. 
virtusertable also permits the redirection of entire domains, by leaving out the username portion of the email address:

joe@fedorabook.com      joseph
frank@fedorabook.com    frank265897e93456738@hotmail.com
@fedorabook.com         chris

The last entry will redirect all mail to the fedorabook.com domain to the local user chris, except for mail addressed to joe@fedorabook.com or frank@fedorabook.com. The order of the lines does not matter: virtusertable is a keyed database, and sendmail looks up the full address first and falls back to the domain-only entry only when no exact match exists.

Like /etc/mail/sendmail.mc, the virtusertable file must be processed before it is used:

# cd /etc/mail
# make

The make step builds the hashed /etc/mail/virtusertable.db that sendmail actually consults (Fedora's sendmail.mc already enables the map with FEATURE(`virtusertable')); it also rebuilds sendmail.cf whenever sendmail.mc has changed, and in that case sendmail must be restarted (service sendmail restart) to read the new configuration.

7.6.1.6. Configuring Masquerading

sendmail includes masquerading capability, which enables outbound mail to be modified so that it looks like it came from another system. This is commonly used to remove hostname information from the email address. To configure bluesky.fedorabook.com so that outbound mail appears to be from user@fedorabook.com instead of user@bluesky.fedorabook.com, locate the MASQUERADE_AS line in /etc/mail/sendmail.mc:

dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl

Uncomment the MASQUERADE_AS line and replace mydomain.com with the domain name you wish to use:

MASQUERADE_AS(`fedorabook.com')dnl

Then rebuild sendmail.cf and restart sendmail (cd /etc/mail; make; service sendmail restart).

7.6.2. How Does It Work?

Fedora's email system, like most others, is divided into three parts:

mail transport agent (MTA)
Transports mail between systems. sendmail is the default MTA.

mail delivery agent (MDA)
Delivers mail to local users, optionally performing filtering or sending vacation replies ("Jane is away from the office until Monday; she will read and reply to your mail when she returns"). Fedora uses procmail in this role.

mail user agent (MUA)
The email client that interacts with the user. A Fedora user can choose from many different MUAs, including Evolution, Thunderbird, SquirrelMail, and the text-based mail command.
Originally written when a wide range of email transportation schemes were in use, sendmail is designed to route mail through and between these different systems, each with its own address format and message queuing system. Because of this heritage, sendmail has a sophisticated and complex configuration system, but many of the configuration options are not used for Internet email servers. sendmail is now used almost exclusively with the Simple Mail Transfer Protocol (SMTP), which is a human-readable transfer protocol that uses TCP/IP connections on port 25. You can use telnet to connect to an SMTP server and manually send mail if you want:

$ telnet concord2.proximity.on.ca smtp
Trying 127.0.0.1...
Connected to concord2.proximity.on.ca (127.0.0.1).
Escape character is '^]'.
220 concord2.proximity.on.ca ESMTP Sendmail 8.13.5/8.13.5; Thu, 2 Mar 2006 13:07:11 -0500
EHLO fedorabook.com
250-concord2.proximity.on.ca Hello concord8.proximity.on.ca [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
MAIL From: chris@fedorabook.com
250 2.1.0 chris@fedorabook.com... Sender ok
RCPT To: chris@concord2.proximity.on.ca
250 2.1.5 chris@concord2.proximity.on.ca... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Subject: Greetings!
Date: Thu, Mar 2006 12:08:11 -0500

Hi there -- just dropping you a quick note via telnet.
Hope your day is going well.
-Chris
.
250 2.0.0 k22I7BTo016133 Message accepted for delivery
QUIT
221 2.0.0 concord2.proximity.on.ca closing connection

Notice the blank line separating the email headers from the message body, just like HTTP transfers; the HTTP message format is derived from the email format. Notice also what this exchange does not do: nothing verified the address given in MAIL From, so the From line of a received message proves nothing by itself, and the server advertises AUTH over an unencrypted session (there is no STARTTLS in the list). Of the two mechanisms it offers, CRAM-MD5 and DIGEST-MD5 are challenge-response mechanisms that never transmit the password itself, but the message content still crosses the network in the clear.
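The EHLO reply is where a client learns whether it can log in safely, so it is worth reading mechanically. The following is an added example, not code from the book or from sendmail: it parses a captured EHLO reply and reports whether STARTTLS and which AUTH mechanisms are offered, flagging the one combination that sends a password in the clear (PLAIN or LOGIN with no STARTTLS). The function names, the constructed replies, and the use of nc for a live check are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the book: audit what an SMTP server advertises in
# its EHLO reply. Reads the reply lines on stdin and reports whether STARTTLS
# is offered and which AUTH mechanisms are, then flags the combination that
# sends a password across the wire in the clear: PLAIN or LOGIN offered with
# no STARTTLS. Against a live server you would feed it the reply from, e.g.
#   printf 'EHLO test\r\nQUIT\r\n' | nc mailhost 25 | smtp_ehlo_audit
# (nc is assumed to be installed; the book's transcript used telnet).

smtp_ehlo_audit() {
    tr -d '\r' | awk '
    /^250[- ]STARTTLS$/ { tls = 1 }
    /^250[- ]AUTH / {
        sub(/^250[- ]AUTH /, ""); auth = 1
        for (i = 1; i <= NF; i++) {
            # PLAIN and LOGIN carry the password itself; CRAM-MD5 and
            # DIGEST-MD5 answer a challenge and never transmit it.
            if ($i == "PLAIN" || $i == "LOGIN") clear = clear " " $i
            else cr = cr " " $i
        }
    }
    END {
        printf "starttls=%s", (tls ? "yes" : "no")
        if (!auth) printf " auth=none"
        if (cr != "") printf " challenge-response=%s", substr(cr, 2)
        if (clear != "") printf " cleartext=%s", substr(clear, 2)
        # "ok" with STARTTLS present still assumes the client negotiates TLS
        # before authenticating; a client that skips it leaks the password.
        printf " verdict=%s\n", ((clear != "" && !tls) ? "password-in-clear" : "ok")
    }'
}

# Constructed EHLO replies. The first mirrors the sendmail reply shown above.
ehlo_book()  { printf '250-concord2.proximity.on.ca Hello [127.0.0.1], pleased to meet you\r\n250-PIPELINING\r\n250-AUTH DIGEST-MD5 CRAM-MD5\r\n250 HELP\r\n'; }
ehlo_tls()   { printf '250-mail.example.com\r\n250-STARTTLS\r\n250-AUTH LOGIN PLAIN\r\n250 HELP\r\n'; }
ehlo_leaky() { printf '250-mail.example.com\r\n250 AUTH LOGIN PLAIN\r\n'; }

ehlo_book  | smtp_ehlo_audit   # starttls=no challenge-response=DIGEST-MD5 CRAM-MD5 verdict=ok
ehlo_leaky | smtp_ehlo_audit   # starttls=no cleartext=LOGIN PLAIN verdict=password-in-clear
```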
You can also send mail by sending it to the standard input of a sendmail process:

$ /usr/bin/sendmail chris@concord2.proximity.on.ca
Subject: Test II

Did you remember to renew the domain registration?
If not, please take care of this before next Tuesday.
[Ctrl-D]

Outbound mail is queued in /var/spool/mqueue/. Inbound mail is delivered via procmail to users' mailboxes in /var/spool/mail/. The mailboxes are simply text files containing all of the messages concatenated end to end; this format is sometimes called mbox format.

The /etc/mail/sendmail.mc file used for configuration is an m4 macro file. It is interpreted by the m4 command using files in /usr/share/sendmail-cf/m4/ to build /etc/mail/sendmail.cf. While it is possible to construct the sendmail.cf file by hand, it's typically eight times as long as the sendmail.mc file and uses a very cryptic structure. Here's a snippet:

R< > $+             $: < > < $1 <> $&h >   nope, restore +detail
R< > < $+ <> + $* > $: < > < $1 + $2 >     check whether +detail
R< > < $+ <> $* >   $: < > < $1 >          else discard
R< > < $+ + $* > $*    < > < $1 > + $2 $3  find the user part
R< > < $+ > + $*    $#local $@ $2 $: @ $1  strip the extra +
R< > < $+ >         $@ $1                  no +detail
R$+                 $: $1 <> $&h           add +detail back in

Most system administrators would much rather deal with sendmail.mc than sendmail.cf.

7.6.3. What About...

7.6.3.1. ...using an alternate MTA?

Postfix is an alternate MTA shipped as part of Fedora. For most users, sendmail will work well, but if you are familiar with Postfix configuration you may want to use it instead. You can easily switch between sendmail and Postfix using the alternatives command:

# alternatives --config mta

There are 2 programs which provide 'mta'.
  Selection    Command
-----------------------------------------------
*+ 1           /usr/sbin/sendmail.sendmail
   2           /usr/sbin/sendmail.postfix

Enter to keep the current selection[+], or type selection number: 2

Switching the alternative changes which program the sendmail, mailq, and newaliases commands run; it does not stop or start daemons, so also stop the old service and start the new one (service sendmail stop; service postfix start) and use chkconfig to make that stick across reboots.

You can also switch graphically, using the system-switch-mail command (also available through the System menu). The window shown in Figure 7-20 will be displayed; select the MTA you wish to use and click OK.

Figure 7-20. The Mail Transport Agent Switcher tool.

7.6.3.2. ...fetching mail from a remote mailbox?

If you're using Fedora at a location that does not have a permanent Internet connection with a static IP address, incoming email cannot be delivered directly to sendmail. Instead, you'll have to arrange for the email to be delivered to mailboxes on another system and then pick up the mail from that system. Many MUAs such as Evolution will directly access remote mailboxes, but sometimes you want to have that mail flow through the local mail system so that alias handling and procmail processing take place. Fetchmail can retrieve mail from a remote mailbox and feed it to sendmail on the local system.

To configure Fetchmail, create the file ~/.fetchmailrc using a text editor. Here is a simple configuration:

# Check for email at five-minute (300-second) intervals
set daemon 300
# Poll the system fedorabook.com using the POP3 protocol
poll fedorabook.com with protocol POP3:
    # Describe how the usernames on this machine relate
    # to the usernames on fedorabook.com
    user chris here is chris.tyler there, password "FedoraRules!"
    user diane here is diane.tyler there, password "BiggestSecret";

This will fetch the mail for two users from one server using the Post Office Protocol, Version 3 (POP3). Because the file holds passwords, fetchmail insists that it be readable only by its owner (chmod 600 ~/.fetchmailrc) and refuses to run otherwise. Plain POP3 also sends those passwords across the network in the clear; if the remote server supports it, add the ssl keyword to the poll line so that the session is encrypted. Fetchmail can retrieve mail using many different protocols and has an uncommonly readable configuration syntax; consult its extensive manpage for the gritty details.
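Two things go wrong with .fetchmailrc files in practice: the file is left world-readable, and the poll line silently uses cleartext POP3. The check below is an added example, not part of the book or of fetchmail: it reports the file's mode and, for each poll stanza, whether a password would cross the network without the ssl keyword. The function name and the sample file (the two-user configuration above plus an SSL-polled IMAP server) are this example's own.

```shell
#!/bin/sh
# Added example, not from the book: sanity-check a .fetchmailrc before running
# fetchmail. Reports the file mode (fetchmail refuses to run a file that other
# users can read) and, for every poll stanza, whether the password will cross
# the network in the clear because no "ssl" keyword is present.
# Usage: fetchmailrc_check FILE

fetchmailrc_check() {
    f=$1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU, then BSD stat
    case $mode in
        400|600|700) echo "mode $mode ok" ;;
        *)           echo "mode $mode too open: chmod 600 $f" ;;
    esac
    awk '
    function report(s,    w) {
        sub(/^[ \t]+/, "", s)
        if (s !~ /^poll[ \t]/) return            # "set", "defaults", "skip" stanzas
        split(s, w, "[ \t]+")                    # w[2] is the host name
        if (s ~ /[ \t]ssl([ \t:;]|$)/)         print "poll " w[2] ": ssl"
        else if (s ~ /[ \t]password[ \t]/)     print "poll " w[2] ": cleartext password"
        else                                   print "poll " w[2] ": no ssl"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    # A new stanza begins at one of these keywords; other lines continue the current one.
    /^[ \t]*(poll|skip|set|defaults)[ \t]/ { if (stanza != "") report(stanza); stanza = "" }
    { stanza = stanza " " $0 }
    END { if (stanza != "") report(stanza) }
    ' "$f"
}

# Constructed sample: the two-user POP3 configuration from above, plus an
# IMAP server polled over SSL.
RC=$(mktemp)
cat > "$RC" <<'EOF'
# Check for email at five-minute (300-second) intervals
set daemon 300
# Poll the system fedorabook.com using the POP3 protocol
poll fedorabook.com with protocol POP3:
    user chris here is chris.tyler there, password "FedoraRules!"
    user diane here is diane.tyler there, password "BiggestSecret";
poll imap.example.com with protocol IMAP ssl:
    user chris here is chris there, password "AnotherSecret";
EOF
chmod 644 "$RC"        # deliberately too permissive, to show the warning

fetchmailrc_check "$RC"
# mode 644 too open: chmod 600 /tmp/...
# poll fedorabook.com: cleartext password
# poll imap.example.com: ssl
```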
Once you have set up the ~/.fetchmailrc file, execute the fetchmail command:

$ fetchmail

It will run in the background until you stop it by running fetchmail with the -q option:

$ fetchmail -q
fetchmail: background fetchmail at 8025 killed.

To make fetchmail run automatically whenever you log in, place it in your ~/.bash_profile.

7.6.4. Where Can I Learn More?

The manpages for sendmail, procmail, procmailrc, fetchmail, procmailex, and postfix (check the See Also section for a long list of other manpages related to postfix)
The /usr/share/doc/sendmail*, /usr/share/doc/fetchmail*, /usr/share/doc/procmail*, and /usr/share/doc/postfix* directories
sendmail web site: http://www.sendmail.org
fetchmail web site: http://www.catb.org/~esr/fetchmail
procmail web site: http://www.procmail.org
postfix web site: http://www.postfix.org

7.7. Configuring IMAP and POP3 Email

Having mail delivered to the system mailboxes in /var/spool/mail is fine, as long as the users are using an MUA running on the Fedora system. If a user is running his MUA on another system (Evolution on another Fedora system in the local network, or perhaps Outlook on a Windows machine), then the user needs IMAP or POP3 access to the remote mailbox.

7.7.1. How Do I Do That?

Fedora's Dovecot server provides IMAP and POP3 access. When freshly installed, Dovecot will not successfully start: Dovecot requires security certificates to enable encrypted communications. There are three solutions to this problem:

Buy a certificate
A certificate is signed by a certificate authority (CA), who, theoretically, is trusted by both the client and server. The CA certifies that the parties to whom certificates are issued are who they say they are, therefore eliminating the possibility of a malicious party between the client and the server masquerading as the server. Buying a certificate is not covered in this lab.
Create your own certificate
Because there is no way to verify the authenticity of the certificate (whether unsigned or self-signed) with a third party, most client programs will present a warning dialog every time a certificate of this type is encountered. However, the connection will still be encrypted. A self-signed certificate protects against passive eavesdropping, but not against an active attacker who presents a certificate of his own, unless the client has been configured to accept only yours.

Disable encryption
In all cases, whether encryption is disabled or not, Dovecot will accept unencrypted connections. Whether it will also accept a password on an unencrypted connection from another host is controlled separately by the disable_plaintext_auth setting in /etc/dovecot.conf (on by default, which permits plaintext logins only over SSL/TLS or from the local machine), so if you disable SSL and expect remote clients to log in you must also set disable_plaintext_auth = no, accepting that their passwords then cross the network in the clear. If you are in a secure environment (for example, where the only client connecting to the Dovecot server is SquirrelMail on the local machine, or connections are made over a reasonably secure LAN such as a wired home network), you may decide to forgo encryption altogether.

7.7.1.1. Creating your own certificate

First, edit the file /etc/pki/dovecot/dovecot-openssl.cnf and find the CN= and emailAddress= lines:

[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
#C=FI

# State or Province Name (full name)
#ST=

# Locality Name (eg. city)
#L=Helsinki

# Organization (eg. company)
#O=Dovecot

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
CN=imap.example.com

# E-mail contact
emailAddress=postmaster@example.com

[ cert_type ]
nsCertType = server

Edit these two lines to contain the hostname of the system and the mail administrator's email address. The CN must match the name clients use to connect, or they will warn about the certificate even after accepting it once:

# Common Name (*.example.com is also possible)
CN=bluesky.fedorabook.com

# E-mail contact
emailAddress=postmaster@fedorabook.com

Then generate the certificates:

# SSLDIR=/etc/pki/dovecot /usr/share/doc/dovecot-1.0/examples/mkcert.sh

7.7.1.2. Disabling Encryption

To disable encryption, edit /etc/dovecot.conf and locate the ssl_disable line:

# Disable SSL/TLS support.
#ssl_disable = no

Uncomment this line and change the value to yes:

# Disable SSL/TLS support.
ssl_disable = yes

7.7.1.3.
Starting Dovecot

Start the dovecot service using the Services tool or from the command line:

# service dovecot start

If you are going to use IMAP or POP3 remotely, you will need to open some ports in your firewall. For IMAP, open ports for the IMAP and IMAPS services (TCP ports 143 and 993); for POP3, open the POP3 and POP3S ports (TCP ports 110 and 995). If you have set up a certificate and want to be sure that no remote client connects unencrypted, open only the IMAPS and POP3S ports. On the other hand, if you will be using the IMAP and POP3 services only with local applications such as SquirrelMail or local MUAs such as Evolution, you should close the IMAP and POP3 ports on your firewall.

7.7.2. How Does It Work?

Dovecot enables MUAs to access mailboxes over a network connection using the POP3 or IMAP protocols. POP3 is primarily used to fetch mail from a mailbox so that it can be used elsewhere; IMAP is used to manipulate email messages and folders while leaving them on the server. Like SMTP, POP3 is a human-readable protocol, and you can use telnet to manually conduct a POP3 session to see how it works:

$ telnet bluesky.fedorabook.com pop3
Trying 172.16.97.102...
Connected to 172.16.97.102 (172.16.97.102).
Escape character is '^]'.
+OK Dovecot ready.
USER chris
+OK
PASS bigsecret
+OK Logged in.
LIST
+OK 2 messages:
1 615
2 609
.
RETR 1
+OK 616 octets
Return-Path:
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
        by localhost.localdomain (8.13.5/8.13.5) with ESMTP id k232Hf26026693
        for ; Thu, 2 Mar 2006 21:17:41 -0500
Received: (from root@localhost)
        by localhost.localdomain (8.13.5/8.13.5/Submit) id k232HfOb026692
        for chris; Thu, 2 Mar 2006 21:17:41 -0500
Date: Thu, 2 Mar 2006 21:17:41 -0500
From: Jason Smith
Message-Id: <200603030217.k232HfOb026692@localhost.localdomain>
To: chris@localhost.localdomain
Subject: Book Cover

Nice!
.
QUIT
+OK Logging out.

Note that the USER and PASS commands carry the account's system password in the clear; on an unencrypted connection anyone who can observe the traffic can read it, which is why the certificate setup above matters for remote access. IMAP is also human-readable, but a bit more complex. In its default configuration, Dovecot uses the input mailboxes in /var/spool/mail as the IMAP INBOX folder and the POP3 data source.
This ensures that other applications (such as a local MUA like Evolution) can be used to access the same messages.

7.7.3. What About...

7.7.3.1. ...IMAP folders other than the INBOX?

Dovecot creates these in the user's home directory.

7.7.4. Where Can I Learn More?

/usr/share/doc/dovecot*
openssl, the library that handles encryption for dovecot

7.8. Configuring Webmail

When you're on the move, it's nice to have consistent access to your email. If you set up SquirrelMail, you'll be able to access your email from any web browser.

7.8.1. How Do I Do That?

Before you set up SquirrelMail, you'll need a working Apache configuration and the Dovecot IMAP server. If you're using SELinux, you must permit web scripts to create network connections. Use the graphical SELinux configuration tool or enter this command:

# setsebool -P httpd_can_network_connect 1

If Apache was running before you installed SquirrelMail, you'll need to restart or reload it so that it notices the SquirrelMail alias directive (on Fedora the service is named httpd):

# service httpd reload

Unless you have other computers on your local network that need to access IMAP, you can restrict remote access to the IMAP server using Fedora's firewall facilities; SquirrelMail talks to Dovecot on the local machine, so the IMAP ports need not be open to the outside for webmail to work.

You can now use SquirrelMail by accessing https://hostname/webmail (replacing hostname with your server's name). The web page shown in Figure 7-21 should appear. If you are using the default Apache SSL certificate (which is generated automatically by default), you will get a warning from your browser when you first connect using https. You can instead access http://hostname/webmail to avoid that warning message, but your passwords and email may be read if someone intercepts your network communication.

Figure 7-21. SquirrelMail login page

Once you enter your user ID and password, the main inbox display will appear, as shown in Figure 7-22.

Figure 7-22. SquirrelMail inbox page

7.8.2. How Does It Work?

SquirrelMail is a set of PHP scripts that reside in the directory /usr/share/squirrelmail.
The file /etc/httpd/conf.d/squirrelmail.conf contains an Alias directive, which maps that directory to http://hostname/webmail. When a user attempts to log in, the PHP scripts contact the local Dovecot IMAP server and try to log in with the same user ID and password. Because the authentication information is passed directly to the IMAP server, SquirrelMail doesn't need an authentication mechanism of its own. Once connected to the IMAP server, SquirrelMail accesses your mailbox contents, reformats the messages into web pages, and passes them back to Apache for delivery to the browser.

SquirrelMail also installs a daily cron job through the file /etc/cron.daily/squirrelmail.cron; this cron job cleans up any temporary files that have been left lying around for more than 10 days.

7.8.3. What About...

7.8.3.1. ...changing the SquirrelMail configuration?

You can change individual user preferences using the Options link within the SquirrelMail web interface. Global SquirrelMail configuration is performed by running the script /usr/share/squirrelmail/config/conf.pl. You will be greeted with a menu:

# /usr/share/squirrelmail/config/conf.pl
SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Main Menu --
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  Themes
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Languages

D.  Set pre-defined settings for specific IMAP servers

C   Turn color off
S   Save data
Q   Quit

Command >>

Type the number or letter of the option you wish to configure; then press Enter and follow the instructions on the screen. For example, to change the default theme:

Command >> 5

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Themes
1.  Change Themes
      Default               Plain Blue
      Sand Storm            Deep Ocean
...(Lines snipped)...
      Random (Changes every login)  Midnight
      Penguin
2.
CSS File :

R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit

Command >> 1

Define the themes that you wish to use.  If you have added
a theme of your own, just follow the instructions (?) about
how to add them.  You can also change the default theme.
[theme] command (?=help) > ?
.-------------------------.
| t (detect themes)       |
| + (add theme)           |
| - N (remove theme)      |
| m N (mark default)      |
| l (list themes)         |
| d (done)                |
`-------------------------'
[theme] command (?=help) > l
* 0. Default (../themes/default_theme.php)
  1. Plain Blue (../themes/plain_blue_theme.php)
  2. Sand Storm (../themes/sandstorm_theme.php)
  3. Deep Ocean (../themes/deepocean_theme.php)
  4. Slashdot (../themes/slashdot_theme.php)
...(Lines snipped)...
 31. Midnight (../themes/midnight.php)
 32. Alien Glow (../themes/alien_glow.php)
 33. Dark Green (../themes/dark_green.php)
 34. Penguin (../themes/penguin.php)
[theme] command (?=help) > m 32
[theme] command (?=help) > d

SquirrelMail Configuration : Read: config.php (1.4.0)
---------------------------------------------------------
Themes
1.  Change Themes
      Default               Plain Blue
      Sand Storm            Deep Ocean
...(Lines snipped)...
      Random (Changes every login)  Midnight
      Alien Glow            Dark Green
      Penguin
2.  CSS File :

R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit

Command >> s

Data saved in config.php
Press enter to continue... [Enter]

Command >> q

Exiting conf.pl.
You might want to test your configuration by browsing to
http://your-squirrelmail-location/src/configtest.php
Happy SquirrelMailing!

7.8.3.2. ...browsers that don't support JavaScript or ECMAScript?

SquirrelMail has been designed to work regardless of whether JavaScript is enabled.

7.8.4. Where Can I Learn More?

/usr/share/doc/squirrelmail*

7.9.
Creating Databases and Accounts on a MySQL Server

MySQL is an open source database system that has become very popular due to its high performance, lightweight design, and open source license. Many software packages, including web applications such as the Serendipity blog software (http://www.s9y.org/), use MySQL to store data. In order to use these programs, you will need to create a MySQL database and access account.

7.9.1. How Do I Do That?

First, you'll need to select names for your database and access account; for this example, let's use chrisblog for the database name and chris for the access account. Both names should start with a letter, contain no spaces, and be composed from characters that can be used in filenames. To create the database and account, use the mysql monitor program:

# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.0.18

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database chrisblog;
Query OK, 1 row affected (0.01 sec)

mysql> grant all privileges on chrisblog.* to 'chris'@'localhost' identified by 'SecretPassword';
Query OK, 0 rows affected (0.00 sec)

mysql> quit
Bye

Make sure that the mysqld service is running! You can then enter the database, access account, and password information into the configuration of whatever software will use MySQL.

MySQL recommends that you add a password to root's access of the MySQL server. A default installation creates two root accounts, root@localhost and root@hostname, which is why the password is set twice in these commands (\ indicates that text continues on the following line):

# /usr/bin/mysqladmin -u root password 'Secret'
# /usr/bin/mysqladmin -u root -h $(hostname) \
        password 'Secret'

Secret is the root password that you wish to use. Be aware that a password given on the command line this way is visible to every user in the process list while the command runs and is recorded in root's shell history; setting it from inside the mysql monitor with SET PASSWORD FOR 'root'@'localhost' = PASSWORD('Secret'); avoids both. A default installation also creates anonymous accounts with no password; list them with SELECT User, Host FROM mysql.user; and remove any with an empty User (DROP USER ''@'localhost'; and likewise for your hostname). After you enable the root password, you'll need to use the -p option to mysql so that you are prompted for the password each time:

# mysql -p

For example, to install Serendipity:

1.
Download the Serendipity software from http://www.s9y.com and place it in the /tmp directory.

2. Unpack the Serendipity software in the /var/www/html directory:

# cd /var/www/html
# tar xvzf /tmp/serendipity*.tar.gz

3. Access that directory through a web browser at http://hostname/serendipity. You will see the initial verification page shown in Figure 7-23.

Figure 7-23. Serendipity Installation verification page

4. If there are any permission errors, correct them using the instructions on the page and then click the Recheck Installation link at the bottom of the page. Once the check is successful, click on the Simple Installation link.

5. As shown in Figure 7-24, enter the database, hostname, access account (database user), and password that you created in the MySQL database. Fill in the other fields, such as the blog title and the username and password you wish to use to administer the blog, using values of your choosing. Click on the Complete Installation link at the bottom of the page.

6. Figure 7-25 shows the confirmation page that appears. Click on the link labeled "Visit your new blog here" to see your initial blog page, shown in Figure 7-26.

Figure 7-24. Serendipity Installation page

Figure 7-25. Serendipity Installation confirmation page

Figure 7-26. Serendipity blog front page

7.9.2. How Does It Work?

MySQL is a Structured Query Language (SQL) database server. It provides rapid access to large sets of structured data, such as customer lists, sports scores, student marks, product catalogs, blog comments, or event schedules. The MySQL database runs as a server daemon named mysqld, and many different types of software can connect to the server to access data. Connections to the database server are made through the Unix-domain socket /var/lib/mysql/mysql.sock (local connections) or on TCP port 3306 (remote connections).
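The account created in 7.9.1 is granted to 'chris'@'localhost', so it can only arrive over the local socket, which fits a server whose port 3306 is closed. The script below is an added example, not part of the book or of MySQL: it generates those CREATE DATABASE and GRANT statements so they can be piped into mysql -p on standard input, keeping the password out of the command line and shell history, and it enforces the naming rule given above. The function names, the escaping helper, and the sample values are this example's own.

```shell
#!/bin/sh
# Added example, not from the book: generate the CREATE DATABASE and GRANT
# statements from the lab so they can be piped into "mysql -p" on standard
# input rather than typed with the password on a command line, where ps and
# the shell history would record it. Names are checked against the rule
# given above (a letter first, then letters, digits or underscores), and the
# password is escaped for use inside a single-quoted SQL literal. The
# function names and the sample values are this example's own.
#   mysql_grant_sql DB USER PASSWORD [HOST]   (HOST defaults to localhost)
#   mysql_grant_sql chrisblog chris 'SecretPassword' | mysql -p

sql_escape() {
    # Double every backslash and backslash-escape every single quote.
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

valid_name() {
    case $1 in
        [A-Za-z]*) ;;                      # must start with a letter
        *) return 1 ;;
    esac
    case $1 in
        *[!A-Za-z0-9_]*) return 1 ;;       # anything else is rejected
    esac
    return 0
}

mysql_grant_sql() {
    db=$1; user=$2; pass=$3; host=${4:-localhost}
    valid_name "$db"   || { echo "bad database name: $db" >&2; return 1; }
    valid_name "$user" || { echo "bad user name: $user" >&2; return 1; }
    # Granting to 'user'@'localhost' limits the account to connections made
    # through the local socket, which matches a server with port 3306 closed.
    printf 'CREATE DATABASE `%s`;\n' "$db"
    printf "GRANT ALL PRIVILEGES ON \`%s\`.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" \
        "$db" "$user" "$host" "$(sql_escape "$pass")"
}

mysql_grant_sql chrisblog chris 'SecretPassword'
```

The name check matters because the identifiers are interpolated into the statement text; a name such as chris;DROP is refused rather than quoted, which keeps the generated SQL to exactly the two statements shown in the lab.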
If the MySQL server is running on the same machine as your application, you should leave port 3306 closed in your firewall configuration, but you must open it if you separate the MySQL server and the application onto different machines (which you might do for performance reasons if you're using the database heavily). When everything is local you can go one step further and tell mysqld not to listen on TCP at all, by adding skip-networking under [mysqld] in /etc/my.cnf, or restrict it to the loopback address with bind-address=127.0.0.1; local applications use the socket either way.

The mysql monitor command is a very simple command-line interface to the MySQL server. It permits you to enter commands to the server and to see the results of those commands on your screen. MySQL data is stored in /var/lib/mysql; each database is stored in a separate subdirectory.

7.9.3. What About...

7.9.3.1. ...creating my own scripts and programs that access MySQL data?

Most scripting and programming languages have modules to access MySQL data. For example, in Perl you can use the database driver (DBD) module DBD::mysql through the database interface (DBI) abstraction layer. For details on writing software that accesses a MySQL database, see Chapter 22 in the MySQL documentation (http://dev.mysql.com/doc/refman/5.0/en/apis.html).

7.9.4. Where Can I Learn More?

The manpages for mysqld, mysql, mysqladmin, mysqldump, and mysqlshow
perldoc DBI

7.10. Installing and Configuring a Wiki

A Wiki is a series of web pages that can be easily edited using only a web browser, a simple and convenient way of producing a collaborative web site. Perhaps the most impressive examples of Wikis are those operated by the Wikimedia Foundation (http://wikimedia.org), including Wikipedia, the Wiktionary, and WikiBooks. Fedora Extras includes the Wiki software used by the Wikimedia Foundation, named MediaWiki. Once installed, it can be configured and ready for use in a few minutes.

7.10.1. How Do I Do That?

MediaWiki requires a MySQL server.
yum won't automatically install a MySQL server when you install MediaWiki because MySQL isn't truly a dependency: the database server doesn't have to be on the same computer, but for a small installation, that makes the most sense.

To configure MediaWiki, start your web server (if it's not already running) and then, using a browser on the same computer as the MediaWiki software, go to http://localhost/mediawiki/. You will see an introduction page like that in Figure 7-27, informing you that the software must be configured before use.

Figure 7-27. MediaWiki before initial configuration

To configure the software, click on the link provided. The page shown in Figure 7-28 will appear.

Figure 7-28. MediaWiki configuration page

This page presents the results of some initial configuration tests, followed by a form that you must fill in with configuration information. The fields on this form are:

Site name
Input an opaque string (no spaces and no punctuation marks) of letters and numbers for the name of your Wiki.

Contact email
Enter an email address that can be used to contact the Wiki administrator. It is probably best to use an email alias here.

Language
The language for the Wiki prompts and messages (the content can be in any language, regardless of the value you choose here).

Copyright/license metadata
The license that will be used to tag the Wiki contents. You can choose not to tag your pages with license information, or you can use one of two types of open content licenses: GNU Free Documentation License (GNU FDL) or a Creative Commons license. If you are not sure what to use, select "no license metadata."

Sysop account name and password
Enter the username of the system operator (sysop) or Wiki administrator. This user does not have to have a Fedora login account. The password must be entered twice to verify that it is typed correctly.

Shared memory
Use a memory cache system for performance acceleration. This is not necessary for small installations.
E-mail (general)
Enable all email operations. In almost all cases, this should be left on.

User-to-user e-mail
Enable users to send mail to each other; whether this makes sense depends on the intended use of your Wiki.

E-mail notification
Select the events that trigger an automatic notification email. Use the middle setting for most small-to-medium Wikis.

E-mail address authentication
If enabled, this feature sends a token to the email address of newly registered users to verify that the email address is valid. This presents a minor inconvenience to your users, but prevents email from being sent to invalid addresses and, more importantly, prevents a user from entering someone else's email address.

MySQL server
Leave this set to localhost if the MySQL server is on the same computer as the MediaWiki software.

Database name, DB username, and DB password
The name of the MySQL database, and the username and password for the MySQL access account, respectively. Leave the default values for the Database name and the DB username, and make up a new password (twice) for the DB password.

Database table prefix
If you are running more than one instance of MediaWiki, set this to a unique value for each instance. Otherwise, leave this field blank.

Database charset
Leave this value set to "Backwards-compatible UTF-8."

Super user and Password
The MySQL database and access account for the Wiki can be created by hand, or you can enter the user ID and MySQL password for the database administrator here, and MediaWiki will create the database and access account automatically. This is the MySQL administrator account (root) and the MySQL password for that account; do not enter the Fedora root password!

Once you have entered this information, click the Install button at the bottom of the page. You will see a confirmation page.
At this point, copy the configuration file from the config directory to the main mediawiki directory:

# cp -v /var/www/mediawiki/config/LocalSettings.php /var/www/mediawiki
`/var/www/mediawiki/config/LocalSettings.php' -> `/var/www/mediawiki/LocalSettings.php'

LocalSettings.php contains the database password, so make it readable only by root and the web server (chown root:apache /var/www/mediawiki/LocalSettings.php; chmod 640 /var/www/mediawiki/LocalSettings.php), and remove the installer's copy and the config directory itself (rm -r /var/www/mediawiki/config), since anyone who can reach the installer again could reconfigure the Wiki.

You can now click the link at the bottom of the confirmation page or go to http://hostname/mediawiki/ to view the front page of the Wiki.

The only other customization that is necessary is to install a new logo image. The image should be 155 pixels wide and 135 pixels tall and in .gif, .png, or .jpg format. Edit /var/www/mediawiki/LocalSettings.php and find the line that reads:

$wgLogo = "$wgStylePath/common/images/wiki.png";

Change the path on the righthand side of the equal sign to the path of your image location, relative to the Apache Document Root. For example, if your image is in /var/www/mediawiki/images/draft-cover.png, edit this line to read:

$wgLogo = "/mediawiki/images/draft-cover.png";

You can then edit the front page of your Wiki by clicking on the "edit" link at the top of the page; changes are made using the same Wikitext format used on Wikipedia. Figure 7-29 shows a fully configured MediaWiki installation.

Figure 7-29. Configured MediaWiki front page

7.10.2. How Does It Work?

MediaWiki is written as a collection of PHP scripts, with some Perl scripts for maintenance functions. The Fedora Extras MediaWiki package installs these files in /var/www/mediawiki, which is within the default Apache Document Root. The file /etc/httpd/conf.d/mediawiki.conf limits access to the mediawiki subdirectories, ensuring that only a browser on the same machine as the server can access the configuration page and making several other directories inaccessible through the Web. All of the Wiki content is stored in the MySQL database for fast, index-based access.
Users indicate how they want text to appear by using Wikitext markings; most of these are converted to HTML when the page is displayed, but some (such as --~~~, which is converted to the user's name) are translated when the page is saved.

7.10.3. What About...

7.10.3.1. ...changing the appearance of the Wiki?

You can alter the appearance of the Wiki by editing the value of $wgDefaultSkin in /var/www/mediawiki/LocalSettings.php. This variable must be set to the name of one of the skin files in /var/www/mediawiki/skins/; for example, to use the simple skin, place this line in the LocalSettings.php file:

$wgDefaultSkin="simple";

Additional skins are available from the Wikimedia "Gallery of user styles" (http://meta.wikimedia.org/wiki/Gallery_of_user_styles).

7.10.3.2. ...using a logo that isn't rectangular?

Use a graphics tool such as the GIMP to create an image with transparency, so that the page background shows through the portions of the 155x135 logo rectangle that are not occupied by your logo image. For example, if you had an oval image, the space between the outer edge of the logo and the edge of the logo rectangle would be transparent. Save your image in PNG format.

7.10.3.3. ...moving or deleting a page, or protecting a page against edits?

All of these operations can be performed by the sysop user. Go to the main page of the Wiki and log in using the sysop username and password created during the initial configuration of the Wiki, and you will see additional tabs on the top of each page for protecting, deleting, and moving.

7.10.4. Where Can I Learn More?

/usr/share/doc/mediawiki*/docs

7.11. Configuring an FTP Server

File Transfer Protocol (FTP) is a long-established Internet protocol for downloading files. In Fedora, you can use the Very Secure FTP Daemon, vsftpd, to serve data via FTP.

7.11.1. How Do I Do That?
To serve content via FTP, just install the vsftpd package and place the content that you wish to make publicly available in the /var/ftp directory.

If you are using a firewall, you will need to open the FTP control port (21) in the firewall; selecting FTP in the firewall configuration tool does this. Data connections use additional, dynamically chosen ports, which the kernel's FTP connection-tracking module (ip_conntrack_ftp, loaded through IPTABLES_MODULES in /etc/sysconfig/iptables-config) lets through by watching the control channel.

To view the contents of /var/ftp with a browser, go to ftp://hostname/. To access files in a home directory, use the URL ftp://user@hostname/ (the browser will ask for your password) or ftp://user:password@hostname/. Remember that the password in either form travels over the network in plain text.

To access the contents of /var/ftp using a command-line FTP client program, log in as anonymous and use your email address as your password:

$ ftp
ftp> open ftp.fedorabook.com
Connected to 172.16.97.100.
220 (vsFTPd 2.0.4)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (ftp.fedorabook.com:chris): anonymous
Password: chris@fedorabook.com
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (172,16,97,100,237,192)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Mar 09 16:41 fedora-core-5
drwxr-xr-x    2 0        0            4096 Mar 09 16:41 fedora-core-6
drwxr-xr-x    2 0        0            4096 Mar 09 16:41 fedora-linux
drwxr-xr-x    2 0        0            4096 Mar 09 16:42 images
drwxr-xr-x    2 0        0            4096 Mar 09 04:46 pub
drwxr-xr-x    2 0        0            4096 Mar 09 16:41 rawhide
226 Directory send OK.
ftp> cd images
250-This directory contains images for the book "Fedora Linux".
250-
250 Directory successfully changed.
ftp> ls *http*
227 Entering Passive Mode (172,16,97,100,240,225)
150 Here comes the directory listing.
-rw-r--r--    1 0        0           49931 Mar 09 16:44 fen-chapter07-system-config-httpd-tab2.png
-rw-r--r--    1 0        0           27119 Mar 09 16:44 fen-chapter07-system-config-httpd.png
226 Directory send OK.
ftp> get fen-chapter07-system-config-httpd-tab2.png
local: fen-chapter07-system-config-httpd-tab2.png remote: fen-chapter07-system-config-httpd-tab2.png
227 Entering Passive Mode (172,16,97,100,214,160)
150 Opening BINARY mode data connection for fen-chapter07-system-config-httpd-tab2.png (49931 bytes).
226 File send OK.
49931 bytes received in 0.017 seconds (2.9e+03 Kbytes/s)
ftp> quit
221 Goodbye.

To access a home directory using an FTP client, enter the user ID and password of the Fedora account.

vsftpd is configured using the files in /etc/vsftpd. The main configuration file is /etc/vsftpd/vsftpd.conf; as shipped, it permits all local users (except for system users such as root, bin, and so forth) to have read/write access to their home directories, and all anonymous users to have read-only access to /var/ftp. These are the most commonly changed configuration entries, along with their default values (as set in the Fedora default configuration file or in the program's internal defaults). Note that vsftpd does not allow whitespace around the = sign and refuses to start if it finds any.

anonymous_enable=YES
Enables anonymous login. Change the value to NO to disable access to /var/ftp.

write_enable=YES
Permits file uploads. This is the master switch; the other write-related options below have no effect unless it is YES.

anon_upload_enable=NO and anon_mkdir_write_enable=NO
Permit anonymous users to upload files and to create directories, respectively. write_enable=YES must also be present, and at least one directory in /var/ftp must be writable by the ftp user, for this to work. Leave these at NO unless you intend to run a public drop box; an anonymously writable FTP area is found and abused quickly.

dirmessage_enable=NO and message_file=.message
Enables the display of descriptive messages when a user enters a directory; this is usually used to explain the directory contents, usage instructions, contact information, or copyright and licensing details. There is an example of this in the character-mode transfer shown earlier (the 250- lines after the cd images command). The text of the message is normally contained in the file .message within the directory, but the filename may be set to any value you choose.
Some client programs will display these messages to the remote user, and some, such as the Firefox web browser, will not.

banner_file=filename
Configures a file that contains a banner message that will be sent to clients when they connect to the server.

ascii_upload_enable=NO and ascii_download_enable=NO
FTP has the ability to automatically change end-of-line characters in ASCII mode to compensate for differences between Linux/Unix, Windows, and Macintosh computers. The author of vsftpd, Chris Evans, considers this to be a bug in the protocol rather than a feature, and it is true that ASCII mode has mangled many, many binary files. If you want to use ASCII mode, enable these options.

ls_recurse_enable=NO
Controls the use of recursive directory listings. Some very nice clients, such as ncftp, assume that this is enabled. Leave it off on a large anonymous server: a recursive listing of a big tree is an easy way for a client to consume server CPU and bandwidth.

use_localtime=NO
Enables the display of times in the local time zone instead of GMT.

You can restrict FTP access to specific local users by adding their usernames to the file /etc/vsftpd/ftpusers or /etc/vsftpd/user_list. The two files behave differently: ftpusers is consulted by PAM (pam_listfile in /etc/pam.d/vsftpd), and every name listed in it is always denied; user_list is read by vsftpd itself, and whether the listed names are denied or are the only names allowed depends on the userlist_deny option (YES, the default, denies them; NO permits only the listed users). Verify the behavior with a test login before relying on it.

7.11.2. How Does It Work?

FTP is a disaster from a security perspective, since transmitted data (including the username and password) are sent in plain text and can be intercepted by anyone snooping on the network. Nonetheless, it's a useful protocol for the public download of large files.

vsftpd was designed from the ground up to be as secure as possible because many of the preceding FTP servers were notoriously insecure. It uses simple code along with techniques such as changing the root directory (chroot) and dropping privileges to limit the damage that can be caused if the server is compromised.

FTP is a very old protocol, so old, in fact, that in its original form it predates TCP/IP! In order to work around some network transport limitations, traditional FTP uses two connections between the client and the server: one for data and one for controlling commands and responses.
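The settings listed above interact: whether a stranger can write to /var/ftp depends on three options together, and whether a firewall can be kept tight depends on the ports the data connections use. The following script is an added example, not code from the book or from the vsftpd project. It parses a vsftpd.conf the way vsftpd does (option=value, no whitespace around the equals sign) and reports the combinations discussed above. DEFAULTS follows the values the text gives for Fedora's shipped configuration; chroot_local_user, pasv_enable, pasv_min_port and pasv_max_port are real vsftpd options that the text does not cover, and their defaults here are taken from vsftpd.conf(5) and should be treated as an assumption for your version. The two sample configurations are constructed for the example.

```python
"""Audit a vsftpd.conf for the risky option combinations described above.

Added example; not code from the book or from the vsftpd project.
"""

DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "YES",
    "write_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "ascii_upload_enable": "NO",
    "ascii_download_enable": "NO",
    "chroot_local_user": "NO",   # not on the page; vsftpd.conf(5) default (assumed)
    "pasv_enable": "YES",        # not on the page; vsftpd.conf(5) default (assumed)
    "pasv_min_port": "0",        # 0 means "any ephemeral port"
    "pasv_max_port": "0",
}


def parse_vsftpd_conf(text):
    """Parse option=value lines; return (settings, errors).

    vsftpd forbids whitespace around '=' and refuses to start on such a
    line, so that is reported as an error instead of silently accepted.
    """
    settings, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            errors.append(f"line {lineno}: not an option=value line: {line!r}")
            continue
        if key != key.rstrip() or value != value.lstrip():
            errors.append(f"line {lineno}: whitespace around '=': {line!r}")
        settings[key.strip()] = value.strip()
    return settings, errors


def enabled(settings, key):
    """Boolean view of an option, falling back to the default table."""
    return settings.get(key, DEFAULTS.get(key, "NO")).upper() == "YES"


def audit(settings):
    """Return a list of findings, each prefixed with a short tag."""
    findings = []
    anon = enabled(settings, "anonymous_enable")
    write = enabled(settings, "write_enable")
    if anon and write and (enabled(settings, "anon_upload_enable")
                           or enabled(settings, "anon_mkdir_write_enable")):
        findings.append("anonymous-write: strangers can create files under "
                        "/var/ftp (anonymous_enable, write_enable and an "
                        "anon_*_enable option are all YES)")
    if enabled(settings, "local_enable"):
        findings.append("cleartext-passwords: local logins send system "
                        "passwords unencrypted; prefer SFTP for those users")
        if write and not enabled(settings, "chroot_local_user"):
            findings.append("no-chroot: writable local logins are not "
                            "confined to the home directory")
    if enabled(settings, "ascii_upload_enable") or enabled(settings, "ascii_download_enable"):
        findings.append("ascii-mode: ASCII transfers are on; binary files "
                        "can be mangled in transit")
    if enabled(settings, "pasv_enable"):
        lo = int(settings.get("pasv_min_port", DEFAULTS["pasv_min_port"]))
        hi = int(settings.get("pasv_max_port", DEFAULTS["pasv_max_port"]))
        if lo == 0 or hi == 0:
            findings.append("pasv-range: passive data connections use any "
                            "high port; pin pasv_min_port/pasv_max_port so the "
                            "firewall does not depend on FTP connection tracking")
    return findings


# Constructed sample configurations (not real files).
PUBLIC_MIRROR = """\
# read-only anonymous download area, no local logins
anonymous_enable=YES
local_enable=NO
write_enable=NO
pasv_min_port=50000
pasv_max_port=50100
"""

DROP_BOX = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
ascii_upload_enable=YES
"""

if __name__ == "__main__":
    for name, conf in (("public mirror", PUBLIC_MIRROR), ("drop box", DROP_BOX)):
        settings, errors = parse_vsftpd_conf(conf)
        print(name, errors or "", audit(settings) or "no findings")
```

Run it against /etc/vsftpd/vsftpd.conf by reading the file into parse_vsftpd_conf; the public-mirror sample produces no findings, while the drop-box sample produces five, starting with the anonymous-write one.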
In the original (active) mode, the control connection originates at the client and the data connection originates at the server, which connects back to a port the client announces. For years this architecture has caused headaches in firewall configuration, because the client's firewall must accept an inbound connection from the server. FTP also supports passive (PASV) mode, in which the server announces a port (in the 227 replies shown in the session above) and the client originates the data connection as well, so both connections are inbound to the server. Passive mode still uses two connections; it just moves the firewall problem to the server side, which is why pinning vsftpd's passive port range and opening only that range is the usual arrangement. Almost all modern client programs support passive operation as the default mode of operation, as an automatic fallback option, or as a manually configured option.

vsftpd logs data transfers in the file /var/log/xferlog.

7.11.3. What About...

7.11.3.1. ...secure FTP?

There are two protocols commonly called secure FTP:

SFTP
A file-transfer protocol that runs inside a secure shell (SSH) session. Despite the name it is not FTP and shares none of its two-connection design. It is installed by default on Fedora systems as part of the SSH service; the command name is sftp. SSH also provides secure copy (scp), which is in many cases more convenient than SFTP.

FTPS
FTP over the Secure Socket Layer (SSL), now usually negotiated as TLS. SSL is a general encryption layer that can be used to protect many types of connections, including HTTP, IMAP, and POP3 (which are known as HTTPS, IMAPS, and POP3S when used with SSL).

I recommend the use of SFTP over FTPS, but vsftpd is capable of handling FTPS connections if security certificates are installed; refer to the vsftpd documentation for details.

7.11.4. Where Can I Learn More?

The manpages for vsftpd, vsftpd.conf, and ftp; the manpages for sshd, scp, and sftp.

7.12. Analyzing Web and FTP Logs

Fedora provides the Webalizer tool for analyzing Apache and vsftpd logfiles, but the default configuration works only with the default Apache virtual host. With a few minutes of configuration, Webalizer can analyze the logfiles of all of your Apache virtual hosts as well as your vsftpd server.

7.12.1. How Do I Do That?

The default configuration for Webalizer analyzes the default Apache logfile at 4:02 a.m. each day, as long as that logfile is not empty. The results can be read by using a browser on the same machine and accessing http://localhost/usage/, which displays the report page. A sample report page is shown in Figure 7-30.
Figure 7-30. Webalizer web usage report

7.12.1.1. Analyzing virtual host logfiles

This configuration assumes that your Apache virtual host logfiles are named /var/log/httpd/name-access_log, where name is the virtual host's name, and are in combined format. To configure Webalizer to analyze your virtual host logfiles each day, create the file /etc/cron.daily/00webalizer-vhosts:

#! /bin/bash
# update access statistics for virtual hosts
CONF=/etc/httpd/conf/httpd.conf
for NAME in $(sed -n "s=^[^#]*CustomLog logs/\([^ ]*\)-.*=\1=p" $CONF)
do
  mkdir -p /var/www/usage/$NAME
  chmod a+rx /var/www/usage/$NAME
  LOG=/var/log/httpd/${NAME}-access_log
  if [ -s "$LOG" ]
  then
    /usr/bin/webalizer -Q -o /var/www/usage/$NAME "$LOG"
  fi
done

The sed expression picks the part of each CustomLog filename before the hyphen (for example, www.example.com from logs/www.example.com-access_log), and the -s test skips virtual hosts whose logfile is empty. Do not exec webalizer inside the loop: exec replaces the shell, so only the first virtual host would ever be processed.

Make this file readable and executable by root:

# chmod u+rx /etc/cron.daily/00webalizer-vhosts

Next, edit /etc/webalizer.conf and place a pound-sign character (#) at the start of the HistoryName and IncrementalName lines to comment them out:

# HistoryName /var/lib/webalizer/webalizer.hist
...(Lines snipped)...
# IncrementalName /var/lib/webalizer/webalizer.current

This will ensure that a separate analysis history is maintained for each virtual host (Webalizer then keeps the history files in each output directory). The virtual host logfiles will be analyzed every morning at 4:02 a.m., and the reports will be accessible at http://localhost/usage/name/.

7.12.1.2. Analyzing the FTP logfile

To analyze the vsftpd logfile each day, create the file /etc/cron.daily/00webalizer-ftp:

#! /bin/bash
# update access statistics for ftp
if [ -s /var/log/xferlog ]; then
  exec /usr/bin/webalizer -Q -F ftp -o /var/www/usage/ftp /var/log/xferlog
fi

Make this file readable and executable by root:

# chmod u+rx /etc/cron.daily/00webalizer-ftp

Then create the directory /var/www/usage/ftp (it needs the execute bit as well as read so that Apache can enter it):

# mkdir /var/www/usage/ftp
# chmod a+rx /var/www/usage/ftp

Make sure that you have made the changes to /etc/webalizer.conf noted previously. Your FTP usage statistics will now be analyzed each day at 4:02 a.m. along with your web statistics. The reports will be accessible at http://localhost/usage/ftp/.
7.12.1.3. Accessing the usage statistics from another location

It's often inconvenient to access the usage statistics from the same machine that is running Apache. To make the statistics password-protected and accessible from any system, edit the file /etc/httpd/conf.d/webalizer.conf to look like this:

#
# This configuration file maps the Webalizer log-analysis
# results (generated daily) into the URL space. By default
# these results are only accessible from the local host.
#
Alias /usage /var/www/usage

<Location /usage>
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName "usage statistics"
    AuthUserFile /var/lib/webalizer/passwd
    Require valid-user
</Location>

Create the password file with the htpasswd command:

# htpasswd -c /var/lib/webalizer/passwd chris
New password: NeverGuess
Re-type new password: NeverGuess
Adding password for user chris

The SELinux context of the password file, and of the directory containing it, must be changed so that Apache is allowed to read them:

# chcon -R -t httpd_sys_content_t /var/lib/webalizer/

Check the result with ls -Z /var/lib/webalizer/, then restart or reload httpd. The statistics reports should now be accessible using a web browser on any computer. Keep in mind that Basic authentication sends the password only base64-encoded, which is as good as plain text on the wire; if you reach the reports across a network you do not trust, serve them over HTTPS (mod_ssl) rather than plain HTTP.

7.12.2. How Does It Work?

The script /etc/cron.daily/00webalizer is started once a day (at around 4:02 a.m.) by crond. This script in turn starts up Webalizer; the default configuration file (/etc/webalizer.conf) is preset to analyze the main Apache logfile (/var/log/httpd/access_log) and place the results in /var/www/usage. The script file 00webalizer-vhosts obtains the virtual host log filenames from /etc/httpd/conf/httpd.conf and runs Webalizer on each logfile after the main logfile has been processed. 00webalizer-ftp does the same thing for the vsftpd logfile, /var/log/xferlog. The web directory /var/www/usage is initially protected by the file /etc/httpd/conf.d/webalizer.conf so that Apache will serve it only to a browser running on the same computer.
Webalizer analyzes logfiles to determine usage patterns; it can process the Apache common and combined logfile formats and the wu-ftpd xferlog format (which is the format vsftpd writes when xferlog_std_format is enabled, as it is in Fedora's default configuration). It stores the generated statistics for the last year in the file webalizer.hist, and stores partial statistics for the current reporting period (month) in the file webalizer.current. The data from previous runs of the program is retrieved from those files and combined with data from the current logfile to generate the reports. By default, webalizer.hist and webalizer.current are stored in /var/lib/webalizer; the changes to the configuration file cause these files to be stored in the output directories so that each report has its own, separate copy of these files. The generated reports are saved as HTML pages and PNG graphics.

7.12.3. Where Can I Learn More?

The manpages for webalizer, cron, and crontab

Chapter 8. Securing Your System

System security maintenance is an essential task when running a computer, but it's never been particularly glamorous or fun. The basic goal of system security is to ensure that the system provides the services it is supposed to provide, cannot be subverted to do things it was not intended to do, and that the services remain available for use.

Effective security requires a multipronged approach, and Fedora provides effective tools to secure your system in several different ways:

- Filtering of network traffic
- System activity logging and automatic monitoring tools
- Discretionary access controls such as permissions and access control lists
- Mandatory access controls through SELinux
- Intrusion-detection tools and immutable file attributes to detect and prevent file alteration
- Tools to delegate specific system administration privileges to different users

Together with automated software updates, these tools enable you to efficiently maintain your system security.

8.1.
Prevent Unwanted Connections

Most Fedora systems are connected to a TCP/IP network. You can guard against unwanted inbound connections to your system by using the built-in firewall.

8.1.1. How Do I Do That?

To adjust the Fedora firewall graphically, select Security Level and Firewall from the System → Administration menu (the tool is system-config-securitylevel); after you enter the root password, the window shown in Figure 8-1 will appear.

Figure 8-1. Firewall configuration tool

The control at the top of this window enables and disables the firewall. When the firewall is enabled, the lower portion of this window can be used to permit connections to your system for selected services; simply select the checkboxes for the desired services. SSH should remain selected to permit secure remote administration. Every other checkbox opens a listening port to every host that can reach you, so select only the services you actually run.

To permit connections to services that are not listed, click on the triangle for "Other ports." The display will change to reveal an additional section, as shown in Figure 8-2.

Figure 8-2. Configuring other ports

To add additional ports, click the Add button, and the window shown on the right side of Figure 8-2 will pop up. Enter the port number or the service name, select TCP or UDP for the protocol, and click OK.

A list of most of the common services and their corresponding port numbers can be found in the file /etc/services.

When the firewall is configured to your liking, click OK.

8.1.1.1. Configuring the firewall in text mode

Enter this command:

# lokkit

The screen displayed in Figure 8-3 will appear. Use the Tab key to navigate among fields, the spacebar to select and deselect checkboxes, and Enter or the spacebar to activate buttons.

Figure 8-3. Lokkit firewall configuration screen

Enable or disable the firewall using the checkboxes. To customize the types of connections that are permitted through the firewall, tab to the Customize button and press Enter. The customization screen shown in Figure 8-4 will appear.

Figure 8-4.
Lokkit firewall customization screen

The Trusted Devices and MASQUERADE Devices checkboxes are applicable only to systems with multiple network connections. Do not select either of those options on a system with a single network interface. The Trusted Devices checkbox will disable firewall protection for the selected interface!

Use the Allow Incoming checkboxes to select the services that will be permitted to connect to your system through the firewall. In almost all cases, SSH should be selected to permit secure remote connections for system administration.

To allow incoming connections to services that are not listed, enter the port number or service, followed by a colon (:), and the protocol (TCP or UDP) into the "Other ports" field at the bottom of the screen. You will need to separate multiple entries with a space or comma. For example, to permit incoming connections to the VNC service as well as to a custom UDP service running on port 64447, use:

vnc:tcp 64447:udp

Select OK to return to the main screen (Figure 8-3); select OK on that screen to save your settings and exit.

8.1.1.2. Temporarily disabling the firewall from the command line

To disable the firewall until the next reboot, stop the iptables service:

# service iptables stop

Stopping the service flushes every rule and, because the chain policies are ACCEPT, leaves every listening service reachable; do this only while you are testing. To reset your firewall to the configured settings, restart the iptables service:

# service iptables restart

8.1.2. How Does It Work?

The Fedora firewall uses the kernel's iptables capability, which can filter packets based on their source, destination, port, protocol, contents, and current connection state.
To view the current iptables configuration, use the -L option (add -n to avoid slow reverse-DNS lookups of every address, and -v to see the interface each rule applies to):

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

There are four chains of rules defined here:

INPUT
Filters packets that are inbound to this system.

FORWARD
Filters packets that are passing through the system. This applies only if there is more than one network interface and IP forwarding is turned on to pass packets between the interfaces (for example, in a system serving as a router).

OUTPUT
Filters packets that are outbound from this system.

RH-Firewall-1-INPUT
This is the chain of rules configured by the firewall system. Notice that this chain is included in the chains for INPUT and FORWARD.

The first rule in RH-Firewall-1-INPUT looks as if it accepts everything; it is actually restricted to the loopback interface (lo), a match that iptables -L does not display unless you add -v. Any ACCEPT-all rule without such a restriction would make the rest of the chain meaningless, so it is worth confirming with -v.

In this example, IPP (Internet Print Protocol, used by CUPS), MDNS (multicast DNS, used by Avahi), and SSH connections are all permitted; only SSH was configured through the firewall tool, demonstrating that not all services are configured through the firewall configuration tools. Since the policy for each chain is ACCEPT, flushing (clearing) the rules will result in all packets being accepted. This is exactly what the iptables -F command does, which is executed when the iptables service is stopped.
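Reading a long iptables listing by eye is error-prone, so a small audit over the output of iptables -L -n is a useful check. The script below is an added example, not code from the book or from the netfilter project. It parses the listing into chains, walks the jumps from INPUT into user chains such as RH-Firewall-1-INPUT, and reports which protocol/port combinations any remote host can reach, which chains have an ACCEPT policy, and which ACCEPT-all rules show no visible match (the loopback rule above is one; the -v flag is needed to confirm it is bound to lo). The embedded listing is constructed to mirror the chains shown above in numeric (-n) form.

```python
"""Audit 'iptables -L -n' output for exposed services and open policies.

Added example; not code from the book or from the netfilter project.
"""
import re

# Constructed sample: the chains shown above as "iptables -L -n" prints them
# (numeric addresses and port numbers instead of names).
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")


def parse_iptables(text):
    """Return {chain: {"policy": str or None, "rules": [rule, ...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue
        parts = line.split(None, 5)          # target prot opt src dst [matches]
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) > 5 else ""
        dpt = re.search(r"dpt:(\d+)", extra)
        chains[current]["rules"].append({
            "target": target, "prot": prot, "src": src, "dst": dst,
            "dport": int(dpt.group(1)) if dpt else None, "extra": extra,
        })
    return chains


def walk(chains, name, seen=None):
    """Yield (chain, rule) for every rule reachable from `name`, following
    jumps into user-defined chains in evaluation order."""
    seen = set() if seen is None else seen
    if name in seen or name not in chains:
        return
    seen.add(name)
    for rule in chains[name]["rules"]:
        yield name, rule
        if rule["target"] in chains:
            yield from walk(chains, rule["target"], seen)


def exposed_services(chains, entry="INPUT"):
    """(prot, dport, dst) for each ACCEPT that any source address can hit
    to open a new connection (RELATED,ESTABLISHED matches are excluded)."""
    return [(r["prot"], r["dport"], r["dst"]) for _, r in walk(chains, entry)
            if r["target"] == "ACCEPT" and r["src"] == "0.0.0.0/0"
            and "ESTABLISHED" not in r["extra"]]


def unconditional_accepts(chains, entry="INPUT"):
    """ACCEPT-all rules with no visible match. Interface matches (-i lo) are
    hidden without -v, so confirm each of these with 'iptables -L -n -v'."""
    return [(c, r) for c, r in walk(chains, entry)
            if r["target"] == "ACCEPT" and r["prot"] == "all" and not r["extra"]]


def open_policies(chains):
    """Built-in chains whose policy is ACCEPT: flushing them opens the host."""
    return [c for c, v in chains.items() if v["policy"] == "ACCEPT"]


if __name__ == "__main__":
    chains = parse_iptables(SAMPLE)
    print("exposed:", exposed_services(chains))
    print("accept-all without match:", unconditional_accepts(chains))
    print("ACCEPT policies:", open_policies(chains))
```

To run it on a live system, feed it the output of iptables -L -n instead of SAMPLE; for the listing above it reports tcp/22, tcp/631, udp/631 and udp/5353 (plus ICMP, ESP and AH, which have no port) as reachable, one ACCEPT-all rule to confirm, and ACCEPT policies on all three built-in chains.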
The graphical firewall configuration tool is system-config-securitylevel (which, in recent versions, also handles SELinux configuration). The character-based version is system-config-securitylevel-tui, which is also known as lokkit. Both of these tools save the firewall configuration in /etc/sysconfig/system-config-securitylevel and, from that configuration, derive a set of iptables rules that are saved in /etc/sysconfig/iptables. That file, in turn, is used by the iptables service (/etc/init.d/iptables) to configure the firewall; options that control the operation of the iptables service are stored in /etc/sysconfig/iptables-config. Note that the tools regenerate /etc/sysconfig/iptables from their own configuration each time you click OK, so any rules you add to that file by hand will be lost the next time the tool is used.

iptables is actually an unusual service. Most other services, such as cups, httpd, or gpm, have a server process that begins running when the service is started and that is stopped when the service is stopped; iptables, on the other hand, just configures the iptables facility in the kernel when the service is started or stopped, so there's no actual process running when the firewall is active.

8.1.3. What About...

8.1.3.1. ...more complex firewall rules?

The firewall interface provided by Fedora's system-config-securitylevel supports only the filtering of inbound (and forwarded) packets and is quite simple. However, the iptables mechanism supports much more complex filtering. Fedora Extras provides several alternate tools for firewall configuration, including firestarter, fwbuilder, and shorewall.

8.1.4. Where Can I Learn More?

The iptables manpage; iptables at http://netfilter.org

8.2. Using SELinux

Security Enhanced Linux (SELinux) is installed and enabled by default in Fedora Core. SELinux controls what a program is and is not allowed to do, enforcing security policy in the kernel. This prevents an attacker from using a compromised program to do something it was not intended to do.
Although SELinux can at times be challenging to configure, it dramatically improves protection against some common system attacks, so a little bit of effort can pay off in a big way.

8.2.1. How Do I Do That?

SELinux is managed using the same graphical tool used to manage the firewall. Select Security Level and Firewall from the System → Administration menu, enter the root password, and select the SELinux tab; the window shown in Figure 8-5 will appear.

Figure 8-5. Graphical configuration tool for SELinux

There are three possible values for SELinux Setting:

Enforcing
Fully enables SELinux. Any attempted operation that violates the current security policy is blocked.

Permissive
Enables SELinux security checks but does not enforce the security policy; operations that violate the current security policy are permitted, but an error message is logged to record the event. This is useful if you have previously disabled SELinux and want to evaluate the potential impact before you enable it.

Disabled
Completely disables SELinux. Files created while SELinux is disabled receive no labels, which is one reason a relabel (see below) is needed when you turn it back on.

If you enable SELinux (using Enforcing or Permissive mode), expand the Modify SELinux Policy section by clicking the triangle. The SELinux policy configuration categories will appear, as shown in Figure 8-6.

Figure 8-6. SELinux policy configuration categories

Each of these categories contains a number of options (represented as checkboxes) called booleans. Each boolean may be set on (checked) or off (unchecked). To expand the options in any category, click on the arrow in front of that category. In Figure 8-6, the Admin category has been expanded, and the window width has been resized to fully show each option.

After selecting or deselecting booleans as desired, click OK. Changes in boolean values will take effect immediately, but changing the SELinux setting to or from Disabled will take effect only when the system is booted.

8.2.1.1. Configuring SELinux from the command line

SELinux can also be configured very easily from the command line.
To enable SELinux, edit the file /etc/selinux/config and set the SELINUX value to enforcing, permissive, or disabled:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

Changes made to this file will take effect when the system is booted.

If SELinux is enabled, you can use the getenforce command to view the current mode, and you can use the setenforce command to immediately switch between enforcing and permissive modes:

# getenforce
Enforcing
# setenforce permissive
# getenforce
Permissive
# setenforce enforcing
# getenforce
Enforcing

Boolean values, corresponding to the checkboxes in the graphical Security Level configuration tool, can be viewed with the getsebool command, using the -a option to see all values:

$ getsebool -a
NetworkManager_disable_trans --> off
allow_cvs_read_shadow --> off
allow_execheap --> off
allow_execmem --> on
...(Lines snipped)...
ypserv_disable_trans --> off
ypxfr_disable_trans --> off
zebra_disable_trans --> off

You can also specify a specific boolean:

$ /usr/sbin/getsebool httpd_enable_cgi
httpd_enable_cgi --> on

To temporarily set a boolean value, use the setsebool command:

# setsebool httpd_enable_cgi 1
# setsebool httpd_enable_homedirs=0

Notice that the on/off state of the boolean is expressed numerically, with 1 representing on and 0 representing off. Also note that the boolean name and value may be specified as two arguments (first example), or they may be specified as a single argument, joined with the = symbol (second example).
If you use the second form, you can set multiple booleans with one command:

# setsebool httpd_enable_cgi=1 httpd_enable_homedirs=0

Changes made to boolean values with setsebool take effect immediately but are not permanent; they will reset at the next boot. To make them permanent, add the -P argument (this rewrites the stored policy, so it takes a few seconds):

# setsebool -P httpd_enable_cgi=1

8.2.1.2. Determining which booleans to modify

The default boolean settings for SELinux are reasonable for most systems, but they may need to be changed to relax the security policy for specific applications. For example, by default, web scripts are not permitted to communicate through the network; this prevents an untrusted script from somehow transferring private data to another host, or from being used as a stepping stone to attack other machines. But if your web scripts need to connect to an IMAP email server or an SQL database such as MySQL or PostgreSQL, you'll need to set the appropriate boolean. Relax only the boolean that the denial calls for; turning off a whole *_disable_trans boolean to make one error go away throws away all of the protection for that service.

In this case, you can find the boolean in the graphical interface by expanding the HTTPD Service category and looking through the options. Select the checkbox for the boolean labeled "Allow HTTPD scripts and modules to connect to the network."

There is also a manpage provided for each of the most popular servers protected by SELinux. These manpages are named service_selinux; for example, to access a description of the SELinux booleans that affect httpd, view the httpd_selinux manpage:

$ man httpd_selinux

To see a list of all the service-specific manpages for SELinux, enter the command:

$ apropos _selinux

In the BOOLEAN section you will find this text:

httpd scripts by default are not allowed to connect out to the network. This would prevent a hacker from breaking into your httpd server and attacking other machines. If you need scripts to be able to connect you can set the httpd_can_network_connect boolean on.
setsebool -P httpd_can_network_connect 1

To translate between the descriptions shown in the graphical Security Level Configuration tool and the boolean names used by setsebool and getsebool, use the file /usr/share/system-config-securitylevel/selinux.tbl, which looks like this:

unlimitedUtils _("Admin") _("Allow privileged utilities like hotplug and insmod to run unconfined.")
unlimitedRC _("Admin") _("Allow rc scripts to run unconfined, including any daemon started by an rc script that does not have a domain transition explicitly defined.")
unlimitedRPM _("Admin") _("Allow rpm to run unconfined.")
staff_read_sysadm_file _("Admin") _("Allow staff_r users to search the sysadm home dir and read files (such as ~/.bashrc)")
direct_sysadm_daemon _("Admin") _("Allow sysadm_t to directly start daemons")
...(Lines snipped)...

Each line consists of the boolean name used by setsebool/getsebool, followed by the configuration category and the description used by the Security Level Configuration tool.
Use grep with a server name, boolean name, or a description from the configuration tool to quickly find values in this file:

$ cd /usr/share/system-config-securitylevel
$ grep httpd selinux.tbl
httpd_enable_cgi _("HTTPD Service") _("Allow HTTPD cgi support")
httpd_can_network_connect _("HTTPD Service") _("Allow HTTPD scripts and modules to connect to the network.")
httpd_enable_homedirs _("HTTPD Service") _("Allow HTTPD to read home directories")
httpd_ssi_exec _("HTTPD Service") _("Allow HTTPD to run SSI executables in the same domain as system CGI scripts.")
httpd_builtin_scripting _("HTTPD Service") _("Allow HTTPD to support built-in scripting")
httpd_disable_trans _("HTTPD Service") _("Disable SELinux protection for httpd daemon")
httpd_suexec_disable_trans _("HTTPD Service") _("Disable SELinux protection for http suexec")
httpd_unified _("HTTPD Service") _("Unify HTTPD handling of all content files.")
httpd_tty_comm _("HTTPD Service") _("Unify HTTPD to communicate with the terminal. Needed for handling certificates.")
$ grep "Allow ftp to read/write files in the user home directories" selinux.tbl
ftp_home_dir _("FTP") _("Allow ftp to read/write files in the user home directories")
$ grep unlimitedRPM selinux.tbl
unlimitedRPM _("Admin") _("Allow rpm to run unconfined.")

Table 8-1 contains some of the most commonly altered SELinux booleans. For each boolean, the quoted text is the description shown in system-config-securitylevel (some booleans have no entry there), followed by the usual reason for altering it. All of these booleans are off by default.

Table 8-1. Commonly altered SELinux booleans

allow_ptrace: "Allow sysadm_t to debug or ptrace applications." Permits root to use tools such as gdb for debugging.

allow_execmod: "Allow the use of shared libraries with Text Relocation." Required to use the Adobe Flash browser plug-in and Sun Java.

allow_ftp_anon_write: (no description in the tool) Permits the FTP server to write to files labeled with type public_content_rw_t, described in Table 8-2.

httpd_can_network_connect: "Allow httpd scripts and modules to connect to the network." Enables web scripts to connect to databases and mail servers.

httpd_enable_homedirs: "Allow httpd to read home directories." Enables the use of ~/public_html for personal web pages.

httpd_tty_comm: "Unify httpd to communicate with the terminal. Needed for handling certificates." Enables the use of certificates with passphrases (requires the passphrase to be entered on the terminal).

allow_httpd_anon_write: (no description in the tool) Permits Apache to write to files labeled with type public_content_rw_t (see Table 8-2).

named_write_master_zones: "Allow named to overwrite master zone files." Required for dhcpd updating of zones.

nfs_export_all_ro: "Allow reading on any NFS filesystem." Enables NFS file sharing (read-only).

nfs_export_all_rw: "Allow read/write/create on any NFS filesystem." Enables NFS file sharing (read/write).

use_nfs_home_dirs: "Support NFS home directories." Allows home directories (such as /home/chris) to be imported from an NFS server.

samba_enable_home_dirs: "Allow Samba to share users' home directories." Allows homes shares in smb.conf.

use_samba_home_dirs: "Allow users to log in with CIFS home directories." Allows home directories (such as /home/chris) to be imported from a Samba or Windows server.

allow_samba_anon_write: (no description in the tool) Permits Samba to write to files labeled with type public_content_rw_t.

spamassassin_can_network: "Allow Spam Assassin daemon network access." Enables the use of real-time blackhole lists (RBLs) by SpamAssassin.

ssh_sysadm_login: "Allow SSH logins as sysadm_r:sysadm_t." Allows root login via SSH (otherwise, you'll need to log in as a regular user and then use su). This may be required if you're running remote backups via SSH.

subsystem_disable_trans (where subsystem is a service name, as in httpd_disable_trans): "Disable SELinux protection for subsystem." Use this as a last resort. It's better to disable SELinux protection for one subsystem than to turn it off entirely.

8.2.1.3.
Using file labels

SELinux uses file labels to specify an SELinux context for each file. To display the context labels, use the -Z or --context option to ls:

$ ls -Z /etc
-rw-r--r--  root root system_u:object_r:etc_t          a2ps.cfg
-rw-r--r--  root root system_u:object_r:etc_t          a2ps-site.cfg
drwxr-xr-x  root root system_u:object_r:etc_t          acpi
-rw-r--r--  root root system_u:object_r:adjtime_t      adjtime
drwxr-xr-x  root root system_u:object_r:etc_t          alchemist
-rw-r--r--  root root system_u:object_r:etc_aliases_t  aliases
-rw-r-----  root smmsp system_u:object_r:etc_aliases_t aliases.db
drwxr-xr-x  root root system_u:object_r:etc_t          alsa
drwxr-xr-x  root root system_u:object_r:etc_t          alternatives
-rw-r--r--  root root system_u:object_r:etc_t          anacrontab
-rw-------  root root system_u:object_r:etc_t          at.deny
-rw-r--r--  root root system_u:object_r:automount_etc_t auto.master
-rw-r--r--  root root system_u:object_r:automount_etc_t auto.misc
-rwxr-xr-x  root root system_u:object_r:automount_etc_t auto.net
-rwxr-xr-x  root root system_u:object_r:automount_etc_t auto.smb
...(Lines snipped)...

The context label displayed on each line contains the text system_u:object_r: followed by the file type assigned to the file. In the output above, the aliases file has been given the file type etc_aliases_t (which is unique to that file), indicating that the SELinux policy treats that file specially.

All file types end in _t for easy identification.

Files contained in your home directory are usually given the type user_home_t. The default policy will not permit web pages in ~/public_html to be accessed through the web server, even if the httpd_enable_homedirs boolean is turned on, unless the files being shared have the type httpd_sys_content_t. To change file contexts, use the chcon command:

$ chcon -R -t httpd_sys_content_t ~/public_html

The -R option causes chcon to recursively change the context of files and directories within ~/public_html, and -t httpd_sys_content_t sets the file type.
The file context types most commonly used with chcon are shown in Table 8-2.

Table 8-2. Common nondefault file context types (type: description; examples)

httpd_sys_content_t: Files that may be served by httpd. Examples: web pages, graphics, CSS files, client-side ECMAScript/JavaScript.

httpd_sys_script_exec_t: CGI scripts that may be executed by httpd. Examples: web scripts written in any external scripting language (e.g., scripts written in Perl when you are not using mod_perl).

httpd_unconfined_script_exec_t: CGI scripts that will not be constrained by SELinux. Dangerous! But it may be required for some complex CGI scripts.

httpd_sys_script_ro_t: Datafiles that may be read (but not written) by CGI scripts. Examples: static CGI script datafiles.

httpd_sys_script_ra_t: Datafiles that may be read and appended (but not overwritten or truncated) by CGI scripts. Examples: script logfiles, guestbooks, nonrevisable order queues, survey and quiz records.

httpd_sys_script_rw_t: Datafiles that may be read and written by CGI scripts. Examples: user profiles, session status, and other CGI datafiles.

samba_share_t: Enables sharing of the file by Samba (not required for home directories). Examples: group Samba shares.

public_content_t: Enables sharing of the file (read only) by Samba, httpd, NFS, and rsync. Examples: files shared by multiple servers.

public_content_rw_t: Enables sharing of the file (read/write) by Samba, httpd, FTP, and rsync. Examples: files shared and updatable through multiple servers.

A file label that has been changed manually may be changed back to the default value during a relabeling (discussed in the next section).

For example, if you have created the /var/samba directory and are using it for Samba group shares, it will need to be labeled with the type samba_share_t:

    # chcon -R -t samba_share_t /var/samba

To make that the default context label for /var/samba, edit /etc/selinux/targeted/contexts/files/file_contexts.local to contain this line:

    /var/samba(/.*)?    system_u:object_r:samba_share_t

The first field contains a regular expression specifying that this entry will match /var/samba itself and any pathname beneath it. The expression is anchored at both ends, so it does not match /var/samba2; the (/.*)? group is what extends it to the directory's contents. The context label in the second field (which must include the system_u:object_r: portion) configures the default label for files that match the regular expression.

8.2.1.4. Relabeling the system

Some caution is in order: you may end up with a system where many file labels are wrong if you update your SELinux policy, mount your filesystems without SELinux support enabled (perhaps during rescue mode), or go wild with chcon. To relabel your system, create the empty file /.autorelabel and then reboot:

    # touch /.autorelabel
    # shutdown -r now

During system startup, your files will be relabeled to default values, except for files labeled with a type listed in /etc/selinux/targeted/contexts/customizable_types. The relabeling operation will typically take a few minutes on a desktop system or small server, and could take much longer on a large server or very old computer. To relabel just one directory tree without rebooting (for example, after adding the /var/samba entry above), run restorecon -R on that directory; it applies the same file context specifications.

8.2.1.5. Viewing and interpreting SELinux messages

SELinux policy messages are sent to syslog and usually end up in /var/log/messages. (If the audit daemon, auditd, is running, they are written to /var/log/audit/audit.log instead; ausearch -m avc will find them there.) To find them among the other messages, search for the string avc:

    # grep avc: /var/log/messages
    May  2 16:32:56 laptop3 kernel: audit(1146601976.667:289): avc:  denied  { getattr } for  pid=23807 comm="httpd" name="public_html" dev=dm-1 ino=192237 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir

Here we see that an access request was denied between a subject with an scontext of user_u:system_r:httpd_t:s0 and a target with a tcontext of user_u:object_r:user_home_t:s0 for the tclass dir (a filesystem directory).
The additional fields provide a bit more information: the attempted operation was getattr (get attributes), the process ID of the subject was 23807, the command executing was httpd, the directory name was public_html, the storage device was dm-1, and the inode number was 192237.

The fact that the storage device name starts with dm (which stands for device mapper) indicates that the directory is stored in a logical volume. You can find the device number from a detailed listing of the device node:

    $ ls -l /dev/dm-1
    brw-r----- 1 root disk 253, 1 Apr 29 08:57 /dev/dm-1

The output indicates that the device number is 253, 1. Compare this with the device nodes in /dev/mapper:

    $ ls -l /dev/mapper
    total 0
    crw------- 1 root root  10, 63 Apr 29 08:57 control
    brw-rw---- 1 root disk 253,  1 Apr 29 08:57 main-home
    brw-rw---- 1 root disk 253,  3 Apr 29 08:57 main-remote
    brw-rw---- 1 root disk 253,  0 Apr 29 08:57 main-root
    brw-rw---- 1 root disk 253,  4 Apr 29 08:57 main-test
    brw-rw---- 1 root disk 253,  2 Apr 29 08:57 main-var

According to this output, /dev/dm-1 corresponds to /dev/mapper/main-home, which refers to the logical volume home within the volume group main. The mount command shows the mount point for this volume:

    $ mount
    /dev/mapper/main-root on / type ext3 (rw)
    proc on /proc type proc (rw)
    sysfs on /sys type sysfs (rw)
    devpts on /dev/pts type devpts (rw,gid=5,mode=620)
    /dev/hdc2 on /boot type ext3 (rw)
    tmpfs on /dev/shm type tmpfs (rw)
    /dev/mapper/main-home on /home type ext3 (rw)
    none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
    sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
    automount(pid10695) on /net type autofs (rw,fd=4,pgrp=10695,minproto=2,maxproto=4)

We know that the directory filename is public_html, but we don't know the full pathname of the directory. Passing the mount point and inode number to find will reveal the pathname:

    # find /home -xdev -inum 192237
    /home/chris/public_html

The -xdev argument limits the search to a single filesystem.
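Reading the fields out of an AVC line by eye gets tedious once there are dozens of them. As an added example, not code from the book, the shell functions below pull the interesting fields out of a denial with sed, reduce each context to its type, and print a one-line summary; avc_hint recognizes the one case this lab works through (httpd_t denied on user_home_t) and prints the fix the text arrives at. The sample line is the message quoted above, embedded here as data so the script runs without a log file; the hint table is deliberately small and is not a substitute for audit2why.

```shell
#!/bin/sh
# Added example (not from the book): decode an AVC denial line.
# AVC_SAMPLE reproduces the message shown in the text as sample input.

AVC_SAMPLE='May  2 16:32:56 laptop3 kernel: audit(1146601976.667:289): avc:  denied  { getattr } for  pid=23807 comm="httpd" name="public_html" dev=dm-1 ino=192237 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir'

# avc_field LINE KEY: print the value of " KEY=value" with any quotes removed.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# avc_perm LINE: the permission(s) that were denied, e.g. getattr.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the third field of user:role:type[:level] is the type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "comm (pid) denied perm on tclass name: stype -> ttype".
avc_summary() {
    printf '%s (%s) denied %s on %s %s: %s -> %s\n' \
        "$(avc_field "$1" comm)" "$(avc_field "$1" pid)" \
        "$(avc_perm "$1")" "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" name)" \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")"
}

# avc_hint LINE: the remedy for the source/target type pair covered in the
# text; anything else is handed to audit2why.
avc_hint() {
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    case "$stype/$ttype" in
        httpd_t/user_home_t)
            echo 'setsebool -P httpd_enable_homedirs 1; chcon -R -t httpd_sys_content_t ~user/public_html' ;;
        *)
            echo 'no canned fix; pipe the message through audit2why' ;;
    esac
}

# Typical use on a live system:
#   grep avc: /var/log/messages | while read -r l; do avc_summary "$l"; done
avc_summary "$AVC_SAMPLE"
avc_hint "$AVC_SAMPLE"
```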
So now we know that httpd (Apache) was unable to access the directory /home/chris/public_html. The command audit2why will attempt to decode SELinux error messages:

    # grep avc: /var/log/messages | audit2why
    May  2 16:32:56 laptop3 kernel: audit(1146601976.667:289): avc:  denied  { getattr } for  pid=23807 comm="httpd" name="public_html" dev=dm-1 ino=192237 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
            Was caused by:
                    Missing or disabled TE allow rule.
                    Allow rules may exist but be disabled by boolean settings; check boolean settings.
                    You can see the necessary allow rules by running audit2allow with this audit message as input.

This explanation is not very informative, but it does tell us that there is no type enforcement rule to allow this access, and that this may be because of a boolean setting. Viewing the manpage for httpd_selinux gives information about the necessary boolean setting, along with the required context label:

    httpd by default is not allowed to access users home directories. If you want to allow access to users home directories you need to set the httpd_enable_homedirs boolean and change the context of the files that you want people to access off the home dir.

        setsebool -P httpd_enable_homedirs 1
        chcon -R -t httpd_sys_content_t ~user/public_html

Issuing the commands given in the manpage fixes the problem. Here I've substituted the actual user's name into the chcon argument:

    # setsebool -P httpd_enable_homedirs 1
    # chcon -R -t httpd_sys_content_t ~chris/public_html

The -P option writes the boolean into the policy store so that the setting survives a reboot; without it the change is lost at the next boot.

Fedora Core 6 includes the first release of the setroubleshoot tool, which provides a desktop notification of AVC denials as well as a GUI program for analyzing AVC messages. To use this tool, install the setroubleshoot package.

8.2.2. How Does It Work?

The Linux kernel provides the Linux Security Module (LSM) interface to enable additional access controls to be added to operations.
These interfaces provide connections, or hooks, into the system call code used by processes to request that the kernel perform an operation, such as opening a file, sending a signal to another process, or binding to a network socket. SELinux uses these hooks to permit or deny requests made by a process (the subject) on a resource such as a file, network socket, or another process (the object). These controls are called mandatory access controls (MAC) because they enforce a consistent security policy across the entire system. This stands in contrast to the traditional Unix/Linux file permissions, which are considered discretionary access controls (DAC) because the access settings are left to each user's discretion.

SELinux does not override permissions; access to a resource must be permitted by all security mechanisms, including SELinux, permission modes, ACLs, mount options, and filesystem attributes, before it will be granted.

An SELinux policy defines the rules used to make each access decision. There are three inputs into each decision: the security context of the source subject, and the security context and class of the target object. Each security context consists of four parts: a user, a role, a type, and a sensitivity. In order to track this information, SELinux assigns a label to each subject and object. You can view the context of processes by using the -Z (or --context) argument with the ps command:

    $ ps -e -Z
    LABEL                           PID TTY          TIME CMD
    system_u:system_r:init_t          1 ?        00:00:02 init
    system_u:system_r:kernel_t        2 ?        00:00:00 ksoftirqd/0
    system_u:system_r:kernel_t        3 ?        00:00:00 watchdog/0
    system_u:system_r:kernel_t        4 ?        00:00:00 events/0
    ...Lines snipped...
    user_u:system_r:unconfined_t  24168 pts/2    00:00:00 bash
    user_u:system_r:unconfined_t  24228 pts/2    00:00:00 ps
    user_u:system_r:unconfined_t  24229 pts/2    00:00:00 tail

This information is also displayed by the GNOME System Monitor, as shown in Figure 8-7.
If you've added the System Monitor applet to your GNOME panel, clicking on it will start the GNOME System Monitor. You can also start it using the menu entry Applications > System Tools > System Monitor, or by typing the command gnome-system-monitor.

Figure 8-7. GNOME System Monitor display showing the security contexts of processes

The label on the init process (highlighted in Figure 8-7) indicates that the user is system_u, the role is system_r, and the type is init_t. The sensitivity is not shown in this output. This label defines the source security context (scontext) because the init process is a source of system access requests.

_t indicates a type, _r indicates a role, and _u indicates a user.

When init attempts to read the configuration file /etc/inittab, the label on that file defines the target security context (tcontext):

    $ ls -Z /etc/inittab
    -rw-r--r--  root root  system_u:object_r:etc_t  /etc/inittab

Context labels on files are stored in the file's extended attributes, and therefore SELinux can label files only on filesystems that support these attributes: ext2, ext3, and XFS on a stock Fedora kernel. Support elsewhere varies: ReiserFS and JFS can carry security attributes only when the kernel is built with that support, and ISO9660 and VFAT cannot store them at all. Files on a filesystem without per-file labels all receive a single context, which you can choose with the context= mount option. You can view the context labels as a file attribute using the getfattr command, specifying the security.selinux attribute name:

    # getfattr -n security.selinux /etc/hosts
    getfattr: Removing leading '/' from absolute path names
    # file: etc/hosts
    security.selinux="system_u:object_r:etc_t:s0\000"

The last portion of the security.selinux attribute is the sensitivity level, which is used only for multilevel security (MLS) and multicategory security (MCS). The \000 at the end of the attribute indicates an ASCII NUL character, used to delimit the end of the attribute in traditional C style.
The target class (tclass) associated with the object being accessed is determined by the type of object (and in some cases, how it is being accessed); in this example, where init is attempting to access /etc/inittab, the tclass is file. Therefore the SELinux policy is checked to see if access is permitted for an scontext of system_u:system_r:init_t, a tcontext of system_u:object_r:etc_t, and a tclass of file. To speed access, SELinux decisions are cached in an area of memory called the access vector cache (AVC), which is why SELinux error messages are labeled avc.

The Fedora project has three policies available:

targeted: The default policy installed with Fedora Core. This policy is targeted at the protection of the most frequently attacked portions of the system, including most network services. Programs that are not targeted are unconstrained by SELinux.

strict: This policy denies every action except those explicitly permitted. Although this should be more secure than the targeted policy, it's hard to create a policy that encompasses all possible configurations of all programs that can be installed on a Fedora system, and attempting to use this policy has frustrated many system administrators into turning off SELinux altogether. In other words, the targeted policy is often more secure simply because it's more likely to be used.

MLS: Experimental policy to support multilevel security (MLS). This is important for some government certifications and is not widely used outside of government. (The future MCS framework appearing in the targeted policy will use specific features of MLS for a type of discretionary access control.)

In the default targeted policy, the role element of the security context is not used (all subjects are system_r, and all objects are object_r), and very few users are defined (just system_u, user_u, and root). SELinux policies are difficult and time-consuming to write, and even more difficult to write well.
Nonetheless, they have to be customized to suit the particular needs of each site. The SELinux booleans provide a compromise between complexity and flexibility, by enabling policy options to be configured without editing, compiling, and retesting the policy code.

The SELinux technology was originally developed by the U.S. National Security Agency (NSA), with several partner organizations. The kernel components of SELinux have been incorporated into the main Linux kernel releases. The Fedora project uses those kernel components along with customized policy and some user tools (such as versions of ls and ps that include the -Z option, SELinux-specific tools such as chcon and getenforce, and the graphical configuration tool system-config-securitylevel). Red Hat is a major contributor to SELinux development.

8.2.3. What About...

8.2.3.1. ...using the strict or MLS policies?

These alternate policies are provided as RPM packages and are installed using yum:

    # yum install selinux-policy-strict selinux-policy-mls

Switch between the installed policies using the graphical configuration tool (system-config-securitylevel from the command line, or the corresponding entry on the System menu), shown in Figure 8-8. After you select a different policy type, a dialog warns that the policy change will cause the filesystem to be relabeled. Click Yes to approve the relabeling, and then click OK in the Security Level Configuration window. Reboot to activate the new policy.

Figure 8-8. Selecting policy using the Security Level Configuration tool

To change the policy from the command prompt, edit /etc/selinux/config and change the SELINUXTYPE value to the policy of your choice (targeted, strict, or mls):

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - SELinux is fully disabled.
    SELINUX=enforcing
    # SELINUXTYPE= type of policy in use. Possible values are:
    #       targeted - Only targeted network daemons are protected.
    #       strict - Full SELinux protection.
    SELINUXTYPE=mls
    # SETLOCALDEFS= Check local definition changes
    SETLOCALDEFS=0

(The comment in the stock file lists only targeted and strict; mls is accepted once the selinux-policy-mls package is installed.) Then create the empty file /.autorelabel to ensure that the filesystem will be relabeled when the system is booted:

    # touch /.autorelabel

Reboot to activate the change.

Fedora development is focused on the targeted policy. Changing the policy may lead to a number of unexpected system problems!

8.2.3.2. ...booting with SELinux disabled?

If you have SELinux enabled, but your system cannot boot successfully due to an SELinux problem, you may need to temporarily disable it while you investigate. To boot with SELinux disabled, append selinux=0 to the boot options.

8.2.4. Where Can I Learn More?

The manpages for selinux, getsebool, setsebool, getenforce, setenforce, sestatus, semanage, selinuxenabled, restorecon, getfattr, and audit2why

The *_selinux manpages (for example, samba_selinux, for details of the SELinux protection provided for the Samba server)

8.3. Using Access Control Lists

Unix/Linux permission modes are very simple; they don't cover all security needs. But, because they are simple, they are actually used, which is more than can be said for many other access control technologies. Sometimes, though, permissions just don't cut it, and a better system of discretionary access control is needed. Access control lists (ACLs) enable you to specify exactly which users and groups can access a file and in what ways.

8.3.1. How Do I Do That?

In order to use ACLs on a filesystem, that filesystem must be mounted with the acl mount option.
To check whether this option is active, use the mount command:

    $ mount
    /dev/mapper/main-root on / type ext3 (rw)
    proc on /proc type proc (rw)
    sysfs on /sys type sysfs (rw)
    devpts on /dev/pts type devpts (rw,gid=5,mode=620)
    /dev/hdc2 on /boot type ext3 (rw)
    tmpfs on /dev/shm type tmpfs (rw)
    /dev/mapper/main-home on /home type ext3 (rw)
    none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
    sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
    automount(pid10695) on /net type autofs (rw,fd=4,pgrp=10695,minproto=2,maxproto=4)

If you kept the default volume group and logical volume names during installation, you may see device paths such as /dev/mapper/VolGroup00-LogVol01.

The mount options are shown in parentheses; none of these filesystems were mounted with the acl option. To add the acl mount option to a filesystem that is already mounted, use the mount command with the remount option:

    # mount -o remount,acl /home
    # mount -o remount,acl /
    # mount
    /dev/mapper/main-root on / type ext3 (rw,acl)
    proc on /proc type proc (rw)
    sysfs on /sys type sysfs (rw)
    devpts on /dev/pts type devpts (rw,gid=5,mode=620)
    /dev/hdc2 on /boot type ext3 (rw)
    tmpfs on /dev/shm type tmpfs (rw)
    /dev/mapper/main-home on /home type ext3 (rw,acl)
    none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
    sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
    automount(pid10695) on /net type autofs (rw,fd=4,pgrp=10695,minproto=2,maxproto=4)

Note that the /home and / filesystems are now mounted with the acl option.
To make this option the default for future mounts of these filesystems, edit the file /etc/fstab and add it to the fourth column for these filesystems:

    /dev/main/root    /          ext3    defaults,acl    1 1
    LABEL=/boot       /boot      ext3    defaults        1 2
    devpts            /dev/pts   devpts  gid=5,mode=620  0 0
    tmpfs             /dev/shm   tmpfs   defaults        0 0
    proc              /proc      proc    defaults        0 0
    sysfs             /sys       sysfs   defaults        0 0
    /dev/main/swap    swap       swap    defaults        0 0
    /dev/main/home    /home      ext3    defaults,acl    1 2

Once the filesystem has been mounted with the correct option, the getfacl (get file ACL) command can be used to view the ACL of a file:

    $ touch test
    $ ls -l test
    -rw-rw-r-- 1 chris chris 0 May  6 20:52 test
    $ getfacl test
    # file: test
    # owner: chris
    # group: chris
    user::rw-
    group::rw-
    other::r--

The ACL displayed by getfacl exactly matches the permissions shown by ls: the user who owns the file (chris) can read and write the file, users in the group that owns the file (chris) can read and write the file, and all of the other users of the system can only read the file.

Each entry in the ACL consists of three components separated by colons:

type: The keyword user, group, mask, or other. This may be abbreviated to u, g, m, or o when setting or changing ACL entries.

qualifier: The name of the user or group affected by this entry. User type entries with an empty qualifier apply to the user that owns the file; group type entries with an empty qualifier apply to the group that owns the file. mask and other entries always have an empty qualifier.

permissions: The permissions granted by the entry; any combination of r (read), w (write), and x (execute). When displayed by the getfacl command, the permissions are always shown in rwx order, and permissions that are not granted are replaced with a dash.

To modify the ACL, use the setfacl command with the -m (modify) option.
This command will limit the user thomas to just reading the file test:

    $ setfacl -m user:thomas:r test
    $ getfacl test
    # file: test
    # owner: chris
    # group: chris
    user::rw-
    user:thomas:r--
    group::rw-
    mask::rw-
    other::r--

This additional ACL entry shows up on a line of its own. Notice that a mask entry is now displayed, showing the maximum permission available to users and groups identified by a qualifier (and to the owning group); setfacl computed it as the union of those entries, and it recalculates the mask on every -m change unless you pass -n (--no-mask). This mask value corresponds to the group permission of the traditional Linux permission mode, as displayed by ls. When ls is used to display detailed file information, the output is slightly modified:

    $ ls -l test
    -rw-rw-r--+ 1 chris chris 0 May  6 20:52 test

The + after the file permissions indicates that an ACL is in effect in addition to the permissions shown. Changing the file mode using the chmod command alters the ACL mask value:

    $ chmod 644 test
    $ ls -l test
    -rw-r--r--+ 1 chris chris 0 May  6 20:52 test
    $ getfacl test
    # file: test
    # owner: chris
    # group: chris
    user::rw-
    user:thomas:r--
    group::rw-                      #effective:r--
    mask::r--
    other::r--

The new group permission has been set to r-- (read-only), and this is also used as the mask value. Because the mask is more limiting than the group value in the ACL, the group permission has effectively changed to r--, as indicated by the #effective:r-- comment in the output.
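The mask arithmetic above is easy to misread in a long listing. As an added example, not code from the book, the shell functions below parse a getfacl listing, apply the mask to exactly the entries the kernel masks (named users, named groups and the owning group; the owner and other entries are never masked) and report what each entry effectively grants. The listing is constructed sample input modeled on the examples in the text; no file is read.

```shell
#!/bin/sh
# Added example (not from the book): compute effective ACL permissions
# from a getfacl listing. ACL_SAMPLE is constructed sample input.

ACL_SAMPLE='# file: test
# owner: chris
# group: chris
user::rw-
user:thomas:rw-
group::rw-
mask::r--
other::r--'

# perm_and A B: bitwise AND of two rwx strings, e.g. "rw-" "r-x" -> "r--".
perm_and() {
    out=''
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -c"$i")
        b=$(printf '%s' "$2" | cut -c"$i")
        if [ "$a" = "$b" ] && [ "$a" != '-' ]; then out="$out$a"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# acl_mask LISTING: the mask entry, or rwx when there is none (a minimal
# ACL with no named entries has no mask, so nothing is filtered).
acl_mask() {
    m=$(printf '%s\n' "$1" | sed -n 's/^mask::\(...\).*$/\1/p')
    printf '%s\n' "${m:-rwx}"
}

# acl_effective LISTING: print type:qualifier:perms for each entry with
# the mask applied where the kernel applies it. Any "#effective:" note
# already in the listing is ignored and recomputed.
acl_effective() {
    mask=$(acl_mask "$1")
    printf '%s\n' "$1" | grep -v '^#' | while IFS= read -r entry; do
        case "$entry" in '') continue ;; esac
        type=${entry%%:*}
        rest=${entry#*:}
        qual=${rest%%:*}
        perms=$(printf '%s\n' "${rest#*:}" | cut -c1-3)
        case "$type:$qual" in
            user:|other:|mask:) eff=$perms ;;                    # never masked
            *)                  eff=$(perm_and "$perms" "$mask") ;;
        esac
        printf '%s:%s:%s\n' "$type" "$qual" "$eff"
    done
}

# acl_can LISTING TYPE QUALIFIER PERM: yes/no, does that entry grant PERM
# (one of r, w, x) once the mask is taken into account?
acl_can() {
    line=$(acl_effective "$1" | grep "^$2:$3:")
    case "${line##*:}" in *"$4"*) echo yes ;; *) echo no ;; esac
}

acl_effective "$ACL_SAMPLE"
acl_can "$ACL_SAMPLE" user thomas w
```

In the sample, thomas holds rw- on paper but the mask of r-- (what chmod 644 leaves behind) cuts him to read-only, which is exactly what getfacl flags with #effective.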
This works both ways; changing the mask using setfacl also changes the group permission, as displayed by ls:

    $ ls -l test
    -rw-r--rwx+ 1 chris chris 0 May  6 20:52 test
    $ setfacl -m mask::rw test
    $ ls -l test
    -rw-rw-rwx+ 1 chris chris 0 May  6 20:52 test
    $ getfacl test
    # file: test
    # owner: chris
    # group: chris
    user::rw-
    user:thomas:r--
    group::rw-
    mask::rw-
    other::rwx

On the other hand, changing the default group ACL entry affects both that entry and the mask value:

    $ setfacl -m g::r test
    $ ls -l test
    -rw-r--r--+ 1 chris chris 0 May  6 20:52 test
    $ getfacl test
    # file: test
    # owner: chris
    # group: chris
    user::rw-
    user:thomas:r--
    group::r--
    mask::r--
    other::r--

The g::r argument is a short form for group::r.

To change multiple ACL entries at one time, separate them by commas:

    $ setfacl -m u:diane:rw,u:jim:r,g::r,m::rw test
    $ getfacl test
    # file: test
    # owner: chris
    # group: chris
    user::rw-
    user:thomas:r--
    user:diane:rw-
    user:jim:r--
    group::r--
    mask::rw-
    other::r--

To set a new ACL, discarding the previous ACL completely, use the --set argument instead of -m:

    $ setfacl --set u::rw,u:diane:r,u:thomas:r,u:gord:rw,u:jim:r,m::rw,g::-,o::- test
    $ getfacl test
    # file: test
    # owner: chris
    # group: chris
    user::rw-
    user:thomas:r--
    user:diane:r--
    user:gord:rw-
    user:jim:r--
    group::---
    mask::rw-
    other::---

Note the use of - to indicate no permissions in the ACL entries for group and other. When using --set, it is necessary to specify at least the permissions for the file's owner, the file's group owner, and others, because these will be used to construct the legacy permission mode.
Leaving one of those entries out results in an error message:

    $ setfacl --set u:diane:r,g::- test
    setfacl: test: Malformed access ACL `user:diane:r--,group::---,mask::r--': Missing or wrong entry at entry 1

To remove an ACL entry, use the -x option to setfacl and specify one or more ACL entries by the type and qualifier components (leave out the permissions):

    $ getfacl test
    # file: test
    # owner: chris
    # group: chris
    user::rw-
    user:thomas:r--
    user:diane:r--
    user:gord:rw-
    user:jim:r--
    group::---
    mask::rw-
    other::---
    $ setfacl -x user:gord test
    $ getfacl test
    # file: test
    # owner: chris
    # group: chris
    user::rw-
    user:thomas:r--
    user:diane:r--
    user:jim:r--
    group::---
    mask::r--
    other::---

Notice that the mask shrank to r-- on its own: gord was the only entry that granted write, so the recalculated mask no longer includes it.

8.3.1.1. Setting the default ACL for new files

Each file has an access ACL, but directories can additionally have a default ACL that is used as the default for new files and subdirectories created within that directory. The default ACL is displayed when getfacl is run with the -d option. Initially the default ACL is empty:

    $ getfacl .
    # file: .
    # owner: chris
    # group: chris
    user::rwx
    group::rwx
    other::r-x
    $ getfacl -d .
    # file: .
    # owner: chris
    # group: chris

To set the default ACL, use the setfacl command with the -d option:

    $ setfacl -d --set u::rw,u:thomas:rw,g::r,m::rw,o::- .
    $ getfacl -d .
    # file: .
    # owner: chris
    # group: chris
    user::rw-
    user:thomas:rw-
    group::r--
    mask::rw-
    other::---

This ACL will then be applied automatically to new files:

    $ touch trial
    $ getfacl trial
    # file: trial
    # owner: chris
    # group: chris
    user::rw-
    user:thomas:rw-
    group::r--
    mask::rw-
    other::---

8.3.1.2.
Copying and moving files with their ACLs

To copy an ACL when copying a file, use the -p argument to cp:

    $ getfacl demo
    # file: demo
    # owner: chris
    # group: chris
    user::rw-
    group::rw-                      #effective:r--
    mask::r--
    other::---
    $ cp -p demo demo2
    $ getfacl demo2
    # file: demo2
    # owner: chris
    # group: chris
    user::rw-
    group::rw-                      #effective:r--
    mask::r--
    other::---

This works only when the destination filesystem is mounted with ACL support; otherwise cp -p warns that it cannot preserve the permissions and the copy ends up with the plain permission mode alone. When moving a file (with mv) within one filesystem, the ACL is automatically preserved:

    $ mv demo2 demo3
    $ getfacl demo3
    # file: demo3
    # owner: chris
    # group: chris
    user::rw-
    group::rw-                      #effective:r--
    mask::r--
    other::---

8.3.1.3. Copying an ACL from one file to another

It can be a lot of work setting up a complex ACL with many entries. To simplify the reuse of ACLs, setfacl provides the --set-file option, which sets an ACL from a text file. This file can be created by redirecting the output of getfacl, providing an easy way to copy an ACL from one file to another. This example writes the ACL from the file demo to the file /tmp/acl, and then applies that ACL to the file bar:

    $ getfacl demo >/tmp/acl
    $ setfacl --set-file /tmp/acl bar
    $ getfacl bar
    # file: bar
    # owner: chris
    # group: chris
    user::rw-
    user:thomas:r--
    user:diane:r--
    user:gord:rw-
    user:jim:rw-
    group::rw-
    mask::rw-
    other::---

Since --set-file accepts the filename - for standard input, you can also pipe the output of getfacl into setfacl to copy an ACL without using an intermediate file:

    $ getfacl demo | setfacl --set-file - bar

8.3.1.4.
Improving the appearance of ACL listings

getfacl provides a --tabular option, which presents the output in a format that is somewhat easier to read than the default output:

    $ getfacl bar
    # file: bar
    # owner: chris
    # group: chris
    user::rw-
    user:thomas:r--
    user:diane:r--
    user:gord:rw-                   #effective:r--
    user:jim:rw-                    #effective:r--
    group::rw-                      #effective:r--
    mask::r--
    other::---
    $ getfacl --tabular bar
    # file: bar
    USER   chris   rw-
    user   thomas  r--
    user   diane   r--
    user   gord    rW-
    user   jim     rW-
    GROUP  chris   rW-
    mask           r--
    other          ---

Notice that permissions that are not effective due to the mask value are shown in uppercase, and that the entries for the file's owner and owning group are marked USER and GROUP with the owner's and group's names inserted into the qualifier column. It can be convenient to create an alias for viewing the tabular output:

    $ alias showacl='getfacl --tabular'

Don't name this alias getfacl, or you won't be able to copy ACLs between files; tabular output cannot be used as input to setfacl.

8.3.2. How Does It Work?

ACLs are stored in a compact binary format in a file's extended attributes, just like SELinux context labels. They can be viewed with the command getfattr using the name system.posix_acl_access (the 0s prefix in the output marks a base64-encoded value):

    $ getfattr -n system.posix_acl_access yearend.ods
    # file: yearend.ods
    system.posix_acl_access=0sAgAAAAEABgD/////AgAEAPYBAAACAAQA9wEAAAIABgD4AQAAAgAGAPoBAAAEAAYA/////xAABgD/////IAAAAP////8=

Obviously, the output of getfacl is much more useful!

Like SELinux labels, ACLs work only on filesystems that support extended attributes, and therefore cannot be used on filesystems such as VFAT and ISO9660. On an ext2 or ext3 filesystem, all of the extended attributes must fit into one block, as defined at the time that the filesystem was created. To determine the block size of a filesystem, use dumpe2fs:

    # dumpe2fs /dev/mapper/main-home | grep 'Block size'
    dumpe2fs 1.38 (30-Jun-2005)
    Block size:               4096

In this case, the block size is 4,096 bytes (4 KB); the SELinux context, ACL, and any other extended attributes must fit within that 4 KB limit.
When an ACL is changed, a new block is allocated, the new ACL is written to that block, and then the old block is freed. If no blocks are available on the filesystem (or if the user doesn't have access to any more blocks, which may be the case if you have enabled per-user storage quotas), then the ACL cannot be changed. Modification of an ACL may only be performed by the owner of the file and the superuser (root).

8.3.3. What About...

8.3.3.1. ...adjusting ACLs graphically?

Unfortunately, Fedora Core does not include any tool that permits ACLs to be viewed or adjusted graphically.

8.3.3.2. ...saving and restoring the ACLs of a file subtree?

The -R option to getfacl produces a recursive listing of all files in the named directory. setfacl has a --restore option that will use such a recursive listing to set the ACLs of a group of files. This can be used to save and restore ACLs, which is useful if a number of files are being transported between systems, or backed up and restored from tape or optical disk. For example, this command creates a file named acl.txt that contains all of the ACLs for all files and subdirectories in the current directory:

    $ getfacl -R . > acl.txt

The entire directory can be copied to a CD or DVD, backed up to tape or a USB flash drive, or saved in a tarball and sent to another system. To restore the ACLs at a later date:

    # setfacl --restore acl.txt

The pathnames in acl.txt are relative to the directory where getfacl was run, so run setfacl --restore from the corresponding directory. If the setfacl command is run as root, the ownerships and group ownerships will also be reset to their original values.

8.3.3.3. ...a version of tar that supports ACLs?

Fedora Core provides the star package, which is an advanced replacement for tar. star can back up and restore ACLs along with files when the exustar archive format is used and the -acl option is specified.
For example, to back up the /home directory with ACL information:

    # star cvzf /tmp/home-backup.star.gz -acl artype=exustar /home
    a /home/ directory
    a /home/john/ directory
    a /home/john/.bash_logout 24 bytes, 1 tape blocks
    a /home/john/.bash_profile 191 bytes, 1 tape blocks
    a /home/john/.bashrc 124 bytes, 1 tape blocks
    a /home/john/.gtkrc 120 bytes, 1 tape blocks
    ...(Lines snipped)...

To restore from this archive:

    # star xvzf /tmp/home-backup.star.gz artype=exustar -acl
    star: WARNING: skipping leading '/' on filenames.
    Release star 1.5a69 (i386-redhat-linux-gnu)
    Archtype exustar
    Dumpdate 1146974078.733347 (Sat May  6 23:54:38 2006)
    Volno 1
    Blocksize 20
    x home/ directory
    x home/john/ directory
    x home/john/.bash_logout 24 bytes, 1 tape blocks
    x home/john/.bash_profile 191 bytes, 1 tape blocks
    x home/john/.bashrc 124 bytes, 1 tape blocks
    x home/john/.gtkrc 120 bytes, 1 tape blocks
    ...(Lines snipped)...

8.3.4. Where Can I Learn More?

The manpages for acl(5), getfacl, and setfacl

The manpages for star and spax

8.4. Making Files Immutable

Because the root user can override permissions, file permissions alone are not enough to ensure that a file will not be changed. But when a file is made immutable, it cannot be changed by anyone, root included, until the attribute is removed again (which itself requires root).

8.4.1. How Do I Do That?

To make a file immutable, use the chattr (change attribute) command to add the i attribute to the file:

    # chattr +i foo
    # date >> foo
    bash: foo: Permission denied
    # mv foo baz
    mv: cannot move `foo' to `baz': Operation not permitted
    # rm foo
    rm: cannot remove `foo': Operation not permitted

You can find out if the i attribute has been set by using the lsattr (list attributes) command:

    # lsattr foo
    ----i-------- foo

The presence of the i in the output indicates that the file foo has been made immutable. Removing the i attribute causes the file to act normally again:

    # chattr -i foo
    # date >> foo
    # mv foo baz
    # rm baz
    # ls baz
    ls: baz: No such file or directory

8.4.2. How Does It Work?

The immutable capability is provided by the ext2/ext3 filesystems.
Each file has an immutable flag that is part of the ext2/ext3 file attributes; when set, the ext2/ext3 code in the kernel will refuse to change the ownership, group, name, or permissions of the file, and will not permit writing, appending, or truncation of the file. Setting or clearing the flag requires the CAP_LINUX_IMMUTABLE capability, which ordinary users do not have, so the flag cannot be removed by the file's owner.

By making configuration files and programs immutable, you can provide a small measure of protection against change. This can be used to guard against accidental changes to configuration files. It can also prevent a program from being subverted to change files it should not; although SELinux provides similar protection, you may add software to your system that is not covered by the SELinux targeted policy.

Do not attempt to upgrade or remove software packages if you've made any of the files belonging to those packages immutable! Doing so may render your system unusable. Be particularly careful if you are using immutable files on a system that has automatic yum updates enabled.

8.4.3. What About...

8.4.3.1. ...making an entire subtree immutable?

The -R option to chattr causes it to operate recursively over all of the files and subdirectories within a directory:

    # chattr -R +i /etc

Remember that this also blocks your own edits and any package update that touches /etc until you run chattr -R -i /etc.

8.4.3.2. ...other file attributes that might be useful?

Although a number of file attributes have been defined for ext2/ext3 filesystems, very few of the interesting ones have been implemented! For example, attributes have been defined to enable per-file automatic data compression, automatic zeroing (enhanced security erasure) of deleted files, and save-for-undeletion, but none of those features have been implemented so far.

But there is one other attribute that is occasionally useful: the append-only attribute, a. When applied to a file by chattr, this attribute provides all of the protection of the immutable attribute, except that it remains possible to append data to the file. This is ideal for logfiles, because it makes it impossible to alter or erase data that has been placed in the logfile. Note that it also prevents logrotate from renaming or truncating the file, so rotation of such a log must be handled separately (clear the attribute, rotate, and set it again).

8.4.4.
Where Can I Learn More? chattr and lsattr 8.5. Using sudo to Delegate Privilege Sometimes it's useful to delegate superuser privilege to a Fedora user; however, giving him the superuser password gives him total control of the system. The sudo system enables superuser privilege to be delegated on a program-by-program basis. 8.5.1. How Do I Do That? There are two parts to sudo : the /etc/sudoers file, which controls who can do what, and the sudo command, which enables authorized users to run commands with superuser privilege. To configure /etc/sudoers , use the visudo utility, which will start vi so that you can edit the file. When you are done, it checks the syntax before installing it. If there is a syntax error, visudo will prompt you for a course of action; to see the available options, enter a question mark: # visudo >>> sudoers file: syntax error, line 17 <<< What now? ? Options are:  (e)dit sudoers file again  e(x)it without saving changes to sudoers file  (Q)uit and save changes to sudoers file (DANGER!) What now? x To enable the user chris to run the netstat and ifconfig commands as the superuser, add this entry to the sudoers file: chris ALL=/bin/netstat,/sbin/ifconfig This entry contains the username, the computers (in this case, ALL ) on which this user can execute this command (useful if the sudoers file is shared among several machines, either through a file-sharing protocol or by copying the file), and a list of commands that may be executed as root.   Be careful selecting the commands to include in the list: if any of the commands permit access to the shell, the user will be able to execute anything! 
Once this change has been made, the user chris can use sudo to execute the netstat command using the -p option (which requires superuser privilege to operate correctly):

chris@bluesky$ sudo netstat -ap
Password: bigsecret
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address   State    PID/Program name
tcp        0      0 *:sunrpc                *:*               LISTEN   1488/portmap
tcp        0      0 laptop3:smtp            *:*               LISTEN   1724/sendmail
tcp        0      0 laptop3:x11-ssh-offset  *:*               LISTEN   20494/2
tcp        0      0 *:42365                 *:*               LISTEN   507/rpc.statd
tcp        0      0 *:http                  *:*               LISTEN   21393/httpd
...(Lines snipped)...

Notice that a password is requested; this is the user's password, not the root password.

The user can also execute ifconfig:

$ sudo /sbin/ifconfig eth2 down

The full pathname of the command (/sbin/ifconfig) is required because /sbin is not in the user's normal search path.

It is a reasonable idea to add /sbin and /usr/sbin to everyone's search path, since it makes both sudo and su more useful and provides easy access to the nonprivileged modes of the administration utilities.

This time, no password is requested because it's been less than five minutes since the last time sudo asked for the user's password. To disable the password request entirely, add the keyword NOPASSWD: after the equal sign in the sudoers entry:

chris ALL=NOPASSWD:/bin/netstat,/sbin/ifconfig

By default, sudo enables the execution of the listed commands as root; to enable execution as another user, place that user's name in parentheses after the equal sign in the configuration entry. For example, to permit chris to run the script /usr/local/bin/checkstatus as the user scott:

chris ALL=(scott) NOPASSWD:/usr/local/bin/checkstatus

chris can then use sudo with the -u option to specify the desired user ID:

$ sudo -u scott checkstatus

Replacing the command list with the word ALL will include all commands. For example, this entry permits chris to execute any command or script as root:

chris ALL=ALL

Permitting unrestricted access to all commands through sudo is equivalent to giving away the root password. A root user can compromise the system at very basic levels, making it impossible to later secure the system, even if you cut off that user's access.

For convenience, you can define groups of users, hosts, or commands and then reference those in entries. This is done by using the User_Alias, Host_Alias, and Cmnd_Alias statements. For example, to define a group of administrators and permit them to run the ifconfig and route commands as root on any of a group of desktop systems, you could use a configuration file like this:

User_Alias ADMINS=sally,harry,jason
Host_Alias ADMINDESKTOPS=yellow.fedorabook.com,orange.fedorabook.com
Cmnd_Alias NETCONFIG=ifconfig,route
ADMINS ADMINDESKTOPS=NETCONFIG

8.5.2. How Does It Work?

The sudo program executes with root privilege. If you view the permissions on the binary, you will see that the set-user-ID permission bit is enabled (note the s in the user community permissions):

$ ls -l /usr/bin/sudo
---s--x--x 2 root root 106832 Feb 12 04:41 /usr/bin/sudo

Since this bit is set and the file is owned by root, it executes with root's privilege. sudo checks the /etc/sudoers file to determine if and how it should run the requested command. It requests a password if necessary, and then either denies execution or changes the effective user ID to the specified value (or leaves it as root) and executes the requested command.

When the user is prompted for, and successfully enters, her password, sudo updates a timestamp file in /var/run/sudo. The next time sudo is executed, the timestamp is checked, and if it is less than five minutes old, the user is not prompted for her password again. The timestamp is then updated.

The value of sudo lies in the ability to permit a user to execute specific commands with privilege.
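The following is an added example, not code from the book: a small parser for the sudoers entry forms used in this lab (plain entries, a (runas) user, the NOPASSWD: keyword, and the User_Alias, Host_Alias and Cmnd_Alias statements) together with an audit that answers "who may run what, as whom?" and flags command lists that can hand the caller a shell. The sudoers text is constructed from the lab's own entries; the SHELL_CAPABLE set is an assumption seeded with the two cases the lab names (ALL, and less with its "!" escape) and is meant to be extended for your own systems. Real sudoers syntax is richer than this regular expression, so treat it as an audit aid, not a replacement for visudo.

```python
"""Added example, not from the book: a parser for the sudoers entry forms
shown in this lab (plain entries, (runas), NOPASSWD:, and the three alias
statements) with an audit that reports who may run what, as whom, and
which command lists can hand the caller a shell."""
import re

# Constructed sudoers text built only from the entry forms in the lab.
SAMPLE_SUDOERS = """
Defaults timestamp_timeout=2
User_Alias ADMINS=sally,harry,jason
Host_Alias ADMINDESKTOPS=yellow.fedorabook.com,orange.fedorabook.com
Cmnd_Alias NETCONFIG=ifconfig,route
chris ALL=/bin/netstat,/sbin/ifconfig
chris ALL=(scott) NOPASSWD:/usr/local/bin/checkstatus
frank ALL=(jenny) NOPASSWD:/usr/bin/less
ADMINS ADMINDESKTOPS=NETCONFIG
"""

# Commands the lab itself identifies as a route to a shell: ALL grants every
# command, and less escapes to a shell with "!".  Assumed starting set; extend
# it to match the pagers, editors and interpreters on your own systems.
SHELL_CAPABLE = {"ALL", "/usr/bin/less"}

# user  host = [(runas)] [NOPASSWD:] cmd[,cmd...]
ENTRY_RE = re.compile(
    r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\((\S+)\)\s*)?(NOPASSWD:)?\s*(.+)$")


def parse_sudoers(text):
    """Return (aliases, rules): aliases maps a name to its member list; each
    rule is a dict with user, host, runas, nopasswd and cmds, aliases resolved."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        kind = line.split()[0]
        if kind in ("User_Alias", "Host_Alias", "Cmnd_Alias"):
            name, members = line.split(None, 1)[1].split("=", 1)
            aliases[name.strip()] = [m.strip() for m in members.split(",")]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("unparsed sudoers line: %r" % line)
        user, host, runas, nopasswd, cmds = m.groups()
        cmd_list = [c for item in cmds.split(",")
                    for c in aliases.get(item.strip(), [item.strip()])]
        for u in aliases.get(user, [user]):          # expand User_Alias
            for h in aliases.get(host, [host]):      # expand Host_Alias
                rules.append({"user": u, "host": h, "runas": runas or "root",
                              "nopasswd": nopasswd is not None, "cmds": cmd_list})
    return aliases, rules


def may_run(rules, user, host, cmd, runas="root"):
    """True if some rule lets `user`, logged in on `host`, run `cmd` as `runas`."""
    for r in rules:
        if (r["user"] == user and r["host"] in ("ALL", host)
                and r["runas"] == runas
                and ("ALL" in r["cmds"] or cmd in r["cmds"])):
            return True
    return False


def audit(rules):
    """List (user, runas, risky commands, nopasswd) for every rule whose
    command list contains something in SHELL_CAPABLE."""
    findings = []
    for r in rules:
        risky = sorted(c for c in r["cmds"] if c in SHELL_CAPABLE)
        if risky:
            findings.append((r["user"], r["runas"], risky, r["nopasswd"]))
    return findings


if __name__ == "__main__":
    _, rules = parse_sudoers(SAMPLE_SUDOERS)
    for finding in audit(rules):
        print("shell-capable grant:", finding)
```

Running the audit on the sample reports the frank/jenny/less entry, which is exactly the loophole the text goes on to describe. Note that the host column only matters when the file is shared between machines: every entry written with ALL matches wherever the file is installed.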
However, it's easy to accidentally misconfigure sudo to permit more access than intended. For example, if you wish to permit frank to view text files owned by jenny, you could create the sudoers entry:

frank ALL=(jenny) NOPASSWD:/usr/bin/less

But the less command permits the user to access the shell by typing !, and frank can use this loophole to execute any command as though he were jenny:

frank$ sudo -u jenny less /home/jenny/.bash_profile
...(Normal output of less)...
!
$ id
uid=508(jenny) gid=508(jenny) groups=508(jenny)
$ mail -s boss@fedorabook.com
Subject: I Quit
I quit because you are a hateful, mean boss.
-Jenny
.
Cc: Enter
$ rm -rf /home/jenny/*
$ exit
...(Normal output of less)...

It can be useful to configure sudo for ALL commands for users who already have the root password, because it encourages good practice, especially when used without the NOPASSWD option. The benefits of this configuration are:

- Root privilege is used only from time to time, when it is necessary, and the user operates without root privilege the majority of the time. Compared to the use of a root shell, this practice reduces the likelihood that a command will accidentally be executed with privilege.
- Root access is not exposed.
- Typing sudo in front of privileged commands serves to remind the user to check the command carefully.

8.5.3. What About...

8.5.3.1. ...changing the password timeout?

By default, sudo won't prompt the user for their password as long as they have entered it successfully in the last five minutes. To change this value, add this entry to the top of the /etc/sudoers file:

Defaults timestamp_timeout=2

The value for this timeout is expressed in minutes.

8.5.3.2. ...voluntarily giving up the password timestamp?

The user can voluntarily give up the timestamp at any time using the -k option:

$ sudo -k

This is useful if the terminal will be unattended for a while.

8.5.3.3. ...disabling the root password entirely (like a Debian or Ubuntu system)?

The Fedora community has discussed this idea and ultimately opted to keep a root password. Fedora's consolehelper PAM configuration relies on a root password, and using a root password can in some cases provide one additional obstacle to gaining superuser access.

8.5.4. Where Can I Learn More?

sudo, sudoers, and visudo

8.6. Configuring PAM and consolehelper

Fedora uses the Pluggable Authentication Module (PAM) system to handle user authentication and identity changes. As the name implies, PAM is modular and configurable, enabling you to change the authentication (and authorization) setup on your system without programming.

8.6.1. How Do I Do That?

PAM configuration files are stored in /etc/pam.d, with one file per configured service. Each file is written in plain text and consists of at least three fields separated by spaces. The entries in these files are divided into four categories according to the first field, which identifies the module type. Possible values are:

auth
    Authentication configuration (determining who is logging in).
account
    Non-authentication-based access control, such as restricting activities by time of day.
password
    Password changes or other authentication token updates (such as recording a new retinal scan or fingerprint).
session
    Setup of the post-login session and environment.

The entries for a given module type are executed in sequence. For example, when performing authentication, the modules listed on the auth lines are executed in sequence.

The second field in each entry is called the control flag and determines the action taken when the module succeeds or fails. Possible values are:

required
    The module must succeed for the module type to succeed. Regardless of whether the module fails or succeeds, processing will continue with the next line (other modules of the same module type will be executed), but at the end of all of the processing, a failure will be recorded.
requisite
    The module must succeed for the module type to succeed.
    If it fails, processing stops immediately. If it succeeds, processing continues with the next line.
sufficient
    If the module succeeds, then the module type succeeds and processing stops immediately. If it fails, processing continues with the next line.
optional
    The module is executed, but the failure or success of the module is ignored.
include
    In place of a module name, another configuration file is given. All of the lines of the same type from that configuration file are treated as if they were present in this configuration file.

It is also possible to use a complex expression as a control flag, but this feature is not used in the default Fedora Core configuration.

The remaining fields on the line contain the name of the module and any arguments to it (except when the control flag is include, in which case the third field is the included file).

Here's an example. This is the content of /etc/pam.d/sshd, the configuration file for the SSH server daemon:

#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so

Authentication is carried out by the first line, which includes all of the auth lines from the file /etc/pam.d/system-auth, which looks like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so

The first auth line executes the pam_env.so module (/lib/security/pam_env.so), which sets up environment variables according to the configuration file /etc/security/pam_env.conf. The next lines use the pam_unix.so module to perform traditional Unix password checking, then deny access if the password check does not succeed. In this configuration, the pam_succeed_if.so lines do nothing! (They are used when a network authentication scheme is in effect, though.)

These are the account entries, as included into the sshd configuration file from the system-auth file:

account     required      pam_nologin.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

The pam_nologin.so module checks for the existence of the file /etc/nologin and, if present, prevents anyone except root from logging in. This is useful during periods of system maintenance. The contents of /etc/nologin will be displayed as a message to the user in a dialog box when he attempts to log in using the graphical user interface. In the case of a character-mode login, the file will be displayed but the screen will be cleared immediately, making it nearly impossible to read the message. The SSH daemon will not display the message at all.

The pam_unix.so module (in this account mode) performs password maintenance checking, to see if the user should be forced to change her password, warned of imminent expiry, or locked out of the system. Finally, the pam_permit.so module sets up a default action of permit for the account section of the file.

The password portion of the configuration controls password changes:

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

The first line executes pam_cracklib.so to ensure that any newly set password is sufficiently complex, and the second line updates the password files on the system. The last line ensures that a failure is recorded if the password update is not successful.

Finally, we have the session entries, which set up the environment and perform logging after the user has authenticated:

session     required      pam_limits.so
session     required      pam_unix.so
session     required      pam_loginuid.so

The first two lines are included from /etc/pam.d/system-auth, while the last line is from /etc/pam.d/sshd. The pam_limits.so module can be used to configure ulimit values according to /etc/security/limits.conf, but the default version of that file contains only comments. You can use this module to limit the amount of memory, CPU time, simultaneous logins, or other resources available to specific users. The pam_unix.so module (in session mode) simply logs the fact that the user has authenticated using the syslog facility. The last module, pam_loginuid.so, records the fact that this is an initial login (as opposed to a switch of user ID performed using su or sudo).

8.6.1.1. Using an authentication server

Fedora can authenticate against an authentication server instead of (or in addition to) the local user and password database (/etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow). Usable authentication and user information services include Kerberos, LDAP, Hesiod (DNS), Winbind (local Windows domain), and SMB (Windows domain server).

To use an established authentication server, select the desktop menu option System > Administration > Authentication (the system-config-authentication tool).
The window shown in Figure 8-9 will appear. Select the User Information or Authentication tab, and then select the checkbox for the server type you wish to use. Click the Configure button to the right of the server type to enter the parameters specifically required by that server type (for example, for NIS you will need to enter the NIS domain and the server name). Click OK. system-config-authentication will then write a new version of the file /etc/pam.d/system-auth.

Figure 8-9. Authentication Configuration window

Using the Authentication Configuration tool will undo any customization that you have made in /etc/pam.d/system-auth.

Authentication can also be configured from the command line using authconfig.

8.6.1.2. Adding a PAM module: restricting access by time and user

We can tighten up the security of the system by adding additional modules into the configuration file. For example, you can restrict SSH access to certain times of day using the pam_time.so module.

Before editing any PAM configuration file, make a backup copy. You should also keep a root shell open in a virtual terminal or terminal window in case your changes accidentally lock you out of the system. Test the new configuration thoroughly before closing the root shell!

Edit /etc/pam.d/sshd to add pam_time.so in the account section:

#%PAM-1.0
auth       include      system-auth
account    required     pam_time.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so

Notice that the sequence of the lines is critical; if you place the pam_time.so line after the file system-auth is included, it will be ignored for users with IDs less than 500 (such as root) due to the pam_succeed_if.so line in system-auth.

The pam_time.so module restricts access based on the contents of the file /etc/security/time.conf, which is a text file with four semicolon-delimited fields per line. The fields are:

service
    Must match the name of the service file in /etc/pam.d (sshd in this example).
tty
    Terminal device names (not useful in this context, so we'll use * to match all terminals).
users
    A list of usernames, combined using ! (not), & (and), or | (or).
times
    A list of days (any combination of Su, Mo, Tu, We, Th, Fr, or Sa, or Wk for weekdays, Wd for weekends, or Al for all days) concatenated to a range of times, expressed in 24-hour format (such as 0600-1800 for 6 a.m. to 6 p.m., local time).

The default /etc/security/time.conf contains extensive notes on the line format.

To prevent all users other than root from connecting via SSH during evenings and weekends, place these lines in /etc/security/time.conf:

# Limit ssh for non-root users to 8 am to 5 pm on weekdays
sshd;*;!root;Wk0800-1700

Note that if there is no line in /etc/security/time.conf that applies to a particular connection, it is permitted by default. These restrictions also apply only when a user logs in; once logged in, the user may stay connected for as long as he chooses.

To place a time restriction on all types of login (whether through SSH, a local character-mode virtual terminal, or the GUI), place the entry for the pam_time.so module in /etc/pam.d/system-auth instead of /etc/pam.d/sshd:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_time.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so

You can then create separate rules for each type of user access in /etc/security/time.conf:

# Character-mode login - Only root is permitted (any time).
login;*;!root;!Al0000-2400

# Remote login via ssh - Root is always permitted, other
# users are permitted 8 am to 5 pm on weekdays.
sshd;*;!root;Wk0800-1700

# Graphical-mode login - Not available to root.
gdm;*;root;!Al0000-2400

# Switching user via 'su' command - not permitted unless
# switching -to- the root user. Note that the root user
# can switch to any other user because of the pam_rootok.so
# module line in /etc/pam.d/su
su;*;!root;!Al0000-2400

8.6.1.3. Automatic blacklisting of sites trying a brute-force password attack

The PAM module pam_abl.so from Fedora Extras provides the ability to blacklist (block access from) users and hosts that repeatedly send an incorrect password. This is useful in guarding against brute-force password attacks, where a remote system will simply try to log in over and over again with different password guesses until it is successful.

This module will not work successfully with gdm (graphical logins), so it must not be added to system-auth.
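The following is an added example, not code from the book: a small simulator for the control-flag rules described in this lab (required, requisite, sufficient, optional, with include expanded by hand) wired to a simplified evaluator for time.conf lines, so you can check an account stack against the rules above before touching a live system. It reproduces the ordering caveat from earlier in the lab: with pam_time.so placed after the include of system-auth, the sufficient pam_succeed_if.so line (uid < 500) ends processing with success for root before pam_time.so is ever consulted. The module outcomes, uids, dates and the extra sshd rule used in the test are constructed for the demonstration; the times parser handles one day list and one range per field, which is all the rules above use, and follows Linux-PAM in letting an earlier required failure override a later sufficient success.

```python
"""Added example, not from the book: a simulator for the PAM control flags
(required, requisite, sufficient, optional) and for pam_time-style rules,
used to check /etc/pam.d/sshd account stacks against the time.conf lines
above.  Module results, uids and dates are constructed for the demonstration."""
import datetime

TIME_CONF = """
# Constructed copy of the time.conf rules from this lab.
login;*;!root;!Al0000-2400
sshd;*;!root;Wk0800-1700
gdm;*;root;!Al0000-2400
su;*;!root;!Al0000-2400
"""

# Python weekday numbers: Monday is 0, Sunday is 6.
DAY_SETS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5},
            "Su": {6}, "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7))}

WED_9AM = datetime.datetime(2006, 5, 10, 9, 0)   # a weekday, inside 0800-1700
SAT_9AM = datetime.datetime(2006, 5, 13, 9, 0)   # a weekend day


def time_matches(spec, when):
    """Does a 'times' field such as Wk0800-1700 or !Al0000-2400 cover `when`?
    Simplified: one day list plus one HHMM-HHMM range, optional leading '!'
    (the real module also accepts '|'-joined lists and day toggling)."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    days, rng = spec[:-9], spec[-9:]
    day_ok = any(when.weekday() in DAY_SETS[days[i:i + 2]]
                 for i in range(0, len(days), 2))
    start, end = int(rng[:4]), int(rng[5:])
    in_range = start <= when.hour * 100 + when.minute < end
    return (day_ok and in_range) != negate


def users_match(spec, user):
    """'users' field: '!' negates, '&' ands, '|' ors, e.g. !root or chris|scott."""
    def atom(a):
        return (a.lstrip("!") in ("*", user)) != a.startswith("!")
    return any(all(atom(a) for a in conj.split("&")) for conj in spec.split("|"))


def pam_time(conf, service, user, when):
    """Success unless a line for this service and user has a times field that
    does not cover `when`; no applicable line means access is permitted."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        svc, _tty, users, times = line.split(";")
        if svc == service and users_match(users, user) and not time_matches(times, when):
            return False
    return True


def run_stack(stack, results):
    """Walk one module type's lines, applying the control-flag rules from
    the text.  `results` maps module name to that module's success."""
    failed = False
    for control, module in stack:
        ok = results[module]
        if control == "required":
            failed = failed or not ok       # keep going, remember the failure
        elif control == "requisite" and not ok:
            return False                    # stop immediately
        elif control == "sufficient" and ok and not failed:
            return True                     # stop with success (unless a
                                            # required line already failed)
        elif control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(control)
    return not failed


# account lines of /etc/pam.d/system-auth as listed in the lab
SYSTEM_AUTH_ACCOUNT = [("required", "pam_unix"), ("sufficient", "pam_succeed_if"),
                       ("required", "pam_permit")]


def sshd_account_stack(pam_time_first):
    """The sshd account stack with 'include system-auth' expanded, and the
    pam_time line either before the include (as the lab does) or after it."""
    ours = [("required", "pam_time")]
    return ours + SYSTEM_AUTH_ACCOUNT if pam_time_first else SYSTEM_AUTH_ACCOUNT + ours


def ssh_login_allowed(user, uid, when, pam_time_first=True, conf=TIME_CONF):
    results = {"pam_time": pam_time(conf, "sshd", user, when),
               "pam_unix": True,              # assume password not expired or locked
               "pam_succeed_if": uid < 500,   # the "uid < 500 quiet" test
               "pam_permit": True}
    return run_stack(sshd_account_stack(pam_time_first), results)
```

With the lab's rules, chris (uid 500) gets in on a weekday morning and is refused on Saturday, while root is never restricted because every sshd line excludes root with "!root". Swapping in a constructed rule that does name root ("sshd;*;root;!Al0000-2400") shows the ordering effect: root is refused when pam_time.so comes first and admitted when it comes after the include.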
To protect SSH logins (the best use of this module), add an entry for the pam_abl.so module to /etc/pam.d/sshd:

#%PAM-1.0
auth       required     pam_abl.so config=/etc/security/pam_abl.conf
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so

The file /etc/security/pam_abl.conf is installed by the pam_abl RPM and contains this configuration:

# /etc/security/pam_abl.conf
# debug
host_db=/var/lib/abl/hosts.db
host_purge=2d
host_rule=*:10/1h,30/1d
user_db=/var/lib/abl/users.db
user_purge=2d
user_rule=!root:10/1h,30/1d

The host_rule line controls which hosts may be blacklisted and the number of failed login attempts that must be registered before blacklisting; the default configuration specifies that any host (*) may be blacklisted for more than 10 login failures in one hour (10/1h), or more than 30 login failures in one day (30/1d). The user_rule line similarly blacklists any user except root (!root) who has 10 failed login attempts in one hour or 30 failed login attempts in one day. The host_purge and user_purge lines configure how quickly a blacklist entry is revoked; the default for both is two days.

When a login failure is recorded, the pam_abl.so module updates its database. You can query the database using the pam_abl command:

# pam_abl
Failed users:
Failed hosts:

Initially, no failed login attempts are recorded. As login failures occur, pam_abl will count and report them (in parentheses):

# pam_abl
Failed users:
  jane (1)   Not blocking
Failed hosts:
  darkday (1)   Not blocking

Eventually, access from the host or user will be blocked:

# pam_abl
Failed users:
  jane (11)   Blocking users [!root]
Failed hosts:
  darkday (11)   Blocking users [*]

To re-enable access from a specific host or by a specific user, use the --okhost or --okuser arguments to pam_abl:

# pam_abl --okhost darkday
# pam_abl
Failed users:
  jane (11)   Blocking users [!root]
Failed hosts:

8.6.1.4. PAM and consolehelper

Fedora uses the consolehelper program to control access to a number of system administration tools. It's consolehelper that asks you for the root password when you use many of the configuration menu options, such as System > Administration > Network (or system-config-network from the shell). If you examine the system-config-network file, you'll see that it is actually a symbolic link to consolehelper:

$ type system-config-network
system-config-network is /usr/bin/system-config-network
$ ls -l /usr/bin/system-config-network
lrwxrwxrwx 1 root root 13 Mar 20 14:57 /usr/bin/system-config-network -> consolehelper

When consolehelper is invoked with another command name, it uses the PAM configuration in /etc/pam.d with the same name as the command entered. If the user runs system-config-network, then the PAM configuration /etc/pam.d/system-config-network is invoked, which looks like this:

#%PAM-1.0
auth       include      config-util
account    include      config-util
session    include      config-util

This includes /etc/pam.d/config-util, which contains these lines:

#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       sufficient   pam_timestamp.so
auth       include      system-auth
account    required     pam_permit.so
session    required     pam_permit.so
session    optional     pam_xauth.so
session    optional     pam_timestamp.so

The auth configuration will succeed if the current user is root (pam_rootok.so) or there is a recent timestamp file present (pam_timestamp.so). Failing that, the traditional Unix password authentication is performed (via the included system-auth file). The timestamp file that pam_timestamp.so checks is created by the last line, which invokes the pam_timestamp.so module in session mode. In other words, if the user successfully authenticates to the system as root in order to use one tool, she is permitted to run other tools without typing in her password for the next few minutes.
Once the authentication has succeeded, consolehelper consults the file with the same name as the originally entered command in the directory /etc/security/console.apps; in this example, the file would be /etc/security/console.apps/system-config-network, which contains:

USER=root
PROGRAM=/usr/sbin/system-config-network
SESSION=true

This instructs consolehelper to run /usr/sbin/system-config-network as the root user after performing the PAM session initialization (using the session lines in the PAM configuration file).

You can adjust the PAM configuration to suit your needs. For example, to allow regular users to run system-config-network without entering the root password, edit the auth line in /etc/pam.d/system-config-network to use the permissive pam_permit.so module instead of including the config-util file:

#%PAM-1.0
auth       sufficient   pam_permit.so
account    include      config-util
session    include      config-util

It's often convenient to enable the console user (the person physically logged on to the system keyboard and display) to run any of the programs controlled by consolehelper without entering the root password. To do this, edit /etc/pam.d/config-util and add the pam_console.so line shown here:

#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       sufficient   pam_timestamp.so
auth       sufficient   pam_console.so
auth       include      system-auth
account    required     pam_permit.so
session    required     pam_permit.so
session    optional     pam_xauth.so
session    optional     pam_timestamp.so

This will permit the current console owner to execute the configuration tools regardless of where he is executing them. For example, if the user joe is logged in on the console (either graphically or using a character-mode login), then joe can execute configuration tools both at the console and through a remote connection.

8.6.2. How Does It Work?

PAM is simply a group of libraries used by applications. Each PAM-aware application uses those libraries to perform authentication, account control, the management of passwords (or other tokens), and session setup.

Each PAM module is a shared object (.so) file conforming to the PAM specification. These files are stored in /lib/security and are accessed when needed according to the configuration files in /etc/pam.d.

8.6.3. What About...

8.6.3.1. ...other PAM modules?

There are many PAM modules included in Fedora Core. For documentation, refer to the PAM Administrator's manual in /usr/share/doc/pam-*/html/. Some PAM modules not documented in that manual have their own manpages; use apropos pam_ to see a list of all of them.

There are also a number of PAM modules available on the Internet and from hardware vendors, designed to support authentication using biometric devices, smart tokens, and more.

8.6.3.2. ...permitting the console user to use su without a password?

Edit /etc/pam.d/su to add the pam_console.so line shown here:

#%PAM-1.0
auth       sufficient   pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth      sufficient   pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth      required     pam_wheel.so use_uid
auth       sufficient   pam_console.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    optional     pam_xauth.so

Then create the file /etc/security/console.apps/su:

# touch /etc/security/console.apps/su

You can now use su at the console without entering the root password. This is, obviously, a security risk.

8.6.4. Where Can I Learn More?

pam, consolehelper, userhelper, and authconfig
/usr/share/doc/pam*/html

8.7. Logging

It's important to know what is going on on your system. Fedora provides a standardized, network-based logging system and tools to automatically monitor and trim logfiles. Understanding and using these tools effectively will allow you to keep your finger on the pulse of your system with minimal effort.

8.7.1. How Do I Do That?

The syslog facility collects and routes messages in a Fedora system. The file /etc/syslog.conf configures the message routing; the default version of the file looks like this:

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

On the left side of each entry is a pattern that consists of selectors. Each selector contains one or more facilities (separated by commas), then a period, and then one or more levels (again, separated by commas).

The facility indicates the origin of the log entry. Possible values are shown in Table 8-3.

Table 8-3. Facility values to indicate the origin of the log entry

Value                     Description
authpriv                  Security, authentication, or authorization systems.
cron                      Task scheduler (crond and atd).
daemon                    Server daemons that don't have a category of their own.
ftp                       File-transfer-protocol daemon.
kern                      Kernel messages.
local0, local1, local2,   Reserved for custom use on a distribution-by-distribution or
local3, local4, local5,   site-by-site basis. Fedora uses local7 to log boot messages.
local6, and local7
lpr                       Printing system.
mail                      Electronic mail.
news                      Net news (Usenet).
syslog                    Messages from syslogd itself.
user                      User-level messages.
uucp                      Unix-to-Unix copy messages (rarely used).
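The following is an added example, not code from the book: a matcher for the selector syntax of /etc/syslog.conf (facility lists, the priority threshold, the =, ! and != priority modifiers, and the none and * values) applied to a constructed copy of the default file above, so you can ask where a message with a given facility and priority will be written. Like syslogd, it lets a later selector in the same pattern override an earlier one for the facilities it names, which is how mail.none removes mail from the *.info rule. The priority names and order follow the syslog conventions used in this lab.

```python
"""Added example, not from the book: a matcher for /etc/syslog.conf selectors,
run over a constructed copy of the default configuration shown in this lab."""

# Priority levels in increasing order of severity.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed copy of the default file above, comments removed.
DEFAULT_SYSLOG_CONF = """
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                                /var/log/secure
mail.*                                    -/var/log/maillog
cron.*                                    /var/log/cron
*.emerg                                   *
uucp,news.crit                            /var/log/spooler
local7.*                                  /var/log/boot.log
"""


def parse_conf(text):
    """Return [(pattern, destination)] for every non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            pattern, dest = line.split(None, 1)
            rules.append((pattern, dest.strip()))
    return rules


def selector_verdict(selector, facility, priority):
    """One selector's opinion of a message: True (matches), False (the
    facility is explicitly excluded with 'none') or None (not about this
    facility at all)."""
    facs, level = selector.rsplit(".", 1)
    if facs != "*" and facility not in facs.split(","):
        return None
    if level == "none":
        return False
    if level == "*":
        return True
    negate = level.startswith("!")          # kern.!crit, kern.!=crit
    level = level.lstrip("!")
    exact = level.startswith("=")           # kern.=crit
    level = level.lstrip("=")
    want, have = PRIORITIES.index(level), PRIORITIES.index(priority)
    hit = have == want if exact else have >= want
    return hit != negate


def pattern_matches(pattern, facility, priority):
    """Semicolon-joined selectors; a later selector that names the facility
    overrides an earlier one, as in syslogd."""
    state = None
    for sel in pattern.split(";"):
        verdict = selector_verdict(sel, facility, priority)
        if verdict is not None:
            state = verdict
    return bool(state)


def destinations(rules, facility, priority):
    """Every destination a message goes to; line order does not matter."""
    return [dest for pattern, dest in rules
            if pattern_matches(pattern, facility, priority)]


if __name__ == "__main__":
    rules = parse_conf(DEFAULT_SYSLOG_CONF)
    for fac, pri in [("kern", "info"), ("mail", "info"), ("kern", "emerg")]:
        print(fac, pri, "->", destinations(rules, fac, pri))
```

A kernel message at info priority lands only in /var/log/messages; a kernel emerg message also goes to every logged-in terminal (*); mail traffic goes only to the maillog because of the mail.none exclusion on the first line.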
The level consists of a priority level and can be any of the values listed in Table 8-4, in increasing order of severity.

Table 8-4. Priority-level values, in order of severity

Value      Description
debug      Informational software debugging messages.
info       General informational messages.
notice     Important normal messages that do not indicate an error or problem.
warning    Information about an unusual or impending situation.
err        Error messages, indicating that something is wrong.
crit       Critical conditions indicating imminent danger.
alert      Serious, emergency problems.
emerg      Emergency situation: the system is in crisis and failing.

Specifying a level means any message of that level or higher (more severe), so the selector kern.crit would match messages from the kernel with a priority of crit, alert, or emerg. To match only crit, an equal sign is added: kern.=crit. An exclamation mark negates a match: kern.!crit matches kernel messages with a priority below crit, while kern.!=crit matches all kernel messages except those with a priority of crit.

An asterisk indicates that the facility or level should be ignored. Therefore, authpriv.* matches messages from the authpriv facility regardless of the priority, and *.info matches messages from any facility which are at the info level or higher.

Multiple facilities or priorities can be matched using commas (indicating an OR operation), so mail,local3.* matches any message from the mail or local3 facilities. Multiple selectors may be included in one entry, separated by semicolons, which indicates an AND operation. The special priority none matches no messages from the specified facility. Therefore *.crit;kern.none matches all messages that are of crit priority or higher, unless they come from the kernel.

On the right side of each entry in /etc/syslog.conf is a destination for the messages. The destination may be:

An absolute pathname
    Messages are placed in the specified file. The pathname may also point to a named pipe, providing a method for passing messages to another program, or to a device such as a terminal (such as /dev/tty3) or a printer (/dev/lp0). Adding a hyphen in front of a pathname will prevent syslogd from flushing the buffers to disk after each write, a performance-eating behavior that increases the chance that a message describing the cause of a crash will make it onto the disk.
@host
    Messages are forwarded to syslogd on the remote host.
user,user,user,...
    Messages are written to the terminals of any of these users who are currently logged in.
*
    Messages are written to the terminals of all logged-in users.

The order of the lines in the configuration file does not matter; every line is checked against each incoming message, so messages may be sent to multiple destinations.

The default configuration file routes messages according to Table 8-5; as you can see, /var/log/messages is the prime source of information about the state of the system.

Table 8-5. Message routing as configured in the default syslog configuration file

Type of message                                              Destination
Everything except mail, authentication, and cron messages,
  with a priority of info or higher                          /var/log/messages
Authentication messages (which may contain private
  information)                                               /var/log/secure
Mail                                                         /var/log/maillog
Cron                                                         /var/log/cron
All messages of emerg level or higher                        The terminals of all logged-in users
UUCP and news messages of crit level or higher               /var/log/spooler
Boot messages                                                /var/log/boot.log

8.7.1.1. Interpreting /var/log/messages

The /var/log/messages logfile contains entries similar to this:

May 31 10:40:58 laptop3 dhclient: DHCPREQUEST on eth0 to 172.16.97.254 port 67
May 31 10:40:58 laptop3 dhclient: DHCPACK from 172.16.97.254
May 31 10:40:58 laptop3 dhclient: bound to 172.16.97.100 -- renewal in 34387 seconds.
    May 31 20:14:05 laptop3 dhclient: DHCPREQUEST on eth0 to 172.16.97.254 port 67
    May 31 20:14:05 laptop3 dhclient: DHCPACK from 172.16.97.254
    May 31 20:14:05 laptop3 dhclient: bound to 172.16.97.100 -- renewal in 41631 seconds.

Each entry consists of a date, time, hostname (laptop3 in this example), program name or other prefix (dhclient), and a text message. Note that the facility and priority are not recorded in the logfile.

Since the /var/log/messages file can be very large, it's worthwhile using a tool such as grep to search for specific records. For example, you can view all of the kernel messages with the command:

    $ grep kernel /var/log/messages
    May 30 04:23:08 bluesky kernel: SELinux: initialized (dev hdd, type iso9660), uses genfs_contexts
    May 31 20:48:40 bluesky kernel: atkbd.c: Unknown key pressed (translated set 2, code 0x85 on isa0060/serio0).
    May 31 20:48:40 bluesky kernel: atkbd.c: Use 'setkeycodes e005 ' to make it known.
    May 31 21:14:54 bluesky kernel: cdrom: This disc doesn't have any tracks I recognize!

8.7.1.2. Creating your own logfile entries

You can generate syslog messages using the logger command-line tool. Simply provide your text as arguments:

    $ logger Added host lightning to /etc/hosts

The message recorded in /var/log/messages contains the username as the prefix:

    Jun 1 02:32:59 darkday chris: Added host lightning to /etc/hosts

It's convenient to log information about changes you have made on the system in this way, entering them as you work. Your notes will be interleaved with system-generated log messages, making it easy to see the relationship between the changes that you have made and any messages that start or stop appearing in the log as a result. By default, logger uses the facility user and the priority notice.
You can override this using the -p option, and you can override the insertion of the username by supplying an alternate tag with the -t option:

    $ logger -p local1.crit -t cooling Stopped water pump

which would result in this message being logged:

    Jun 1 09:54:49 darkday cooling: Stopped water pump

An alias can be used to simplify logging from the command line:

    $ alias note='logger -p local4.notice '
    $ note Ran yum update

If you are logging a message that contains metacharacters, surround the message with quotation marks.

By adding a custom rule to /etc/syslog.conf, the messages sent to the local1 facility can be placed in their own file (in addition to being logged in /var/log/messages):

    local1.* /var/log/cooling

The security context of any new logfiles must be set to the same context as /var/log/messages:

    # touch /var/log/cooling
    # ls -Z /var/log/messages /var/log/cooling
    -rw-r--r-- root root user_u:object_r:var_log_t   /var/log/cooling
    -rw------- root root system_u:object_r:var_log_t /var/log/messages
    # chcon system_u:object_r:var_log_t /var/log/cooling
    # chmod 0600 /var/log/cooling    # Optional!
    # ls -Z /var/log/messages /var/log/cooling
    -rw------- root root system_u:object_r:var_log_t /var/log/cooling
    -rw------- root root system_u:object_r:var_log_t /var/log/messages

8.7.1.3. Keeping an eye on logs

The -f option to tail provides a convenient way to watch messages that are being appended to a file and is perfect for use with logfiles:

    # tail -f /var/log/messages
    Jun 1 08:47:14 darkday kernel: hub 1-0:1.0: over-current change on port 1
    Jun 1 08:47:14 darkday kernel: hub 1-0:1.0: port 2 disabled by hub (EMI?), re-enabling...
    Jun 1 08:47:14 darkday kernel: hub 1-0:1.0: over-current change on port 2
    Jun 1 08:47:14 darkday kernel: usb 1-2: USB disconnect, address 4
    Jun 1 08:47:14 darkday kernel: usb 1-2: new low speed USB device using uhci_hcd and address 5
    Jun 1 08:47:14 darkday kernel: usb 1-2: configuration #1 chosen from 1 choice
    Jun 1 08:47:14 darkday kernel: input: Logitech USB-PS/2 Optical Mouse as /class/input/input4
    Jun 1 08:47:14 darkday kernel: input: USB HID v1.10 Mouse [Logitech USB-PS/2 Optical Mouse] on usb-0000:00:1f.2-2
    Jun 1 09:54:49 darkday cooling: Water temperature exceeds 70C
    Jun 1 09:54:49 darkday cooling: Water temperature exceeds 85C
    ...(Additional lines are displayed as they are added to the logfile)...

This tail command will display the last 10 lines in the file, and then additional lines within a second of the time that they are appended to the file. It can be left running in a terminal window in the corner of the screen while you perform system administration tasks.

/var/log/messages is normally readable only by root. Although making it readable by other users may reveal a small amount of information about your system (reducing security), it can also reduce the amount of time spent in superuser mode (which, in turn, increases security). To make the messages file accessible to everyone:

    # chmod a+r /var/log/messages

8.7.1.4. Configuring remote logging

The syslog service was designed to facilitate remote logging. This is very useful in two circumstances: the log in addition to the system originally compromised.

To configure a syslog network server, edit that host's /etc/sysconfig/syslog file, which initially looks like this:

    # Options to syslogd
    # -m 0 disables 'MARK' messages.
    # -r enables logging from remote machines
    # -x disables DNS lookups on messages recieved with -r
    # See syslogd(8) for more details
    SYSLOGD_OPTIONS="-m 0"
    # Options to klogd
    # -2 prints all kernel oops messages twice: once for klogd to decode, and
    #    once for processing with 'ksymoops'
    # -x disables all klogd processing of oops messages entirely
    # See klogd(8) for more details
    KLOGD_OPTIONS="-x"
    # SYSLOG_UMASK=077
    # set this to a umask value to use for all logfiles, as in umask(1).
    # By default, all permissions are removed for "group" and "other".

Change the SYSLOGD_OPTIONS line to include -r (remote logging):

    SYSLOGD_OPTIONS="-m 0 -r"

Then restart syslogd:

    # service syslog restart
    Shutting down kernel logger:                               [  OK  ]
    Shutting down system logger:                               [  OK  ]
    Starting system logger:                                    [  OK  ]
    Starting kernel logger:                                    [  OK  ]

Ensure that your firewall configuration permits connections on UDP port 514.

Next, edit the file /etc/syslog.conf on the machines that will be forwarding log messages to the syslog server, and add this line:

    *.* @syslogserver

This will forward all messages to the remote host syslogserver (which may be an IP address or hostname). Restart syslogd to activate the changes.

It's important to leave local logging turned on in case the syslog server is unavailable, so don't remove the lines that write to the local logfiles.
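Before editing a live /etc/syslog.conf it is useful to be able to predict where a given message will end up. The following is an added example, not from the book and not sysklogd's code: it implements the selector rules described earlier in this lab (priority thresholds, =, !, *, none, comma lists and semicolon-joined selectors) and routes sample messages through a constructed configuration made of the Fedora defaults from Table 8-5 plus the local1 entry and the *.* @syslogserver forwarding entry from this lab (syslogserver is a placeholder hostname). Semicolon-joined selectors are evaluated the way this lab states them, with the last selector that names the message's facility deciding; real syslogd applies negated selectors as subtractions from what earlier selectors on the same line admitted, which differs only in corner cases.

```python
"""Selector matching and routing for /etc/syslog.conf entries (added example)."""

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]

# Constructed configuration: Fedora's default routing (Table 8-5) plus the two
# entries added in this lab. '@syslogserver' is a placeholder hostname.
SAMPLE_CONF = """\
# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                 /var/log/secure
mail.*                                     -/var/log/maillog
cron.*                                     /var/log/cron
*.emerg                                    *
uucp,news.crit                             /var/log/spooler
local7.*                                   /var/log/boot.log
local1.*                                   /var/log/cooling
*.*                                        @syslogserver
"""


def priority_spec_matches(spec, priority):
    """Match one priority specification: 'crit', '=crit', '!crit', '!=crit' or '*'."""
    if spec == "*":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    exact = spec.startswith("=")
    level = PRIORITIES.index(spec.lstrip("="))   # ValueError on an unknown name
    have = PRIORITIES.index(priority)
    hit = have == level if exact else have >= level   # a level means that level or higher
    return hit != negate


def selector_matches(selector, facility, priority):
    """Evaluate 'fac[,fac].pri[,pri]' for one message.

    Returns None when the selector does not name the message's facility,
    False for the special priority 'none', otherwise True/False.
    """
    fac_part, _, pri_part = selector.rpartition(".")
    if fac_part != "*" and facility not in fac_part.split(","):
        return None
    if pri_part == "none":
        return False
    return any(priority_spec_matches(spec, priority) for spec in pri_part.split(","))


def entry_matches(selectors, facility, priority):
    """Combine ';'-joined selectors as this lab describes: the last selector that
    names the message's facility decides, so '*.crit;kern.none' drops kernel
    messages while still matching crit or higher from every other facility."""
    decision = False
    for selector in selectors.split(";"):
        verdict = selector_matches(selector, facility, priority)
        if verdict is not None:
            decision = verdict
    return decision


def route(conf_text, facility, priority):
    """Return every destination a message with this facility and priority reaches."""
    if facility not in FACILITIES or priority not in PRIORITIES:
        raise ValueError("unknown facility or priority: %s.%s" % (facility, priority))
    destinations = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, destination = line.split(None, 1)
        if entry_matches(selectors, facility, priority):
            destinations.append(destination.strip())
    return destinations


if __name__ == "__main__":
    for fac, pri in (("local1", "crit"), ("authpriv", "info"), ("kern", "emerg"), ("mail", "debug")):
        print("%s.%s -> %s" % (fac, pri, ", ".join(route(SAMPLE_CONF, fac, pri))))
```

Running the script shows, for instance, that a local1.crit message (the cooling example above) lands in /var/log/messages, /var/log/cooling and on the syslog server, while an authpriv.info message is kept out of /var/log/messages by the authpriv.none exclusion and goes only to /var/log/secure and the server. Feeding route() the real file before restarting syslogd catches a mistyped selector that would silently drop messages.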
The result will be a combined log containing entries from both the syslog server and the host that is forwarding its log messages:

    Jun 1 02:52:33 darkday named[13255]: starting BIND 9.3.2 -u named
    Jun 1 02:52:33 darkday named[13255]: found 1 CPU, using 1 worker thread
    Jun 1 02:52:33 darkday named[13255]: loading configuration from '/etc/named.conf'
    Jun 1 02:52:33 darkday named[13255]: listening on IPv4 interface lo, 127.0.0.1#53
    Jun 1 02:52:33 darkday named[13255]: listening on IPv4 interface eth0, 172.16.97.100#53
    Jun 1 02:52:33 darkday named[13255]: command channel listening on 127.0.0.1#953
    Jun 1 02:52:33 darkday named[13255]: zone 0.in-addr.arpa/IN: loaded serial 42
    Jun 1 02:52:33 darkday named[13255]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
    Jun 1 02:52:33 darkday named[13255]: zone 255.in-addr.arpa/IN: loaded serial 42
    Jun 1 02:52:33 darkday named[13255]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
    Jun 1 02:52:33 darkday named[13255]: zone localdomain/IN: loaded serial 42
    Jun 1 02:52:33 darkday named[13255]: zone localhost/IN: loaded serial 42
    Jun 1 02:52:33 darkday named[13255]: running
    Jun 1 02:57:22 bluesky chris: VNC service configured, restarting xinetd
    Jun 1 02:57:29 bluesky xinetd[15394]: Exiting...
    Jun 1 02:57:29 bluesky xinetd[15452]: xinetd Version 2.3.13 started with libwrap loadavg options compiled in.
    Jun 1 02:57:29 bluesky xinetd[15452]: Started working: 1 available service

Notice that this log contains entries from darkday (the syslog server) as well as from bluesky (which is forwarding log messages to darkday). Notice also the system administrator's note on bluesky, stating the reason that xinetd was being restarted.

8.7.1.5. Automated log watching

There's not much point in collecting all this information if the logs are never read, but reading logfiles is boring, tedious work.
Fortunately, the logwatch package automates this process, sending a daily summary email to alert you to important log entries.

The daily summary is emailed to root on the local machine. Email to the root user should be redirected to a specific user or users by the /etc/aliases file. Edit this file and uncomment the entry for root found at the end, inserting the name of a user who is responsible for administering the system (or a list of people separated by commas). In this example, all mail for root is redirected to chris@fedorabook.com:

    # Person who should get root's mail
    root:           chris@fedorabook.com

Here is a typical daily logwatch summary:

    From: root
    To: root@bluesky.fedorabook.com
    Subject: LogWatch for bluesky.fedorabook.com
    Date: Wed, 31 May 2006 04:02:17 -0400

    ################### LogWatch 7.1 (11/12/05) ####################
            Processing Initiated: Thu Jun  1 02:52:14 2006
            Date Range Processed: yesterday
                                  ( 2006-May-31 )
                                  Period is day.
          Detail Level of Output: 10
                  Type of Output: unformatted
               Logfiles for Host: bluesky.fedorabook.com
    ##################################################################

    --------------------- httpd Begin ------------------------

    A total of 3 unidentified 'other' records logged
       GET /level/16/exec/-///pwd HTTP/1.0 with response code(s) 2 404 responses
       POST /garethjones/photos/--WEBBOT-SELF-- HTTP/1.0 with response code(s) 1 404 responses
       GET http://bluesky.fedorabook.com/foo HTTP/1.1 with response code(s) 1 404 responses

    ---------------------- httpd End -------------------------

    --------------------- SSHD Begin ------------------------

    Users logging in through sshd:
       chris:
          172.16.97.2: 3 times

    ---------------------- SSHD End -------------------------

    --------------------- Disk Space Begin ------------------------

    Filesystem            Size  Used Avail Use% Mounted on
    /dev/mapper/main-root 9.5G  2.9G  6.1G  33% /
    /dev/hda1              99M  9.7M   84M  11% /boot
    /dev/mapper/main-home 4.9G   24M  4.7G   1% /home

    ---------------------- Disk Space End -------------------------

    ###################### LogWatch End #########################

This report will vary according to the services you have installed, but it provides a simple, easy-to-scan summary of log entries that may warrant attention. It also provides a summary of free disk space; if you methodically review these email messages, you won't be caught unaware when your storage needs start to inch upward.

8.7.1.6. Log rotation

Logfiles can grow to be massive. The Fedora logrotate package automatically moves historical log data into history files and keeps a limited number of history files on hand.

logrotate is configured through the master configuration file /etc/logrotate.conf:

    # see "man logrotate" for details
    # rotate log files weekly
    weekly

    # keep 4 weeks worth of backlogs
    rotate 4

    # create new (empty) logfiles after rotating old ones
    create

    # uncomment this if you want your logfiles compressed
    #compress

    # RPM packages drop log rotation information into this directory
    include /etc/logrotate.d

    # no packages own wtmp -- we'll rotate them here
    /var/log/wtmp {
        monthly
        create 0664 root utmp
        rotate 1
    }

    # system-specific logs may be also be configured here.

The lines most frequently altered are weekly and rotate 4: logrotate is initially configured to rotate logs every week and to save the last four historical logfiles in addition to the current log. If you have a lot of storage and wish to keep more history, edit the rotate line to increase the number of history files maintained, or change the weekly line to monthly to reduce the frequency of history snapshots (which can make it easier to analyze patterns over a longer period of time without merging data from several files).
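Patterns that span the rotation history can also be examined programmatically, and the rotated files are the natural input for that. The following is an added example, not from the book and not logwatch's code: it parses entries in the /var/log/messages format shown in 8.7.1.1 (date, time, hostname, program tag with an optional [pid], and message) from a constructed set of files in the logrotate naming scheme, walks them oldest first, and reports any host that appears in the history files but is absent from the current file. On a syslog server collecting forwarded logs, a host that has gone quiet deserves a look: it may be down, its forwarding entry may have been removed, or it may no longer be able to send. The sample lines mix entries from this lab with made-up ones.

```python
"""Summarize rotated /var/log/messages files and spot hosts that went quiet (added example)."""
import re
from collections import Counter

# Constructed sample: the current logfile and two rotated predecessors. darkday
# is the syslog server and bluesky forwards to it, as in this lab.
ROTATED = {
    "messages.2": (
        "May 26 10:40:58 bluesky dhclient: DHCPREQUEST on eth0 to 172.16.97.254 port 67\n"
        "May 26 10:40:58 bluesky dhclient: DHCPACK from 172.16.97.254\n"
        "May 26 11:02:11 darkday sshd[2231]: Accepted publickey for chris from 172.16.97.2 port 51122 ssh2\n"
    ),
    "messages.1": (
        "May 30 04:23:08 bluesky kernel: SELinux: initialized (dev hdd, type iso9660), uses genfs_contexts\n"
        "May 30 09:10:00 bluesky chris: VNC service configured, restarting xinetd\n"
        "May 30 09:10:07 bluesky xinetd[15452]: Started working: 1 available service\n"
        "May 30 21:14:54 darkday kernel: cdrom: This disc doesn't have any tracks I recognize!\n"
    ),
    "messages": (
        "Jun  1 02:52:33 darkday named[13255]: starting BIND 9.3.2 -u named\n"
        "Jun  1 02:52:33 darkday named[13255]: running\n"
        "Jun  1 09:54:49 darkday cooling: Water temperature exceeds 70C\n"
        "...(Additional lines are displayed as they are added to the logfile)...\n"
    ),
}

# Month, day (space-padded), time, host, tag, optional [pid], message.
ENTRY = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_entry(line):
    """Split one logfile line into its fields; None for lines that are not entries."""
    m = ENTRY.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"]) if fields["pid"] else None
    return fields


def entries(text):
    return [e for e in map(parse_entry, text.splitlines()) if e]


def rotation_order(names):
    """Oldest first: messages.4, messages.3, ..., messages.1, messages."""
    def age(name):
        suffix = name.rpartition(".")[2]
        return -int(suffix) if suffix.isdigit() else 0
    return sorted(names, key=age)


def program_counts(text):
    """Entries per program tag, the first thing a logwatch-style summary shows."""
    return Counter(e["tag"] for e in entries(text))


def hosts_per_file(files):
    return {name: Counter(e["host"] for e in entries(text)) for name, text in files.items()}


def silent_hosts(files):
    """Hosts present in older history files but absent from the current logfile."""
    order = rotation_order(files)
    seen = hosts_per_file(files)
    earlier = set()
    for name in order[:-1]:
        earlier.update(seen[name])
    return sorted(earlier - set(seen[order[-1]]))


def grep_tag(files, tag):
    """Like 'grep kernel /var/log/messages*', but field-aware and oldest first."""
    return [e for name in rotation_order(files) for e in entries(files[name]) if e["tag"] == tag]


if __name__ == "__main__":
    print("current file:", dict(program_counts(ROTATED["messages"])))
    print("silent hosts:", silent_hosts(ROTATED))
    for e in grep_tag(ROTATED, "kernel"):
        print(e["stamp"], e["host"], e["msg"])
```

With the constructed data, bluesky is reported as silent because it appears in messages.2 and messages.1 but not in the current file. To run it against a real server, replace ROTATED with the contents of /var/log/messages* read from disk; because the facility and priority are not recorded in the logfile, the tag is the only routing-related field available to a parser.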
The default configuration results in five separate message files being present on the system:

    $ ls -l /var/log/messages*
    -rw------- 1 root root  86592 Jun  1 02:49 /var/log/messages
    -rw------- 1 root root  85053 May 30 02:03 /var/log/messages.1
    -rw------- 1 root root 105491 May 26 23:51 /var/log/messages.2
    -rw------- 1 root root  74062 May  7 04:12 /var/log/messages.3
    -rw------- 1 root root 286194 May  2 13:00 /var/log/messages.4

logrotate also uses per-logfile configuration files in /etc/logrotate.d. These files are installed by various RPM packages that generate logfiles.

8.7.2. How Does It Work?

The main system logging utility is named syslog. It is network-based and uses a server daemon, syslogd, which receives messages from all sorts of system programs through the Unix domain socket /var/log. These messages are matched against the lines in /etc/syslog.conf and written to the selected destinations.

Kernel messages are stored in a buffer that is read by a helper daemon named klogd, either by reading the file /proc/kmesg or by using a kernel system call. klogd then forwards these messages to syslogd for inclusion in the system logs.

A syslog network server listens to UDP port 514 and processes any messages received there through the normal routing decisions.

One significant problem with the syslog implementation is that there is absolutely no authentication performed. Any application can log any message with any facility and priority. Therefore it is relatively easy to spoof log messages or to create a denial-of-service attack by sending huge numbers of logfile entries, eventually filling all available disk space and making it impossible to log further events. (For this reason, it is a good idea to use a separate filesystem for /var/log.)

The logwatch and logrotate programs are activated by cron through their entries in /etc/cron.daily.

8.7.3. What About...

8.7.3.1. ...sending log messages to a program?
The standard Fedora syslog program does not support output to a program such as a mailer. However, you can easily write a script that reads a logfile using the tail command and outputs new log entries to a program. This example emails log messages to a pager or cell phone text service:

    #!/bin/bash
    DESTINATION=8885551234@pagercompany.example.com
    # -0f: print no existing lines, then follow the file as it grows
    tail -0f /var/log/messages |
    while read -r LINE
    do
        echo "$LINE" | mail $DESTINATION
    done

To use this script, place it in the file /usr/local/bin/log-mail and add read and execute permissions:

    # chmod u+rx /usr/local/bin/log-mail
    # log-mail

You may want to use this script with a lower-volume logfile than /var/log/messages, especially if you pay for each pager message. To filter messages by content, place a grep command between the tail and while lines in the script.

You can also have log output read to you over the system's speakers:

    #!/bin/bash
    logger -t log-speak "Starting log reading."
    sleep 0.3
    tail -1f /var/log/messages |
    while read -r LINE
    do
        # The sed expressions remove the date/time and PIDs
        # from messages to shorten the text.
        echo "$LINE" |
        sed -e "s/^.\{17\}[^ ]*//" -e "s/\[.*\]//g" |
        festival --tts
    done

8.7.3.2. ...outputting to a named pipe?

A named pipe is a special type of file that can be used to pass messages between two programs. While syslog supports writing to named pipes, the default SELinux security policy prohibits it. To output to a named pipe, you must first disable SELinux protection for syslogd by setting the syslogd_disable_trans boolean and then create the named pipe with mkfifo:

    # setsebool -P syslogd_disable_trans=1
    # mkfifo /var/log/messagepipe

Next, create an entry in /etc/syslog.conf, placing a pipe symbol in front of the destination pathname:

    *.* |/var/log/messagepipe

Restart syslogd.
You can then follow the message output with a simple file read:

    # service syslog restart
    Shutting down kernel logger:                               [  OK  ]
    Shutting down system logger:                               [  OK  ]
    Starting system logger:                                    [  OK  ]
    Starting kernel logger:                                    [  OK  ]
    # cat /var/log/messagepipe
    ...(Messages appear as they are logged)...

8.7.3.3. ...logging messages from printers, routers, and other network devices?

Most network hardware offers the option of logging messages to a syslog server. Simply enter the IP address of your syslog network server into the configuration settings of the device.

8.7.3.4. ...using patterns within the message text to determine message routing?

The syslog-ng package from Fedora Extras can be used in place of the standard syslogd and klogd programs. It uses a different configuration file syntax, and it supports message-text matching and message routing to programs. The original syslogd and klogd programs are from the package sysklogd.

8.7.4. Where Can I Learn More?

syslogd, syslog.conf, klogd, logrotate, and logwatch

logwatch: http://www.logwatch.org

8.8. Detecting File Changes with AIDE

The Advanced Intrusion Detection Environment (AIDE) is a program that takes a "fingerprint" of system files so that changes in those files can be detected. You can use it to detect a system intrusion, accidental file overwrites, and file corruption.

8.8.1. How Do I Do That?

To initialize the AIDE fingerprint database, execute it with the --init option:

    # aide --init
    AIDE, version 0.11

    ### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

It will take several minutes to run. When it is finished, a fingerprint database will be saved as /var/lib/aide/aide.db.new.gz. Rename it to /var/lib/aide/aide.db.gz to make it the active AIDE database:

    # mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Once the fingerprint database is configured, you can check for file changes using the --check argument:

    # aide --check
    AIDE found differences between database and filesystem!!
    Start timestamp: 2006-06-01 12:50:01
    Summary:
      Total number of files:        127172
      Added files:                  2
      Removed files:                0
      Changed files:                4

    ---------------------------------------------------
    Added files:
    ---------------------------------------------------

    added:/root/.xauth0VekVw
    added:/root/.xauthcvqPrt

    ---------------------------------------------------
    Changed files:
    ---------------------------------------------------

    changed:/root
    changed:/root/.lesshst
    changed:/bin
    changed:/bin/date

    --------------------------------------------------
    Detailed information about changes:
    ---------------------------------------------------

    Directory: /root
      Mtime    : 2006-06-01 09:51:05              , 2006-06-01 11:43:23
      Ctime    : 2006-06-01 09:51:05              , 2006-06-01 11:43:23

    File: /root/.lesshst
      Mtime    : 2006-06-01 10:57:21              , 2006-06-01 12:47:34
      Ctime    : 2006-06-01 10:57:21              , 2006-06-01 12:47:34

    Directory: /bin
      Mtime    : 2006-03-21 00:18:37              , 2006-06-01 12:49:18
      Ctime    : 2006-03-21 00:18:37              , 2006-06-01 12:49:18

    File: /bin/date
      Size     : 54684                            , 2003
      Bcount   : 128                              , 16
      Permissions: -rwxr-xr-x                     , -rws--x--x
      Mtime    : 2006-02-11 01:43:13              , 2006-06-01 12:49:18
      Ctime    : 2006-03-21 00:11:18              , 2006-06-01 12:49:32
      Inode    : 1986165                          , 1977386
      MD5      : sGkOBZz1ixmfifDWyS5PNw==         , RUhh+HqFShK4bABDxePEtw==
      SHA1     : mY4z3oD64L+e36a7s2LQ32E4k+8=     , NAkwd0kI05k8svWFerYN5k8C1t0=

A copy of this report is automatically saved in /var/log/aide.log.

In this case, AIDE has detected a change in /bin/date and in /root/.lesshst (the history for the less command). The change to date is of particular note because that is a commonly used program, and the new version is configured with the set-user-ID bit set, meaning that any user typing date will execute a program with superuser privileges.

Since some files are expected to change in specific ways, the qualities that AIDE checks for each file and directory are configurable. Table 8-6 summarizes the default configuration.

Table 8-6. Default AIDE fingerprint configuration

    Pathnames                                    Fingerprint qualities
    /boot, /bin, /sbin, /lib, /opt, /usr,        Permissions, inode number, number of links,
    /root, /etc/exports, /etc/fstab,             user, group, size, time of last modification,
    /etc/passwd, /etc/group, /etc/gshadow,       time of creation or last inode modification,
    /etc/shadow                                  block count, MD5 checksum, SHA1 checksum
    All other files in /etc (except /etc/mtab,   Permissions, inode number, user, group
    which is not checked)
    /var/log                                     Permissions, number of links, user, group

AIDE is configured using the text file /etc/aide.conf; the default contents of this file are:

    # Sample configuration file for AIDE.

    @@define DBDIR /var/lib/aide

    # The location of the database to be read
    database=file:@@{DBDIR}/aide.db.gz

    # The location of the database to be written
    #database_out=sql:host:port:database:login_name:passwd:table
    #database_out=file:aide.db.new
    database_out=file:@@{DBDIR}/aide.db.new.gz

    # Whether to gzip the output to database
    gzip_dbout=yes

    # Default
    verbose=5

    report_url=file:/var/log/aide.log
    report_url=stdout
    #report_url=stderr
    #NOT IMPLEMENTED report_url=mailto:root@foo.com
    #NOT IMPLEMENTED report_url=syslog:LOG_AUTH

    # These are the default rules
    #
    #p:      permissions
    #i:      inode:
    #n:      number of links
    #u:      user
    #g:      group
    #s:      size
    #b:      block count
    #m:      mtime
    #a:      atime
    #c:      ctime
    #S:      check for growing size
    #md5:    md5 checksum
    #sha1:   sha1 checksum
    #rmd160: rmd160 checksum
    #tiger:  tiger checksum
    #haval:  haval checksum
    #gost:   gost checksum
    #crc32:  crc32 checksum
    #R:      p+i+n+u+g+s+m+c+md5
    #L:      p+i+n+u+g
    #E:      Empty group
    #>:      Growing logfile p+u+g+i+n+S

    # You can create custom rules like this
    NORMAL = R+b+sha1
    DIR = p+i+n+u+g

    # Next decide what directories/files you want in the database

    /boot   NORMAL
    /bin    NORMAL
    /sbin   NORMAL
    /lib    NORMAL
    /opt    NORMAL
    /usr    NORMAL
    /root   NORMAL

    # Check only permissions, inode, user and group for /etc, but
    # cover some important files closely
    /etc    p+i+u+g
    !/etc/mtab
    /etc/exports  NORMAL
    /etc/fstab    NORMAL
    /etc/passwd   NORMAL
    /etc/group    NORMAL
    /etc/gshadow  NORMAL
    /etc/shadow   NORMAL

    /var/log   p+n+u+g

    # With AIDE's default verbosity level of 5, these would give lots of
    # warnings upon tree traversal. It might change with future versions.
    #
    #=/lost\+found    DIR
    #=/home           DIR

Most of this file consists of selection lines, which contain two fields. The first field is used to specify files to process or, if prepended with !, files to exclude from processing. This field is evaluated as a regular expression, so the pattern /lib will match any filename starting with /lib, including files such as /lib/lsb/init-functions.

These regular expressions are treated as if they have ^ prepended (they match only at the start of filenames). To exactly match one filename, append $:

    /var/log/messages$

The $ prevents this selection line from matching the logrotate history files (such as /var/log/messages.1).

The second field is a list of fingerprint qualities, drawn from the list included in the file as comments, separated with + characters. The values NORMAL and DIR are configured as group definitions, permitting easy reference to commonly used combinations of fingerprint qualities. In this case, NORMAL is defined as R+b+sha1, meaning the predefined fingerprint-qualities group R, block count, and SHA1 checksums. R in turn means permissions, inode number, number of links, user, group, size, modification time, creation/inode change time, and MD5 checksum.

To add additional files to be fingerprinted, append entries to this file. For example, to verify that your web pages have not changed, append:

    /var/www/html NORMAL

8.8.2. How Does It Work?

AIDE works by recording the fingerprint qualities in its database file as plain text (though the file is normally compressed using gzip).
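The mechanics of selection lines (8.8.1) and of the database comparison (this section) are small enough to reproduce in full. The following is an added example, not from the book and not AIDE's own code: it expands quality groups such as NORMAL = R+b+sha1, applies selection lines as regular expressions anchored at the start of the path with ! for exclusion, fingerprints a constructed directory tree, and then compares a before and after database to produce an added/removed/changed report like the one from aide --check shown earlier, including a flag for a file whose permissions gained the set-user-ID bit. Rule precedence is a simplification and an assumption of this example, not AIDE's exact behaviour: the last matching selection line wins, and a matching exclusion always wins. Paths inside the scanned tree are reported with a leading slash so the patterns from /etc/aide.conf apply unchanged.

```python
"""AIDE-style fingerprint database: selection rules, build, compare (added example)."""
import base64
import hashlib
import os
import re
import stat
import tempfile

GROUPS = {"R": "p+i+n+u+g+s+m+c+md5", "L": "p+i+n+u+g",
          "NORMAL": "R+b+sha1", "DIR": "p+i+n+u+g"}

# Selection lines in the style of the default /etc/aide.conf shown in this lab.
SELECTIONS = [
    ("/bin", "NORMAL"),
    ("/etc", "p+i+u+g"),
    ("!/etc/mtab", ""),
    ("/etc/passwd", "NORMAL"),
    ("/var/log", "p+n+u+g"),
]


def expand_rule(rule):
    """Flatten 'R+b+sha1' into the individual quality names it stands for."""
    qualities = []
    for item in rule.split("+"):
        qualities.extend(expand_rule(GROUPS[item]) if item in GROUPS else [item])
    return qualities


def select_rule(path, selections=SELECTIONS):
    """Qualities to record for path, or None if no selection line covers it.
    Assumption: last matching line wins; any matching '!' exclusion wins outright."""
    chosen = None
    for pattern, rule in selections:
        exclude = pattern.startswith("!")
        if re.match(pattern.lstrip("!"), path):      # anchored at the start, as in aide.conf
            if exclude:
                return None
            chosen = expand_rule(rule)
    return chosen


def fingerprint(path, qualities):
    """Compute the requested qualities for one file or directory."""
    st = os.lstat(path)
    simple = {"p": oct(stat.S_IMODE(st.st_mode)), "i": st.st_ino, "n": st.st_nlink,
              "u": st.st_uid, "g": st.st_gid, "s": st.st_size, "b": st.st_blocks,
              "m": st.st_mtime_ns, "c": st.st_ctime_ns}
    fp = {q: simple[q] for q in qualities if q in simple}
    if stat.S_ISREG(st.st_mode):
        for algo in ("md5", "sha1"):
            if algo in qualities:
                with open(path, "rb") as f:
                    digest = hashlib.new(algo, f.read()).digest()
                fp[algo] = base64.b64encode(digest).decode()   # base64, as in AIDE's report
    return fp


def build_db(root, selections=SELECTIONS):
    """Walk root and fingerprint every entry that a selection line covers."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            logical = "/" + os.path.relpath(full, root)
            qualities = select_rule(logical, selections)
            if qualities:
                db[logical] = fingerprint(full, qualities)
    return db


def compare_db(old, new):
    """Report like 'aide --check': added, removed, and changed with (old, new) values."""
    changed = {}
    for path in sorted(set(old) & set(new)):
        diffs = {q: (old[path][q], new[path].get(q)) for q in old[path]
                 if old[path][q] != new[path].get(q)}
        if diffs:
            changed[path] = diffs
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": changed}


def setuid_gained(report):
    """Paths whose permissions changed and now carry the set-user-ID bit."""
    return [p for p, d in report["changed"].items()
            if "p" in d and int(d["p"][1], 8) & stat.S_ISUID]


def demo():
    """Constructed scenario mirroring the book's report: replace /bin/date with a
    set-user-ID copy, append to the excluded /etc/mtab, and append to a logfile
    whose rule (p+n+u+g) deliberately ignores size and content."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in (("bin/date", b"original date program\n" * 100),
                             ("etc/mtab", b"/dev/root / ext3 rw 0 0\n"),
                             ("etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n"),
                             ("var/log/messages", b"Jun  1 02:52:33 darkday named[13255]: running\n")):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        before = build_db(root)
        tmp = os.path.join(root, "bin", ".date.new")
        with open(tmp, "wb") as f:
            f.write(b"replacement date program\n")
        os.chmod(tmp, 0o4711)                              # the -rws--x--x from the report
        os.replace(tmp, os.path.join(root, "bin", "date"))
        with open(os.path.join(root, "etc", "mtab"), "ab") as f:
            f.write(b"tmpfs /dev/shm tmpfs rw 0 0\n")
        with open(os.path.join(root, "var", "log", "messages"), "ab") as f:
            f.write(b"Jun  1 09:54:49 darkday cooling: Water temperature exceeds 70C\n")
        return compare_db(before, build_db(root))


if __name__ == "__main__":
    report = demo()
    for path, diffs in report["changed"].items():
        print("changed:", path, diffs)
    print("set-user-ID gained:", setuid_gained(report))
```

Running demo() reports /bin/date as changed in permissions, inode, size and both checksums, and setuid_gained() singles it out, while the appended /var/log/messages stays quiet because its rule records neither size nor content and /etc/mtab is never in the database at all. The same prefix behaviour the text warns about applies here: select_rule("/binary") is covered by the /bin line, which is why a trailing $ matters when one exact file is meant.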
Here is a sample of a fingerprint database:

    @@begin_db
    # This file was generated by Aide, version 0.11
    # Time of generation was 2006-06-01 10:57:23
    @@db_spec name lname attr perm bcount uid gid size mtime ctime inode lcount md5 sha1
    /etc 0 541 40755 0 0 0 0 0 0 713153 0 0 0
    /sbin 0 4029 40755 32 0 0 12288 MTE0MjkxODMyMg== MTE0MjkxODMyMg== 1880129 2 0 0
    /root 0 4029 40750 16 0 0 4096 MTE0OTE2OTg2NQ== MTE0OTE2OTg2NQ== 1296641 8 0 0
    /usr 0 4029 40755 16 0 0 4096 MTE0Mjg5MjIzOA== MTE0Mjg5MjIzOA== 1782881 14 0 0
    ...(Lines snipped)...
    /boot/grub/grub.conf 0 16317 100600 4 0 0 599 MTE0Mjg5NTcwNw== MTE0Mjg5NTcwNw== 2011 1 zvjoV7HEEv/lHBdWPRNK9g== xJ2OrD9u9dqn9n3M2y/iKgxzoHk=
    /boot/grub/reiserfs_stage1_5 0 16317 100644 20 0 0 9056 MTE0Mjg5NTcwOA== MTE0Mjg5NTcwOA== 2022 1 3QMuqfoxpKu/nMsBGE554Q== 6fWY3Yrk7M4+aW0voaqzOIxyQY8=
    /boot/grub/jfs_stage1_5 0 16317 100644 18 0 0 8032 MTE0Mjg5NTcwOA== MTE0Mjg5NTcwOA== 2020 1 6favoJt1WCIN/dnckuHbfQ== aIlm2nFM9bVJSaE/rwLYehLgpRQ=
    @@end_db

When run with the -C option, aide simply calculates a new fingerprint and compares the value with the old fingerprint, reporting any discrepancies.

8.8.3. What About...

8.8.3.1. ...an intruder altering the fingerprint database?

This is a very real possibility. To guard against this, the fingerprint database should be recorded on read-only media (such as a CD-R), stored on a different system, or stored on removable media that the system administrator can secure against alteration.

8.8.3.2. ...automating AIDE scans?

To automate daily AIDE scans, create the file /etc/cron.daily/50aide with these contents:

    #!/bin/bash
    /usr/sbin/aide --check 2>&1 | mail -s "AIDE scan results" root

Make the file executable by root:

    # chown root /etc/cron.daily/50aide
    # chmod u+rx /etc/cron.daily/50aide

An AIDE scan will then be performed daily, and the results will be mailed to root on the local system (or the user who receives root mail, as defined in /etc/aliases).

8.8.4. Where Can I Learn More?
aide and aide.conf

Chapter 9. The Fedora Community

Despite the fact that it is supported and heavily financed by Red Hat, Fedora is truly a community project with a global scope. Effectively participating in that community is an important part of using Fedora.

9.1. Participating in the Fedora Mailing Lists

Red Hat runs a large number of mailing lists for Fedora, which are the communication lifeblood of the Fedora projects and are the starting point for communicating with and becoming involved in the Fedora community.

9.1.1. How Do I Do That?

The Red Hat mailing lists are accessed through the web page http://www.redhat.com/mailman/listinfo; the Fedora lists have names starting with "fedora-". Clicking on a list title will take you to a page where you can join the list or view archives of previous messages sent to the list. The list archives are useful in two ways:

Once you find a list that looks interesting to you, sign up by entering your email address, name, and password (twice), and then select digest or individual emails and click Subscribe. Consider using a disposable email address for your subscription because this address will be made public and will probably eventually receive some spam. See Lab 7.6, "Configuring the sendmail Server."

Receiving messages in digest form reduces the volume of email to one or two large messages a day; the nondigested form will pepper your mailbox with many small messages but will make it easier to respond to one specific message.

Even though Fedora is used internationally, the Fedora mailing lists are in English, which serves as the lingua franca of the open source community. The exceptions are the lists used by translation projects, which are usually in the target language.
Your subscription request will generate an email like this one:

    Mailing list subscription confirmation notice for mailing list fedora-devel-list

    We have received a request for subscription of your email address,
    "chris@fedorabook.com", to the fedora-devel-list@redhat.com mailing list.
    To confirm that you want to be added to this mailing list, simply reply
    to this message, keeping the Subject: header intact. Or visit this web page:

        https://www.redhat.com/mailman/confirm/fedora-devel-list/f1a901557

    Or include the following line -- and only the following line -- in a
    message to fedora-devel-list-request@redhat.com:

        confirm f1a901557

    Note that simply sending a 'reply' to this message should work from most
    mail readers, since that usually leaves the Subject: line in the right
    form (additional "Re:" text in the Subject: is okay).

    If you do not wish to be subscribed to this list, please simply disregard
    this message. If you think you are being maliciously subscribed to the
    list, or have any other questions, send them to
    fedora-devel-list-owner@redhat.com.

To confirm the subscription, click on the link or send a reply email without editing the subject line. You'll receive a confirmation email:

    Welcome to the fedora-devel-list@redhat.com mailing list!

    To post to this list, send your email to:

        fedora-devel-list@redhat.com

    General information about the mailing list is at:

        https://www.redhat.com/mailman/listinfo/fedora-devel-list

    If you ever want to unsubscribe or change your options (eg, switch to or
    from digest mode, change your password, etc.), visit your subscription
    page at:

        https://www.redhat.com/mailman/options/fedora-devel-list/chris%40fedorabook.com

    You can also make such adjustments via email by sending a message to:

        fedora-devel-list-request@redhat.com

    with the word 'help' in the subject or body (don't include the quotes),
    and you will get back a message with instructions.
    You must know your password to change your options (including changing
    the password, itself) or to unsubscribe. It is:

        superSecret

    Normally, Mailman will remind you of your redhat.com mailing list
    passwords once every month, although you can disable this if you prefer.
    This reminder will also include instructions on how to unsubscribe or
    change your account options. There is also a button on your options page
    that will email your current password to you.

Keep this email! To unsubscribe or change your digest option, go to the link contained in this message and enter your chosen password.

9.1.1.1. Posting on the mailing list

When posting messages on the mailing list, you must send from the same address that you used to subscribe to the list, or your message will be rejected.

Since your message will be read by hundreds or even thousands of people around the world, succinct, detailed, and informative messages are highly regarded, and off-topic and time-wasting messages are disparaged. This doesn't mean that you have to be an expert to post; most lists welcome messages from community members of all skill levels. Since most list members will only ever know you by your writing, the quality of that writing plays a key role in establishing your reputation within the community.

Start your message with a clear subject line (remember that your messages are being archived by topic). "ACPI problem with Kernel 2.6.43" is a good title; "Power problem" is too vague, and "Please help!" is completely uninformative.

The body of your message should contain a concise comment, suggestion, request for help, or announcement. Write in plain text; avoid the use of HTML, which bloats the message, since that bloat will be multiplied by the hundreds or thousands of inboxes in which your message will take residence.
Tiny code fragments or extracts from logfiles or configuration files that illuminate the discussion should be included; long portions of code, screenshots, logfiles, complete configuration files, or sample data should be posted on the Web with a link to them included in your message.

Be sure to review any logfiles, configuration files, or screenshots for confidential information before posting them publicly.

When replying to a previous posting in nondigest mode, leave enough of the previous poster's comments as a quotation so that the reader will know what you're replying to. Place your reply at the end of the quoted text:

    Mary Eleanor wrote:
    > When I change the hostname, I can't open
    > new windows on the GUI display. Does anyone
    > know what causes this?

    It's due to the fact that the new hostname breaks the cross-reference
    to authorization information ("magic cookies") in the ~/.Xauthority
    file. Before you change the hostname, execute this command:

        xhost +localhost

    That will turn off authorization checking for GUI programs on the
    same computer as the display.

Signature blocks are welcome, but should not exceed four lines in total; one or two lines is ideal. Bear in mind that any information you post will be permanently and publicly archived, so think carefully about any personal information (phone numbers, place of employment, instant messaging IDs) revealed in your signature block.

If you are replying to a message that is part of a digest, it is important to edit your reply so that the subject line relates to the message to which you are replying and not to the entire digest.
For example, here is the first part of a digest message on the fedora-devel-list : From: fedora-devel-list-request@redhat.com Reply-to: fedora-devel-list@redhat.com To: fedora-devel-list@redhat.com Subject: fedora-devel-list Digest, Vol 20, Issue 40 Date: Thu, 27 Oct 2005 08:38:38 -0400 (EDT) Send fedora-devel-list mailing list submissions to fedora-devel-list@redhat.com To subscribe or unsubscribe via the World Wide Web, visit https://www.redhat.com/mailman/listinfo/fedora-devel-list or, via email, send a message with subject or body 'help' to fedora-devel-list-request@redhat.com You can reach the person managing the list at fedora-devel-list-owner@redhat.com When replying, please edit your Subject line so it is more specific than "Re: Contents of fedora-devel-list digest..." Today's Topics:   1. Re: Problems installing rawhide and reporting thereof   2. Re: Problems installing rawhide and reporting thereof   3. Re: Problems installing rawhide and reporting thereof   4. Re: Problems installing rawhide and reporting thereof   5. Re: Encouraging the use of multiple packaging systems on one systems, and the resulting problems   6. initrd stage: CAP_SYS_RAWIO on /dev/iscsictl fails . help   7. Re: rawhide report: 20051025 changes   8. Re: initrd stage: CAP_SYS_RAWIO on /dev/iscsictl fails . help   9. rawhide report: 20051027 changes (Build System)  10. UTF-8 & imap folder name handling If you reply to the digest, the subject line will read "Re: fedora-devel-list Digest, Vol 20, Issue 40." Change this to the subject of the particular posting to which you are replying; for example, if you are replying to message 10, set the subject to "Re: UTF-8 & imap folder name handling." You'll also have to do some editing to include only some quoted text from the original message (ideally including the poster's name) and no text from the other postings in the digest. 9.1.2. How Does It Work? 
The Fedora lists are managed by Mailman (the GNU mailing-list manager software), which in turn is available as part of Fedora Core. Mailing lists are used for communication because they are easy to use, asynchronous (users don't have to be logged in at the same time, which is important when crossing time zones), and not very bandwidth-intensive. They are also very flexible on the client side, providing access from a wide range of software and network configurations. 9.1.3. What About... 9.1.3.1. ...posting to a mailing list when a disposable email address is used to subscribe to the list? You will need to create an email account configuration that lets you post from the alias address. This requires an email client that can handle multiple sending accounts. To use the Evolution client to send email from a disposable address, add a new account under Edit 9.1.3.2. ...subscribing to a Fedora list in nondigest mode without having the list messages cluttering up my email inbox? Use your email client's filtering capabilities to move all of the list-related email to a separate mailbox. This will make it easy to scan the subject lines of the list postings and reply to individual messages without touching your main mailbox. To configure this using Evolution, select the menu option Toolsfedora-devel-list), then move the message to a folder that you have created (such as fedora-devel). 9.1.4. Where Can I Learn More? /usr/share/doc/mailman* 9.2. Using IRC Internet Relay Chat (IRC) is a network-based, multiserver chat/instant message system. While mailing lists provide asynchronous communication, IRC provides almost-immediate, synchronous communication. You can use it to participate in online planning meetings, discuss development, or exchange support advice. 9.2.1. How Do I Do That? There are many different IRC client programs available. To use the IRC client XChat, select the menu option Applicationsxchat. The window shown in Figure 9-1 will appear. Figure 9-1. 
XChat server-list window

XChat will propose a first, second, and third nickname based on the username and actual name (GECOS field) of the account you're using. Edit these values if desired, select the FreeNode network, and click Connect. Figure 9-2 shows the main XChat window and introductory message that will appear.

Figure 9-2. XChat main window

To join a specific channel, select the menu option Window, then type fedora into the Regex Match field and click Apply. Select the channel you wish to join from the list and click Join Channel.

Figure 9-3. XChat channel list

The main XChat window will now show a list of users down the right side and a tab containing your selected channel at the bottom of the screen, as in Figure 9-4. In some cases, the server will redirect you to an alternate channel such as fedora-join-instructions to assist you with registering or authenticating.

Figure 9-4. XChat connected to a channel

If you have never connected to the FreeNode network with your selected nickname, enter this command in the field at the bottom of the XChat window:

    /msg nickserv register yourSecretPassword

This will send a private message to the nickserv program to register your nickname with the specified password. Don't use your system password for IRC: it crosses the network in cleartext, and a typing slip can send it to a channel instead of to nickserv. Create a separate password exclusively for use with IRC, and type the nickserv commands in the server tab rather than in a channel tab, so that a command that is missing its leading slash is not broadcast to the channel as ordinary chat.

If you're visiting the FreeNode network with a nickname that you have already registered, authenticate to nickserv by typing:

    /msg nickserv identify yourSecretPassword

If you were redirected to another channel such as fedora-join-instructions, you can switch to the channel you originally wanted to join now. Either select the channel from the list that appears after selecting the menu option Window, or enter the command:

    /join #fedora

You can now view messages in the large pane of the XChat window or enter messages in the text field at the bottom of the window.
To find out about a specific user, right-click on that username and select the name from the pop-up list that will appear. XChat will display basic information about that user. To send a private message to another user, use the /msg command:

    /msg susan Have you installed FC6 on your new laptop yet?

In the message pane, when on a public channel, outbound private messages are identified by angle-brackets pointing at the username:

    >olgovie< | I don't think that will work.

When other users send a private message to you, that message will appear in a separate tab at the bottom of the screen. The label text on a tab will turn red if there are unread messages on that tab, providing you with an easy way of monitoring multiple channels and several private conversations at the same time. Messages that you enter while a private tab is active are automatically private, even without the use of /msg user at the start of the line. Private here means only that the message is not broadcast to the channel; it still passes through the IRC servers in cleartext, so don't exchange anything sensitive this way.

IRC communication has a unique flavor. It's a good idea to lurk on a channel for a little while to get a sense of the discussion tone and key players before jumping into the conversation. Because IRC is immediate, answers to questions may not be as carefully reasoned out as those received through the mailing lists, so beware!

9.2.2. How Does It Work?

IRC works through a distributed network of servers that relay messages back and forth between connected clients, hence the name Internet Relay Chat. The XChat program is one of many IRC clients available in Fedora; others include mozilla-chat, EPIC, Irssi, ninja, Konversation, and the multiprotocol clients Gaim and naim. The FreeNode network is a small, high-capacity IRC network operated by the Peer-Directed Projects Center (PDPC) in support of peer-directed projects, including many open source projects. Most of the FreeNode staff are volunteers.

9.2.3. What About...

9.2.3.1. ...saving an IRC discussion?
There are two ways to save a discussion in XChat: you can enable logging, which automatically logs all discussion on all channels, or you can save text, which performs a one-time save of the current text (300 lines by default) in the current topic:

Figure 9-5. XChat preferences window

Logs are written to ~/.xchat2/xchatlogs, with one log per network/channel combination:

    $ cd ~/.xchat2/xchatlogs
    $ ls

Since each log filename contains special characters and spaces, you will need to quote the filename when using it in a command:

    $ grep ctyler "FreeNode (formerly OpenProjects.net)-#fedora.log"

Bear in mind that logging records your private-message tabs as well as public channels, so this directory holds conversations that the other party may have assumed were not being kept. Keep ~/.xchat2 readable only by your own account, and don't copy the logs into a web-served or shared location.

9.2.3.2. ...other ways of accessing IRC?

From time to time, you may want to connect to IRC from a computer that does not have an IRC client when you don't have administrative permission to install one, at a friend's house or a library, for example. The ChatZilla extension to Firefox offers a chat client that runs within the Firefox browser. Since some systems permit users to install extensions without superuser privilege, you may be able to use this approach. Within Firefox, select Tools

The other option is to use a webchat client through your web browser. Web sites offering webchat clients come and go; a few minutes of searching with Google will find several, but you will need to examine them individually to see if they support connecting to the FreeNode network (where the Fedora channels are hosted). Remember that a webchat site sees everything you type, including any nickserv password; on a borrowed machine or an unfamiliar site, connect with a nickname whose password you wouldn't mind losing.

9.2.4. Where Can I Learn More?

9.3. Using Bugzilla

Fedora consists of thousands of packages, with complex interactions between the packages. To keep track of bugs and problem reports, Fedora uses the Bugzilla bug-tracking database. You can directly query this database to get information about past and present issues, to submit bug reports of your own, and to add information to existing bug reports.

9.3.1. How Do I Do That?

You can access the Fedora Bugzilla system with a web browser by visiting http://bugzilla.redhat.com. Figure 9-6 shows the main Bugzilla page, on which you will find a Quick Search field.
There, you can enter a bug number that you have heard mentioned elsewhere, or you can enter some keywords related to an issue or bug. Figure 9-6. Bugzilla main page In the Bugzilla system, the word bug is used loosely; any issue, patch, enhancement request, or trouble report is called a bug. The Query tab provides a more precise way of searching, as shown in Figure 9-7 . Using that interface, you can narrow your search to a specific package in a particular version of Fedora Core or Fedora Extras. For options that are even more detailed, click on the Advanced tab. Figure 9-7. Bugzilla query page Your query will yield a list of matching bugs with their summaries, as shown in Figure 9-8 . Clicking on a bug number will display a detailed description of the bug, as in Figure 9-9. The description includes the product, version, and package information, plus a detailed text description of the bug. Additional comments may be added by the originator of the report, the maintainer of the package in question, or any other registered user of Bugzilla. Figure 9-8. Query results Figure 9-9. Bug detail page If your query produces no matches, Bugzilla will helpfully inform you that "Zarro boogs" were found.  9.3.1.1. Creating a Bugzilla account In order to add to the comments on existing bugs or to report new bugs, you must have a Bugzilla account. To create an account, click the New Account link in the upper-right corner of the page, and then enter your email address and your full name.   You may want to use a disposable email address because the address will be made public (see Lab 7.6, "Configuring the sendmail Server," for more on disposable email addresses). Bugzilla will send you an email containing a temporary password: From: bugzilla@redhat.com To: jdoe@fedorabook.com Subject: Your Bugzilla password. 
    Date: Fri, 14 Jul 2006 05:37:36 -0400

    To use the wonders of Bugzilla, you can use the following:

     E-mail address: jdoe@fedorabook.com
           Password: J8sCuid79D

    To change your password, go to:
    https://bugzilla.redhat.com/bugzilla/userprefs.cgi

Follow the link in the email to set your password to a sane value, and do it promptly: the temporary password has just travelled to you in cleartext email. When you revisit Bugzilla, you can log in to your account using your email address and password.

9.3.1.2. Reporting a new bug

If you have searched for reports of a particular issue and have not found any existing bugs, you can open a new bug report by clicking the New tab in the gray bar. You will be presented with a list of products, as shown in Figure 9-10; select the appropriate one from the Fedora portion of the list.

Figure 9-10. Bugzilla product list

Bugzilla will then present you with the main bug-entry form, as shown in Figure 9-11. Select the product version that you are using, and then select the component (package).

Figure 9-11. Bugzilla new bug-detail form

If the package you want is not in the component list, you may have selected the wrong product; for example, you may have selected Fedora Core for a package that is actually in Fedora Extras. Use the Back button on your browser to return to the product list and try another product.

Select a platform and severity (the default is usually correct for both), and then enter a summary (title) for the bug. Choose one that succinctly describes the bug.

Now enter the bug Description. Use as many of the preplaced headings as possible ("Description of problem," "How reproducible," "Steps to reproduce," "Expected results," "Actual results"). Ideally you should provide clear, step-by-step instructions that will reliably provoke symptoms that demonstrate the bug, as well as any relevant details about your system and use context.

You also have the options of attaching a file (such as a configuration file or logfile) and marking the bug as a security-sensitive bug, which is not posted publicly. Use that flag for anything that looks exploitable, so that the details reach the people who need to fix it without also reaching everyone else before a fix is available.
Click on Submit to file the bug report. You will be given a Bugzilla bug number that will enable you to rapidly find the bug for follow-up in the future. Each bug has a status that is initially set to New. This status will change as the bug is reviewed, assigned, commented upon, and eventually resolved. Each time a comment is added or the status changes, you will receive an email. 9.3.2. How Does It Work? Bugzilla was written by the Mozilla project to track bugs in the Mozilla browser and related software. It has since been adopted (and adapted) by a number of other open source projects, including the GNOME and KDE desktops. It's written in Perl, uses Apache for the web server, and can be used with either a MySQL or PostgreSQL database for bug storage and tracking. 9.3.3. What About... 9.3.3.1. ...receiving less (or more) email from Bugzilla? If you log in to Bugzilla and select the Account tab, you will see a preferences screen (which in turn has an E-mail tab). In that page, you will find controls that let you fine-tune the circumstances under which Bugzilla will send you email. 9.3.3.2. ...a bug that's not really a bug? You can add a comment to an existing bug that you have created and change its status. For example, if you find out that a bug that you reported is actually correct behavior, you can close the bug as resolved, setting the resolution indicator to NOTABUG. In your comment, you can explain the reason for the status change. 9.3.3.3. ...a bug due to problems in the upstream code? Since Fedora is a distribution , most of the code comes from other projects (such as GNOME, Apache, and OpenOffice.org). In many cases, the resolution of a bug will really be the responsibility of the upstream project. 
If you know that a particular problem is due to a code defect or issue with the underlying program code, rather than Fedora's packaging of that code or the interaction of that code with other Fedora packages, it is a good idea to register the bug in that project's Bugzilla database and add a cross-reference to the Fedora bug record. To facilitate this, there is a control labeled External Bug References on the Bugzilla entry screen; select the upstream Bugzilla system from the pull-down list and enter the bug number from that system.

9.3.3.4. ...referring to a Bugzilla bug on the mailing lists or in IRC?

By convention, numbers prefixed with "BZ" are interpreted as Bugzilla numbers.

9.3.4. Where Can I Learn More?

9.4. Running Rawhide

If you're interested in seeing the evolving future shape of Fedora Core and assisting with testing, you can run Rawhide, the constantly changing development version of Fedora Core.

9.4.1. How Do I Do That?

First, a warning is in order. As the original Rawhide announcement noted:

    Raw Hide Can Be a Bit Tough to Chew on So Run at Your Own Risk (and Enjoyment)

    These releases have not been quality tested by Red Hat's Quality Assurance team. They may not boot. If they boot, they may not install. If they install, they may not do anything other than waste CPU cycles. If anything breaks, you most assuredly own the many fragments which will be littered across your floor.

    It may not be possible to upgrade from Fedora Core to Raw Hide, from Raw Hide to Fedora Core, or from Raw Hide to Raw Hide! If a stable upgrade path is important to you, please do not use Raw Hide.

    DO NOT USE THESE RELEASES FOR ANY WORK WHERE YOU CARE ABOUT YOUR APPLICATION RUNNING, THE ACCURACY OF YOUR DATA, THE INTEGRITY OF YOUR NETWORK, OR ANY OTHER PURPOSE FOR WHICH A RESPONSIBLE HUMAN WOULD USE A COMPUTER.

    (But then again what would be the fun of hacking Linux if there wasn't some risk involved. ;-)....)
In other words, you should run Rawhide only on a secondary computer dedicated to testing because it's far from stable. Most Rawhide systems are updated daily. The nature of the development process ensures that features will break one day and then start working again a few days later. Menu options will shift around, and from time to time, your system will not boot normally. You may be frustrated, but you'll never be bored when running Rawhide!

There are two ways to install Rawhide: by upgrading from a released version of Fedora Core, or by installing Rawhide directly.

9.4.1.1. Updating Fedora Core to Rawhide

Rawhide is really just a yum repository of development packages. The repository information is distributed with Fedora Core but is disabled. Edit the file /etc/yum.repos.d/fedora-development.repo to enable the development repository by changing the enabled line under [development] (shown already changed here) to read enabled=1:

    # These packages are untested and still under development. This
    # repository is used for updates to test releases, and for
    # development of new releases.
    #
    # This repository can see significant daily turnover and major
    # functionality changes which cause unexpected problems with other
    # development packages. Please use these packages if you want to work
    # with the Fedora developers by testing these new development packages.
    #
    # fedora-test-list@redhat.com is available as a discussion forum for
    # testing and troubleshooting for development packages in conjunction
    # with new test releases.
    #
    # fedora-devel-list@redhat.com is available as a discussion forum for
    # testing and troubleshooting for development packages in conjunction
    # with developing new releases.
    #
    # More information is available at http://fedoraproject.org/wiki/Testing
    #
    # Reproducible and reportable issues should be filed at
    # http://bugzilla.redhat.com/.
    #
    # Product: Fedora Core
    # Version: devel

    [development]
    name=Fedora Core - Development
    #baseurl=http://download.fedora.redhat.com/pub/fedora/linux/core/development/$basearch/
    mirrorlist=http://fedora.redhat.com/Download/mirrors/fedora-core-rawhide
    enabled=1
    gpgcheck=0

    [development-debuginfo]
    name=Fedora Core - Development - Debug
    #baseurl=http://download.fedora.redhat.com/pub/fedora/linux/core/development/$basearch/debug/
    mirrorlist=http://fedora.redhat.com/Download/mirrors/fedora-core-rawhide-debug
    enabled=0
    gpgcheck=0

    [development-source]
    name=Fedora Core - Development - Source
    #baseurl=http://download.fedora.redhat.com/pub/fedora/linux/core/development/SRPMS/
    mirrorlist=http://fedora.redhat.com/Download/mirrors/fedora-core-rawhide-source
    enabled=0
    gpgcheck=0

Note the gpgcheck=0 lines. They disable signature verification for this repository (the development packages were not signed at this point, which is why the shipped configuration turns the check off), so yum will install whatever a mirror hands it, over plain HTTP, as root. A compromised or impersonated mirror is therefore a direct route to owning the machine. That is one more reason to keep Rawhide on a disposable test system, and to pick a mirror you have some reason to trust (or your own local mirror, described later in this lab) rather than whichever one the mirrorlist happens to return.

You can optionally enable the development-debuginfo and development-source repositories as well, by setting enabled=1 there too. Next, disable all of the other repositories by setting enabled=0 in their respective /etc/yum.repos.d/*.repo files. When you're done, enter these commands to confirm that only the development repositories are enabled:

    # cd /etc/yum.repos.d
    # grep '^enabled=1' *.repo
    fedora-development.repo:enabled=1

If you see other repository files listed, edit those files to disable the additional repositories. Bear in mind that yum treats a repository section that has no enabled line at all as enabled, so a file with no enabled line is also worth a look.

Once you have set up the repositories, use yum to perform an update:

    # yum update
    Setting up Update Process
    Setting up repositories
    development               100% |=========================| 1.1 kB    00:00
    Reading repository metadata in from local files
    Resolving Dependencies
    --> Populating transaction set with selected packages. Please wait.
    ---> Downloading header for newt-perl to pack into transaction set.
    newt-perl-1.08-9.2.2.i386 100% |=========================| 9.2 kB    00:00
    ---> Package newt-perl.i386 0:1.08-9.2.2 set to be updated
    ---> Downloading header for words to pack into transaction set.
    words-3.0-8.1.1.noarch.rp 100% |=========================| 4.0 kB    00:00
    ...(Lines snipped)...
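The grep check above only finds lines that say enabled=1; a repository section with no enabled line at all is treated by yum as enabled, and the check says nothing about gpgcheck. The following script, added here as an example and not part of the book or of yum, parses .repo files in the format shown above and reports which repositories are enabled and which of those have signature checking turned off. The SAMPLE_REPOS text is constructed for the example, modelled on the fedora-development.repo file; the audit_dir function runs the same check over a real /etc/yum.repos.d.

```python
"""Audit yum repository files before pulling updates from Rawhide.

Added example for this lab, not code from the book or from yum: reads .repo
files in the format shown above and reports which repositories are enabled
and which of those would let yum install packages with no GPG signature
check.  SAMPLE_REPOS is constructed for the example.
"""
import configparser
import glob
import os


def audit_repo_text(text, main_gpgcheck=False, source="<string>"):
    """Return one (repo_id, enabled, gpgcheck, transport) tuple per section.

    yum treats a missing enabled= line as enabled=1.  A section with no
    gpgcheck= line inherits the [main] value from /etc/yum.conf, which is
    what main_gpgcheck stands for (Fedora ships gpgcheck=1 there).
    transport is the URL scheme of baseurl or mirrorlist: http and ftp
    mean anyone on the path can alter what you download.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text, source=source)
    results = []
    for repo_id in parser.sections():
        section = parser[repo_id]
        enabled = section.get("enabled", "1").strip() == "1"
        gpgcheck = section.get("gpgcheck", "1" if main_gpgcheck else "0").strip() == "1"
        url = section.get("baseurl") or section.get("mirrorlist") or ""
        transport = url.split("://", 1)[0].lower() if "://" in url else "unknown"
        results.append((repo_id, enabled, gpgcheck, transport))
    return results


def enabled_ids(results):
    """Repository ids that yum will consult."""
    return [repo_id for repo_id, enabled, _, _ in results if enabled]


def unverified(results):
    """Enabled repositories whose packages yum would install without a signature check."""
    return [repo_id for repo_id, enabled, gpgcheck, _ in results if enabled and not gpgcheck]


def audit_dir(path="/etc/yum.repos.d", main_gpgcheck=True):
    """Audit every *.repo file under path (assumes Fedora's yum.conf default, gpgcheck=1)."""
    results = []
    for name in sorted(glob.glob(os.path.join(path, "*.repo"))):
        with open(name) as fh:
            results.extend(audit_repo_text(fh.read(), main_gpgcheck=main_gpgcheck, source=name))
    return results


# Constructed sample.  [extras] has no enabled= line, which the grep check
# in the text would miss even though yum treats it as enabled.
SAMPLE_REPOS = """\
[development]
name=Fedora Core - Development
#baseurl=http://download.fedora.redhat.com/pub/fedora/linux/core/development/$basearch/
mirrorlist=http://fedora.redhat.com/Download/mirrors/fedora-core-rawhide
enabled=1
gpgcheck=0

[development-debuginfo]
name=Fedora Core - Development - Debug
mirrorlist=http://fedora.redhat.com/Download/mirrors/fedora-core-rawhide-debug
enabled=0
gpgcheck=0

[core]
name=Fedora Core $releasever - $basearch
baseurl=http://download.fedora.redhat.com/pub/fedora/linux/core/$releasever/$basearch/os/
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

[extras]
name=Fedora Extras $releasever - $basearch
mirrorlist=http://fedora.redhat.com/Download/mirrors/fedora-extras-$releasever
gpgcheck=1
"""

if __name__ == "__main__":
    results = audit_repo_text(SAMPLE_REPOS)
    for repo_id, enabled, gpgcheck, transport in results:
        print("%-22s enabled=%-5s gpgcheck=%-5s via %s" % (repo_id, enabled, gpgcheck, transport))
    print("enabled:", enabled_ids(results))
    print("enabled without signature check:", unverified(results))
```

Run audit_dir() on the machine you are about to switch to Rawhide; anything other than the development repositories in the enabled list is a repository you forgot to disable, and anything in the unverified list is a repository you are trusting on the strength of the network path alone.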
Once you have completed the update, reboot the system. Update the system frequently (daily updates are recommended) by rerunning yum update.

9.4.1.2. Installing Rawhide directly

Rawhide can also be directly installed using the Fedora network installation method. Using a browser, select a nearby Fedora mirror server from the list at http://fedora.redhat.com/Download/mirrors.html and verify that it contains the os/development directory for your architecture (not all mirrors carry Rawhide) and that the development tree is reasonably up-to-date (i.e., that some of the files in the os/Fedora/RPMS directory are timestamped within the last 48 hours). From the images directory on the mirror, download the boot.iso file and burn it to a CD or DVD, or download the diskboot.img file and copy it to a USB flash drive (see Lab 10.3, "Preparing Alternate Installation Media"). Boot the target system from this disc or USB flash drive and perform a normal HTTP or FTP installation from the mirror that you selected (see Chapter 1). Bear in mind that nothing along this path is verified: the boot image and every package come from the mirror over a cleartext protocol and are installed without a signature check, so you are trusting that mirror, and the network between you and it, completely. That is acceptable for a disposable test box and for nothing else.

When installed in this way, the development repository is automatically enabled. Use yum to update the system periodically, usually on a daily basis:

    # yum update

It's not uncommon to see the yum update fail due to dependency issues. Usually the issues will be solved by the next Rawhide update, and the yum command will succeed the next day. It's recommended that you run yum manually rather than using the yum daily update service so that you can see the error messages explaining any conflicts.

It's a good idea to periodically reinstall Rawhide from scratch to eliminate the "cruft" that accumulates with frequent unclean updates.

9.4.1.3. Creating a local Rawhide mirror

If you're using Rawhide heavily (testing it on several systems, for example) and you have a broadband Internet connection, it's worthwhile maintaining your own local development mirror. The rsync tool provides a convenient method of mirroring the development repository.
To use it, select an rsync URI from the mirror list at http://fedora.redhat.com/Download/mirrors.html . Finding the correct directory within the rsync server may take a bit of experimentation because various mirror sites use different directory layouts. Use the rsync command to explore content on the mirror server: $ rsync -v rsync://ftp.muug.mb.ca/ Welcome to MUUG Online Network Access, courtesy of the Manitoba Unix User Group. For any questions, problems, or concerns about this site, please send e-mail to: . Look under the /pub directory and subdirectories for files to download. We are now also maintaining a mirror of selected sites (or a subset thereof), in the /mirror directory. Look at the README file there for details on what is being mirrored. ftp MUUG Online FTP area (more Gigs than you want to download!) pub MUUG Online pub area (more Gigs than you want to download!) mirror Mirror of various sites (more Gigs than you want to download!) redhat ftp.redhat.com mirror (more Gigs than you want to download!) redhat-contrib ftp.redhat.com mirror, contrib directory redhat-updates updates.redhat.com mirror fedora fedora.redhat.com mirror, top-level directory fedora-linux-core fedora.redhat.com mirror, core directory fedora-linux-core-updates fedora.redhat.com mirror, updates directory fedora-linux-core-development fedora.redhat.com mirror, development directory fedora-linux-core-test fedora.redhat.com mirror, (beta) test directory fedora-linux-extras fedora.redhat.com mirror, extras directory In this case, the introductory message indicates that fedora-linux-core-development contains the development tree. Use rsync again to view the contents of that directory: $ rsync -v rsync://ftp.muug.mb.ca/fedora-linux-core-development/ Welcome to MUUG Online Network Access, courtesy of the Manitoba Unix User Group. ...(Lines snipped)... drwxrwsr-x 4096 2006/07/13 18:43:37 . 
    -rw-r--r--        3101 2003/11/04 12:23:24 README
    drwxr-xr-x        4096 2006/07/13 15:21:37 i386
    drwxrwsr-x        4096 2006/07/13 15:21:33 source

    sent 117 bytes  received 544 bytes  440.67 bytes/sec
    total size is 3101  speedup is 4.69

Don't omit the final / on the rsync URI.

The i386 directory is the one we're interested in (it looks like you'd have to use a different mirror for other architectures):

    $ rsync -v rsync://ftp.muug.mb.ca/fedora-linux-core-development/i386/
    Welcome to MUUG Online Network Access, courtesy of the Manitoba Unix User Group.
    ...(Lines snipped)...
    drwxr-xr-x        4096 2006/07/13 15:21:37 .
    drwxr-xr-x       81920 2006/07/13 15:37:52 debug
    drwxrwsr-x        4096 2006/07/12 08:09:49 iso
    drwxrwsr-x        4096 2006/07/13 15:49:37 os

    sent 123 bytes  received 530 bytes  145.11 bytes/sec
    total size is 0  speedup is 0.00

The presence of the debug, iso, and os subdirectories indicates that this is the directory we're looking for. Armed with that information, create a script, /usr/local/bin/rawhide-rsync, on a stable (non-Rawhide) system with 10 GB or more free storage space. Replace alert with the address that should receive the reports and mirrorhost/directory with the rsync URI you found above:

    #!/bin/bash
    #
    # rawhide-rsync :: script to mirror the Fedora rawhide repo locally
    #
    MAILTO=alert                          # Person/alias to receive reports
    DIR=/var/www/html/rawhide             # Mirror directory
    URI=rsync://mirrorhost/directory/     # Rsync URI (keep the trailing slash)

    if tty -s                             # If being run interactively, show progress
    then
        XCMD='tee /dev/tty'
    else
        XCMD='cat'
    fi

    (
        # Abort if the cd fails (important!): otherwise rsync --delete
        # would run in whatever directory the script was started from.
        cd "$DIR" || exit 2
        rsync --recursive --delete -v "$URI" . 2>&1
        echo
    ) | $XCMD | mail -s "Rawhide Rsync Report" "$MAILTO"

Make the script executable (chmod 755 /usr/local/bin/rawhide-rsync). Ensure that httpd and rsync are installed on the target system, and create a directory to hold the development mirror (replace user with the name of the non-root user account that you will be using to run the rawhide-rsync script):

    # mkdir -p /var/www/html/rawhide/
    # chown user /var/www/html/rawhide
    # chmod a+rx /var/www/html/rawhide

Finally, run the script:

    $ rawhide-rsync
    Welcome to MUUG Online Network Access, courtesy of the Manitoba Unix User Group.
    For any questions, problems, or concerns about this site, please send e-mail to: .
    Look under the /pub directory and subdirectories for files to download.

    We are now also maintaining a mirror of selected sites (or a subset thereof),
    in the /mirror directory. Look at the README file there for details on what
    is being mirrored.

    receiving file list ... done
    debug/ElectricFence-debuginfo-2.2.2-20.2.2.i386.rpm
    debug/ElectricFence-debuginfo-2.2.2-20.2.i386.rpm
    debug/GConf2-debuginfo-2.14.0-2.1.i386.rpm
    ...(Lines snipped)...
    os/repodata/repoview/zsh-html-0-4.2.5-1.2.2.html
    os/repodata/repoview/zulu-support.group.html

    sent 15296418 bytes  received 706808440 bytes  166633.17 bytes/sec
    total size is 8112656832  speedup is 11.23

The server and the local rsync program will compare notes and modify the files and directories on the local system to match the server. The speedup figure is the ratio of the size of the whole tree to the number of bytes actually moved: here 8112656832 / (15296418 + 706808440), or 11.23, so this run transferred about 1/11.23 of the data that a full copy would have, and saved roughly that proportion of the transfer time. The first time the script is run, it transfers the entire repository and the speedup value is close to 1.0.

There is a high rate of change in the development repository, and from time to time, most or all of the repository will be freshly rebuilt, resulting in very large transfers. If you have a transfer-limited or capped Internet account and run the rawhide-rsync script often, be careful that you don't accidentally exceed your transfer limits.

You can now automate the rsync process by adding a crontab entry. Using the non-root account that will be performing the mirroring, edit the crontab:

    $ crontab -e

Modify the crontab file to start the rawhide-rsync script at a convenient time:

    # Update the local rawhide repo
    0 5 * * * /usr/local/bin/rawhide-rsync

The rawhide-rsync reports will be mailed to you on a daily basis.

The rawhide-rsync reports are each over half a megabyte!
Consider deleting them after reviewing the end of each report for errors.

To verify that the local mirror is accessible through HTTP, connect with a browser. For example, if the host containing the mirror were bluesky, you'd point your browser to http://bluesky/rawhide, on which you would see the debug, iso, and os directories (the Fedora and images directories that the installer needs are under os).

9.4.1.4. Using a local Rawhide mirror

To install from a local Rawhide mirror, simply specify that mirror during the installation process. To use the local mirror for yum updates, edit /etc/yum.repos.d/fedora-development.repo on the Rawhide system, commenting out the mirrorlist entry and adding a baseurl entry pointing to the local mirror:

    [development]
    name=Fedora Core - Development
    #baseurl=http://download.fedora.redhat.com/pub/fedora/linux/core/development/$basearch/
    # This line is commented by the addition of # at the start
    # of the line, which disables the use of repositories on the standard
    # mirrorlist
    #mirrorlist=http://fedora.redhat.com/Download/mirrors/fedora-core-rawhide
    # This line directs yum to the local mirror
    baseurl=http://bluesky/rawhide/os/
    enabled=1
    gpgcheck=0

gpgcheck is still 0, so every Rawhide system will now install whatever the mirror host serves over plain HTTP, and the mirror host has become the thing to protect. Keep it a stable, non-Rawhide system, let only the mirroring account write to /var/www/html/rawhide, and remember that the packages on it are only as trustworthy as the upstream mirror you rsync them from.

9.4.1.5. Rawhide-related mailing lists

The fedora-devel-list and fedora-test-list discuss Rawhide-related developments and issues, and include automated reports describing changes that have been made to Rawhide packages.

9.4.2. How Does It Work?

Rawhide is a standard yum repository. Package maintainers submit package source to the Fedora build system, which builds the packages periodically and emails a report to the fedora-devel-list and fedora-test-list.
The report looks like this: Date: Fri, 14 Jul 2006 09:28:29 -0400 From: buildsys@redhat.com Subject: rawhide report: 20060714 changes To: fedora-devel-list@redhat.com, fedora-test-list@redhat.com Message-ID: <200607141328.k6EDSTJ5031177@hs20-bc2-6.build.redhat.com> New package xorg-x11-drv-amd  Xorg X11 AMD Geode video driver Updated Packages: ImageMagick-6.2.8.0-1.1 ----------------------- * Wed Jul 12 2006 Jesse Keating - 6.2.8.0-1.1 - rebuild anaconda-11.1.0.57-1 -------------------- * Thu Jul 13 2006 David Cantrell - 11.1.0.57-1 - Fix unknown error on shadow file (#196705, clumens) - Removed inet_calcGateway (clumens) - Don't guess gateway address in text network UI (#197578, clumens) - Change iutil.copyFile calls to shutil.copyfile (clumens) - Removed DRI enable/disable code from xsetup (clumens) - Removed copyFile, getArch, memInstalled, and rmrf from iutil (clumens) - Don't pass command as first argument to subprocess calls (clumens) - Added network debugging mode for readNetConfig( ) in loader - Removed "BOOTP" string from loader network config UI - Added new dialog for network device config in stage2 (katzj) - Write gateway address to correct struct in manualNetConfig - Removed IP_STRLEN macro since that's moved to libdhcp - Link and compile libisys with libdhcp - Added back 'confignetdevice' and 'pumpnetdevice' in iutil - Removed isys_calcNetmask and isys_calcNS (clumens) - Added xkeyboard-config to fix VT switching (katzj) ...(Lines snipped)... 
Broken deps for i386 ----------------------------------------------------------   anaconda-runtime - 11.1.0.57-1.i386 requires syslinux   gnucash - 2.0.0-2.1.i386 requires libgsf-gnome-1.so.114   mkbootdisk - 1.5.3-2.1.i386 requires syslinux   perl-suidperl - 4:5.8.8-6.1.i386 requires perl = 4:5.8.8-6   systemtap - 0.5.8-2.1.i386 requires libdw.so.1(ELFUTILS_0.120) Broken deps for ia64 ----------------------------------------------------------   gnucash - 2.0.0-2.1.ia64 requires libgsf-gnome-1.so.114( )(64bit)   perl-suidperl - 4:5.8.8-6.1.ia64 requires perl = 4:5.8.8-6   systemtap - 0.5.8-2.1.ia64 requires libdw.so.1(ELFUTILS_0.120)(64bit) ...(Lines snipped)... The report lists new and removed packages, the latest changelog entries from updated packages, and a list of broken dependencies for each architecture. Developers, package maintainers, and testers review this report daily, discussing the results on the mailing lists. The build system places the resulting RPMs on a master server, where they are periodically retrieved by the mirror servers and made accessible to the world. Individual systems use the standard yum client and transfer protocols (HTTP or FTP) to access files on the mirror servers. The rsync tool works by comparing files and directories on the client and server systems and transferring only the files that have changed. This comparison can use combinations of file-modification timestamp, file size, and checksum, depending on the command-line options selected. 9.4.3. What About... 9.4.3.1. ...testing upcoming Fedora Core versions without performing a network installation or update? The Fedora Core project produces at least three test releases before each Fedora Core release. These test releases are effectively clean snapshots of Rawhide released in ISO form; they can be installed from optical disc using the same method as Fedora Core releases (see Chapter 1 and Lab 10.3, "Preparing Alternate Installation Media "). 
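The rawhide report shown in 9.4.2 is regular enough to parse, and that makes it a useful pre-flight check: if packages listed under "Broken deps" for your architecture are installed on the test machine, that day's yum update will probably fail, and you can see why before you run it. The following parser is an example added for this lab, not part of the book or of the Fedora build system. SAMPLE_REPORT is constructed from the excerpt above, and the "Removed package" wording is an assumption, since the excerpt shows no removals.

```python
"""Parse a rawhide report into its parts.

Added example for this lab, not code from the book or the build system:
splits the daily "rawhide report" mail (format as shown in 9.4.2) into new
packages, updated packages with their changelog entries, and broken
dependencies per architecture.  SAMPLE_REPORT is constructed from the
excerpt in the text; the "Removed package" line format is assumed.
"""
import re

BROKEN_HDR = re.compile(r"^Broken deps for (\S+)\s*$")
BROKEN_LINE = re.compile(r"^\s+(\S+) - (\S+) requires (.+?)\s*$")
NEW_PKG = re.compile(r"^New package (\S+)\s*(.*)$")
REMOVED_PKG = re.compile(r"^Removed package (\S+)")      # wording assumed


def parse_report(text):
    """Return {"new": {name: summary}, "removed": [...], "updated": {...}, "broken": {...}}."""
    new, removed, updated, broken = {}, [], {}, {}
    state, arch, current = "new", None, None
    for line in text.splitlines():
        m = BROKEN_HDR.match(line)
        if m:
            state, arch = "broken", m.group(1)
            broken[arch] = []
            continue
        if state == "broken":
            m = BROKEN_LINE.match(line)
            if m:                                   # (name, version-release.arch, requirement)
                broken[arch].append((m.group(1), m.group(2), m.group(3)))
            continue
        if line.startswith("Updated Packages:"):
            state, current = "updated", None
            continue
        if state == "new":
            m = NEW_PKG.match(line)
            if m:
                current = m.group(1)
                new[current] = m.group(2).strip()
            elif REMOVED_PKG.match(line):
                removed.append(REMOVED_PKG.match(line).group(1))
            elif line.startswith(" ") and current:  # summary continues on an indented line
                new[current] = (new[current] + " " + line.strip()).strip()
            continue
        # state == "updated": a name-version-release header, a dashed underline, changelog lines
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue
        if line.startswith(("* ", "- ")):
            if current:
                updated[current]["changelog"].append(line.rstrip())
            continue
        parts = stripped.rsplit("-", 2)
        if len(parts) == 3 and not line.startswith(" "):
            current = parts[0]
            updated[current] = {"version": parts[1], "release": parts[2], "changelog": []}
    return {"new": new, "removed": removed, "updated": updated, "broken": broken}


def affected(report, installed, arch):
    """Installed package names that the report lists with broken deps for arch."""
    return sorted({name for name, _, _ in report["broken"].get(arch, []) if name in installed})


SAMPLE_REPORT = """\
Subject: rawhide report: 20060714 changes

New package xorg-x11-drv-amd
        Xorg X11 AMD Geode video driver

Updated Packages:

ImageMagick-6.2.8.0-1.1
-----------------------
* Wed Jul 12 2006 Jesse Keating - 6.2.8.0-1.1
- rebuild

anaconda-11.1.0.57-1
--------------------
* Thu Jul 13 2006 David Cantrell - 11.1.0.57-1
- Fix unknown error on shadow file (#196705, clumens)
- Removed inet_calcGateway (clumens)

Broken deps for i386
----------------------------------------------------------
    anaconda-runtime - 11.1.0.57-1.i386 requires syslinux
    gnucash - 2.0.0-2.1.i386 requires libgsf-gnome-1.so.114
    mkbootdisk - 1.5.3-2.1.i386 requires syslinux
    perl-suidperl - 4:5.8.8-6.1.i386 requires perl = 4:5.8.8-6

Broken deps for ia64
----------------------------------------------------------
    gnucash - 2.0.0-2.1.ia64 requires libgsf-gnome-1.so.114()(64bit)
"""

if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    installed = {"gnucash", "mkbootdisk", "perl", "zsh"}   # constructed; use rpm -qa output
    print("new:", sorted(report["new"]), "updated:", sorted(report["updated"]))
    print("installed packages with broken deps on i386:", affected(report, installed, "i386"))
```

To use it on a real report, save the mail to a file and feed parse_report its contents, with the output of rpm -qa --queryformat '%{NAME}\n' as the installed set; an empty result from affected() for your architecture means the day's known breakage does not touch your machine, though yum may of course still find a conflict the report did not.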
You will find announcements of test releases on the Fedora web site and the fedora-announce-list. The test releases may be downloaded from the test directories on the Fedora mirror servers; they are numbered in increments of 0.01, starting at 0.10 below the upcoming Fedora Core version number, so Fedora Core 7 test 1 will be found in the directory test/6.90, and FC7t2 will be in test/6.91. 9.4.3.2. ...using other repositories with the Rawhide development repository? That's not usually recommended. Repositories such as Livna (and even Fedora Extras) do not update their packages to work with a new Fedora Core release until just before its official release, so mixing them with Rawhide is likely to produce dependency conflicts. 9.4.4. Where Can I Learn More? yum and rsync 9.5. Participating in Fedora Projects Within the Fedora Community, there are many different projects aimed at developing and improving various aspects of Fedora Linux. Regardless of your skill set, interests, or experience, there is probably a role that is perfect for you in one of the projects. Becoming directly involved in a Fedora project contributes back to the Fedora community and can build your skill and reputation. 9.5.1. How Do I Do That? A list of Fedora Projects is maintained at http://fedoraproject.org/wiki/Projects . Each project has separate standards and requirements for participation, so a good place to start is by reading the project outline to determine the participation requirements, then joining the relevant mailing lists to meet and get to know other project members. Here are some projects to consider: 9.5.1.1. Fedora Documentation The Fedora Docs project ( http://fedoraproject.org/wiki/DocsProject ) produces release notes, installation and configuration guides, and other documentation, and is always looking for writers, editors, and readers willing to provide feedback.
Other members of the Fedora Docs team develop the tool chain used to manage the documentation and transform it into various forms. 9.5.1.2. Fedora Translation Since Fedora software is used globally, messages and controls within the software, documentation, and web sites all require translation into many languages. The Fedora Translation project exists to do this translation and to develop and refine the tools necessary to manage translated text. The Fedora Translation web site is found at http://fedoraproject.org/wiki/L10N . L10N in the Translation URI stands for localization (translation into specific languages). I18N stands for internationalization (technologies that enable use of software in multiple locales). The numbers in the abbreviations refer to the quantity of letters removed. 9.5.1.3. Fedora Extras If you have RPM packages that aren't included in Fedora Core or Fedora Extras, you can become a Fedora Extras contributor and make those packages available to other Fedora users. The Fedora Extras project has set up strict standards and a rigorous review process to protect the quality of the Extras repository, so participating in this project requires a certain level of skill and commitment. To streamline the process, Fedora Extras uses a sponsorship process, which pairs experienced members with newcomers during their first package submission. The web site http://fedoraproject.org/wiki/Extras/Contributors describes the process of becoming a Fedora Extras contributor. 9.5.2. What About... 9.5.2.1. ...Fedora-related projects that have sprung up outside of the official Fedora community? There are a number of Fedora-related projects that are not part of the official Fedora project, and these projects are also staffed by volunteers: Derivative distributions There are over 60 Linux distributions derived from Fedora Linux, and yet others that are derived from Red Hat Enterprise Linux (Red Hat's enterprise Linux distribution, which shares a common root with Fedora). 
These distributions tailor Fedora to meet specific community, linguistic, or hardware requirements. Other repositories The Livna, ATrpms, and RPMforge repositories interoperate with the Fedora Core and Extras repositories (although not necessarily with each other). The Fedora Unity project Fedora Unity provides web sites with guides and technical notes on various Fedora-related issues. It also produces what it terms respins of the Fedora Core CDs and DVDs, incorporating updates released since the official Fedora Core release dates. 9.5.3. Where Can I Learn More? Chapter 10. Advanced Installation There are thousands of different computer configurations, and thousands of different ways in which computers are used. The Fedora installer, Anaconda, is up to the challenge: although the default installation procedure is straightforward, Anaconda can also perform automated installations, set up complex storage layouts involving RAID and LVM, handle different types of installation media and network installation servers, and provide a rescue mode for the recovery of disabled systems. This chapter deals with these advanced installation features. It also looks at GParted, a partition resizing tool, and GRUB, the bootloader used by Fedora that can be extensively customized. 10.1. Resizing a Windows Partition Many computers are sold with some version of Microsoft Windows preinstalled, claiming the entire disk. In order to install Fedora in a dual-boot configuration, it is necessary to reduce the size of the Windows partition to free up some space. 10.1.1. How Do I Do That? Fedora does not provide a good tool for resizing Windows partitions. Fortunately, there is a very good open source tool available, GParted.   Always back up your data before adjusting partitions. Download the 26 MB GParted LiveCD from http://gparted.sourceforge.net/livecd.php and burn it onto a CD or DVD. 
Insert the disc into the system to be resized, and then start (or restart) the system; the screen shown in Figure 10-1 will appear. Figure 10-1. GParted LiveCD boot screen   You may need to adjust the BIOS boot options to force the system to boot from the disc.  Press Enter. The system will ask you to select your language, as shown in Figure 10-2 , and then to select the keyboard type, as shown in Figure 10-3 . Figure 10-2. Language selection screen   Figure 10-3. Keyboard selection screen  The software will then prompt you for your display resolution, as shown in Figure 10-4 ; select the default unless you're using an old monitor.   Do not select 640x480 resolution; the GParted window will not fit on the screen.  Figure 10-4. Display resolution selection screen   You should also select the default for the display color depth, as shown in Figure 10-5 , unless you find that the default does not work with your system. Figure 10-5. Display color-depth selection screen   The GParted screen in Figure 10-6 will now appear, displaying a list of all of the partitions on the first hard disk drive. If you wish to edit the partitions on another drive, click on the drive menu in the upper-right corner of the screen and select that drive. Figure 10-6. GParted main window Click on the partition that you wish to resize, and then click on the Resize/Move button at the top of the window. In the resizing dialog shown in Figure 10-7 , select the new size for the partition by dragging the end of the partition, by entering the new partition size, or by entering the amount of free space that you wish to have after repartitioning. Click Next. Figure 10-7. Entering a new partition size   The resize option will appear in a list of queued tasks at the bottom of the main window. Click the Apply button at the top of the window, and then click Apply on the confirmation dialog shown in Figure 10-8 . Figure 10-8. 
Pending-operations confirmation dialog A progress display will appear while the partition is resized; click Close when the resize has finished. Close the GParted window; then right-click on the display background and select Reboot. 10.1.2. How Does It Work? The GParted LiveCD is a combination of open source software from several separate projects: the libparted partition-manipulation library from the GNU parted partition editor, filesystem-manipulation utilities from various filesystem projects, the GParted GNOME graphical parted interface, and a Live CD version of Slackware Linux. The GParted LiveCD boots using a process very similar to the Fedora Core installation disc. Once the kernel and initrd (ramdisk) are loaded, startup scripts request the language, keyboard, resolution, and color-depth information, and then start Xvesa, a version of the X Window server that communicates with the graphics card through the lowest-common-denominator standards set by the Video Electronics Standards Association (VESA). This enables the use of almost any modern video card in a low-performance mode (perfectly acceptable for this application) without requiring card-specific drivers. The only application started is the GParted graphical interface, which communicates with other tools as necessary to perform requested tasks. Windows uses two different filesystem types: FAT32, a simple filesystem based on the original DOS 2.0 filesystem, and NTFS, an advanced filesystem with a database-like structure. Filesystem checking and manipulation is handled by tools from the dosfstools and linux-ntfs packages. The resize itself is then performed by the linux-ntfs tools (for NTFS) or by libparted (for FAT32), depending on the partition type. 10.1.3. What About... 10.1.3.1. ...one or two small partitions that appear at the end of my disk drive? Those partitions are for system diagnostic software and for returning your system to a factory-fresh state, and are especially common on notebook computers.
It is best to leave those partitions alone. 10.1.4. Where Can I Learn More? parted web site: http://www.gnu.org/software/parted/ linux-ntfs project: http://www.linux-ntfs.org/ dosfstools distribution site: ftp://ftp.uni-erlangen.de/pub/Linux/LOCAL/dosfstools/ 10.2. Configuring RAID and LVM During Installation Fedora Core's default storage layout works well for many systems, but one approach doesn't suit all situations. The Anaconda installer lets you configure complex storage layouts incorporating RAID and LVM to suit advanced needs. Back up any important data on your disk drive(s) before installing Fedora Core! Be sure to read Chapter 6 before reading this lab. 10.2.1. How Do I Do That? Start a normal installation as described in Chapter 1. When you get to the disk and partition strategy screen shown in Figure 10-9, choose "Create custom layout" and select the checkbox for each of the disk drives that you wish to use. Figure 10-9. Selecting a custom layout as the partitioning strategy Click Next to proceed to the Disk Druid screen shown in Figure 10-10, which gives an overview of the drive partitions in the top portion of the screen; the details of drive partitions, RAID devices, and LVM configuration in the lower portion of the screen; and action buttons in the center. Figure 10-10. Disk Druid screen Start by scrolling through the partition list in the lower half of the window. Delete any existing partition that you no longer want by clicking on the partition to select it and then clicking the Delete button; confirm the deletion in the warning dialog that appears. 10.2.1.1. Creating a boot filesystem The GRUB bootloader used by Fedora can read only simple disk partitions, not Logical Volumes or RAID stripes. The exception is RAID 1 (mirroring): each element of a mirrored array holds a full copy of the filesystem, and the software RAID metadata written by the installer sits at the end of each element, so GRUB can read any one element as if it were an ordinary partition and boot from it.
Therefore, if you're using RAID levels other than RAID 1, or if you're using LVM, you must create a separate boot filesystem. The mount point for this filesystem is /boot, and the recommended size is 100 MB. If you are not using RAID, create a small partition to hold the boot filesystem. In Disk Druid click the New button, which will bring up the Add Partition dialog shown in Figure 10-11. Enter a mount point of /boot, deselect the checkboxes for all of the drives except the first one, and then click Next. This will create a 100 MB ext3 partition on the first disk drive. Figure 10-11. Add Partition window If you are using RAID, follow the steps in the next section to create a boot partition. 10.2.1.2. Creating RAID devices Table 10-1 shows RAID level recommendations for various numbers of disk drives. (Table 6-3 describes the RAID levels supported by Fedora.)

Table 10-1. RAID recommendations based on the number of same-sized disk drives

1 drive
    Cannot use RAID. Recoverable failure: none.

2 drives
    RAID 0. Recoverable failure: none. Improves performance but also increases the risk of data loss (losing either drive loses everything). Storage capacity equal to two drives.
    RAID 1. Recoverable failure: 1 drive. Storage capacity equal to one drive. This is the only RAID level that can be used for the /boot filesystem.

3 drives
    RAID 5. Recoverable failure: 1 drive. Storage capacity equal to two drives.

4 or more drives
    RAID 5 with no hot spares. Recoverable failure: 1 drive. Storage capacity equal to the number of drives minus one.
    RAID 5 with hot spare(s). Recoverable failure: 1 drive at a time, up to a sequential maximum of 1 + the number of hot spares. Storage capacity equal to the number of drives minus the number of hot spares minus one.
    RAID 6 with no hot spares. Recoverable failure: 2 drives. Storage capacity equal to the number of drives minus two.

5 or more drives
    RAID 6 with hot spare(s). Recoverable failure: 2 drives at a time, up to a maximum of 2 + the number of hot spares. Storage capacity equal to the number of drives minus the number of hot spares minus two.
To create a RAID array (device), you must first create the partitions that will make up the elements of the array. Start by creating a RAID 1 boot partition of about 100 MB on each drive. Although it's tempting to create a giant RAID partition to use the rest of the space, I recommend that you divide the space on each drive into five partitions of roughly equal size. For example, if you are using 120 GB disk drives, create five partitions of 24 GB; if you are using 10 GB drives, create five partitions of 2 GB. Combine these partitions into five RAID arrays, each incorporating one partition from each drive, and then combine those five RAID arrays into a single volume group. The advantage of this approach is that it lets you migrate to a different RAID level later, one array at a time, as long as a minimum of 20 percent of the VG space is free: the data on one array is moved to the others with pvmove, that array is removed from the VG and rebuilt at the new level, and then it is added back (see Lab 6.1, "Using Logical Volume Management"). To create a partition to serve as a RAID array element, click the New button in Disk Druid's main window. The Add Partition dialog will appear, as in Figure 10-12. Figure 10-12. Adding a RAID partition Another way to create a RAID partition is by clicking on the RAID button; the dialog in Figure 10-13 will appear, asking what you want to do next. Select the option "Create a software RAID partition" and click OK. Either way, for the File System Type, select "software RAID." Deselect all of the Allowable Drives checkboxes except one to indicate the drive on which you wish to create the partition. Enter the Size in megabytes, and select "Fixed size." Click OK to proceed. Repeat this process to create partitions for the other elements of the RAID array on the other drives. For example, when creating a 2 GB RAID 1 array that spans two drives, create a 2 GB software RAID partition on each of the two drives. Once you have created all of the partitions for the array, click the RAID button to view the RAID Options window, as shown in Figure 10-13. Figure 10-13.
RAID Options window Select the option to "Create a RAID device" and click OK. The Make RAID Device window will appear, as shown in Figure 10-14. Figure 10-14. Make RAID Device window To use this RAID array as a boot filesystem, enter the mount point /boot, set the File System Type to ext3, set the RAID Level to RAID 1, and then select the checkboxes of the RAID partitions that will serve as elements of the array. Click OK to create the filesystem. When creating a RAID array, use partitions that are exactly or almost exactly the same size, because the size of the smallest element defines the amount of space that will be used in each of the elements; any difference between the size of the smallest element and the size of each of the other elements is wasted space. To create a RAID array that will serve as a Physical Volume in an LVM Volume Group, set the File System Type to "Physical volume (LVM)," select the RAID Level, and select the checkboxes of the RAID partitions that will serve as elements of this array. Click OK to create the array. 10.2.1.3. Creating an LVM layout Whether you're using RAID or not, LVM is the best way to set up partitioning: the overhead is minuscule, and the flexibility that it buys is valuable. In order to configure LVM during installation, you need to create one or more partitions that will serve as physical volumes. There are two ways to do this: create an ordinary partition with the New button and set its File System Type to "physical volume (LVM)," or create a RAID device with that File System Type as described in the previous section. It usually doesn't make sense to combine RAID and plain disk partition PVs in the same volume group, because any logical volume that lands (even partly) on the unprotected partition loses the data protection provided by the RAID array. Once you have created the physical volumes, click the LVM button. The window shown in Figure 10-15 will be displayed. Figure 10-15. Make LVM Volume Group window Enter a descriptive volume group name, such as main for your primary volume group. The default physical extent size is 32 MB, which is a reasonable choice for most applications.
If you have a good reason to use a different extent size, set it now, because it cannot be easily changed after installation. Reducing the physical extent size increases the size of the LVM data structures but gives a finer granularity for assigning storage to logical volumes. Increasing the physical extent size slightly reduces the LVM overhead, increasing performance. Select the checkbox of all of the physical volumes you wish to use in this volume group. The next step is to create a logical volume to hold each filesystem you wish to create. Table 10-2 contains a list of recommended filesystems.

Table 10-2. Recommended filesystems for Fedora Core

/
    Recommended size: 10 GB. Required.

/home
    Recommended size: 10 GB or more, depending on how much data your users will be personally storing. Strongly recommended for any system where users will be logging in on the console or via remote SSH access (e.g., desktop systems, servers with personal user accounts), and for systems that are acting as file servers for personal files, such as a Samba server (see Lab 7.1, "Configuring Samba to Share Files with Windows Systems"). By separating the users' home directories onto a separate filesystem, you can reinstall the operating system in the future without affecting users' files.

/var
    Recommended size: 2 GB to 1 TB, depending on the applications in use. The /var filesystem holds data that is variable but that is not stored in the users' home directories: for example, databases, email, web pages, and queued print requests. Creating a separate filesystem segregates it for backup and makes it easier to reinstall the operating system without affecting this data.

To create each logical volume and filesystem, click the Add button at the bottom of the screen to access the Make Logical Volume window shown in Figure 10-16. Figure 10-16.
Make Logical Volume window Enter the chosen Mount Point and a descriptive logical volume name; then enter the desired size (leaving the File System Type set to the default, "ext3"). Click OK to return to the Make LVM Volume Group window; note that the LV size you entered is rounded to a multiple of the physical extent size in the Logical Volumes display. Repeat this process for the other logical volumes. It is best to leave some space within the VG unassigned so that you can use LVM snapshots and so that you can add space to a crowded filesystem without having to unmount another filesystem to reduce its size.  Finally, create a swap LV by clicking on the Add button in the Make LVM Volume Group window; when the Make Logical Volume window appears ( Figure 10-16 ), set the File System Type to "swap," and enter the desired swap size. Although traditional wisdom dictates a swap size twice as large as the system memory, it's reasonable to give a system with more memory less swapspace, and a system with less memory more swapspace. If in doubt, use the traditional figure as a starting point, since it can be changed later. The swapspace should be at least as large as the installed RAM (Disk Druid will warn you if it is not). Once you have configured all of the logical volumes, click OK in the Make LVM Volume Group window, and then click Next in the main Disk Druid window. Proceed with the installation as outlined in Chapter 1 . 10.2.2. How Does It Work? Like most of the Fedora system administration tools, Disk Druid (and Anaconda) are largely written in Python and interface with other open source tools such as parted , libparted , and lvm . The purpose of Disk Druid is to improve the installation experience by taking care of many of the partitioning, RAID configuration, and LVM setup details automatically. 
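The MBR partition table and the chain of extended partition tables that the rest of this "How Does It Work?" section describes are small enough to parse by hand. The following is an added example, not code from the book, from Disk Druid, or from parted: it builds a constructed disk image in memory (the partition starts and sizes are arbitrary and tiny, chosen only to keep the image small) and walks the MBR and the extended boot record chain the way a partition-table reader does, including the bounds check and loop check a parser needs before trusting pointers read from the disk.

```python
import struct

SECTOR = 512
ENTRY = struct.Struct("<B3sB3sII")   # boot flag, CHS start, type, CHS end, LBA start, sector count
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # DOS, Win95 LBA and Linux extended partition types
CHS_UNUSED = b"\xfe\xff\xff"           # placeholder CHS tuple; the LBA fields are authoritative


def make_entry(ptype, lba_start, count, boot=False):
    """Pack one 16-byte partition table entry."""
    return ENTRY.pack(0x80 if boot else 0x00, CHS_UNUSED, ptype, CHS_UNUSED, lba_start, count)


def make_table_sector(entries):
    """Build a 512-byte MBR/EBR: 446 bytes of code area, four entries, 0x55AA signature."""
    entries = list(entries) + [b"\x00" * 16] * (4 - len(entries))
    return b"\x00" * 446 + b"".join(entries) + b"\x55\xaa"


def build_demo_disk():
    """Constructed 64-sector image: one primary partition plus an extended partition
    that holds two logical partitions (assumed layout, not a real disk)."""
    disk = bytearray(64 * SECTOR)
    ext_base = 11
    disk[0:SECTOR] = make_table_sector([
        make_entry(0x83, 1, 10, boot=True),   # partition 1: Linux, bootable
        make_entry(0x05, ext_base, 50),        # partition 2: extended container
    ])
    # EBR 1: the logical partition starts 1 sector after this EBR; the link entry's
    # LBA is relative to the start of the extended partition, not to this EBR
    disk[ext_base * SECTOR:(ext_base + 1) * SECTOR] = make_table_sector([
        make_entry(0x83, 1, 9),
        make_entry(0x05, 10, 20),
    ])
    # EBR 2: last logical partition (swap), no link entry
    disk[(ext_base + 10) * SECTOR:(ext_base + 11) * SECTOR] = make_table_sector([
        make_entry(0x82, 1, 19),
    ])
    return bytes(disk)


def parse_table(sector):
    """Decode the four entries of an MBR or EBR; unused slots become None."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    out = []
    for i in range(4):
        boot, _, ptype, _, lba, count = ENTRY.unpack_from(sector, 446 + 16 * i)
        out.append(None if ptype == 0 else
                   {"boot": boot == 0x80, "type": ptype, "lba": lba, "count": count})
    return out


def read_sector(disk, lba):
    off = lba * SECTOR
    if off + SECTOR > len(disk):   # never follow an on-disk pointer off the end of the image
        raise ValueError("partition table points outside the disk (LBA %d)" % lba)
    return disk[off:off + SECTOR]


def list_partitions(disk):
    """Return primary, extended and logical partitions with absolute LBA offsets,
    walking the EBR chain the way the kernel and parted do (logicals start at 5)."""
    parts, ext_base = [], None
    for i, e in enumerate(parse_table(read_sector(disk, 0))):
        if e is None:
            continue
        kind = "extended" if e["type"] in EXTENDED_TYPES else "primary"
        if kind == "extended":
            ext_base = e["lba"]
        parts.append(dict(number=i + 1, kind=kind, **e))
    if ext_base is None:
        return parts
    ebr_lba, number, seen = ext_base, 5, set()
    while ebr_lba not in seen:             # a crafted looping chain must not hang the reader
        seen.add(ebr_lba)
        data, link = parse_table(read_sector(disk, ebr_lba))[:2]
        if data is not None:
            parts.append(dict(number=number, kind="logical", boot=data["boot"],
                              type=data["type"], lba=ebr_lba + data["lba"], count=data["count"]))
            number += 1
        if link is None or link["type"] not in EXTENDED_TYPES:
            return parts
        ebr_lba = ext_base + link["lba"]
    raise ValueError("EBR chain loops back to LBA %d" % ebr_lba)


if __name__ == "__main__":
    for p in list_partitions(build_demo_disk()):
        print("%d %-8s type=0x%02x boot=%-5s start=%d sectors=%d"
              % (p["number"], p["kind"], p["type"], p["boot"], p["lba"], p["count"]))
```

The two relative-offset rules are the part people get wrong: a logical partition's start is relative to its own EBR, while the link to the next EBR is relative to the start of the whole extended partition. The loop and bounds checks matter because the chain is data read from the medium; a USB stick or disk image prepared by someone else can carry a table that points past the end of the device or back onto itself.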
While other partitioning tools such as fdisk and parted require the user to keep track of partition numbers and starting and ending locations, and to use cylinders as a unit of measure, Disk Druid handles partition numbering automatically (even including drive selection, where appropriate). On a PC, the first sector of each disk drive stores a Master Boot Record (MBR). The 64 bytes immediately before the MBR's two-byte boot signature (0x55AA) hold the partition table, which has room for four 16-byte entries; each entry contains a boot flag, a partition type code, the cylinder/head/sector (CHS) addresses of the partition's first and last sectors, and, in the fields modern systems actually rely on, the logical block address (LBA) of the first sector and the number of sectors. If more than four partitions are required, one of the MBR entries is given an extended partition type and points to an extended partition, whose first sector contains its own partition table (an extended boot record). That table holds at most one logical partition entry and one link entry pointing to the next extended boot record inside the extended partition, which in turn holds one logical partition and one link, and so on. Following this chain, the system can find any number of logical partitions; they are numbered starting at 5 regardless of how many of the four MBR entries are in use. 10.2.3. What About... 10.2.3.1. ...disk partitions on non-PC systems? There are many different types of disklabels, or disk partition table types, used on different types of systems. Of particular note for Fedora users is the fact that Mac systems use a different, more capable disk partition table. parted is able to display, create, and manipulate nine different types of disklabels, including those for IBM AIX Unix systems, Macs, PCs (called msdos in the parted documentation), Sun systems, and many others. 10.2.4. Where Can I Learn More? parted, fdisk, lvm, and mdadm 10.3. Preparing Alternate Installation Media The Fedora Core installation process is usually booted from CD or DVD, but it may also be booted from a USB flash disk or hard disk drive, or from a PXE boot server. In addition, Fedora Core permits the use of an FTP or HTTP server as the package source during installation. These alternate installation media must be specially prepared before use. 10.3.1. How Do I Do That?
Before preparing alternate boot media, check that the target system can boot from the media you wish to use. Examine the BIOS of the system on which Fedora will be installed to see if it supports booting from a USB flash drive or a PXE server; if not, select a different installation medium. 10.3.1.1. Preparing a USB drive To configure a USB drive for booting, download the USB boot image by selecting a mirror site from the web page http://fedora.redhat.com/Download/mirrors.html and going to that mirror with a web browser. Select the directory for the desired Fedora Core version number (e.g., 6), then the directory for your machine architecture (i386, PPC, or x86_64), then select the os directory, and then select the images subdirectory. Download the file named diskboot.img (you can also find this in the /images directory of the Fedora Core DVD or the first disc of the CD set). The directory layout varies slightly among the mirror sites. If the mirror publishes a checksum file alongside the image, verify the download against it before writing the image to a drive you will boot from. Once you have obtained the diskboot.img file, transfer it to your USB flash drive using a Linux system. First, insert the drive into the system; you should see an icon appear on the desktop. This procedure will wipe out everything on your USB flash drive! Back up the drive contents before proceeding. Use the df command to determine the drive's device name:

$ df -h
Filesystem             Size  Used Avail Use% Mounted on
/dev/mapper/main-root   30G   14G   15G  48% /
/dev/md0               251M   41M  197M  18% /boot
/dev/shm               506M     0  506M   0% /dev/shm
/dev/mapper/main-home   14G  6.6G  7.0G  49% /home
/dev/mapper/main-var    65G   56G  8.0G  88% /var
/dev/hdb1               99M   24M   71M  26% /mnt/oldboot
/dev/hdb3              109G   75G   29G  73% /mnt/oldroot
/dev/hda6               14G  4.1G  8.5G  33% /mnt/x-root
/dev/sdb1              8.0M  6.4M  1.7M  80% /media/usbdisk1

In this case, the device name is /dev/sdb1; its size and its mount point under /media confirm that it is the flash drive and not one of the system's own disks, which is worth checking before running any command that overwrites a device. Unmount that device:

# umount /dev/sdb1

(Notice that there is only one n in umount.)
Now copy the boot image to the USB flash drive:

# dd if=diskboot.img of=/dev/sdb1
16384+0 records in
16384+0 records out

Flush the system disk buffers to ensure that the data is written out to the drive before you unplug it:

# sync

The USB flash drive is now ready for booting. Insert the drive into the target system, turn it on, and use the BIOS options to specify that the system is to be booted from the USB drive; the rest of the process will be identical to booting from a CD or DVD. When you're done using the drive to install Fedora Core, you'll find that it looks like an 8 MB drive, regardless of its actual capacity, because the image carries its own 8 MB filesystem. To restore the full capacity, create a fresh FAT filesystem on the partition:

# mkdosfs /dev/sdb1
mkdosfs 2.10 (22 Sep 2003)

10.3.1.2. Preparing a network installation server You can use any FTP, HTTP, or NFS server for network installation, but of these three, HTTP is the easiest to set up and has the least overhead. You'll need the full set of installation files. You can copy the entire contents of the DVD (or each of the five CDs) into a directory under your web server's document root, which is /var/www/html on Fedora:

# mkdir /var/www/html/fedora
# cp -R /media/discname/. /var/www/html/fedora

Replace /media/discname with the disc mount point (see the output of df). Instead of copying the files, you could leave the DVD in your drive (this won't work with CDs, since you need several of them) and create a symbolic link from your web server's document root to the DVD mount point:

# ln -s /media/discname /var/www/html/fedora

The DVD's ISO 9660 filesystem cannot store the extended attributes that hold SELinux contexts, so with SELinux enforcing, httpd will be denied access to the files on it. Rather than disabling SELinux enforcement for httpd, mount the disc with the context= mount option so that every file on it is labeled with the same httpd content type as files under /var/www/html; that keeps the rest of the policy in force while you serve the disc. Alternatively, you can download the files directly into your web server directory.
Go to the web page http://fedora.redhat.com/Download/mirrors.html, select an rsync, HTTP, or FTP mirror site for download, and download the entire distribution (all of the files and subdirectories in the os directory for your platform). The directory layout varies from mirror to mirror. Use a browser to connect to your selected mirror site to confirm the directory names for the following commands. On an existing Fedora Core system, you can do this by first creating a directory under the web server's document root:

# mkdir /var/www/html/fedora

Then fetch all of the files into that directory:

# cd /var/www/html/fedora
# wget -nH --cut-dirs=4 -r http://less.cogeco.net/pub/fedora/linux/core/6/

Note that the URL here is taken from the mirror list, but has the Fedora Core release number (6) added to the end (replace this URL with that of a mirror close to you). The -nH option stops wget from creating a directory named after the host, and --cut-dirs=4 removes four leading directory names (pub/fedora/linux/core) from the retrieved paths before saving them, so the tree lands in 6/ directly under the current directory. wget follows links only five directory levels deep by default; add -l inf if your mirror nests the files more deeply than the one shown here. The downloaded tree will include the ISO files. If you'd rather not download them, use the -X option when you run wget:

# cd /var/www/html/fedora
# wget -nH -X '/*/*/*/*/*/*/iso' --cut-dirs=4 -r \
    http://less.cogeco.net/pub/fedora/linux/core/6/

(The \ indicates that the command continues on the next line; you can leave it out and type everything on one line.) The downloaded directory indexes will be saved as files starting with index.html; these can be deleted using the find command:

# find /var/www/html/fedora -name 'index.html*' -print -exec rm {} \;

The wget command can also be used with FTP sites:

# cd /var/www/html/fedora
# wget -X '/*/*/*/*/*/*/iso' -nH --cut-dirs=4 -r \
    ftp://ftp.muug.mb.ca/pub/fedora/linux/core/6/

To fetch files from an rsync mirror, use the rsync command:

# cd /var/www/html/fedora
# rsync -v --recursive rsync://fedora.cat.pdx.edu/fedora-linux-core/6 .

Don't miss the . at the end of the line!
Ensure that the httpd service is started (see Lab 7.5, "Using the Apache Web Server"), and then start the installation on the target system using your choice of boot media (disc, PXE boot, or USB drive). 10.3.1.3. Preparing a PXE Boot Server To configure a PXE boot server, you will need the tftp-server, xinetd, system-config-netboot, and dhcp packages. You will also need a working network installation server, as described in the previous section. Before configuring a PXE Boot Server, confirm that the installation target machines use the PXE protocol for network booting. To configure the PXE server, start system-config-netboot from the System menu; the boot-type selection dialog shown in Figure 10-17 will appear. Figure 10-17. Network boot-type selection Click on the Network Install button, and the Network Installation Dialog in Figure 10-18 will appear. Figure 10-18. Network Installation Dialog Enter fc6 as the operating system identifier, type an easily readable description of the OS to be installed, select the protocol for installation, and then enter the IP address and the server directory in which the software is installed. Leave the Kickstart field blank (even if you're using a Kickstart file). Click OK to proceed. You will now see the main window of the netboot configuration tool, shown in Figure 10-19. This window is used to associate the operating system identifier of the configuration you just created (fc6) with a particular range of IP addresses. Figure 10-19. Main netboot configuration window Click New to add a new IP entry in the dialog shown in Figure 10-20. To configure one specific computer, enter that computer's hostname or IP address; to configure an entire subnet, enter the subnet. Figure 10-20. Entering the netboot configuration for a new IP address or subnet The format for entering the subnet is a bit unusual; you must enter just the network part of the address.
For example, the IP address 172.16.97.32 with a netmask of 255.255.255.0 yields a network number of 172.16.97 and a host number of 32, so you would enter 172.16.97 into the IP Address Subnet field. If you have created more than one network installation profile, select the correct value for the Operating System field. Enter the Kickstart URL, if any, into the Kickstart File field, and then click OK. The main system-config-netboot window will show the new entry; you can now close the window. The next step is to configure a DHCP server using the file /etc/dhcpd.conf. In addition to the regular configuration options, you will need to add one additional statement. If you don't otherwise need DHCP, use this minimal configuration file:

# /etc/dhcpd.conf file for PXE booting
ddns-update-style none;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.16 192.168.1.250;
    filename "linux-install/pxelinux.0";
}

The additional statement is the filename line, which tells the client which file to load via TFTP. linux-install/pxelinux.0 is the pxelinux bootloader; the path is relative to /tftpboot on the server. You can run the DHCP and TFTP servers on different machines if you add a next-server line to the DHCP configuration:

next-server 192.168.1.3;

This configures the next phase of the boot process to use the TFTP server at the IP address 192.168.1.3. Do not run more than one DHCP server on your LAN. If you have a DHCP server on a router or gateway device, disable it while using the PXE boot server. Keep in mind that neither DHCP nor TFTP authenticates anything: a PXE client boots whatever the first DHCP answer and the named TFTP server hand it, so run the PXE server only on a network segment you control, and stop the dhcpd and xinetd services when the installations are finished. Finally, configure the tftp Xinetd service and start the xinetd and dhcpd services (see Lab 7.2, "Configuring a DHCP Server"). To use the PXE boot server, start the target system and select Network Boot using the BIOS options. A boot display similar to that shown in Figure 10-21 should appear. Figure 10-21. PXE boot process The system will then proceed with the normal Fedora Core installation process. 10.3.2. How Does It Work?
All Fedora Core boot media use one of the bootloaders from the isolinux/syslinux/pxelinux family. These programs have been specifically tailored for booting from optical disk, removable disk drives, and PXE boot servers. Each of them uses text files to configure the available boot options.

The USB boot image diskboot.img is a complete image of a bootable 8 MB VFAT (MS-DOS FAT with long filenames) filesystem. This filesystem contains the isolinux bootloader, the kernel, the initrd ramdisk image, and configuration files.

The Intel Preboot Execution Environment (PXE) specification is used for network booting of Fedora systems. The PXE boot process uses the pxelinux bootloader, which is retrieved from /tftpboot/linux-install/pxelinux.0 on the TFTP server. Once it is running, pxelinux searches for an appropriate configuration file in /tftpboot/linux-install/pxelinux.cfg, first trying for a file named with the hardware MAC address of the target system's Ethernet adapter, then a series of filenames generated from the target's IP address written in hexadecimal, and then finally the file default.

The system-config-netboot tool is executed when you select it from the System menu; it creates a file in /tftpboot/linux-install/pxelinux.cfg named according to the network address specified in the GUI. For example, if the user specifies a certain configuration for the IP network 192.168.1, the configuration is stored in the file /tftpboot/linux-install/pxelinux.cfg/C0A801, because 192.168.1 in decimal corresponds to C0A801 in hexadecimal. system-config-netboot obtains the pxelinux bootloader, Linux kernel, and initrd files from the specified network installation server (the pxelinux bootloader is found in the /images directory on the network installation server).

A network installation server is not intended to provide boot files for the installation, so its only purpose is to provide the package files and other information needed to install Fedora Core after the installation environment has loaded.
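The configuration-file lookup just described, worked out in shell as an added example (not code from the book): given a client's MAC and IP address it lists the filenames pxelinux will try under pxelinux.cfg, in order, and it converts a network number such as 192.168.1 into the C0A801 form that system-config-netboot uses. The "01-" prefix on the MAC-address filename is pxelinux's own convention and is not mentioned in the text above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the book: reproduce the pxelinux.cfg search order
# described in the text. Assumes pxelinux's real naming rules: the MAC file is
# "01-" plus the address in lowercase with dashes, the IP files are the
# address in uppercase hex shortened one digit at a time, then "default".

# Convert a dotted address, or just its leading octets (a network number
# such as 192.168.1), to uppercase hex with two digits per octet.
# 192.168.1 -> C0A801, as system-config-netboot names its files.
ip_to_hex() {
    hex=""
    old_ifs=$IFS
    IFS=.
    for octet in $1; do
        hex=$(printf '%s%02X' "$hex" "$octet")
    done
    IFS=$old_ifs
    printf '%s' "$hex"
}

# Print, one per line, the filenames pxelinux tries in
# /tftpboot/linux-install/pxelinux.cfg for a client with MAC $1 and IP $2.
pxelinux_cfg_candidates() {
    mac=$1
    ip=$2
    # 1. Hardware-address file: ARP type 01, MAC lowercased, colons to dashes.
    printf '01-%s\n' "$(printf '%s' "$mac" | tr 'A-F:' 'a-f-')"
    # 2. Full IP in hex, then drop one trailing digit at a time:
    #    C0A80120, C0A8012, C0A801, ... C. A subnet-wide file written by
    #    system-config-netboot (C0A801) is therefore matched third.
    hex=$(ip_to_hex "$ip")
    while [ -n "$hex" ]; do
        printf '%s\n' "$hex"
        hex=${hex%?}
    done
    # 3. Last resort.
    printf 'default\n'
}

# Demo with constructed values: a client at 192.168.1.32.
pxelinux_cfg_candidates 00:1A:2B:3C:4D:5E 192.168.1.32
```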
While FTP, NFS, and HTTP are all available, NFS and FTP use multiple ports (NFS actually relies on multiple server programs), whereas HTTP uses a single server on a single port.

10.3.3. What About...

10.3.3.1. ...installing from a public HTTP or FTP server?

It is possible to install directly from a public Fedora Core HTTP or FTP mirror; simply enter the mirror URL as the server for the HTTP or FTP installation methods. However, doing so generates a lot of Internet traffic, resulting in a long installation time, and the likelihood of a network error aborting the entire installation partway through is higher than it would be on a local LAN. If you are going to install more than once, it's a better idea to download the files onto a local machine for speed.

10.3.3.2. ...booting the installer from a mini-CD?

The normal Fedora Core CD 1 is too large to fit on a mini-CD, but the boot image in /images/boot.iso on that CD (or the Fedora Core mirror servers) is under 8 MB in size and will easily fit on an 8 cm mini-CD or a "business card" CD.

10.3.3.3. ...booting the installer from floppy disk?

Unfortunately, the Fedora Core installation boot files are now too large to fit on a 1.44 MB floppy disk. However, you may be able to use the 8 MB USB disk image file (diskboot.img) with a larger removable disk, such as a Zip or LS-120 disk.

10.3.3.4. ...configuring a PXE installation from the command line?

Although system-config-netboot is recommended for PXE configuration, you can also use the pxeos and pxeboot commands to configure PXE from the command line.
To configure a version of Fedora Core for PXE booting:

    # pxeos -a -i "Fedora Core 6" -p HTTP -D 0 -s 192.168.1.2 -L /fedora fc6

These are the arguments used:

-a
    Add to the existing configuration
-i "Fedora Core 6"
    The descriptive identification for this entry
-p HTTP
    Installation protocol (can be HTTP, FTP, or NFS)
-D 0
    Sets this up as an installation instead of a diskless boot
-s 192.168.1.2
    The HTTP, FTP, or NFS server address
-L /fedora
    The pathname on the server; in this example, the -p, -s, and -L options combine to be equivalent to http://192.168.1.2/fedora
fc6
    The operating system identifier

To configure specific hosts to use the fc6 boot image:

    # pxeboot -a -O fc6 192.168.1

This will configure all hosts that have an IP address beginning with 192.168.1 to use the fc6 configuration. To configure the use of a Kickstart file (see the next lab), add the option -K followed by the Kickstart URL.

10.3.4. Where Can I Learn More?

The manpages for dd, httpd, mkdosfs, rsync, wget, system-config-netboot, dhcpd, dhcpd.conf, tftpd, pxeos, and pxeboot

system-config-netboot: file:///usr/share/doc/system-config-netboot-0.1.38/index.html

syslinux home page (which includes the isolinux and pxelinux bootloaders): http://syslinux.zytor.com/

10.4. Installing with Kickstart

In a normal Fedora Core installation, Anaconda asks a number of questions before beginning the actual installation procedure, which then runs without any user intervention (except for changing CDs, if that is the chosen installation method). Kickstart is a Fedora installation option that uses a text file to supply basic configuration information so that Anaconda can skip all of the questions normally asked during installation.

10.4.1. How Do I Do That?

To use Kickstart, you must create a Kickstart file using any regular text editor. A Kickstart file contains a number of options, one per line, with arguments. These options are required:

auth or authconfig
    Configures the authentication system.
    For normal password authentication, use the arguments --enableshadow --enablemd5.
bootloader
    The GRUB installation location and password. For an upgrade, use --upgrade; for a new installation, use --location=mbr --md5pass=encryptedpassword (I cover how to generate encrypted passwords shortly).
lang
    Selects the language to be used during installation. Possible values are listed in /usr/share/system-config-language/locale-list; for U.S. English, use the argument en_US.
keyboard
    The keyboard type to be used. Specify us for a standard North American English keyboard, or use one of the codes found in /usr/lib/python2.4/site-packages/rhpl/keyboard_models.py (such as cf for Canadian French).
rootpw
    The root password. Use the arguments --iscrypted encryptedpassword.
timezone
    The time zone for the system. The third column of /usr/share/zoneinfo/zone.tab lists possible values, such as America/Toronto or Asia/Shanghai. Add the argument --utc if the system clock is in UTC (recommended except when the system is dual-boot and you are in a time zone that has daylight savings time).

To encrypt a password for the bootloader and root access, use the openssl command:

    $ openssl passwd -1 -salt "RaNDoMjuNk" "MySecretPassword"
    $1$RaNDoMju$OS0p7cTCbvCJ2ITUfcovM1

Replace RaNDoMjuNk with any garbage characters you want to use, and MySecretPassword with the desired password. Cut and paste the result into the Kickstart file as the encrypted password.

Here is a basic configuration using these options:

    auth --enableshadow --enablemd5
    bootloader --location=mbr --md5pass=$1$RaNDoMju$OS0p7cTCbvCJ2ITUfcovM1
    lang en_US
    keyboard us
    rootpw --iscrypted $1$RaNDoMju$OS0p7cTCbvCJ2ITUfcovM1
    timezone America/Toronto

Next, specify the installation source and networking:

cdrom
    Installation from the first optical disk drive on the system (CD or DVD).
url
    HTTP or FTP installation.
    Use the argument --url http://host/directory or --url ftp://host/directory to specify the location of the installation files.
nfs
    NFS installation. Use --server=ip_address and --dir=directory to specify the server host and directory that contain the installation files.
harddrive
    Installation from a VFAT or ext2/ext3 partition on a local hard drive. Use the arguments --partition=partitionId and --dir=/directory to specify the location of the installation files. The partitionId must be one of the hard drive device names from Table 1-4, with the partition number appended, without the /dev/ directory (for example, hda2 for partition 2 on the IDE/ATA primary slave drive).
network
    Configures IP networking for the installed system. If the system already has networking enabled (for example, because it booted from a PXE server), then that configuration is used for the rest of the installation, but if no network configuration has been set up for the installation and one is required, this configuration is used. The argument --bootproto=method sets the network configuration method: dhcp, bootp, or static. If you specify static, use the options --ip=ip_address --netmask=subnetmask --gateway=router_ip --nameserver=nameserver_ip to configure the network interface. If you have more than one network interface, use the --device=devicename option; to configure the interface to be inactive at boot, use --onboot=off.

Note that the directory specified for the url or nfs options must contain the fedora directory of the installation tree; in other words, it must be equivalent to the root directory of the Fedora Core CD or DVD.
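As an added example (not code from the book), here is a shell check of the options covered so far, meant to be run on a Kickstart file before it is copied to a web, FTP, or NFS server: it confirms that each required option appears exactly once, that rootpw and bootloader carry hashed rather than cleartext passwords (the file will be readable by every host that can reach the server), and that exactly one installation source is given. The function names and the two sample files are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the book: sanity-check a Kickstart file before
# publishing it. Function names are hypothetical; sample files are
# constructed here from the options described in the text.

# Count non-comment lines in file $1 that start with option $2.
# $2 may be an extended-regex alternation such as 'auth|authconfig'.
ks_count() {
    grep -E -c "^[[:space:]]*($2)([[:space:]]|\$)" "$1" || true
}

# Return 0 if Kickstart file $1 passes every check, 1 otherwise.
# Problems are reported on standard output, one per line.
ks_check() {
    ks=$1
    errors=0

    # Each required option must appear exactly once.
    for opt in 'auth|authconfig' bootloader lang keyboard rootpw timezone; do
        n=$(ks_count "$ks" "$opt")
        if [ "$n" -ne 1 ]; then
            echo "ERROR: option '$opt' appears $n times (expected 1)"
            errors=$((errors + 1))
        fi
    done

    # rootpw must carry an MD5-crypt hash ($1$...), never a cleartext
    # password: the file is served to every host that can reach the server.
    if ! grep -E -q '^[[:space:]]*rootpw[[:space:]]+--iscrypted[[:space:]]+\$1\$' "$ks"; then
        echo "ERROR: rootpw is not an --iscrypted MD5 hash"
        errors=$((errors + 1))
    fi

    # A new installation should set a GRUB password with --md5pass;
    # an upgrade (--upgrade) keeps the existing bootloader configuration.
    if grep -E -q '^[[:space:]]*bootloader[[:space:]]' "$ks" &&
       ! grep -E -q '^[[:space:]]*bootloader[[:space:]].*--upgrade' "$ks" &&
       ! grep -E -q '^[[:space:]]*bootloader[[:space:]].*--md5pass=\$1\$' "$ks"; then
        echo "ERROR: bootloader has neither --upgrade nor an --md5pass hash"
        errors=$((errors + 1))
    fi

    # Exactly one installation source: cdrom, url, nfs, or harddrive.
    src=0
    for opt in cdrom url nfs harddrive; do
        src=$((src + $(ks_count "$ks" "$opt")))
    done
    if [ "$src" -ne 1 ]; then
        echo "ERROR: expected one installation source, found $src"
        errors=$((errors + 1))
    fi

    [ "$errors" -eq 0 ]
}

# Write two constructed sample files into directory $1: good.cfg follows
# the text's basic configuration; bad.cfg has a cleartext root password,
# no bootloader password, and no timezone.
ks_write_samples() {
    mkdir -p "$1"
    cat >"$1/good.cfg" <<'EOF'
auth --enableshadow --enablemd5
bootloader --location=mbr --md5pass=$1$RaNDoMju$OS0p7cTCbvCJ2ITUfcovM1
lang en_US
keyboard us
rootpw --iscrypted $1$RaNDoMju$OS0p7cTCbvCJ2ITUfcovM1
timezone America/Toronto
url --url=http://192.168.1.2/fc6/
EOF
    cat >"$1/bad.cfg" <<'EOF'
auth --enableshadow --enablemd5
bootloader --location=mbr
lang en_US
keyboard us
rootpw MySecretPassword
url --url=http://192.168.1.2/fc6/
EOF
}
```

Run ks_check /path/to/ks.cfg; an exit status of 0 means the file passed every check, and each problem found is printed as an ERROR line.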
To specify HTTP as the installation method on a system with two network interfaces (one configured with DHCP and one with a static IP), use a configuration like this:

    url --url=http://192.168.1.2/fc6/
    network --bootproto=dhcp --device eth0
    network --bootproto=static --device eth1 \
        --ip 10.2.97.33 --netmask=255.255.255.0

If a Kickstart option line ends with \, it is continued on the next line.

If you are using Kickstart to perform an upgrade instead of an installation, use the upgrade option. Otherwise, use these options to lay out the storage:

zerombr
    Clears any invalid partition tables. Use this option with just one argument: yes.
autopart
    Sets up the default partition structure, which includes a /boot filesystem and a volume group with logical volumes for swap and the root filesystem. If part options are also present, they will selectively override the default setup for the same mount point.
clearpart
    Clears existing partition table entries. Use the argument --all to clear all partitions, --linux to clear all Linux partitions, --drives=drive1,drive2 to specify the drive or drives to be cleared, and --initlabel to enable the creation of disk labels (partition tables) on empty drives.
part or partition
    Creates a disk partition. Provide an option identifying the mount point (such as /boot) or one of the keywords swap, raid.NN, or pv.NN, where NN is a RAID or physical volume number (01 to 99). Then use the arguments --size=size and --maxsize=maxsize to set the minimum and maximum partition sizes in megabytes, and --grow to indicate that the filesystem can be expanded to fill the maximum size if it is specified (or all of the remaining free space if a maximum is not specified). --ondrive=drive can be used to force the use of a particular drive; use drive names from Table 1-4. Use --fstype=filesystem to configure the filesystem type (ext2, ext3, or vfat).
raid
    Creates a RAID device from partitions defined with the part option.
    Use the argument --level=raidlevel to set the RAID level to 0, 1, 5, or 6, and the argument --device=devicename to set the RAID device name (such as md0 or md12). If the array will have hot spares, specify the number of hot spares with the argument --spares=S. Set the filesystem type with --fstype=filesystem, and then list the mount point (or swap for a swap device, or pv.NN for physical volume number NN). Finally, list the partition names (raid.NN) that will make up the elements of this array.
volgroup
    Creates a volume group. Supply the volume group name (such as main) and a list of physical volumes (pv.NN) as arguments.
logvol
    Creates a logical volume. Use the --vgname=volumegroup argument to select the volume group, --size=size to set the LV size in megabytes, and --name=lvname to set the name. Specify the mount point (or swap for a swap partition) as a separate argument.

For example, if you had a system with two 200 GB disks (as the master IDE/ATA drives on the primary and secondary disk controllers) with RAID 1 and LVM (see Lab 6.2, "Managing RAID"), the storage layout options would look like this:

    # General partitioning options
    clearpart --all --initlabel --drives=hda,hdc
    zerombr yes

    # Partitions
    # Two IDE disk drives, hda and hdc
    part raid.01 --size 100 --ondrive=hda
    part raid.02 --size 40000 --ondrive=hda
    part raid.03 --size 40000 --ondrive=hda
    part raid.04 --size 40000 --ondrive=hda
    part raid.05 --size 40000 --ondrive=hda
    part raid.06 --size 1 --ondrive=hda --grow
    part raid.07 --size 100 --ondrive=hdc
    part raid.08 --size 40000 --ondrive=hdc
    part raid.09 --size 40000 --ondrive=hdc
    part raid.10 --size 40000 --ondrive=hdc
    part raid.11 --size 40000 --ondrive=hdc
    part raid.12 --size 1 --ondrive=hdc --grow

    # RAID arrays
    # Six RAID arrays, all RAID 1:
    # - one is 100 MB /boot array
    # - five are 40GB PV arrays
    #   (4 * 40000 MB, remaining space in last array)
    raid /boot --device md0 --level=RAID1 raid.01 raid.07 --fstype ext3
    raid pv.01 --device md1 --level=RAID1 raid.02 raid.08
    raid pv.02 --device md2 --level=RAID1 raid.03 raid.09
    raid pv.03 --device md3 --level=RAID1 raid.04 raid.10
    raid pv.04 --device md4 --level=RAID1 raid.05 raid.11
    raid pv.05 --device md5 --level=RAID1 raid.06 raid.12

    # Volume Group 'main'
    volgroup main pv.01 pv.02 pv.03 pv.04 pv.05

    # LVs for root (10GB), /home (35GB), /var (35GB), and swap (1GB),
    # leaving about 20 GB available for snapshots and future expansion
    # of the LVs
    logvol swap --vgname=main --size=1024 --name=swap
    logvol / --vgname=main --size=10000 --name=root --fstype=ext3
    logvol /home --vgname=main --size=35000 --name=home --fstype=ext3
    logvol /var --vgname=main --size=35000 --name=var --fstype=ext3

You can now specify the user interface mode during installation:

text
    Install in full-screen text mode.
cmdline
    Install in text mode without the full-screen display.
interactive
    Present the normal interactive prompts at the start of the installation process, but use the values from the Kickstart file as the defaults. The user can then override the values.
autostep
    Run through the interactive prompts automatically, like a slideshow; this may be helpful for debugging.

You can also include instructions on how the final user interface is to be configured:

skipx
    Don't configure the X Window System.
xconfig
    Although you can specify many arguments for the X Window configuration, in most cases it's best to let Anaconda discover your hardware configuration by probing. Set the screen resolution with --resolution=WxH, and set the maximum color depth with --depth=24. To configure the system to start in runlevel 5 instead of runlevel 3 (see Lab 4.5, "Using Runlevels"), use the argument --startxonboot.
Putting these options together for a text-based, hands-off installation configured so that the installed system will start up with a graphical login prompt (1024x768 resolution, 16-million-color display), use:

    text
    xconfig --startxonboot --depth=24 --resolution=1024x768

Next comes security:

firewall
    Configures the network firewall. Use --enabled to turn the firewall on or --disabled to turn it off. If you have multiple network interfaces and don't want to firewall some of them, use a --trust=ethN argument for each unprotected interface. To permit connections on particular ports, use the argument --port=port:proto,port:proto, or select a combination of the abbreviations --http, --smtp, --ftp, --telnet, and --ssh.
selinux
    Disables SELinux if used with the --disabled argument, or produces warning messages but does not enforce security policy if --permissive is specified.

This is a typical configuration:

    firewall --enabled --port=5900:tcp --ssh --http --smtp

TCP port 5900 is the port used for VNC.

You can now specify what should happen after the installation is complete:

firstboot
    Enables the interactive post-installation configuration during the first boot of the new system. Normally, this is not performed after a Kickstart installation. Use the --enable option to enable a normal first-boot session or --reconfig to enable additional settings to be changed (including the keyboard, language, and network settings).
poweroff
    Turns the system off after installation (if the system can be turned off by the kernel).
halt
    Halts the system after installation but doesn't turn the power off.
reboot
    Restarts the computer after installation. If the installation media is still present or you used PXE booting to start the installation process, this may lead to an endless cycle of installations.
To shut the system down and allow for reconfiguration when the system is first turned on, use:

    firstboot --reconfig
    poweroff

At the very end of the Kickstart file, place the option %packages, followed by a list of packages to be installed, one per line. To see the available package names, look in the Fedora directory of the installation tree (e.g., the installation DVD or network installation server). Instead of selecting packages individually, you can choose groups of packages as shown in Table 10-3.

Table 10-3. Package groups available in Fedora Core 6

Category                Available package groups

Desktop environments    @gnome-desktop @kde-desktop

Applications            @authoring-and-publishing @editors
                        @engineering-and-scientific @games @graphical-internet
                        @graphics @office @sound-and-video @text-internet

Development             @development-libs @development-tools @eclipse
                        @gnome-software-development @java-development
                        @kde-software-development @legacy-software-development
                        @ruby @x-software-development

Servers                 @dns-server @ftp-server @legacy-network-server
                        @mail-server @mysql @network-server @news-server
                        @printing @server-cfg @smb-server @sql-server
                        @web-server

Base system             @admin-tools @base @base-x @dialup @dns-server @java
                        @legacy-software-support @system-tools

Languages               @arabic-support @assamese-support @bengali-support
                        @bulgarian-support @chinese-support @croatian-support
                        @czech-support @estonian-support @gujarati-support
                        @hebrew-support @hindi-support @hungarian-support
                        @japanese-support @korean-support @polish-support
                        @punjabi-support @romanian-support @russian-support
                        @serbian-support @slovak-support @slovenian-support
                        @tamil-support @thai-support @ukrainian-support

Use * to select all available packages (dependencies and conflicts permitting).
On the other extreme, use the special package group @core to install a very minimal, text-based system (almost too small to be usable but a good starting point for very compact systems) or @base to install a small text-based system with enough basic software to be useful.

To exclude a package, prepend a minus sign:

    -hdparm

For example, if you wanted GNOME, office applications, Samba, printing capability, support for Russian, the GIMP graphics editor, and the Tomboy note program, place these lines at the end of the Kickstart file:

    %packages
    @gnome-desktop
    @office
    @smb-server
    @printing
    @russian-support
    gimp
    tomboy

Putting this all together, we get this Kickstart file:

    auth --enableshadow --enablemd5
    bootloader --location=mbr --md5pass=$1$RaNDoMju$OS0p7cTCbvCJ2ITUfcovM1
    lang en_US
    keyboard us
    rootpw --iscrypted $1$RaNDoMju$OS0p7cTCbvCJ2ITUfcovM1
    timezone America/Toronto

    url --url=http://192.168.1.2/fc6/
    network --bootproto=dhcp --device eth0
    network --bootproto=static --device eth1 \
        --ip 10.2.97.33 --netmask=255.255.255.0

    # General partitioning options
    clearpart --all --initlabel
    zerombr yes

    # Partitions
    # Two IDE disk drives, hda and hdc
    part raid.01 --size 100 --ondrive=hda
    part raid.02 --size 40000 --ondrive=hda
    part raid.03 --size 40000 --ondrive=hda
    part raid.04 --size 40000 --ondrive=hda
    part raid.05 --size 40000 --ondrive=hda
    part raid.06 --size 1 --ondrive=hda --grow
    part raid.07 --size 100 --ondrive=hdc
    part raid.08 --size 40000 --ondrive=hdc
    part raid.09 --size 40000 --ondrive=hdc
    part raid.10 --size 40000 --ondrive=hdc
    part raid.11 --size 40000 --ondrive=hdc
    part raid.12 --size 1 --ondrive=hdc --grow

    # RAID arrays
    # Six RAID arrays, all RAID 1:
    # - one is 100 MB /boot array
    # - five are 40GB PV arrays
    #   (4 * 40000 MB, remaining space in last array)
    raid /boot --device md0 --level=RAID1 raid.01 raid.07 --fstype ext3
    raid pv.01 --device md1 --level=RAID1 raid.02 raid.08
    raid pv.02 --device md2 --level=RAID1 raid.03 raid.09
    raid pv.03 --device md3 --level=RAID1 raid.04 raid.10
    raid pv.04 --device md4 --level=RAID1 raid.05 raid.11
    raid pv.05 --device md5 --level=RAID1 raid.06 raid.12

    # Volume Group 'main'
    volgroup main pv.01 pv.02 pv.03 pv.04 pv.05

    # LVs for root (10GB), /home (35GB), /var (35GB), and swap (1GB),
    # leaving about 20 GB available for snapshots and future expansion
    # of the LVs
    logvol swap --vgname=main --size=1024 --name=swap
    logvol / --vgname=main --size=10000 --name=root --fstype=ext3
    logvol /home --vgname=main --size=35000 --name=home --fstype=ext3
    logvol /var --vgname=main --size=35000 --name=var --fstype=ext3

    text
    xconfig --startxonboot --depth=24 --resolution=1024x768

    firewall --enabled --port=5900:tcp --ssh --http --smtp

    firstboot --reconfig
    poweroff

    %packages
    @gnome-desktop
    @office
    @smb-server
    @printing
    @russian-support
    gimp
    tomboy

10.4.1.1. Using a Kickstart file

To use a Kickstart file, make it accessible to the installation target system by placing it on an HTTP, FTP, or NFS server, or put it on a floppy disk.

To use a Kickstart file on floppy disk, add ks=floppy to the boot string encountered when booting from a USB key or optical disc:

    : linux ks=floppy

It is assumed that the Kickstart file is named ks.cfg, that it is in the root directory of the floppy disk, and that the floppy disk is formatted with an MS-DOS (VFAT) or ext2 filesystem.

To make the Kickstart file available through the web server on a Fedora Core system, use these commands (assuming that the file is named ks.cfg and is in the current directory):

    # mkdir -p /var/www/kickstart
    # cp ks.cfg /var/www/kickstart

You can then access the Kickstart file by URL at the installation boot prompt:

    : linux ks=http://192.168.1.2/kickstart/ks.cfg

(Replace 192.168.1.2 with the actual address of your server.)

However, when booting from a PXE boot server, no boot prompt is provided.
Instead, you must configure the Kickstart file by entering the URL into the system-config-netboot window for a particular IP address or range (Figure 10-20) or using the -K argument to the pxeboot command:

    # pxeboot -a -O fc6 192.168.1 -K http://192.168.1.2/kickstart/ks.cfg

10.4.2. How Does It Work?

Fedora's Anaconda installer is written in Python and uses a library called the Red Hat Python Library, or rhpl. Before commencing the installation process, Anaconda must load the data structures that control the installation. These data structures can be filled with data from user input or from the Kickstart file.

10.4.3. What About...

10.4.3.1. ...creating a Kickstart file using a graphical tool?

Fedora Core provides the system-config-kickstart utility for graphically editing a Kickstart file. Unfortunately, the version of system-config-kickstart shipped with Fedora Core 6 has some show-stopping bugs that cause it to create defective Kickstart files, and it is not able to configure LVM systems. However, you can use it to create a rough Kickstart file to use as a starting point for further customization.

10.4.3.2. ...creating a Kickstart file that dynamically adjusts according to properties of the installation target?

Kickstart files can include a script that is run before installation, and the output of that script can be included into the Kickstart configuration. For example, to configure swapspace to be double the memory size, you can add this script to the Kickstart file:

    %pre
    # Calculate twice the size of the installed memory, in MB
    MEM=$(cat /proc/meminfo|sed -n "s/MemTotal: *\([0-9]\+\) kB/\1/p")
    SIZE=$(( $MEM * 2 / 1024 ))
    # Create the file /tmp/swap.cfg
    echo "logvol swap --vgname=main --size=$SIZE --name=swap" >/tmp/swap.cfg

The %pre option identifies this part of the file as a preinstallation script. Place this script at the end of the Kickstart file; it will produce the file /tmp/swap.cfg containing the appropriate logvol line for the swap partition.
You can then replace the swap partition line in the Kickstart file with an option that refers to the /tmp/swap.cfg file using %include:

    # LVs for root (10GB), /home (35GB), /var (35GB), and swap (RAM * 2),
    # leaving about 20 GB available for snapshots and future expansion
    # of the LVs.
    %include /tmp/swap.cfg
    logvol / --vgname=main --size=10000 --name=root --fstype=ext3
    logvol /home --vgname=main --size=35000 --name=home --fstype=ext3
    logvol /var --vgname=main --size=35000 --name=var --fstype=ext3

Preinstallation scripts cannot change the installation source.

10.4.3.3. ...performing customization after installation?

The Kickstart file can also include a script that is run after installation, using the %post option. Here is an example:

    %post
    # Add aliases to /etc/bashrc:
    echo "alias l='ls -l'" >>/etc/bashrc
    echo "alias cls='clear'" >>/etc/bashrc
    # Change the login welcome message for text consoles
    echo "Welcome to Fedora Core!" >/etc/issue
    # Place a copy of acceptable-use-policy.txt
    # in /etc/skel so that it will be copied to each
    # new user's home directory.
    cd /etc/skel
    wget http://192.168.1.2/text/acceptable-use-policy.txt
    # Configure httpd to start automatically on boot
    /sbin/chkconfig httpd on

Post-installation scripts cannot reliably use hostnames; any IP addresses must be specified numerically.

10.4.3.4. ...installing a system with the same configuration as another, previously installed system?

Whenever you install a system, the configuration used for that system is written into the file /root/anaconda-ks.cfg. This is a standard Kickstart file with the disk layout commented out (every line has a # prepended). If you uncomment the disk layout and then use this as the Kickstart file for another system, it will produce an identical configuration (note that the hardware must be sufficiently similar for this to work).

10.4.4. Where Can I Learn More?
RHEL 4 System Administration Guide (see Chapter 1; RHEL uses a version of Anaconda similar to that used by Fedora): http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/sysadmin-guide/

10.5. Configuring the GRUB Bootloader

GRUB is a powerful bootloader that can be used to boot Linux, Windows, DOS, and other operating systems as well as the Xen virtualization system. By mastering its configuration file and command-line options, you can configure GRUB to boot exactly the way you want.

10.5.1. How Do I Do That?

GRUB is configured through the file /boot/grub/grub.conf; typical contents of this file look like this:

    # grub.conf generated by anaconda
    #
    # Note that you do not have to rerun grub after making changes to this file
    # NOTICE:  You have a /boot partition.  This means that
    #          all kernel and initrd paths are relative to /boot/, eg.
    #          root (hd0,0)
    #          kernel /vmlinuz-version ro root=/dev/main/root
    #          initrd /initrd-version.img
    #boot=/dev/hda
    default=0
    timeout=5
    splashimage=(hd0,1)/grub/splash.xpm.gz
    hiddenmenu
    title Fedora Core (2.6.31-1.3420_fc6)
        root (hd0,1)
        kernel /vmlinuz-2.6.31-1.3420_fc6 ro root=/dev/main/root rhgb quiet
        initrd /initrd-2.6.31-1.3420_fc6.img
    title Other
        rootnoverify (hd0,0)
        chainloader +1

This configuration file specifies two menu options, identified by the title keywords: Fedora Core and Windows (which Anaconda labels Other by default). Lines that start with a pound sign are comments.

The first lines after the initial comments set up the appearance of the bootloader at startup time:

default=0
    Configures the first title entry as the default entry (they are numbered starting at 0); in this case, Fedora Core.
timeout=5
    Sets the delay in seconds before the default entry is booted.
splashimage=(hd0,1)/grub/splash.xpm.gz
    Loads a graphical background for the boot display.
hiddenmenu
    Does not display the boot menu unless the user presses a key during the timeout period, in which case all of the available operating system entries are shown.

The filename given in the splashimage line is in a special, GRUB-specific form: (hd0,1) specifies the first hard disk, second partition (/dev/hda2 in Linux terminology), and /grub/splash.xpm.gz identifies the pathname on that drive. Because that partition (/dev/hda2 in this example) is mounted on /boot, the full pathname within the Fedora system is /boot/grub/splash.xpm.gz.

GRUB numbers partitions starting at 0, while Linux numbers them starting at 1.

The remainder of this file configures the two menu options. The first one consists of these four lines:

    title Fedora Core (2.6.31-1.3420_fc6)
        root (hd0,1)
        kernel /vmlinuz-2.6.31-1.3420_fc6 ro root=/dev/main/root rhgb quiet
        initrd /initrd-2.6.31-1.3420_fc6.img

Each line provides specific information:

title Fedora Core (2.6.31-1.3420_fc6)
    The title displayed on the menu. The number in parentheses is the kernel version number; since it's standard practice to keep the second-most-recent kernel installed when the kernel is updated, just in case the new kernel does not boot properly, this information enables you to identify which kernel is newer.
root (hd0,1)
    The root filesystem for the boot process, written using GRUB notation. Note that this may not be the root directory of the Fedora Core installation; it's usually the filesystem mounted at /boot when the system is running.
kernel /vmlinuz-2.6.31-1.3420_fc6 ro root=/dev/main/root rhgb quiet
    The kernel location within the root filesystem, plus boot options. These boot options specify that the root filesystem for Linux is /dev/main/root (logical volume root in volume group main) and that it will be mounted read-only (ro), that the Red Hat Graphical Boot (rhgb) display is enabled, and that noncritical kernel boot messages will be suppressed (quiet).
initrd /initrd-2.6.31-1.3420_fc6.img
    The location of the initrd ramdisk file. This file contains a compressed filesystem image that contains all of the files other than the kernel necessary for the initial phases of the Fedora system startup, including device drivers, programs, and scripts.

The other title entry is simpler:

    title Other
        rootnoverify (hd0,0)
        chainloader +1

The lines in this entry invoke the Windows Stage 2 bootloader, found at the start of the Windows partition:

rootnoverify (hd0,0)
    Similar to the root option in the Fedora Core entry, except that this partition will not be mounted, and therefore files within the partition cannot be accessed by GRUB.
chainloader +1
    Specifies that the boot process should be turned over to the bootloader found in sector 1 of the partition.

10.5.1.1. Customizing the GRUB menu

You can directly edit the GRUB configuration file to change the appearance of the boot process. To eliminate the boot menu entirely and directly boot the default entry, set the timeout value to zero:

    timeout=0

This is a useful setting for end-user, single-boot systems with a stable kernel. On the other hand, if you have several operating systems installed, it may be convenient to remove the hiddenmenu line and use a longer timeout:

    timeout=20

To turn the timeout off and wait indefinitely for the user to select the operating system, remove the timeout line from the file.

10.5.1.2. Using your own splash image

You can also customize or replace the boot image to include your company logo or a personalized message. Use the GIMP graphics editor to create a 640x480 image. Reduce the number of colors to 14 by using the GIMP Image menu to convert the image to indexed mode.

When converting an existing image to 14 colors, the result may look better if you select the No Dithering option, especially if the original image contains large areas of solid color. If you are creating a new image, select the indexed mode before you start drawing.
Save the image in the /boot/grub directory, using the file extension .xpm.gz.

Another way to generate a splash image is to convert an existing landscape-oriented digital photo or a desktop wallpaper file using the ImageMagick convert program:

    # convert -resize 640x480 -colors 14 photo.jpg /boot/grub/new_splash.xpm.gz

Finally, edit the splashimage line to point to your new creation:

    splashimage=(hd0,1)/grub/new_splash.xpm.gz

An example of a modified splash image is shown in Figure 10-22.

Figure 10-22. Modified splash image

10.5.1.3. Creating additional boot entries

Creating additional boot entries is simply a matter of entering additional lines with the options that you want. For example, you could create two separate entries for Fedora Core: one for runlevel 5 (GUI) and one for runlevel 3 (text mode):

    title Fedora Core - Graphical Login (2.6.31-1.3420_fc6)
        root (hd0,1)
        kernel /vmlinuz-2.6.31-1.3420_fc6 ro root=/dev/main/root rhgb quiet
        initrd /initrd-2.6.31-1.3420_fc6.img
    title Fedora Core - Text Login (2.6.31-1.3420_fc6)
        root (hd0,1)
        kernel /vmlinuz-2.6.31-1.3420_fc6 ro root=/dev/main/root rhgb quiet 3
        initrd /initrd-2.6.31-1.3420_fc6.img

These two options are identical except for the descriptions on the title lines and the addition of the number 3 to the end of the kernel line for the text-mode entry.

Installing a new kernel RPM will add an additional boot option and make it the default. If you are using yum to perform updating, a maximum of two versions of the kernel will be installed at once (configurable in /etc/yum/pluginconf.d/installonlyn.conf), so old kernel versions and their corresponding GRUB entries may be removed from the menu by yum when updating.

10.5.1.4. Installing GRUB's boot record from Fedora

Anaconda normally installs the GRUB boot record on the first disk drive automatically.
There are two situations where it may be necessary to manually install GRUB on an existing system:

/boot partition, Anaconda will install the GRUB boot record only on the first disk drive. Having a mirrored copy of /boot won't help if the first disk drive fails and you can't boot from the second drive, a situation easily remedied by installing the GRUB boot record on the second drive as well.

The easiest way to install GRUB is to use the grub-install script:

    # grub-install --root-directory=/boot /dev/hda
    Installation finished. No error reported.
    This is the contents of the device map /boot/boot/grub/device.map.
    Check if this is correct or not. If any of the lines is incorrect,
    fix it and re-run the script `grub-install'.

    (fd0)   /dev/fd0
    (hd0)   /dev/hda
    (hd1)   /dev/hdb
    (hd2)   /dev/hdc
    (hd3)   /dev/sdb

The --root-directory argument specifies the root directory for the boot files and should be used only if /boot is a mount point for a separate boot partition. The drive argument at the end of the line (/dev/hda) specifies the hard drive that GRUB will be installed on. grub-install uses Linux disk names, such as /dev/hdc, instead of GRUB disk names such as (hd2).

10.5.1.5. Installing GRUB's boot record from a GRUB DVD or floppy disk

Sometimes the GRUB boot record gets damaged, making it impossible to boot the system normally. It may be necessary to boot from a GRUB DVD or floppy disk to fix this type of problem. To create a GRUB DVD on a Fedora system (obviously not the one that won't boot!), enter these commands:

    # cd /usr/share/grub/
    # growisofs -Z /dev/cdrom -R -b stage2_eltorito -no-emul-boot -boot-load-size 4 -boot-info-table i386-redhat

Type the entire growisofs command on one continuous line.

To create a bootable floppy instead of a DVD:

    # cd /usr/share/grub/i386-redhat
    # cat stage1 stage2 >/dev/fd0

It's worthwhile keeping a GRUB DVD or floppy with your system manuals just in case you ever find that you can't boot your system due to bootloader problems.
Boot your system with this disc or floppy. A GRUB command prompt will appear, as shown in Figure 10-23.

Figure 10-23. GRUB command prompt from a CD/DVD boot

At this prompt, search for your stage1 file:

    grub> find /boot/grub/stage1
    Error 15: File not found
    grub> find /grub/stage1
     (hd0,0)

If your boot files are in your root filesystem, GRUB will find /boot/grub/stage1, but if you have a separate /boot partition, GRUB will find /grub/stage1. In the previous example, the partition (hd0,0) contains the stage1 file. Make this partition your root partition:

    grub> root (hd0,0)
     Filesystem type is ext2fs, partition type 0x83

Now instruct GRUB to set up the boot record on that drive:

    grub> setup (hd0)
     Checking if "/boot/grub/stage1" exists... no
     Checking if "/grub/stage1" exists... yes
     Checking if "/grub/stage2" exists... yes
     Checking if "/grub/e2fs_stage1_5" exists... yes
     Running "embed /grub/e2fs_stage1_5 (hd0)"... 15 sectors are embedded.
    succeeded
     Running "install /grub/stage1 (hd0) (hd0)1+15 p (hd0,0)/grub/stage2 /grub/grub.conf"... succeeded.
    Done

Note that the setup command was given the drive (hd0) instead of the partition (hd0,0) to install the boot record at the start of the drive instead of the start of the boot partition. You can now remove the GRUB disc/floppy and boot directly from the hard drive.

10.5.1.6. Editing boot options

To temporarily override a GRUB menu option, select a menu option on the boot menu using the up/down arrow keys, and then press E (for edit). The screen shown in Figure 10-24 will be displayed. If you have a bootloader password configured, you will be prompted for it at this point.

Figure 10-24. Selecting a menu-entry line to edit

Use the arrow keys to select the line you wish to edit, and then press E again. You can now move across the line using the arrow keys, as shown in Figure 10-25. Type new text to insert it into the line, or use the Backspace/Delete keys to remove text. Press Enter when done.

Figure 10-25. Edit a line in a menu entry

Press Enter to accept your changes or Esc to undo them. In either case you will return to the menu-entry display shown in Figure 10-24; press B to boot, or press Esc to return to the boot menu.

As a shortcut, if you are adding boot options only to an existing menu entry, select the entry using the up/down arrow keys, then press A (for append). You can then type the additional option(s), such as a runlevel. Press Enter to proceed with booting or Esc to cancel and return to the boot menu.

10.5.1.7. Installing or changing a GRUB password

To protect against the unauthorized use of runlevel S or other boot options, it's a good idea to add a password entry to the boot menu. If you didn't do this during the installation, you can add the password at any time by following these steps:

1. Generate an encrypted password with the grub-md5-crypt command:

    $ grub-md5-crypt
    Password: bigsecret
    Retype password: bigsecret
    $1$f1z061$j/UEYyBn0e0996w0gjq4k/

   The last line of the listing is the encrypted (scrambled) version of the password.

2. Edit the /boot/grub/grub.conf file and add this line at the top, substituting the password you just generated:

    password --md5 $1$f1z061$j/UEYyBn0e0996w0gjq4k/

When you boot the system, you will still be able to select a boot menu entry, but to perform any advanced operations (such as appending runlevel information to a boot entry), you will need to enter the password.

10.5.2. How Does It Work?

GRUB actually consists of four pieces of software, plus some utilities:

stage 1
    The boot record. This tiny piece of code is less than 512 bytes long.

stage 1.5
    Additional drivers for filesystems, such as ext2, to enable GRUB to find the stage 2 files.

stage 2
    The standalone GRUB command shell and menu program.

/sbin/grub
    A version of the GRUB command shell that can be executed inside a running Fedora system.
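After editing grub.conf by hand, as in the two sections above (extra boot entries and a password line), a quick audit catches the mistakes that leave a system unbootable or unprotected: a missing or plaintext password line, a default= index that points past the last title, a missing timeout, and kernel or initrd paths that do not exist. This is an added example, not code from the book; it assumes a POSIX sh with grep and awk, a GRUB legacy grub.conf, and that the second argument is the directory that GRUB's root partition corresponds to (/boot when /boot is a separate partition, / otherwise).

```shell
# audit_grub_conf <grub.conf> <boot-dir>
# Prints one line per finding and returns the number of findings (0 = clean).
# <boot-dir> is where the paths in kernel/initrd lines are resolved: /boot for a
# separate boot partition (paths look like /vmlinuz-...), / when /boot lives in
# the root filesystem (paths look like /boot/vmlinuz-...).
audit_grub_conf() {
    conf=$1
    bootdir=$2
    findings=0

    # 1. A password line should exist and should carry an MD5-crypt hash
    #    ($1$salt$hash, as grub-md5-crypt prints). GRUB legacy also accepts
    #    "password plaintext", which anyone who can read the file can use.
    if grep -q '^[[:space:]]*password[[:space:]]' "$conf"; then
        if ! grep -q '^[[:space:]]*password[[:space:]]\{1,\}--md5[[:space:]]\{1,\}\$1\$' "$conf"; then
            echo "WARN: password line does not use an MD5-crypt hash (plaintext password?)"
            findings=$((findings + 1))
        fi
    else
        echo "WARN: no password line; boot options can be edited at the menu"
        findings=$((findings + 1))
    fi

    # 2. Without a timeout line GRUB waits forever for a menu choice, which an
    #    unattended server after a remote reboot does not want.
    if ! grep -q '^[[:space:]]*timeout=' "$conf"; then
        echo "WARN: no timeout line; GRUB will wait indefinitely for a menu choice"
        findings=$((findings + 1))
    fi

    # 3. default=N is a zero-based index into the title entries.
    ntitles=$(grep -c '^[[:space:]]*title[[:space:]]' "$conf" || true)
    def=$(awk -F= '$1 == "default" { print $2; exit }' "$conf")
    case $def in
        ''|*[!0-9]*) ;;   # absent or non-numeric (e.g. "saved"): nothing to check
        *)
            if [ "$def" -ge "$ntitles" ]; then
                echo "ERROR: default=$def but only $ntitles title entries exist"
                findings=$((findings + 1))
            fi ;;
    esac

    # 4. Every kernel and initrd a menu entry names must exist under <boot-dir>.
    for path in $(awk '$1 == "kernel" || $1 == "initrd" { print $2 }' "$conf"); do
        if [ ! -f "$bootdir/$path" ]; then
            echo "ERROR: $path is referenced in $conf but $bootdir/$path does not exist"
            findings=$((findings + 1))
        fi
    done

    return $findings   # shell return codes wrap above 255; fine for a handful of findings
}
```

Run it as `audit_grub_conf /boot/grub/grub.conf /boot` after each edit; a non-zero return means something printed above needs attention before the next reboot.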
During boot, the system BIOS loads stage 1 as the boot record and executes it; stage 1 then loads stage 1.5 (if necessary) and finds stage 2. Stage 2 then seeks out the GRUB configuration file menu.lst (a symbolic link to grub.conf, which the Fedora developers apparently consider to be a better name).

The GRUB command shell supports over three dozen commands; most of these are never used except by experts and developers. Instead, most users interact with the GRUB menu. The grub.conf file permits a set of boot options to be presented to the user as a menu entry, removing most of the complexity from the user's view.

A typical Linux entry in grub.conf sets the root filesystem, which is mounted by GRUB to enable access to the kernel and other boot files. The entry also specifies the name of the kernel and initrd ramdisk to be loaded into memory, and indicates any configuration options that are to be passed to the kernel.

10.5.3. What About...

10.5.3.1. ...an archive of GRUB splash images?

The author of the splash-image code maintains a small gallery of tested splash images at http://ruslug.rutgers.edu/~mcgrof/grub-images/images/ and an archive at http://ruslug.rutgers.edu/~mcgrof/grub-images/images/working-splashimages/ .

10.5.3.2. ...dual-booting between different Linux distributions?

This works well. Simply add the entries for the other Linux distributions to the active /boot/grub/grub.conf (or /boot/grub/menu.lst) file. This can be done by specifying that the second Linux distribution install GRUB at the start of that distribution's root filesystem partition instead of placing it in the master boot record for the drive. Then copy the /boot/grub/grub.conf entries from the second Linux distribution to the first one.

10.5.4. Where Can I Learn More?

    info document in Fedora Core)
    /usr/share/doc/grub-0.95/menu.lst
    convert

10.6. Using Rescue Mode on an Installation Disc

The Fedora Core installation DVD, or disc 1 of the CD set, can be used to boot into a rescue mode, which lets you access a Fedora system installed on a hard disk without booting from that hard disk. This can be used to recover from many types of system failure or badly misconfigured startup scripts.

10.6.1. How Do I Do That?

Insert your Fedora installation disc (DVD or CD 1) into the system and boot from it. At the boot prompt, enter:

    boot: linux rescue

You will be presented with the standard language and keyboard menus (see Figures 1-5 and 1-6 in Chapter 1), and then the question shown in Figure 10-26 will be displayed.

Figure 10-26. Network interface question

If you want to be able to transfer files to and from the system (for example, to back up critical data), answer Yes; otherwise, answer No. If you answer Yes, the standard network configuration dialog will appear, enabling you to select DHCP network configuration or manually enter the network details.

Figure 10-27 shows the next screen, which offers to mount your hard disk directories for you. If you need to access files on your hard disk, select Continue; if you need to access files on your hard disk but want to avoid the possibility of damaging any files, select Read-Only; and if you do not want to mount the hard disk filesystems (for example, because you want to work on the filesystems first, resizing or repairing them), select Skip.

Figure 10-27. Hard disk mounting dialog

Figure 10-28 shows the final dialog that will be displayed before a root shell is opened, which informs you whether the hard disk filesystems were mounted. Select OK to proceed to a root shell.

Figure 10-28. Final dialog before the rescue-mode shell

A minimal environment is available in the rescue-mode shell, providing access to the most important system administration commands.
If you requested that the hard disk filesystems be mounted, the mount point will be /mnt/sysimage, and the mounts will be cascaded properly. Therefore, if you have separate /boot and /home filesystems, they will be mounted under /mnt/sysimage/boot and /mnt/sysimage/home.

If you selected a read/write mount, you can temporarily make the root directory of the hard disk your root directory using the chroot command:

    sh-3.1# chroot /mnt/sysimage

You can now access directories in their usual locations (/etc, /home, and so forth), and you'll have access to all of the software installed on the hard disk.

When you issue the chroot command, you will no longer be accessing the software on the installation disc. Therefore, if the commands installed on the hard disk filesystems are corrupted or damaged, you will be using the corrupted or damaged versions. Likewise, if the software on your hard disk is newer than the software on the installation disc, you will be using the newer versions.

Press Ctrl-D (for done) to exit from the chroot shell and return to the normal rescue shell.

If you chose not to mount your hard disk filesystems, any LVM volume groups on your hard disks will be inaccessible. To access the VGs, issue these commands:

    sh-3.1# lvm vgscan
    Reading all physical volumes. This may take a while...
    Found volume group "main" using metadata type lvm2
    sh-3.1# lvm vgchange -ay
    2 logical volumes in volume group "main" now active

You can then access the logical volumes as /dev// (for example, /dev/main/root).

When you are finished with the shell, press Ctrl-D. The system will automatically reboot.

10.6.2. How Does It Work?

Rescue mode uses the same Linux kernel, initrd ramdisk, and device probing that are used during the installation process to create a minimal work environment using only software loaded from the installation disc.
The same code that is used to detect and mount existing Fedora partitions for an upgrade installation is used to mount the partitions during rescue mode.

The chroot command changes the definition of the root directory for one process, in this case a shell, and any processes started by that shell. Changing the root directory effectively changes the PATH so that the software installed in the chroot environment (software on the hard disk) is used while the chroot is active. When you exit from the chroot shell, the root directory reverts to the root directory of the installation session, which is a ramdisk.

10.6.3. What About...

10.6.3.1. ...copying files to or from another machine while in rescue mode?

The scp command is available in rescue mode and can be used to copy files to or from another Fedora system (or other Linux host). You must enable the network interfaces in order for this to work.

To copy a file from an FTP or HTTP server, use wget:

    sh-3.1# wget http://192.168.1.2/help.txt

10.6.3.2. ...using a GUI while in rescue mode?

Unfortunately, there's not enough of the supporting infrastructure in place in rescue mode to support the use of a GUI.

10.6.3.3. ...accessing software from the hard disk without using chroot?

Set your path to include directories on the mounted hard disk filesystems:

    sh-3.1# PATH=$PATH:/mnt/sysimage/bin:/mnt/sysimage/usr/bin:/mnt/sysimage/sbin:/mnt/sysimage/usr/sbin:/mnt/sysimage/usr/local/bin

Type this command on one line.

10.6.4. Where Can I Learn More?

    chroot, wget, scp, and lvm

10.7. Installing Xen Virtual Machines

Xen is a technology that permits one physical computer to act as two or more virtual machines (or domains). Each domain is isolated from other domains, so administration privilege can be safely delegated; you can designate a system administrator for one domain and give him the root password for total control of that system, confident that he will not be able to touch the configuration of other domains.
Virtualization technology is also very helpful when testing multiple software versions or configurations, and since virtual machines can be migrated between physical systems, it provides a lot of flexibility for server deployment and management.

To use Xen, you must install a special kernel and utilities on your existing Fedora system, which then becomes your primary domain (Domain-0). You can then install Fedora on as many additional domains as you want.

10.7.1. How Do I Do That?

To set up for Xen, install the kernel-xen and xen packages using Pirut or this command:

    # yum -y install kernel-xen xen

Reboot your system. When the GRUB boot screen appears, press the spacebar to display the boot menu. Select the new xen kernel using the cursor keys, and then press Enter to boot.

To make your system boot the Xen kernel by default, edit /boot/grub/grub.conf (see Lab 10.5, "Configuring the GRUB Bootloader").

You can confirm that you are running the Xen kernel by using the uname command:

    # uname -r
    2.6.17-1.2564.fc6xen

The xend service should also be running, which you can confirm using the service command:

    # service xend status
    service xend is running

The Fedora installation that you are using is Domain-0, the master domain. Additional virtual machines, called guest domains, must be installed from a network installation server. If you do not have one, you can quickly set up one within Domain-0 by inserting a Fedora Core DVD and typing:

    # yum -y install httpd
    ...(Lines snipped)...
    # setenforce 0
    # ln -s /media/disk /var/www/html/fedora
    # service httpd start
    Starting httpd:                                            [  OK  ]

The setenforce command just shown disables SELinux protection for your system, which presents a security risk. Re-enable SELinux as soon as you are finished using the network installation server:

    # setenforce 1

To start the guest domain installation:

    # xenguest-install
    What is the name of your virtual machine? fedora
    How much RAM should be allocated (in megabytes)? 256
    What would you like to use as the disk (path)? /var/xen/fedora
    How large would you like the disk to be (in gigabytes)? 2
    Would you like to enable graphics support (yes or no) no
    What is the install location? http://192.168.2.48/fedora

The name of the virtual machine can be any value that meets the requirements for a filename. The disk path and size requested are used to set up a file that will act as the hard disk for the guest domain. The install location is the URL of the network installation server; if you're using an HTTP server on Domain-0, use the full IP address of that system instead of the loopback address 127.0.0.1 (since, inside a guest domain, the loopback destination is the guest domain itself, not Domain-0).

A regular Fedora installation will now start in text mode within the guest domain. After prompting you for the language and keyboard, the installer will give you the option of continuing with a text mode installation or using VNC for a graphical installation, as shown in Figure 10-29.

Figure 10-29. Text mode and VNC installation options

This message indicates that the installer was unable to start X. This is normal, since the guest domain does not have a video card. Choose one of the two options:

    192.168.2.112:1 to begin the install...
    for a shell

Use the vncviewer program to connect to the indicated address and port:

    vncviewer 192.168.2.112:1

You can then proceed with a regular Fedora installation into the guest domain. When the installation is finished, you can start your guest domain with this command:

    # xm create fedora
    Using config file "/etc/xen/fedora".
    Going to boot Fedora Core (2.6.17-1.2517.fc6xen)
      kernel: /vmlinuz-2.6.17-1.2517.fc6xen
      initrd: /initrd-2.6.17-1.2517.fc6xen
    Started domain fedora

This will boot the guest domain.
You can view the current domains using xm list:

    # xm list
    Name                                      ID Mem(MiB) VCPUs State   Time(s)
    Domain-0                                   0      510     2 r-----    247.8
    fedora                                     5      256     1 -b----      9.5

This display shows that the domains Domain-0 and fedora are both running, and displays the domain ID number, memory, virtual CPUs, and CPU usage in seconds for each domain.

So what's going on in the guest domain? Good question! You can see the guest console by using xm console:

    # xm console fedora

The first time your guest domain boots, you will see a text version of the firstboot configuration.

To start a guest domain and connect to its console immediately, use xm create with the -c (console) option:

    # xm create -c fedora

After the first boot, you may find it just as easy to use SSH to connect to the guest domain as though it were a remote server:

    $ ssh -X 192.168.2.112

The -XC option enables the remote display of X clients, so that you can use graphical administration tools such as system-config-printer within the guest domain and display the window on your Domain-0 screen.

To shut down a guest domain, either initiate a shutdown within the domain (for example, by executing the shutdown command), or use the xm shutdown command in Domain-0:

    # xm shutdown fedora

The shutdown will take up to a few minutes, just like the shutdown of a physical system. If a guest domain is stuck in an unrecoverable state, you can forcefully stop it (although this is the equivalent of turning off the power on the virtual machine, so it may result in data loss):

    # xm destroy fedora

10.7.2. How Does It Work?

Xen boots a small program called a hypervisor before booting Domain-0. The hypervisor masks the underlying hardware and presents a modified virtual environment to each domain. Domain-0 has direct access to certain hardware, such as network interface cards and other peripherals, and the standard device drivers are used to access those devices.
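Returning to the xm list table shown earlier in this lab: once several guests are running, what an administrator wants from that table is an unattended check rather than a glance. This added example (not from the book) turns xm list output into a cron-style health report; it assumes a POSIX sh with awk, the six-character State column xm list prints (flags r, b, p, s, c, d in fixed positions), and a guest memory budget in MiB passed as the first argument.

```shell
# xm_domain_report <guest-memory-budget-MiB>
# Reads "xm list" output on stdin, prints one line per guest domain, and returns
# the number of problems found: a guest that is crashed (c), dying (d) or paused (p),
# plus one more if the guests' combined memory exceeds the budget. Domain-0 is
# the host itself and is skipped.
# Usage: xm list | xm_domain_report 512
xm_domain_report() {
    awk -v budget="$1" '
        BEGIN { bad = 0; mem = 0 }
        NR == 1 { next }                 # header: Name ID Mem(MiB) VCPUs State Time(s)
        $1 == "Domain-0" { next }        # the host, not a guest
        {
            mem += $3
            # $5 is the State column, e.g. "-b----" (blocked) or "--c---" (crashed)
            if ($5 ~ /c/)      { bad++; printf "ALERT: %s (id %s) has crashed\n", $1, $2 }
            else if ($5 ~ /d/) { bad++; printf "ALERT: %s (id %s) is dying\n", $1, $2 }
            else if ($5 ~ /p/) { bad++; printf "WARN: %s (id %s) is paused\n", $1, $2 }
            else printf "ok: %s (id %s) state %s, %s MiB, %s vcpu(s)\n", $1, $2, $5, $3, $4
        }
        END {
            if (mem > budget) {
                bad++
                printf "WARN: guests are allocated %d MiB, budget is %d MiB\n", mem, budget
            }
            exit bad                     # becomes the function'"'"'s return code
        }'
}
```

A crashed guest still holds its memory and its disk file, so a non-zero return here is the cue to look at xm console or the guest's logs before reaching for xm destroy.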
Inside Domain-0, a service daemon named xend provides monitoring and control functions for the guest domains and communication between the guest domains and certain types of hardware (such as network interfaces).

The Xen environment is different from the normal PC environment, and the operating system must be modified to run in this special environment; this is called paravirtualization because it requires some cooperation on the part of the guest operating system. The advantage of this approach is higher performance and the ability to control the guest operating system in certain ways (such as sending the guest OS a shutdown message when xm shutdown is used).

Xen is developed as an open source project; XenSource is a company formed by the original Xen researchers to offer an enhanced, commercially supported version of Xen.

The Fedora Xen guest installation tool, xenguest-install, is a Python script that interfaces with Fedora's Anaconda system and Python libraries. The configuration files generated by xenguest-install are stored in /etc/xen.

10.7.3. What About...

10.7.3.1. ...starting Xen guest domains automatically at boot time?

Xen configuration files created with xenguest-install are installed in /etc/xen, and the filenames match the guest domain names. If these files are symlinked to the /etc/xen/auto directory, they will be started automatically at boot time by the xendomains service. For example, to start the fedora guest domain automatically at each boot, link its configuration file using ln -s:

    # ln -s /etc/xen/fedora /etc/xen/auto

10.7.3.2. ...hardware support for virtualization?

CPU makers are starting to build support for virtualization into their CPUs. AMD's technology is named Pacifica, while Intel's is named VT-x. Xen can take advantage of either technology to boost performance and to provide full virtualization to unmodified operating systems.

10.7.3.3. ...using other network or storage configurations?
Xen is very configurable, but the Fedora Xen guest installation script handles only a small subset of the possibilities. To use alternate configurations it is necessary to manually edit the configuration files in /etc/xen (see the Xen documentation and the sample configuration files in /etc/xen for details).

10.7.3.4. ...booting other operating systems?

It is possible to install other Linux distributions and (soon) other operating systems into guest domains, but they must be installed manually; Fedora's Xen installer only works with Fedora Core at this point. For information on installing other Xen guests, see the XenSource web site ( http://www.xensource.com ) and the documentation for the Xen guest you wish to install. Microsoft Windows and other unmodified operating systems can be used as Xen guests only with hardware virtualization support.

10.7.3.5. ...monitoring the resource usage and activity of Xen domains?

Xen provides the xentop tool for domain monitoring, shown in Figure 10-30. As the name implies, it provides a top-like display of domain activity, updated every three seconds.

Figure 10-30. Xentop display

Fedora Core also includes the Virtual Machine Manager (virt-manager) application, but the version released with Fedora Core 6 is at a very early stage of development. It is designed to provide an effective way of managing virtual machines through a graphical user interface; you can follow development on the fedora-xen list (see Lab 9.1, "Participating in the Fedora Mailing Lists").

10.7.4. Where Can I Learn More?

Colophon

The image on the cover of Fedora Linux is a cowboy roping a calf. In the Old West, horseback cowboys entrapped and retrieved fugitive cattle with the help of a lasso, or lariat, a rigid noose that could be tossed over a wayward animal's neck and easily tightened with a pull of the rope. The stiffness of the rope ensured that the noose maintained its wide aperture in midair.
Today, this activity is an official rodeo event called tie-down roping, sanctioned by the Professional Rodeo Cowboys Association. In this competition, a calf is released from a narrow holding pen, referred to as the bucking chute, into the rodeo arena. After giving his conquest a brief head start, the cowboy chases after the calf on his specially trained horse and attempts to rope it as quickly as possible. He then must expeditiously tip the animal on its side, a maneuver known as flanking, and use another tiny piece of rope, the pigging string, to bind together any three of its four legs. If the calf is unable to break free from its fetters in six seconds or less, the cowboy's attempt is a success, and his official time is registered. Leading professional ropers can ensnare and immobilize a calf in approximately seven seconds.

The cover image and chapter opening graphics are from the Dover Pictorial Archive. The cover font is Adobe ITC Garamond. The text font is Linotype Birka; the heading font is Adobe Myriad Condensed; and the code font is LucasFont's TheSans Mono Condensed.