Вы находитесь на странице: 1из 458

Ubuntu Server

Ubuntu Server
2012

Ubuntu Server! ,

Ubuntu . ,
.


Ubuntu (https://wiki.ubuntu.com/
DocumentationTeam). .
Creative Commons ShareAlike 3.0 (CC-BY-SA).
,
Ubuntu. .
, , -
;
, .
1

: Creative Commons ShareAlike License .


:

Ubuntu
3

Ubuntu Server

- Ubuntu

bzr serverguide ubuntu6


docs , Launchpad.

1
2
3
4
5
6

http://creativecommons.org/licenses/by-sa/3.0/
https://launchpad.net/~ubuntu-core-doc
https://launchpad.net/~ubuntu-server
https://help.ubuntu.com/community/
https://code.launchpad.net/serverguide
https://code.launchpad.net/ubuntu-docs


1. ........................................................................................................ 1
1. .............................................................................................. 2
2. ....................................................................................................... 3
1. ........................................................................ 4
2. CD ....................................................................................... 6
3. ........................................................................................... 10
4. ...................................................................... 11
5. ......................................................................... 20
3. ................................................................................. 24
1. ............................................................................................... 25
2. dpkg ....................................................................................................... 26
3. Apt-Get .................................................................................................. 28
4. Aptitude ................................................................................................. 30
5. ............................................................... 33
6. ...................................................................................... 35
7. .................................................................................................. 37
4. .............................................................................................. 38
1. .................................................................................... 39
2. TCP/IP ..................................................................................................... 49
3. (Dynamic Host
Configuration Protocol, DHCP) .................................................................... 54
4. NTP ........................................................... 57
5. (DM-Multipath) ............................ 59
1. (Device Mapper
Multipathing) .............................................................................................. 60
2. ................................................................ 64
3. DM-Multipath ............................................................ 68
4. DM-Multipath .............................................. 72
5. DM-Multipath ................ 87
6. ................................................................. 93
1. OpenSSH ................................................................................... 94
2. Puppet .................................................................................................... 98
3. Zentyal ................................................................................................. 101
7. ......................................................................... 106
1. OpenLDAP ............................................................................... 107
2. Samba LDAP ..................................................................................... 135
3. Kerberos ............................................................................................... 142
4. Kerberos LDAP .................................................................................. 151
8. (DNS) ................................................................. 158
1. ............................................................................................ 159
iii

Ubuntu Server
2. ....................................................................................
3. ..........................................................................
4. ................................................................................................
9. .......................................................................................................
1. .............................................................
2. .......................................................................
3. .........................................................................................
4. AppArmor .............................................................................................

160
166
170
171
172
179
180
189

1. HTTPD - Apache2 ..............................................................


2. PHP5 ....................................................................
3. - Squid ..........................................................................
4. Ruby on Rails .......................................................................................
5. Apache Tomcat .....................................................................................
............................................................................................
1. MySQL ..................................................................................................
2. PostgreSQL ...........................................................................................
LAMP ...................................................................................
1. ...................................................................................................
2. Moin Moin ............................................................................................
3. MediaWiki .............................................................................................
4. phpMyAdmin ........................................................................................
- ..........................................................................................
1. FTP- ...........................................................................................
2. (NFS) ......................................................
3. iSCSI- ..................................................................................
4. CUPS ......................................................................
..................................................................
1. Postfix ..................................................................................................
2. Exim4 ...................................................................................................
3. Dovecot Server ....................................................................................
4. Mailman ...............................................................................................
5. .............................................................................
.............................................................................
1. ...................................................................................................
2. IRC- ...........................................................................................

213
223
226
229
231
236
237
243
246
247
249
251
253
255
256
261
263
266
270
271
279
283
286
293
301
302
303

5. ......................................................................................
6. eCryptfs ...............................................................................................
10. .............................................................................................
1. ...................................................................................................
2. Nagios ..................................................................................................
3. Munin ...................................................................................................
11. - .............................................................................................

12.

13.

14.

15.

16.

iv

194
200
203
204
205
210
212

Ubuntu Server
3. Jabber .............................................
17. ......................................................................
1. Bazaar ..................................................................................................
2. Subversion ...........................................................................................
3. CVS .........................................................................................
4. ................................................................................................
18. Windows .................................................................
1. .............................................................................................

2. Samba ...................................................................
3. Samba ........................................................................
4. Samba ................
5. Samba ...........................................
6. Samba Active Directory ................................................
19. ..........................................................................
1. Shell ....................................................................................
2. ................................................................................
3. Bacula ..................................................................................................
20. ........................................................................................
1. ...................................................................
2. JeOS vmbuilder .................................................................................
3. UEC ......................................................................................................
4. Ubuntu ....................................................................................
5. LXC .......................................................................................................
21. ........................................................................................
1. DRBD ....................................................................................................
22. VPN ...........................................................................................................
1. OpenVPN ..............................................................................................
23. ...............................................................
1. pam_motd ............................................................................................
2. etckeeper .............................................................................................
3. Byobu ...................................................................................................
4. ................................................................................................
A. ...............................................................................................
1. Ubuntu Server Edition ............................

305
307
308
310
316
319
320
321

322
325
327
333
338
341
342

347
351
357
358
364
374
387
395
420
421
424
425
439
440
442
444
446
447
448


2.1. .......................................... 4
5.1. ................................... 60
5.2. DM-Multipath ........................................................................ 62
5.3. Multipath ........................................................ 76
5.4. ................................................................... 81
5.5. ................................................................................. 84
5.6. multipath ....................................................... 90
17.1. ................................................................................... 311
20.1. UEC .......................................... 375
20.2. UEC ........................................................................ 375
20.3. ................................................. 409

vi

1.
Ubuntu Server!
,
. ,

.

Ubuntu. 2,
[3],
Ubuntu
1
Ubuntu .
HTML-
2
Ubuntu .

1
2

https://help.ubuntu.com/12.04/installation-guide/
https://help.ubuntu.com

1.
Ubuntu Server Edition:
.
( ) Canonical Ltd.

.
3

Canonical Services .

,
, Ubuntu
. , IRC, , , , ..
.
4
Ubuntu Support

3
4

http://www.canonical.com/services/support
http://www.ubuntu.com/support

2.
,
Ubuntu 12.04 LTS Server Edition.
1
, , Ubuntu .

https://help.ubuntu.com/12.04/installation-guide/

1.
,
.

1.1.
Ubuntu 12.04 LTS Server Edition (3)
: Intel x86, AMD64 ARM.
.
, ,
. ,
,
.

2.1.

300

128

500

Server Edition .
, :
, -, ..
Ubuntu Enterprise Cloud (UEC) .
3.2.1,
[374], UEC
3.2.2, [375].

1.2.
Ubuntu Server Edition Ubuntu Desktop
Edition. ,
apt,
Desktop Edition, Server Edition.

(X window environment) Server Edition,
(Kernel).


1.2.1. :
Ubuntu 10.10
.
Ubuntu -server -generic.
-generic,
.
64- Ubuntu 64-
.
, /
2
boot/config-3.2.0-server. , Linux Kernel in a Nutshell
.

1.3.
Ubuntu Server Edition ,
.
19, [341].
-
,
, Ubuntu.
,
, -
. , ,
, ,
.

http://www.kroah.com/lkn/

2. CD
Ubuntu Server Edition CD ,
-.
Desktop Edition, Server Edition
. Server Edition .
, ISO
3

- Ubuntu .

-.
.

Ubuntu Server Edition.
Ubuntu Server, -
, ,
, .
,
.
.
.


.

DHCP.
DHCP, "",
" ".
, (hostname)
.

. ,
. ,
LVM,
.
LVM, .
4,
[11].
Ubuntu.
3

http://www.ubuntu.com/download/server/download


; root
sudo.
, ,
(home).
,
. :
:
.

:
unattended-upgrades,
.
5,
[33].
Landscape: Landscape ,
Canonical,
Ubuntu.
4
Landscape .

, ,
. 2.1,
() [8] . ,
aptitude, .
4,
Aptitude [30].
, ,
UTC.
-
,
,
.

-
, .
F1.
, ,
5
Ubuntu .

4
5

http://www.canonical.com/projects/landscape
https://help.ubuntu.com/12.04/installation-guide/

2.1. ()
Server Edition
CD.
.

DNS : DNS- BIND .


LAMP : Linux/
Apache/MySQL/PHP.
: ,
.
OpenSSH : ,
OpenSSH.
PostgreSQL:
PostgreSQL.
: .
Samba: ,
Samba, ,
Windows, Linux .
Tomcat Java : Apache Tomcat .
Virtual Machine host: ,
KVM.
: aptitude,
.
() tasksel.
Ubuntu ( Debian)
GNU/Linux , ,
,
. ,
, ,
.
,
, :
tasksel --list-tasks

,
Ubuntu, Kubuntu Edubuntu.
, tasksel ,
.
8


,
--task-packages. , ,
DNS , :
tasksel --task-packages dns-server

:
bind9-doc
bind9utils
bind9

- , ,
, LAMP DNS-,
CD :
sudo tasksel install dns-server

3.
Ubuntu
.
.

3.1. do-release-upgrade
Server Edition
do-release-upgrade.
update-manager-core,
.
, Debian,
apt-get dist-upgrade.
do-release-upgrade ,
.
:
do-release-upgrade

do-release-upgrade
Ubuntu. d:
do-release-upgrade -d

, ,
.

10

4.
4.1. RAID
(Redundant Array of Independent
Disks, RAID)

/ /
RAID. RAID
(
), (
,
).
RAID,

Linux ( Ubuntu), 'mdadm'


, , , RAID. Ubuntu
Server Edition, RAID (RAID 1),
, / (
), swap.
4.1.1.
,
, :
1.

2.


" ?".
,
RAID .

3.

" "
" ".

4.

, .
,
RAM. ,
, .

(RAM) ,
RAM.
11


,
.
5.

" :" .
" Ext4",
" RAID" "
".

6.

/ " "

7.


, .

8.

, , "
:" " RAID".
" :" "on".
" ".

9.

" ".

4.1.2. RAID
:
1.

" ",
" RAID" .

2.

"" .

3.

" MD ".

4.

"RAID1",
, (RAID0 RAID1 RAID5).
RAID5 .
RAID0 RAID1 .

5.

"2",
, .
"".

6.

, "0" ,
"".

7.

. sda1, sdb1,
sdc1, .. ,
.
sda1 sdb1. ""
.
12


8.

/, sda2
sdb2.

9.

"".

4.1.3.
RAID-.

RAID-. RAID-
,
.
1.

"#1" "RAID1 #0".

2.

" :". " ",


" ".

3.

"#1" "RAID1 #1".

4.

" :". "


Ext4".

5.

" " "/


".
" ".

6.

, "
".

RAID-,
,
.
4.1.4, RAID [13] .
.
4.1.4. RAID

. ,
RAID,
(degraded state).
, ,
Ubuntu Server Edition 30
. , 50
,
.
, ,
13


. :
dpkg-reconfigure
,

, .
, .
mdadm :
sudo dpkg-reconfigure mdadm

dpkg-reconfigure mdadm
/etc/initramfs-tools/conf.d/mdadm.

:
BOOT_DEGRADED=true




:
Shift Grub.
e .
.
"bootdegraded=true" ( ) .
Ctrl+x .
,
( 4.1.5, RAID [14]),

.
4.1.5. RAID
mdadm ,
, .:
:
sudo mdadm -D /dev/md0

-D mdadm
/dev/md0. /dev/md0 RAID
.
14


:
sudo mdadm -E /dev/sda1

mdadm -D, /dev/sda1


.
:
sudo mdadm --remove /dev/md0 /dev/sda1

/dev/md0 /dev/sda1 RAID .


:
sudo mdadm --add /dev/md0 /dev/sda1

.
.
.
, .
/proc/mdstat RAID
:
cat /proc/mdstat
Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
md0 : active raid1 sda1[0] sdb1[1]
10016384 blocks [2/2] [UU]
unused devices: <none>


:
watch -n1 cat /proc/mdstat

Ctrl+c .
,
grub.
grub :
sudo grub-install /dev/md0

/dev/md0 .
15


4.1.6.
RAID -
RAID.
:

Ubuntu Wiki Articles on RAID .


Software RAID HOWTO

Managing RAID on Linux

4.2. (LVM)
, LVM,
. LVM
RAID,
. ,

.
4.2.1.
LVM
. , LVM,
.
(Physical Volume PV): ,
RAID, LVM PV.
(Volume Group VG):
. VG PV. VG
,
.
(Logical Volume LV):

LVM. LV,
(EXT3, XFS, JFS .)
.

4.2.2.
Ubuntu Server Edition
/srv LVM.
(PV) (VG).
6

https://help.ubuntu.com/community/Installation#raid
http://www.faqs.org/docs/Linux-HOWTO/Software-RAID-HOWTO.html
8
http://oreilly.com/catalog/9781565927308/
7

16


PV , VG
.
LVM, "
LVM"
LVM, "
LVM",
LVM .

LVM,
.
1.

,
, :

2.

" " "".

3.

""
" ".

4.

/boot, swap, /
, .

5.

/srv LVM, .
" " " LVM",
" ".

6.

" "
"" .

7.

" LVM"
" ". VG vg01, -
. ,
LVM, "Continue".

8.

" LVM" "


".
LV, , srv,
. ,
, .
"Finish"
" ".

9.

LVM.
"LVM VG vg01, LV srv" ,
.
, /srv .
" ".

10. "
". .
17


LVM:
pvdisplay: .
vgdisplay: .
lvdisplay: .
4.2.3.
srv, LVM,
, (PV),
(VG), srv
. ,
.
/dev/sdb,
(
).
, /dev/sdb ,
.
, .
1.

, :
sudo pvcreate /dev/sdb

2.

(VG):
sudo vgextend vg01 /dev/sdb

3.

vgdisplay
(PE) Free PE / size (, ). ,
511 PE ( 2 PE 4 )
.
PE / .

(LV)
, PE
LV:
sudo lvextend /dev/vg01/srv -l +511

-l LV, PE. -L
LV , , ..
4.

, ext3
ext4 ,
18


,

( ).
EXT3 EXT4.
, ,
.
sudo umount /srv
sudo e2fsck -f /dev/vg01/srv

-f e2fsck
.
5.

, :
sudo resize2fs /dev/vg01/srv

6.

:
mount /dev/vg01/srv /srv && df -h /srv

4.2.4.
9

Ubuntu Wiki LVM .


LVM HOWTO

10

.
11

Managing Disk Space with LVM


O'Reilly's linuxdevcenter.com.


12

fdisk fdisk man page .

https://help.ubuntu.com/community/Installation#lvm
http://tldp.org/HOWTO/LVM-HOWTO/index.html
11
http://www.linuxdevcenter.com/pub/a/linux/2006/04/27/managing-disk-space-with-lvm.html
12
http://manpages.ubuntu.com/manpages/precise/en/man8/fdisk.8.html
10

19

5.
5.1.
(Kernel Crash Dump)
(RAM), ,
.
:
(Kernel Panic)
(NMI)
(MCE)


(Kernel Panic, NMI)
kexec.
.
, - ,
.
.

5.2.
,
kexec
,
.
.

5.3.

:
sudo apt-get install linux-crashdump

5.4.
,
.
20

5.5.
, ,
. -, ,
crashkernel (, ,
):
cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.2.0-17-server root=/dev/mapper/PreciseS-root ro
crashkernel=384M-2G:64M,2G-:128M

crashkernel :
crashkernel=<range1>:<size1>[,<range2>:<size2>,...][@offset]
range=start-[end] 'start' is inclusive and 'end' is exclusive.

crashkernel, /proc/cmdline
:
crashkernel=384M-2G:64M,2G-:128M

:
384, (
)
384 2 (),
64
2, 128
-, ,
kdump , :
dmesg | grep -i crash
...
[

0.000000] Reserving 64MB of memory at 800MB for crashkernel (System RAM: 1023MB)

5.6.

.
21


, .
, ,
.
, SysRQ ,
/proc/sys/kernel/sysrq:
cat /proc/sys/kernel/sysrq

0, .
:
sudo sysctl -w kernel.sysrq=1

,
(root), sudo.
root echo c > /proc/sysrqtrigger. ,
. .
.
:
sudo -s
[sudo] password for ubuntu:
# echo c > /proc/sysrq-trigger
[
[

31.659002] SysRq : Trigger a crash


31.659749] BUG: unable to handle kernel NULL pointer dereference at

[
[

31.662668] IP: [<ffffffff8139f166>] sysrq_handle_crash+0x16/0x20


31.662668] PGD 3bfb9067 PUD 368a7067 PMD 0

31.662668] Oops: 0002 [#1] SMP

(null)

[
31.662668] CPU 1
....

,
- :
Begin: Saving vmcore from kernel crash ...

.
/var/
crash:
ls /var/crash
linux-image-3.0.0-12-server.0.crash

22

5.7.
,
Linux. :
13

kdump .
14

crash

15

Linux ( Fedora,

)

13

http://www.kernel.org/doc/Documentation/kdump/kdump.txt
http://people.redhat.com/~anderson/
15
http://www.dedoimedo.com/computers/crash-analyze.html
14

23

3.
Ubuntu
, , .
35000
Ubuntu,

.

Ubuntu, ,
,
,
Ubuntu.

24

1.
,
Debian GNU/Linux.
, ,

Ubuntu.
Debian '.deb' , ,
,
, CD-ROM, .
,
.
.
,
. , festival
libasound2,
ALSA, . festival ,
.
Ubuntu .

25

2. dpkg
dpkg , Debian.
, ,
,
.
dpkg :

,
:
dpkg -l

,
. grep,
, :
dpkg -l | grep apache2

apache2 ,
.
, ,
ufw, :
dpkg -L ufw

, , dpkg -S
. :
dpkg -S /etc/host.conf
base-files: /etc/host.conf

, /etc/host.conf base-files.

, , dpkg -S
, .
.deb-, :
sudo dpkg -i zip_3.0-4_i386.deb

zip_3.0-4_i386.deb .deb-,
.
:
26

sudo dpkg -r zip

dpkg
.
, ,
.
, dpkg -r zip zip, ,
,
.
dpkg : man dpkg.

27

3. Apt-Get
apt-get ,
Ubuntu Advanced Packaging Tool (APT), ,
,
,
Ubuntu.
, apt-get

Ubuntu .
SSH
, , ,
cron.
apt-get:
: apt-get
. , nmap, :
sudo apt-get install nmap

: ( ) .
, , :
sudo apt-get remove nmap

:
, .
--purge apt-get remove
. ,

, .
: APT
, , /
etc/apt/sources.list /etc/apt/sources.list.d.
,
, :
sudo apt-get update

: -

(, , ).
28


, ,
, :
sudo apt-get upgrade

Ubuntu 3,
[10].
apt-get, ,
/var/log/dpkg.log
APT
1
Debian APT
:
apt-get help

http://www.debian.org/doc/user-manuals#apt-howto

29

4. Aptitude
Aptitude

Advanced Packaging Tool (APT).


, ,
, Aptitude ,
.
Aptitude ,
.
Aptitude ,
:
sudo aptitude

Aptitude ,
. ,
.
, .
Aptitude
,
.
, Aptitude:
:

ENTER.
+.
, ,
. g
. g ,
. ENTER
.
. , g
. ENTER
.

:

ENTER. ,
-.
, , .
g .
30


g ,
. ENTER .
.
, g , ENTER ,
.
:
u,

. ENTER
.
. .
ENTER, .

:
, , U,
. g
. g
. ENTER
.
. , g
. ENTER
.

, ,
,
:
i:
c: ,
p:
v:
B:
u: ,
C:

H:

Aptitude, q
. Aptitude,
F10.

31

4.1. Aptitude
Aptitude ,
apt-get. nmap ,
apt-get, :
sudo aptitude install nmap

, :
sudo aptitude remove nmap

man-
Aptitude.

32

5.
unattended-upgrades


. -, ,
:
sudo apt-get install unattended-upgrades

unattended-upgrades, /etc/apt/
apt.conf.d/50unattended-upgrades ,
:
Unattended-Upgrade::Allowed-Origins {
"Ubuntu precise-security";
//
};

"Ubuntu precise-updates";

"" ,
. "" :
Unattended-Upgrade::Package-Blacklist {
//
//

"vim";
"libc6";

//
//

"libc6-dev";
"libc6-i686";

};

// , ,
"//", .
, /etc/apt/
apt.conf.d/10periodic
apt:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

,
.
.
apt
//etc/cron.daily/apt.
33


unattended-upgrades /var/log/unattendedupgrades.

5.1.
Unattended-Upgrade::Mail /etc/apt/apt.conf.d/50unattended-upgrades
unattended-upgrades
,
.

apticron. apticron cron



, ,
.
apticron :
sudo apt-get install apticron

/etc/apticron/apticron.conf,
:
EMAIL="root@example.com"

34

6.
Advanced Packaging Tool (APT)
/etc/apt/sources.list /etc/apt/sources.list.d.

.
2

/etc/apt/
sources.list.
.
, Ubuntu

, :
# no more prompting for CD-ROM please
# deb cdrom:[Ubuntu 12.04 _Precise Pangolin_ - Release i386 (20111013.1)]/ precise main restricted

6.1.

Ubuntu , ,
,
.
Universe Multiverse.
Ubuntu, , ,

Ubuntu.
Multiverse ,

,
, .

, , Universe
Multiverse, .
,
.
,
(,
,
).
2

../sample/sources.list

35


.
, , ,
, ,
.
, Universe Multiverse ,
, /etc/apt/sources.list
:
deb http://archive.ubuntu.com/ubuntu precise universe multiverse
deb-src http://archive.ubuntu.com/ubuntu precise universe multiverse
deb http://us.archive.ubuntu.com/ubuntu/ precise universe
deb-src http://us.archive.ubuntu.com/ubuntu/ precise universe
deb http://us.archive.ubuntu.com/ubuntu/ precise-updates universe
deb-src http://us.archive.ubuntu.com/ubuntu/ precise-updates universe
deb http://us.archive.ubuntu.com/ubuntu/ precise multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ precise multiverse
deb http://us.archive.ubuntu.com/ubuntu/ precise-updates multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ precise-updates multiverse
deb http://security.ubuntu.com/ubuntu precise-security universe
deb-src http://security.ubuntu.com/ubuntu precise-security universe
deb http://security.ubuntu.com/ubuntu precise-security multiverse
deb-src http://security.ubuntu.com/ubuntu precise-security multiverse

36

7.
, ,
man, .
3

Wiki- Ubuntu
.
dpkg
4
man dpkg .
5

APT HOWTO man apt-get


apt-get.

man aptitude
.
8

HOWTO (Ubuntu Wiki)


.

3
4
5
6
7
8

https://help.ubuntu.com/community/InstallingSoftware
http://manpages.ubuntu.com/manpages/precise/en/man1/dpkg.1.html
http://www.debian.org/doc/manuals/apt-howto/
http://manpages.ubuntu.com/manpages/precise/en/man8/apt-get.8.html
http://manpages.ubuntu.com/manpages/precise/man8/aptitude.8.html
https://help.ubuntu.com/community/Repositories/Ubuntu

37

4.
, , ,
,
,

.

,
.

38

1.
Ubuntu
.

.

1.1. Ethernet
Ethernet ethX, X
. Ethernet eth0, eth1,
.
1.1.1. Ethernet

ifconfig, .
ifconfig -a | grep eth
eth0

Link encap:Ethernet

HWaddr 00:15:c5:4a:16:5a

,
lshw .
lshw Ethernet
eth0 ,
.
sudo lshw -class network
*-network
description: Ethernet interface
product: BCM4401-B0 100Base-TX
vendor: Broadcom Corporation
physical id: 0
bus info: pci@0000:03:00.0
logical name: eth0
version: 02
serial: 00:15:c5:4a:16:5a
size: 10MB/s
capacity: 100MB/s
width: 32 bits
clock: 33MHz
capabilities: (snipped for brevity)
configuration: (snipped for brevity)
resources: irq:17 memory:ef9fe000-ef9fffff

39


1.1.2. Ethernet
/etc/udev/rules.d/70persistent-net.rules. ,
, ,
MAC- , NAME=ethX
.
.
1.1.3. Ethernet
ethtool ,
, (auto-negotiation),
, Wake-on-LAN (
). ,
.
sudo apt-get install ethtool

,
Ethernet.
sudo ethtool eth0
Settings for eth0:
Supported ports: [ TP ]
Supported link modes:

10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full

1000baseT/Half 1000baseT/Full
Supports auto-negotiation: Yes
Advertised link modes:

10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Half 1000baseT/Full

Advertised auto-negotiation: Yes


Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: g
Wake-on: d
Current message level: 0x000000ff (255)
Link detected: yes

, ethtool,
. ,
ethtool pre-up /etc/
network/interfaces.
40


, , eth0,
1000 /
.
auto eth0
iface eth0 inet static
pre-up /sbin/ethtool -s eth0 speed 1000 duplex full

, ,
, ,
DHCP.
pre-up
.

1.2. IP
IP-
,
.
1.2.1. IP-

, ip, ifconfig route,
GNU/Linux.
, ,
.
IP-
ifconfig . IP-
.
sudo ifconfig eth0 10.0.0.100 netmask 255.255.255.0

IP- eth0
ifconfig :
ifconfig eth0
eth0
Link encap:Ethernet
inet addr:10.0.0.100

HWaddr 00:15:c5:4a:16:5a
Bcast:10.0.0.255

Mask:255.255.255.0

inet6 addr: fe80::215:c5ff:fe4a:165a/64 Scope:Link


UP BROADCAST RUNNING MULTICAST

MTU:1500

Metric:1

RX packets:466475604 errors:0 dropped:0 overruns:0 frame:0


TX packets:403172654 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2574778386 (2.5 GB)

TX bytes:1618367329 (1.6 GB)

41


Interrupt:16

route
.
.
sudo route add default gw 10.0.0.1 eth0

route
:
route -n
Kernel IP routing table
Destination
Gateway
10.0.0.0
0.0.0.0
0.0.0.0
10.0.0.1

Genmask
255.255.255.0
0.0.0.0

Flags Metric Ref


U
1
0
UG
0
0

Use Iface
0 eth0
0 eth0

DNS ,
IP- DNS- /etc/resolv.conf.
DNS- /etc/resolv.conf,
.
DNS
.
nameserver 8.8.8.8
nameserver 8.8.4.4


IP , ip
flush :
ip addr flush eth0

IP ip
/etc/resolv.conf.
.
1.2.2. IP- ( DHCP)
DHCP
, dhcp inet
/etc/network/interfaces.
, Ethernet,
eth0.

42


auto eth0
iface eth0 inet dhcp

,
ifup, DHCP
dhclient.
sudo ifup eth0


ifdown, DHCP
.
sudo ifdown eth0

1.2.3. IP-

IP- static inet
/etc/network/interfaces. ,
Ethernet,
eth0. , ,
.
auto eth0
iface eth0 inet static
address 10.0.0.100
netmask 255.255.255.0
gateway 10.0.0.1

,
ifup.
sudo ifup eth0


ifdown.
sudo ifdown eth0

1.2.4. Loopback ( )
loopback lo
127.0.0.1. ifconfig.
ifconfig lo

43


lo

Link encap:Local Loopback


inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2718 errors:0 dropped:0 overruns:0 frame:0
TX packets:2718 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:183308 (183.3 KB) TX bytes:183308 (183.3 KB)

/etc/network/interfaces
, loopback.
,
.
.
auto lo
iface lo inet loopback

1.3.
IP-
IP- ,
. ,
DNS
.
1.3.1. DNS
/etc/resolv.conf ,

DHCP .
resolvconf

.
,
, , . Resolvconf
,
.
, /etc/resolv.conf
resolveconf.
resolveconf DHCP /etc/network/
interfaces ,
/etc/resolv.conf, :
/etc/resolv.conf -> ../run/resolvconf/resolv.conf

44


IP- ,
, /etc/network/interfaces.
DNS
.
resolv.conf
dns-.
:
iface eth0 inet static
address 192.168.3.3
netmask 255.255.255.0
gateway 192.168.3.1
dns-search example.com
dns-nameservers 192.168.3.45 192.168.8.10

search ,
DNS- ,
. ,
: example.com ,
sales.example.com dev.example.com.
, ,
:
iface eth0 inet static
address 192.168.3.3
netmask 255.255.255.0
gateway 192.168.3.1
dns-search example.com sales.example.com dev.example.com
dns-nameservers 192.168.3.45 192.168.8.10

ping server1,
DNS
(FQDN) :
1. server1.example.com
2. server1.sales.example.com
3. server1.dev.example.com
, DNS notfound
DNS .
1.3.2.

- IP, /etc/hosts. ,
45


hosts, DNS. ,
/etc/hosts,
DNS. ,
, ,
,
DNS.
hosts,
,
(FQDN).
127.0.0.1
127.0.1.1
10.0.0.11
10.0.0.12

localhost
ubuntu-server
server1 vpn server1.example.com
server2 mail server2.example.com

10.0.0.13 server3 www server3.example.com


10.0.0.14 server4 file server4.example.com

,
.
Server1 vpn, server2 mail,
server3 www, and server4 file.
1.3.3.
,
IP
(NSS) /etc/nsswitch.conf.
, ,
/etc/hosts,
DNS. ,
/etc/hosts.
hosts:

files mdns4_minimal [NOTFOUND=return] dns mdns4

files /etc/hosts.
mdns4_minimal
(multicast) DNS.
[NOTFOUND=return] , notfound,
mdns4_minimal
(),
.
dns (legacy unicast)
DNS-.
46


mdns4 (multicast) DNS-.

hosts:

. ,
DNS DNS, /etc/nsswitch.conf
:
hosts:

files dns [NOTFOUND=return] mdns4_minimal mdns4

1.4.
,
.

(firewall)
.

.
.
bridgeutils. :
sudo apt-get install bridge-utils

, /etc/network/interfaces:
auto lo
iface lo inet loopback
auto br0
iface br0 inet static
address 192.168.0.10
network 192.168.0.0
netmask 255.255.255.0
broadcast 192.168.0.255
gateway 192.168.0.1
bridge_ports eth0
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off


.
47


:
sudo /etc/init.d/networking restart

.
application>brctl

1.5.
1

Ubuntu Wiki Network


.
2

man- resolvconf resolvconf.


3

man- interfaces
/etc/network/interfaces.
4

man- dhclient
DHCP.

DNS-
5
resolver man page . 6 O'Reilly
6
Linux
.
man7
8
brctl Net:Bridge Linux Foundation.

1
2
3
4
5
6
7
8

https://help.ubuntu.com/community/Network
http://manpages.ubuntu.com/manpages/man8/resolvconf.8.html
http://manpages.ubuntu.com/manpages/man5/interfaces.5.html
http://manpages.ubuntu.com/manpages/man8/dhclient.8.html
http://manpages.ubuntu.com/manpages/man5/resolver.5.html
http://oreilly.com/catalog/linag2/book/ch06.html
http://manpages.ubuntu.com/manpages/man8/brctl.8.html
http://www.linuxfoundation.org/en/Net:Bridge

48

2. TCP/IP
(TCP/IP)
, 70-
(DARPA)
.
TCP/IP,
.

2.1. TCP/IP
TCP/IP
. "IP" TCP/IP
,
, IP- ()
. IP-
. "TCP" TCP/IP
,
. TCP ,
,
, .

2.2. TCP/IP
TCP/IP ,
,

(Dynamic Host Configuration Protocol, DHCP),
, ,
TCP/IP .
,
Ubuntu .
TCP/IP :
IP . IP ,

(0) (255), ;
(8) ,
(32) . dotted quad
notation ( ).
(Netmask). ( , netmask)
, , IP49


, , , (subnetwork).
, C,
255.255.255.0, IP-
IP-
.
( ). ( )
, IP-.
, 12.128.1.2 A 12.0.0.0
, 12
IP- ( ), (0)
. ,
IP- 192.168.1.100, , ,
192.168.1.0,
192.168.1 C (0)
.

. IP,
.
IP- 255.255.255.255,

,
.
, . ,
192.168.1.0 C,
192.168.1.255.
, ARP (Address Resolution
Protocol ) RIP (Routing Information
Protocol ).
(Gateway Address). IP-,
, , .


, ,
(gateway).
, ,
,
, .
,
, .

. IP-
(DNS),
IP-. ,
50


: ,
.

IP-, ,
TCP/IP .

,
, , Level3 (Verizon)
4.2.2.1 4.2.2.6.

IP-, , ,

/etc/network/interfaces.
nameserver /etc/
resolv.conf.
interfaces resolv.conf,
, :

interfaces :
man interfaces


resolv.conf :
man resolv.conf

2.3. IP-
IP

TCP/IP, .

,
,
. IP-:
.

IP- .
route.
,
, (
51


, ,
),
.
, .
,
.
,
.

IP-
. ,
RIP (Router Information Protocol
),
,
.

. ,
.
, ,

.
-
. ,
, , ,

,
, .

2.4. TCP UDP


TCP ,

(flow control). ,

,
(collisions). TCP ,
.
(UDP User Datagram
Protocol), ,
,
,
. UDP
52


,
TCP -
, .

2.5. ICMP
(Internet Control
Messaging Protocol, ICMP) -
(IP), RFC#792 (Request For Comments),
,
, . ICMP
, , ping,

. , ,
ICMP, ,
, (Destination
Unreachable) (Time Exceeded).

2.6.
, , ,

, .
; , ,
Ubuntu,
.
Hyper Text Transport Protocol Daemon (httpd),
-, Secure SHell Daemon (sshd),

Internet Message Access Protocol Daemon (imapd),
.

2.7.
9

10

TCP IP ,
.
11

TCP/IP Tutorial and Technical Overview


IBM.

O'Reilly TCP/IP Network


12
Administration .
9

http://manpages.ubuntu.com/manpages/precise/en/man7/tcp.7.html
http://manpages.ubuntu.com/manpages/precise/man7/ip.7.html
11
http://www.redbooks.ibm.com/abstracts/gg243376.html
12
http://oreilly.com/catalog/9780596002978/
10

53

3.
(Dynamic Host Configuration Protocol, DHCP)
DHCP ( ) ,

. ,
DHCP , ,
DHCP ,
.
, , DHCP
, :
IP-

IP-
IP- DNS

, DHCP
, :

DHCP- ,
, , DNS-,
DHCP-.
DHCP-
DHCP-.
, ,
IP-.
IP-.
DHCP ,
:
( MAC-)
DHCP
,
,
, DHCP-
DHCP-, . ,

MAC-.
54


( )
DHCP IP-
( )
( ), ,
, .
,
.
DHCP ,


DHCP-. ,
.
.


, DHCP
IP-, .
DHCP , DHCP
.

DHCP-
. ,
, ,
. Ubuntu DHCP- .
dhcpd (
). , Ubuntu dhclient,
, .

.

3.1.
dhcpd :
sudo apt-get install isc-dhcp-server

,
/etc/dhcp/dhcpd.conf
.
/etc/default/isc-dhcp-server
, dhcpd.
: dhcpd syslog.
.
55

3.2.
, ,
,
:
, IP-.
:
# minimal sample /etc/dhcp/dhcpd.conf
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.150 192.168.1.200;
option routers 192.168.1.254;
option domain-name-servers 192.168.1.1, 192.168.1.2;
option domain-name "mydomain.example";
}

DHCP- IP-
192.168.1.150-192.168.1.200. IP- 600
, - .
() 7200 .
, 192.168.1.254
192.168.1.1 192.168.1.2
DNS.

dhcpd:
sudo /etc/init.d/isc-dhcp-server restart

3.3.
dhcp3-server Ubuntu Wiki

13

/etc/dhcp/dhcpd.conf man-
14
dhcpd.conf .
15

ISC dhcp-server

13

https://help.ubuntu.com/community/dhcp3-server
http://manpages.ubuntu.com/manpages/precise/en/man5/dhcpd.conf.5.html
15
http://www.isc.org/software/dhcp
14

56

4. NTP
NTP TCP/IP .
,
.


NTP-, ,

. ,
,
,
, . , ,
!
Ubuntu ntpdate ntpd.

4.1. ntpdate
Ubuntu ntpdate,
, NTP Ubuntu.
ntpdate -s ntp.ubuntu.com

4.2. ntpd
ntpd
, ,
, , .
,
.

4.3.
ntpd, :
sudo apt-get install ntp

4.4.
/etc/ntp.conf, .
:

57


# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org


ntpd:

sudo /etc/init.d/ntp reload

4.5.
ntpq, :
# sudo ntpq -p
remote

refid

st t when poll reach

delay

offset

jitter

==============================================================================
+stratum2-2.NTP. 129.70.130.70
2 u
5
64 377
68.461 -44.274 110.334
+ntp2.m-online.n 212.18.1.106

2 u

64

377

54.629

-27.318

78.882

*145.253.66.170 .DCFa.
+stratum2-3.NTP. 129.70.130.70

1 u
2 u

10
5

64
64

377
357

83.607
68.795

-30.159 68.343
-68.168 104.612

+europium.canoni 193.79.237.14

2 u

63

64

337

81.534

-67.968

92.792

4.6.
16

- Ubuntu Time .
ntp.org, Network Time Protocol

16
17

https://help.ubuntu.com/community/UbuntuTime
http://www.ntp.org/

58

17

5.
(DMMultipath)

59


(DM-Multipath)

1.
(Device Mapper Multipathing)
(DM-Multipath)
/
. /
(SAN),
, .
/,
, .
DM-Multipath,
Ubuntu Server 12.04.
DM-Multipath ,
DM-Multipath.

1.1. Ubuntu Server


12.04
multipath-0.4.8 multipath-0.4.9.
1.1.1. 0.4.8

, .
.
prio_callout prio,
, . :
device {
vendor "NEC"
product "DISK ARRAY"
prio_callout mpath_prio_alua /dev/%n
prio

alua

. [60],
.

5.1.

v0.4.8

v0.4.9

prio_callout mpath_prio_emc /dev/%n


60

prio emc


(DM-Multipath)
v0.4.8

v0.4.9

prio_callout mpath_prio_alua /dev/%n

prio alua

prio_callout mpath_prio_netapp /dev/%n

prio netapp

prio_callout mpath_prio_rdac /dev/%n

prio rdac

prio_callout mpath_prio_hp_sw /dev/%n

prio hp_sw

prio_callout mpath_prio_hds_modular %b

prio hds


/, ,
prio_callout prio,
prio .
prio_calliout
.

1.2.
DM-Multipath :
. DM-Multipath
/ . /

/. - / (,
) , DM-Multipath
.
. DM-Multipath
/ , /
. DMMultipath /
.

1.3.
DM-Multipath
, DM-Multipath.
multipath.conf.defaults.
DM-Multipath
,
DM-Multipath multipath.conf.
DM-Multipath The DM-Multipath Configuration
File.
/ .
.
61


(DM-Multipath)

1.4. DM-Multipath
DM-Multipath DMMultipath.

5.2. DM-Multipath


dm_multipath

/
failover .

multipath

multipath.
/etc/rc.sysinit,
udev ,
,
initramfs.

multipathd ;
,
.
multipath.

/etc/multipath.conf .
kpartx


.
DOS- DMMultipath. kpartx
, multipath-tools
.

1.5. DM-Multipath
DM-Multipath ,
.
DM-Multipath .
DM-Multipath :
1. multipath-tools multipath-tools-boot.
2. /etc/multipath.conf,

3. ,
multipath.conf .
4. multipath
5. ramdisk
62


(DM-Multipath)
multipath Setting
Up DM-Multipath.

63


(DM-Multipath)

2.
DM-Multipath
,
/
. DM-Multipath
/
.

2.1.


(WWID),
.
WWID.
user_friendly_names ,
DM-Multipath node-unique
mpathn . , (HBA),

(FC), : /dev/sda,
/dev/sdb, /dev/sdc /dev/sdd. DM-Multipath
WWID, /
.
user_friendly_names yes,
mpathn.
DM-Multipath,
/dev: /dev/mapper/mpathn /dev/dm-n.
/dev/mapper .
,
, .

/dev/dm-n
.

, user_friendly_names,
DM-Multipath. ,
multipath ,
alias multipaths
multipath. multipaths
multipath .
.
64


(DM-Multipath)

2.2.

user_friendly_names yes,
,
, . ,
alias multipaths
multipath.conf,
. LVM
,
,
user_friendly_names no
. , user_friendly_names
yes ,
WWID, .
,
, :
1. .
2. ,
:
# service multipath-tools stop
# multipath -F

3. /etc/multipath/bindings
.
4. multipathd
:
# service multipath-tools start

,
.
, ,
, ,
/etc/multipath.conf ,
:
1. multipath.conf
.
2. ,
:
# service multipath-tools stop
# multipath -F

65


(DM-Multipath)
3. multipath.conf
.
4. multipathd
:
# service multipath-tools start

, .

2.3.
user_friendly_names alias,
.
multipaths,
multipath .
multipaths "
".

2.4.

,
LVM. , /dev/mapper/
mpatha, /dev/mapper/mpatha
:
# pvcreate /dev/mapper/mpatha

LVM
LVM ,
.
LVM ,
, pvcreate
.

LVM,
/
,
lvm.conf ,
. ,
[] /

, LVM ,
. / ,

66


(DM-Multipath)
, LVM .
SCSI LVM (lvm.conf),
devices :
filter = [ "r/block/", "r/disk/", "r/sd.*/", "a/.*/" ]

/etc/lvm.conf, initrd ,
, ,
. :
update-initramfs -u -k all

, /etc/lvm.conf /etc/multipath.conf, initrd


.
,
.

67


(DM-Multipath)

3. DM-Multipath
DMMultipath. :
DM-Multipath

3.1. DM-Multipath
DM-Multipath ,
multipath-tools.
(SAN),
multipath-tools-boot.
/etc/multipath.conf .
multpath /etc/multipath.conf,
,
. multipath -ll

(multipaths),
, -
.
(SAN), multipath,
/usr/share/doc/multipath-tools/examples,
multipathd:
# echo 'show config' | multipathd -k > multipath.conf-live

multipathd, /etc/
multipath.conf, ,
/etc/multipath.conf .
/etc/multipath.conf,
touch, ,
:
defaults {
user_friendly_names no
}

multipathd:
# service multipath-tools restart

"show config" .
68


(DM-Multipath)

3.2.

1

install disk-detect/multipath/enable=true

. ,
/dev/mapper/mpath<X>.

3.3.

SCSI
. DM-Multipath .
multipath
.

1. , ,
. /dev/sda .
,
multipath, multipath -v2
/dev/sda .
multipath
Multipath Command Output.
# multipath -v2
create: SIBM-ESXSST336732LC____F3ET0EP0Q000072428BX1 undef WINSYS,SF2372
size=33 GB features="0" hwhandler="0" wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
|- 0:0:0:0 sda 8:0 [--------device-mapper ioctl cmd 9 failed: Invalid argument
device-mapper ioctl cmd 14 failed: No such device or address
create: 3600a0b80001327d80000006d43621677 undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
|- 2:0:0:0 sdb 8:16 undef ready running
`- 3:0:0:0 sdf 8:80 undef ready running
create: 3600a0b80001327510000009a436215ec undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
|- 2:0:0:1 sdc 8:32 undef ready running
`- 3:0:0:1 sdg 8:96 undef ready

running

http://wiki.debian.org/DebianInstaller/MultipathSupport

69


(DM-Multipath)
create: 3600a0b80001327d800000070436216b3 undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
|- 2:0:0:2 sdd 8:48 undef ready running
`- 3:0:0:2 sdg 8:112 undef ready running
create: 3600a0b80001327510000009b4362163e undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
|- 2:0:0:3 sdd 8:64 undef ready running
`- 3:0:0:3 sdg 8:128 undef ready running

2. /dev/sda
multipath, blacklist /etc/multipath.conf
.
sda devnode,
, , /dev/sda
.
, WWID. ,
multipath -v2 WWID /dev/sda
SIBM-ESXSST336732LC____F3ET0EP0Q000072428BX1.
, /etc/multipath.conf.
blacklist {
wwid SIBM-ESXSST336732LC____F3ET0EP0Q000072428BX1
}

3. /etc/multipath.conf,
multipathd .
/etc/
multipath.conf.
# service multipath-tools reload

4.
:
# multipath -f SIBM-ESXSST336732LC____F3ET0EP0Q000072428BX1

5. , ,
multipath -ll
multipath. multipath -ll
Multipath Queries with multipath Command. ,
,
multipath, .
multipath v2,
-v.

70


(DM-Multipath)
# multipath
create: 3600a0b80001327d80000006d43621677 undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
|- 2:0:0:0 sdb 8:16 undef ready running
`- 3:0:0:0 sdf 8:80 undef ready running
create: 3600a0b80001327510000009a436215ec undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
|- 2:0:0:1 sdc 8:32 undef ready running
`- 3:0:0:1 sdg 8:96 undef ready

running

create: 3600a0b80001327d800000070436216b3 undef WINSYS,SF2372


size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
|- 2:0:0:2 sdd 8:48 undef ready running
`- 3:0:0:2 sdg 8:112 undef ready running
create: 3600a0b80001327510000009b4362163e undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
|- 2:0:0:3 sdd 8:64 undef ready

running

`- 3:0:0:3 sdg 8:128 undef ready

running

3.4.
DM-Multipath
, DM-Multipath.
,
, multipath.conf.defaults.
, ,
/etc/multipath.conf
.
, HP Open-V series
, %n :
devices {
device {
vendor "HP"
product "OPEN-V."
getuid_callout "/lib/udev/scsi_id --whitelisted --device=/dev/%n"
}
}


[83].

71


(DM-Multipath)

4. DM-Multipath
DM-Multipath
. DM-Multipath
,
DM-Multipath.
multipath.conf.defaults.

DM-Multipath, /etc/multipath.conf.
, ,
, .
multipath.conf.
:
[72]
" " [73]
[75]
[81]
[83]
multipath
, ,
,
multipath.conf.defaults. ,
,
, ,
.
.

/usr/share/doc/multipath-tools/examples/multipath.conf.annotated.gz.

4.1.
multipath :
blacklist
,
multipath.
blacklist_exceptions
,
blacklist.
72


(DM-Multipath)
defaults
DM-Multipath.
multipath

. ,
defaults devices.
devices
.
, defaults.
,
,
devices.
,
multipath, devices,
.

4.2. " "


blacklist multipath
, ,
. , ,
.
,
, :
WWID, WWID [73]
,
[74]
,
[74]

blacklist .
[74]
4.2.1. WWID

(WWID) wwid
blacklist .
,
WWID 26353900f02796769.
73


(DM-Multipath)
blacklist {
wwid 26353900f02796769
}

4.2.2.
,
,
devnode blacklist.
,
SCSI ,
sd*.
blacklist {
devnode "^sd[a-z]"
}

devnode blacklist

. , , ,
, udev,

. ,
/dev/sda /dev/sdb.
devnode
blacklist. , ,
DM-Multipath.
,
blacklist_exceptions
[75]
blacklist {
devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*"
devnode "^hd[a-z]"
}

4.2.3.
blacklist
device.
IBM DS4200 HP.
blacklist {
device {

74


(DM-Multipath)
vendor "IBM"
product "3S42"

#DS4200 Product 10

}
device {
vendor

"HP"

product "*"
}
}

4.2.4.
blacklist_exceptions
,
.
,
( WWID 3600d0230000000000e13955cc3757803), ,
,
,
/etc/multipath.conf.
blacklist {
wwid "*"
}
blacklist_exceptions {
wwid "3600d0230000000000e13955cc3757803"
}

blacklist_exceptions
,
, blacklist. , WWID
, blacklist devnode,
WWID.
devnode devnode,
device device.

4.3.
/etc/multipath.conf defaults,
user_friendly_names yes, :
defaults {
user_friendly_names yes
}

user_friendly_names
.
75


(DM-Multipath)
.
:
#defaults {
#
udev_dir

/dev

#
#

polling_interval
selector

5
"round-robin 0"

#
#

path_grouping_policy
getuid_callout

failover
"/lib/dev/scsi_id --whitelisted --device=/dev/%n"

#
#
#
#
#

prio
const
path_checker directio
rr_min_io 1000
rr_weight uniform
failback manual

# no_path_retry fail
# user_friendly_names no
#}



defaults . ,
path_grouping_policy multibus
failover,
, :
defaults {
user_friendly_names
path_grouping_policy

yes
multibus

Multipath [76] ,
defaults multipath.conf.
DM-Multipath,
, devices multipaths
multipath.conf.

5.3. Multipath

polling_interval


.
,
(4 * polling_interval).
5.

udev_dir

, udev.
/dev.
76


(DM-Multipath)

multipath_dir

,
.
, /lib/multipath.

verbosity

.

. 0 6.
2.

path_selector


/ .
:
round-robin 0:
, .
queue-length 0:

.
service-time 0:
,

/
.
round-robin 0.

path_grouping_policy


. :
failover = 1
multibus = 1

group_by_serial = 1

group_by_prio = 1

group_by_node_name = 1

failover.

77


(DM-Multipath)

getuid_callout


.
.
/lib/udev/scsi_id --whitelisted
--device=/dev/%n.

prio


. , ALUA
SPC-3
prio. :
const: 1
.
emc:
EMC.
alua:
ALUA SCSI-3.
netapp:
NetApp.
rdac:
LSI/Engenio RDAC.
hp_sw:
Compaq/HP /
.
hds:
Hitachi HDS Modular.
const.

prio_args

, prio.
prio .
datacore .
, "timeout=1000 preferredsds=foo".
(null) "".

features


.
- queue_if_no_path,
no_path_retry queue.
,
,
"Issues with queue_if_no_path feature".
78


(DM-Multipath)

path_checker


. :
readsector0: .
tur: TEST UNIT READY .
emc_clariion: EMC Clariion
EVPD 0xC0.
hp_sw:

HP
/.

rdac:
.
directio: .
directio.
failback


.
immediate

, .
manual ,


.
0

.
manual.

rr_min_io

/

.
1000.

rr_weight

priorities, rr_min_io
,
path_selector,
,
rr_min_io. uniform,
.
79


(DM-Multipath)

uniform.

no_path_retry



.
immediate ,
. queue

.
0.

user_friendly_names
yes, ,
/etc/multipath/bindings
alias
multipath mpathn.
no, WWID
alias multipath. ,

multipaths .
no.
queue_without_daemon
no, multipathd
, .
yes.
flush_on_last_del

yes, multipath
,
.
no.

max_fds


, multipath
multipathd.
ulimit -n.
/proc/sys/fs/nr_open.
,

,
1024. ,
+ 32,
1024.

80


(DM-Multipath)

checker_timer

,
SCSI ,
.
/sys/block/sdx/
device/timeout, 30 .
Ubuntu 12.04 LTS.

fast_io_fail_tmo

, SCSI

(FC)
/ .
,
dev_loss_tmo. off
.

.

dev_loss_tmo

, SCSI

(FC)
. infinity
2147483647 . (68 ).

.

4.4.
[81] ,

multipaths multipath.conf.

. DM-Multipath
, defaults devices
multipath.conf.

5.4.

wwid

WWID multipath,
multipath.
multipath.conf.
81


(DM-Multipath)

alias


multipath,
multipath. user_friendly_names,
mpathn.


.


multipath section
path_grouping_policy
path_selector
failback
prio
prio_args
no_path_retry
rr_min_io
rr_weight
flush_on_last_del
,
.
WWID 3600508b4000156d70001200000b0000
yellow.
WWID of 1DEC_____321816758474
red. rr_weight
priorities.
multipaths {
multipath {
wwid

3600508b4000156d70001200000b0000

alias

yellow

path_grouping_policy

multibus

path_selector

"round-robin 0"

failback
rr_weight

manual
priorities

no_path_retry

}
multipath {
wwid
alias

1DEC_____321816758474
red

rr_weight

priorities

82


(DM-Multipath)
}
}

4.5.
[84] ,

devices multipath.conf.
DM-Multipath
multipaths multipath.conf ,
.
defaults multipath.conf.
, ,
multipath.
, ,
multipath.conf.defaults. ,
, ,
, ,
.
multipath.conf.annotated.gz ,
, multipath.conf.synthetic
, .

,
,
vendor product. ,
/sys/block/device_name/device/vendor /sys/block/
device_name/device/model, device_name ,
, :
# cat /sys/block/sda/device/vendor
WINSYS
# cat /sys/block/sda/device/model
SF2372


. /, , ,
.
path_grouping_policy multibus. ,
, , no_path_retry and
rr_min_io, [81].
/,
/ ,
83


(DM-Multipath)
, /
(
). ,
path_checker tur; SCSI ,
Test Unit Ready, .

,

.
emc. , , ,
multipath.

5.5.

vendor


,
, , COMPAQ.

product

,
, , HSV110
(C)COMPAQ.

revision

product_blacklist

hardware_handler ,
,

/.
:
1 emc: EMC.
1 alua: SCSI-3 ALUA.
1 hp_sw: Compaq/HP.
1 rdac: LSI/Engenio
RDAC.

device
path_grouping_policy
getuid_callout
path_selector
84


(DM-Multipath)
path_checker
features
failback
prio
prio_args
no_path_retry
rr_min_io
rr_weight
fast_io_fail_tmo
dev_loss_tmo
flush_on_last_del
Whenever a hardware_handler is specified, it is your responsibility to
ensure that the appropriate kernel module is loaded to support the
specified interface. These modules can be found in /lib/modules/`uname r`/kernel/drivers/scsi/device_handler/ . The requisite module should be
integrated into the initrd to ensure the necessary discovery and failoverfailback capacity is available during boot time. Example,
# cat scsi_dh_alua >> /etc/initramfs-tools/modules

## append module to file

# update-initramfs -u -k all

device
multipath:
#devices {
# device {
# vendor

"COMPAQ

"

#
#

product
"MSA1000
"
path_grouping_policy multibus

path_checker

rr_weight

tur

priorities

# }
#}

, vendor, product, revision


, multipath
, SCSI,
2
Standard INQUIRY . , vendor, product
revision .
. ,
, multipath
2

http://en.wikipedia.org/wiki/SCSI_Inquiry_Command

85


(DM-Multipath)
.
,
, :
vendor: 8
product: 16
revision: 4

. ^ $ [ ] . * ?
+.
multipath multipath.conf ,
/usr/share/doc/multipath-tools/examples:
# echo 'show config' | multipathd -k

86


(DM-Multipath)

5. DM-Multipath

5.1.


, :
1.

.
.

2.


(LUN):
# multipath -l

3.

. SCSI 1 rescan
SCSI ,
:
# echo 1 > /sys/block/device_name/device/rescan

4.


multipathd:
# multipathd -k 'resize map mpatha'

5.

(,
LVM DOS ):
# resize2fs /dev/mapper/mpatha

5.2.

UUID
. multipathtools-boot . ramdisk
multipath
UUID.
multipath.conf initrd
update-initramfs -u -k all.
multipath.conf ramdisk
blacklist
device.
87


(DM-Multipath)

5.3.

,

.

5.4. Multipath
multipath, ,
multipath , " DM-Multipath".
multipathd ,
multipathd .
multipathd
multipathd, .

5.5. queue_if_no_path
features "1 queue_if_no_path" /
etc/multipath.conf, , -,
, .
no_path_retry N /etc/
multipath.conf.
no_path_retry,
features "1 queue_if_no_path" /etc/multipath.conf.
,
features "1 queue_if_no_path" ,
SAN, features "0"
.
devices ( ),
/usr/share/doc/multipath-tools/examples/multipath.conf.annotated.gz /etc/
multipath.conf

features "1 queue_if_no_path"


,
LUN (..
). ,
mpathc "queue_if_no_path"
"fail_if_no_path" :
# dmsetup message mpathc 0 "fail_if_no_path"

mpathN .

88


(DM-Multipath)

5.6. multipath
,
, .
. :

action_if_any: alias (wwid_if_different_from_alias) dm_device_name_if_known vendor,product


size=size features='features' hwhandler='hardware_handler' wp=write_permission_if_known

:
-+- policy='scheduling_policy' prio=prio_if_known
status=path_group_status_if_known

:
`- host:channel:id:lun devnode major:minor dm_status_if_known path_status
online_status

, multipath :
3600d0230000000000e13955cc3757800 dm-1 WINSYS,SF2372
size=269G features='0' hwhandler='0' wp=rw
|-+- policy='round-robin 0' prio=1 status=active
| `- 6:0:0:0 sdb 8:16 active ready running
`-+- policy='round-robin 0' prio=1 status=enabled
`- 7:0:0:0 sdf 8:80

active ready

running

-, ready
() ghost (). , faulty
() shaky ().
multipathd ,
/etc/multipath.conf.
dm , .
dm : failed, faulty,
active, .
dm .
online_status running offline. offline
, SCSI .
,
, dm , dm
. .

5.7. multipath
-l -ll multipath
multipath. -l multipath,
sysfs . -ll
89


(DM-Multipath)
, -l,
.
multipath ,

-v multipath. v0 . -v1
,
, kpartx.
-v2 ,
.
verbosity multipath 2
verbosity defaults
multipath.conf.
multipath -l.
# multipath -l
3600d0230000000000e13955cc3757800 dm-1 WINSYS,SF2372
size=269G features='0' hwhandler='0' wp=rw
|-+- policy='round-robin 0' prio=1 status=active
| `- 6:0:0:0 sdb 8:16 active ready running
`-+- policy='round-robin 0' prio=1 status=enabled
`- 7:0:0:0 sdf 8:80

active ready

running

multipath -ll.
# multipath -ll
3600d0230000000000e13955cc3757801 dm-10 WINSYS,SF2372
size=269G features='0' hwhandler='0' wp=rw
|-+- policy='round-robin 0' prio=1 status=enabled
| `- 19:0:0:1 sdc 8:32

active ready

running

`-+- policy='round-robin 0' prio=1 status=enabled


`- 18:0:0:1 sdh 8:112 active ready running
3600d0230000000000e13955cc3757803 dm-2 WINSYS,SF2372
size=125G features='0' hwhandler='0' wp=rw
`-+- policy='round-robin 0' prio=1 status=active
|- 19:0:0:3 sde 8:64

active ready

running

`- 18:0:0:3 sdj 8:144 active ready

running

5.8. multipath
multipath [90]
multipath, .

5.6. multipath

-l

multipath,
sysfs .
90


(DM-Multipath)

-ll

multipath,
sysfs,
.

-f device

-F

5.9.
dmsetup
dmsetup ,

.

. dm
. , 3
/dev/dm-3.
# dmsetup ls
mpathd (253, 4)
mpathep1
(253, 12)
mpathfp1
(253, 11)
mpathb (253, 3)
mpathgp1

(253, 14)

mpathhp1
(253, 13)
mpatha (253, 2)
mpathh
mpathg

(253, 9)
(253, 8)

VolGroup00-LogVol01

(253, 1)

mpathf (253, 7)
VolGroup00-LogVol00

(253, 0)

mpathe

(253, 6)

mpathbp1
mpathd

(253, 10)

(253, 5)

5.10.
multipathd

multipathd -k
multipathd.
multipath. help
91


(DM-Multipath)
, CTRL-D
.
multipathd
, . ,

multipath, , . IBM
3
"Tricks with Multipathd" .
# multipathd -k
> > show config
> > CTRL-D

multipath
multipath.conf.
# multipathd -k
> > reconfigure
> > CTRL-D

, ,
.
# multipathd -k
> > show paths
> > CTRL-D

stdin multipathd,
:
# echo 'show config' | multipathd -k

http://www-01.ibm.com/support/docview.wss?uid=isg3T1011985

92

6.

Linux.
:
OpenSSH Puppet.

93

1. OpenSSH
1.1.
Ubuntu Server

, OpenSSH.
,
OpenSSH, , Ubuntu.

OpenSSH

Secure Shell (SSH).
, , telnet rcp,
.
OpenSSH
,
, .
OpenSSH, sshd,
.
, sshd ,
. ,
ssh,
OpenSSH .
scp,
OpenSSH
. OpenSSH
, ,
Kerberos.

1.2.
OpenSSH .
OpenSSH Ubuntu
:
sudo apt-get install openssh-client

OpenSSH
:

94


sudo apt-get install openssh-server

openssh-server
Server Edition.

1.3.

OpenSSH, sshd, /etc/ssh/sshd_config.
,
,
, :
man sshd_config

sshd,
,
. ,
/etc/ssh/sshd_config.

.
, ,
.
/etc/ssh/sshd_config ,
:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
sudo chmod a-w /etc/ssh/sshd_config.original

,
:
OpenSSH TCP
2222, TCP 22, Port
:
Port 2222
sshd
, ,
:
PubkeyAuthentication yes
, , .
95


OpenSSH /etc/issue.net
,
:
Banner /etc/issue.net
/etc/ssh/sshd_config.
/etc/ssh/sshd_config, ,
,
sshd, :
sudo /etc/init.d/ssh restart

sshd
.

,
ssh, sshd /etc/ssh/
sshd_config, ,
. ,
, sshd
, ,
.

1.4. SSH
SSH
. SSH
: .
, :
ssh-keygen -t dsa

Digital Signature
Algorithm (DSA).
. Enter .
~/.ssh/id_dsa.pub,
~/.ssh/id_dsa. id_dsa.pub
~/.ssh/authorized_keys :
ssh-copy-id username@remotehost

96


authorized_keys.

. , :
chmod 600 .ssh/authorized_keys

SSH
.

1.5.
1

SSH Ubuntu Wiki .


OpenSSH

2
3

Wiki OpenSSH

https://help.ubuntu.com/community/SSH
http://www.openssh.org/
3
https://wiki.ubuntu.com/AdvancedOpenSSH
2

97

2. Puppet
Puppet ,

. :

. Puppet

,
. puppet
/.
Puppet
/. , Apache
Puppet.

2.1.
Puppet :
sudo apt-get install puppetmaster

( ), :
sudo apt-get install puppet

2.2.
puppet, , ,
DNS CNAME puppet.example.com, example.com .
Puppet DNS puppet.example.com
puppet (Puppet Master). 8,
(DNS) [158]
DNS.
DNS,
/etc/hosts . , /etc/hosts
Puppet :
127.0.0.1 localhost.localdomain localhost puppet
192.168.1.17 meercat02.example.com meercat02

Puppet :
192.168.1.16 meercat.example.com meercat puppet

98


IP-

.
apache2. /etc/
puppet/manifests/site.pp, :
package {
'apache2':
ensure => installed
}
service {
'apache2':
ensure => true,
enable => true,
require => Package['apache2']
}

/etc/puppet/manifests/nodes.pp :
node 'meercat02.example.com' {
include apache2
}

meercat02.example.com
Puppet.
Puppet
:
sudo /etc/init.d/puppetmaster restart

Puppet ,
.
Puppet . /etc/
default/puppet, START yes:
START=yes

:
sudo /etc/init.d/puppet start

Puppet
:
99

sudo puppetca --sign meercat02.example.com

/var/log/syslog -
. , apache2
Puppet.

Puppet.
2.3, [100].

2.3.
4

Puppet .
5

Pro Puppet .
Ubuntu Wiki
6
Puppet .

http://docs.puppetlabs.com/
http://www.apress.com/9781430230571
6
https://help.ubuntu.com/community/Puppet
5

100

3. Zentyal
Zentyal Linux- ,
(Gateway),
(Infrastructure Manager), (Unified Threat Manager),
(Office Server), (Unified Communication
Server) . ,
Zentyal, , .
,
, , . Zentyal
, GNU General Public License (GPL)
Ubuntu GNU/Linux.

Zentyal ( ),
-
. Redis , , ,
OpenLDAP .
-,
, .
Zentyal : ,

.

3.1.
Zentyal 2.3 Ubuntu 12.04 Universe.
:
zentyal-core zentyal-common: Zentyal
.
,
.
zentyal-network: .
( IP, DHCP, VLAN, PPPoE)
,
, ,
DNS.
zentyal-objects zentyal-services:
(, LAN 192.168.1.0/24)
(, HTTP 80/TCP).

101


zentyal-firewall: iptables
, (NAT)
.
zentyal-ntp: NTP,

.
zentyal-dhcp: ISC DHCP, ,
, NTP,
WINS, DNS
PXE.

zentyal-dns: DNS- ISC Bind9


,
DNS- (DNS forwarder)
(authoritative server) .
A, CNAME, MX, NS, TXT SRV.
zentyal-ca: Zentyal
,
, OpenVPN.
zentyal-openvpn: VPN
, OpenVPN
Quagga.
zentyal-users:
OpenLDAP. Zentyal
LDAP,
.
, Microsoft Active Directory.
zentyal-squid: Squid Dansguardian
.
zentyal-samba: Samba
LDAP.
,
.
zentyal-printers: CUPS Samba
,
LDAP.
Zentyal (
<zentyal-module
sudo apt-get install <zentyal-module>

102


Zentyal ( ),

Ubuntu LTS.
(, 2.2, 3.0), (2.1, 2.3). Ubuntu 12.04
Zentyal 2.3.
, Ubuntu 12.04,
7
Zentyal Team PPA .

, 2.3
Precise, .


8
PPA, (PPA) .
9

Zentyal Team PPA ,


Ubuntu Universe:

zentyal-antivirus: ClamAV
, ,
.
zentyal-asterisk: Asterisk
PBX (Private branch exchange, ) LDAP.
zentyal-bwmonitor:
.
zentyal-captiveportal: captive portal (
) (firewall),
LDAP.
zentyal-ebackup:
,
duplicity.
zentyal-ftp: FTP-
LDAP.
zentyal-ids: .
zentyal-ipsec: IPsec
OpenSwan.
zentyal-jabber: XMPP- ejabberd
LDAP.
7

https://launchpad.net/~zentyal/
https://help.ubuntu.com/12.04/ubuntu-help/addremove-ppa.html
9
https://launchpad.net/~zentyal/
8

103


zentyal-thinclients: (LTSP) ""
.
zentyal-mail: , Postfix Dovecot
LDAP.
zentyal-mailfilter: amavisd
.
zentyal-monitor: collectd

zentyal-pptp: PPTP VPN .


zentyal-radius: FreeRADIUS
LDAP.
zentyal-software:
Zentyal .
zentyal-trafficshaping:
.
zentyal-usercorner:
LDAP, -.
zentyal-virt:
libvirt.
zentyal-webmail: ,
- Roundcube.
zentyal-webserver: Apache
.
zentyal-zarafa: Zarafa
Zentyal LDAP.

3.2.
, sudo,
- Zentyal.
, ,
sudo .
sudo,
:
sudo adduser username sudo

- Zentyal https://
localhost/ ( IP- ). Zentyal
104


SSL,
.
, (dashboard)
.
, .
,
Save changes,

. ,
, Module Status
. ,

.
-
(

) , Zentyal,
Zentyal (hooks) /
etc/zentyal/hooks/<module>.<action>.

3.3.
Zentyal

10

Zentyal
12

11

,
, .

10

http://doc.zentyal.org/
http://trac.zentyal.org/wiki/Documentation
12
http://forum.zentyal.org/
11

105

7.

LDAP
.

106

1. OpenLDAP
Lightweight Directory Access Protocol (LDAP)
X.500, TCP/IP.
1
LDAP LDAPv3, RFC4510 ,
LDAP Ubuntu OpenLDAP, 2.4.25 (Oneiric) (2.4.28
Precise . ).
, LDAP.
:
LDAP ,
, (Directory
Information Tree, DIT).
.
(/) .

(objectClass).
(
).

(Distinguished Name, DN).
(RDN),
DN.
DN . .
, , and (node)
, ,
, .
, , 11 . DN
"cn=John Doe,dc=example,dc=com"; RDN "cn=John Doe";
DN "dc=example,dc=com".
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: john@example.com
manager: cn=Larry Smith,dc=example,dc=com
1

http://tools.ietf.org/html/rfc4510

107


objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

LDIF (LDAP Data Interchange Format,


LDAP). ,
DIT, .
2
RFC2849 .
,
, LDAP ,
,
(:) .
,
.

1.1.
OpenLDAP
LDAP. slapd ldap-utils, .
slapd . ,
,
. ( DN)
localhost.
- , /etc/hosts
. ,
dc=example,dc=com, :
127.0.1.1

hostname.example.com hostname

.

dc=example,dc=com.
:
sudo apt-get install slapd ldap-utils

Ubuntu 8.10 slapd ,


, DIT .
2

http://tools.ietf.org/html/rfc2849

108


slapd .
LDIF, /etc/ldap/slapd.d.
: slapd-config, RTC- ( Real Time
Configuration ) cn=config.

(slapd.conf), ;
.
Ubuntu slapd-config
slapd, .

. LDAP- rootDN
. DN :
cn=admin,dc=example,dc=com.
slapd-config
, ,
LDAP . ,
, .
(cosine, nis, inetorgperson)
slapd. (core) ,
.

1.2.
DIT. slapd-config
(dc=example,dc=com). :
, (DIT) slapd-config.
, LDIF /etc/ldap/slapd.d:

/etc/ldap/slapd.d/
cn=config

cn=module{0}.ldif

cn=schema

cn={0}core.ldif

cn={1}cosine.ldif

cn={2}nis.ldif
cn={3}inetorgperson.ldif

cn=schema.ldif

olcBackend={0}hdb.ldif

olcDatabase={0}config.ldif

olcDatabase={-1}frontend.ldif

109

olcDatabase={1}hdb.ldif
cn=config.ldif

slapd-config .
LDAP ().
, slapd-config LDAP :
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}hdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}hdb,cn=config

:
cn=config:
cn=module{0},cn=config:
cn=schema,cn=config:

cn={0}core,cn=schema,cn=config:
(core)
cn={1}cosine,cn=schema,cn=config: cosine
cn={2}nis,cn=schema,cn=config: nis
cn={3}inetorgperson,cn=schema,cn=config: inetorgperson
olcBackend={0}hdb,cn=config: 'hdb'
olcDatabase={-1}frontend,cn=config: ,

110


olcDatabase={0}config,cn=config: slapd
(cn=config)
olcDatabase={1}hdb,cn=config:
(dc=examle,dc=com)

dc=example,dc=com:
ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn
dn: dc=example,dc=com
dn: cn=admin,dc=example,dc=com

:
dc=example,dc=com: (DIT)
cn=admin,dc=example,dc=com: (rootDN)
( )

1.3. /
. :
(node) People ( )
Groups ( )
miners
john
LDIF add_content.ldif:
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups
dn: cn=miners,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: miners
gidNumber: 5000
dn: uid=john,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount

111


uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john

, uid gid
. ,
, , 5000. uid
gid ldap
, ldap.
.
:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_content.ldif
Enter LDAP Password: ********
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Groups,dc=example,dc=com"
adding new entry "cn=miners,ou=Groups,dc=example,dc=com"
adding new entry "uid=john,ou=People,dc=example,dc=com"


ldapsearch:
ldapsearch -x -LLL -b dc=example,dc=com 'uid=john' cn gidNumber
dn: uid=john,ou=People,dc=example,dc=com
cn: John Doe
gidNumber: 5000

:
-x: "" ; SASL

-LLL:
uid=john: john
112


cn gidNumber: (
)

1.4. slapd
(DIT) slapd-config .
.
ldapmodify ( DbIndex)
{1}hdb,cn=config (dc=example,dc=com).
uid_index.ldif :
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: uid eq,pres,sub

:
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f uid_index.ldif
modifying entry "olcDatabase={1}hdb,cn=config"

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \ cn=config '(olcDatabase={1}hdb)' olcDbIndex


dn: olcDatabase={1}hdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: uid eq,pres,sub

.
LDIF.
/etc/ldap/schema.
slapd-config .
.
,
( ,
" "):
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \ cn=schema,cn=config dn
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config

113

dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config

CORBA.
1.

schema_convert.conf,
:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/ldapns.schema
include /etc/ldap/schema/pmi.schema

2.

ldif_output.

3.

:
slapcat -f schema_convert.conf -F ldif_output -n 0 | grep corba,cn=schema
cn={1}corba,cn=schema,cn=config

slapd DN,
.
: {X}.
4.

slapcat :

slapcat -f schema_convert.conf -F ldif_output -n0 -H \ ldap:///cn={1}corba,cn=schema,cn=confi

() cn=corba.ldif
5.

cn=corba.ldif :
dn: cn=corba,cn=schema,cn=config
...

114


cn: corba

:
structuralObjectClass: olcSchemaConfig
entryUUID: 52109a02-66ab-1030-8be2-bbf166230478
creatorsName: cn=config
createTimestamp: 20110829165435Z
entryCSN: 20110829165435.935248Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110829165435Z

.
6.

, ldapadd
slapd-config:
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\=corba.ldif
adding new entry "cn=corba,cn=schema,cn=config"

7.

:
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: cn={4}corba,cn=schema,cn=config

LDAP
, .
.

1.5.
slapd ,
OpenLDAP,
.
115


. , slapd,
slapd-config.
OpenLDAP ()

,
(). ,
3
stats. slapd-config
.
logging.ldif :
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: stats

:
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif


.

(rsyslog) ,
:
rsyslogd-2177: imuxsock lost 228 messages from pid 2547 due to rate-limiting

rsyslog. /etc/rsyslog.conf
:
# Disable rate limiting
# (default is 200 messages in 5 seconds; below we make the 5 become 0)
$SystemLogRateLimitInterval 0

rsyslog:
sudo service rsyslog restart

1.6.
LDAP ,
.
3

http://manpages.ubuntu.com/manpages/en/man5/slapd-config.5.html

116


( )
LDAP , .
LDAP.
Syncrepl.
- .
,
, : refreshAndPersist
delta-syncrepl.
, ,
, .
1.6.1.
.
1.

LDIF
provider_sync.ldif:
# Add indexes to the frontend db.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
add: olcDbIndex
olcDbIndex: entryUUID eq
#Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
add: olcModuleLoad
olcModuleLoad: accesslog
# Accesslog database definitions
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=example,dc=com
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
# Accesslog db syncprov.

117


dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE
# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00

rootDN LDIF .
2.

apparmor slapd
accesslog. /etc/apparmor.d/local/
usr.sbin.slapd, :
/var/lib/ldap/accesslog/ r,
/var/lib/ldap/accesslog/** rwk,

,
apparmor:
sudo -u openldap mkdir /var/lib/ldap/accesslog
sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog
sudo service apparmor reload

3.

, apparmor,
:
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif
sudo service slapd restart

.
118


1.6.2.
.
1.

1.1,
[108]. , slapd-config
. ,
.

2.

LDIF
consumer_sync.ldif:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
add: olcSyncRepl

olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple binddn="cn=admin,dc=exa


credentials=secret searchbase="dc=example,dc=com" logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on
type=refreshAndPersist retry="60 +" syncdata=accesslog
add: olcUpdateRef
olcUpdateRef: ldap://ldap01.example.com

, :
provider (hostname IP)
binddn (DN , )
credentials ( DN , )
searchbase ( , )
olcUpdateRef (hostname IP )
rid (Replica ID, ,
. rid)
3.

:
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif

! (: dc=example,dc=com)
.
119


1.6.3.
, :
ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -s base contextCSN
dn: dc=example,dc=com
contextCSN: 20120201193408.178454Z#000000#000#000000

, .
(20120201193408.178454Z#000000#000#000000 )
, . ,
,
.
/ LDAP ,
contextCSN
. , ,
contextCSN .
contextCSN
,
. slapd (syslog
) ,

(
ldapsearch).
, , DN
:
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b dc=example,dc=com dn

'john' 'miners',
'People' 'Groups'.

1.7.
, (, .)
, .

(access control lists, ACL).
slapd, ACL
.
120


, , , ACL
.
ACL LDAP
ACL
.
ACL, , ,
.
ACL
ACL.
ACL hdb ("dc=example,dc=com")
:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \ cn=config '(olcDatabase={1}hdb)' olcAccess


dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous
auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by *
read

rootDN .
ACL ,
slapd.

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \ cn=config '(olcDatabase={-1}frontend)' olcAcc


dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,
cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read

ACL :
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous
auth by dn="cn=admin,dc=example,dc=com" write by * none

- :
to attrs=userPassword
by self write
by anonymous auth
by dn="cn=admin,dc=example,dc=com" write

121


by * none
to attrs=shadowLastChange
by self write
by anonymous auth
by dn="cn=admin,dc=example,dc=com" write
by * none

ACL ( ) :
'auth' userPassword
. counterintuitively 'by anonymous auth' DIT
. ,
(. ).
,
( 'by self write') userPassword.
userPassword
rootDN, .

,
passwd , shadowLastChange
.
DIT - 'by * read'
ACL:
to *
by self write
by dn="cn=admin,dc=example,dc=com" write
by * read

, ACL.
(bind)
( ACL)
'olcRequire: authc'.
, slapd-config
.
SASL, .
localhost (root/sudo). :
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

ACL slapd-config:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \ cn=config '(olcDatabase={0}config)' olcAccess

122

dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,
cn=external,cn=auth manage by * break

SASL , SASL,
LDAP ,
. (EXTERNAL) .
. :
1.

sudo root, ACL


.

2.

EXTERNAL IPC ( UNIX).


, ldapi (URI).

ACL :

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \ cn=config '(olcAccess=*)' olcAccess olcSuffix

.
4
slapd.access .

1.8. TLS
OpenLDAP ,
, .
(TLS).
(Certificate
Authority CA)
LDAP CA. slapd
gnutls,
certtool.
1.

gnutls-bin ssl-cert:
sudo apt-get install gnutls-bin ssl-cert

2.


sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"

3.

/etc/ssl/ca.info CA:
cn = Example Company

http://manpages.ubuntu.com/manpages/en/man5/slapd.access.5.html

123


ca
cert_signing_key

4.

sudo certtool --generate-self-signed \ --load-privkey /etc/ssl/private/cakey.pem \ --template /

5.

sudo certtool --generate-privkey \ --bits 1024 \ --outfile /etc/ssl/private/ldap01_slapd_key.pe

ldap01
(hostname). ,
,
.
6.

/etc/ssl/ldap01.info, :
organization = Example Company
cn = ldap01.example.com
tls_www_server
encryption_key
signing_key
expiration_days = 3650

10 .
.
7.

sudo certtool --generate-certificate \ --load-privkey /etc/ssl/private/ldap01_slapd_key.pem \ -

certinfo.ldif (
, https://www.cacert.org):
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem

ldapmodify, slapd
TLS slapd-config:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif

124


,
ldaps:// /etc/default/slapd .
:
SLAPD_SERVICES="ldap:/// ldapi:///"

LDAP TLS/SSL (ldaps://) StartTLS.


LDAP
( TCP 389), TLS/SSL
LDAPS, HTTPS, -- , TCP 636.
:
sudo adduser openldap ssl-cert
sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem
sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem
sudo chmod o-r /etc/ssl/private/ldap01_slapd_key.pem

OpenLDAP:
sudo service slapd restart

(/var/log/syslog), ,
.

1.9. TLS
,
(StartTLS)
.
, .
TLS-.
,
1.6, [116]
TLS ,
1.8, TLS [123].
, ( )
LDAP. TLS
, .
. ,

.
125


,
.
1.

:
(
) :
mkdir ldap02-ssl
cd ldap02-ssl
sudo certtool --generate-privkey \ --bits 1024 \ --outfile ldap02_slapd_key.pem

ldap02.info ;
:
organization = Example Company
cn = ldap02.example.com
tls_www_server
encryption_key
signing_key
expiration_days = 3650

sudo certtool --generate-certificate \ --load-privkey ldap02_slapd_key.pem \ --load-ca-certific

CA:
cp /etc/ssl/certs/cacert.pem .

. ldap02-ssl .
scp ( ):
cd ..
scp -r ldap02-ssl user@consumer:

2.

:
TLS-:
sudo apt-get install ssl-cert
sudo adduser openldap ssl-cert
sudo cp ldap02_slapd_cert.pem cacert.pem /etc/ssl/certs
sudo cp ldap02_slapd_key.pem /etc/ssl/private
sudo chgrp ssl-cert /etc/ssl/private/ldap02_slapd_key.pem
sudo chmod g+r /etc/ssl/private/ldap02_slapd_key.pem
sudo chmod o-r /etc/ssl/private/ldap02_slapd_key.pem

126


/etc/ssl/certinfo.ldif
( ):
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap02_slapd_cert.pem
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem

slapd-config:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif

/etc/default/slapd (SLAPD_SERVICES).
3.

:
TLS .
olcSyncrepl TLS .
, .
consumer_sync_tls.ldif :
dn: olcDatabase={1}hdb,cn=config
replace: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple
binddn="cn=admin,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com"
logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
starttls=critical tls_reqcert=demand

, ,
StartTLS CA
. LDIF
('replace').
:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer_sync_tls.ldif

slapd:

127


sudo service slapd restart

4.

:
, TLS . /var/log/syslog,
'conns',
:
slapd[3620]: conn=1047 fd=20 ACCEPT from IP=10.153.107.229:57922 (IP=0.0.0.0:389)
slapd[3620]:
slapd[3620]:
slapd[3620]:
slapd[3620]:

conn=1047
conn=1047
conn=1047
conn=1047

op=0 EXT oid=1.3.6.1.4.1.1466.20037


op=0 STARTTLS
op=0 RESULT oid= err=0 text=
fd=20 TLS established tls_ssf=128 ssf=128

slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" method=128


slapd[3620]: conn=1047 op=1 BIND dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
slapd[3620]: conn=1047 op=1 RESULT tag=97 err=0 text

1.10. LDAP
LDAP ,
, ,
() . Ubuntu
libnss-ldap ,
.
:
sudo apt-get install libnss-ldap

LDAP .
, , :
sudo dpkg-reconfigure ldap-auth-config

/etc/ldap.conf.
, , .
LDAP NSS:
sudo auth-client-config -t nss -p lac_ldap

LDAP :
sudo pam-auth-update

, LDAP ,
.
128


,
LDAP.
LDAP ,

. /etc/ldap.conf - :
uri ldap://ldap01.example.com ldap://ldap02.example.com


(ldap02), (ldap01) .
LDAP
SAMBA, SAMBA LDAP.
2, Samba LDAP [135] .
libnss-ldap libnss-ldapd.
nscd, , , .
.

1.11.
ldap-utils
,
. ldapscripts
(wrapper scripts) ,
.
:
sudo apt-get install ldapscripts

/etc/ldapscripts/ldapscripts.conf,
- :
SERVER=localhost
BINDDN='cn=admin,dc=example,dc=com'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=example,dc=com'
GSUFFIX='ou=Groups'
USUFFIX='ou=People'
MSUFFIX='ou=Computers'
GIDSTART=10000
UIDSTART=10000
MIDSTART=10000

ldapscripts.passwd
:
129

sudo sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd"


sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd

secret rootDN
.
.
:
:
sudo ldapadduser george example

uid george gid example


.
:
sudo ldapsetpasswd george
Changing password for user uid=george,ou=People,dc=example,dc=com
New Password:
New Password (verify):

:
sudo ldapdeleteuser george

:
sudo ldapaddgroup qa

:
sudo ldapdeletegroup qa

:
sudo ldapaddusertogroup george qa

memberUid qa
george.
:
sudo ldapdeleteuserfromgroup george qa

memberUid qa.
130


ldapmodifyuser ,
. ,
ldapmodify. :
sudo ldapmodifyuser george
# About to modify the following entry :
dn: uid=george,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
cn: george
uid: george
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/george
loginShell: /bin/bash
gecos: george
description: User account
userPassword:: e1NTSEF9eXFsTFcyWlhwWkF1eGUybVdFWHZKRzJVMjFTSG9vcHk=
# Enter your modifications here, end with CTRL-D.
dn: uid=george,ou=People,dc=example,dc=com
replace: gecos
gecos: George Carlin

gecos George Carlin.


ldapscripts .
,
. ,
, /etc/ldapscripts/ldapscripts.conf, :
UTEMPLATE="/etc/ldapscripts/ldapadduser.template"

/etc/ldapscripts .
ldapadduser.template.sample /etc/ldapscripts/
ldapadduser.template:

sudo cp /usr/share/doc/ldapscripts/examples/ldapadduser.template.sample \ /etc/ldapscripts/ldapad

.

inetOrgPerson:
dn: uid=<user>,<usuffix>,<suffix>
objectClass: inetOrgPerson
objectClass: posixAccount
cn: <user>
sn: <ask>

131


uid: <user>
uidNumber: <uid>
gidNumber: <gid>
homeDirectory: <home>
loginShell: <shell>
gecos: <user>
description: User account
title: Employee

<ask>, sn.
ldapadduser .
, .
:
5

ldaprenamemachine
6
ldapadduser
7
ldapdeleteuserfromgroup
8

ldapfinger
9
ldapid
10

ldapgid
11
ldapmodifyuser
12

ldaprenameuser
13

lsldap
14
ldapaddusertogroup
15

ldapsetpasswd
16
ldapinit

17

ldapaddgroup

18

ldapdeletegroup
19
ldapmodifygroup

20

ldapdeletemachine
21
ldaprenamegroup
22

ldapaddmachine

http://manpages.ubuntu.com/manpages/en/man1/ldaprenamemachine.1.html
http://manpages.ubuntu.com/manpages/en/man1/ldapadduser.1.html
7
http://manpages.ubuntu.com/manpages/en/man1/ldapdeleteuserfromgroup.1.html
8
http://manpages.ubuntu.com/manpages/en/man1/ldapfinger.1.html
9
http://manpages.ubuntu.com/manpages/en/man1/ldapid.1.html
10
http://manpages.ubuntu.com/manpages/en/man1/ldapgid.1.html
11
http://manpages.ubuntu.com/manpages/en/man1/ldapmodifyuser.1.html
12
http://manpages.ubuntu.com/manpages/en/man1/ldaprenameuser.1.html
13
http://manpages.ubuntu.com/manpages/en/man1/lsldap.1.html
14
http://manpages.ubuntu.com/manpages/en/man1/ldapaddusertogroup.1.html
15
http://manpages.ubuntu.com/manpages/en/man1/ldapsetpasswd.1.html
16
http://manpages.ubuntu.com/manpages/en/man1/ldapinit.1.html
17
http://manpages.ubuntu.com/manpages/en/man1/ldapaddgroup.1.html
18
http://manpages.ubuntu.com/manpages/en/man1/ldapdeletegroup.1.html
19
http://manpages.ubuntu.com/manpages/en/man1/ldapmodifygroup.1.html
20
http://manpages.ubuntu.com/manpages/en/man1/ldapdeletemachine.1.html
21
http://manpages.ubuntu.com/manpages/en/man1/ldaprenamegroup.1.html
22
http://manpages.ubuntu.com/manpages/en/man1/ldapaddmachine.1.html
6

132


23

ldapmodifymachine
24
ldapsetprimarygroup
25

ldapdeleteuser

1.12.
, .
:
,
ldap, (cn=config)
(dc=example,dc=com). , ,
/export/backup, slapcat
/usr/local/bin/ldapbackup:
#!/bin/bash
BACKUP_PATH=/export/backup
SLAPCAT=/usr/sbin/slapcat
nice ${SLAPCAT} -n 0 > ${BACKUP_PATH}/config.ldif
nice ${SLAPCAT} -n 1 > ${BACKUP_PATH}/example.com.ldif
nice ${SLAPCAT} -n 2 > ${BACKUP_PATH}/access.ldif
chmod 640 ${BACKUP_PATH}/*.ldif

,
ldap , ,
. /export/backup

.
, .
cron
, .
. .
cron, /etc/cron.d/ldapbackup,
22:45:
MAILTO=backup-emails@domain.com
45 22 * * *

root

/usr/local/bin/ldapbackup

.
23

http://manpages.ubuntu.com/manpages/en/man1/ldapmodifymachine.1.html
http://manpages.ubuntu.com/manpages/en/man1/ldapsetprimarygroup.1.html
25
http://manpages.ubuntu.com/manpages/en/man1/ldapdeleteuser.1.html
24

133


ldap;
: sudo service slapd stop
sudo service slapd stop
sudo mkdir /var/lib/ldap/accesslog
sudo slapadd -F /etc/ldap/slapd.d -n 0 -l /export/backup/config.ldif
sudo
sudo
sudo
sudo

slapadd -F /etc/ldap/slapd.d -n 1 -l /export/backup/domain.com.ldif


slapadd -F /etc/ldap/slapd.d -n 2 -l /export/backup/access.ldif
chown -R openldap:openldap /etc/ldap/slapd.d/
chown -R openldap:openldap /var/lib/ldap/

sudo service slapd start

1.13.
: www.openldap.org

26

slapd.
,
:
27

slapd

28

slapd-config

29

slapd.access
30
slapo-syncprov

man-:
31

auth-client-config
32

pam-auth-update

33

LDAP for Rocket Scientists Zytrax; ,


LDAP.
OpenLDAP wiki

34

Ubuntu .

LDAP System Administration


36

Mastering OpenLDAP

26
27
28
29
30
31
32
33
34
35
36

35

O'Reilly (, 2003)

Packt (, 2007)

http://www.openldap.org/
http://manpages.ubuntu.com/manpages/en/man8/slapd.8.html
http://manpages.ubuntu.com/manpages/en/man5/slapd-config.5.html
http://manpages.ubuntu.com/manpages/en/man5/slapd.access.5.html
http://manpages.ubuntu.com/manpages/en/man5/slapo-syncprov.5.html
http://manpages.ubuntu.com/manpages/en/man8/auth-client-config.8.html
http://manpages.ubuntu.com/manpages/en/man8/pam-auth-update.8.html
http://www.zytrax.com/books/ldap/
https://help.ubuntu.com/community/OpenLDAPServer
http://www.oreilly.com/catalog/ldapsa/
http://www.packtpub.com/OpenLDAP-Developers-Server-Open-Source-Linux/book

134

2. Samba LDAP
Samba LDAP.
Samba , LDAP
,

( 3 ).
OpenLDAP ,
.
1, OpenLDAP [107].
,
Samba, .

2.1.
Samba LDAP : samba, samba-doc
smbldap-tools.
, smbldap-tools , ,
Samba
(, , ) LDAP,
.
:
sudo apt-get install samba samba-doc smbldap-tools

2.2. LDAP
LDAP-, Samba.
:
1.

2.

3.

2.2.1. Samba
OpenLDAP Samba,
(DIT) ,
Samba.
Samba LDAP. .

1.4, slapd [113].
135


1.

samba-doc.
/etc/ldap/schema:
sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema
sudo gzip -d /etc/ldap/schema/samba.schema.gz

2.

schema_convert.conf,
:
include
include
include
include

/etc/ldap/schema/core.schema
/etc/ldap/schema/collective.schema
/etc/ldap/schema/corba.schema
/etc/ldap/schema/cosine.schema

include
include
include
include

/etc/ldap/schema/duaconf.schema
/etc/ldap/schema/dyngroup.schema
/etc/ldap/schema/inetorgperson.schema
/etc/ldap/schema/java.schema

include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/ldapns.schema
include /etc/ldap/schema/pmi.schema
include /etc/ldap/schema/samba.schema

3.

ldif_output .

4.

:
slapcat -f schema_convert.conf -F ldif_output -n 0 | grep samba,cn=schema
dn: cn={14}samba,cn=schema,cn=config

5.

LDIF:

slapcat -f schema_convert.conf -F ldif_output -n0 -H \ ldap:///cn={14}samba,cn=schema,cn=config

6.

cn=samba.ldif,
, :
dn: cn=samba,cn=schema,cn=config
...
cn: samba

:
structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config

136


createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z

.
7.

:
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\=samba.ldif

:
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'cn=*samba*'

2.2.2. Samba
, slapd Samba,
.
,
(DIT).
samba_indices.ldif :
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub

ldapmodify :
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif

, ,
ldapsearch:
sudo ldapsearch -Q -LLL -Y EXTERNAL -H \ ldapi:/// -b cn=config olcDatabase={1}hdb olcDbIndex

137


2.2.3. Samba LDAP
smbldap-tools
. ,
.
:
sudo gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
sudo perl /usr/share/doc/smbldap-tools/configure.pl

strict pragma
configure.pl.
, ,
/etc/smbldap-tools/smbldap.conf /etc/smbldap-tools/smbldap_bind.conf.
- ,
.
smbldap-populate LDAP,
Samba.
slapcat:
sudo slapcat -l backup.ldif

, :
sudo smbldap-populate

LDIF, Samba,
sudo smbldap-populate -e samba.ldif.
, , .
, '-e'.
LDIF .
LDAP
Samba.

2.3. Samba
Samba.
18,
Windows [320]. Samba
LDAP, /etc/samba/smb.conf,
passdb backend
, LDAP:
138

passdb backend = tdbsam

# LDAP Settings
passdb backend = ldapsam:ldap://hostname
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap
ldap
ldap
ldap

machine suffix = ou=Computers


idmap suffix = ou=Idmap
admin dn = cn=admin,dc=example,dc=com
ssl = start tls

ldap passwd sync = yes


...
add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"

.
samba, :
sudo restart smbd
sudo restart nmbd

Samba rootDN (
slapd):
sudo smbpasswd -w password

LDAP,
Samba,
. smbpasswd
( ()
NSS;
libnss-ldapd libnss-ldap):
sudo smbpasswd -a username

.
. ,
.
,
, smbldaptools. :
:
sudo smbldap-useradd -a -P username

139


-a Samba, -P smbldappasswd, ,
.
:
sudo smbldap-userdel username

-r
.
:
sudo smbldap-groupadd -a groupname

smbldap-useradd, -a Samba.
:
sudo smbldap-groupmod -m username groupname

-m ,
.
:
sudo smbldap-groupmod -x username groupname

Samba :
sudo smbldap-useradd -t 0 -w username

username . -t 0
, -w
. ,
add machine script /etc/samba/smb.conf ,
smbldap-useradd.
smbldap-tools , .
:
37

smbldap-groupadd

38

smbldap-groupdel

39

smbldap-groupmod

37

http://manpages.ubuntu.com/manpages/en/man8/smbldap-groupadd.8.html
http://manpages.ubuntu.com/manpages/en/man8/smbldap-groupdel.8.html
39
http://manpages.ubuntu.com/manpages/en/man8/smbldap-groupmod.8.html
38

140


40

smbldap-groupshow
41
smbldap-passwd

42

smbldap-populate

43

smbldap-useradd
44
smbldap-userdel

45

smbldap-userinfo
46
smbldap-userlist
47
smbldap-usermod
48

smbldap-usershow

2.4.

Samba 18,
Windows [320] .
, LDAP Samba
49
Samba HOWTO Collection .
50

, passdb section .
(2007 ), Linux Samba-OpenLDAP HOWTO
.
52

51

Samba Ubuntu community documentation


, .

40
41
42
43
44
45
46
47
48
49
50
51
52

http://manpages.ubuntu.com/manpages/en/man8/smbldap-groupshow.8.html
http://manpages.ubuntu.com/manpages/en/man8/smbldap-passwd.8.html
http://manpages.ubuntu.com/manpages/en/man8/smbldap-populate.8.html
http://manpages.ubuntu.com/manpages/en/man8/smbldap-useradd.8.html
http://manpages.ubuntu.com/manpages/en/man8/smbldap-userdel.8.html
http://manpages.ubuntu.com/manpages/en/man8/smbldap-userinfo.8.html
http://manpages.ubuntu.com/manpages/en/man8/smbldap-userlist.8.html
http://manpages.ubuntu.com/manpages/en/man8/smbldap-usermod.8.html
http://manpages.ubuntu.com/manpages/en/man8/smbldap-usershow.8.html
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html
http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/
https://help.ubuntu.com/community/Samba#samba-ldap

141

3. Kerberos
Kerberos ,
.
, .
Kerberos, , ,
(Single Sign On SSO).
Kerberos,
.

3.1.
Kerberos,
.
(Principal): , ,
, ,
Kerberos.

(Instances):
.
(Realms): ,
Kerberos.
, .
Ubuntu DNS (EXAMPLE.COM)
.
(KDC): :
,
.
KDC.
(TGT): ,
TGT ,
KDC.

(TGS):
.
(Tickets): .
, ,
. ,

.
(Keytab Files): ,
KDC
.
142


: KDC,
,
.
, Kerberos
, KDC (TGT).
,
,
Kerberos, (TGS).

.

3.2. Kerberos
3.2.1.
Kerberos

(MIT), MIT Kerberos.


(. ). MIT Kerberos
( ):
Realm: EXAMPLE.COM
Primary KDC: kdc01.example.com (192.168.0.1)
Secondary KDC: kdc02.example.com (192.168.0.2)
: steve
: steve/admin
,
uid
(, 5000).
Kerberos DNS-

. Kerberos
, EXAMPLE.COM,
Primary Master 2.3,
[161].
, Kerberos , .

5 ( ),
.
Network Time Protocol
(NTP). NTP 4,
NTP [57].
143


Kerberos krb5kdc krb5-admin-server. :
sudo apt-get install krb5-kdc krb5-admin-server

Kerberos
,
.
KDC.
kdb5_newrealm:
sudo krb5_newrealm

3.2.2.
, ,
/etc/krb5.conf.
KDC, krb5-kdc.
Kerberos , ,
, , :
sudo dpkg-reconfigure krb5-kdc

1.

KDC ,
.
,
. kadmin.local
:
sudo kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc steve/admin
WARNING: no policy specified for steve/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "steve/admin@EXAMPLE.COM":
Re-enter password for principal "steve/admin@EXAMPLE.COM":
Principal "steve/admin@EXAMPLE.COM" created.
kadmin.local: quit

steve , /admin ,
@EXAMPLE.COM . "" ,
steve@EXAMPLE.COM;
.
144


EXAMPLE.COM steve
.
2.

, -
ACL. /
etc/krb5kdc/kadm5.acl:
steve/admin@EXAMPLE.COM

steve/admin
.
,
,
, Kerberos.
, (man) kadm5.acl.
3.

krb5-admin-server, ACL:
sudo /etc/init.d/krb5-admin-server restart

4.


kinit:
kinit steve/admin
steve/admin@EXAMPLE.COM's Password:

klist,
(TGT):
klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: steve/admin@EXAMPLE.COM
Issued

Expires

Jul 13 17:53:34

Jul 14 03:53:34

Principal
krbtgt/EXAMPLE.COM@EXAMPLE.COM

krb5cc_1000 krb5cc_
(UID), 1000.
/etc/hosts KDC,
. :
192.168.0.1

kdc01.example.com

kdc01

192.168.0.1 IP- KDC. ,


Kerberos ,
.

145


5.

KDC
SRV- DNS.
/etc/named/db.example.com:
_kerberos._udp.EXAMPLE.COM.

IN SRV 1

0 88

kdc01.example.com.

_kerberos._tcp.EXAMPLE.COM.
_kerberos._udp.EXAMPLE.COM.

IN SRV 1 0 88
IN SRV 10 0 88

kdc01.example.com.
kdc02.example.com.

_kerberos._tcp.EXAMPLE.COM.
IN SRV 10 0 88 kdc02.example.com.
_kerberos-adm._tcp.EXAMPLE.COM. IN SRV 1 0 749 kdc01.example.com.
_kpasswd._udp.EXAMPLE.COM.
IN SRV 1 0 464 kdc01.example.com.

EXAMPLE.COM, kdc01, kdc02 ,


KDC
8, (DNS) [158]
DNS.
Kerberos .

3.3. KDC
(KDC) ,
KDC ,
. ,
Kerberos (
, NAT),
KDC .
1.

Kerberos
KDC:
sudo apt-get install krb5-kdc krb5-admin-server

2.

,
KDC. :
kadmin -q "addprinc -randkey host/kdc02.example.com"

, kadmin,
username/
admin@EXAMPLE.COM.
3.

keytab:
kadmin -q "ktadd -norandkey -k keytab.kdc02 host/kdc02.example.com"

4.

keytab.kdc02, /
etc/krb5.keytab:

146

sudo mv keytab.kdc02 /etc/krb5.keytab

keytab.kdc02 , .
keytab,
,
klist:
sudo klist -k /etc/krb5.keytab

-k , keytab .
5.

KDC kpropd.acl,
KDC .
KDC /etc/krb5kdc/kpropd.acl:
host/kdc01.example.com@EXAMPLE.COM
host/kdc02.example.com@EXAMPLE.COM

6.

KDC:
sudo kdb5_util -s create

7.

kpropd,
kprop. kprop
:
sudo kpropd -S

8.

KDC
:
sudo kdb5_util dump /var/lib/krb5kdc/dump

9.

keytab KDC /etc/


krb5.keytab:
kadmin -q "ktadd -k keytab.kdc01 host/kdc01.example.com"
sudo mv keytab.kdc01 /etc/krb5.keytab

, host kdc01.example.com,
Keytab.
10. kprop, KDC:
sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com

147


SUCCEEDED,
.
, /var/log/syslog KDC
.
cron
KDC. ,
( ,
):
# m h dom mon dow
command
0 * * * * /usr/sbin/kdb5_util dump /var/lib/krb5kdc/dump &&
/usr/sbin/kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com

11. Secondary KDC, stash (stash)


Kerberos master key ( Kerberos):
sudo kdb5_util stash

12. krb5-kdc KDC:


sudo /etc/init.d/krb5-kdc start

KDC
. , krb5kdc KDC kinit
, KDC.
/var/log/syslog /var/log/auth.log KDC.

3.4. Kerberos Linux


Kerberos Linux.
,
.
3.4.1.
Kerberos, krb5user libpam-krb5, ,
, .
:
sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config

auth-client-config PAM
, libpam-ccreds

148


, ,
(KDC) .
,
Kerberos ,
.
3.4.2.
:
sudo dpkg-reconfigure krb5-config

Kerberos. , DNS Kerberos SRV,


(KDC)
.
dpkg-reconfigure /etc/krb5.conf .
, :
[libdefaults]
default_realm = EXAMPLE.COM
...
[realms]
EXAMPLE.COM = }
kdc = 192.168.0.1
admin_server = 192.168.0.1
}

uid
5000,
3.2.1, [143], pam
Kerberos uid
> 5000:

# Kerberos should only be applied to ldap/kerberos users, not local ones. for i in common-a

()
Kerberos
passwd.
kinit.
:
kinit steve@EXAMPLE.COM
Password for steve@EXAMPLE.COM:

149


, klist:
klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: steve@EXAMPLE.COM
Valid starting

Expires

Service principal

07/24/08 05:18:56 07/24/08 15:18:56 krbtgt/EXAMPLE.COM@EXAMPLE.COM


renew until 07/25/08 05:18:57

Kerberos 4 ticket cache: /tmp/tkt1000


klist: You have no tickets cached

auth-client-config libpam-krb5
:
sudo auth-client-config -a -p kerberos_example

3.5.
MIT Kerberos
53
MIT Kerberos .
54

Ubuntu Wiki Kerberos

55

O'Reilly

Kerberos: The Definitive Guide


Kerberos.

56

IRC- #ubuntu-server #kerberos Freenode ,


Kerberos.

53

http://web.mit.edu/Kerberos/
https://help.ubuntu.com/community/Kerberos
55
http://oreilly.com/catalog/9780596004033/
56
http://freenode.net/
54

150

4. Kerberos LDAP
Kerberos ;
(Kerberos),
().
, LDAP.
() Kerberos

. , MIT
Kerberos LDAP
.
Kerberos
OpenLDAP .
MIT
Kerberos OpenLDAP.

4.1. OpenLDAP
, schema OpenLDAP ,
KDC.
,
LDAP, , .
OpenLDAP 1, OpenLDAP [107].
OpenLDAP TLS SSL-,
KDC LDAP .
1.8, TLS [123] .
,
ldap. RootDN.
.
cn=admin,cn=config

LDAP, LDAP krb5-kdcldap. :


sudo apt-get install krb5-kdc-ldap

kerberos.schema.gz:
sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz
sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/

151


kerberos cn=config.
slapd 1.4,
slapd [113].
1.

schema_convert.conf
, :
include
include
include
include
include

/etc/ldap/schema/core.schema
/etc/ldap/schema/collective.schema
/etc/ldap/schema/corba.schema
/etc/ldap/schema/cosine.schema
/etc/ldap/schema/duaconf.schema

include
include
include
include
include

/etc/ldap/schema/dyngroup.schema
/etc/ldap/schema/inetorgperson.schema
/etc/ldap/schema/java.schema
/etc/ldap/schema/misc.schema
/etc/ldap/schema/nis.schema

include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/kerberos.schema

2.

LDIF :
mkdir /tmp/ldif_output

3.

slapcat :

slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s \ "cn={12}kerberos,cn=schema,cn=con


, .
4.

/tmp/cn\=kerberos.ldif,
:
dn: cn=kerberos,cn=schema,cn=config
...
cn: kerberos

:
structuralObjectClass: olcSchemaConfig
entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc
creatorsName: cn=config
createTimestamp: 20090111203515Z
entryCSN: 20090111203515.326445Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111203515Z

152


, ,
.
5.

ldapadd:
ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\=kerberos.ldif

6.

krb5principalname:
ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub
modifying entry "olcDatabase={1}hdb,cn=config"

7.

(ACL):
ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by
dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
add: olcAccess
olcAccess: to dn.base="" by * read
add: olcAccess
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read
modifying entry "olcDatabase={1}hdb,cn=config"

, LDAP
Kerberos.

4.2. KDC
OpenLDAP KDC.
, :
sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap

/etc/krb5.conf,
:
[libdefaults]

153


default_realm = EXAMPLE.COM
...
[realms]
EXAMPLE.COM = {
kdc = kdc01.example.com
kdc = kdc02.example.com
admin_server = kdc01.example.com
admin_server = kdc02.example.com
default_domain = example.com
database_module = openldap_ldapconf
}
...
[domain_realm]
.example.com = EXAMPLE.COM

...
[dbdefaults]
ldap_kerberos_container_dn = dc=example,dc=com
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kdc_dn = "cn=admin,dc=example,dc=com"
# this object needs to have read rights on
# the realm container, principal container and realm sub-trees
ldap_kadmind_dn = "cn=admin,dc=example,dc=com"
# this object needs to have read and write rights on
# the realm container, principal container and realm sub-trees
ldap_service_password_file = /etc/krb5kdc/service.keyfile
ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
ldap_conns_per_server = 5
}

example.com, dc=example,dc=com,
cn=admin,dc=example,dc=com, ldap01.example.com
, LDAP LDAP .
kdb5_ldap_util :

sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees \ dc=example,dc=com -r EXAMPLE

, LDAP. ldap_kdc_dn ldap_kadmin_dn


/etc/krb5.conf:
154

sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f \ /etc/krb5kdc/service.keyfile cn

CA LDAP:
scp ldap01:/etc/ssl/certs/cacert.pem .
sudo cp cacert.pem /etc/ssl/certs

/etc/ldap/ldap.conf :
TLS_CACERT /etc/ssl/certs/cacert.pem

KDC,
LDAP- LDAPS.
Kerberos LDAP,
LDAP-, .
kadmin.local
:
sudo kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:

addprinc -x dn="uid=steve,ou=people,dc=example,dc=com" steve

WARNING: no policy specified for steve@EXAMPLE.COM; defaulting to no policy


Enter password for principal "steve@EXAMPLE.COM":
Re-enter password for principal "steve@EXAMPLE.COM":
Principal "steve@EXAMPLE.COM" created.

krbPrincipalName, krbPrincipalKey,
krbLastPwdChange krbExtraData
uid=steve,ou=people,dc=example,dc=com. kinit klist
, .
, -x dn="..."
Kerberos.
.

4.3. KDC
KDC LDAP
Kerberos.
1.

-, . :
sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap

2.

/etc/krb5.conf LDAP:
155

[libdefaults]
default_realm = EXAMPLE.COM
...
[realms]
EXAMPLE.COM = {
kdc = kdc01.example.com
kdc = kdc02.example.com
admin_server = kdc01.example.com
admin_server = kdc02.example.com
default_domain = example.com
database_module = openldap_ldapconf
}
...
[domain_realm]
.example.com = EXAMPLE.COM
...
[dbdefaults]
ldap_kerberos_container_dn = dc=example,dc=com
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kdc_dn = "cn=admin,dc=example,dc=com"
# this object needs to have read rights on
# the realm container, principal container and realm sub-trees
ldap_kadmind_dn = "cn=admin,dc=example,dc=com"
# this object needs to have read and write rights on
# the realm container, principal container and realm sub-trees
ldap_service_password_file = /etc/krb5kdc/service.keyfile
ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
ldap_conns_per_server = 5
}

3.

LDAP:
sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f \ /etc/krb5kdc/service.keyfile

4.

KDC /etc/krb5kdc/.k5.EXAMPLE.COM
KDC. ,
, scp
.

156


sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~
sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/

EXAMPLE.COM .
5.

Secondary KDC, () ldap


:
sudo service slapd restart

6.

krb5-kdc:
sudo /etc/init.d/krb5-kdc start

7.

, LDAP- ( kerberos )
.

KDC, LDAP
, LDAP
, Kerberos LDAP Kerberos
.

4.4.
Kerberos Admin Guide

57

kdb5_ldap_util Section 5.6


59
kdb5_ldap_util man page .

58

60

krb5.conf man page .


61

Kerberos and LDAP

Ubuntu wiki.

57

http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAPback_002dend
58
http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Global-Operations-on-the-Kerberos-LDAPDatabase
59
http://manpages.ubuntu.com/manpages/precise/en/man8/kdb5_ldap_util.8.html
60
http://manpages.ubuntu.com/manpages/precise/en/man5/krb5.conf.5.html
61
https://help.ubuntu.com/community/Kerberos#kerberos-ldap

157

8.
(DNS)
(Domain Name Service, DNS)
, IP-
(Fully Qualified Domain Names, FQDN). ,
DNS IP-. ,
DNS, . Ubuntu
BIND (Berkley Internet Naming Daemon),
Linux.

158

(DNS)

1.
bind :
sudo apt-get install bind9

DNS
dnsutils. ,
/ dnsutils :
sudo apt-get install dnsutils

159

(DNS)

2.
BIND9.
,
.
BIND9 ,
,
.

BIND9
.
BIND9 ()
, .

2.1.
DNS /etc/bind.
/etc/bind/named.conf.
include ,
DNS. directory /etc/bind/named.conf.options DNS,
. , BIND,
.
/etc/bind/db.root .
, /etc/bind/db.root
.
bind9. zone ,
, file.

, .
Authority (Start of Authority, SOA) ,
,
(LAN).

2.2.

. ,
IP- DNS- -.
/etc/bind/named.conf.options:

160

(DNS)
forwarders {
1.2.3.4;
5.6.7.8;
};

1.2.3.4 5.6.7.8 IP- .


DNS- .
:
sudo service bind9 restart

3.1.2, dig [166]


DNS-.

2.3.
BIND9
example.com. example.com FQDN (Fully Qualified
Domain Name).
2.3.1.
DNS BIND9,
, /etc/bind/named.conf.local:
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
};


/etc/bind/db.example.com:
sudo cp /etc/bind/db.local /etc/bind/db.example.com

/etc/bind/db.example.com, localhost.
FQDN , "." .
127.0.0.1 IP- root.localhost
, "." "@", "."
. ,
.
A example.com.
A ns.example.com :
161

(DNS)

;
; BIND data file for example.com
;
$TTL

604800

IN

;
@
@
@
ns

SOA

example.com. root.example.com. (
2
; Serial
604800
; Refresh

IN

86400
2419200
604800 )
192.168.1.10

IN
IN
IN
IN

NS
A
AAAA
A

ns.example.com.
192.168.1.10
::1
192.168.1.10

; Retry
; Expire
; Negative Cache TTL

(Serial) ,

.
BIND9, Serial
.
DNS .
4.1, [170].

(Serial)
2012010100, yyyymmddss
( ss )
,
BIND9 :
sudo service bind9 restart

2.3.2.
, IP-,
. DNS
IP-.
/etc/bind/named.conf.local :
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192";
};

162

(DNS)
1.168.192 ,
. /etc/bind/db.192
.
/etc/bind/db.192:
sudo cp /etc/bind/db.127 /etc/bind/db.192

/etc/bind/db.192, ,
/etc/bind/db.example.com:
;
; BIND reverse data file for local 192.168.1.XXX net
;
$TTL
604800
@
IN
SOA
ns.example.com. root.example.com. (
2
604800
86400
2419200
604800 )
;
@

IN

NS

ns.

10

IN

PTR

ns.example.com.

; Serial
; Refresh
; Retry
; Expire
; Negative Cache TTL

(Serial)
. A, /etc/
bind/db.example.com, ,
PTR /etc/bind/db.192.
BIND9:
sudo service bind9 restart

2.4.
(Primary Master) ,
Secondary Master ,
.
.
allow-transfer /
etc/bind/named.conf.local:
zone "example.com" {
type master;

163

(DNS)
file "/etc/bind/db.example.com";
allow-transfer { 192.168.1.11; };
};
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192";
allow-transfer { 192.168.1.11; };
};

192.168.1.11 IP- .
BIND9 :
sudo service bind9 restart

, bind9 ,
. /etc/bind/named.conf.local
:
zone "example.com" {
type slave;
file "db.example.com";
masters { 192.168.1.10; };
};
zone "1.168.192.in-addr.arpa" {
type slave;
file "db.192";
masters { 192.168.1.10; };
};

192.168.1.10 IP- .
BIND9 :
sudo service bind9 restart

/var/log/syslog (
):
client 192.168.1.10#39448: received notify for zone '1.168.192.in-addr.arpa'
zone 1.168.192.in-addr.arpa/IN: Transfer started.
transfer of '100.18.172.in-addr.arpa/IN' from 192.168.1.10#53:
connected using 192.168.1.11#37531
zone 1.168.192.in-addr.arpa/IN: transferred serial 5
transfer of '100.18.172.in-addr.arpa/IN' from 192.168.1.10#53:

164

(DNS)
Transfer completed: 1 messages,
6 records, 212 bytes, 0.002 secs (106000 bytes/sec)
zone 1.168.192.in-addr.arpa/IN: sending notifies (serial 5)
client 192.168.1.10#20329: received notify for zone 'example.com'
zone example.com/IN: Transfer started.
transfer of 'example.com/IN' from 192.168.1.10#53: connected using 192.168.1.11#38577
zone example.com/IN: transferred serial 5
transfer of 'example.com/IN' from 192.168.1.10#53: Transfer completed: 1 messages,
8 records, 225 bytes, 0.002 secs (112500 bytes/sec)

,
(Serial)
. , DNS
DNS ,
also-notify { ipaddress; }; /etc/bind/named.conf.local,
:
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
allow-transfer { 192.168.1.11; };
also-notify { 192.168.1.11; };
};
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192";
allow-transfer { 192.168.1.11; };
also-notify { 192.168.1.11; };
};

/var/
cache/bind/. AppArmor
named .
AppArmor 4, AppArmor [189].

165

(DNS)

3.
,
DNS BIND9.

3.1.
3.1.1. resolv.conf
BIND9 IP-
.
, , .
/etc/resolv.conf, :
nameserver 192.168.1.10
nameserver 192.168.1.11

IP-
.
3.1.2. dig
dnsutils, ,
DNS dig:
BIND9 dig
(loopback), , 53 .
:
dig -x 127.0.0.1

, :
;; Query time: 1 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)

BIND9 , "dig"
:
dig ubuntu.com

:
;; Query time: 49 msec

dig :
166

(DNS)

;; Query time: 1 msec

3.1.3. ping
, DNS
, ping ICMP. :
ping example.com

, ns.example.com IP. :
PING ns.example.com (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.800 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=0.813 ms

3.1.4. named-checkzone

named-checkzone, bind9.
BIND9
.

:
named-checkzone example.com /etc/bind/db.example.com

, , :
zone example.com/IN: loaded serial 6
OK

, :
named-checkzone 1.168.192.in-addr.arpa /etc/bind/db.192

:
zone 1.168.192.in-addr.arpa/IN: loaded serial 3
OK

(Serial) .

167

(DNS)

3.2.
BIND9 .
. channel ,
, category ,
.

, :
logging {
category default { default_syslog; default_debug; };
category unmatched { null; };
};

, BIND9
, DNS , .
(channel) ,
. /etc/bind/named.conf.local
:
logging {
channel query.log {
file "/var/log/query.log";
severity debug 3;
};
};

(category) DNS
:
logging {
channel query.log {
file "/var/log/query.log";
severity debug 3;
};
category queries { query.log; };
};

debug,
1 3. ,
1.
named daemon bind,
/var/log/query.log :
sudo touch /var/log/query.log
sudo chown bind /var/log/query.log

168

(DNS)
, named ,
AppArmor. /etc/
apparmor.d/usr.sbin.named, :
/var/log/query.log w,

:
cat /etc/apparmor.d/usr.sbin.named | sudo apparmor_parser -r

AppArmor 4,
AppArmor [189]
BIND9 :
sudo service bind9 restart

/var/log/query.log,
.
BIND9.
4.2, [170].

169

(DNS)

4.
4.1.
DNS.
A: IP- (hostname).
www

IN

192.168.1.12

CNAME: (alias) A.
CNAME, CNAME.
web

IN

CNAME

www

MX: ,
. A, CNAME.

mail

IN

MX

IN

mail.example.com.
192.168.1.13

NS: ,
. A, CNAME.
.
IN
IN

NS
NS

ns.example.com.
ns2.example.com.

ns

IN

192.168.1.10

ns2

IN

192.168.1.11

4.2.
1

DNS HOWTO
BIND9.
2

DNS BIND9 Bind9.net .


3

DNS and BIND .


BIND9
4
Ubuntu Server IRC #ubuntu-server freenode .
5

BIND9 Server HOWTO Ubutu wiki.

http://www.tldp.org/HOWTO/DNS-HOWTO.html
http://www.bind9.net/
3
http://www.oreilly.com/catalog/dns5/index.html
4
http://freenode.net
5
https://help.ubuntu.com/community/BIND9ServerHowto
2

170

9.
,
.
, Ubuntu
,
, ,
.
, ,
Ubuntu 12.04 LTS Server Edition,
,
.

171

1.

.
. , ,
,
.

1.1. root?
Ubuntu
root
Ubuntu. , root
. ,
, root
.
,
sudo. Sudo
,
root.


,
.
- root,
:
sudo passwd

Sudo ,
root, :
[sudo] password for username: ( )
Enter new UNIX password: ( root)
Retype new UNIX password: ( root)
passwd: password updated successfully

root
passwd:
sudo passwd -l root

Sudo, man-.

172


man sudo

, Ubuntu
"admin", /etc/sudoers

sudo.
root sudo,
admin.

1.2.


GNU/Linux. Ubuntu ,
Debian,
"adduser".
,
,
, ,
.
sudo adduser username

,
:
sudo deluser username


. ,
.
, , UID/GID,
, ,
.
UID/GID -
, root, , ,
.
sudo chown -R root:root /home/username/
sudo mkdir /home/archived_users/
sudo mv /home/username /home/archived_users/


, :
173

sudo passwd -l username


sudo passwd -u username

,
:
sudo addgroup groupname
sudo delgroup groupname

, :
sudo adduser username groupname

1.3.
, adduser
, /home/username.
, /etc/
skel, .
,

, . ,
Ubuntu
/ . ,

. .

, :
ls -ld /home/username

, /
home/username .
drwxr-xr-x

2 username username

4096 2007-10-02 20:03 username

,
:
sudo chmod 0750 /home/username


(-R),
174


,
.

.


adduser. /etc/adduser.conf
DIR_MODE - ,
.
DIR_MODE=0750


, ,
:
ls -ld /home/username

,
:
drwxr-x---

2 username username

4096 2007-10-02 20:03 username

1.4.

.
.

, ,
,
.
1.4.1.
Ubuntu 6 ,
.
/etc/pam.d/common-password :
password

[success=2 default=ignore]

pam_unix.so obscure sha512

8 ,
min=8. :

175


password

[success=2 default=ignore]

pam_unix.so obscure sha512 min=8

()
,
sudo .
1.4.2.

,
.

,
:
sudo chage -l username


, , :
: 20 2008
:
:
:
, ( ): 0
, ( ): 99999
, : 7

,
:
sudo chage username

,
(-E) 01/31/2008,
(-m) 5 , 90 ,
(-l) 5
(-W) 14 .
sudo chage -E 01/31/2011 -m 5 -M 90 -I 30 -W 14 username

, ,
:
sudo chage -l username

,
:

176

: 20 2008
: 19 2008
: 19 2008
: 31 2008
, ( ): 5
, ( ): 90
, : 14

1.5.
,

. ,

.
1.5.1. SSH

,

RSA.
.
,
SSH, /home/username/.ssh/
authorized_keys.
.ssh/
,
SSH.
SSH ,
, ,
. ,
.
SSH ,
. , "sshlogin"
, AllowGroups,
/etc/ssh/sshd_config.
AllowGroups sshlogin

, SSH,
"sshlogin" SSH.
177

sudo adduser username sshlogin


sudo service ssh restart

1.5.2.

.

, ,
.
, .

178

2.
,
,
,
- , ,
, , ..


.
"" (screen door)
,

.

, .

2.1. Ctrl+Alt+Delete
, , ,
Ctrl+Alt+Delete
. ,
, -
.
,
.
Ctrl+Alt+Delete
/etc/init/control-altdelete.conf.
#exec shutdown -r now "Control-Alt-Delete pressed"

179

3.
3.1.
Linux Netfilter,
,
. Linux
.

.
iptables.
, Netfilter ,
, ,
iptables. ,
iptables ,
. ,
.

3.2. ufw Uncomplicated Firewall


, Ubuntu
ufw.
iptables, ufw
IPv4 IPv6,
.
ufw . man- ufw:
ufw
, ,

. ,
, .
ufw:
ufw. :
sudo ufw enable

, ( ssh), :
sudo ufw allow 22

180


:
sudo ufw insert 1 allow 80

, , :
sudo ufw deny 22

, delete , , :
sudo ufw delete deny 22


. ssh
192.168.0.2 IP- :
sudo ufw allow proto tcp from 192.168.0.2 to any port 22

192.168.0.2 192.168.0.0/24,
ssh .
--dry-run ufw,
. ,
, HTTP:
sudo ufw --dry-run allow http

*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### ###
### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0
-A ufw-user-input -p tcp --dport 80 -j ACCEPT
### ###
-A ufw-user-input -j RETURN
-A ufw-user-output -j RETURN
-A ufw-user-forward -j RETURN
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT]: "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
COMMIT

ufw, :
181

sudo ufw disable

:
sudo ufw status


:
sudo ufw status verbose

:
sudo ufw status numbered

, ,
/etc/services,
.
22 ssh.
ufw. ,
ufw .
3.2.1. ufw
, , ufw ,
, .
/etc/ufw/applications.d ,
.

:
sudo ufw app list

,
, :
sudo ufw allow Samba

:
ufw allow from 192.168.0.0/24 to any app Samba

Samba 192.168.0.0/24
.
182


, ..
. ,
, app .
, .. ,
:
sudo ufw app info Samba

, ,
ufw, ,
,
Launchpad.
ubuntu-bug _

3.3. IP
IP ,
, IP-,
, . ,
, ,
, .
, IP-
, , IP-
( ), . Linux
Connection Tracking (conntrack) ,
,
. , , ,
"", ,
. Microsoft
Internet Connection Sharing.
3.3.1. ufw
IP
ufw. , - ufw
iptables-restore , /etc/ufw/*.rules.
iptables
ufw, .
: ,
ufw, ,
ufw .

183


, ufw.
: /etc/default/
ufw DEFAULT_FORWARD_POLICY ACCEPT:
DEFAULT_FORWARD_POLICY="ACCEPT"

/etc/ufw/sysctl.conf :
net/ipv4/ip_forward=1

, IPv6,
net/ipv6/conf/default/forwarding=1

/etc/ufw/before.rules.
,

nat.
, :
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT

,
. ,
/etc/ufw, ,
:
# "COMMIT",
COMMIT


COMMIT. nat filter,
raw mangle.
eth0, eth1 192.168.0.0/24
IP.
, ufw ,
:
184

sudo ufw disable && sudo ufw enable

IP .

FORWARD /etc/ufw/before.rules.
ufw-before-forward.
3.3.2. iptables
iptables .
ufw,
IPv4. /etc/sysctl.conf

net.ipv4.ip_forward=1

IPv6, :
net.ipv6.conf.default.forwarding=1

sysctl
:
sudo sysctl -p

IP iptables,
,
:
sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE

,
192.168.0.0/16, , ppp0.
:
-t nat NAT
-A POSTROUTING , (-A) POSTROUTING
-s 192.168.0.0/16 ,

-o ppp0 ,

-j MASQUERADE , ,
"jump" (-j) (MASQUERADE)
,
185


, ( ,
)
ACCEPT,
, DROP
REJECT.
FORWARD, , :
sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT
sudo iptables -A FORWARD -d 192.168.0.0/16 -m state \
--state ESTABLISHED,RELATED -i ppp0 -j ACCEPT


, , ,
, .
, ,
, /etc/rc.local
. ,
:
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE

3.4.
,

.
,
(,
: ACCEPT, DROP, or REJECT)
ufw, ,
:
sudo ufw logging on

ufw on off
.
iptables ufw, :
sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 \
-j LOG --log-prefix "NEW_HTTP_CONN: "

186


, 80 ,
dmesg, (
, ):
[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00
SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP
SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0

/var/log/
messages, /var/log/syslog

/var/log/kern.log. ,
/etc/syslog.conf
ulogd ULOG LOG.
ulogd , ,


, PostgreSQL MySQL. ,
, ,
logwatch, fwanalog, fwlogwatch lire.

3.5.
,
- iptables. GUI:
1

fwbuilder , ,
, ,
Checkpoint FireWall-1.

:
2

Shorewall ,
.

3.6.
3

- Ubuntu Firewall
c ufw..
ufw
: man ufw.
iptables
4
packet-filtering-HOWTO
1

http://www.fwbuilder.org/
http://www.shorewall.net/
3
https://wiki.ubuntu.com/UncomplicatedFirewall
4
http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html
2

187

nat-HOWTO
.
6

IPTables HowTo Ubuntu .

5
6

http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html
https://help.ubuntu.com/community/IptablesHowTo

188

4. AppArmor
AppArmor Linux (LSM)
. AppArmor

, 1003.1e posix.

AppArmor .
, ,
.
,
apparmor-profiles.
apparmor-profiles :
sudo apt-get install apparmor-profiles

AppArmor :
/ (Complaining/Learning):
. .
/ (Enforced/Confined):
.

4.1. AppArmor
apparmor-utils ,
AppArmor,
, ..
apparmor_status
AppArmor.
sudo apparmor_status

aa-complain .
sudo aa-complain /path/to/bin

aa-enforce .
sudo aa-enforce /path/to/bin

/etc/apparmor.d AppArmor.
.
:

189


sudo aa-complain /etc/apparmor.d/*

:
sudo aa-enforce /etc/apparmor.d/*

apparmor_parser .

-r. :
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a

:
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r

/etc/init.d/apparmor
:
sudo /etc/init.d/apparmor reload

/etc/apparmor.d/disable
apparmor_parser -R .
sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/profile.name


/etc/apparmor.d/disable/.
-a.
sudo rm /etc/apparmor.d/disable/profile.name
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a

AppArmor ,
, :
sudo /etc/init.d/apparmor stop
sudo update-rc.d -f apparmor remove

AppArmor :
sudo /etc/init.d/apparmor start
sudo update-rc.d apparmor defaults

profile.name ,
. /path/to/bin/
. , ping /bin/ping

190

4.2.
AppArmor ,
/etc/apparmor.d/.
"/" ".". , /etc/apparmor.d/
bin.ping AppArmor /bin/ping.
:
Path entries: ,
.
Capability entries: ,
.
, /etc/apparmor.d/bin.ping:
#include <tunables/global>
/bin/ping flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice>
capability net_raw,
capability setuid,
network inet raw,
/bin/ping mixr,
/etc/modules.conf r,
}

#include <tunables/global>: .
,
.
/bin/ping flags=(complain): ,
complain
capability net_raw,: CAP_NET_RAW Posix.1e.
/bin/ping mixr,:
.

. 4.1,
AppArmor [189] .
4.2.1.
-: ,
. -
191


.
, .
:
.
.
.
, init.
: aa-genprof,
. :
sudo aa-genprof executable

:
sudo aa-genprof slapd

apparmor-profiles,
7
Launchpad AppArmor :
.
.
4.2.2.
,
. aa-logprof
AppArmor,
. :
sudo aa-logprof

4.3.

8
AppArmor
, AppArmor
9
Ubuntu, AppArmor Community Wiki .
AppArmor OpenSUSE
10
AppArmor .
7

https://bugs.launchpad.net/ubuntu/+source/apparmor/+filebug
http://www.novell.com/documentation/apparmor/apparmor201_sp10_admin/index.html?page=/documentation/
apparmor/apparmor201_sp10_admin/data/book_apparmor_admin.html
9
https://help.ubuntu.com/community/AppArmor
10
http://en.opensuse.org/SDB:AppArmor_geeks
8

192


AppArmor,
11
Ubuntu Server IRC #ubuntu-server freenode .

11

http://freenode.net

193

5.

.

. .

.


Secure Socket Layer
(SSL) Transport Layer Security (TLS). ,
Apache HTTPS ( HTTP SSL).
, ,
.
,
,
.
(CA).
, , ,
, .

5.1.

, ,
( ),
(CA).

.
.

,
.
HTTPS, CA
, :
()
.
CA
, - .
194


- ,
SSL, ,
. ,
,
. ,

.
CA .
:
1. , .
2. , .
,
.
3. ,
, CA.
, .
, ,
.
CA, ,
.
4. CA , , ,
.
5.
.

5.2.
(Certificate Signing Request, CSR)

CA ,
.

,
Apache, Postfix, Dovecot .., .
,
.
, .
,
.
,

195


.
.
(CSR)
:
openssl genrsa -des3 -out server.key 2048

Generating RSA private key, 2048 bit long modulus


..........................++++++
.......++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:

.
.
.
/ .
, .

.
,
server.key.
, ,
:
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

server.key,
CSR .
CSR :
openssl req -new -key server.key -out server.csr

(
- . .). ,
, , .
, CSR
server.csr.
CSR- CA . CA,
CSR-, . ,
196


, CSR.

5.3.
, ,
:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

.

server.crt.

, , , ,
CA.
.

5.4.
server.key
server.crt, , CA,
:
sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

,
,
. , Apache HTTPS, Dovecot IMAPS
POP3S ..

5.5.

,
(CA). ,
CA,
,
CA.
1.

CA
:

197


sudo mkdir /etc/ssl/CA
sudo mkdir /etc/ssl/newcerts

2.

CA :
, CA (
),
, :
sudo sh -c "echo '01' > /etc/ssl/CA/serial"
sudo touch /etc/ssl/CA/index.txt

3.

CA.
, ,
. /etc/ssl/openssl.cnf
[ CA_default ] :
dir = /etc/ssl/ #
database = $dir/CA/index.txt # index.
certificate = $dir/certs/cacert.pem # CA
serial = $dir/CA/serial #
private_key = $dir/private/cakey.pem#

4.

:
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

.
5.

:
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/

6.

. ,
, (CSR),
5.2,
(Certificate Signing Request, CSR) [195].
CSR, ,
:
sudo openssl ca -in server.csr -config /etc/ssl/openssl.cnf

,
, .

.
7.

/etc/ssl/newcerts/01.pem,
, .

198


, -----BEGIN CERTIFICATE-----
----END CERTIFICATE----- ,
, . , mail.example.com.crt
.
02.pem, 03.pem, ..
mail.example.com.crt .
8.

, ,
,
.
/etc/ssl/certs.

.
, CA,
/etc/ssl/certs/cacert.pem /etc/ssl/
certs/ .

5.6.

12
SSL Certificates HOWTO tlpd.org
HTTPS
HTTPS

13

OpenSSL
14
OpenSSL .
Network Security with
15
OpenSSL O'Reilly.

12

http://tldp.org/HOWTO/SSL-Certificates-HOWTO/index.html
http://ru.wikipedia.org/wiki/Https
14
http://www.openssl.org/
15
http://oreilly.com/catalog/9780596002701/
13

199

6. eCryptfs
eCryptfs POSIX-
Linux.
, eCryptfs
, .
/
home.

,
, .
/srv
eCryptfs.

6.1. eCryptfs
. :
sudo apt-get install ecryptfs-utils

:
sudo mount -t ecryptfs /srv /srv

, ecryptfs
.
, , /srv,
/etc/default /srv:
sudo cp -r /etc/default /srv

/srv :
sudo umount /srv
cat /srv/default/cron

/srv ecryptfs
.

6.2.

,
ecryptfs, .
200


/root/.ecryptfsrc, ,
, USB .
/root/.ecryptfsrc, :
key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt
ecryptfs_sig=5826dd62cf81c615
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n

ecryptfs_sig /
root/.ecryptfs/sig-cache.txt.
/mnt/usb/passwd_file.txt:
passphrase_passwd=[secrets]

/etc/fstab:
/dev/sdb1

/mnt/usb

ext3

ro

0 0

/srv /srv ecryptfs defaults 0 0

, USB-
.
, /srv
eCryptfs.

6.3.
ecryptfs-utils :
ecryptfs-setup-private: ~/Private,
.
,
.
ecryptfs-mount-private ecryptfs-umount-private:
~/Private.
ecryptfs-add-passphrase: ecryptfs-add-passphrase:
.
ecryptfs-manager: eCryptfs, .
ecryptfs-stat: ecryptfs .
201

6.4.
eCryptfs
16
Launchpad .
17

Linux Journal , eCryptfs.


ecryptfs
18
man ecryptfs. .
19

eCryptfs Ubuntu Wiki

16

https://launchpad.net/ecryptfs
http://www.linuxjournal.com/article/9400
18
http://manpages.ubuntu.com/manpages/precise/en/man7/ecryptfs.7.html
19
https://help.ubuntu.com/community/eCryptfs
17

202

10.

203

1.

.
,
. Nagios
Munin .
,
server01 server02. Server01 Nagios
server02. server01
munin .
munin-node, server02 server01.
,
.

204

2. Nagios
2.1.
server01 nagios.
:
sudo apt-get install nagios3 nagios-nrpe-plugin

nagiosadmin.
/etc/nagios3/htpasswd.users.
nagiosadmin
CGI Nagios
htpasswd, apache2-utils. apache2-utils.
, nagiosadmin
:
sudo htpasswd /etc/nagios3/htpasswd.users nagiosadmin

:
sudo htpasswd /etc/nagios3/htpasswd.users steve

, server02 nagios-nrpe-server.
server02 :
sudo apt-get install nagios-nrpe-server

NRPE
.
, Nagios,
.

2.2.
,
Nagios .
/etc/nagios3:
nagios, CGI-, .
/etc/nagios-plugins: .
/etc/nagios:
nagios-nrpe-server.
205


/usr/lib/nagios/plugins/: .
-h.
: /usr/lib/nagios/plugins/check_dhcp -h
Nagios,
. NagiosNagios
, DNS,
MySQL. DNS
server02, MySQL server01,
server02.
1, HTTPD - Apache2 [213]
Apache, 8,
(DNS) [158] DNS, 1, MySQL [237]
MySQL.
,
Nagios:
Host: , , ..,
.
Host Group: .
-, ..
Service: , . HTTP,
DNS, NFS ..
: .
-.
: , - .
Nagios email, SMS- ..
Nagios HTTP, ,
SSH, ,
(localhost). Nagios
ping.
Nagios .
, ,
,
.

2.3.
1.


server02. ,
server01. :
206

sudo cp /etc/nagios3/conf.d/localhost_nagios2.cfg \ /etc/nagios3/conf.d/server02.cfg

"server01", "server02", 172.18.100.100 172.18.100.101


IP- .
2.

/etc/nagios3/conf.d/server02.cfg:
define host{
use

generic-host

host_name
alias
address

; Name of host template to use

server02
Server 02
172.18.100.101

}
# check DNS service.
define service {
use

generic-service

host_name
service_description

server02
DNS

check_command

check_dns!172.18.100.101

3.

nagios :
sudo /etc/init.d/nagios3 restart

1.

MySQL
/etc/nagios3/conf.d/services_nagios2.cfg:
# check MySQL servers.
define service {
hostgroup_name

mysql-servers

service_description
check_command

MySQL
check_mysql_cmdlinecred!nagios!secret!$HOSTADDRESS

use

generic-service

notification_interval 0 ; set > 0 if you want to be renotified


}

2.

mysql-servers.
/etc/nagios3/conf.d/hostgroups_nagios2.cfg,
:
# MySQL hostgroup.
define hostgroup {
hostgroup_name
alias
members

mysql-servers
MySQL servers
localhost, server02

207


3.

Nagios MySQL.
nagios MySQL :
mysql -u root -p -e "create user nagios identified by 'secret';"

nagios
mysql-servers.
4.

nagios MySQL.
sudo /etc/init.d/nagios3 restart

1.

, NRPE
server02.
server01 /etc/nagios3/conf.d/
server02.cfg:
# NRPE disk check.
define service {
use
host_name

generic-service
server02

service_description

nrpe-disk

check_command

check_nrpe_1arg!check_all_disks!172.18.100.101

2.

server02 /etc/nagios/nrpe.cfg:
allowed_hosts=172.18.100.100

:
command[check_all_disks]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -e

3.

nagios-nrpe-server:
sudo /etc/init.d/nagios-nrpe-server restart

4.

server01 nagios:
sudo /etc/init.d/nagios3 restart


Nagios CGI. http://server01/
nagios3.
nagiosadmin.
208

2.4.
Nagios.
nagios-plugins-extra nagios-snmp-plugins
.

1
Nagios .
2

- .
3

Nagios .
4

Nagios Ubuntu Wiki .

http://www.nagios.org/
http://nagios.sourceforge.net/docs/3_0/
3
http://www.nagios.org/propaganda/books/
4
https://help.ubuntu.com/community/Nagios
2

209

3. Munin
3.1.
Munin server01 -
apache2.
munin. apache2,
1, HTTPD - Apache2 [213].
server01 munin. :
sudo apt-get install munin

server02 munin-node:
sudo apt-get install munin-node

3.2.
server01 /etc/munin/munin.conf IP-
server02:
## First our "normal" host.
[server02]
address 172.18.100.101

server02 172.18.100.101 IP-


.
munin-node server02. /etc/
munin/munin-node.conf server01:
allow ^172\.18\.100\.100$

^172\.18\.100\.100$ IP- munin.


munin-node server02 :
sudo /etc/init.d/munin-node restart

, http://server01/munin,
, muninplugins , , .
210


,
- .

3.3.
munin-plugins-extra
, DNS, DHCP, Samba ..
:
sudo apt-get install munin-plugins-extra

, ,
.

3.4.
5

Munin .
6

Munin
, ..
Open
7
Source Press: Munin Graphisches Netzwerk- und System-Monitoring .
8

Munin Ubuntu Wiki .

http://munin.projects.linpro.no/
http://munin.projects.linpro.no/wiki/Documentation
7
https://www.opensourcepress.de/index.php?26&backPID=178&tt_products=152
8
https://help.ubuntu.com/community/Munin
6

211

11. -
- , HTTP , -, HTTP ,
-, HTML
( ..).

212

1. HTTPD - Apache2
Apache -
Linux. - , .
-
, Firefox, Opera, Chromium Mozilla.
Uniform Resource Locator (URL),
- Fully Qualified Domain Name (FQDN)
. ,
1
- Ubuntu , FQDN:
www.ubuntu.com
2

community , FQDN,
:
www.ubuntu.com/community

- HTTP
(Hyper Text Transfer Protocol). ,
HTTP over Secure Sockets Layer (HTTPS) Transfer Protocol (FTP),
.
- Apache
MySQL, PHP
Python Perl.
LAMP (Linux, Apache, MySQL, Perl/Python/PHP)
-.

1.1.
- Apache2 Ubuntu Linux. Apache2:

:
sudo apt-get install apache2

1
2

http://www.ubuntu.com
http://www.ubuntu.com/community

213

1.2.
Apache2
.
:
apache2.conf: Apache2.
, Apache2.
conf.d: ,
Apache2 . , Apache2
,
.
envvars: , Apache2.
httpd.conf: Apache2,
httpd. , , ,

.
Apache2.
mods-available:
. ,
.
mods-enabled: /etc/apache2/
mods-available.
,
apache2.
ports.conf: , , TCP
Apache2 .
sites-available:
(Virtual Hosts) Apache2.
Apache2 ,
.

sites-enabled: mods-enabled, sites-enabled


/etc/apache2/sites-available. ,
sites-available ,
, Apache2 .
,
, Include.
.

.
Apache2 .
214

-
, mime- ;
TypesConfig, , /etc/apache2/
mods-available/mime.conf,
, /etc/mime.types .
1.2.1.

3
Apache2. Apache2
.
Apache 2 ,
.
( VirtualHost),
, ,
, .
, ,
, ,
, URL, ,
(..
ServerName).
, /etc/apache2/sitesavailable/default.
, ,
,
.

,
. ,

.
,
, . :
sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/mynewsite

, ,
, .
ServerAdmin
, .
webmaster@localhost.
3

http://httpd.apache.org/docs/2.2/

215

-
(
). ,
Apache2 ,
.
, /etc/apache2/
sites-available.
Listen , , IP-,

Apache2. IP- , Apache2


IP-, , .
80.
127.0.0.1:80, Apache2
. , ,
81
.
/etc/apache2/ports.conf

ServerName ,
FQDN .
ServerName,
,
ServerName .
ubunturocks.com Ubuntu, ServerName
ubunturocks.com.
,
(/etc/apache2/sites-available/mynewsite).
, www.ubunturocks.com,

www. ServerAlias.
ServerAlias .
,
, .ubunturocks.com.
ServerAlias *.ubunturocks.com

DocumentRoot , Apache2 ,
. /var/www,
/etc/apache2/sites-available/default. ,
,
!

216

-
VirtualHost, a2ensite,
Apache2:
sudo a2ensite mynewsite
sudo service apache2 restart

mynewsite
VirtualHost. ,
ServerName VirtualHost.
, a2dissite .

.
sudo a2dissite mynewsite
sudo service apache2 restart

1.2.2.
Apache2 .
, , ,
, .
.
DirectoryIndex () ,
,
(/) .
, http://
www.example.com/this_directory/, DirectoryIndex,
, ,
indexes,
(Permission Denied). ,
DirectoryIndex .
, Options
Indexes ,
HTML .
/etc/apache2/mods-available/dir.conf "index.html index.cgi index.pl
index.php index.xhtml index.htm". , Apache2
, ,
.
ErrorDocument Apache2
. ,
, 404. Apache2
217

-
HTTP 404. /etc/apache2/conf.d/localizederror-pages ErrorDocument,
.

/var/log/apache2/access.log.
CustomLog
, ,
, /etc/apache2/conf.d/other-vhosts-access-log.
, ,
ErrorLog, /var/log/apache2/
error.log. ,
Apache2.
LogLevel ( "warn")
LogFormat ( /etc/apache2/apache2.conf
).
, .
Options. Directory XML
:
<Directory /var/www/mynewsite>
...
</Directory>

Options Directory
( ),
:
ExecCGI CGI-. CGI-
, .
Includes .
HTML-
4
. Apache SSI ( Ubuntu)
.

IncludesNOEXEC
, #exec #include CGI .
Indexes
,
( index.html).

, ,
DocumentRoot.
4

https://help.ubuntu.com/community/ServerSideIncludes

218

-
, ,
,
.
Multiview
;
. Apache2
5
.
SymLinksIfOwnerMatch
, /
.
1.2.3. httpd
httpd
LockFile LockFile lock-
, ,
USE_FCNTL_SERIALIZED_ACCEPT USE_FLOCK_SERIALIZED_ACCEPT.
.
,
NFS.
(root).
PidFile PidFile ,
(process ID pid).
(root).
.
User User
(userid), .
. ,
, .
User: "www-data".
, ,
User root.
(root) -
.
Group Group User. Group
, .
Group: "www-data".
5

http://httpd.apache.org/docs/2.2/mod/mod_negotiation.html#multiviews

219

-
1.2.4. Apache2
Apache2 . ,
.
, Apache2. ,
.

,
LoadModule. , Apache2
/ .
Ubuntu Apache2
.

<IfModule>.
Apache2
-. ,
, MySQL
Authentication:
sudo apt-get install libapache2-mod-auth-mysql

/etc/apache2/mods-available.
, a2enmod:
sudo a2enmod auth_mysql
sudo service apache2 restart

, a2dismod :
sudo a2dismod auth_mysql
sudo service apache2 restart

1.3. HTTPS
mod_ssl Apache2
. ,
SSL,
URL https://.
mod_ssl apache2-common.
mod_ssl:
220

sudo a2enmod ssl

HTTPS /etc/apache2/sites-available/
default-ssl.

Apache2 HTTPS
. HTTPS
, ssl-cert.
,
.
5, [194].
Apache2 HTTPS, :
sudo a2ensite default-ssl

/etc/ssl/certs /etc/ssl/private .
,
, SSLCertificateFile SSLCertificateKeyFile
.
Apache2 HTTPS, ,
:
sudo service apache2 restart

, ,
Apache2.
,
https://your_hostname/url/.

1.4.

, ,
.
/var/www "webmasters".
sudo chgrp -R webmasters /var/www
sudo find /var/www -type d -exec chmod g=rwxs "{}" \;
sudo find /var/www -type f -exec chmod g=rws "{}" \;


, (ACL).
221

1.5.
6

Apache2 Documentation
Apache2. apache2doc, Apache2.
7

Mod SSL Documentation


SSL.
8

Apache Cookbook O'Reilly


Apache2.
Ubuntu Apache2
9
IRC #ubuntu-server freenode.net .
PHP MySQL Apache MySQL PHP Ubuntu
10
Wiki .

http://httpd.apache.org/docs/2.2/
http://www.modssl.org/docs/
8
http://oreilly.com/catalog/9780596001919/
9
http://freenode.net/
10
https://help.ubuntu.com/community/ApacheMySQLPHP
7

222

2. PHP5
PHP , . PHP HTML.

, PHP5 Ubuntu Apache2


MySQL.
, -
Apache2 MySQL. ,
Apache2 MySQL ,
Apache2 MySQL, .

2.1.
PHP5 Ubuntu Linux. python perl,
, PHP .

PHP5,
:
sudo apt-get install php5 libapache2-mod-php5

PHP5 .
, php5-cli.
:
sudo apt-get install php5-cli

PHP5
PHP5 Apache. ,
php5-cgi. :
sudo apt-get install php5-cgi

, MySQL PHP5,
php5-mysql. php5-mysql
:
sudo apt-get install php5-mysql

, PostgerSQL PHP5,
php5-pgsql. php5-pgsql
:

223

-
sudo apt-get install php5-pgsql

2.2.
PHP5, PHP5
. php5-cli,
PHP5 .
, - Apache 2
PHP5. , PHP5
, . ,
/etc/apache2/mods-enabled/php5.conf /etc/apache2/mods-enabled/php5.load.
,
a2ebmod.
, PHP5
PHP5 Apache2, Web Apache2, PHP5 .
-:
sudo service apache2 restart

2.3.
,
PHP5 phpinfo :
<?php
phpinfo();
?>

phpinfo.php
DocumentRoot - Apache2.
http://hostname/phpinfo.php,
PHP5.

2.4.

11
php.net .
PHP.
12
13
O'Reilly Learning PHP 5 and the PHP Cook Book .
11

http://www.php.net/docs.php
http://oreilly.com/catalog/9780596005603/
13
http://oreilly.com/catalog/9781565926813/
12

224

-
, Apache MySQL PHP Ubuntu Wiki
.

14

https://help.ubuntu.com/community/ApacheMySQLPHP

225

14

3. - Squid
Squid -,
HTTP, FTP

. Squid SSL
DNS ,
. Squid
, Internet Cache Protocol (ICP), Hyper Text Caching
Protocol (HTCP), Cache Array Routing Protocol (CARP) Web Cache Coordination
Protocol (WCCP).
/ Squid ,
.

,
Simple Network
Management Protocol (SNMP).
Squid ,
, Squid
.

3.1.

Squid:
sudo apt-get install squid

3.2.
Squid
/etc/squid/squid.conf .
,
Squid. Squid
.

- ,
.
/etc/squid/squid.conf
:

226

-
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.original
sudo chmod a-w /etc/squid/squid.conf.original

, , Squid,
8888 ( 3128),
http_port :
http_port 8888

visible_hostname
Squid. , Squid
. weezie
visible_hostname weezie

Squid,
- Squid
IP-. ,
192.168.42.0/24:
ACL /etc/squid/
squid.conf:
acl fortytwo_network src 192.168.42.0/24

http_access /
etc/squid/squid.conf:
http_access allow fortytwo_network

Squid,
.
, 9:00 17:00,
, 10.1.42.0/24:
ACL /etc/squid/
squid.conf:
acl biz_network src 10.1.42.0/24
acl biz_hours time M T W T F 9:00-17:00

http_access /
etc/squid/squid.conf:
http_access allow biz_network biz_hours

227

-
/etc/squid/squid.conf,
, , squid
, .
sudo /etc/init.d/squid restart

3.3.
15

- Squid

16

Ubuntu Wiki Squid .

15
16

http://www.squid-cache.org/
https://help.ubuntu.com/community/Squid

228

4. Ruby on Rails
Ruby on Rails -
- .
,
,
.

4.1.
Rails Apache MySQL.
Apache, , 1, HTTPD -
Apache2 [213]. MySQL,
1, MySQL [237].
Apache MySQL, Ruby on Rails.
Ruby Ruby on Rails,
:
sudo apt-get install rails

4.2.
/etc/apache2/sites-available/default
.
, DocumentRoot:
DocumentRoot /path/to/rails/application/public

, <Directory "/path/to/rails/application/public">:
<Directory "/path/to/rails/application/public">
Options Indexes FollowSymLinks MultiViews ExecCGI
AllowOverride All
Order allow,deny
allow from all
AddHandler cgi-script .cgi
</Directory>

Apache mod_rewrite.
:
sudo a2enmod rewrite

229

-
, /path/
to/rails/application/public /path/to/rails/application/tmp ,
Apache:
sudo chown -R www-data:www-data /path/to/rails/application/public
sudo chown -R www-data:www-data /path/to/rails/application/tmp

! Ruby on
Rails.

4.3.
17

- Ruby on Rails .
18

Agile Development with Rails .


19

Ruby on Rails Ubuntu Wiki .

17

http://rubyonrails.org/
http://pragprog.com/titles/rails3/agile-web-development-with-rails-third-edition
19
https://help.ubuntu.com/community/RubyOnRails
18

230

5. Apache Tomcat
Apache Tomcat -, Java Servlets JSP (Java Server Pages).
Tomcat 6.0 Ubuntu Tomcat.

,
tomcat6.
,
,
.
,
Tomcat.

5.1.
Tomcat
:
sudo apt-get install tomcat6

Tomcat -
ROOT, "It works".

5.2.
Tomcat /etc/tomcat6.
,
20
Tomcat 6.0
5.2.1.
Tomcat 6.0 HTTP 8080
AJP 8009. , ,
,
. /etc/tomcat6/
server.xml:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
20

http://tomcat.apache.org/tomcat-6.0-doc/index.html

231

-
...
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

5.2.2. JVM
Tomcat OpenJDK-6, Sun's
JVM, JVM. JVM,
, , JAVA_HOME /
etc/default/tomcat6:
JAVA_HOME=/usr/lib/jvm/java-6-sun

5.2.3.
, ()
Servlet. Tomcat 6.0 /etc/
tomcat6/tomcat-users.xml:
<role rolename="admin"/>
<user username="tomcat" password="s3cret" roles="admin"/>

5.3. - Tomcat
Tomcat -,
,
.
5.3.1. Tomcat
tomcat6-docs Tomcat 6.0,
-,
http://yourserver:8080/docs. ,
:
sudo apt-get install tomcat6-docs

5.3.2. - Tomcat
tomcat6-admin -,
Tomcat
-. ,
:
sudo apt-get install tomcat6-admin

232

-
- manager,
http://yourserver:8080/manager/html.
web-.
manager :
"manager" /etc/tomcat6/tomcatusers.xml , .
- host-manager,
http://yourserver:8080/host-manager/html.
.
host-manager :
"admin" /etc/tomcat6/
tomcat-users.xml , .
tomcat6
/etc/tomcat6.
- ( ,
) .
,
, tomcat6 :
sudo chgrp -R tomcat6 /etc/tomcat6
sudo chmod -R g+w /etc/tomcat6

5.3.3. - Tomcat
tomcat6-examples -,
Servlets
JSP, http://yourserver:8080/examples.
, :
sudo apt-get install tomcat6-examples

5.4.
Tomcat
,
. Tomcat 6.0
Ubuntu ,
, (
) ,
.
233

-
,
TCP.
5.4.1.
,
:
sudo apt-get install tomcat6-user

5.4.2.
,
:
tomcat6-instance-create my-instance

my-instance
. , ,
lib/ -
webapps/. - .
5.4.3.
Tomcat ,
conf/. , ,
conf/server.xml ,
Tomcat,
.
5.4.4. /
,
(,
my-instance)
my-instance/bin/startup.sh

logs/ .
java.net.BindException: Address already in
use<null>:8080, , ,
.
,
(, myinstance)
234

my-instance/bin/shutdown.sh

5.5.
21

Apache Tomcat .
22

Tomcat: The Definitive Guide


- Tomcat.
23

Tomcat Books .
24

, Ubuntu Wiki Apache Tomcat .

21

http://tomcat.apache.org/
http://oreilly.com/catalog/9780596003180/
23
http://wiki.apache.org/tomcat/Tomcat/Books
24
https://help.ubuntu.com/community/ApacheTomcat5
22

235

12.
Ubuntu . :
MySQL
PostgreSQL
().

, :

236

1. MySQL
MySQL , ,
SQL- .
,
.

1.1.
MySQL :
sudo apt-get install mysql-server

Ubuntu 12.04, MySQL 5.5 .


100% MySQL 5.1,
5.1 (
MySQL 5.1 ),
mysql-server-5.1.
root
MySQL.
, MySQL
. , ,
MySQL , :
sudo netstat -tap | grep mysql

, ,
:
tcp

0 localhost:mysql

*:*

LISTEN

2556/mysqld

,
:
sudo service mysql restart

1.2.
/etc/mysql/my.cnf
, . ,
MySQL ,
bind-address IP- :
237

bind-address

= 192.168.0.5

192.168.0.5 .
/etc/mysql/my.cnf MySQL :
sudo service mysql restart

root MySQL,
:
sudo dpkg-reconfigure mysql-server-5.5

MySQL .

1.3.
MySQL,
Ubuntu,
, ,
.
MySQL , -.
( engines)
, . ,
: InnoDB MyISAM.
() . MySQL
- , ,
,
.
.

,
,

.
MyISAM . InnoDB
,
. -
MyISAM ( ,
InnoDB). MyISAM
238


FULLTEXT,
. MyISAM
. ,

. ,
, (
scales), .
,
.
1
MyISAM on a production database .

InnoDB , ACID
2
compliant ,
.
.
.

,
. ACID
.

.

MySQL 5.5, InnoDB


MyISAM,
, .

1.4.
1.4.1. my.cnf
,
MySQL,
.
3
Percona's my.cnf generating tool .
my.cnf,
.
my.cnf ,
.
, ,
, MySQL.
1

http://www.mysqlperformanceblog.com/2006/06/17/using-myisam-in-production/
http://en.wikipedia.org/wiki/ACID
3
http://tools.percona.com/members/wizard
2

239


,
mysqldump :
mysqldump --all-databases --all-routines -u root -p > ~/fulldump.sql

root
. ,
.

, .
.
, MySQL:
sudo service mysql stop

my.cnf :
sudo cp /etc/my.cnf /etc/my.cnf.backup
sudo cp /path/to/new/my.cnf /etc/my.cnf

,
MySQL:
sudo rm -rf /var/lib/mysql/*
sudo mysql_install_db
sudo chown -R mysql: /var/lib/mysql
sudo service start mysql

, .
, ,
'Pipe Viewer' (pv). ,
pv , ,
pv cat .
ETA ( ), pv,

,
mysqldumps:
sudo apt-get install pv
pv ~/fulldump.sql | mysql

, !
my.cnf.
,
, .
240



.
1.4.2. MySQL Tuner
MySQL Tuner ,
MySQL ,
. ,
mysqltuner.
24 , .
mysqltuner Ubuntu:
sudo apt-get install mysqltuner

:
mysqltuner

.
,
,
my.cnf.
. MySQL (
) , " ".
, ,
:
-------- Recommendations ----------------------------------------------------General recommendations:
Run OPTIMIZE TABLE to defragment tables for better performance
Increase table_cache gradually to avoid file descriptor limits
Variables to adjust:
key_buffer_size (> 1.4G)
query_cache_size (> 32M)
table_cache (> 64)
innodb_buffer_pool_size (>= 22G)

:
,
.
, Wordpress,
Drupal, Joomla .
, ,
..

241


.
,

, ,
.

1.5.
4

MySQL Home Page .


,
5
MySQL Developers portal
6

SQL Using SQL Special Edition Rafe


Colburn.
7

Apache MySQL PHP Ubuntu Wiki


.

http://www.mysql.com/
http://dev.mysql.com/doc/
6
http://www.informit.com/store/product.aspx?isbn=0768664128
7
https://help.ubuntu.com/community/ApacheMySQLPHP
5

242

2. PostgreSQL
PostgreSQL - ,

,
DBMS . (DBMS DataBase Management System
. ).

2.1.
, PostgreSQL,
:
sudo apt-get install postgresql

PostgreSQL
.

2.2.
TCP/IP . PostgreSQL
.
IDENT postgres
, - . the PostgreSQL
Administrator's Guide, -
8
Kerberos. .
,
TCP/IP
MD5. PostgreSQL /etc/postgresql/
<version>/main. , PostgreSQL 8.4,
/etc/postgresql/8.4/main.
ident /
etc/postgresql/8.4/main/pg_ident.conf.
.
TCP/IP, /etc/
postgresql/8.4/main/postgresql.conf.
#listen_addresses = 'localhost' :
listen_addresses = 'localhost'
8

http://www.postgresql.org/docs/8.4/static/admin.html

243



PostgreSQL , 'localhost' IP-
, , 0.0.0.0,
.
,
!
PostgreSQL.
, PostgreSQL,
postgres.

PostgreSQL:
sudo -u postgres psql template1

PostgreSQL template1
postgres. PostgreSQL,
SQL .
SQL psql postgres.
ALTER USER postgres with encrypted password 'your_password';

, /etc/postgresql/8.4/main/pg_hba.conf
MD5 postgres:
local

all

postgres

md5

PostgreSQL
.
PostgreSQL:
sudo /etc/init.d/postgresql-8.4 restart

.
9
the PostgreSQL Administrator's Guide
.

2.3.
10

, Administrator's Guide .
postgresql-doc-8.4.
:
9

http://www.postgresql.org/docs/8.4/static/admin.html
http://www.postgresql.org/docs/8.4/static/admin.html

10

244

sudo apt-get install postgresql-doc-8.4

, file:///usr/share/doc/postgresqldoc-8.4/html/index.html .
SQL Using SQL Special Edition
Colburn.
PostgreSQL Ubuntu Wiki
.

11
12

http://www.informit.com/store/product.aspx?isbn=0768664128
https://help.ubuntu.com/community/PostgreSQL

245

12

11

Rafe

13. LAMP

246

LAMP

1.
LAMP (Linux + Apache + MySQL + PHP/Perl/Python)
Ubuntu.
,
LAMP. LAMP wiki, (CMS)
, phpMyAdmin.

LAMP
, - .
MySQL PostgreSQL SQLite. Python, Perl Ruby
PHP. Nginx, Cherokee Lighttpd Apache.
LAMP
tasksel. Tasksel Debian/Ubuntu,
"".
LAMP :

:
sudo tasksel install lamp-server

LAMP
:
, .
, -.
, , -
.
.
(script)
, .
, , ,
.

,
.
.
,
.
247

LAMP
, LAMP Ubuntu
, (-LAMP) .

.
, LAMP.

248

LAMP

2. Moin Moin
MoinMoin Wiki- Python,
Wiki PikiPiki GNU GPL.

2.1.
MoinMoin
:

udo apt-get install python-moinmoin

- apache2. ,
1.1, [213] 1,
HTTPD - Apache2 [213].

2.2.
Wiki
. , Wiki mywiki:
cd /usr/share/moin
sudo mkdir mywiki
sudo cp -R data mywiki
sudo cp -R underlay mywiki
sudo cp server/moin.cgi mywiki
sudo chown -R www-data.www-data mywiki
sudo chmod -R ug+rwX mywiki
sudo chmod -R o-rwx mywiki

MoinMoin
Wiki mywiki. MoinMoin /etc/moin/mywiki.py
:
data_dir = '/org/mywiki/data'

data_dir = '/usr/share/moin/mywiki/data'

data_dir data_underlay_dir:
data_underlay_dir='/usr/share/moin/mywiki/underlay'

/etc/moin/mywiki.py ,
/usr/share/moin/config/wikifarm/mywiki.py /etc/moin/mywiki.py
, .
249

LAMP
Wiki my_wiki_name,
("my_wiki_name", r".*") /etc/moin/farmconfig.py
("mywiki", r".*").
, MoinMoin mywiki,
apache2 Wiki-.
/etc/apache2/sites-available/default
<VirtualHost *>:

### moin
ScriptAlias /mywiki "/usr/share/moin/mywiki/moin.cgi"
alias /moin_static193 "/usr/share/moin/htdocs"
<Directory /usr/share/moin/htdocs>
Order allow,deny
allow from all
</Directory>
### end moin

, - apache2
Wiki, .
, - apache2:
sudo service apache2 restart

2.3.
Wiki , ,
URL:
http://localhost/mywiki
1

- MoinMoin .

2.4.
2

moinmoin Wiki .
3

Ubuntu Wiki MoinMoin .

http://moinmo.in/
http://moinmo.in/
3
https://help.ubuntu.com/community/MoinMoin
2

250

LAMP

3. MediaWiki
MediaWiki - Wiki-,
PHP.
MySQL PostgreSQL.

3.1.
MediaWiki Apache2,
PHP5 . MySQL
PostgreSQL. , . ,

.
MediaWiki
:
sudo apt-get install mediawiki php5-gd

MediaWiki mediawikiextensions.

3.2.
Apache mediawiki.conf MediaWiki
/etc/apache2/conf.d/.
MediaWiki.
# Alias /mediawiki /var/lib/mediawiki

, ,
Apache MediaWiki
URL:

http://localhost/mediawiki/config/index.php

, ...
. ,
.
LocalSettings.php
/etc/mediawiki:
sudo mv /var/lib/mediawiki/config/LocalSettings.php /etc/mediawiki/

251

LAMP
/etc/mediawiki/LocalSettings.php,
( ):
ini_set( 'memory_limit', '64M' );

3.3.

MediaWiki. wiki
MediaWiki .
MediaWiki
Subversion. /var/
lib/mediawiki/extensions.
: /etc/mediawiki/LocalSettings.php.
require_once "$IP/extensions/ExtentionName/ExtentionName.php";

3.4.

4
MediaWiki .
5

MediaWiki Administrators Tutorial Guide


MediaWiki.
6

Ubuntu Wiki MediaWiki .

http://www.mediawiki.org
http://www.packtpub.com/Mediawiki/book
6
https://help.ubuntu.com/community/MediaWiki
5

252

LAMP

4. phpMyAdmin
phpMyAdmin LAMP,
MySQL. PHP
-, phpMyAdmin
.

4.1.
phpMyAdmin
MySQL , phpMyAdmin,
, .
1, MySQL [237]. :
sudo apt-get install phpmyadmin

, - phpMyAdmin.
-
Apache2.
http://servername/phpmyadmin,
serveranme .
root ,
MySQL, ,
MySQL.
,
root, , /
, .

4.2.
phpMyAdmin /etc/phpmyadmin.
/etc/phpmyadmin/config.inc.php.
,
phpMyAdmin.
phpMyAdmin
MySQL, , /etc/
phpmyadmin/config.inc.php:
$cfg['Servers'][$i]['host'] = 'db_server';

253

LAMP
db_server IP-
. , phpMyAdmin
.
phpMyAdmin ,
.
config.header.inc.php config.footer.inc.php

HTML- phpMyAdmin.
/etc/phpmyadmin/
apache.conf, /etc/apache2/conf.d/
phpmyadmin.conf Apache2
phpMyAdmin. PHP,
.
Apache2 1, HTTPD -
Apache2 [213].

4.3.
phpMyAdmin
phpMyAdmin Documentation ( )
phpMyAdmin.
7
phpMyAdmin .
8

Mastering phpMyAdmin .
9

phpMyAdmin Ubuntu Wiki .

http://www.phpmyadmin.net/home_page/docs.php
http://www.packtpub.com/phpmyadmin-3rd-edition/book
9
https://help.ubuntu.com/community/phpMyAdmin
8

254

14. -
, -
.
FTP, NFS CUPS.

255

1. FTP-
(FTP) TCP
.
, ,
,
. ,
,
OpenSSH 6, [93].

FTP /.
FTP. FTP-
.
. ,
FTP.
FTP- :


FTP,
anonymous ftp
.
.
.
, SFTP
OpenSSH . FTP
, .
, FTP FTP ,
FTP.
.

1.1. vsftpd FTP-


vsftpd FTP, Ubuntu. ,
. vsftpd
:
sudo apt-get install vsftpd

256

1.2. FTP
vsftpd .
, /etc/vsftpd.conf
:

anonymous_enable=Yes

ftp /
srv/ftp. FTP.
, , /srv/files/
ftp,
ftp:
sudo mkdir /srv/files/ftp
sudo usermod -d /srv/files/ftp ftp

vsftpd:
sudo restart vsftpd

,
FTP, /srv/files/ftp, /srv/ftp,
.

1.3. FTP
vsftpd
.
, /etc/
vsftpd.conf:
write_enable=YES

vsftpd:
sudo restart vsftpd

FTP
, ,
..
,
FTP-.
vsftpd:
257

anon_upload_enable=YES

.

.
.

.

man 5 vsftpd.conf .

1.4. FTP
/etc/vsftpd.conf , vsftpd
. ,
, :
chroot_local_user=YES

,
:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

, /etc/vsftpd.chroot_list,
.
vsftpd:
sudo restart vsftpd

, /etc/ftpusers ,
FTP. root, daemon, nobody
.. FTP ,
.
FTP FTPS.
SFTP, FTPS FTP SSL. SFTP , FTP,
SSH . ,
SFTP
shell nologin.

, - .
258

-
SFTP
. OpenSSH
.
FTPS, /etc/vsftpd.conf :
ssl_enable=Yes

:
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

,
ssl-cert.
, .
5,
[194].
vsftpd
FTPS:
sudo restart vsftpd

/usr/sbin/nologin
FTP, shell , /etc/shells,
nologin:
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen
/usr/sbin/nologin

, vsftpd
PAM, /etc/pam.d/vsftpd :

259

-
auth

required

pam_shells.so

PAM shells ,
/etc/shells.
FTP
FTPS. FTP- lftp
FTPS.

1.5.
1

vsftpd website .
/etc/vsftpd.conf man-
2
vsftpd.conf .

1
2

http://vsftpd.beasts.org/vsftpd_conf.html
http://manpages.ubuntu.com/manpages/precise/en/man5/vsftpd.conf.5.html

260

2. (NFS)
NFS

. NFS,
,
.
, NFS:

,
.

, .
NFS
.
, -,
- USB-,
.
.

2.1.
NFS :
sudo apt-get install nfs-kernel-server

2.2.
, /etc/
exports. :
/ubuntu *(ro,sync,no_root_squash)
/home *(rw,sync,no_root_squash)

* .
, ,
NFS.
NFS :
sudo /etc/init.d/nfs-kernel-server start

261

2.3. NFS
mount NFS,
. ,
.
sudo mount example.hostname.com:/ubuntu /local/ubuntu

/local/ubuntu . /
local/ubuntu .
NFS,
, /
etc/fstab. NFS-,
, ,
,
NFS.

/etc/fstab :
example.hostname.com:/ubuntu /local/ubuntu nfs rsize=8192,wsize=8192,timeo=14,intr

NFS-, ,
nfs-common .
nfs-common :
sudo apt-get install nfs-common

2.4.
NFS FAQ

Ubuntu Wiki NFS Howto

3
4

http://nfs.sourceforge.net/
https://help.ubuntu.com/community/NFSv4Howto

262

3. iSCSI-
iSCSI (Internet Small Computer System Interface) ,
SCSI . iSCSI
(Storage Area Network SAN),
.
iSCSI , iSCSI .
Ubuntu
iSCSI, ().
iSCSI.
, iSCSI-
.
iSCSI- ,

iSCSI-.

3.1. iSCSI
Ubuntu iSCSI
open-iscsi. :
sudo apt-get install open-iscsi

3.2. iSCSI
open-iscsi , /etc/iscsi/
iscsid.conf, :
node.startup = automatic

, ,
iscsiadm. :
sudo iscsiadm -m discovery -t st -p 192.168.0.10

-m: , iscsiadm.
-t: .
-p: , IP- .
192.168.0.10 IP- .
, , :
263

192.168.0.10:3260,1 iqn.1992-05.com.emc:sl7b92030000520000-2

iqn IP- ,
.
iSCSI ,

, , ,
. iSCSI:
sudo iscsiadm -m node --login

, dmesg:
dmesg | grep sd
[

4.322384] sd 2:0:0:0: Attached scsi generic sg1 type 0

[
[

4.322797] sd 2:0:0:0: [sda] 41943040 512-byte logical blocks: (21.4 GB/20.0 GiB)
4.322843] sd 2:0:0:0: [sda] Write Protect is off

4.322846] sd 2:0:0:0: [sda] Mode Sense: 03 00 00 00

[
[

4.322896] sd 2:0:0:0: [sda] Cache data unavailable


4.322899] sd 2:0:0:0: [sda] Assuming drive cache: write through

[
[

4.323230] sd 2:0:0:0: [sda] Cache data unavailable


4.323233] sd 2:0:0:0: [sda] Assuming drive cache: write through

4.325312]

[
[

4.325729] sd 2:0:0:0: [sda] Cache data unavailable


4.325732] sd 2:0:0:0: [sda] Assuming drive cache: write through

sda: sda1 sda2 < sda5 >

[
4.325735] sd 2:0:0:0: [sda] Attached SCSI disk
[ 2486.941805] sd 4:0:0:3: Attached scsi generic sg3 type 0
[ 2486.952093] sd 4:0:0:3: [sdb] 1126400000 512-byte logical blocks: (576 GB/537 GiB)
[ 2486.954195] sd 4:0:0:3: [sdb] Write Protect is off
[ 2486.954200] sd 4:0:0:3: [sdb] Mode Sense: 8f 00 00 08
[ 2486.954692] sd 4:0:0:3: [sdb] Write cache: disabled, read cache: enabled, doesn't
support DPO or FUA
[ 2486.960577]

sdb: sdb1

[ 2486.964862] sd 4:0:0:3: [sdb] Attached SCSI disk

sdb iSCSI . ,
; .
,
iSCSI . :
sudo fdisk /dev/sdb
n
p

264

-
enter
w

, , fdisk;
man fdisk .
cfdisk .
, , /srv:
sudo mkfs.ext4 /dev/sdb1
sudo mount /dev/sdb1 /srv

/etc/fstab iSCSI
:
/dev/sdb1

/srv

ext4

defaults,auto,_netdev 0 0

, ,
.

3.3.
5

Open-iSCSI

Debian Open-iSCSI

5
6

http://www.open-iscsi.org/
http://wiki.debian.org/SAN/iSCSI/open-iscsi

265

4. CUPS
Ubuntu Common UNIX Printing
System (CUPS). ,
,
Linux.
CUPS ,
, ,
(Internet Printing Protocol, IPP).
, . CUPS
PostScript (PostScript Printer
Description, PPD) - ,
- .

4.1.
, CUPS , sudo
apt-get
. CUPS ,
.
CUPS :
sudo apt-get install cups

,
. CUPS
.
,
CUPS : /var/log/cups/error_log.
-
, CUPS
LogLevel ( ) debug
debug2 info,
. ,
,
.

4.2.
CUPS ,
/etc/cups/cupsd.conf. CUPS
, HTTP Apache,
266

-
, Apache,
CUPS.
, , ,
, .

,
,
.
/etc/cups/cupsd.conf
,
:
sudo cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.original
sudo chmod a-w /etc/cups/cupsd.conf.original

ServerAdmin:
CUPS,
/etc/cups/cupsd.conf
ServerAdmin .
, CUPS
'bjoy@somebigco.com', ServerAdmin
:
ServerAdmin bjoy@somebigco.com

Listen: Ubuntu CUPS


127.0.0.1.
CUPS IP- ,
IP-/
Listen. ,
IP- 192.168.10.250,
, /etc/cups/cupsd.conf,
Listen, :
Listen 127.0.0.1:631 # Listen loopback
Listen /var/run/cups/cups.sock # Listen
Listen 192.168.10.250:631 # Listen LAN, 631 (IPP)


loopback- (127.0.0.1), , cupsd
Ethernet-
. ,
267

-
loopback, ,
Listen socrates :
Listen socrates:631

# Listen on all interfaces for the hostname 'socrates'

Listen Port,
Port 631

# Listen on port 631 on all interfaces


CUPS,
, :
man cupsd.conf

/etc/cups/cupsd.conf,
CUPS ,
:
sudo /etc/init.d/cups restart

4.3. -
CUPS , http://
localhost:631/admin. -
.
-,
root ,
lpadmin.
CUPS .
lpadmin,
:
sudo usermod -aG lpadmin username

Documentation/Help
-.
7

http://www.cups.org/

268

4.4.
7

CUPS

Debian Open-iSCSI

http://wiki.debian.org/SAN/iSCSI/open-iscsi

269

15.


. ,
.
(Mail User Agent, MUA) ,

(Mail Transfer Agents, MTA),
(Mail Delivery Agent, MDA)
,
, POP3 IMAP.

270

1. Postfix
Ubuntu (Mail Transfer Agent (MTA))
Postfix. , .

MTA sendmail. ,
postfix. , SMTP-
( ).

postfix.
1.7.3,
[277].

1.1.
postfix, :
sudo apt-get install postfix

, ,
.

1.2.
postfix, :
sudo dpkg-reconfigure postfix

.
:

mail.example.com
steve

mail.example.com, localhost.localdomain, localhost


No

127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24


0


mail.example.com ,
email, 192.168.0.0/24
steve .
271


,
. , Postfix mbox,
.
, postconf
postfix.
/etc/postfix/main.cf. ,
, ,
.
Maildir:
sudo postconf -e 'home_mailbox = Maildir/'

/home/username/Maildir,
(MDA)
.

1.3. SMTP
SMTP-AUTH
(SASL). (TLS)
.
SMTP .
1.

Postfix SMTP-AUTH SASL (Dovecot SASL):


sudo postconf -e 'smtpd_sasl_type = dovecot'
sudo postconf -e 'smtpd_sasl_path = private/auth-client'
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_recipient_restrictions = \
permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'

smtpd_sasl_path ,
Postfix.
2.

TLS.
5, [194].
(CA).
CA 5.5,
[197].
(MUA),
TLS,
272


, TLS.

, ,
. TLS
MTA ( )

.
, ,
.
5.3,
[197].
3.

, Postfix
TLS- ,
:
sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/server.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/server.crt'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'myhostname = mail.example.com'

4.

,
:
sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'

, 5,
[194].
Postfix SMTP-AUTH
TLS .
1

, /etc/postfix/main.cf .
postfix .
postfix:
sudo /etc/init.d/postfix restart

../sample/postfix_configuration

273

Postfix SMTP-AUTH RFC2554 .


3
SASL . - ,
SMTP-AUTH.

1.4. SASL
Postfix SASL: Cyrus SASL Dovecot SASL.
Dovecot SASL, dovecotcommon. :
sudo apt-get install dovecot-common

/etc/dovecot/dovecot.conf.
auth default socket listen
:
socket listen {
#master {
# Master socket provides access to userdb information. It's typically
# used to give Dovecot's local delivery agent access to userdb so it
# can find mailbox locations.
#path = /var/run/dovecot/auth-master
#mode = 0600
# Default user/group is the one who started dovecot-auth (root)
#user =
#group =
#}
client {
# The client socket is generally safe to export to everyone. Typical use
# is to export it to your SMTP server so it can do SMTP AUTH lookups
# using it.
path = /var/spool/postfix/private/auth-client
mode = 0660
user = postfix
group = postfix
}
}

SMTP-AUTH Outlook, auth


default /etc/dovecot/dovecot.conf "login":
mechanisms = plain login

, Dovecot , :

2
3

http://www.ietf.org/rfc/rfc2554.txt
http://www.ietf.org/rfc/rfc2222.txt

274


sudo /etc/init.d/dovecot restart

1.5.
Postfix SMTP-AUTH
mail-stack-delivery ( dovecot-postfix).
Dovecot Postfix
SASL (MDA).
Dovecot IMAP, IMAPS, POP3 POP3S.
IMAP, IMAPS,
POP3, POP3S . ,
,
..
Postfix
SMTP_AUTH.
, :
sudo apt-get install mail-stack-delivery

, ,
, , . ,
ssl-cert , ,
, .
5, [194]
.
, ,
/etc/postfix/main.cf:
smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key

Postfix:
sudo /etc/init.d/postfix restart

1.6.
SMTP-AUTH .
.
, SMTP-AUTH TLS ,
:

275


telnet mail.example.com 25

postfix :
ehlo mail.example.com

,
. quit .
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME

1.7.

.
1.7.1. chroot
postfix Ubuntu chroot
.
.
chroot,
/etc/postfix/master.cf:
smtp inet n - - - - smtpd

:
smtp inet n - n - - smtpd

Postfix
. :
sudo /etc/init.d/postfix restart

1.7.2.
Postfix /var/log/mail.log.

, /var/log/mail.err
/var/log/mail.warn, .

tail -f:
276

tail -f /var/log/mail.err

, , .

, .

TLS ,
smtpd_tls_loglevel 1 4.
sudo postconf -e 'smtpd_tls_loglevel = 4'


, debug_peer_list.
sudo postconf -e 'debug_peer_list = problem.domain'

Postfix
/etc/postfix/master.cf, -v
. smtp:
smtp

unix

smtp -v

,
, Postfix
: sudo /etc/init.d/postfix reload

SASL, /etc/dovecot/dovecot.conf
auth_debug=yes
auth_debug_passwords=yes

Postfix, Dovecot,
: sudo /etc/init.d/dovecot reload.

, .

.
,
.
1.7.3.
Postfix .
- Ubuntu
.
277


, Postfix
Ubuntu Server community IRC- #ubuntu-server
4
5
freenode . - .
Postfix Ubuntu
6
The Book of Postfix .
7

, - Postfix
.

, Ubuntu Wiki Postifx


.

http://freenode.net
http://www.ubuntu.com/support/community/webforums
6
http://www.postfix-book.com/
7
http://www.postfix.org/documentation.html
8
https://help.ubuntu.com/community/Postfix
5

278

2. Exim4
Exim4 (MTA),
Unix,
. Exim sendmail,
exim sendmail.

2.1.
exim4, :
sudo apt-get install exim4

2.2.
Exim4 :
sudo dpkg-reconfigure exim4-config

.
. , Exim4
.
,
.
,
/etc/exim4/update-exim4.conf.
- , ,
.

:
sudo update-exim4.conf

/var/lib/exim4/
config.autogenerated.
, ,
/var/lib/exim4/config.autogenerated.
,
update-exim4.conf

Exim4.
279

sudo /etc/init.d/exim4 start

2.3. SMTP
, Exim4 SMTPAUTH TLS SASL.
TLS.
:
sudo /usr/share/doc/exim4-base/examples/exim-gencert

Exim4 TLS. /etc/exim4/conf.d/


main/03_exim4-config_tlsoptions, :
MAIN_TLS_ENABLE = yes

Exim4 saslauthd
. /etc/exim4/
conf.d/auth/30_exim4-config_examples
plain_saslauthd_server login_saslauthd_server:
plain_saslauthd_server:
driver = plaintext
public_name = PLAIN
server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
#
login_saslauthd_server:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
# don't send system passwords over unencrypted connections
server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
server_set_id = $auth1
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif

,
exim,
exim, :

280


sudo /usr/share/doc/exim4/examples/exim-adduser


:
sudo chown root:Debian-exim /etc/exim4/passwd
sudo chmod 640 /etc/exim4/passwd

Exim4 :
sudo update-exim4.conf
sudo /etc/init.d/exim4 restart

2.4. SASL
saslauthd,
Exim4.
sasl2-bin. :
sudo apt-get install sasl2-bin

saslauthd, /etc/default/
saslauthd START=no :
START=yes

Debian-exim sasl,
Exim4 saslauthd:
sudo adduser Debian-exim sasl

saslauthd:
sudo /etc/init.d/saslauthd start

Exim4 SMTP-AUTH TLS SASL


.

2.5.
9

exim.org .
10

Exim4 Book .
9

http://www.exim.org/
http://www.uit.co.uk/content/exim-smtp-mail-server

10

281


Exim4 Ubuntu Wiki

11

https://help.ubuntu.com/community/Exim4

282

11

3. Dovecot Server
Dovecot ,
. : mbox
Maildir. ,
imap pop3.

3.1.
dovecot :
sudo apt-get install dovecot-imapd dovecot-pop3d

3.2.
dovecot, /etc/
dovecot/dovecot.conf. , .
pop3, pop3s ( pop3), imap imaps (
imap). ,
.
12
13
POP3 IMAP .
IMAPS POP3S , IMAP POP3,
SSL- .
, /etc/dovecot/dovecot.conf:
protocols = pop3 pop3s imap imaps

,
. Dovecot maildir mbox.
14
, Dovecot .
, /etc/dovecot/dovecot.conf (/
etc/dovecot/conf.d/10-mail.conf) :
mail_location = maildir:~/Maildir # (for maildir)
or
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u # (for mbox)

(MTA, Mail
Transport Agent)
, , .
12

http://en.wikipedia.org/wiki/POP3
http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol
14
http://wiki.dovecot.org/MailboxFormat
13

283


dovecot, dovecot,
:
sudo /etc/init.d/dovecot restart

imap pop3,
telnet localhost pop3 telnet localhost imap2.
-, ,
:
bhuvan@rainbow:~$ telnet localhost pop3
127.0.0.1...
localhost.localdomain.
'^]'.
+OK Dovecot .

3.3. Dovecot: SSL


dovecot SSL,
/etc/dovecot/dovecot.conf
:
ssl_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
ssl_disable = no
disable_plaintext_auth = no

SSL
.
, SMTP-
. 5,
[194], .
, .
, /etc/
dovecot/dovecot.conf.

3.4.

.
IMAP - 143
IMAPS - 993
POP3 - 110
POP3S - 995
284

3.5.
15

Dovecot website

.
16

Dovecot Ubuntu Wiki

15
16

http://www.dovecot.org/
https://help.ubuntu.com/community/Dovecot

285

4. Mailman
Mailman
, ,
.
17
( Ubuntu mailing lists ) Mailman
. ,
.

4.1.
Mailman -
,
.
:

Postfix
Exim
Sendmail
Qmail

, Mailman -
Apache, Postfix Exim.
Mailman , ,
, .
Postfix
Ubuntu .
4.1.1. Apache2
apache2,
1.1, [213].
4.1.2. Postfix
Postfix 1,
Postfix [271]
4.1.3. Exim4
Exim4 2, Exim4 [279].
exim4 ,
/etc/exim4. In Ubuntu exim4
17

http://lists.ubuntu.com

286


. ,
/etc/exim4/update-exim4.conf:
dc_use_split_config='true'

4.1.4. Mailman
Mailman, :
sudo apt-get install mailman

/var/lib/mailman.
CGI- /usr/lib/cgi-bin/mailman,
Linux list list. mailman
.

4.2.
, mailman,
apache2, postfix exim4. .
4.2.1. Apache2
Apache Mailman
/etc/mailman/apache.conf. Apache ,
/etc/apache2/sites-available:
sudo cp /etc/mailman/apache.conf /etc/apache2/sites-available/mailman.conf

VirtualHost Apache
Mailman. Apache:
sudo a2ensite mailman.conf
sudo service apache2 restart

Mailman apache2 CGI-. CGI-


Mailman /usr/lib/cgi-bin/mailman.
mailman http://hostname/cgi-bin/mailman/.
/etc/apache2/sites-available/mailman.conf,
.
4.2.2. Postfix
Postfix lists.example.com
. , lists.example.com
.
287


postconf
/etc/postfix/main.cf:
sudo postconf -e 'relay_domains = lists.example.com'
sudo postconf -e 'transport_maps = hash:/etc/postfix/transport'
sudo postconf -e 'mailman_destination_recipient_limit = 1'

/etc/postfix/master.cf ,
:
mailman
unix n
n
pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}

postfix-to-mailman.py,
.
lists.example.com Mailman
. /etc/postfix/transport:
lists.example.com

mailman:

Postfix ,
:
sudo postmap -v /etc/postfix/transport

Postfix, :
sudo /etc/init.d/postfix restart

4.2.3. Exim4
Exim4 , Exim,
:
sudo /etc/init.d/exim4 start

mailman Exim4, Exim4.


, Exim4
18
. Exim .
mailman,
:
18

http://www.exim.org

288

Exim ,
.
.
4.2.4.
/etc/exim4/
conf.d/main/. 04_exim4-config_mailman
:
# start
# Home dir for your Mailman installation -- aka Mailman's prefix
# directory.
# On Ubuntu this should be "/var/lib/mailman"
# This is normally the same as ~mailman
MM_HOME=/var/lib/mailman
#
# User and group for Mailman, should match your --with-mail-gid
# switch to Mailman's configure script. Value is normally "mailman"
MM_UID=list
MM_GID=list
#
# Domains that your lists are in - colon separated list
# you may wish to add these into local_domains as well
domainlist mm_domains=hostname.com
#
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
#
# These values are derived from the ones above and should not need
# editing unless you have munged your mailman installation
#
# The path of the Mailman mail wrapper script
MM_WRAP=MM_HOME/mail/mailman
#
# The path of the list config file (used as a required file when
# verifying list addresses)
MM_LISTCHK=MM_HOME/lists/${lc::$local_part}/config.pck
# end

4.2.5.
, ,
/etc/exim4/conf.d/transport/.
40_exim4-config_mailman :

289


mailman_transport:
driver = pipe
command = MM_WRAP \
'${if def:local_part_suffix \
{${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
{post}}' \
$local_part
current_directory = MM_HOME
home_directory = MM_HOME
user = MM_UID
group = MM_GID

4.2.6.
, ,
/etc/exim4/conf.d/router/. 101_exim4config_mailman :
mailman_router
driver = accept
require_files = MM_HOME/lists/$local_part/config.pck
local_part_suffix_optional
local_part_suffix = -bounces : -bounces+* : \
-confirm+* : -join : -leave : \
-owner : -request : -admin
transport = mailman_transport

.
, .
200_exim4config_primary.
. .
,
.
4.2.7. Mailman
mailman,
:
sudo /etc/init.d/mailman start

mailman ,
. ,
:
sudo /usr/sbin/newlist mailman

290

Enter the email address of the person running the list: bhuvan at ubuntu.com
Initial mailman password:
To finish creating your mailing list, you must edit your /etc/aliases (or
equivalent) file by adding the following lines, and possibly running the
`newaliases' program:
mailman: "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin: "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces: "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm: "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join: "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave: "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner: "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request: "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe: "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe: "|/var/lib/mailman/mail/mailman unsubscribe mailman"
Hit enter to notify mailman owner...
#

Postfix, Exim4
mailman.
/etc/aliases. -
,
.
Exim4 (aliases)
Mailman,
discover.
, MTA=None
/etc/mailman/mm_cfg.py.

4.3.
, . CGI mailman' /usr/lib/cgi-bin/mailman/.
Mailman .
:
http://hostname/cgi-bin/mailman/admin
, mailman.
,
. ,
.

291


(/usr/sbin/newlist).
-.

4.4.
Mailman -.
, URL:
http://hostname/cgi-bin/mailman/listinfo

"mailman". ,
. d
, ( ) . d
. ,
, .

4.5.
GNU Mailman

19
20

HOWTO Exim 4 Mailman 2.1


21

Mailman Ubuntu Wiki .

19

http://www.list.org/mailman-install/index.html
http://www.exim.org/howto/mailman21.html
21
https://help.ubuntu.com/community/Mailman
20

292

5.

(Unsolicited Bulk Email UBE).
, ,
. ,

.
Amavisd-new, Spamassassin
ClamAV (MTA) Postfix. Postfix Postfix

. ,

. opendkim
python-policyd-spf.
Amavisd-new -,
,
..
Spamassassin
.
ClamAV .
opendkim Sendmail DKIM
(, ).
python-policyd-spf SPF (
) Postfix.
, :
Postfix.
,
opendkim python-policyd-spf.
Amavisd-new.
ClamAV .
, Postfix .
Spamassassin
. Spamassassin X-Header,
Amavisd-new .
, ,
,
293


.
(MUA)
.

5.1.
1, Postfix [271] Postfix.
, :
sudo apt-get install amavisd-new spamassassin clamav-daemon
sudo apt-get install opendkim postfix-policyd-spf-python

, Spamassassin
:
sudo apt-get install pyzor razor


:
sudo apt-get install arj cabextract cpio lha nomarch pax rar unrar unzip zip

- , ,
multiverse /etc/apt/sources.list
, ,
sudo apt-get update .

5.2.
, .
5.2.1. ClamAV
ClamAV .
/
etc/clamav.
clamav amavis, Amavisd-new
:
sudo adduser clamav amavis
sudo adduser amavis clamav

294


5.2.2. Spamassassin
Spamassassin
, . ,
pyzor razor.
/etc/default/spamassassin
Spamassassin. ENABLED=0 :
ENABLED=1

:
sudo /etc/init.d/spamassassin start

5.2.3. Amavisd-new
Amavisd-new,
/etc/amavis/conf.d/15-content_filter_mode:
use strict;
# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.
#
# Default antivirus checking mode
# Uncomment the two lines below to enable it
#
@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);

#
# Default SPAM checking mode
# Uncomment the two lines below to enable it
#
@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
1;

# insure a defined return

,
. , /etc/amavis/
conf.d/20-debian_defaults $final_spam_destiny D_DISCARD
D_BOUNCE, :
295

$final_spam_destiny

= D_DISCARD;


:
$sa_tag_level_deflt = -999; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 21.0; # triggers spam evasive actions
$sa_dsn_cutoff_level = 4; # spam level beyond which a DSN is not sent

(hostname) MX- ,
$myhostname.
, ,
@local_domains_acl . /etc/amavis/
conf.d/50-user:
$myhostname = 'mail.example.com';
@local_domains_acl = ( "example.com", "example.org" );

,
/etc/amavis/conf.d/50-user
@local_domains_acl = qw(.);

Amavisd-new :
sudo /etc/init.d/amavis restart

5.2.3.1. DKIM
Amavisd-new
Whitelist .
/etc/amavis/conf.d/40policy_banks.

:
'example.com' => 'WHITELIST',:
"example.com".
'.example.com' => 'WHITELIST',:
"example.com",
.
'.example.com/@example.com' => 'WHITELIST',:
"example.com",
example.com.
296


'./@example.com' => 'WHITELIST',: ,
"example.com".
, .
.
amavisd-new:
sudo /etc/init.d/amavis restart

, ,
- .
,
.
5.2.4. Postfix
Postfix, :
sudo postconf -e 'content_filter = smtp-amavis:[127.0.0.1]:10024'

/etc/postfix/master.cf,
:
smtp-amavis
unix
-o smtp_data_done_timeout=1200

smtp

smtpd

-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
127.0.0.1:10025 inet

-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

297



"pickup":
-o content_filter=
-o receive_override_options=no_header_body_checks

,
.
Postfix:
sudo /etc/init.d/postfix restart

.
5.2.5. Amavisd-new Spamassassin
Amavisd-new Spamassassin,
, /etc/spamassassin/local.cf,
cron ,
,
amavis cron amavisd-new.
:
MDA ,
.
/usr/sbin/amavisd-new-cronjob , use_bayes
0. , /usr/sbin/amavisd-new-cronjob,
:
egrep -q "^[ \t]*use_bayes[ \t]*0" /etc/spamassassin/local.cf && exit 0

5.3.
, Amavisd-new SMTP :
telnet localhost 10024
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
^]

, ,
:
298

X-Spam-Level:
X-Virus-Scanned: Debian amavisd-new at example.com
X-Spam-Status: No, hits=-2.3 tagged_above=-1000.0 required=5.0 tests=AWL, BAYES_00
X-Spam-Level:

, ,
X-Virus-Scanned X-Spam-Status.

5.4.
, -
.
Postfix 1.7,
[276].
Amavisd-new Syslog /var/log/
mail.log. , $log_level
/etc/amavis/conf.d/50-user 1 5.
$log_level = 2;

Amavisd-new ,
Spamassassin .
ClamAV
/etc/clamav/clamd.conf :
LogVerbose true

ClamAV /var/log/clamav/
clamav.log.

.

.

5.5.

:
22

Amavisd-new
23

ClamAV

ClamAV Wiki

24

22

http://www.ijs.si/software/amavisd/amavisd-new-docs.html
http://www.clamav.net/doc/latest/html/
24
http://wiki.clamav.net/Main/WebHome
23

299


Spamassassin Wiki

25
26

Pyzor

Razor
DKIM.org

27

28

Postfix Amavis New

29

#ubuntu-server IRC
30

freenode .

25
26
27
28
29
30

http://wiki.apache.org/spamassassin/
http://sourceforge.net/apps/trac/pyzor/
http://razor.sourceforge.net/
http://dkim.org/
https://help.ubuntu.com/community/PostfixAmavisNew
http://freenode.net

300

16.

301

1.
, IRC- ircdirc2.
Jabber.

302

2. IRC-
Ubuntu IRC (Internet Relay Chat).
,
IRC- ircd-irc2.

2.1.
ircd-irc2, :
sudo apt-get install ircd-irc2

/etc/ircd.
/usr/share/doc/ircd-irc2.

2.2.
IRC /etc/ircd/
ircd.conf. ,
:
M:irc.localhost::Debian ircd default configuration::000A

, , DNS
IRC-. ,
IRC irc.livecipher.com, , irc.livecipher.com
DNS-. IRC
.
IRC
:
A:Organization, IRC dept.:Daemon <ircd@example.irc.org>:Client Server::IRCnet:


IRC, ,
..
/usr/share/doc/ircd-irc2/ircd.conf.example.gz.
IRC, IRC
, /etc/ircd/ircd.motd.
,
IRC, :
303

sudo /etc/init.d/ircd-irc2 restart

2.3.
IRC-,
Ubuntu. ircd-ircu ircd-hybrid.
1

IRCD FAQ IRC-.

http://www.irc.org/tech_docs/ircnet/faq.html

304

3. Jabber
Jabber ,
XMPP, ,
.
Jabberd 2 .

.

3.1.
jabberd2 :
sudo apt-get install jabberd2

3.2.
XML
jabberd2 Berkeley
DB. jabberd2 LDAP, MySQL,
PostgreSQL . .
/etc/jabberd2/sm.xml, :
<id>jabber.example.com</id>

jabber.example.com
.
<storage> <driver> :
<driver>db</driver>

/etc/jabberd2/c2s.xml <local>:
<id>jabber.example.com</id>

<authreg> <module>:
<module>db</module>

jabberd2 :
sudo /etc/init.d/jabberd2 restart

305


, Jabber-,
, Pidgin.
Berkeley DB ,

.
,
.

3.3.
2

Jabberd2 Web Site Jabberd2.


Jabberd2 Install
3
Guide .
4

Setting Up Jabber Server Ubuntu Wiki


.

http://codex.xiaoka.com/wiki/jabberd2:start
http://www.jabberdoc.org/
4
https://help.ubuntu.com/community/SettingUpJabberServer
3

306

17.

.
,
, ,
, .

. ,

307

1. Bazaar
Bazaar , Canonical,
, Ubuntu. Subversion
CVS, ,
Bazaar ,
. , Bazaar

.

1.1.
bzr, :
sudo apt-get install bzr

1.2.
bzr, whoami :
$ bzr whoami 'Joe Doe <joe.doe@gmail.com>'

1.3. Bazaar
Bazaar ,
/usr/share/doc/bzr/html. ""
. bzr :
$ bzr help

foo:
$ bzr help foo

1.4. Launchpad
, , Bazaar
1
Launchpad ,
, Canonical
,
Ubuntu. , Bazaar
1

https://launchpad.net/

308


Launchpad
2
, : http://bazaar-vcs.org/LaunchpadIntegration .

http://bazaar-vcs.org/LaunchpadIntegration/

309

2. Subversion
Subversion .
Subversion,
. ,
, ,
.

2.1.
Subversion HTTP
-. Apache2
Subversion. Apache2
HTTP Apache2.
Subversion HTTPS
- Apache2.

HTTPS Apache2.
Subversion :
sudo apt-get install subversion libapache2-svn

2.2.
, ,
. ,
Subversion
2.2.1. Subversion
Subversion , :
svnadmin create /path/to/repos/project

2.2.2.
,
. :
svn import //// file://////

2.3.
Subversion

310


. URL. ,
URL .

17.1.

file://

( )

http://

WebDAV Apache2,
Subversion

https://

, http://, SSL

svn://

svnserve

svn+ssh:// , svn://, SSH


, Subversion
. .
3
, svn .
2.3.1. (file://)
.
Subversion.
Subversion . ,
, :
svn co file:///path/to/repos/project

svn co file://localhost/path/to/repos/project

, (///)
( ), .
, (//).

.
/

2.3.2. WebDAV (http://)
Subversion WebDAV
Apache2.
emphasis><VirtualHost>
3

http://svnbook.red-bean.com/

311

<Location /svn>
DAV svn
SVNPath /home/svn
AuthType Basic
AuthName "Your repository name"
AuthUserFile /etc/subversion/passwd
Require valid-user
</Location>

,
Subversion /home/svn/
svnadmin. http://hostname/
svn/repos_name.
Subversion
HTTP, HTTP.
Ubuntu www-data.

:
sudo chown -R www-data:www-data ///

www-data,
,
svn import file:/// , wwwdata, .
, /etc/subversion/passwd,
.
(
):
sudo htpasswd -c /etc/subversion/passwd _

"-c",
. :
sudo htpasswd /etc/subversion/passwd user_name

.
. ,
, :
svn co http:///svn

. ,
,
312


SSL.
.
2.3.3. WebDAV SSL (https://)
Subversion WebDAV SSL
(https://) http://, ,
Apache2.
SSL Subversion ,
, /etc/apache2/sites-available/default-ssl.
Apache2 SSL 1.3,
HTTPS [220].
,
.
.
,
- Apache 2.
Subversion
! ,
. https://
Subversion.
2.3.4. (svn://)
Subversion ,
.
/////conf/svnserve.conf. ,
:
# [general]
# password-db = passwd

,
passwd. ,
passwd , ,
.
username = password

, .
, Subversion svn://
, Subversion,
svnserve. :
$ svnserve -d --foreground -r ///

313


# -d -- daemon ()
# --foreground -- ( )
# -r --
:
$ svnserve --help

Subversion 3690.
, , :
svn co svn:/// --username _

, .
Subversion.

update. :
cd _ ; svn update

,
Subversion. ,
"co", :
svn co help

2.3.5. SSL (svn+ssh://)


svn://.
. ,
Subversion,
svnserve
, SSH
. ,

, SSH.
, .
, ,
.
svn+ssh:// ,
Subversion, SSL.
.
:
svn co svn+ssh://hostname/var/svn//

314


Subversion,
, (////
).
, .
, SSH. ,
Subversion.

315

3. CVS
CVS .
.

3.1.
CVS,
:
sudo apt-get install cvs

cvs, xinetd /
cvs .
xinetd:
sudo apt-get install xinetd

3.2.
cvs
. /
srv/cvs. :
cvs -d /your/new/cvs/repo init

,
xinetd CVS ,
/etc/xinetd.d/cvspserver.
service cvspserver
{
port = 2401
socket_type = stream
protocol = tcp
user = root
wait = no
type = UNLISTED
server = /usr/bin/cvs
server_args = -f --allow-root /srv/cvs pserver
disable = no
}

, ,
(/srv/cvs).
316


xinetd cvs
:
sudo /etc/init.d/xinetd restart

, CVS , :
sudo netstat -tap | grep cvs

, ,
:
tcp 0 0 *:cvspserver *:* LISTEN

,
CVS.
CVS
. ,
Linux CVS,
.
CVS.

3.3.
, CVS.

.
CVS:
cd your/project
cvs -d :pserver:username@hostname.com:/srv/cvs import -m \
"Importing my project to CVS repository" . new_project start

CVSROOT,
CVS.
-d cvs .
new_project , start
(). , CVS
, .
, CVS
CVS (/srv/cvs).
src CVS.
317



CVS.

318

4.
Bazaar

Launchpad

Subversion
7

Subversion

CVS

Easy Bazaar Ubuntu Wiki

109

Subversion Ubuntu Wiki

1211

http://bazaar.canonical.com/en/
https://launchpad.net/
6
http://subversion.tigris.org/
7
http://svnbook.red-bean.com/
8
http://ximbiot.com/cvs/manual/cvs-1.11.21/cvs_toc.html
10
https://help.ubuntu.com/community/EasyBazaar
9
https://help.ubuntu.com/community/EasyBazaar
12
https://help.ubuntu.com/community/Subversion
11
https://help.ubuntu.com/community/Subversion
5

319

18.
Windows
.
,

Ubuntu ,
Ubuntu MicrosoftWindows,
. ,
Ubuntu
Windows-.

320

Windows

1.
Ubuntu Windows ,
Windows.

,
:

.
(SMB)
, , ,
.
.
,
(LDAP) Microsoft Active
Directory.

.
,

, Kerberos.
, Ubuntu
Windows .
Ubuntu,
Windows, Samba,
SMB.
Ubuntu Server
Samba, ,
. , ,
1
Samba Samba .

http://www.samba.org

321

Windows

2. Samba

Ubuntu Windows Samba
.
Samba Windows-.

.
, 4,
Samba [327]

2.1.
samba. :
sudo apt-get install samba

.
Samba .

2.2.
Samba : /etc/samba/smb.conf.

, .
.
man smb.conf
2
Samba HOWTO
.
1.

/
[global] /etc/samba/smb.conf:
workgroup = EXAMPLE
...
security = user

security [global]
.
EXAMPLE.
2

http://samba.org/samba/docs/man/Samba-HOWTO-Collection/

322

Windows
2.


:
[share]
comment = Ubuntu File Server Share
path = /srv/samba/share
browsable = yes
guest ok = yes
read only = no
create mask = 0755

comment: . .
path: ,
/srv/samba/sharename,
3
(FHS) /srv
, .
Samba
,
, - .
browsable: Windows-
Windows Explorer.
guest ok:
.
read only: , ,
.
, no,
. yes,
(read only).
create mask: .
3.

, Samba ,
. :
sudo mkdir -p /srv/samba/share
sudo chown nobody.nogroup /srv/samba/share/

-p mkdir ,
.
4.

, samba,
.

http://www.pathname.com/fhs/pub/fhs-2.3.html#SRVDATAFORSERVICESPROVIDEDBYSYSTEM

323

Windows
sudo restart smbd
sudo restart nmbd

,
.
, 4,
Samba [327].
Windows-

Ubuntu Server.
,
IP- (, \\192.168.1.1) Windows.
, ,
Windows.
[dir]
/etc/samba/smb.conf Samba. ,
, ,
.
"[share]" /srv/samba/share
.
, .
,
. [qa]
/srv/samba/qa.

2.3.
Samba,
4
Samba HOWTO Collection .
5

.
6

O'Reilly Samba
.
7

Ubuntu Wiki Samba .

http://samba.org/samba/docs/man/Samba-HOWTO-Collection/
http://www.amazon.com/exec/obidos/tg/detail/-/0131882228
6
http://www.oreilly.com/catalog/9780596007690/
7
https://help.ubuntu.com/community/Samba
5

324

Windows

3. Samba
Samba
,
Ubuntu . , 2,
Samba [322], Samba,

.
, 4,
Samba [327].

3.1.
Samba
CUPS. 4, CUPS
[266]
samba :
sudo apt-get install samba

3.2.
Samba /etc/samba/smb.conf.
workgroup , security user:
workgroup = EXAMPLE
...
security = user

[printers] guest ok yes:


browsable = yes
guest ok = yes

smb.conf Samba:
sudo restart smbd
sudo restart nmbd

Samba .

Windows.
325

Windows

3.3.
Samba,
8
Samba HOWTO Collection .
9

.
10

O'Reilly Samba
.

11

- CUPS ,
CUPS.
Ubuntu Wiki Samba

12

http://samba.org/samba/docs/man/Samba-HOWTO-Collection/
http://www.amazon.com/exec/obidos/tg/detail/-/0131882228
10
http://www.oreilly.com/catalog/9780596007690/
11
http://www.cups.org/
12
https://help.ubuntu.com/community/Samba
9

326

Windows

4.
Samba
4.1. Samba
CIFS (Common Internet Filesystem)
.
Samba ,

:
security = user:
.
Samba ,
libpam-smbpass
Samba.

security = domain:. Samba


Windows- (PDC),
(BDC) - (DMS).
5, Samba
[333].
security = ADS: Samba Active
Directory . 6,
Samba Active Directory [338].
security = server:. , Samba
-,
13
.
Samba .
security = share:
.
,
, Samba.

4.2. Security = User


Samba,
2, Samba [322] 3,
Samba [325], , .
13

http://samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id349531

327

Windows
libpam-smbpass,

Samba.
sudo apt-get install libpam-smbpass

Samba Server ,
libpam-smbpass .
/etc/samba/smb.conf, [share]:
guest ok = no

, Samba, :
sudo restart smbd
sudo restart nmbd

,
.
,
,

, , .

4.3.

.
, [share].
4.3.1.
,
,

. , qa
freda, danika rob, support
danika, jeremy vincent, ,
qa,
freda, danika, rob, jeremy vincent.
danika , qa support,
, ,
,
, .
328

Windows
Samba ,
/etc/group, ,
. ,
, 1.2,
[173].
Samba /etc/samba/smb.conf
"@". ,
sysadmin /etc/samba/
smb.conf, @sysadmin.
4.3.2.

,
.
/etc/samba/smb.conf
.
, Samba share,
- qa,
sysadmin vincent,
/etc/samba/smb.conf,
[share]:
read list = @qa
write list = @sysadmin, vincent

Samba
, .
,
, ,
.
, melissa
share, /etc/samba/smb.conf
[share]:
admin users = melissa

/etc/samba/smb.conf, Samba,
:
sudo restart smbd
sudo restart nmbd

329

Windows
, ,
Samba security = share
, Samba
,
.
Linux
(ACL) Windows NT. , ACL POSIX,
Ubuntu,
. , ACL /srv
EXT3, /etc/fstab, acl:
UUID=66bcdd2e-8861-4fb0-b7e4-e61c569fe17d /srv

ext3

noatime,relatime,acl 0

:
sudo mount -v -o remount /srv

, /srv
. /srv
/,
.
Samba, sysadmin
, /srv/samba/
share, qa ,
melissa. :
sudo chown -R melissa /srv/samba/share/
sudo chgrp -R sysadmin /srv/samba/share/
sudo setfacl -R -m g:qa:rx /srv/samba/share/

setfacl
/srv/samba/share,
.
, Windows-, ,
.
man acl setfacl POSIX
ACL.

4.4. Samba AppArmor


Ubuntu AppArmor,
. AppArmor
330

Windows
Samba .
AppArmor
4, AppArmor [189].
AppArmor /usr/sbin/smbd /usr/sbin/
nmbd, Samba. apparmorprofiles. :
sudo apt-get install apparmor-profiles apparmor-utils


.
, smbd nmbd
(complain), Samba ,
. smbd
(enforce) , Samba , ,
,
.
/etc/apparmor.d/usr.sbin.smbd,
[share] :
/srv/samba/share/ r,
/srv/samba/share/** rwkix,

:
sudo aa-enforce /usr/sbin/smbd
cat /etc/apparmor.d/usr.sbin.smbd | sudo apparmor_parser -r

,
, smbd binary
. ,
Samba.
/var/log/syslog.

4.5.
Samba,
14
Samba HOWTO Collection .
15

.
14
15

http://samba.org/samba/docs/man/Samba-HOWTO-Collection/
http://www.amazon.com/exec/obidos/tg/detail/-/0131882228

331

Windows
O'Reilly Using Samba
17

18

16

HOWTO Samba .

Samba ACL
18

ACL Samba .

Ubuntu Wiki Samba

19

16

http://www.oreilly.com/catalog/9780596007690/
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/securing-samba.html
18
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id397568
19
https://help.ubuntu.com/community/Samba
17

332

Windows

5. Samba
, Samba
Active Directory,
Windows NT4.

. Samba
().

5.1.
Samba
smbpasswd.
1.

Samba, libpam-smbpass
, :
sudo apt-get install samba libpam-smbpass

2.

Samba, /etc/samba/smb.conf.
security user, workgroup
:
workgroup = EXAMPLE
...
security = user

3.

Domains
( ,
):
domain logons = yes
logon path = \\%N\%U\profile
logon drive = H:
logon home = \\%N\%U
logon script = logon.cmd
add machine script = sudo /usr/sbin/useradd -N -g machines -c Machine -d
/var/lib/samba -s /bin/false %u

,
logon home logon path .
domain logons: netlogon, Samba
.
333

Windows
logon path:
Windows .
[profiles] .
logon drive: .
logon home: .
logon script: ,
.
[netlogon].
add machine script: ,
Machine Trust Account,
.
machines
addgroup. :
1.2, [173].
4.

[homes], logon
home.
[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0700
directory mask = 0700
valid users = %S

5.


[netlogon]. , , :
[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
guest ok = yes
read only = yes
share modes = no

netlogon /home/samba/netlogon,
,
(FHS), ,
20
, /srv .
6.
20

netlogon () logon.cmd:

http://www.pathname.com/fhs/pub/fhs-2.3.html#SRVDATAFORSERVICESPROVIDEDBYSYSTEM

334

Windows
sudo mkdir -p /srv/samba/netlogon
sudo touch /srv/samba/netlogon/logon.cmd

Windows
logon.cmd

7.

Samba, :
sudo restart smbd
sudo restart nmbd

8.

, ,
.
root ,
Domain
Admins Windows. Domain Admins,
:
sudo net groupmap add ntgroup="Domain Admins" unixgroup=sysadmin rid=512 type=d

sysadmin , .
, ,
, sysadmin
admin. admin
sudo.
Samba,
smbpasswd, ,
, sysadmin:
sudo smbpasswd -a sysadmin


Domain Admins , add machine script
( ).
:

net rpc rights grant -U sysadmin "EXAMPLE\Domain Admins" SeMachineAccountPrivilege \ SePrintOpe

9.

Windows- ,
NT4 Windows.

335

Windows

5.2.
(PDC)
(BDC).
, PDC .

Samba BDC
PDC.
: scp, rsync LDAP
passdb.

LDAP
,
. ,
LDAP
.
2, Samba LDAP [135].
1.

samba libpam-smbpass. :
sudo apt-get install samba libpam-smbpass

2.

/etc/samba/smb.conf
[global]:
workgroup = EXAMPLE
...
security = user

3.

Domains
:
domain logons = yes
domain master = no

4.

, /var/lib/samba.
, , admin
scp , :
sudo chgrp -R admin /var/lib/samba

5.

, scp,
/var/lib/samba PDC:
sudo scp -r username@pdc:/var/lib/samba /var/lib

336

Windows
username pdc
IP- PDC.
6.

, samba:
sudo restart smbd
sudo restart nmbd

,
Samba PDC, Windows, .

, :
logon home PDC, PDC
Home .
logon home , PDC BDC.

5.3.
Samba,
21
Samba HOWTO Collection .
22

.
O'Reilly Using Samba

23

24

4 HOWTO Samba
.
25

5 HOWTO Samba
.
Ubuntu Wiki Samba

21
22
23
24
25
26

26

http://samba.org/samba/docs/man/Samba-HOWTO-Collection/
http://www.amazon.com/exec/obidos/tg/detail/-/0131882228
http://www.oreilly.com/catalog/9780596007690/
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html
https://help.ubuntu.com/community/Samba

337

Windows

6. Samba Active Directory


6.1. Samba
Samba
Windows. Active Directory, Samba
.
AD
Likewise-open.
27
Likewise Open .
Active Directory,
:
sudo apt-get install samba smbfs smbclient

/etc/samba/smb.conf, :
workgroup = EXAMPLE
...
security = ads
realm = EXAMPLE.COM
...
idmap backend = lwopen
idmap uid = 50-9999999999
idmap gid = 50-9999999999

samba, :
sudo restart smbd
sudo restart nmbd

Samba
Windows-. ,
AD .
4,
Samba [327].

6.2. Windows
, Samba Active Directory,
Windows.
27

http://www.likewise.com/resources/documentation_library/manuals/open/likewise-open-guide.html

338

Windows
Windows, :
mount.cifs //fs01.example.com/share mount_point

,
AD,
.

/etc/fstab, :
//192.168.0.5/share /mnt/windows cifs auto,username=steve,password=secret,rw 0

Windows
smbclient.
Windows, :
smbclient //fs01.example.com/share -k -c "ls"

, :
smbclient //fs01.example.com/share -k -c "get file.txt"

file.txt .
:
smbclient //fs01.example.com/share -k -c "put /etc/hosts hosts"
/etc/hosts

//fs01.example.com/share/hosts.

-c, ,
smbclient.
. smb:
\>,
, FTP, :
smbclient //fs01.example.com/share -k

fs01.example.com/share, //192.168.0.5/
share, username=steve,password=secret file.txt IP-
, , /
,
.

339

Windows

6.3.
smbclient : man
28
smbclient, .
29

mount.cifs
.
Ubuntu Wiki Samba

30

28

http://manpages.ubuntu.com/manpages/precise/en/man1/smbclient.1.html
http://manpages.ubuntu.com/manpages/precise/en/man8/mount.cifs.8.html
30
https://help.ubuntu.com/community/Samba
29

340

19.

Ubuntu.

, ,
.

.

341

1. Shell

shell script. ,
, ,
tar,
.
.
, NFS.
tar
.tar ,
.

1.1. Shell
shell tar
.
.
#!/bin/sh
####################################
#
# Backup to NFS mount script.
#
####################################
# What to backup.
backup_files="/home /var/spool/mail /etc /root /boot /opt"
# Where to backup to.
dest="/mnt/backup"
# Create archive filename.
day=$(date +%A)
hostname=$(hostname -s)
archive_file="$hostname-$day.tgz"
# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"
date
echo
# Backup the files using tar.
tar czf $dest/$archive_file $backup_files
# Print end status message.
echo

342


echo "Backup finished"
date
# Long listing of files in $dest to check file sizes.
ls -lh $dest

$backup_files: ,
. .
$day: , .
,
.
, date.
$hostname: , .

.
$archive_file: .
$dest: .

. 2,
(NFS) [261] NFS.
status messages: ,
echo.
tar czf $dest/$archive_file $backup_files: tar,
.
c: .
z: gzip.
f: . tar
STDOUT.
ls -lh $dest: , -l
-h .
.
.
,
, . 1.4,
[346] ,
shell .

343

1.2.
1.2.1.

. , backup.sh.
:
sudo bash backup.sh

, ,
.
1.2.2. cron
cron
. cron
.
cron crontab. crontab
:
# m h dom mon dow

command

m: , 0 59.
h: , 0 23.
dom: .
mon: .
dow: , 0 7.
0 7, .
command: .
crontab
crontab -e. , crontab
crontab -l.
backup.sh cron,
:
sudo crontab -e

sudo crontab -e
root.
, root.
344


crontab: crontab:
# m h dom mon dow
command
0 0 * * * bash /usr/local/bin/backup.sh

backup.sh .
backup.sh /usr/local/
bin/, .
,
crontab.
crontab 1.4,
[346].

1.3.
, .
, ,
.
, :
tar -tzvf /mnt/backup/host-Monday.tgz

, :
tar -xzvf /mnt/backup/host-Monday.tgz -C /tmp etc/hosts

-C tar
. /etc/hosts /
tmp/etc/hosts. tar
.
"/"
.
, :
cd /
sudo tar -xzvf /mnt/backup/host-Monday.tgz

, .

345

1.4.
shell
1
Advanced Bash-Scripting Guide
2

Teach Yourself Shell Programming in 24 Hours


shell .
3

CronHowto Wiki Page


cron.
4

GNU tar Manual


tar.
5

Backup Rotation Scheme


.
Shell tar ,
, . :
6

cpio : .
7

dd : coreutils. ,
.
8

rsnapshot : ,
.
9

rsync : ,
( ).

1
2
3
4
5
6
7
8
9

http://tldp.org/LDP/abs/html/
http://safari.samspublishing.com/0672323583
https://help.ubuntu.com/community/CronHowto
http://www.gnu.org/software/tar/manual/index.html
http://en.wikipedia.org/wiki/Backup_rotation_scheme
http://www.gnu.org/software/cpio/
http://www.gnu.org/software/coreutils/
http://www.rsnapshot.org/
http://www.samba.org/ftp/rsync/rsync.html

346

2.
Shell 1, Shell [342]
7 . ,
, .
,
.

2.1. NFS
shell
'--' (-):

.
,
.
,
,
.
:
#!/bin/bash
####################################
#
# Backup to NFS mount script with
# grandfather-father-son rotation.
#
####################################
# What to backup.
backup_files="/home /var/spool/mail /etc /root /boot /opt"
# Where to backup to.
dest="/mnt/backup"
# Setup variables for the archive filename.
day=$(date +%A)
hostname=$(hostname -s)
# Find which week of the month 1-4 it is.
day_num=$(date +%d)
if (( $day_num <= 7 )); then
week_file="$hostname-week1.tgz"
elif (( $day_num > 7 && $day_num <= 14 )); then
week_file="$hostname-week2.tgz"

347


elif (( $day_num > 14 && $day_num <= 21 )); then
week_file="$hostname-week3.tgz"
elif (( $day_num > 21 && $day_num < 32 )); then
week_file="$hostname-week4.tgz"
fi
# Find if the Month is odd or even.
month_num=$(date +%m)
month=$(expr $month_num % 2)
if [ $month -eq 0 ]; then
month_file="$hostname-month2.tgz"
else
month_file="$hostname-month1.tgz"
fi
# Create archive filename.
if [ $day_num == 1 ]; then
archive_file=$month_file
elif [ $day != "Saturday" ]; then
archive_file="$hostname-$day.tgz"
else
archive_file=$week_file
fi
# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"
date
echo
# Backup the files using tar.
tar czf $dest/$archive_file $backup_files
# Print end status message.
echo
echo "Backup finished"
date
# Long listing of files in $dest to check file sizes.
ls -lh $dest/

, 1.2,
[344].

.
shell NFS . , NFS-
.
,
(WAN) ,
.
348



, .
,

.
, .

2.2.
, ,
NFS.
,
.
,
, ,
.
.
mt, cpio.
,
:
#!/bin/bash
####################################
#
# Backup to tape drive script.
#
####################################
# What to backup.
backup_files="/home /var/spool/mail /etc /root /boot /opt"
# Where to backup to.
dest="/dev/st0"
# Print start status message.
echo "Backing up $backup_files to $dest"
date
echo
# Make sure the tape is rewound.
mt -f $dest rewind
# Backup the files using tar.
tar czf $dest $backup_files
# Rewind and eject the tape.

349


mt -f $dest rewoffl
# Print end status message.
echo
echo "Backup finished"
date

SCSI /dev/st0.
.
,
.
. , /etc/hosts /tmp/etc/
hosts :
mt -f /dev/st0 rewind
tar -xzf /dev/st0 -C /tmp etc/hosts

350

3. Bacula
Bacula ,
, .
Bacula Linux, Windows Mac OS X,
- .

3.1.
Bacula Bacula
, :
Bacula Director: ,
, , .
Bacula Console: , Director.
Console:
, .
(GUI) Gnome,
GTK+.
wxWidgets.
Bacula File: , Bacula Client.
,
, ,
Director.
Bacula Storage: ,
.
Bacula Catalog:
,
. Catalog
: MySQL, PostgreSQL SQLite.
Bacula Monitor: Director File
Storage. Monitor GTK+ GUI
.

,
.

3.2.
MySQL PostgreSQL ,
.Bacula
.
351


,
Bacula. Bacula :
sudo apt-get install bacula

bacula
MySQL Catalog. SQLite PostgreSQL,
bacula-director-sqlite3 bacula-directorpgsql.

bacula.
.
1, MySQL [237].

3.3.
Bacula ,
directives, {}.
Bacula /etc/bacula.
Bacula
. password. ,
Storage /etc/bacula/bacula-dir.conf
Director /etc/bacula/bacula-sd.conf.

Client1 Bacula.
,
- .
/etc/bacula/bacula-dir.conf:
#
# Define the main nightly save backup job
#
By default, this job will back up to disk in
Job {
Name = "BackupServer"
JobDefs = "DefaultJob"
Write Bootstrap = "/var/lib/bacula/Client1.bsr"
}

BackupServer
. BackupServer

.
352


Console Director ,
non-root Console,
bacula. bacula,
:
sudo adduser $username bacula

$username . ,
,
, .

3.4.

.
. /
etc/bacula/bacula-sd.conf,

Device {
Name = "Tape Drive"
Device Type = tape
Media Type = DDS-4
Archive Device = /dev/st0
Hardware end of medium = No;
AutomaticMount = yes;

# when device opened, read it

AlwaysOpen = Yes;
RemovableMedia = yes;
RandomAccess = no;
Alert Command = "sh -c 'tapeinfo -f %c | grep TapeAlert'"
}

DDS-4. Media Type


Archive Device .

.
/etc/bacula/bacula-sd.conf Storage
:
sudo /etc/init.d/bacula-sd restart

Storage /etc/bacula/bacula-dir.conf
:
# Definition of "Tape Drive" storage device
Storage {

353


Name = TapeDrive
# Do not use "localhost" here
Address = backupserver

# N.B. Use a fully qualified name here

SDPort = 9103
Password = "Cv70F6pf1t6pBopT4vQOnigDrR0v3LT3Cgkiyjc"
Device = "Tape Drive"
Media Type = tape
}

Address

(FQDN) . backupserver
.
, ,
/etc/bacula/bacula-sd.conf.
,
:
# .
FileSet {
Name = "LocalhostFiles"
Include {
Options {
signature = MD5
compression=GZIP
}
File = /etc
File = /home
}
}

FileSet /etc /
home. Options FileSet
MD5
GZIP.

# -- .
Schedule {
Name = "LocalhostDaily"
Run = Full daily at 00:01
}

00:01 12:01.

, :

354


# .
Job {
Name = "LocalhostBackup"
JobDefs = "DefaultJob"
Enabled = yes
Level = Full
FileSet = "LocalhostFiles"
Schedule = "LocalhostDaily"
Storage = TapeDrive
Write Bootstrap = "/var/lib/bacula/LocalhostBackup.bsr"
}


.
.
, Bacula . ,
, Console, :
bconsole

Bacula :

Storage:

: MyCatalog
"MyCatalog"
: MyCatalog
Using Catalog "MyCatalog"
:
1:
2:
(1-2):2

Volume:

:
Defined Pools:
1: Default
2: Scratch

Sunday .
Pool:

355


Select the Pool (1-2): 1
Connecting to Storage daemon TapeDrive at backupserver:9103 ...
Sending label command for Volume "Sunday" Slot 0 ...

, Bacula localhost
.

3.5.
Bacula
10
Bacula
Bacula
Bacula.

11


12

, Bacula Ubuntu Wiki .

10

http://www.bacula.org/en/rel-manual/index.html
http://www.bacula.org/
12
https://help.ubuntu.com/community/Bacula
11

356

20.
.
, ,
,
. ,

, .
Ubuntu KVM.
KVM
Intel AMD. Xen Ubuntu. Xen
,
,
. Qemu
.

357

1.
libvirt ,

. libvirt, ,
KVM.
:
kvm-ok

,
.
,
, BIOS.

1.1.

.
,
SLIRP, NAT
.

, .

,
. 1.4,
[47].

1.2.
, :
sudo apt-get install kvm libvirt-bin

libvirt-bin ,
, libvirtd.
.
:
sudo adduser $USER libvirtd

358


- ,
,
.
.
,
.
, ,
.

(GUI) .
GUI
VNC virt-viewer.
1.6, [362]
.
,
Ubuntu, , preseeds, kickstart ..
1
Ubuntu .
Ubuntu
ubuntu-vm-builder.
,
.. : 2, JeOS vmbuilder [364]
Libvirt Xen.
Xen Ubuntu,
.

1.3. virt-install
virt-install virtinst.
:
sudo apt-get install virtinst

, virt-install.
:

sudo virt-install -n web_devel -r 256 \ --disk path=/var/lib/libvirt/images/web_devel.img,bus=virti

-n web_devel:
web_devel
1

https://help.ubuntu.com/12.04/installation-guide/

359


-r 256: , ,
.
--disk path=/var/lib/libvirt/images/web_devel.img,size=4:
, ,
. web_devel.img,
/var/lib/libvirt/images/, 4
virtio .
-c jeos.iso: , CD-ROM.
ISO- CD-ROM .
--accelerate: .
--network ,
. default,
virtio.
--vnc:
VNC.
--noautoconsole:
.
-v: .
virt-install
, ,
virt-viewer.

1.4. virt-clone
virt-clone
. :

sudo virt-clone -o web_devel -n database_devel -f /path/to/database_devel.img \ --connect=qemu:///s

-o: .
-n: .
-f: ,
.
--connect: .
-d --debug
virt-clone.
web_devel database_devel
.
360

1.5.
1.5.1. virsh
,
libvirt. virsh
. :
:
virsh -c qemu:///system list

:
virsh -c qemu:///system start web_devel

, :
virsh -c qemu:///system autostart web_devel

:
virsh -c qemu:///system reboot web_devel


.
,
:
virsh -c qemu:///system save web_devel web_devel-022708.state

.

:
virsh -c qemu:///system restore web_devel-022708.state

, :
virsh -c qemu:///system shutdown web_devel

CD-ROM
:
virsh -c qemu:///system attach-disk web_devel /dev/cdrom /media/cdrom

361


web_devel
, web_devel-022708.state
.
1.5.2.
virt-manager
. virtmanager :

sudo apt-get install virt-manager

virt-manager
(GUI),
, .
libvirt :
virt-manager -c qemu:///system

libvirt, ,
:
virt-manager -c qemu+ssh://virtnode1.mydomain.com/system

, SSH
virtnode1.mydomain.com
SSH .
SSH , libvirt
. SSH 1,
OpenSSH [94]

1.6.
virt-viewer
. virt-viewer
.
virt-viewer, :
sudo apt-get install virt-viewer

,
, :

362


virt-viewer -c qemu:///system web_devel

virt-manager, virt-viewer
, SSH , :
virt-viewer -c qemu+ssh://virtnode1.mydomain.com/system web_devel

web_devel .
,
SSH .
1, OpenSSH [94] and 1.4,
[47] .

1.7.
2

KVM .
libvirt
3
libvirt
4


virt-manager.
5

, IRC #ubuntu-virt freenode


Ubuntu.
6

: Ubuntu Wiki KVM .


Xen, Xen libvirt,
7
, Ubuntu Wiki Xen .

2
3
4
5
6
7

http://kvm.qumranet.com/kvmwiki
http://libvirt.org/
http://virt-manager.et.redhat.com/
http://freenode.net/
https://help.ubuntu.com/community/KVM
https://help.ubuntu.com/community/Xen

363

2. JeOS vmbuilder
2.1.
2.1.1. JeOS
Ubuntu JeOS ( "") Ubuntu
Server, .
CD-ROM ISO, :

Server Edition ISO ( F4


" ",
, JeOS).
Ubuntu vmbuilder,
.
JeOS Ubuntu Server Edition

, ,
.
Ubuntu JeOS ,

VMware.

Ubuntu JeOS Edition
.
ISV ,
,
, . ,
,
, ,
, .

, , JeOS,
,
.
2.1.2. vmbuilder
vmbuilder JeOS ISO.
vmbuilder
. vmbuilder
,
Linux (VM).
: KVM Xen
364



, , Ubuntu,
..
, tmpdir /dev/shm tmpfs,
, .
ubuntu-vm-builder Ubuntu 8.04 LTS.


.
Ubuntu,

. (
Ubuntu, ),
Intrepid python,
:
,
.
,

.
-
.
.

2.2.
, libvirt KVM ,
. , , :
1, [358]
8

KVM Wiki.
, ,
, nano vi.
,
9
PowerUsersTextEditors .
KVM,
.
8
9

https://help.ubuntu.com/community/KVM
https://help.ubuntu.com/community/PowerUsersTextEditors

365


2.2.1. vmbuilder
, python-vm-builder.
:
sudo apt-get install python-vm-builder

Hardy,

, ,
ubuntu-vm-builder,
.

2.3.
vmbuilder' Ubuntu
, :
, ,
,
, ,
,
, . ,
.
,
.
vmbuilder 2 :
() .
, , :
vmbuilder kvm ubuntu --help

2.3.1.
KVM Ubuntu 12.04 LTS (Precise Pangolin),
, ,
, vmbuilder :

sudo vmbuilder kvm ubuntu --suite precise --flavour virtual --arch i386 \ -o --libvirt qemu:///syst

--suite Ubuntu, --flavour ,


(, JeOS), --arch
, 32- , -o
vmbuilder' --libvirt

.
366


:
- , vmbuilder,
root, sudo
3 ,
64- (--arch amd64).
Ubuntu 8.10 32-
, 64- Hardy,
--flavour server.
2.3.2. JeOS
2.3.2.1. JeOS
2.3.2.1.1. IP .

, , .
, ,
,
IP- ,
.
192.168.0.0/255
:
--ip ADDRESS: IP- (
dhcp, )
--hostname NAME: NAME, .
--mask VALUE: IP- ( 255.255.255.0)
--net VALUE: IP- ( X.X.X.0)
--bcast VALUE: IP ( X.X.X.255)
--gw ADDRESS: ( ...1)
--dns ADDRESS: DNS ( X.X.X.1)
, ,
:

sudo vmbuilder kvm ubuntu --suite precise --flavour virtual --arch i386 \ -o --libvirt qemu:///syst

2.3.2.1.2.
,
, libvirt ,
367


. --bridge
:

sudo vmbuilder kvm ubuntu --suite precise --flavour virtual --arch i386 \ -o --libvirt qemu:///syst


,
1.4, [47] . ,
, br0
.
2.3.2.2.
,
.
,
/var.
vmbuilder --part:
--part PATH
Allows you to specify a partition table in a partition file, located at PATH. Each
line of the partition file should specify (root first):
mountpoint size
where size is in megabytes. You can have up to 4 virtual disks, a new disk starts
on a line with ---.
root 1000

ie :

/opt 1000
swap 256
--/var 2000
/log 1500

vmbuilder.partition,
:
root 8000
swap 4000
--/var 20000

, ,
, ,
.
:

sudo vmbuilder kvm ubuntu --suite precise --flavour virtual --arch i386 \ -o --libvirt qemu:///syst

368


"\"
.
2.3.2.3.
,
,
,
. ,
, ,
, ,
. 'user'
'default' .
:
--user USERNAME: . -:
ubuntu.
--name FULLNAME: . : Ubuntu.
--pass PASSWORD: . -: ubuntu.
:

sudo vmbuilder kvm ubuntu --suite precise --flavour virtual --arch i386 \ -o --libvirt qemu:///syst

2.3.3.
(Limesurvey),
MySQL -.
:
Apache
PHP
MySQL
OpenSSH
Limesurvey ( , )
vmbuilder --addpkg
:
--addpkg PKG
PKG ( )

, - vmbuilder,

369


. Limesurvey,
, .
, debconf, , mysqlserver, , ,
.
, ,
main, ,
--comp --ppa:
--components COMP1,COMP2,...,COMPN
A comma separated list of distro components to include (e.g. main,universe).
This defaults to "main"
--ppa=PPA Add ppa belonging to PPA to the vm's sources.list.

Limesurvey ,
PPA ( ),
/etc/apt/source.list .
:

--addpkg apache2 --addpkg apache2-mpm-prefork --addpkg apache2-utils \ --addpkg apache2.2-common --

2.3.4.
2.3.4.1.
vmbuilder ,
,
,
,
.
, (
, apt-mirror)
-, apt-proxy.
, ,
. :
sudo apt-get install apt-proxy

()
http://mirroraddress:9999
Ubuntu /ubuntu. , vmbuilder ,
--mirror:

370


--mirror=URL

URL Ubuntu ,
http://archive.ubuntu.com/ubuntu
http://ports.ubuntu.com/ubuntu-ports

:
--mirror http://mirroraddress:9999/ubuntu

/etc/
apt/sources.list ,
,
.
2.3.4.2.
,
Ubuntu. apt-mirror
, .
20
.
apt-mirror /etc/apt/
mirror.list.
.
, ,
deb, deb /deb-{arch}, arch
i386, amd64 .. , amd64
i386,
( ,
):
deb

http://archive.ubuntu.com/ubuntu precise main restricted universe multiverse

/deb-i386
deb

http://archive.ubuntu.com/ubuntu precise main restricted universe multiverse

http://archive.ubuntu.com/ubuntu precise-updates main restricted universe multiverse

/deb-i386

http://archive.ubuntu.com/ubuntu precise-updates main

restricted universe multiverse


deb http://archive.ubuntu.com/ubuntu/ precise-backports main restricted universe multiverse
/deb-i386

http://archive.ubuntu.com/ubuntu precise-backports main

restricted universe multiverse


deb http://security.ubuntu.com/ubuntu precise-security main restricted universe multiverse
/deb-i386 http://security.ubuntu.com/ubuntu precise-security main
restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu precise main/debian-installer

371


restricted/debian-installer universe/debian-installer multiverse/debian-installer
/deb-i386 http://archive.ubuntu.com/ubuntu precise main/debian-installer
restricted/debian-installer universe/debian-installer multiverse/debian-installer

, ,
, ,
, .
, (

), Apache,
( /var/spool/apt-mirror, )
Apache.
Apache 1, HTTPD - Apache2 [213].

2.4.
:

Debian.
,

10
Ubuntu .
, .
11
Debian
.
/opt,
12
FHS .
, Limesurvey, , .
, PPA
( ).

2.5.
2.5.1.
,
, unattendedupgrades, :

10

https://wiki.ubuntu.com/PackagingGuide
http://www.debian-administration.org/articles/286
12
http://www.pathname.com/fhs/
11

372


--addpkg unattended-upgrades

PPA,
, ,
PPA.
2.5.2. ACPI
,

, acpid.
:
--addpkg acpid

2.6.
, :

sudo vmbuilder kvm ubuntu --suite precise --flavour virtual --arch i386 -o \ --libvirt qemu:///syst

2.7.
,
, Ubuntu Server :
IRC: #ubuntu-server on freenode
: ubuntu-server at lists.ubuntu.com

13
14

, JeOSVMBuilder Ubuntu Wiki .

13
14

https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
https://help.ubuntu.com/community/JeOSVMBuilder

373

3. UEC
3.1.
UEC (Ubuntu Enterprise Cloud Ubuntu)
UC (Ubuntu Cloud
Ubuntu). Eucalyptus,
Openstack. .
UEC -
Ubuntu 12.04 LTS Server
, ,
" ", .
, , ,

, "front-end"
.
,
.

3.2.
,
:

.
,
. , ,
.
3.2.1.
,
:
(CLC)
(CC)
Walrus ( S3)
(SC)

374

20.1. UEC

2 x 2 -

5400 /
IDE

7200 / ,
SATA

- Java
,

40

200

40
,
.., Eucalyptus

100

1000
/

3.2.2.
, :
(NC)

20.2. UEC

VT, 64-bit,
64-
VT

i386, amd64 ;
, Eucalyptus
(VM)
.
375

5400 / 7200 /
IDE SATA
SCSI


,

Eucalyptus
; /

40

100

;
Eucalyptus

100

1000 /

3.3. //
/Walrus
1.

Ubuntu 12.04 LTS Server


-.

2.

, Ubuntu
.
Eucalyptus

3.

, ,
15

4.

,
,

5.


cluster1.
IP- ,

192.168.1.200-192.168.1.249.

3.4. ()
. ,
, /
15

https://help.ubuntu.com/community/UEC/Topologies

376


1.

()

2.

, Ubuntu
.

3.

Ubuntu

4.

5.

6.

3.5. ()
1.

UEC,

,
:
a. SSH .
b.
c. uec-component-listener .
d. .
a e
16
UEC/PackageInstall . ,
,
, "a"
"e".

2.


eucalyptus SSH
Walrus, , ,
eucalyptus.
ssh :

eucalyptus:
sudo passwd eucalyptus

, :
16

https://help.ubuntu.com/community/UEC/PackageInstall

377

sudo -u eucalyptus ssh-copy-id -i ~eucalyptus/.ssh/id_rsa.pub \ eucalyptus@<IP_OF_NODE>

, ,
eucalyptus :
sudo passwd -d eucalyptus

3.


:
:
CC_NAME /etc/eucalyptus/eucalyptuscc.conf

CC_IP_ADDR /etc/eucalyptus/
eucalyptus-ipaddr.conf IP-,

Walrus:
WALRUS_IP_ADDR /etc/eucalyptus/
eucalyptus-ipaddr.conf IP-
:
:
CC_NAME /etc/eucalyptus/eucalyptuscc.conf

SC_IP_ADDR /etc/eucalyptus/
eucalyptus-ipaddr.conf IP-,

4.


Walrus:
sudo start eucalyptus-walrus-publication

:
sudo start eucalyptus-cc-publication

:
sudo start eucalyptus-sc-publication

378

sudo start eucalyptus-nc-publication

5.


:
sudo start uec-component-listener

6.


cat /var/log/eucalyptus/registration.log
2010-04-08
2010-04-08
2010-04-08
2010-04-08
2010-04-08

15:46:36-05:00
15:46:36-05:00
15:48:47-05:00
15:48:51-05:00
15:49:04-05:00

|
|
|
|
|

24243
24243
25858
25858
26237

->
->
->
->
->

Calling node cluster1 node 10.1.1.75


euca_conf --register-nodes returned 0
Calling walrus Walrus 10.1.1.71
euca_conf --register-walrus returned 0
Calling cluster cluster1 10.1.1.71

2010-04-08 15:49:08-05:00 | 26237 -> euca_conf --register-cluster returned 0


2010-04-08 15:49:17-05:00 | 26644 -> Calling storage cluster1 storage 10.1.1.71
2010-04-08 15:49:18-05:00 | 26644 -> euca_conf --register-sc returned 0

3.6.

.
-, .
3.6.1.
1.

- ( Ubuntu)
URL-:
https://<cloud-controller-ip-address>:8443/

,
, -
"https", "http".
.
. ,
Eucalyptus
2.

'admin' 'admin' ,
( )

3.


admin

379


4.

,
" ",

5.

' '
.

6.

~/.euca.

7.

zip- (~/.euca).
unzip -d ~/.euca mycreds.zip

3.6.2.

, ,
:
mkdir -p ~/.euca
chmod 700 ~/.euca
cd ~/.euca
sudo euca_conf --get-credentials mycreds.zip
unzip mycreds.zip
ln -s ~/.euca/eucarc ~/.eucarc
cd -

3.6.3.
EC2 API AMI ,
X.509.
1.

:
sudo apt-get install euca2ools

2.

, , ,
:
. ~/.euca/eucarc
euca-describe-availability-zones verbose
AVAILABILITYZONE

myowncloud

192.168.1.1

AVAILABILITYZONE

|- vm types

free / max

cpu

ram

disk

AVAILABILITYZONE

|- m1.small

0004 / 0004

128

AVAILABILITYZONE
AVAILABILITYZONE

|- c1.medium
|- m1.large

0004 / 0004
0002 / 0002

1
2

256
512

5
10

AVAILABILITYZONE

|- m1.xlarge

0002 / 0002

1024

20

AVAILABILITYZONE

|- c1.xlarge

0001 / 0001

2048

20


e .
380

3.7.
.
, Bundle their
17
own image .
UEC
- UEC.
1.

- URL (
https):
https://<cloud-controller-ip-address>:8443/

2.

( , ,
, ).

3.

4.

5.

, "
?",
() .
"".

3.8.
UEC:
.
UEC ,
Landscape
18

ElasticFox

Firefox.

:
1.

,
( ssh), ,
root, .
, .
:

17
18

https://help.ubuntu.com/community/UEC/BundlingImages
https://help.ubuntu.com/community/UEC/ElasticFox

381

if [ ! -e ~/.euca/mykey.priv ]; then
mkdir -p -m 700 ~/.euca
touch ~/.euca/mykey.priv
chmod 0600 ~/.euca/mykey.priv
euca-add-keypair mykey > ~/.euca/mykey.priv
fi

'mykey'), , .
, euca-describekeypairs ,
.
2.

22:
euca-authorize default -P tcp -p 22 -s 0.0.0.0/0

3.

,
:
euca-run-instances $EMI -k mykey -t m1.small

image_id,
"
"
.
4.


, .
,
.
:
watch -n5 euca-describe-instances

, .

''
5.

,
''. , IP-
, :
IPADDR=$(euca-describe-instances | grep $EMI | grep running | \ tail -n1 | awk '{print $4}')
ssh -i ~/.euca/mykey.priv ubuntu@$IPADDR

382


6.

, SSH,
:

INSTANCEID=$(euca-describe-instances | grep $EMI | grep running | \ tail -n1 | awk '{print $2}'
euca-terminate-instances $INSTANCEID

3.8.1.
cloud-init

ssh ~ubuntu/.ssh/
authorized_keys.
, ,
.

, .
, cloud-init,
19
(user-data) ,
.
cloud-init:
sudo apt-get install cloud-init

(user-data) '#!',
root
( 'rc.local').
.
, ud.txt, :
#!/bin/sh
echo ========== Hello World: $(date) ==========
echo "I have been up for $(cut -d\ -f 1 < /proc/uptime) sec"

--user-data-file:
euca-run-instances $EMI -k mykey -t m1.small --user-data-file=ud.txt

, , .
, :

19

http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1085

383


euca-get-console-output $EMI | grep --after-context=1 Hello
========== Hello World: Mon Mar 29 18:05:05 UTC 2010 ==========
I have been up for 28.26 sec

.
.
(user-data)
, (#!/bin/sh, #!/usr/
bin/python, #!/usr/bin/perl, #!/usr/bin/awk ... ).

. cloud-init "cloud-config"
, .
cloud-config (user-data)
'#cloud-config'.
, cloud-config.txt, :
#cloud-config
apt_upgrade: true
apt_sources:
- source: "ppa:ubuntu-server-edgers/server-edgers-apache "
packages:
- build-essential
- pastebinit
runcmd:
- echo ======= Hello World =====
- echo "I have been up for $(cut -d\

-f 1 < /proc/uptime) sec"

:
euca-run-instances $EMI -k mykey -t m1.small --user-data-file=cloud-config.txt

, , :
Apache Edgers PPA

'build-essential' 'pastebinit'
,
Apache Edgers PPA
Apache
. PPA
384


, , ,
. 20
Ubuntu Server Edgers .
'runcmd' ,
'#!' .
, cloud-config.
,
21
cloud-config, doc/examples .

3.9.

22

eucalyptus:
sudo service eucalyptus [start|stop|restart] ( CLC/CC/SC/Walrus)
sudo service eucalyptus-nc [start|stop|restart] ( )
:

/var/log/eucalyptus
:
/etc/eucalyptus
:
/var/lib/eucalyptus/db
:
/var/lib/eucalyptus
/var/lib/eucalyptus/.ssh
~/.euca/eucarc
.

3.10.
Eucalyptus
23
Wiki .
24

Eucalyptus (, , ) .
20

https://launchpad.net/~ubuntu-server-edgers
http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/files/head:/doc/examples/
22
https://help.ubuntu.com/community/UEC/StorageController
23
https://help.ubuntu.com/community/Eucalyptus
24
http://open.eucalyptus.com/
21

385


25

Eucalyptus Launchpad (, ) .
26

Eucalyptus (1.5) .
RightScale

27

IRC- #ubuntu-virt,
28
#eucalyptus, #ubuntu-server Freenode .

25

https://launchpad.net/eucalyptus/
http://open.eucalyptus.com/wiki/EucalyptusTroubleshooting_v1.5
27
http://support.rightscale.com/2._References/02-Cloud_Infrastructures/Eucalyptus/03-Administration_Guide/
Register_with_RightScale
28
http://freenode.net
26

386

4. Ubuntu
(cloud computing) ,

. , ,
, ,

.
, ,
, , .
Ubuntu
OpenStack
, .

4.1.
OpenStack - Ubuntu
12.04 LTS Server Edition

" ". ,
,
Ubuntu
OpenStack.

4.2.
Ubuntu ,
, :
.
(
).
, (VT),
KVM.
, QEMU, UML, Vmware ESX / ESXi XEN. LXC (Linux
Containers) Libvirt.
, kvm, sudo kvm-ok
linux.
" ",
, :
, nova (
387


compute) , nova-compute.
,
(SPoF).

4.3.
OpenStack, ,
, MySQL,

(ntp). , .
" " 10.0.0.0/24
eth1. ,
" " 10.153.107.0/29
eth0.
4.3.1.
sudo apt-get install bridge-utils

4.3.2. NTP
sudo apt-get install ntp

/etc/ntp.conf.
server 127.127.1.0
fudge 127.127.1.0 stratum 10

ntp
sudo service ntp restart

4.3.3. MySQL
sudo apt-get install mysql-server

mysql OpenStack
sudo mysql -uroot -ppassword -e "CREATE DATABASE nova;"
sudo mysql -uroot -ppassword -e "GRANT ALL ON nova.* TO novauser@localhost \
IDENTIFIED BY 'novapassword' ";

"\" ,
.
388

4.4. OpenStack Compute (Nova)


OpenStack (Nova)
( IaaS
). Python
Eventlet Twisted
AMQP, SQLAlchemy .
OpenStack Nova
sudo apt-get install nova-api nova-network nova-volume nova-objectstore nova-scheduler \
nova-compute euca2ools unzip

libvirt-bin, , libvirtd
ebtables.
sudo service libvirt-bin restart

RabbitMQ AMQP (Advanced Message


Queuing Protocol)
sudo apt-get install rabbitmq-server

/etc/nova/nova.conf, :
# Nova config FlatDHCPManager
--sql_connection=mysql://novauser:novapassword@localhost/nova
--flat_injected=true
--network_manager=nova.network.manager.FlatDHCPManager
--fixed_range=10.0.0.0/24
--floating_range=10.153.107.72/29
--flat_network_dhcp_start=10.0.0.2
--flat_network_bridge=br100
--flat_interface=eth1
--public_interface=eth0

OpenStack
for i in nova-api nova-network nova-objectstore nova-scheduler nova-volume nova-compute; \
do sudo stop $i; sleep 2; done

for i in nova-api nova-network nova-objectstore nova-scheduler nova-volume nova-compute; \


do sudo start $i; sleep 2; done

Nova sqlite MySQL.


.
389

sudo nova-manage db sync

,
. IP,
nova.conf .

sudo nova-manage network create --fixed_range_v4 10.0.0.0/24 --label private \


--bridge_interface br100

6 ()
IP- ,
10.153.107.72.
sudo nova-manage floating create --ip_range=10.153.107.72/29

(user1), (project1),
.
cd ; mkdir nova ; cd nova
sudo nova-manage user admin user1
sudo nova-manage project create project1 user1
sudo nova-manage project zipfile project1 user1
unzip nova.zip
source novarc

OpenStack Compute, :
sudo nova-manage service list
sudo nova-manage version list

Nova ,
OpenStack, .
,
.

4.5. (Glance)
Nova Glance
, . Glance
,
, S3 (Simple Storage Service) . Glance
: glance-api and glance-registry.
.
mysql.
390


Glance
sudo apt-get install glance

glance
sudo mysql -uroot -ppassword -e "CREATE DATABASE glance;"
sudo mysql -uroot -ppassword -e "GRANT ALL ON glance.* TO glanceuser@localhost \
IDENTIFIED BY 'glancepassword' ";

/etc/glance/glance-registry.conf,
, "sql_connection =", :
sql_connection = mysql://glanceuser:glancepassword@localhost/glance

sqlite
rm -rf /var/lib/glance/glance.sqlite

glance-registry , /etc/glance/glanceregistry.conf. MySQL .


sudo restart glance-registry

, /var/log/glance/api.log
/var/log/glance/registry.log.

4.6.
,
.
, .
, ,
. , ,
e OpenStack Nova:
, Ubuntu
distro=lucid
wget http://cloud-images.ubuntu.com/$distro/current/$distro-server-cloudimg-amd64.tar.gz
cloud-publish-tarball "$distro"-server-cloudimg-amd64.tar.gz "$distro"_amd64


:
cd ~/nova

391


source novarc
euca-add-keypair user1 > user1.priv
chmod 0600 user1.priv

icmp (ping) ssh :


euca-authorize default -P tcp -p 22 -s 0.0.0.0/0
euca-authorize -P icmp -t -1:-1 default


ami=`euca-describe-images | awk {'print $2'} | grep -m1 ami`
euca-run-instances $ami -k user1 -t m1.tiny
euca-describe-instances

.
euca-allocate-address
euca-associate-address -i instance_id public_ip_address
euca-describe-instances

instance_id (ami) public_ip_address,


euca-describe-instances euca-allocate-address.
SSH
ssh -i user1.priv ubuntu@ipaddress


euca-terminate-instances instance_id

4.7. (Swift)
Swift , ,

(eventually consistent) /.
OpenStack, S3,
. S3 API
Amazon.
Swift ,
,
API
, Swift.
Swift ,
.
392


OpenStack (Swift)
,
'Swift ' Ubuntu.
: http://
29
swift.openstack.org/development_saio.html .

4.8.

OpenStack
Wiki OpenStack

30

31

Launchpad

32

IRC #openstack freenode.

4.9.
.

33

34

OpenStack

35

OpenStack

OpenStack Object Storage

36

37

OpenStack Object Storage Ubuntu


http://cloudglossary.com/

4.10.
Ubuntu ,
.
.
(Cloud) ,
,
.
IaaS ( ) ,

29

http://swift.openstack.org/development_saio.html
https://launchpad.net/~openstack
31
http://wiki.openstack.org
32
https://bugs.launchpad.net/nova
33
http://en.wikipedia.org/wiki/Cloud_computing#Service_Models
34
docs.openstack.org/trunk/openstack-compute/
35
http://docs.openstack.org/diablo/openstack-compute/starter/content/GlanceMS-d2s21.html
36
OpenStack Object Storage Administration Guide
37
http://docs.openstack.org/trunk/openstack-object-storage/admin/content/installing-openstack-object-storage-onubuntu.html
30

393


.
, .
EBS - .
EC2 - .
, Amazon
.
(Node) ,

(node controller).
Ubuntu , (CPU)
(VT)
KVM.

S3 Simple Storage Service ( ). Amazon


EC2.
Ubuntu Cloud Ubuntu.
Ubuntu, OpenStack.

VM .
VT .
, .

394

5. LXC

. chroot
Qemu VMware,
,
, .

(zones) Solaris (jails) BSD. Linuxvserver OpenVZ -


Linux. ,
vserver and OpenVZ.
vserver OpenVZ
,
Linux ,
.
,
. Libvirt
LXC,
'lxc:///'. , ,
. , 'LXC',
libvirt,
.
, ,
.
lxc.
, libvirt LXC.
, CN, C1, C2.

5.1.
lxc
sudo apt-get install lxc

,
cgroup-lite, lvm2, debootstrap. libvirtlxc, libvirt-bin. LXC libvirt-lxc
.

395

5.2.
5.2.1. LXC
,
LXC.
:
/etc/init/lxc-net.conf: ,
/etc/default/lxc USE_LXC_BRIDGE (
true). NAT
.

/etc/init/lxc.conf: LXC_AUTO ( true)


/etc/default/lxc. /etc/lxc/auto/

,
.

/etc/lxc/lxc.conf:
/etc/lxc/lxc.conf,
LXC bridge, lxc-net upstart.
,
.

/usr/share/doc/lxc/examples. ,
macvlan, vlan, .

/usr/bin.
/usr/lib/lxc/lxc-init
, lxc-execute.
, ,
, /proc, .
.
/usr/lib/lxc/templates/ `',

.
.
/etc/apparmor.d/lxc/lxc-default Apparmor
,
.
5.2.6, Apparmor [398].
/etc/apparmor.d/usr.bin.lxc-start
lxc-start .
396


/etc/apparmor.d/lxc-containers , /etc/
apparmor.d/lxc, .
man-
LXC, lxc.conf.

/var/lib/lxc
.
/var/cache/lxc
.
5.2.2. lxcbr0
USE_LXC_BRIDGE true /etc/default/lxc (
), lxcbr0
. 10.0.3.1,
10.0.3.0/24.
dnsmasq , dnsmasq

lxc-net, lxc-net lxcbr0 .
, , virbr0 libvirt
br0 ,
lxcbr0 .
5.2.3.

LXC
( ) /var/lib/lxc.

/var/cache/lxc.
/var, ,
.
, ,
/var/lib/lxc.
, /srv,
. , /
srv ,
:

sudo mkdir /srv/lxclib /srv/lxccache sudo rm -rf /var/lib/lxc /var/cache/lxc sudo ln -s /srv/lxclib

, :
397

sudo mkdir /srv/lxclib /srv/lxccache sudo sed -i '$a \ /srv/lxclib /var/lib/lxc none defaults,bind

5.2.4. lvm
LVM
. , ,
.
VG ( ) lxc,
VG
. LV ( ) ,
/var/lib/lxc/CN/config,
(lxc.rootfs)
, .. /dev/lxc/CN.
LVM
.
5.2.5. Btrfs
/var btrfs,
LXC
btrfs.
5.2.6. Apparmor
LXC Apparmor,

. ,
/proc/sysrq-trigger
/sys.
usr.bin.lxc-start lxc-start.

lxc-start
. init
, LXC .
lxc-container-default /
etc/apparmor.d/lxc/lxc-default.
.
, lxc-start -
, Apparmor,
lxc-start :
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.lxc-start

398


sudo ln -s /etc/apparmor.d/usr.bin.lxc-start /etc/apparmor.d/disabled/

lxc-start ,
.
,
usr.bin.lxc-start,
:
lxc.aa_profile = unconfined

,
/etc/apparmor.d/lxc/.
lxc- lxc-start .
, , :
sudo apparmor_parser -r /etc/apparmor.d/lxc-containers

,
/etc/apparmor.d/lxc-containers. ,
CN lxc-CN-profile,
:
lxc.aa_profile = lxc-CN-profile

lxc-execute Apparmor, ,
, .
5.2.7.
(cgroups)
,
cgroup.
(block
and character device) () .

/, CPU
CPU .
LXC cgrouplite, cgroup
. cgroup-lite cgroup
/sys/fs/cgroup/SS, SS . ,
freezer /sys/fs/cgroup/freezer.
LXC /sys/fs/cgroup/SS/INIT/lxc, INIT
399


. /,
freezer CN /sys/fs/cgroup/freezer/lxc/CN.
5.2.8.

. lxc-setup

,
. ,
,
. lxcsetup LXC lxcsetup, LXC
,
LTS-,
() ,
,
.
5.2.9. LXC
, lxc .
, lxc-net, , , lxc,
, .
USE_LXC_BRIDGE /etc/defaults/lxc,
. , LXC
, lxc . lxc-net LXC ,
, .
lxc 2-5 .

LXC_AUTO true, /etc/lxc ,


. lxc ,
0, 1 6,
.

/etc/default/lxc/name.conf,
. ,
CN /var/lib/lxc/CN/config.
, :
sudo ln -s /var/lib/lxc/CN/config /etc/lxc/auto/CN.conf

400

5.3.
5.3.1.
lxc-create.
/usr/lib/
lxc/templates/ chroots /
var/lib/lxc/CN/rootfs, /var/lib/lxc/CN/fstab
/var/lib/lxc/CN/config,

CN .


:
sudo lxc-create -t ubuntu -n CN

lxc-create ubuntu (-t ubuntu)


CN (-n CN). (
`-f file'),
/etc/lxc/lxc.conf.
veth, lxcbr0.
.
--. :
sudo lxc-create -t ubuntu -n oneiric1 -- -r oneiric

'-r oneiric1' ubuntu.


5.3.1.1.
lxc-create , lxc-create -h.
.

sudo lxc-create -t ubuntu -h

lxc-create ,
ubuntu. ,
lxc-create.
5.3.1.2. ubuntu
ubuntu
Ubuntu , 10.04 LTS. debootstrap
,
.
401


,
-F (flush),
:
sudo lxc-create -t ubuntu -n CN -- -F

Ubuntu, , ,
, -r, :
sudo lxc-create -t ubuntu -n CN -- -r lucid

32- 64- ,
-a i386.
qemu-user-static, ,
, qemu-user-static.
ubuntu ubuntu,
sudo.
ubuntu, -S sshkey.pub.
bind ()
, -b jdoe.
shadow jdoe , ,
, sudo
(bind-mount)
.
release-updates
sources.list , .
12.04 LTS,
lxcguest.
--trim, lxcguest
.
, , , .
5.3.1.3. ubuntu-cloud
ubuntu-cloud Ubuntu,
Ubuntu.
ubuntu, -r release, -S sshkey.pub, -a arch,
-F .
. -C cloud ,
metedata. -u

. -L,
402


. -T
(tarball)
. ,
-i id cloud-init,
.
5.3.1.4.
ubuntu ubuntu-cloud .
. debian Debian,
debootstrap , ubuntu.
debian squeeze.
SUITE:
sudo SUITE=sid lxc-create -t debian -n d1

debian ,
debian --trim
ubuntu.

--clean:
sudo SUITE=sid /usr/lib/lxc/templates/lxc-debian --clean

fedora,
fedora 14. fedora, 15, systemd,
,
. fedora,
, yum curl. fedora 12
:
sudo lxc-create -t fedora -n fedora12 -- -R 12

OpenSuSE, zypper
. , OpenSuSE
.
.
busybox ,
busybox. sshd
, sshd .

, /home /root. ,
ssh , :
403

sudo lxc-create -t sshd -n ssh1 ssh-keygen -f id sudo mkdir /var/lib/lxc/ssh1/rootfs/root/.ssh sudo

5.3.1.5.
, lxc-create
/var/lib/lxc/CN/rootfs.
LVM. lxc
lvm CN,
:

sudo lxc-create -t ubuntu -n CN -B lvm

schroots
xfs 5 , :
sudo lxc-create -t ubuntu -n CN -B lvm --vgname schroots --fssize 5G --fstype xfs

5.3.2.
canonical

. lxcclone. C1, C2
:
sudo lxc-clone -o C1 -n C2

/var/lib/lxc btrfs, lxc-clone


C2 C1.
lvm, -s
rootfs lvm :
sudo lxc-clone -s -o C1 -n C2

lvm btrfs
.
5.3.3.
, lxc-start -n CN.
lxc-start /sbin/init .
,
lxc-start:

404


sudo lxc-start -n container /sbin/init loglevel=debug

-d (daemon ),
( /dev/console, 5.3.5,
[407] )
. -d, , lxcstart ,
. lxcwait lxc-monitor ( 5.3.4,
[406]) , .
LXC -o filename -l
debuglevel, :
sudo lxc-start -o lxc.debug -l DEBUG -n container

, , s.
.
-f
.
lxc-start /sbin/init, lxcexecute lxc-init,
/proc, /dev/mqueue, /dev/shm,
, , . lxcstart system containers,
38
lxc-execute application containers ( this article
).
.
shutdown, poweroff reboot
. (..
), sudo lxc-shutdown
-n CN. .
, SIGPWR
. , , , sudo lxc-shutdown -n
CN -t 10,
. , ,
(kill) , .
(
), sudo lxc-stop -n CN. ,
38

https://www.ibm.com/developerworks/linux/library/l-lxc-containers/

405


lxc-kill
.

() , :
$ sudo poweroff
[sudo] password for ubuntu: =
$ =
Broadcast message from ubuntu@cn1
(/dev/lxc/console) at 18:17 ...
The system is going down for power off NOW!
* Asking all remaining processes to terminate...
...done.
* All processes ended within 1 seconds....
...done.
* Deconfiguring network interfaces...
...done.
* Deactivating swap...
...fail!
umount: /run/lock: not mounted
umount: /dev/shm: not mounted
mount: / is busy
* Will now halt

, "" sudo lxc-freeze


-n CN. ,
"" sudo lxc-unfreeze -n CN.
5.3.4.
.
lxc-monitor
. -n,

posix, . lxcmonitor .
lxc-wait
. ,
sudo lxc-monitor -n cont[0-5]*

,
,

406


sudo lxc-wait -n cont1 -s 'STOPPED|FROZEN'

, cont1 STOPPED
FROZEN .
5.3.5.
.
/dev/console. ,
lxc-start, -d. /dev/
console -c
console-file lxc-start.
lxc.tty, 4. /dev/ttyN
(for 1 <= N <= 4). 3

sudo lxc-console -n container -t 3

, -t N ,
.
Ctrl-a q. ,
lxc-start -d.
Unix98 pty
pty ( )
/dev/ttyN /dev/console. ,

4:N,
getty LXC . (
getty, ,
). ,
/dev.
5.3.6.

. lxc-ls
. lxc-list
,
. lxc-ps
. ps
lxc-ps, --. ,

sudo lxc-ps -n plain -- -ef

407


lxc-info pid .
lxc-cgroup
.
,
cgroup. , ,
, :
sudo lxc-cgroup -n CN devices.list

mknod, read write /dev/sda,


sudo lxc-cgroup -n CN devices.allow "b 8:* rwm"

300M:
lxc-cgroup -n CN memory.limit_in_bytes 300000000

lxc-netstat netstat ,
.
lxc-backup
(
lvm-based ), rsync /var/lib/
lxc/CN/rootfs.backup.1.
lxc-restore , lxc-backup lxcrestore , ,
.
5.3.7.
lxc-destroy .
sudo lxc-destroy -n CN

, lxc-destroy

sudo lxc-destroy -n CN -f

5.3.8.
Linux, LXC
, .

ID . ( 5.9,
[418] ).
408


,
,
.
LXC lxc-unshare
.
. ,
sudo lxc-unshare -s 'MOUNT|PID' /bin/bash

shell pid .

root@ubuntu:~# mount -t proc proc /proc
root@ubuntu:~# ps -ef
UID
PID PPID C STIME TTY
root
root

1
110

0
1

6 10:20 pts/9
0 10:20 pts/9

TIME CMD
00:00:00 /bin/bash
00:00:00 ps -ef

, ps .
5.3.9.
( ephemeral)
. CN,
, CN,
jdoe , :
lxc-start-ephemeral -b jdoe -o CN -- /home/jdoe/run_my_job

, .
5.3.10.
:

20.3.

lxc-attach

( )

lxc-backup


, lvm

lxc-cgroup

lxc-checkconfig

409

lxc-checkpoint

( )

lxc-clone

lxc-console

lxc-create

lxc-destroy

lxc-execute

()

lxc-freeze

lxc-info

lxc-kill

lxc-list

lxc-ls


, lxc-list

lxc-monitor

lxc-netstat

netstat

lxc-ps

lxc-restart

( ) ,

lxc-restore

,
lxc-backup

lxc-setcap

( )
(file capabilities) LXC

lxc-setuid

( ) setuid
LXC

lxc-shutdown

lxc-start

lxc-start-ephemeral

()

lxc-stop

410

lxc-unfreeze

lxc-unshare

lxc-version

LXC

lxc-wait

5.4.
LXC . Ubuntulxc
, Ubuntu
, .
,
.
lxc.conf(5) man.
, , ubuntu
, .
5.4.1.
LXC.
:

.
,
.
.
/var/lib/lxc/CN/config,
.
lxc-start
-f filename

lxc-start -s key=value.
.
5.4.2.
LXC .
lxc.network.type .
411


, .
, ,
IP- . lxc.network.type
, ( 2) .
firewall.
lxc.network.type:
lxc.network.type=empty:
, loopback.
lxc.network.type=veth: ,
ubuntu ubuntu-cloud, veth
.
,
.
lxc.network.type=veth
. , ,
lxc.network.link = lxcbr0.
lxc.network.type=phys (.. eth2)
.
, , vlan macvlan,
.
:
lxc.network.flags up
, .
lxc.network.hwaddr MAC-
.
lxc.network.ipv4 lxc.network.ipv6 IP, .
lxc.network.name .
, (.. eth0
).

lxc.network.lxcscript.up ,
.
lxc.conf(5) man .
5.4.3.
cgroup llxc.cgroup.
lxc.cgroup.subsystem.item = value LXC
item subsystem value.
,
412


. ,
320M
lxc.cgroup.memory.limit_in_bytes = 320000000

320000000 /sys/fs/cgroup/memory/lxc/
CN/limit_in_bytes.
5.4.4. Rootfs, fstab

.

:

lxc.rootfs = /var/lib/lxc/CN/rootfs lxc.mount.entry=proc /var/lib/lxc/CN/rootfs/proc proc nodev,noe

,
/var/lib/lxc/CN/rootfs.
( LVM),
.
lxc.mount.entry
fstab.
/var/lib/lxc/CN/rootfs, lxc.rootfs
.
, lxc.mount fstab,
. ,

.

.

5.4.5.
lxc.cap.drop
. ,
lxc.cap.drop = sys_admin

,
, cap_sys_admin.
capabilities(7) man
.
413


lxc.aa_profile = lxc-CN-profile
Apparmor . 5.2.6,
Apparmor [398] .
lxc.console=/path/to/consolefile
.
lxc.arch , , x86 x86_64.
lxc.tty=5 , 5 (
/dev/console). , /
dev/tty1 /dev/tty1. ubuntu 4.
lxc.pts=1024 ,
(Unix98) devpts. ,
( ) /dev/pts
, . 1024 , 1024
pty ,
. , LXC (
)
sudo mount -t devpts -o newinstance devpts /dev/pts

. ,
devpts .

/dev/pts.
sudo mount -t devpts devpts /dev/pts

devpts .
newinstance,
() .
, LXC.
pty , Apparmor

devpts .
lxc.devttydir /dev, LXC
. ,
pty /dev/console /dev/ttyN.

rm -f mknod .
( ),
. lxc.devttydir LXC,
, LXC pty /dev/
lxc/console /dev/lxc/ttyN
414


/dev/console /dev/ttyN.
, -
gettys .
.

5.5. Ubuntu
- , ,
. ,
,
.
, .
, chroot
,
chroot.
,
, :
,
--trim.
, lxcguest. , /lib/init/fstab
, mountall,
,
.
pty
udev.
Apparmor cgroup
.
, lxc.cap.drop,
.

5.6. Libvirt LXC


Libvirt
( ),
Qemu, Xen LXC,
. libvirt LXC
, LXC. :
XML
,
/dev/console
415


()

5.6.1. LXC libvirt-lxc


5.3.1, [401] ,
LXC . LXC
, libvirt. xml
:
wget http://people.canonical.com/~serge/o1.xml

,
.
:
virsh -c lxc:/// define o1.xml

5.6.2.

LXC, ubuntu,
xml libvirt LXC. ,
Ubuntu 12.04 LTS
:

url1=`ubuntu-cloudimg-query precise daily $arch --format "%{url}\n"` url=`echo $url1 | sed -e 's/.t

, , :
mkdir $HOME/c1 cd $HOME/c1 sudo tar zxf $filename

xml:
wget http://people.canonical.com/~serge/o1.xml

o1 c1 /var/lib/lxc/o1/rootfs
$HOME/c1. :
virsh define o1.xml

5.6.3. libvirt
, libvirt-lxc :

416


virsh -c lxc:/// define container.xml

container :
virsh -c lxc:/// start container

:
virsh -c lxc:/// destroy container

, lxc-destroy ,
virsh destroy .
:
virsh -c lxc:/// undefine container

:
virsh -c lxc:/// console container

Ctrl-].

5.7. lxcguest
Ubuntu 11.04 (Natty) 11.10 (Oneiric)
lxcguest.
,
lxcguest
Xen, kvm VMware.
12.04 LTS, ,
lxcguest, , lxcguest .
, 12.04 LTS
,
Xen, kvm VMware.
lxcguest .

5.8.
.
(id),
, .
,
. , IPC (
) .
417


,

.
LXC
Apparmor . ,
, 12.04 LTS
Apparmor
,
.
LXC security wiki

39

5.8.1.

. ,
, .
,
, .

5.9.
DeveloperWorks LXC: Linux container tools
.

40

41

Secure Containers Cookbook


.
:
4342

capabilities
45 44
lxc.conf .

46

LXC Sourceforge .
the LXC
47
Security wiki page
Linux
: S.Bhattiprolu, E.W.Biederman, S.E.Hallyn, and D.Lezcano. Virtual
39
40
41
43
42
45
44
46
47

http://wiki.ubuntu.com/LxcSecurity
https://www.ibm.com/developerworks/linux/library/l-lxc-containers/
http://www.ibm.com/developerworks/linux/library/l-lxc-security/index.html
http://manpages.ubuntu.com/manpages/en/man7/capabilities.7.html
http://manpages.ubuntu.com/manpages/en/man7/capabilities.7.html
http://manpages.ubuntu.com/manpages/en/man5/lxc.conf.5.html
http://manpages.ubuntu.com/manpages/en/man5/lxc.conf.5.html
http://lxc.sf.net
http://wiki.ubuntu.com/LxcSecurity

418


Servers and Checkpoint/Restart in Mainstream Linux. SIGOPS Operating
Systems Review, 42(5), 2008.

419

21.

420

1. DRBD
(Distributed Replicated
Block Device DRBD)
. ()
. : ,
, RAID , .. .
drbd .
:
sudo apt-get install drbd8-utils


, drbd.
,
linux-server .
drbd
/srv ext3 .
,
.

1.1.
drbd01 drbd02.
, DNS
/etc/hosts. 8,
(DNS) [158].
drbd /etc/drbd.conf:
global { usage-count no; }
common { syncer { rate 100M; } }
resource r0 {
protocol C;
startup {
wfc-timeout 15;
degr-wfc-timeout 60;
}
net {
cram-hmac-alg sha1;
shared-secret "secret";
}
on drbd01 {
device /dev/drbd0;

421


disk /dev/sdb1;
address 192.168.0.1:7788;
meta-disk internal;
}
on drbd02 {
device /dev/drbd0;
disk /dev/sdb1;
address 192.168.0.2:7788;
meta-disk internal;
}
}

/etc/drbd.conf,
.
/etc/drbd.conf :
scp /etc/drbd.conf drbd02:~

drbd02 /etc:
sudo mv drbd.conf /etc/

drbdadm
. :
sudo drbdadm create-md r0

drbd:
sudo /etc/init.d/drbd start

drbd01 , ,
:
sudo drbdadm -- --overwrite-data-of-peer primary all


. ,
drbd02 :
watch -n1 cat /proc/drbd

Ctrl+c.
, /dev/drbd0 :
sudo mkfs.ext3 /dev/drbd0
sudo mount /dev/drbd0 /srv

422

1.2.
,
, drbd01 ( )
/srv:
sudo cp -r /etc/default /srv

, /srv:
sudo umount /srv

:
sudo drbdadm secondary r0

role:
sudo drbdadm primary r0

, :
sudo mount /dev/drbd0 /srv

ls /srv/default,
drbd01.

1.3.
1

DRBD DRBD web site .


2

drbd.conf man page


, .
3

drbdadm .
DRBD Ubuntu
4
Wiki .

http://www.drbd.org/
http://manpages.ubuntu.com/manpages/precise/en/man5/drbd.conf.5.html
3
http://manpages.ubuntu.com/manpages/precise/en/man8/drbdadm.8.html
4
https://help.ubuntu.com/community/DRBD
2

423

22. VPN
OpenVPN ,
(VPN), Ubuntu.
SSL/TLS VPN ( IPSec VPN).
OpenVPN VPN.

424

VPN

1. OpenVPN
, pre-shared OpenVPN

(PKI), SSL/TLS
VPN- . OpenVPN
VPN
UDP TCP.
, 1194.
. VPN
, Linux, OS X, Windows WLAN OpenWRT.

1.1.
openvpn :
sudo apt-get install openvpn

1.2.
OpenVPN
(Public Key Infrastructure). PKI :
( )
,
(CA), ,
.
OpenVPN
, ,

.

,

, ,
( ).
1.2.1.
(CA)
OpenVPN
425

VPN
easy-rsa /etc/openvpn.
,
.
root :
mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

/etc/openvpn/easy-rsa/vars,
:
export
export
export
export

KEY_COUNTRY="US"
KEY_PROVINCE="NC"
KEY_CITY="-"
KEY_ORG="Example Company"

export KEY_EMAIL="steve@example.com"


(CA) :
cd /etc/openvpn/easy-rsa

./clean-all
./build-ca

1.2.2.
, :
./build-key-server myservername

,
.
: "Sign the certificate? [y/n]" "1 out of 1 certificate requests certified,
commit? [y/n]".
OpenVPN

./build-dh

keys/.
/etc/openvpn/:
cd keys/

426

VPN
cp myservername.crt myservername.key ca.crt dh1024.pem /etc/openvpn/

1.2.3.
VPN
. .
, ,
root:
cd /etc/openvpn/easy-rsa

./build-key client1

:
/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/client1.crt
/etc/openvpn/easy-rsa/keys/client1.key

, .

1.3.
OpenVPN
( , ):
root@server:/# ls -l /usr/share/doc/openvpn/examples/sample-config-files/
total 68
-rw-r--r-- 1 root root 3427 2011-07-04 15:09 client.conf
-rw-r--r-- 1 root root 4141 2011-07-04 15:09 server.conf.gz

server.conf.gz /etc/openvpn/
server.conf.
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz

/etc/openvpn/server.conf , ,
,
.
ca ca.crt
cert myservername.crt
key myservername.key
dh dh1024.pem

427

VPN
OpenVPN.

server.conf. .
syslog.
root@server:/etc/openvpn# /etc/init.d/openvpn start
* Starting virtual private network daemon(s)...
*

Autostarting VPN 'server'

[ OK ]

, OpenVPN tun0:
root@server:/etc/openvpn# ifconfig tun0
tun0
Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
[...]

1.4.
OpenVPN GUI .
.
OpenVPN Ubuntu,
, .
openvpn :
sudo apt-get install openvpn

client.conf /etc/openvpn/:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/

CA ,
, , /etc/openvpn/ /etc/openvpn/client.conf,
, .
/etc/openvpn/, .
ca ca.crt
cert client1.crt
key client1.key

OpenVPN.
,
client. .

428

VPN
client
remote vpnserver.example.com 1194

OpenVPN:
root@client:/etc/openvpn# /etc/init.d/openvpn start
* Starting virtual private network daemon(s)...
*

Autostarting VPN 'client'

[ OK ]

, tun0:
root@client:/etc/openvpn# ifconfig tun0
tun0
Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1

ping OpenVPN:
root@client:/etc/openvpn# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=0.920 ms

OpenVPN
, IP ping.
, /24,
, .1. P-t-P,
ifconfig , ping.
:
root@client:/etc/openvpn# netstat -rn
Kernel IP routing table
Destination
10.8.0.5
10.8.0.1

Gateway
0.0.0.0
10.8.0.5

Genmask
Flags
255.255.255.255 UH
255.255.255.255 UGH

MSS Window
0 0
0 0

irtt Iface
0 tun0
0 tun0

192.168.42.0

0.0.0.0

255.255.255.0

0 0

0 eth0

0.0.0.0

192.168.42.1

0.0.0.0

UG

0 0

0 eth0

1.5.
- , , ,
:
, , grep -i vpn /var/
log/syslog
? ,
? .
429

VPN
, .
UDP 1194, proto config
,
comp-lzo config

, server
server-bridge config

1.6.
1.6.1. VPN
VPN.
VPN
.
- , .
,
192.168.0.0/16, .
-
VPN .

VPN ,
(firewall) .
.

. ,
OpenVPN
(10.8.0.0/24), OpenVPN :
push "route 10.0.0.0 255.0.0.0"

,
VPN,
, - DNS
, VPN ( OpenVPN
firewall NAT
TUN/TAP , ):
push "redirect-gateway def1 bypass-dhcp"

VPN, OpenVPN
. 10.8.0.1,
430

VPN
.

10.8.0.1. ,
:
server 10.8.0.0 255.255.255.0

IP-
. OpenVPN ,
IP-,
:
ifconfig-pool-persist ipp.txt

DNS :
push "dhcp-option DNS 10.0.0.2"
push "dhcp-option DNS 10.1.0.2"

.
client-to-client

VPN .
comp-lzo

keepalive ping
, ,
.
; , ,
3 .
keepalive 1 3

OpenVPN
.
user nobody
group nogroup

OpenVPN 2.0 ,
OpenVPN
,
431

VPN
.
, auth-user-pass
. OpenVPN "
/" TLS-.
# client config!
auth-user-pass

OpenVPN /,
, PAM-. ,
, Kerberos.
plugin /usr/lib/openvpn/openvpn-auth-pam.so login

,
1
OpenVPN.
1.6.2. VPN
OpenVPN
VPN. OSI Layer-2 Layer-3 VPN.
VPN Layer-2, Ethernet
VPN , VPN
Layer-3 . ,
, Broadcast, DHCP-, ARP ..,
VPN ,
.
1.6.2.1.

, bridge-utils:
sudo apt-get install bridge-utils

OpenVPN ,
. ,
eth0 eth1
, , .
/etc/network/
interfaces:
auto eth0
1

http://openvpn.net/index.php/open-source/documentation/howto.html#security

432

VPN
iface eth0 inet static
address 1.2.3.4
netmask 255.255.255.248
default 1.2.3.1
auto eth1
iface eth1 inet static
address 10.0.0.4
netmask 255.255.255.0

,
eth1 br0.
, br0 eth1.
, eth1 ,

, .
auto eth0
iface eth0 inet static
address 1.2.3.4
netmask 255.255.255.248
default 1.2.3.1
auto eth1
iface eth1 inet manual
up ip link set $IFACE up promisc on
auto br0
iface br0 inet static
address 10.0.0.4
netmask 255.255.255.0
bridge_ports eth1

. ,
, ,
. , ,
.
sudo /etc/init.d/network restart

1.6.2.2.
/etc/openvpn/server.conf :
;dev tun
dev tap
up "/etc/openvpn/up.sh br0 eth1"
;server 10.8.0.0 255.255.255.0
server-bridge 10.0.0.4 255.255.255.0 10.0.0.128 10.0.0.254

433

VPN
, , tap
, , eth1 .
/etc/openvpn/up.sh:
#!/bin/sh
BR=$1
ETHDEV=$2
TAPDEV=$3
/sbin/ip link set "$TAPDEV" up
/sbin/ip link set "$ETHDEV" promisc on
/sbin/brctl addif $BR $TAPDEV

:
sudo chmod 755 /etc/openvpn/up.sh

, openvpn, :
sudo /etc/init.d/openvpn restart

1.6.2.3.
openvpn :
sudo apt-get install openvpn


/etc/openvpn/, ,
.
:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn

/etc/openvpn/client.conf,
:
dev tap
;dev tun

, openvpn:
sudo /etc/init.d/openvpn restart


VPN.
434

VPN

1.7.
1.7.1. Linux OpenVPN
Linux, Ubuntu
, Network Manager
.
VPN-. , networkmanager-openvpn. ,
:
root@client:~# apt-get install network-manager-openvpn
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
liblzo2-2 libpkcs11-helper1 network-manager-openvpn-gnome openvpn
Suggested packages:
resolvconf
The following NEW packages will be installed:
liblzo2-2 libpkcs11-helper1 network-manager-openvpn
network-manager-openvpn-gnome openvpn
0 upgraded, 5 newly installed, 0 to remove and 631 not upgraded.
Need to get 700 kB of archives.
After this operation, 3,031 kB of additional disk space will be used.
Do you want to continue [Y/n]?

network-manager ,
:
root@client:~# restart network-manager
network-manager start/running, process 3078

Network Manager, VPN, "".


OpenVPN VPN "".

OpenVPN " " "


(TLS)" " ",
, "CA ",
CA " ", .
,
, .
VPN.
1.7.2. OpenVPN GUI Mac OS X: Tunnelblick
Tunnelblick , GUI OpenVPN
OS X. http://code.google.com/p/tunnelblick/.
435

VPN
OS X .
client.ovpn
/Users/username/Library/Application Support/Tunnelblick/
Configurations/ Tunnelblick
# sample client.ovpn for Tunnelblick
client
remote blue.example.com
port 1194
proto udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
auth-user-pass
auth-nocache
auth-retry interact
comp-lzo yes
verb 3
ca ca.crt
cert client.crt
key client.key

1.7.3. OpenVPN GUI Win 7


OpenVPN Windows
2
Installer .
OpenVPN 2.2.1.
Open VPN Windows. OpenVPN MI GUI http://openvpn-migui.inside-security.de Windows 7.
,
20110624.
OpenVPN. : > >
> > . OpenVPN
. .
OpenVPN GUI MI
.
.
OpenVPN
C:\Program Files\OpenVPN\config\client.ovpn
CA.
, .

http://www.openvpn.net/index.php/open-source/downloads.html

436

VPN
# C:\Program Files\OpenVPN\config\client.ovpn
client
remote server.example.com
port 1194
proto udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
auth-user-pass
auth-retry interact
comp-lzo yes
verb 3
ca ca.crt
cert "C:\\Users\\username\\My Documents\\openvpn\\client.crt"
key "C:\\Users\\username\\My Documents\\openvpn\\client.key"
management 127.0.0.1 1194
management-hold
management-query-passwords
auth-retry interact

1.7.4. OpenVPN OpenWRT


OpenWRT Linux
, WLAN .
WLAN-, OpenWRT.
OpenWRT ,
, OpenVPN ,

VPN . OpenVPN
3
OpenWRT . OpenWRT-: http://openwrt.org
OpenWRT OpenVPN:
opkg update
opkg install openvpn

/etc/config/openvpn .
/etc/openvpn/.
config openvpn client1
option enable 1
option client 1
#

option dev tap


option dev tun
option proto udp
option ca /etc/openvpn/ca.crt

http://wiki.openwrt.org/doc/howto/vpn.overview

437

VPN
option cert /etc/openvpn/client.crt
option key /etc/openvpn/client.key
option comp_lzo 1

OpenVPN:
/etc/init.d/openvpn restart

, ,
.

1.8.
4

OpenVPN .
OpenVPN

, Pakt:
6
OpenVPN: Building and Integrating Virtual Private Networks .

http://openvpn.net/
http://openvpn.net/index.php/open-source/documentation/howto.html#security
6
http://www.packtpub.com/openvpn/book
5

438

23.

,
Ubuntu Server Team ,
Ubuntu Server Edition, .
,
Ubuntu ( Ubuntu )
.

439

1. pam_motd
Ubuntu
(Informative Message Of The Day MOTD).
:

landscape-common:: landscapeclient,
- Landscape. /usr/
bin/landscape-sysinfo, ,
MOTD.

update-notifier-common::
MOTD pam_motd.
pam_motd /etc/update-motd.d ,
. /var/run/motd
/etc/motd.tail.

MOTD. , :
weather-util:
sudo apt-get install weather-util

weather METAR National Oceanic and


Atmospheric Administration National Weather Service.
4-
ICAO.
1
National Weather Service .
, National Weather Service
,
.
.

/usr/local/bin/local-weather, shell ,
weather ICAO :
#!/bin/sh
#
#
# Prints the local weather information for the MOTD.
#
#
1

http://www.weather.gov/tg/siteloc.shtml

440

# Replace KINT with your local weather station.


# Local stations can be found here: http://www.weather.gov/tg/siteloc.shtml
echo
weather -i KINT
echo

:
sudo chmod 755 /usr/local/bin/local-weather

/etc/update-motd.d/98-local-weather:
sudo ln -s /usr/local/bin/local-weather /etc/update-motd.d/98-local-weather

, ,
MOTD.

,
. , application>local-weather

441

2. etckeeper
etckeeper /etc
(VCS). apt
/etc
. /etc
, etckeeper
, .
etckeeper, :
sudo apt-get install etckeeper

, /etc/etckeeper/etckeeper.conf,
. VSC .
etckeeper

bzr. (
) .
, :
sudo etckeeper uninit

etckeeper /
etc .
AVOID_DAILY_AUTOCOMMITS.
.
,
:
sudo etckeeper commit "..Reason for configuration change.."

VCS /etc:
sudo bzr log /etc/passwd

,
postfix:
sudo apt-get install postfix

, postfix
:
Committing to: /etc/
added aliases.db

442


modified group
modified groupmodified gshadow
modified gshadowmodified passwd
modified passwdadded postfix
added resolvconf
added rsyslog.d
modified shadow
modified shadowadded init.d/postfix
added
added
added
added
added

network/if-down.d/postfix
network/if-up.d/postfix
postfix/dynamicmaps.cf
postfix/main.cf
postfix/master.cf

added postfix/post-install
added postfix/postfix-files
added postfix/postfix-script
added postfix/sasl
added ppp/ip-down.d
added ppp/ip-down.d/postfix
added ppp/ip-up.d/postfix
added rc0.d/K20postfix
added rc1.d/K20postfix
added rc2.d/S20postfix
added rc3.d/S20postfix
added rc4.d/S20postfix
added rc5.d/S20postfix
added rc6.d/K20postfix
added resolvconf/update-libc.d
added resolvconf/update-libc.d/postfix
added rsyslog.d/postfix.conf
added ufw/applications.d/postfix
Committed revision 2.

, etckeeper ,
/etc/hosts. /etc/hosts
:
sudo bzr status /etc/
modified:
hosts

:
sudo etckeeper commit "new host"

bzr 1,
Bazaar [308].
443

3. Byobu

screen.
. screen

, byobu.
byobu F9 .
:

Byobu
Byobu





Byobu ()
,
, , ..
: f-keys screen-escape-keys.
,
none.
byobu , Ubuntu,
, , .
.
"Byobu
()" byobu ,
. byobu
.
byobu .
F7 .

, vi. :
h
j
444


k
l
0
$
G (
)
/
?
n ,

445

4.
2

man update-motd
update-motd.
3

Debian Package of the Day weather


weather.
4

etckeeper
etckeeper.

etckeeper Ubuntu Wiki

bzr bzr

screen screen .
8

screen Ubuntu Wiki .


byobu
.

2
3
4
5
6
7
8
9

http://manpages.ubuntu.com/manpages/precise/en/man1/update-motd.1.html
http://debaday.debian.net/2007/10/04/weather-check-weather-conditions-and-forecasts-on-the-command-line/
http://kitenet.net/~joey/code/etckeeper/
https://help.ubuntu.com/community/etckeeper
http://bazaar-vcs.org/
http://www.gnu.org/software/screen/
https://help.ubuntu.com/community/Screen
https://launchpad.net/byobu

446

A.

447

1. Ubuntu Server
Edition
Ubuntu
,
. ,
1
. Ubuntu Launchpad
.
2
Ubuntu Server Launchpad, .

1.1. ubuntu-bug

ubuntu-bug. ubuntu-bug
,

, ,
Launchpad. Ubuntu
, ,
, ubuntu-bug:
ubuntu-bug _

, openssh-server,
:
ubuntu-bug openssh-server

ubuntu-bug ,
. , openssh-server ,
openssh-server,
openssh:
ubuntu-bug openssh

Ubuntu, 3,
[24].
ubuntu-bug ,
, ,
:
1
2

https://launchpad.net/
https://help.launchpad.net/YourAccount/NewAccount

448

ubuntu-bug postgresql
*** Collecting problem information
The collected information can be sent to the developers to improve the
application. This might take a few minutes.
..........
*** Send problem report to the developers?
After the problem report has been sent, please fill out the form in the
automatically opened web browser.
What would you like to do? Your options are:
S: Send report (1.7 KiB)
V: View report
K: Keep report file for sending later or copying to somewhere else
C: Cancel
Please choose (S/V/K/C):

:
Send Report.
Launchpad, .
,
.
*** Uploading problem information
The collected information is being sent to the bug tracking system.
This might take a few minutes.
91%
*** To continue, you must visit the following URL:
https://bugs.launchpad.net/ubuntu/+source/postgresql-8.4/+filebug/kc6eSnTLnLxF8u0t3e56EukFeqJ?
You can launch a browser now, or copy this URL into a browser on another
computer.
Choices:
1: Launch a browser now
C: Cancel
Please choose (1/C):

,
- w3m
. URL
-.
449


View Report.
.
Package: postgresql 8.4.2-2
PackageArchitecture: all
Tags: lucid
ProblemType: Bug
ProcEnviron:
LANG=en_US.UTF-8
SHELL=/bin/bash
Uname: Linux 2.6.32-16-server x86_64
Dependencies:
adduser 3.112ubuntu1
base-files 5.0.0ubuntu10
base-passwd 3.5.22
coreutils 7.4-2ubuntu2
...


, .
Keep Report File.
.

Ubuntu. ,
ubuntu-bug:
What would you like to do? Your options are:
S: Send report (1.7 KiB)
V: View report
K: Keep report file for sending later or copying to somewhere else
C: Cancel
Please choose (S/V/K/C): k
Problem report file: /tmp/apport.postgresql.v4MQas.apport
ubuntu-bug /tmp/apport.postgresql.v4MQas.apport
*** Send problem report to the developers?
...

Cancel. ,
.

1.2.
, ubuntu-bug (apport),
.
,
450


,
, apport .
apport
. gdb;
Ubuntu Server Edition.
sudo apt-get install gdb

3, [24]
Ubuntu.
, gdb , /etc/default/
apport enabled 1,
:
# set this to 0 to disable apport, or to 1 to enable it
# you can temporarily override this with
# sudo service apport start force_start=1
enabled=1
# set maximum core dump file size (default: 209715200 bytes == 200 MB)
maxsize=209715200

, /etc/default/apport,
apport:
sudo start apport

apport-cli
:
apport-cli
*** dash closed unexpectedly on 2010-03-11 at 21:40:59.
If you were not doing anything confidential (entering passwords or other
private information), you can help to improve the application by
reporting
the problem.
What would you like to do? Your options are:
R: Report Problem...
I: Cancel and ignore future crashes of this program version
C: Cancel
Please choose (R/I/C):

451


Report Problem ( ) ,
ubuntu-bug.
, (private)
Launchpad,
.
,
.

1.3.
3

wiki Reporting Bugs .


4

, Apport .
.

3
4

https://help.ubuntu.com/community/ReportingBugs
https://wiki.ubuntu.com/Apport

452