Ubuntu Server Guide
2012

Welcome to the Ubuntu Server Guide! It contains information on installing and configuring various server applications on Ubuntu.

Credits and licence: this document is maintained by the Ubuntu documentation team (https://wiki.ubuntu.com/DocumentationTeam) and is released under the Creative Commons ShareAlike 3.0 licence (CC-BY-SA): http://creativecommons.org/licenses/by-sa/3.0/

Related resources:
https://launchpad.net/~ubuntu-core-doc
https://launchpad.net/~ubuntu-server
https://help.ubuntu.com/community/
https://code.launchpad.net/serverguide
https://code.launchpad.net/ubuntu-docs
Table of Contents

1. Introduction
   1. Support
2. Installation
   1. Preparing to Install
   2. Installing from CD
   3. Upgrading
   4. Advanced Installation
   5. Kernel Crash Dump
3. Package Management
   1. Introduction
   2. dpkg
   3. Apt-Get
   4. Aptitude
   5. Automatic Updates
   6. Configuration
   7. References
4. Networking
   1. Network Configuration
   2. TCP/IP
   3. Dynamic Host Configuration Protocol (DHCP)
   4. Time Synchronisation with NTP
5. Device Mapper Multipathing (DM-Multipath)
   1. Device Mapper Multipathing
   2. Multipath Devices
   3. Setting up DM-Multipath Overview
   4. The DM-Multipath Configuration File
   5. DM-Multipath Administration and Troubleshooting
6. Remote Administration
   1. OpenSSH Server
   2. Puppet
   3. Zentyal
7. Network Authentication
   1. OpenLDAP Server
   2. Samba and LDAP
   3. Kerberos
   4. Kerberos and LDAP
8. Domain Name Service (DNS)
   1. Installation
   2. Configuration
   3. Troubleshooting
   4. References
9. Security
   1. User Management
   2. Console Security
   3. Firewall
   4. AppArmor
   5. Certificates
   6. eCryptfs
10. Monitoring
   1. Overview
   2. Nagios
   3. Munin
11. Web Servers
12. Databases
13. LAMP Applications
14. File Servers
15. Email Services
16. Chat Applications
   3. Jabber Instant Messaging Server
17. Version Control System
   1. Bazaar
   2. Subversion
   3. CVS
   4. References
18. Windows Networking
   1. Introduction
   2. Samba File Server
   3. Samba Print Server
   4. Securing File and Print Server
   5. Samba as a Domain Controller
   6. Samba Active Directory Integration
19. Backups
   1. Shell Scripts
   2. Archive Rotation
   3. Bacula
20. Virtualization
   1. libvirt
   2. JeOS and vmbuilder
   3. UEC
   4. Ubuntu Cloud
   5. LXC
21. Clustering
   1. DRBD
22. VPN
   1. OpenVPN
23. Other Useful Applications
   1. pam_motd
   2. etckeeper
   3. Byobu
   4. References
A. Appendix
   1. Reporting Bugs in Ubuntu Server Edition

List of Tables

2.1. Recommended minimum requirements
5.1. Priority checker conversion
5.2. DM-Multipath components
5.3. Multipath configuration defaults
5.6. Useful multipath command options
20.1. UEC
20.2. UEC

(Page numbers of the printed edition have been dropped from this outline; cross-references in the text that give a page number in square brackets still refer to that edition.)
1. Introduction

Welcome to the Ubuntu Server Guide! It contains information on installing and configuring various server applications on Ubuntu to fit your needs. This guide assumes a basic understanding of the Ubuntu system. For installation instructions beyond what is covered here, see the Ubuntu Installation Guide at https://help.ubuntu.com/12.04/installation-guide/

An HTML version of this guide is available online at https://help.ubuntu.com

1. Support

There are two ways of getting support for Ubuntu Server Edition: commercial support and community support.

Commercial support is provided by Canonical Ltd. and its partners; see Canonical Services at http://www.canonical.com/services/support

Community support is provided by the large community of Ubuntu users and developers through mailing lists, IRC channels, forums, blogs, wikis and so on; see Ubuntu Support at http://www.ubuntu.com/support
2. Installation

This chapter covers installing Ubuntu 12.04 LTS Server Edition. The installer itself is documented in detail in the Ubuntu Installation Guide: https://help.ubuntu.com/12.04/installation-guide/

1. Preparing to Install

This section explains a few things to consider before starting the installation.

1.1. System Requirements

Ubuntu 12.04 LTS Server Edition supports three major architectures: Intel x86, AMD64 and ARM. Table 2.1 lists the recommended minimum hardware. Depending on your needs you may manage with less, but most users risk being frustrated if they ignore these suggestions.

Table 2.1. Recommended minimum requirements

Processor: 300 MHz
Memory (RAM): 128 MB
Hard drive space (base system): 500 MB

Server Edition provides a common base for all sorts of server applications. It is a minimalist design providing a platform for the desired services, such as file and print services, web hosting, email hosting, and so on.

The requirements for the Ubuntu Enterprise Cloud (UEC) differ from those for a standalone server; see Section 3.2.1 [374] and Section 3.2.2 [375] of the UEC chapter.

1.2. Server and Desktop Differences

There are a few differences between Ubuntu Server Edition and Ubuntu Desktop Edition. Both editions use the same apt repositories, so it is just as easy to install a server application on the Desktop Edition as it is on the Server Edition. The differences are the lack of an X window environment in the Server Edition, the installation process, and the kernel options.

1.2.1. Kernel Differences

Ubuntu 10.10 and earlier shipped separate -server and -generic kernel flavours. These have since been merged into a single -generic kernel flavour, which reduces the maintenance burden over the life of the release.

When using a 64-bit version of Ubuntu on 64-bit processors you are not limited by memory addressing space. To see all kernel configuration options, look through /boot/config-3.2.0-server. Linux Kernel in a Nutshell (http://www.kroah.com/lkn/) is a good resource on the options available.

1.3. Backing Up

Before installing Ubuntu Server Edition, back up all data on the system. See Chapter 19, Backups [341] for backup options.

If this is not the first time an operating system has been installed on your computer, you will probably need to re-partition your disk to make room for Ubuntu. Any time you partition your disk, be prepared to lose everything on it should you make a mistake or something goes wrong during partitioning. The installation programs are quite reliable and most have seen years of use, but they also perform destructive actions, and one mistake can cost you all your data.
2. Installing from CD

The basic steps to install Ubuntu Server Edition from CD are the same as those for installing any operating system from CD. Unlike the Desktop Edition, the Server Edition does not include a graphical installation program; it uses a console menu process instead.

First, download and burn the appropriate ISO file from the Ubuntu web site: http://www.ubuntu.com/download/server/download

Boot the system from the CD-ROM drive. At the boot prompt you will be asked to select a language.

From the main boot menu there are some additional options to install Ubuntu Server Edition: install a basic Ubuntu Server, check the CD-ROM for defects, check the system's RAM, boot from the first hard disk, or rescue a broken system.

The installer asks which language it should use, then which keyboard layout.

It then detects your hardware configuration and tries to configure the network with DHCP. If you do not wish to use DHCP, choose "Go Back" at the next screen and you will have the option to "Configure the network manually".

Next, the installer asks for the system's hostname.

A timezone is then detected and you are asked to confirm it.

You are then asked to partition the hard drive. You can choose to use the entire disk, with or without LVM, or partition manually. The installer can also set up encrypted LVM. See Section 4, Advanced Installation [11] for details on installing with RAID and LVM.

The base system is then installed.

A new user is created; this user will have root access through the sudo utility. The root account itself is locked.

You are then asked whether to encrypt the new user's home directory.

Next, you are asked how to manage updates. The choices are:

- No automatic updates: an administrator logs in and installs updates manually.
- Install security updates automatically: the unattended-upgrades package is installed and configured to install security updates. See Section 5, Automatic Updates [33] for details.
- Manage the system with Landscape: Landscape is a paid service provided by Canonical to help manage Ubuntu machines. See http://www.canonical.com/projects/landscape

You then have the option to install, or not install, several package tasks. See Section 2.1, Package Tasks [8] for details. There is also an option to launch aptitude to choose specific packages; see Section 4, Aptitude [30].

Finally, the last step before rebooting is to set the clock to UTC.

If at any point during installation you are not satisfied with a default setting, use the "Go Back" function at any prompt to reach a detailed installation menu that allows you to modify the defaults.

At any point during the installation process you can read the help screen provided by the installation system by pressing F1.

For further details on installing Ubuntu Server Edition, see the Ubuntu Installation Guide: https://help.ubuntu.com/12.04/installation-guide/

2.1. Package Tasks

During the Server Edition installation you have the option of installing additional packages from the CD. The packages are grouped by the type of service they provide.

The tasks can also be used to install other desktop environments such as Ubuntu, Kubuntu or Edubuntu. Once the installation is complete, use the tasksel utility to install or remove tasks.

To see a list of the packages in a task, use the --task-packages option. For example, to list the packages installed with the DNS Server task enter:

tasksel --task-packages dns-server

The output of the command should list:

bind9-doc
bind9utils
bind9

If you did not install one of the tasks during the installation process, but for example decide to make your new LAMP server a DNS server too, simply insert the installation CD (or connect through a repository) and run:

sudo tasksel install dns-server
3. Upgrading

There are several ways to upgrade from one Ubuntu release to another. This section gives an overview of the recommended upgrade method.

3.1. do-release-upgrade

The recommended way to upgrade a Server Edition installation is to use the do-release-upgrade utility. It is part of the update-manager-core package, which has no graphical dependencies and is installed by default.

Debian-based systems can also be upgraded with apt-get dist-upgrade. However, do-release-upgrade is recommended because it can handle system configuration changes that are sometimes needed between releases.

To upgrade to a newer release:

do-release-upgrade

It is also possible to upgrade to a development version of Ubuntu, using the -d option:

do-release-upgrade -d

Upgrading to a development release is not recommended for production environments.
4. Advanced Installation

4.1. Software RAID

Redundant Array of Independent Disks (RAID) is a method of using multiple disks to provide different balances of increased data reliability and/or increased input/output performance, depending on the RAID level used. RAID is implemented in either software (where the operating system knows about both drives and actively maintains both of them) or hardware (where a special controller makes the operating system see only one drive and maintains the drives invisibly).

The RAID software included with current versions of Linux (mdadm) is based on the 'md' driver and works very well, better even than many so-called hardware RAID controllers. This section guides you through installing Ubuntu Server Edition using two RAID1 partitions on two physical hard drives, one for / and another for swap.

4.1.1. Partitioning

Follow the installation steps until you get to the "Partition disks" step, then:

1. Select "Manual" as the partition method.
2. Select the first hard drive, and agree to "Create a new empty partition table on this device?". Repeat this step for each drive you wish to be part of the RAID array.
3. Select the "FREE SPACE" on the first drive, then select "Create a new partition".
4. Next, select the size of the partition. This partition will be the swap partition, and a general rule for swap size is twice that of RAM. Enter the partition size, then choose "Primary", then "Beginning".
   A swap partition of twice the available RAM is not always desirable, especially on systems with large amounts of RAM. Calculating the swap partition size for servers depends heavily on how the system is going to be used.
5. Select the "Use as:" line at the top. By default this is "Ext4 journaling file system"; change it to "physical volume for RAID", then "Done setting up partition".
6. For the / partition, once again select "Free Space" on the first drive, then "Create a new partition".
7. Use the rest of the free space on the drive and choose "Continue", then "Primary".
8. As with the swap partition, select the "Use as:" line at the top, changing it to "physical volume for RAID". Also select the "Bootable flag:" line to change the value to "on". Then choose "Done setting up partition".
9. Repeat steps three through eight for the other disk and partitions.

4.1.2. RAID Configuration

With the partitions set up, the arrays are ready to be configured:

1. Back in the main "Partition Disks" page, select "Configure Software RAID" at the top.
2. Select "yes" to write the changes to disk.
3. Choose "Create MD device".
4. For this example, select "RAID1"; if you are using a different setup choose the appropriate type (RAID0, RAID1 or RAID5).
   RAID5 needs at least three drives. RAID0 or RAID1 need only two.
5. Enter the number of active devices, "2", or however many hard drives you have for the array. Then select "Continue".
6. Next, enter the number of spare devices, "0" by default, then choose "Continue".
7. Choose which partitions to use. Generally they will be sda1, sdb1, sdc1, etc. The numbers will usually match and the different letters correspond to different hard drives.
   For the swap partition choose sda1 and sdb1. Select "Continue" to go to the next step.
8. Repeat steps three through seven for the / partition, choosing sda2 and sdb2.
9. Once done, select "Finish".

4.1.3. Formatting

There should now be a list of hard drives and RAID devices. The next step is to format and set the mount point for the RAID devices. Treat each RAID device as a local hard drive: format and mount it accordingly.

1. Select "#1" under the "RAID1 device #0" partition.
2. Choose "Use as:", then select "swap area", then "Done setting up partition".
3. Next, select "#1" under the "RAID1 device #1" partition.
4. Choose "Use as:", then select "Ext4 journaling file system".
5. Then select the "Mount point" and choose "/". Change any of the other options as appropriate, then select "Done setting up partition".
6. Finally, select "Finish partitioning and write changes to disk".

If you choose to place the root partition on a RAID array, the installer will then ask if you would like to boot in a degraded state. See Section 4.1.4, Degraded RAID [13] for further details.

The installation process will then continue normally.
4.1.4. Degraded RAID

At some point in the life of the computer a disk failure may occur. When this happens, with software RAID, the operating system places the array into what is known as a degraded state.

If the array has become degraded, because of the risk of data corruption Ubuntu Server Edition by default boots to initramfs after thirty seconds. Once the initramfs has booted there is a fifteen second prompt giving you the option to go ahead and boot the system or attempt manual recovery. Booting to the initramfs prompt may not be the desired behaviour, especially if the machine is in a remote location. Booting to a degraded array can be configured in several ways:

- The dpkg-reconfigure utility can be used to configure the default behaviour; during the process you will also be asked about additional settings related to the array, such as monitoring and email alerts. To reconfigure mdadm enter:

sudo dpkg-reconfigure mdadm

- The dpkg-reconfigure mdadm process writes the configuration file /etc/initramfs-tools/conf.d/mdadm. The file has the advantage that the behaviour can be pre-configured before installation, or edited afterwards. To boot a degraded array automatically it should contain:

BOOT_DEGRADED=true

- Additionally, the option can be passed to the kernel at boot time. Hold Shift during boot to reach the GRUB menu, press e to edit the selected entry, append "bootdegraded=true" (without quotes) to the kernel line, and press Ctrl+x to boot.

Once the system has finished booting you can either repair the array (see Section 4.1.5, RAID Maintenance [14]) or copy important data to another machine in case of major hardware failure.

4.1.5. RAID Maintenance

The mdadm utility can be used to view the status of an array, add disks to an array, remove disks, etc.:

To view the status of an array, from a terminal prompt enter:

sudo mdadm -D /dev/md0

The -D option tells mdadm to display detailed information about the /dev/md0 device. Replace /dev/md0 with the appropriate RAID device.

To view the status of a disk in an array:

sudo mdadm -E /dev/sda1

The output is very similar to that of the mdadm -D command; adjust /dev/sda1 for each disk.

If a disk fails and needs to be removed from an array, mark it as failed and then remove it with mdadm. When a replacement disk is added to the array, it is rebuilt from the remaining mirror.

To monitor the status of the array, /proc/mdstat can be checked:

cat /proc/mdstat
Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
md0 : active raid1 sda1[0] sdb1[1]
      10016384 blocks [2/2] [UU]

unused devices: <none>

The following command is useful for watching the status of a syncing drive:

watch -n1 cat /proc/mdstat

Press Ctrl+c to stop the watch command.

If you need to replace a faulty drive, after the drive has been replaced and synced you will need to install grub on it. To install grub on the new drive, enter the following:

sudo grub-install /dev/md0

Replace /dev/md0 with the appropriate array device name.
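The degraded-state checks above are usually done by eye with cat or watch. As an added example (not code from the guide or from the mdadm project), the following Python parser turns /proc/mdstat into structured data and lists arrays that are running with fewer members than configured, which is what a monitoring check for BOOT_DEGRADED-style situations needs. Both /proc/mdstat samples are constructed for this example; the healthy one mirrors the output shown above.

```python
import re

# Constructed /proc/mdstat samples for this example (the healthy one mirrors the output shown above).
MDSTAT_HEALTHY = """\
Personalities : [linear] [multipath] [raid0] [raid1] [raid6] [raid5] [raid4] [raid10]
md0 : active raid1 sda1[0] sdb1[1]
      10016384 blocks [2/2] [UU]

unused devices: <none>
"""

MDSTAT_DEGRADED = """\
Personalities : [raid1]
md0 : active raid1 sda1[0] sdb1[1](F)
      10016384 blocks [2/1] [U_]
md1 : active raid1 sda2[0] sdb2[2]
      488384 blocks [2/1] [U_]
      [==>..................]  recovery = 12.5% (61048/488384) finish=0.3min speed=20349K/sec

unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\d+) : (\w+) (\S+) (.*)$")
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\] \[([U_]+)\]")
PROGRESS_RE = re.compile(r"(resync|recovery|reshape|check) = ([\d.]+)%")

def parse_mdstat(text):
    """Return {name: {...}} for every md array in /proc/mdstat."""
    arrays, current = {}, None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            name, state, level, members = m.groups()
            # member devices look like sdb1[1], with (F) for failed and (S) for spare
            devices = re.findall(r"(\w+)\[\d+\](\([A-Z]\))?", members)
            current = arrays[name] = {
                "state": state, "level": level,
                "members": [d for d, _ in devices],
                "failed": [d for d, flag in devices if flag == "(F)"],
                "spares": [d for d, flag in devices if flag == "(S)"],
                "expected": None, "active": None, "slots": "", "progress": None,
            }
            continue
        if current is None:
            continue
        s = STATUS_RE.search(line)          # "[2/1] [U_]": configured/working members and per-slot state
        if s:
            current["expected"], current["active"], current["slots"] = int(s.group(1)), int(s.group(2)), s.group(3)
        p = PROGRESS_RE.search(line)        # rebuild progress line, if any
        if p:
            current["progress"] = (p.group(1), float(p.group(2)))
    return arrays

def degraded_arrays(text):
    """Names of arrays with fewer working members than configured (the condition BOOT_DEGRADED=true boots on)."""
    return sorted(name for name, a in parse_mdstat(text).items()
                  if (a["active"] is not None and a["active"] < a["expected"]) or "_" in a["slots"])
```

An array that is rebuilding still shows as degraded (md1 above) until the recovery reaches 100%, so a check should report the progress tuple alongside the array name rather than alerting on the same condition twice.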
4.1.6. Resources

The topic of RAID arrays is a complex one, due to the many ways RAID can be configured. See the following for more information:

- Ubuntu Wiki articles on RAID (footnote 6)
- Software RAID HOWTO (footnote 7)
- Managing RAID on Linux, O'Reilly (footnote 8)
4.2. Logical Volume Manager (LVM)

Logical Volume Manager, or LVM, allows administrators to create logical volumes out of one or multiple physical hard disks. LVM volumes can be created on both software RAID partitions and standard partitions residing on a single disk. Volumes can also be extended, giving greater flexibility to systems as requirements change.

4.2.1. Overview

A side effect of LVM's power and flexibility is a greater degree of complication. Before diving into the LVM installation process, it is best to get familiar with some terms.

- Physical Volume (PV): a physical hard disk, disk partition or software RAID partition formatted as an LVM PV.
- Volume Group (VG): built from one or more physical volumes. A VG can be extended by adding more PVs. A VG is like a virtual disk drive from which one or more logical volumes are carved.
- Logical Volume (LV): similar to a partition in a non-LVM system. An LV is formatted with the desired file system (EXT3, XFS, JFS, etc.) and is then available for mounting and data storage.

4.2.2. Installation

As an example this section covers installing Ubuntu Server Edition with /srv mounted on an LVM volume. During the initial install only one Physical Volume (PV) will be part of the Volume Group (VG). Another PV will be added after installation to demonstrate how a VG can be extended.
Footnotes 6 to 8 (RAID resources):
6. https://help.ubuntu.com/community/Installation#raid
7. http://www.faqs.org/docs/Linux-HOWTO/Software-RAID-HOWTO.html
8. http://oreilly.com/catalog/9781565927308/
There are several installation options for LVM: "Guided - use the entire disk and set up LVM", which also allows you to assign a portion of the available space to LVM; "Guided - use entire disk and set up encrypted LVM"; or manually setting up the partitions and configuring LVM. At this time the only way to configure a system with both LVM and standard partitions during installation is to use the manual approach.

1. Follow the installation steps until you get to the "Partition disks" step, then:
2. At the "Partition Disks" screen choose "Manual".
3. Select the hard disk and on the next screen choose "yes" to "Create a new empty partition table on this device".
4. Next, create standard /boot, swap and / partitions with whichever filesystem you prefer.
5. For the LVM /srv, create a new logical partition. Then change "Use as" to "physical volume for LVM", then "Done setting up the partition".
6. Now select "Configure the Logical Volume Manager" at the top, and choose "Yes" to write the changes to disk.
7. For the "LVM configuration action" on the next screen, choose "Create volume group". Enter a name for the VG such as vg01, or something more descriptive. After entering a name, select the partition configured for LVM and choose "Continue".
8. Back at the "LVM configuration action" screen, select "Create logical volume". Select the newly created volume group and enter a name for the new LV, for example srv since that is the intended mount point. Then choose a size, which may be the full partition because it can always be extended later. Choose "Finish" and you should be back at the main "Partition Disks" screen.
9. Now add a filesystem to the new LV. Select the partition under "LVM VG vg01, LV srv", or whatever name you have chosen, then choose "Use as". Set up a filesystem as normal, selecting /srv as the mount point. Choose "Done setting up the partition".
10. Finally, select "Finish partitioning and write changes to disk". Then confirm the changes and continue with the rest of the installation.

There are some useful utilities to view information about LVM:

pvdisplay: shows information about Physical Volumes.
vgdisplay: shows information about Volume Groups.
lvdisplay: shows information about Logical Volumes.
4.2.3. Extending Volume Groups

Continuing with srv as an LVM volume example, this section covers adding a second hard disk, creating a Physical Volume (PV), adding it to the volume group (VG), extending the logical volume srv and finally extending the filesystem. This example assumes a second hard disk has been added to the system. In this example the disk is named /dev/sdb and the entire disk is used as a physical volume (you could choose to create partitions and use them as different physical volumes).

Make sure you do not already have an existing /dev/sdb before issuing the commands below. You could lose data if you issue them on a non-empty disk.

1. First, create the physical volume; in a terminal execute:

sudo pvcreate /dev/sdb

2. Now extend the Volume Group (VG):

sudo vgextend vg01 /dev/sdb

3. Use vgdisplay to find out the free physical extents, shown as "Free PE / Size" (the size you can allocate). We will assume a free size of 511 PE (equivalent to 2 GB with a PE size of 4 MB) and use the whole free space available. Use your own PE and/or free space.
   The Logical Volume (LV) can now be extended by different methods; here only extension by PE is shown:

sudo lvextend /dev/vg01/srv -l +511

The -l option extends the LV by a number of physical extents. The -L option extends the LV by a size given in megabytes, gigabytes, terabytes, etc.

4. Even though you are supposed to be able to expand an ext3 or ext4 filesystem without unmounting it first, it is good practice to unmount it anyway and check the filesystem, so that you do not get into trouble the day you want to reduce a logical volume (in that case unmounting first is compulsory).
   The following commands are for an EXT3 or EXT4 filesystem. If you are using another filesystem there may be other utilities available.

sudo umount /srv
sudo e2fsck -f /dev/vg01/srv

The -f option of e2fsck forces checking even if the filesystem seems clean.

5. Finally, resize the filesystem:

sudo resize2fs /dev/vg01/srv

6. Now mount the partition and check its size:

mount /dev/vg01/srv /srv && df -h /srv
4.2.4. Resources

- See the Ubuntu Wiki LVM articles (footnote 9).
- The LVM HOWTO (footnote 10).
- Managing Disk Space with LVM on Linux Dev Center (footnote 11).
- For more information on fdisk see the fdisk man page (footnote 12).

9. https://help.ubuntu.com/community/Installation#lvm
10. http://tldp.org/HOWTO/LVM-HOWTO/index.html
11. http://www.linuxdevcenter.com/pub/a/linux/2006/04/27/managing-disk-space-with-lvm.html
12. http://manpages.ubuntu.com/manpages/precise/en/man8/fdisk.8.html
5. Kernel Crash Dump

5.1. Introduction

A Kernel Crash Dump is a copy of part of the contents of volatile memory (RAM) written to disk whenever the execution of the kernel is disrupted. The following events can cause such a disruption:

- Kernel Panic
- Non Maskable Interrupts (NMI)
- Machine Check Exceptions (MCE)

For some of those events (Kernel Panic, NMI) the kernel reacts automatically and triggers the crash dump mechanism through kexec. In other situations a manual intervention is required in order to capture the memory. Whenever one of the above events occurs, it is important to find out the root cause in order to prevent it from happening again. The cause can be determined by inspecting the copied memory contents.

5.2. Kernel Crash Dump Mechanism

When a kernel panic occurs, the kernel relies on the kexec mechanism to quickly reboot a new instance of the kernel in a pre-reserved section of memory that was allocated when the system booted (see below). This permits the existing memory area to remain untouched so that its contents can be safely copied to storage.

5.3. Installation

The kernel crash dump utility is installed with the following command:

sudo apt-get install linux-crashdump

A reboot is then needed.

5.4. Configuration

No further configuration is required in order to have the kernel dump mechanism enabled.
5.5. Verification

To confirm that the kernel dump mechanism is enabled, there are a few things to verify. First, confirm that the crashkernel boot parameter is present (the following line has been split into two to fit the width of this document):

cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.2.0-17-server root=/dev/mapper/PreciseS-root ro
crashkernel=384M-2G:64M,2G-:128M

The crashkernel parameter has the following syntax:

crashkernel=<range1>:<size1>[,<range2>:<size2>,...][@offset]
range=start-[end] 'start' is inclusive and 'end' is exclusive.

So for the crashkernel parameter found in /proc/cmdline we have:

crashkernel=384M-2G:64M,2G-:128M

The above value means:

- if the RAM is smaller than 384M, then don't reserve anything (this is the "rescue" case)
- if the RAM size is between 384M and 2G (exclusive), then reserve 64M
- if the RAM size is 2G or larger, then reserve 128M

Second, verify that the kernel reserved the requested memory area for the kdump kernel by running:

dmesg | grep -i crash
...
[    0.000000] Reserving 64MB of memory at 800MB for crashkernel (System RAM: 1023MB)
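The range syntax above is easy to misread at the boundaries (the end of a range is exclusive, so a 2 GB machine falls into the second range). As an added example (not code from the guide or from the kernel documentation), the following Python reads the crashkernel= token from a command line, computes the reservation the policy requires for a given RAM size, and checks it against the kernel's "Reserving ..." message. The command line and dmesg line are copies of the samples above; all other inputs are constructed for the example.

```python
import re

# Sample inputs for this example (copied from the verification output above; not a live system).
SAMPLE_CMDLINE = ("BOOT_IMAGE=/vmlinuz-3.2.0-17-server root=/dev/mapper/PreciseS-root ro "
                  "crashkernel=384M-2G:64M,2G-:128M")
SAMPLE_DMESG = "[    0.000000] Reserving 64MB of memory at 800MB for crashkernel (System RAM: 1023MB)"

_UNITS = {"": 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30, "T": 1 << 40}

def parse_size(text):
    """'384M' -> bytes. A bare number is bytes, as the kernel documents."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", text.strip().upper())
    if not m:
        raise ValueError("bad size: %r" % text)
    return int(m.group(1)) * _UNITS[m.group(2)]

def parse_crashkernel(cmdline):
    """Return (ranges, offset) from the crashkernel= token of a kernel command line, or None if absent.
    ranges is a list of (start, end_or_None, size) in bytes; start is inclusive, end exclusive."""
    m = re.search(r"(?:^|\s)crashkernel=(\S+)", cmdline)
    if not m:
        return None
    value = m.group(1)
    offset = None
    if "@" in value:                       # optional @offset applies to the whole reservation
        value, off = value.split("@", 1)
        offset = parse_size(off)
    ranges = []
    for entry in value.split(","):
        if ":" in entry:
            rng, size = entry.split(":", 1)
        else:                              # plain crashkernel=64M form: applies to any RAM size
            rng, size = "0-", entry
        start, _, end = rng.partition("-")
        ranges.append((parse_size(start), parse_size(end) if end else None, parse_size(size)))
    return ranges, offset

def reserved_for(ram_bytes, ranges):
    """Bytes the kernel will reserve for a system with ram_bytes of RAM (0 when no range matches)."""
    for start, end, size in ranges:
        if ram_bytes >= start and (end is None or ram_bytes < end):
            return size
    return 0

def check_dmesg(dmesg_line):
    """Parse the kernel's 'Reserving ...' message into (reserved_bytes, system_ram_bytes)."""
    m = re.search(r"Reserving (\d+)MB of memory at \d+MB for crashkernel \(System RAM: (\d+)MB\)", dmesg_line)
    if not m:
        return None
    return int(m.group(1)) << 20, int(m.group(2)) << 20

def verify(cmdline, dmesg_line):
    """True when the reservation dmesg reports is the one the crashkernel= policy requires."""
    parsed = parse_crashkernel(cmdline)
    found = check_dmesg(dmesg_line)
    if parsed is None or found is None:
        return False
    ranges, _ = parsed
    reserved, ram = found
    return reserved == reserved_for(ram, ranges)
```

On a live host the same two inputs come from `cat /proc/cmdline` and `dmesg | grep -i crash`; a False result means either the parameter was not applied (kernel not rebooted after installing linux-crashdump) or the machine's RAM falls into the "reserve nothing" range, in which case no dump will ever be captured.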
5.6. Testing the Crash Dump Mechanism

Testing the crash dump mechanism causes a system reboot. In certain situations this can cause data loss if the system is under heavy load. If you want to test the mechanism, make sure that the system is idle or under very light load.

Verify that the SysRq mechanism is enabled by looking at the value of the /proc/sys/kernel/sysrq kernel parameter:

cat /proc/sys/kernel/sysrq

If a value of 0 is returned the feature is disabled. Enable it with this command:

sudo sysctl -w kernel.sysrq=1

Once this is done, you must become root, as just using sudo will not be sufficient. As the root user, issue the command echo c > /proc/sysrq-trigger. If you are using a network connection you will lose contact with the system, so it is better to do the test while connected to the system console. This also makes the kernel dump process visible.

A typical test looks like the following:

sudo -s
[sudo] password for ubuntu:
# echo c > /proc/sysrq-trigger
[ ... kernel oops messages; the timestamps and addresses are not preserved in this copy ... ]
[   31.662668] CPU 1
....

The rest of the output is truncated, but you should see the system rebooting and somewhere in the log you will see the following line:

Begin: Saving vmcore from kernel crash ...

Once completed, the system reboots to its normal operational mode. You will then find the kernel crash dump file in the /var/crash directory:

ls /var/crash
linux-image-3.0.0-12-server.0.crash

5.7. Resources

Kernel crash dumps are a vast topic that requires good knowledge of the Linux kernel. More information can be found here:

- Kdump kernel documentation (footnote 13): http://www.kernel.org/doc/Documentation/kdump/kdump.txt
- The crash tool (footnote 14): http://people.redhat.com/~anderson/
- Analyzing Linux Kernel Crash (footnote 15; based on Fedora, but it still gives a good walkthrough of kernel dump analysis): http://www.dedoimedo.com/computers/crash-analyze.html
3. Package Management

Ubuntu features a comprehensive package management system for installing, upgrading, configuring and removing software. In addition to providing access to an organised base of over 35,000 software packages for your Ubuntu computer, the package management facilities also feature dependency resolution and software update checking.

Several tools are available for interacting with Ubuntu's package management system, from simple command-line utilities which may be easily automated by system administrators, to a simple graphical interface which is easy to use by those new to Ubuntu.

1. Introduction

Ubuntu's package management system is derived from the same system used by the Debian GNU/Linux distribution. The package files contain all of the necessary files, meta-data and instructions to implement a particular functionality or software application on your Ubuntu computer.

Debian package files typically have the extension '.deb', and usually exist in repositories, which are collections of packages found on various media such as CD-ROM discs or online. Packages are normally in a pre-compiled binary format, so installation is quick and requires no compiling of software.

Many complex packages use the concept of dependencies. Dependencies are additional packages required by the principal package in order to function properly. For example, the speech synthesis package festival depends upon the package libasound2, which provides the ALSA sound library needed for audio playback. In order for festival to function, it and all of its dependencies must be installed. The software management tools in Ubuntu do this automatically.
2. dpkg

dpkg is the package manager for Debian-based systems. It can install, remove and build packages, but unlike other package management systems it cannot automatically download and install packages or their dependencies. This section covers using dpkg to manage locally installed packages:

To list all packages installed on the system, from a terminal prompt enter:

dpkg -l

Depending on the number of packages on your system, this can generate a large amount of output. Pipe the output through grep to see if a specific package is installed:

dpkg -l | grep apache2

Replace apache2 with any package name, part of a package name, or other regular expression.

To list the files installed by a package, in this case the ufw package, enter:

dpkg -L ufw

If you are not sure which package installed a file, dpkg -S may be able to tell you. For example:

dpkg -S /etc/host.conf
base-files: /etc/host.conf

The output shows that /etc/host.conf belongs to the base-files package.

Many files are generated automatically during package installation, and even though they are on the filesystem, dpkg -S may not know which package they belong to.

You can install a local .deb file by entering:

sudo dpkg -i zip_3.0-4_i386.deb

Change zip_3.0-4_i386.deb to the actual file name of the local .deb file you wish to install. Note that dpkg -i performs no signature check: a local .deb is trusted as-is, so obtain it from a trusted source and verify its checksum or signature before installing it.

Uninstalling a package can be accomplished by:

sudo dpkg -r zip

Uninstalling packages using dpkg is, in most cases, not recommended. It is better to use a package manager that handles dependencies, to ensure that the system is in a consistent state. For example, dpkg -r zip removes the zip package, but any packages that depend on it are still installed and may no longer function correctly.

For more dpkg options see the man page: man dpkg.
3. Apt-Get

The apt-get command is a powerful command-line tool which works with Ubuntu's Advanced Packaging Tool (APT), performing such functions as installation of new software packages, upgrade of existing software packages, updating of the package list index, and even upgrading the entire Ubuntu system.

Being a simple command-line tool, apt-get has numerous advantages over other package management tools available in Ubuntu for server administrators. Some of these advantages include ease of use over simple terminal connections (SSH), and the ability to be used in system administration scripts, which can in turn be automated by the cron scheduling utility.

Some examples of popular uses for the apt-get utility:

- Install a package: installing packages with apt-get is quite simple. For example, to install the network scanner nmap, type the following:

sudo apt-get install nmap

- Remove a package: removing a package (or packages) is also straightforward. To remove the package installed in the previous example, type the following:

sudo apt-get remove nmap

Multiple packages may be specified, separated by spaces.

Adding the --purge option to apt-get remove will remove the package configuration files as well. This may or may not be the desired effect, so use it with caution.

- Update the package index: the APT package index is essentially a database of available packages from the repositories defined in the /etc/apt/sources.list file and in the /etc/apt/sources.list.d directory. To update the local package index with the latest changes made in the repositories, type the following:

sudo apt-get update

- Upgrade packages: over time, updated versions of packages currently installed on your computer may become available from the package repositories (for example security updates). To upgrade your system, first update your package index as outlined above, and then type:

sudo apt-get upgrade

For information on upgrading to a new Ubuntu release see Section 3, Upgrading [10].

Actions of the apt-get command, such as installation and removal of packages, are logged in the /var/log/dpkg.log log file.

For further information about the use of APT, read the comprehensive Debian APT User Manual (footnote 1: http://www.debian.org/doc/user-manuals#apt-howto) or type:

apt-get help
4. Aptitude

Aptitude is a menu-driven, text-based front-end to the Advanced Packaging Tool (APT) system. Many of the common package management functions, such as installation, removal and upgrade, are performed in Aptitude with single-key commands, which are typically lowercase letters.

Aptitude is best suited for use in a non-graphical terminal environment, to ensure proper functioning of the command keys. Start the menu-driven interface of Aptitude from a terminal prompt.

When Aptitude starts, you will see a menu bar at the top of the screen and two panes below the menu bar. The top pane contains package categories, such as New Packages and Not Installed Packages. The bottom pane contains information related to the packages and package categories.

Using Aptitude for package management is relatively straightforward, and the user interface makes common tasks simple to perform. The following are examples of common package management functions as performed in Aptitude:

- Install packages: to install a package, locate it via the Not Installed Packages category, for example by using the keyboard arrow keys and the ENTER key. Highlight the desired package, then press the + key. The package entry should turn green, indicating that it has been marked for installation. Now press g to be presented with a summary of package actions. Press g again, and you will be prompted to become root to complete the installation. Press ENTER, which will result in a Password: prompt. Enter your user password to become root. Finally, press g once more and you will be prompted to download the package. Press ENTER on the Continue prompt, and downloading and installation of the package will commence.

- Remove packages: to remove a package, locate it via the Installed Packages category, for example by using the keyboard arrow keys and the ENTER key. Highlight the package you wish to remove, then press the - key. The package entry should turn pink, indicating it has been marked for removal. Now press g to be presented with a summary of package actions. Press g again, and you will be prompted to become root to complete the removal. Press ENTER, which will result in a Password: prompt. Enter your user password to become root. Finally, press g once more, then press ENTER on the Continue prompt, and removal of the package will commence.

- Update the package index: to update the package index, simply press the u key and you will be prompted to become root to complete the update. Press ENTER, which will result in a Password: prompt. Enter your user password to become root. Updating of the package index will commence. Press ENTER on the OK prompt when the download dialog is presented to complete the process.

- Upgrade packages: to upgrade packages, perform the update of the package index as detailed above, and then press the U key to mark all packages with updates. Now press g, whereby you will be presented with a summary of package actions. Press g again, and you will be prompted to become root to complete the installation. Press ENTER, which will result in a Password: prompt. Enter your user password to become root. Finally, press g once more, and you will be prompted to download the packages. Press ENTER on the Continue prompt, and the upgrade of the packages will commence.

The first column of the package list in the top pane shows the current state of each package, using the following key:

i: installed package
c: package not installed, but package configuration remains on the system
p: purged from the system
v: virtual package
B: broken package
u: unpacked files, but package not yet configured
C: half-configured; configuration failed and requires a fix
H: half-installed; removal failed and requires a fix

To exit Aptitude, simply press the q key and confirm that you wish to exit. Many other functions are available from the Aptitude menu by pressing the F10 key.

4.1. Command Line Aptitude

You can also use Aptitude as a command-line tool, similar to apt-get. To install the nmap package with all necessary dependencies, as in the apt-get example, you would use the following command:

sudo aptitude install nmap

To remove the same package, you would use the command:

sudo aptitude remove nmap

Consult the man pages for more details of the command-line options for Aptitude.
5. Automatic Updates

The unattended-upgrades package can be used to install updated packages automatically, and can be configured to update all packages or just install security updates. First, install the package by entering the following in a terminal:

sudo apt-get install unattended-upgrades

To configure unattended-upgrades, edit /etc/apt/apt.conf.d/50unattended-upgrades and adjust the following to fit your needs:

Unattended-Upgrade::Allowed-Origins {
        "Ubuntu precise-security";
//      "Ubuntu precise-updates";
};

Certain packages can also be blacklisted and therefore will not be automatically updated. To blacklist a package, add it to the list:

Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};

The double "//" serve as comments, so whatever follows "//" is not evaluated. Be aware that a blacklisted package is excluded from security updates too: blacklisting libc6, for instance, means glibc security fixes will never be applied automatically, so review the blacklist against that risk.

To enable automatic updates, edit /etc/apt/apt.conf.d/10periodic and set the appropriate apt configuration options:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

The above configuration updates the package list, then downloads and installs available upgrades every day. The local download archive is cleaned every week.

You can read more about the apt Periodic configuration options in the header of the /etc/cron.daily/apt script.

The results of unattended-upgrades are logged to /var/log/unattended-upgrades.

5.1. Notifications

Configuring Unattended-Upgrade::Mail in /etc/apt/apt.conf.d/50unattended-upgrades enables unattended-upgrades to email an administrator detailing any packages that need upgrading or have problems.

Another useful package is apticron. apticron configures a cron job to email an administrator information about any packages on the system that have updates available, as well as a summary of changes in each package.

Once the apticron package is installed, edit /etc/apticron/apticron.conf to set the email address and other options:

EMAIL="root@example.com"
6. Configuration

Configuration of the Advanced Packaging Tool (APT) system repositories is stored in the /etc/apt/sources.list file and the /etc/apt/sources.list.d directory. An example of this file is referenced here (footnote 2: ../sample/sources.list), along with information on adding or removing repository references from the file.

You may edit the file to enable repositories or disable them. For example, to disable the requirement of inserting the Ubuntu CD-ROM whenever package operations occur, simply comment out the appropriate line for the CD-ROM, which appears at the top of the file:

# no more prompting for CD-ROM please
# deb cdrom:[Ubuntu 12.04 _Precise Pangolin_ - Release i386 (20111013.1)]/ precise main restricted

6.1. Extra Repositories

In addition to the officially supported package repositories available for Ubuntu, there exist additional community-maintained repositories which add thousands more packages for potential installation. Two of the most popular are the Universe and Multiverse repositories. These repositories are not officially supported by Ubuntu, but because they are maintained by the community they generally provide packages which are safe for use with your Ubuntu computer.

Packages in the Multiverse repository often have licensing issues that prevent them from being distributed with a free operating system, and they may be illegal in your locality.

Be advised that neither the Universe nor the Multiverse repository contains officially supported packages. In particular, there may not be security updates for these packages.

Many other package sources are available, sometimes offering only one package, as in the case of package sources provided by the developer of a single application. You should always be very careful and cautious when using non-standard package sources. Research the source and its packages carefully before performing any installation, as some package sources and their packages could render your system unstable or non-functional in some respects.

By default, the Universe and Multiverse repositories are enabled. If you would like to disable them, edit /etc/apt/sources.list and comment out the following lines:

deb http://archive.ubuntu.com/ubuntu precise universe multiverse
deb-src http://archive.ubuntu.com/ubuntu precise universe multiverse

deb http://us.archive.ubuntu.com/ubuntu/ precise universe
deb-src http://us.archive.ubuntu.com/ubuntu/ precise universe
deb http://us.archive.ubuntu.com/ubuntu/ precise-updates universe
deb-src http://us.archive.ubuntu.com/ubuntu/ precise-updates universe

deb http://us.archive.ubuntu.com/ubuntu/ precise multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ precise multiverse
deb http://us.archive.ubuntu.com/ubuntu/ precise-updates multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ precise-updates multiverse

deb http://security.ubuntu.com/ubuntu precise-security universe
deb-src http://security.ubuntu.com/ubuntu precise-security universe
deb http://security.ubuntu.com/ubuntu precise-security multiverse
deb-src http://security.ubuntu.com/ubuntu precise-security multiverse
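The two previous sections (Section 5, Automatic Updates, and this one) describe three files whose combination decides whether a server actually receives security fixes on its own: the Allowed-Origins and Package-Blacklist lists in 50unattended-upgrades, the APT::Periodic switches in 10periodic, and the pockets enabled in sources.list. As an added example (not code from the guide or from the unattended-upgrades project), the following Python audits constructed copies of those files and reports the gaps a reviewer would look for. The sample files are constructed for this example, modelled on the fragments above; the apt.conf comment handling assumes values themselves never contain "//".

```python
import re

# Constructed sample files for this example (modelled on the fragments shown above; not a dump of a real host).
SAMPLE_50UNATTENDED = """\
Unattended-Upgrade::Allowed-Origins {
        "Ubuntu precise-security";
//      "Ubuntu precise-updates";
};
Unattended-Upgrade::Package-Blacklist {
//      "vim";
        "libc6";
//      "libc6-dev";
};
"""

SAMPLE_10PERIODIC = """\
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "0";
"""

SAMPLE_SOURCES_LIST = """\
deb http://us.archive.ubuntu.com/ubuntu/ precise main restricted universe
deb http://us.archive.ubuntu.com/ubuntu/ precise-updates main restricted universe
deb http://security.ubuntu.com/ubuntu precise-security main restricted
deb-src http://security.ubuntu.com/ubuntu precise-security main restricted
"""

def _strip_comments(text):
    # apt.conf accepts // line comments and /* */ block comments; drop both
    # (assumption for this example: quoted values do not contain "//").
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return "\n".join(line.split("//", 1)[0] for line in text.splitlines())

def apt_conf_lists(text):
    """Map 'Group::Name' -> list of quoted values for every { ... }; list in an apt.conf fragment."""
    clean = _strip_comments(text)
    return {name: re.findall(r'"([^"]*)"', body)
            for name, body in re.findall(r'([\w:-]+)\s*\{(.*?)\};', clean, flags=re.S)}

def apt_conf_scalars(text):
    """Map 'Group::Name' -> value for scalar settings such as APT::Periodic::Unattended-Upgrade "1";"""
    clean = _strip_comments(text)
    return dict(re.findall(r'([\w:-]+)\s+"([^"]*)";', clean))

def sources_components(text):
    """Map suite -> set of components enabled by 'deb' lines (deb-src and comments are ignored)."""
    found = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "deb":
            found.setdefault(parts[2], set()).update(parts[3:])
    return found

def audit(unattended_conf, periodic_conf, sources_list, codename="precise"):
    """Findings, in file order; an empty list means security updates are applied automatically
    for every component the host installs from."""
    findings = []
    lists = apt_conf_lists(unattended_conf)
    if "Ubuntu %s-security" % codename not in lists.get("Unattended-Upgrade::Allowed-Origins", []):
        findings.append("security pocket not in Allowed-Origins")
    for pkg in lists.get("Unattended-Upgrade::Package-Blacklist", []):
        findings.append("blacklisted package will never be auto-updated: " + pkg)
    periodic = apt_conf_scalars(periodic_conf)
    for key in ("APT::Periodic::Update-Package-Lists", "APT::Periodic::Unattended-Upgrade"):
        if periodic.get(key, "0") == "0":
            findings.append(key + " is off")
    comps = sources_components(sources_list)
    # every component enabled for the release pocket should also be enabled for -security,
    # otherwise packages from it are installed but never patched
    missing = comps.get(codename, set()) - comps.get(codename + "-security", set())
    for comp in sorted(missing):
        findings.append("component enabled without a security pocket: " + comp)
    return findings
```

Run against the constructed samples the audit reports three problems: libc6 is blacklisted, the periodic Unattended-Upgrade switch is "0", and universe is enabled for precise but not for precise-security. Fixing all three yields an empty finding list.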
7. References

Most of the material covered in this chapter is available in man pages, many of which are also available online.

- The InstallingSoftware Ubuntu wiki page (footnote 3) has more information: https://help.ubuntu.com/community/InstallingSoftware
- For more dpkg details see the dpkg man page (footnote 4): http://manpages.ubuntu.com/manpages/precise/en/man1/dpkg.1.html
- The APT HOWTO (footnote 5) and the apt-get man page (footnote 6) contain useful information regarding apt-get usage: http://www.debian.org/doc/manuals/apt-howto/ and http://manpages.ubuntu.com/manpages/precise/en/man8/apt-get.8.html
- See the aptitude man page (footnote 7) for more aptitude options: http://manpages.ubuntu.com/manpages/precise/man8/aptitude.8.html
- The Adding Repositories HOWTO on the Ubuntu Wiki (footnote 8) contains more details on adding repositories: https://help.ubuntu.com/community/Repositories/Ubuntu
4. Networking

Networks consist of two or more devices, such as computer systems, printers and related equipment, which are connected by either physical cabling or wireless links for the purpose of sharing and distributing information among the connected devices.

This chapter provides general and specific information pertaining to networking, including an overview of network concepts and detailed discussion of popular network protocols.

1. Network Configuration

Ubuntu ships with a number of graphical utilities to configure your network devices. This document is geared toward server administrators and focuses on managing your network on the command line.

1.1. Ethernet Interfaces

Ethernet interfaces are identified by the system using the naming convention ethX, where X represents a numeric value. The first Ethernet interface is typically identified as eth0, the second as eth1, and all others move up in numerical order.

1.1.1. Identify Ethernet Interfaces

To quickly identify all available Ethernet interfaces, you can use the ifconfig command as shown below.

ifconfig -a | grep eth
eth0      Link encap:Ethernet  HWaddr 00:15:c5:4a:16:5a

Another application that can help identify all available network interfaces on your system is the lshw command. In the example below, lshw shows a single Ethernet interface with the logical name eth0 along with bus information, driver details and all supported capabilities.

sudo lshw -class network
  *-network
       description: Ethernet interface
       product: BCM4401-B0 100Base-TX
       vendor: Broadcom Corporation
       physical id: 0
       bus info: pci@0000:03:00.0
       logical name: eth0
       version: 02
       serial: 00:15:c5:4a:16:5a
       size: 10MB/s
       capacity: 100MB/s
       width: 32 bits
       clock: 33MHz
       capabilities: (snipped for brevity)
       configuration: (snipped for brevity)
       resources: irq:17 memory:ef9fe000-ef9fffff

1.1.2. Ethernet Interface Logical Names

Interface logical names are configured in the file /etc/udev/rules.d/70-persistent-net.rules. If you would like to control which interface receives a particular logical name, find the line matching the interface's physical MAC address and modify the value of NAME=ethX to the desired logical name. Reboot the system to commit your changes.

1.1.3. Ethernet Interface Settings

ethtool is a program that displays and changes Ethernet card settings such as auto-negotiation, port speed, duplex mode and Wake-on-LAN. It is not installed by default, but is available for installation from the repositories.

sudo apt-get install ethtool

The following is an example of how to view the supported features and configured settings of an Ethernet interface.

sudo ethtool eth0
Settings for eth0:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Half 1000baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Half 1000baseT/Full

Changes made with the ethtool command are temporary and will be lost after a reboot. If you would like to retain settings, add the desired ethtool command to a pre-up statement in the interface configuration file /etc/network/interfaces.

The following is an example of how the interface identified as eth0 could be permanently configured with a port speed of 1000 Mb/s running in full duplex mode.

auto eth0
iface eth0 inet static
pre-up /sbin/ethtool -s eth0 speed 1000 duplex full

Although the example above shows the interface configured with the static method, it works with other methods as well, such as DHCP. The example is meant to demonstrate only the proper placement of the pre-up statement in relation to the rest of the interface configuration.
1.2. IP Addressing

The following section describes the process of configuring your system's IP address and default gateway, needed for communicating on a local area network and the Internet.

1.2.1. Temporary IP Address Assignment

For temporary network configurations you can use standard commands such as ip, ifconfig and route, which are also found on most other GNU/Linux operating systems. These commands allow you to configure settings which take effect immediately; however, they are not persistent and will be lost after a reboot.

To temporarily configure an IP address, you can use the ifconfig command in the following manner. Modify the IP address and subnet mask to match your network requirements.

sudo ifconfig eth0 10.0.0.100 netmask 255.255.255.0

To verify the IP address configuration of eth0, you can use the ifconfig command in the following manner.

ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:15:c5:4a:16:5a
          inet addr:10.0.0.100  Bcast:10.0.0.255  Mask:255.255.255.0
          MTU:1500  Metric:1
          Interrupt:16

To configure a default gateway, you can use the route command in the following manner. Modify the default gateway address to match your network requirements.

sudo route add default gw 10.0.0.1 eth0

To verify your default gateway configuration, you can use the route command in the following manner (columns that did not survive in this copy of the document are omitted).

route -n
Kernel IP routing table
Destination     Gateway         Genmask           Use Iface
10.0.0.0        0.0.0.0         255.255.255.0       0 eth0
0.0.0.0         10.0.0.1        0.0.0.0             0 eth0

If you require DNS for your temporary network configuration, you can add DNS server IP addresses to the file /etc/resolv.conf. In general, editing /etc/resolv.conf directly is not recommended, but this is a temporary and non-persistent configuration. The example below shows how to enter two DNS servers in /etc/resolv.conf; change them to servers appropriate for your network.

nameserver 8.8.8.8
nameserver 8.8.4.4

If you no longer need this configuration and wish to purge all IP configuration from an interface, you can use the ip command with the flush option as shown below.

ip addr flush eth0

Flushing the IP configuration using the ip command does not clear the contents of /etc/resolv.conf. You must remove or modify those entries manually.

1.2.2. Dynamic IP Address Assignment (DHCP Client)

To configure your server to use DHCP for dynamic address assignment, add the dhcp method to the inet address family statement for the appropriate interface in the file /etc/network/interfaces. The example below assumes you are configuring your first Ethernet interface, identified as eth0.

auto eth0
iface eth0 inet dhcp

By adding an interface configuration as shown above, you can manually enable the interface with the ifup command, which initiates the DHCP process via dhclient.

sudo ifup eth0

To manually disable the interface, use the ifdown command, which in turn initiates the DHCP release process and shuts down the interface.

sudo ifdown eth0

1.2.3. Static IP Address Assignment

To configure your system to use a static IP address, add the static method to the inet address family statement for the appropriate interface in the file /etc/network/interfaces. The example below assumes you are configuring your first Ethernet interface, identified as eth0. Change the address, netmask and gateway values to meet the requirements of your network.

auto eth0
iface eth0 inet static
address 10.0.0.100
netmask 255.255.255.0
gateway 10.0.0.1

By adding an interface configuration as shown above, you can manually enable the interface with the ifup command.

sudo ifup eth0

To manually disable the interface, use the ifdown command.

sudo ifdown eth0

1.2.4. Loopback Interface

The loopback interface is identified by the system as lo and has a default IP address of 127.0.0.1. It can be viewed using the ifconfig command.

ifconfig lo

By default there should be two lines in /etc/network/interfaces responsible for automatically configuring the loopback interface. It is recommended that you keep the default settings unless you have a specific reason to change them. The two default lines are shown below.

auto lo
iface lo inet loopback
1.3. Name Resolution

Name resolution, as it relates to IP networking, is the process of mapping IP addresses to hostnames, making it easier to identify resources on a network. The following section explains how to properly configure your system for name resolution using DNS and static hostname records.

1.3.1. DNS Client Configuration

Traditionally, the file /etc/resolv.conf was a static configuration file that rarely needed to be changed, or was changed automatically via DHCP client hooks. Nowadays a computer can switch from one network to another quite often, and the resolvconf framework is now used to track these changes and update the resolver's configuration automatically. It acts as an intermediary between programs that supply nameserver information and applications that need it. Resolvconf is populated with information by a set of hook scripts related to network interface configuration. The most notable difference for the user is that any change made manually to /etc/resolv.conf will be lost, as it is overwritten each time something triggers resolvconf. Instead, resolvconf uses DHCP client hooks and /etc/network/interfaces to generate the list of nameservers and domains to put in /etc/resolv.conf, which is now a symlink:

/etc/resolv.conf -> ../run/resolvconf/resolv.conf

To configure the resolver, add the IP addresses of the nameservers that are appropriate for your network to the file /etc/network/interfaces. You can also add an optional DNS suffix search list to match your network domain names. For any other valid resolv.conf configuration option, you can include in the stanza one line beginning with that option name prefixed with dns-. The resulting file might look like the following:

iface eth0 inet static
    address 192.168.3.3
    netmask 255.255.255.0
    gateway 192.168.3.1
    dns-search example.com
    dns-nameservers 192.168.3.45 192.168.8.10

The search option can also be used with multiple domain names, so that DNS queries are tried with each appended in the order in which they are entered. For example, your network may have multiple sub-domains to search: a parent domain example.com and two sub-domains, sales.example.com and dev.example.com.

If you have multiple domains you wish to search, your configuration might look like the following:

iface eth0 inet static
    address 192.168.3.3
    netmask 255.255.255.0
    gateway 192.168.3.1
    dns-search example.com sales.example.com dev.example.com
    dns-nameservers 192.168.3.45 192.168.8.10

If you try to ping a host with the name server1, your system will automatically query DNS for its Fully Qualified Domain Name (FQDN) in the following order:

1. server1.example.com
2. server1.sales.example.com
3. server1.dev.example.com

If no matches are found, the DNS server provides a result of notfound and the DNS query fails.

1.3.2. Static Hostnames

Static hostnames are locally defined hostname-to-IP mappings located in the file /etc/hosts. Entries in the hosts file take precedence over DNS by default. This means that if your system tries to resolve a hostname and it matches an entry in /etc/hosts, it will not attempt to look up the record in DNS. In some configurations, especially when Internet access is not required, servers that communicate with a limited number of resources can conveniently be set to use static hostnames instead of DNS.

The following is an example of a hosts file where a number of local servers have been identified by simple hostnames, aliases and their equivalent Fully Qualified Domain Names (FQDNs).

127.0.0.1   localhost
127.0.1.1   ubuntu-server
10.0.0.11   server1 vpn server1.example.com
10.0.0.12   server2 mail server2.example.com

In the above example, notice that each of the servers has been given an alias in addition to its proper short name and FQDN. Server1 has been mapped to the name vpn and server2 is referred to as mail; in the full example server3 is www and server4 is file.

1.3.3. Name Service Switch Configuration

The order in which your system selects a method of resolving hostnames to IP addresses is controlled by the Name Service Switch (NSS) configuration file /etc/nsswitch.conf. As mentioned in the previous section, static hostnames defined in the system's /etc/hosts file typically take precedence over names resolved from DNS. The following is an example of the line responsible for this order of hostname lookups in the file /etc/nsswitch.conf.

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4

- files first tries to resolve static hostnames located in /etc/hosts.
- mdns4_minimal attempts to resolve the name using Multicast DNS.
- [NOTFOUND=return] means that any response of notfound by the preceding mdns4_minimal process should be treated as authoritative, and that the system should not continue hunting for an answer.
- dns represents a legacy unicast DNS query.
- mdns4 represents a Multicast DNS query.

To modify the order of the above name resolution methods, simply change the hosts: string to the value of your choosing. For example, if you prefer to use legacy unicast DNS over Multicast DNS, change the string in /etc/nsswitch.conf as shown below.

hosts:          files dns [NOTFOUND=return] mdns4_minimal mdns4
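The interaction between the search list in 1.3.1 and the source order in 1.3.3 is easier to see by walking the lookup the way the resolver does. As an added example (not code from the guide or from glibc), the following Python simulates the NSS hosts lookup over a constructed hosts file, a constructed unicast DNS table and a constructed mDNS table, recording which names are ever sent to unicast DNS. It assumes the documented behaviour of mdns4_minimal: it answers only for names ending in .local and reports UNAVAIL for everything else, which is what makes the [NOTFOUND=return] action safe to place after it. All data here is constructed for the example.

```python
# Constructed sample data for this example (not a capture from a real host).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.1.1   ubuntu-server
10.0.0.11   server1 vpn server1.example.com
10.0.0.12   server2 mail server2.example.com
"""
SAMPLE_DNS = {"server1.example.com": "10.0.0.11",
              "printer.sales.example.com": "192.168.3.70",
              "secret.local": "203.0.113.9"}      # a .local name a unicast resolver should never be asked for
SAMPLE_MDNS = {"nas.local": "192.168.3.20"}
NSSWITCH_DEFAULT = "hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4"
NSSWITCH_DNS_FIRST = "hosts: files dns [NOTFOUND=return] mdns4_minimal mdns4"

def parse_hosts(text):
    """/etc/hosts -> {name: address}, first mapping wins, names compared case-insensitively."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                table.setdefault(name.lower(), fields[0])
    return table

def parse_nsswitch_hosts(line):
    """'hosts: files mdns4_minimal [NOTFOUND=return] dns' -> [('files', {}), ('mdns4_minimal', {'NOTFOUND': 'return'}), ...]"""
    sources = []
    for tok in line.split(":", 1)[1].split():
        if tok.startswith("["):                 # action applies to the source just before it
            status, action = tok.strip("[]").split("=")
            sources[-1][1][status.upper()] = action.lower()
        else:
            sources.append((tok, {}))
    return sources

def search_candidates(name, search_domains, ndots=1):
    """Order in which the stub resolver tries a name: search-list suffixes first for a short name
    (fewer than ndots dots; ndots=1 is the resolv.conf default), otherwise the literal name first."""
    suffixed = ["%s.%s" % (name, d) for d in search_domains]
    return suffixed + [name] if name.count(".") < ndots else [name] + suffixed

def resolve(name, nsswitch_line, hosts=SAMPLE_HOSTS, dns=SAMPLE_DNS, mdns=SAMPLE_MDNS, trace=None):
    """Walk the NSS sources in order. Each source yields SUCCESS, NOTFOUND (the source is authoritative:
    the name does not exist) or UNAVAIL (the source does not handle this name). The default action for
    anything but SUCCESS is to continue to the next source; [STATUS=return] overrides that."""
    name = name.lower()
    table = parse_hosts(hosts)
    for source, actions in parse_nsswitch_hosts(nsswitch_line):
        if source == "files":
            status, addr = ("SUCCESS", table[name]) if name in table else ("NOTFOUND", None)
        elif source in ("mdns4_minimal", "mdns4"):
            if source == "mdns4_minimal" and not name.endswith(".local"):
                status, addr = "UNAVAIL", None   # assumption: minimal module only speaks for .local names
            else:
                status, addr = ("SUCCESS", mdns[name]) if name in mdns else ("NOTFOUND", None)
        elif source == "dns":
            if trace is not None:
                trace.append(name)               # record what leaves the host as a unicast query
            status, addr = ("SUCCESS", dns[name]) if name in dns else ("NOTFOUND", None)
        else:
            status, addr = "UNAVAIL", None
        if status == "SUCCESS":
            return addr
        if actions.get(status, "continue") == "return":
            return None
    return None
```

With the default line, a .local name that mDNS cannot find stops at [NOTFOUND=return] and is never sent to the unicast server; with the "dns first" line from the last paragraph the same query goes to unicast DNS, which is the trade-off that line makes.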
1.4. Bridging

Bridging multiple interfaces is a more advanced configuration, but is very useful in several scenarios. One scenario is setting up a bridge with multiple network interfaces and then using a firewall to filter traffic between two network segments. Another is using a bridge on a system with one interface to allow virtual machines direct access to the outside network. The following example covers the latter scenario.

Before configuring a bridge you need to install the bridge-utils package. To install the package, in a terminal enter:

sudo apt-get install bridge-utils

Next, configure the bridge by editing /etc/network/interfaces:

auto lo
iface lo inet loopback

auto br0
iface br0 inet static
        address 192.168.0.10
        network 192.168.0.0
        netmask 255.255.255.0
        broadcast 192.168.0.255
        gateway 192.168.0.1
        bridge_ports eth0
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off

Enter the appropriate values for your physical interface and network.

Now restart networking to enable the bridge interface:

sudo /etc/init.d/networking restart

The new bridge interface should now be up and running. The brctl utility provides useful information about the state of the bridge and controls which interfaces are part of it. See man brctl for more information.

1.5. Resources

- The Ubuntu Wiki Network page (footnote 1) has links to articles covering more advanced network configuration: https://help.ubuntu.com/community/Network
- The resolvconf man page (footnote 2) has more information on resolvconf: http://manpages.ubuntu.com/manpages/man8/resolvconf.8.html
- The interfaces man page (footnote 3) has details on more options for /etc/network/interfaces: http://manpages.ubuntu.com/manpages/man5/interfaces.5.html
- The dhclient man page (footnote 4) has details on more options for configuring DHCP client settings: http://manpages.ubuntu.com/manpages/man8/dhclient.8.html
- For more information on DNS client configuration see the resolver man page (footnote 5): http://manpages.ubuntu.com/manpages/man5/resolver.5.html. Also, Chapter 6 of O'Reilly's Linux Network Administrator's Guide (footnote 6) is a good source of resolver and name service information: http://oreilly.com/catalog/linag2/book/ch06.html
- For more information on bridging see the brctl man page (footnote 7) and the Linux Foundation's Net:Bridge page (footnote 8): http://manpages.ubuntu.com/manpages/man8/brctl.8.html and http://www.linuxfoundation.org/en/Net:Bridge
2. TCP/IP

The Transmission Control Protocol and Internet Protocol (TCP/IP) is a standard set of protocols developed in the late 1970s by the Defense Advanced Research Projects Agency (DARPA) as a means of communication between different types of computers and computer networks. TCP/IP is the driving force of the Internet, and thus the most popular set of network protocols in use.

2.1. TCP/IP Introduction

The two protocol components of TCP/IP deal with different aspects of computer networking. Internet Protocol, the "IP" of TCP/IP, is a connectionless protocol which deals only with network packet routing, using the IP datagram as the basic unit of networking information. The IP datagram consists of a header followed by a message. The Transmission Control Protocol, the "TCP" of TCP/IP, enables network hosts to establish connections which may be used to exchange data streams. TCP also guarantees that the data sent over a connection is delivered, and that it arrives at one network host in the same order as it was sent from the other.

2.2. TCP/IP Configuration

The TCP/IP protocol configuration consists of several elements which must be set by editing the appropriate configuration files, or by deploying solutions such as a Dynamic Host Configuration Protocol (DHCP) server, which in turn can be configured to provide the proper TCP/IP configuration settings to network clients automatically. These configuration values must be set correctly in order for your Ubuntu system to operate properly on the network.

The common configuration elements of TCP/IP and their purposes are as follows:

- IP address: the IP address is a unique identifying string expressed as four decimal numbers ranging from zero (0) to two hundred and fifty-five (255), separated by periods, with each of the four numbers representing eight (8) bits of the address, for a total length of thirty-two (32) bits. This format is called dotted quad notation.

- Netmask: the subnet mask (or simply netmask) is a local bit mask, or set of flags, which separates the portion of an IP address significant to the network from the bits significant to the subnetwork. For example, in a Class C network the standard netmask is 255.255.255.0, which masks the first three bytes of the IP address and leaves the last byte available for specifying hosts on the subnetwork. (Address classes are historical; current networks are described by a prefix length such as /24 instead, but the masking arithmetic is the same.)

- Network address: the network address represents the bytes comprising the network portion of an IP address. For example, the host 12.128.1.2 in a Class A network would use 12.0.0.0 as the network address, where twelve (12) represents the first byte of the IP address (the network part) and zeroes in all of the remaining three bytes represent the potential host values. A network host using the private IP address 192.168.1.100 would in turn use a network address of 192.168.1.0, which specifies the first three bytes of the Class C 192.168.1 network and a zero (0) for all the possible hosts on the network.

- Broadcast address: the broadcast address is an IP address which allows network data to be sent simultaneously to all hosts on a given subnetwork rather than to a particular host. The standard general broadcast address for IP networks is 255.255.255.255, but it cannot be used to send a broadcast message to every host on the Internet because routers block it. A more appropriate broadcast address is set to match a specific subnetwork. For example, on the private Class C network 192.168.1.0, the broadcast address is 192.168.1.255. Broadcast messages are typically produced by network protocols such as the Address Resolution Protocol (ARP) and the Routing Information Protocol (RIP).

- Gateway address: the gateway address is the IP address through which a particular network, or a host on a network, may be reached. If one network host wishes to communicate with another host that is not on the same network, a gateway must be used. In many cases the gateway address is that of a router on the same network, which in turn passes traffic on to other networks or hosts, such as Internet hosts. The gateway address setting must be correct or your system will not be able to reach any hosts beyond those on the same network.

- Nameserver address: nameserver addresses are the IP addresses of Domain Name Service (DNS) systems, which resolve network hostnames into IP addresses. There are three levels of nameserver addresses which may be specified in order of precedence: the primary, secondary and tertiary nameserver. For your system to resolve network hostnames into their corresponding IP addresses, you must specify valid nameserver addresses which you are authorised to use in your system's TCP/IP configuration. In many cases these addresses are provided by your network service provider, but many free and publicly accessible nameservers are also available, such as the Level3 (Verizon) servers with IP addresses 4.2.2.1 to 4.2.2.6.

The IP address, netmask, network address, broadcast address and gateway address are typically specified via the appropriate directives in the file /etc/network/interfaces. The nameserver addresses are typically specified via nameserver directives in the file /etc/resolv.conf. For more information, view the system manual page for interfaces or resolv.conf respectively, with the following commands typed at a terminal prompt:

Access the system manual page for interfaces with the following command:

man interfaces

Access the system manual page for resolv.conf with the following command:

man resolv.conf

2.3. IP Routing

IP routing is a means of specifying and discovering paths in a TCP/IP network along which network data may be sent. Routing uses a set of routing tables to direct the forwarding of network data packets from their source to the destination, often via many intermediary network nodes known as routers. There are two primary forms of IP routing: static routing and dynamic routing.

Static routing involves manually adding IP routes to the system's routing table, usually by manipulating the routing table with the route command. Static routing has many advantages over dynamic routing, such as simplicity of implementation on smaller networks, predictability (the routing table is always computed in advance, so the route is precisely the same each time it is used), and low overhead on other routers and network links due to the lack of a dynamic routing protocol. However, static routing also has disadvantages. It is limited to small networks and does not scale well, and it fails completely to adapt to network outages and failures along the route, due to the fixed nature of the route.

Dynamic routing depends on large networks with multiple possible IP routes from a source to a destination, and makes use of special routing protocols, such as the Router Information Protocol (RIP), which handle the automatic adjustments to routing tables that make dynamic routing possible. Dynamic routing has several advantages over static routing, such as superior scalability and the ability to adapt to failures and outages along network routes. Additionally, there is less manual configuration of the routing tables, since routers learn from one another about their existence and available routes, which also eliminates the possibility of introducing mistakes into the routing tables through human error. Dynamic routing is not perfect, however: it brings heightened complexity and additional network overhead from router communications, which does not immediately benefit end users but still consumes network bandwidth.

2.4. TCP and UDP

TCP is a connection-based protocol, offering error correction and guaranteed delivery of data through what is known as flow control. Flow control determines when the flow of a data stream needs to be stopped and previously sent data packets re-sent, due to problems such as collisions, thus ensuring complete and accurate delivery of the data. TCP is typically used in the exchange of important information such as database transactions.

The User Datagram Protocol (UDP), on the other hand, is a connectionless protocol which seldom deals with the transmission of important data, because it lacks flow control or any other method to ensure reliable delivery. UDP is commonly used in applications such as audio and video streaming, where it is considerably faster than TCP because of the lack of error correction and flow control, and where the loss of a few packets is not generally catastrophic.

2.5. ICMP

The Internet Control Messaging Protocol (ICMP) is an extension to the Internet Protocol (IP) defined in Request For Comments (RFC) #792, and supports network packets containing control, error and informational messages. ICMP is used by network applications such as the ping utility, which can determine the availability of a network host or device. Examples of error messages returned by ICMP which are useful to both network hosts and devices such as routers include Destination Unreachable and Time Exceeded.

2.6. Daemons

Daemons are special system applications which typically execute continuously in the background and await requests for the functions they provide from other applications. Many daemons are network-centric; that is, a large number of the daemons executing in the background on an Ubuntu system provide network-related functionality. Examples of such network daemons include the Hyper Text Transport Protocol Daemon (httpd), which provides web server functionality; the Secure SHell Daemon (sshd), which provides secure remote login shell and file transfer capabilities; and the Internet Message Access Protocol Daemon (imapd), which provides e-mail services.

2.7. Resources

- There are man pages for TCP (footnote 9) and IP (footnote 10) that contain more useful information: http://manpages.ubuntu.com/manpages/precise/en/man7/tcp.7.html and http://manpages.ubuntu.com/manpages/precise/man7/ip.7.html
- Also see the TCP/IP Tutorial and Technical Overview IBM Redbook (footnote 11): http://www.redbooks.ibm.com/abstracts/gg243376.html
- Another resource is O'Reilly's TCP/IP Network Administration (footnote 12): http://oreilly.com/catalog/9780596002978/
3. Dynamic Host Configuration Protocol (DHCP)

The Dynamic Host Configuration Protocol (DHCP) is a network service that enables host computers to be assigned settings automatically from a server, as opposed to configuring each network host manually. Computers configured as DHCP clients have no control over the settings they receive from the DHCP server, and the configuration is transparent to the computer's user.

The most common settings provided by a DHCP server to DHCP clients include:

- IP address and netmask
- IP address of the default gateway to use
- IP addresses of the DNS servers to use

The advantage of using DHCP is that changes to the network, for example a change in the address of the DNS server, need only be made on the DHCP server; all network hosts are reconfigured the next time their DHCP clients poll the DHCP server. As an added advantage, it is also easier to integrate new computers into the network, as there is no need to check for the availability of an IP address. Conflicts in IP address allocation are also reduced.

A DHCP server can provide configuration settings using the following methods:

- Manual allocation (by MAC address): this method uses DHCP to identify the unique hardware address of each network card connected to the network and then continually supplies a constant configuration each time the DHCP client makes a request using that network device. This ensures that a particular address is assigned automatically to that network card, based on its MAC address.

- Dynamic allocation (address pool): the DHCP server assigns an IP address from a pool of addresses (sometimes also called a range or scope) for a period of time, or lease, that is configured on the server, or until the client informs the server that it no longer needs the address. This way the clients receive their configuration properties dynamically and on a "first come, first served" basis. When a DHCP client is no longer on the network for a specified period, the configuration expires and the address is released back to the pool for use by other DHCP clients. After the lease period the client has to renegotiate the lease with the server to keep using the address.

- Automatic allocation: the DHCP server assigns an IP address permanently to a device, selecting it from a pool of available addresses. Usually DHCP is used to assign a temporary address to a client, but a DHCP server can allow an infinite lease time.

The last two methods can be considered "automatic" because in each case the DHCP server assigns an address with no extra intervention needed. The only difference between them is how long the IP address is leased, in other words whether a client's address varies over time.

Ubuntu ships with both a DHCP server and client. The server is dhcpd (dynamic host configuration protocol daemon). The client provided with Ubuntu is dhclient and should be installed on all computers that require automatic configuration. Both programs are easy to install and configure and are started automatically at system boot.

3.1. Installation

At a terminal prompt, enter the following command to install dhcpd:

sudo apt-get install isc-dhcp-server

You will probably need to change the default configuration by editing /etc/dhcp/dhcpd.conf to suit your needs and particular configuration.

You may also need to edit /etc/default/isc-dhcp-server to specify the interfaces dhcpd should listen on; restricting it to the intended internal interface avoids answering DHCP requests on networks you do not manage.

NOTE: dhcpd's messages are sent to syslog. Look there for diagnostic messages.

3.2. Configuration

Most commonly, what you want to do is assign IP addresses from a pool. This can be done with settings as follows:

# minimal sample /etc/dhcp/dhcpd.conf
default-lease-time 600;
max-lease-time 7200;

subnet 192.168.1.0 netmask 255.255.255.0 {
 range 192.168.1.150 192.168.1.200;
 option routers 192.168.1.254;
 option domain-name-servers 192.168.1.1, 192.168.1.2;
 option domain-name "mydomain.example";
}

This results in the DHCP server giving clients an IP address from the range 192.168.1.150-192.168.1.200. It leases an IP address for 600 seconds if the client does not ask for a specific time frame; otherwise the maximum (allowed) lease is 7200 seconds. The server also "advises" the client to use 192.168.1.254 as the default gateway and 192.168.1.1 and 192.168.1.2 as its DNS servers.

After changing the config file you have to restart dhcpd:

sudo /etc/init.d/isc-dhcp-server restart

3.3. References

- The dhcp3-server Ubuntu Wiki page (footnote 13) has more information: https://help.ubuntu.com/community/dhcp3-server
- For more /etc/dhcp/dhcpd.conf options see the dhcpd.conf man page (footnote 14): http://manpages.ubuntu.com/manpages/precise/en/man5/dhcpd.conf.5.html
- ISC dhcp-server (footnote 15): http://www.isc.org/software/dhcp
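The minimal dhcpd.conf above is short enough to check by eye, but the mistakes that bite in practice (a pool that overlaps the gateway's own address, a range that includes the broadcast address, a default lease longer than the maximum) are silent until a client collides. As an added example (not code from the guide or from ISC), the following Python parses the subnet declarations of such a file and reports those mistakes. The configuration text is a copy of the sample above; the broken variant in the usage is constructed for the example, and the parser only handles the directives the sample uses.

```python
import ipaddress
import re

# Copy of the minimal sample /etc/dhcp/dhcpd.conf shown above (used as the clean input for this example).
SAMPLE_DHCPD_CONF = """\
# minimal sample /etc/dhcp/dhcpd.conf
default-lease-time 600;
max-lease-time 7200;

subnet 192.168.1.0 netmask 255.255.255.0 {
 range 192.168.1.150 192.168.1.200;
 option routers 192.168.1.254;
 option domain-name-servers 192.168.1.1, 192.168.1.2;
 option domain-name "mydomain.example";
}
"""

def parse_dhcpd(text):
    """Extract global lease times and, per subnet, the network, pools and routers (only these directives)."""
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())   # drop comments
    conf = {"default-lease-time": None, "max-lease-time": None, "subnets": []}
    for key in ("default-lease-time", "max-lease-time"):
        m = re.search(r"^\s*%s\s+(\d+);" % key, text, flags=re.M)
        if m:
            conf[key] = int(m.group(1))
    for net, mask, body in re.findall(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", text, flags=re.S):
        sub = {"network": ipaddress.ip_network("%s/%s" % (net, mask), strict=False), "ranges": [], "routers": []}
        for lo, hi in re.findall(r"range\s+(\S+)\s+(\S+)\s*;", body):
            sub["ranges"].append((ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        m = re.search(r"option\s+routers\s+([^;]+);", body)
        if m:
            sub["routers"] = [ipaddress.ip_address(r.strip()) for r in m.group(1).split(",")]
        conf["subnets"].append(sub)
    return conf

def lint_dhcpd(text):
    """Findings about the configuration; an empty list means none of the checked mistakes is present."""
    conf = parse_dhcpd(text)
    findings = []
    d, mx = conf["default-lease-time"], conf["max-lease-time"]
    if d is not None and mx is not None and d > mx:
        findings.append("default-lease-time %d exceeds max-lease-time %d" % (d, mx))
    for sub in conf["subnets"]:
        net = sub["network"]
        for lo, hi in sub["ranges"]:
            if lo > hi:
                findings.append("%s: range %s-%s is reversed" % (net, lo, hi))
            if lo not in net or hi not in net:
                findings.append("%s: range %s-%s leaves the subnet" % (net, lo, hi))
            if lo <= net.network_address <= hi or lo <= net.broadcast_address <= hi:
                findings.append("%s: range %s-%s includes the network or broadcast address" % (net, lo, hi))
        for r in sub["routers"]:
            if r not in net:
                findings.append("%s: router %s is not on this subnet" % (net, r))
            for lo, hi in sub["ranges"]:
                if lo <= r <= hi:
                    findings.append("%s: router %s lies inside pool %s-%s" % (net, r, lo, hi))
    return findings
```

The check complements, rather than replaces, dhcpd's own syntax test (`dhcpd -t`), which validates the file's grammar but not whether the addresses make sense together.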
4. Time Synchronisation with NTP

NTP is a TCP/IP protocol for synchronising time over a network. Basically a client requests the current time from a server and uses it to set its own clock.

Behind this simple description there is a lot of complexity: there are tiers of NTP servers, with the tier one NTP servers connected to atomic clocks and tier two and three servers spreading the load of actually handling requests across the Internet. Also the client software is more complex than you might think: it has to factor out communication delays and adjust the time in a way that does not upset all the other processes running on the server. But luckily all that complexity is hidden from you!

Ubuntu uses ntpdate and ntpd.

4.1. ntpdate

Ubuntu comes with ntpdate as standard, and runs it once at boot time to set your clock according to Ubuntu's NTP server:

ntpdate -s ntp.ubuntu.com

4.2. ntpd

The ntp daemon ntpd calculates the drift of your system clock and continuously adjusts it, so there are no large corrections that could lead to inconsistent logs, for instance. The cost is a little processing power and memory, but for a modern server this is negligible.

4.3. Installation

To install ntpd, from a terminal prompt enter:

sudo apt-get install ntp

4.4. Configuration

Edit /etc/ntp.conf to add or remove server lines. By default these servers are configured:

# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board
# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for
# more information.
server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org

After changing the config file you have to reload ntpd.

4.5. View Status

You can see the status of ntpd by running ntpq. The table below is the guide's sample; one "when" value did not survive in this copy and is left blank.

sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+stratum2-2.NTP. 129.70.130.70    2 u    5   64  377   68.461  -44.274 110.334
+ntp2.m-online.n 212.18.1.106     2 u        64  377   54.629  -27.318  78.882
*145.253.66.170  .DCFa.           1 u   10   64  377   83.607  -30.159  68.343
+stratum2-3.NTP. 129.70.130.70    2 u    5   64  357   68.795  -68.168 104.612
+europium.canoni 193.79.237.14    2 u   63   64  337   81.534  -67.968  92.792

4.6. References

- See the Ubuntu Time wiki page (footnote 16) for more information: https://help.ubuntu.com/community/UbuntuTime
- ntp.org, home of the Network Time Protocol project (footnote 17): http://www.ntp.org/
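The ntpq -p table above is what an operator reads to decide whether a server's clock can be trusted, which matters for log correlation and for anything that checks certificate or ticket validity. As an added example (not code from the guide or from the ntp project), the following Python parses that table and raises the findings a monitoring check would: no selected source, peers that missed polls (reach is an octal shift register of the last eight polls), unsynchronised stratum-16 peers, and offsets beyond a threshold. The sample table is constructed for this example in the layout of ntpq -p, modelled on the values above with one unreachable peer added.

```python
# Constructed sample in the layout of 'ntpq -p' (values modelled on the table above plus an unreachable peer; not a live capture).
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+stratum2-2.NTP. 129.70.130.70    2 u    5   64  377   68.461  -44.274 110.334
+ntp2.m-online.n 212.18.1.106     2 u    5   64  377   54.629  -27.318  78.882
*145.253.66.170  .DCFa.           1 u   10   64  377   83.607  -30.159  68.343
+stratum2-3.NTP. 129.70.130.70    2 u    5   64  357   68.795  -68.168 104.612
 europium.canoni .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

# ntpq's tally codes in the first column
TALLY = {"*": "sys.peer", "+": "candidate", "-": "outlier", "x": "falseticker",
         ".": "excess", "#": "backup", " ": "rejected"}

def parse_ntpq(text):
    """Return one dict per peer line of ntpq -p output."""
    peers = []
    for line in text.splitlines()[2:]:          # skip the header and the ===== rule
        if not line.strip():
            continue
        tally, rest = line[0], line[1:].split()
        remote, refid, st, t, when, poll, reach, delay, offset, jitter = rest
        peers.append({
            "tally": TALLY.get(tally, "?"), "remote": remote, "refid": refid,
            "stratum": int(st), "when": None if when == "-" else int(when), "poll": int(poll),
            "reach": int(reach, 8),             # octal: one bit per poll, 377 means all of the last 8 answered
            "delay": float(delay), "offset": float(offset), "jitter": float(jitter),
        })
    return peers

def assess(peers, max_offset_ms=100.0):
    """Findings a monitoring check would raise for the parsed peer list."""
    findings = []
    if not any(p["tally"] == "sys.peer" for p in peers):
        findings.append("no peer selected as system clock source")
    for p in peers:
        if p["reach"] != 0o377:
            missed = 8 - bin(p["reach"]).count("1")
            findings.append("%s: %d of the last 8 polls got no reply" % (p["remote"], missed))
        if p["stratum"] == 16:
            findings.append("%s: stratum 16 (unsynchronised)" % p["remote"])
        if abs(p["offset"]) > max_offset_ms:
            findings.append("%s: offset %.1f ms exceeds %.0f ms" % (p["remote"], p["offset"], max_offset_ms))
    return findings
```

Right after ntpd starts every peer looks like the last line (reach 0, stratum 16, refid .INIT.); a check should therefore allow a few poll intervals before treating those findings as an alert.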
5. Device Mapper Multipathing (DM-Multipath)

1. Device Mapper Multipathing

Device mapper multipathing (DM-Multipath) allows you to configure multiple I/O paths between server nodes and storage arrays into a single device. These I/O paths are physical SAN connections that can include separate cables, switches and controllers. Multipathing aggregates the I/O paths, creating a new device that consists of the aggregated paths. This chapter provides a summary of the features of DM-Multipath that are new for the initial release of Ubuntu Server 12.04, followed by a high-level overview of DM-Multipath and its components and an overview of DM-Multipath setup.

1.1. New and Changed Features for Ubuntu Server 12.04

Ubuntu Server 12.04 migrated from multipath-0.4.8 to multipath-0.4.9.

1.1.1. Migration from 0.4.8

The priority checkers are no longer run as standalone binaries, but as shared libraries. The key value name for this feature has also changed slightly: copy the attribute named prio_callout to prio, and also modify the argument, which is the name of the priority checker. A list of the shared libraries to use with DM-Multipath and their conversion appears in Table 5.1 [60].

Table 5.1. Priority checker conversion (the v0.4.8 callout names other than the last row did not survive in this copy)

v0.4.8                                     v0.4.9
prio_callout ...                           prio emc
prio_callout ...                           prio alua
prio_callout ...                           prio netapp
prio_callout ...                           prio rdac
prio_callout ...                           prio hp_sw
prio_callout mpath_prio_hds_modular %b     prio hds

Since the multipath config file parser essentially parses all key/value pairs it finds and then makes use of them, it is safe for both prio_callout and prio to coexist, and it is recommended that the prio attribute be inserted before beginning the migration. Afterwards you can safely delete the legacy prio_callout attribute without interrupting service.

1.2. Overview

DM-Multipath can be used to provide:

- Redundancy: DM-Multipath can provide failover in an active/passive configuration. In an active/passive configuration only half the paths are used at any time for I/O. If any element of an I/O path (the cable, switch or controller) fails, DM-Multipath switches to an alternate path.

- Improved performance: DM-Multipath can be configured in active/active mode, where I/O is spread over the paths in a round-robin fashion. In some configurations DM-Multipath can detect loading on the I/O paths and dynamically re-balance the load.

1.3. Storage Array Overview

By default, DM-Multipath includes support for the most common storage arrays that support DM-Multipath. The supported devices can be found in the multipath.conf.defaults file. If your storage array supports DM-Multipath and is not configured by default in this file, you may need to add it to the DM-Multipath configuration file, multipath.conf. For information on the DM-Multipath configuration file, see the section "The DM-Multipath Configuration File". Some storage arrays require special handling of I/O errors and path switching. These require separate hardware handler kernel modules.

1.4. DM-Multipath Components

Table 5.2 describes the components of the DM-Multipath package.

Table 5.2. DM-Multipath components

dm_multipath kernel module: reroutes I/O and supports failover for paths and path groups.
multipath command: lists and configures multipath devices. Normally started from /etc/rc.sysinit, it can also be started by a udev program whenever a block device is added, or run from the initramfs file system.
multipathd daemon: monitors paths; as paths fail and come back, it may initiate path group switches. Provides for interactive changes to multipath devices. This daemon must be restarted for any changes to the /etc/multipath.conf file to take effect.
kpartx command: creates device mapper devices for the partitions on a device. It is necessary to use this command for DOS-based partitions with DM-Multipath. kpartx is provided in its own package, but the multipath-tools package depends on it.

1.5. DM-Multipath Setup Overview

DM-Multipath includes compiled-in default settings that are suitable for common multipath configurations. Setting up DM-Multipath is often a simple procedure. The basic procedure for configuring your system with DM-Multipath is as follows:

1. Install the multipath-tools and multipath-tools-boot packages.
2. Create an empty config file, /etc/multipath.conf, that re-defines the defaults as described below.
3. If necessary, edit the multipath.conf configuration file to modify default values and save the updated file.
4. Start the multipath daemon.
5. Update the initial ramdisk.

For detailed setup instructions for multipath configuration see the section "Setting Up DM-Multipath".
2. Multipath Devices

Without DM-Multipath, each path from a server node to a storage controller is treated by the system as a separate device, even when the I/O path connects the same server node to the same storage controller. DM-Multipath provides a way of organising the I/O paths logically, by creating a single multipath device on top of the underlying devices.

2.1. Multipath Device Identifiers

Each multipath device has a World Wide Identifier (WWID), which is guaranteed to be globally unique and unchanging. By default, the name of a multipath device is set to its WWID. Alternatively, you can set the user_friendly_names option in the multipath configuration file, which causes DM-Multipath to use a node-unique alias of the form mpathn as the name. For example, a node with two HBAs attached to a storage controller with two ports via a single unzoned FC switch sees four devices: /dev/sda, /dev/sdb, /dev/sdc and /dev/sdd. DM-Multipath creates a single device with a unique WWID that reroutes I/O to those four underlying devices according to the multipath configuration. When user_friendly_names is set to yes, the name of the multipath device is set to mpathn. When new devices are brought under the control of DM-Multipath, they may be seen in two different places under the /dev directory: /dev/mapper/mpathn and /dev/dm-n.

- The devices in /dev/mapper are created early in the boot process. Use these devices to access the multipathed devices, for example when creating logical volumes.
- Any devices of the form /dev/dm-n are for internal use only and should never be used.

You can also set the name of a multipath device to a name of your choosing by using the alias option in the multipaths section of the multipath configuration file. For information on the multipaths section of the multipath configuration file, see the section "Multipaths Device Configuration Attributes".

2.2. Consistent Multipath Device Names in a Cluster

When user_friendly_names is set to yes, the name of the multipath device is unique to a node, but it is not guaranteed to be the same on all nodes using the multipath device. Similarly, if you set the alias option for a device in the multipaths section of the multipath.conf configuration file, the name is not automatically consistent across all nodes in the cluster. This should not cause any difficulties if you use LVM to create logical devices from the multipath device, but if you require that your multipath device names be consistent on every node it is recommended that you leave user_friendly_names set to no and that you do not configure aliases for the devices. By default, if you do not set user_friendly_names to yes or configure an alias for a device, the device name is the WWID of the device, which is always the same.

If you want the system-defined user-friendly names to be consistent across all nodes in the cluster, however, you can follow this procedure:

1. Set up all of the multipath devices on one machine.
2. Disable all of your multipath devices on your other machines by running the following commands:

# service multipath-tools stop
# multipath -F

3. Copy the /etc/multipath/bindings file from the first machine to all the other machines in the cluster.
4. Re-enable the multipathd daemon on all the other machines in the cluster by running the following command:

# service multipath-tools start

If you add a new device, you will need to repeat this process.

Similarly, if you configure an alias for a device that you would like to be consistent across the nodes in the cluster, you should ensure that the /etc/multipath.conf file is the same on each node by following the same procedure:

1. Configure the aliases for the multipath devices in the multipath.conf file on one machine.
2. Disable all of your multipath devices on your other machines by running the following commands:

# service multipath-tools stop
# multipath -F

3. Copy the multipath.conf file from the first machine to all the other machines in the cluster.
4. Re-enable the multipathd daemon on all the other machines in the cluster by running the following command:

# service multipath-tools start

When you add a new device you will need to repeat this process.

2.3. Multipath Device Attributes

In addition to the user_friendly_names and alias options, a multipath device has numerous attributes. You can modify these attributes for a specific multipath device by creating an entry for that device in the multipaths section of the multipath configuration file. For information on the multipaths section of the multipath configuration file, see the section "Configuration File Multipath Attributes".

2.4. Multipath Devices in Logical Volumes

After creating multipath devices, you can use the multipath device names just as you would use a physical device name when creating an LVM physical volume. For example, if /dev/mapper/mpatha is the name of a multipath device, the following command marks /dev/mapper/mpatha as a physical volume:

# pvcreate /dev/mapper/mpatha

You can use the resulting LVM physical device when you create an LVM volume group just as you would use any other LVM physical device.

If you attempt to create an LVM physical volume on a whole device on which you have configured partitions, the pvcreate command will fail.

When you create an LVM logical volume that uses active/passive multipath arrays as the underlying physical devices, you should include filters in lvm.conf to exclude the disks that underlie the multipath devices. This is because if the array automatically changes the active path to the passive path when it receives I/O, multipath will fail over and fail back whenever LVM scans the passive path if these devices are not filtered. For active/passive arrays that require a command to make the passive path active, LVM prints a warning message when this occurs. To filter all SCSI devices in the LVM configuration file (lvm.conf), include the following filter in the devices section of the file:

filter = [ "r/block/", "r/disk/", "r/sd.*/", "a/.*/" ]

After updating /etc/lvm.conf, it is necessary to update the initrd so that this file is copied there, where the filter matters most, during boot. Perform:

update-initramfs -u -k all

Every time either /etc/lvm.conf or /etc/multipath.conf is updated, the initrd should be rebuilt to reflect these changes. This is imperative when blacklists and filters are necessary to maintain a stable storage configuration.
(DM-Multipath)
3. DM-Multipath
DMMultipath. :
DM-Multipath
3.1. DM-Multipath
DM-Multipath ,
multipath-tools.
(SAN),
multipath-tools-boot.
/etc/multipath.conf .
multpath /etc/multipath.conf,
,
. multipath -ll
(multipaths),
, -
.
(SAN), multipath,
/usr/share/doc/multipath-tools/examples,
multipathd:
# echo 'show config' | multipathd -k > multipath.conf-live
multipathd, /etc/
multipath.conf, ,
/etc/multipath.conf .
/etc/multipath.conf,
touch, ,
:
defaults {
user_friendly_names no
}
multipathd:
# service multipath-tools restart
"show config" .
68
(DM-Multipath)
3.2.
1
install disk-detect/multipath/enable=true
. ,
/dev/mapper/mpath<X>.
3.3.
SCSI
. DM-Multipath .
multipath
.
1. , ,
. /dev/sda .
,
multipath, multipath -v2
/dev/sda .
multipath
Multipath Command Output.
# multipath -v2
create: SIBM-ESXSST336732LC____F3ET0EP0Q000072428BX1 undef WINSYS,SF2372
size=33 GB features="0" hwhandler="0" wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
  |- 0:0:0:0 sda 8:0 [--------
device-mapper ioctl cmd 9 failed: Invalid argument
device-mapper ioctl cmd 14 failed: No such device or address
create: 3600a0b80001327d80000006d43621677 undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
  |- 2:0:0:0 sdb 8:16 undef ready running
  `- 3:0:0:0 sdf 8:80 undef ready running
create: 3600a0b80001327510000009a436215ec undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
  |- 2:0:0:1 sdc 8:32 undef ready running
  `- 3:0:0:1 sdg 8:96 undef ready running
create: 3600a0b80001327d800000070436216b3 undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
  |- 2:0:0:2 sdd 8:48 undef ready running
  `- 3:0:0:2 sdg 8:112 undef ready running
create: 3600a0b80001327510000009b4362163e undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
  |- 2:0:0:3 sdd 8:64 undef ready running
  `- 3:0:0:3 sdg 8:128 undef ready running
http://wiki.debian.org/DebianInstaller/MultipathSupport
2. /dev/sda
multipath, blacklist /etc/multipath.conf
.
sda devnode,
, , /dev/sda
.
, WWID. ,
multipath -v2 WWID /dev/sda
SIBM-ESXSST336732LC____F3ET0EP0Q000072428BX1.
, /etc/multipath.conf.
blacklist {
wwid SIBM-ESXSST336732LC____F3ET0EP0Q000072428BX1
}
3. /etc/multipath.conf,
multipathd .
/etc/
multipath.conf.
# service multipath-tools reload
4.
:
# multipath -f SIBM-ESXSST336732LC____F3ET0EP0Q000072428BX1
5. , ,
multipath -ll
multipath. multipath -ll
Multipath Queries with multipath Command. ,
,
multipath, .
multipath v2,
-v.
# multipath
create: 3600a0b80001327d80000006d43621677 undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
  |- 2:0:0:0 sdb 8:16 undef ready running
  `- 3:0:0:0 sdf 8:80 undef ready running
create: 3600a0b80001327510000009a436215ec undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
  |- 2:0:0:1 sdc 8:32 undef ready running
  `- 3:0:0:1 sdg 8:96 undef ready running
3.4.
DM-Multipath
, DM-Multipath.
,
, multipath.conf.defaults.
, ,
/etc/multipath.conf
.
, HP Open-V series
, %n :
devices {
device {
vendor "HP"
product "OPEN-V."
getuid_callout "/lib/udev/scsi_id --whitelisted --device=/dev/%n"
}
}
[83].
4. DM-Multipath
DM-Multipath
. DM-Multipath
,
DM-Multipath.
multipath.conf.defaults.
DM-Multipath, /etc/multipath.conf.
, ,
, .
multipath.conf.
:
[72]
" " [73]
[75]
[81]
[83]
multipath
, ,
,
multipath.conf.defaults. ,
,
, ,
.
.
/usr/share/doc/multipath-tools/examples/multipath.conf.annotated.gz.
4.1.
multipath :
blacklist
,
multipath.
blacklist_exceptions
,
blacklist.
defaults
DM-Multipath.
multipath
. ,
defaults devices.
devices
.
, defaults.
,
,
devices.
,
multipath, devices,
.
blacklist {
wwid 26353900f02796769
}
4.2.2.
,
,
devnode blacklist.
,
SCSI ,
sd*.
blacklist {
devnode "^sd[a-z]"
}
devnode blacklist
. , , ,
, udev,
. ,
/dev/sda /dev/sdb.
devnode
blacklist. , ,
DM-Multipath.
,
blacklist_exceptions
[75]
blacklist {
devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*"
devnode "^hd[a-z]"
}
4.2.3.
blacklist
device.
IBM DS4200 HP.
blacklist {
    device {
        vendor  "IBM"
        product "3S42"      #DS4200 Product 10
    }
    device {
        vendor  "HP"
        product "*"
    }
}
4.2.4.
blacklist_exceptions
,
.
,
( WWID 3600d0230000000000e13955cc3757803), ,
,
,
/etc/multipath.conf.
blacklist {
wwid "*"
}
blacklist_exceptions {
wwid "3600d0230000000000e13955cc3757803"
}
blacklist_exceptions
,
, blacklist. , WWID
, blacklist devnode,
WWID.
devnode devnode,
device device.
4.3.
/etc/multipath.conf defaults,
user_friendly_names yes, :
defaults {
user_friendly_names yes
}
user_friendly_names
.
.
:
#defaults {
#    udev_dir              /dev
#    polling_interval      5
#    selector              "round-robin 0"
#    path_grouping_policy  failover
#    getuid_callout        "/lib/udev/scsi_id --whitelisted --device=/dev/%n"
#    prio                  const
#    path_checker          directio
#    rr_min_io             1000
#    rr_weight             uniform
#    failback              manual
#    no_path_retry         fail
#    user_friendly_names   no
#}
defaults . ,
path_grouping_policy multibus
failover,
, :
defaults {
    user_friendly_names   yes
    path_grouping_policy  multibus
}
Multipath [76] ,
defaults multipath.conf.
DM-Multipath,
, devices multipaths
multipath.conf.
5.3. Multipath
polling_interval
.
,
(4 * polling_interval).
5.
udev_dir
, udev.
/dev.
multipath_dir
,
.
, /lib/multipath.
verbosity
.
. 0 6.
2.
path_selector
/ .
:
round-robin 0:
, .
queue-length 0:
.
service-time 0:
,
/
.
round-robin 0.
path_grouping_policy
. :
failover = 1
multibus = 1
group_by_serial = 1
group_by_prio = 1
group_by_node_name = 1
failover.
getuid_callout
.
.
/lib/udev/scsi_id --whitelisted --device=/dev/%n.
prio
. , ALUA
SPC-3
prio. :
const: 1
.
emc:
EMC.
alua:
ALUA SCSI-3.
netapp:
NetApp.
rdac:
LSI/Engenio RDAC.
hp_sw:
Compaq/HP /
.
hds:
Hitachi HDS Modular.
const.
prio_args
, prio.
prio .
datacore .
, "timeout=1000 preferredsds=foo".
(null) "".
features
.
- queue_if_no_path,
no_path_retry queue.
,
,
"Issues with queue_if_no_path feature".
path_checker
. :
readsector0: .
tur: TEST UNIT READY .
emc_clariion: EMC Clariion
EVPD 0xC0.
hp_sw:
HP
/.
rdac:
.
directio: .
directio.
failback
.
immediate
, .
manual ,
.
0
.
manual.
rr_min_io
/
.
1000.
rr_weight
priorities, rr_min_io
,
path_selector,
,
rr_min_io. uniform,
.
uniform.
no_path_retry
.
immediate ,
. queue
.
0.
user_friendly_names
yes, ,
/etc/multipath/bindings
alias
multipath mpathn.
no, WWID
alias multipath. ,
multipaths .
no.
queue_without_daemon
no, multipathd
, .
yes.
flush_on_last_del
yes, multipath
,
.
no.
max_fds
, multipath
multipathd.
ulimit -n.
/proc/sys/fs/nr_open.
,
,
1024. ,
+ 32,
1024.
checker_timer
,
SCSI ,
.
/sys/block/sdx/
device/timeout, 30 .
Ubuntu 12.04 LTS.
fast_io_fail_tmo
, SCSI
(FC)
/ .
,
dev_loss_tmo. off
.
.
dev_loss_tmo
, SCSI
(FC)
. infinity
2147483647 . (68 ).
.
4.4.
[81] ,
multipaths multipath.conf.
. DM-Multipath
, defaults devices
multipath.conf.
5.4.
wwid
WWID multipath,
multipath.
multipath.conf.
alias
multipath,
multipath. user_friendly_names,
mpathn.
.
multipath section
path_grouping_policy
path_selector
failback
prio
prio_args
no_path_retry
rr_min_io
rr_weight
flush_on_last_del
,
.
WWID 3600508b4000156d70001200000b0000
yellow.
WWID of 1DEC_____321816758474
red. rr_weight
priorities.
multipaths {
    multipath {
        wwid                  3600508b4000156d70001200000b0000
        alias                 yellow
        path_grouping_policy  multibus
        path_selector         "round-robin 0"
        failback              manual
        rr_weight             priorities
        no_path_retry
    }
    multipath {
        wwid                  1DEC_____321816758474
        alias                 red
        rr_weight             priorities
    }
}
4.5.
[84] ,
devices multipath.conf.
DM-Multipath
multipaths multipath.conf ,
.
defaults multipath.conf.
, ,
multipath.
, ,
multipath.conf.defaults. ,
, ,
, ,
.
multipath.conf.annotated.gz ,
, multipath.conf.synthetic
, .
,
,
vendor product. ,
/sys/block/device_name/device/vendor /sys/block/
device_name/device/model, device_name ,
, :
# cat /sys/block/sda/device/vendor
WINSYS
# cat /sys/block/sda/device/model
SF2372
. /, , ,
.
path_grouping_policy multibus. ,
, , no_path_retry and
rr_min_io, [81].
/,
/ ,
, /
(
). ,
path_checker tur; SCSI ,
Test Unit Ready, .
,
.
emc. , , ,
multipath.
5.5.
vendor
,
, , COMPAQ.
product
,
, , HSV110
(C)COMPAQ.
revision
product_blacklist
hardware_handler ,
,
/.
:
1 emc: EMC.
1 alua: SCSI-3 ALUA.
1 hp_sw: Compaq/HP.
1 rdac: LSI/Engenio
RDAC.
device
path_grouping_policy
getuid_callout
path_selector
path_checker
features
failback
prio
prio_args
no_path_retry
rr_min_io
rr_weight
fast_io_fail_tmo
dev_loss_tmo
flush_on_last_del
Whenever a hardware_handler is specified, it is your responsibility to ensure that the appropriate kernel module is loaded to support the specified interface. These modules can be found in /lib/modules/`uname -r`/kernel/drivers/scsi/device_handler/. The requisite module should be integrated into the initrd to ensure the necessary discovery and failover/failback capacity is available during boot time. Example:
# echo scsi_dh_alua >> /etc/initramfs-tools/modules
# update-initramfs -u -k all
device
multipath:
#devices {
#    device {
#        vendor                "COMPAQ  "
#        product               "MSA1000         "
#        path_grouping_policy  multibus
#        path_checker          tur
#        rr_weight             priorities
#    }
#}
http://en.wikipedia.org/wiki/SCSI_Inquiry_Command
.
,
, :
vendor: 8
product: 16
revision: 4
. ^ $ [ ] . * ? +.
multipath multipath.conf ,
/usr/share/doc/multipath-tools/examples:
# echo 'show config' | multipathd -k
5. DM-Multipath
5.1.
, :
1.
.
.
2.
(LUN):
# multipath -l
3.
. SCSI 1 rescan
SCSI ,
:
# echo 1 > /sys/block/device_name/device/rescan
4.
multipathd:
# multipathd -k 'resize map mpatha'
5.
(,
LVM DOS ):
# resize2fs /dev/mapper/mpatha
5.2.
UUID
. multipathtools-boot . ramdisk
multipath
UUID.
multipath.conf initrd
update-initramfs -u -k all.
multipath.conf ramdisk
blacklist
device.
5.3.
,
.
5.4. Multipath
multipath, ,
multipath , " DM-Multipath".
multipathd ,
multipathd .
multipathd
multipathd, .
5.5. queue_if_no_path
features "1 queue_if_no_path" /
etc/multipath.conf, , -,
, .
no_path_retry N /etc/
multipath.conf.
no_path_retry,
features "1 queue_if_no_path" /etc/multipath.conf.
,
features "1 queue_if_no_path" ,
SAN, features "0"
.
devices ( ),
/usr/share/doc/multipath-tools/examples/multipath.conf.annotated.gz /etc/
multipath.conf
mpathN .
5.6. multipath
,
, .
. :
:
-+- policy='scheduling_policy' prio=prio_if_known status=path_group_status_if_known
:
`- host:channel:id:lun devnode major:minor dm_status_if_known path_status online_status
, multipath :
3600d0230000000000e13955cc3757800 dm-1 WINSYS,SF2372
size=269G features='0' hwhandler='0' wp=rw
|-+- policy='round-robin 0' prio=1 status=active
| `- 6:0:0:0 sdb 8:16 active ready running
`-+- policy='round-robin 0' prio=1 status=enabled
  `- 7:0:0:0 sdf 8:80 active ready running
-, ready
() ghost (). , faulty
() shaky ().
multipathd ,
/etc/multipath.conf.
dm , .
dm : failed, faulty,
active, .
dm .
online_status running offline. offline
, SCSI .
,
, dm , dm
. .
5.7. multipath
-l -ll multipath
multipath. -l multipath,
sysfs . -ll
, -l,
.
multipath ,
-v multipath. v0 . -v1
,
, kpartx.
-v2 ,
.
verbosity multipath 2
verbosity defaults
multipath.conf.
multipath -l.
# multipath -l
3600d0230000000000e13955cc3757800 dm-1 WINSYS,SF2372
size=269G features='0' hwhandler='0' wp=rw
|-+- policy='round-robin 0' prio=1 status=active
| `- 6:0:0:0 sdb 8:16 active ready running
`-+- policy='round-robin 0' prio=1 status=enabled
  `- 7:0:0:0 sdf 8:80 active ready running
multipath -ll.
# multipath -ll
3600d0230000000000e13955cc3757801 dm-10 WINSYS,SF2372
size=269G features='0' hwhandler='0' wp=rw
|-+- policy='round-robin 0' prio=1 status=enabled
| `- 19:0:0:1 sdc 8:32 active ready running
5.8. multipath
multipath [90]
multipath, .
5.6. multipath
-l
multipath,
sysfs .
-ll
multipath,
sysfs,
.
-f device
-F
5.9.
dmsetup
dmsetup ,
.
. dm
. , 3
/dev/dm-3.
# dmsetup ls
mpathd               (253, 4)
mpathep1             (253, 12)
mpathfp1             (253, 11)
mpathb               (253, 3)
mpathgp1             (253, 14)
mpathhp1             (253, 13)
mpatha               (253, 2)
mpathh               (253, 9)
mpathg               (253, 8)
VolGroup00-LogVol01  (253, 1)
mpathf               (253, 7)
VolGroup00-LogVol00  (253, 0)
mpathe               (253, 6)
mpathbp1             (253, 10)
mpathd               (253, 5)
5.10.
multipathd
multipathd -k
multipathd.
multipath. help
, CTRL-D
.
multipathd
, . ,
multipath, , . IBM
3
"Tricks with Multipathd" .
# multipathd -k
> > show config
> > CTRL-D
multipath
multipath.conf.
# multipathd -k
> > reconfigure
> > CTRL-D
, ,
.
# multipathd -k
> > show paths
> > CTRL-D
stdin multipathd,
:
# echo 'show config' | multipathd -k
http://www-01.ibm.com/support/docview.wss?uid=isg3T1011985
6.
Linux.
:
OpenSSH Puppet.
1. OpenSSH
1.1.
Ubuntu Server
, OpenSSH.
,
OpenSSH, , Ubuntu.
OpenSSH
Secure Shell (SSH).
, , telnet rcp,
.
OpenSSH
,
, .
OpenSSH, sshd,
.
, sshd ,
. ,
ssh,
OpenSSH .
scp,
OpenSSH
. OpenSSH
, ,
Kerberos.
1.2.
OpenSSH .
OpenSSH Ubuntu
:
sudo apt-get install openssh-client
OpenSSH
:
sudo apt-get install openssh-server
openssh-server
Server Edition.
1.3.
OpenSSH, sshd, /etc/ssh/sshd_config.
,
,
, :
man sshd_config
sshd,
,
. ,
/etc/ssh/sshd_config.
.
, ,
.
/etc/ssh/sshd_config ,
:
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
sudo chmod a-w /etc/ssh/sshd_config.original
,
:
OpenSSH TCP
2222, TCP 22, Port
:
Port 2222
sshd
, ,
:
PubkeyAuthentication yes
, , .
OpenSSH /etc/issue.net
,
:
Banner /etc/issue.net
/etc/ssh/sshd_config.
/etc/ssh/sshd_config, ,
,
sshd, :
sudo /etc/init.d/ssh restart
sshd
.
,
ssh, sshd /etc/ssh/
sshd_config, ,
. ,
, sshd
, ,
.
1.4. SSH
SSH
. SSH
: .
, :
ssh-keygen -t dsa
Digital Signature
Algorithm (DSA).
. Enter .
~/.ssh/id_dsa.pub,
~/.ssh/id_dsa. id_dsa.pub
~/.ssh/authorized_keys :
ssh-copy-id username@remotehost
authorized_keys.
. , :
chmod 600 .ssh/authorized_keys
SSH
.
1.5.
Wiki OpenSSH: https://help.ubuntu.com/community/SSH
http://www.openssh.org/
https://wiki.ubuntu.com/AdvancedOpenSSH
2. Puppet
Puppet ,
. :
. Puppet
,
. puppet
/.
Puppet
/. , Apache
Puppet.
2.1.
Puppet :
sudo apt-get install puppetmaster
( ), :
sudo apt-get install puppet
2.2.
puppet, , ,
DNS CNAME puppet.example.com, example.com .
Puppet DNS puppet.example.com
puppet (Puppet Master). 8,
(DNS) [158]
DNS.
DNS,
/etc/hosts . , /etc/hosts
Puppet :
127.0.0.1 localhost.localdomain localhost puppet
192.168.1.17 meercat02.example.com meercat02
Puppet :
192.168.1.16 meercat.example.com meercat puppet
IP-
.
apache2. /etc/
puppet/manifests/site.pp, :
package {
    'apache2':
        ensure => installed
}
service {
    'apache2':
        ensure => true,
        enable => true,
        require => Package['apache2']
}
/etc/puppet/manifests/nodes.pp :
node 'meercat02.example.com' {
include apache2
}
meercat02.example.com
Puppet.
Puppet
:
sudo /etc/init.d/puppetmaster restart
Puppet ,
.
Puppet . /etc/
default/puppet, START yes:
START=yes
:
sudo /etc/init.d/puppet start
Puppet
:
/var/log/syslog -
. , apache2
Puppet.
Puppet.
2.3, [100].
2.3.
Puppet: http://docs.puppetlabs.com/
Pro Puppet: http://www.apress.com/9781430230571
Ubuntu Wiki Puppet: https://help.ubuntu.com/community/Puppet
3. Zentyal
Zentyal Linux- ,
(Gateway),
(Infrastructure Manager), (Unified Threat Manager),
(Office Server), (Unified Communication
Server) . ,
Zentyal, , .
,
, , . Zentyal
, GNU General Public License (GPL)
Ubuntu GNU/Linux.
Zentyal ( ),
-
. Redis , , ,
OpenLDAP .
-,
, .
Zentyal : ,
.
3.1.
Zentyal 2.3 Ubuntu 12.04 Universe.
:
zentyal-core zentyal-common: Zentyal
.
,
.
zentyal-network: .
( IP, DHCP, VLAN, PPPoE)
,
, ,
DNS.
zentyal-objects zentyal-services:
(, LAN 192.168.1.0/24)
(, HTTP 80/TCP).
zentyal-firewall: iptables
, (NAT)
.
zentyal-ntp: NTP,
.
zentyal-dhcp: ISC DHCP, ,
, NTP,
WINS, DNS
PXE.
Zentyal ( ),
Ubuntu LTS.
(, 2.2, 3.0), (2.1, 2.3). Ubuntu 12.04
Zentyal 2.3.
, Ubuntu 12.04,
Zentyal Team PPA .
, 2.3
Precise, .
PPA, (PPA) .
zentyal-antivirus: ClamAV
, ,
.
zentyal-asterisk: Asterisk
PBX (Private branch exchange, ) LDAP.
zentyal-bwmonitor:
.
zentyal-captiveportal: captive portal (
) (firewall),
LDAP.
zentyal-ebackup:
,
duplicity.
zentyal-ftp: FTP-
LDAP.
zentyal-ids: .
zentyal-ipsec: IPsec
OpenSwan.
zentyal-jabber: XMPP- ejabberd
LDAP.
https://launchpad.net/~zentyal/
https://help.ubuntu.com/12.04/ubuntu-help/addremove-ppa.html
zentyal-thinclients: (LTSP) ""
.
zentyal-mail: , Postfix Dovecot
LDAP.
zentyal-mailfilter: amavisd
.
zentyal-monitor: collectd
3.2.
, sudo,
- Zentyal.
, ,
sudo .
sudo,
:
sudo adduser username sudo
- Zentyal https://
localhost/ ( IP- ). Zentyal
SSL,
.
, (dashboard)
.
, .
,
Save changes,
. ,
, Module Status
. ,
.
-
(
) , Zentyal,
Zentyal (hooks) /
etc/zentyal/hooks/<module>.<action>.
3.3.
Zentyal
Zentyal
,
, .
http://doc.zentyal.org/
http://trac.zentyal.org/wiki/Documentation
http://forum.zentyal.org/
7.
LDAP
.
1. OpenLDAP
Lightweight Directory Access Protocol (LDAP)
X.500, TCP/IP.
LDAP LDAPv3, RFC4510 ,
LDAP Ubuntu OpenLDAP, 2.4.25 (Oneiric) (2.4.28
Precise . ).
, LDAP.
:
LDAP ,
, (Directory
Information Tree, DIT).
.
(/) .
(objectClass).
(
).
(Distinguished Name, DN).
(RDN),
DN.
DN . .
, , and (node)
, ,
, .
, , 11 . DN
"cn=John Doe,dc=example,dc=com"; RDN "cn=John Doe";
DN "dc=example,dc=com".
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: john@example.com
manager: cn=Larry Smith,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
http://tools.ietf.org/html/rfc4510
1.1.
OpenLDAP
LDAP. slapd ldap-utils, .
slapd . ,
,
. ( DN)
localhost.
- , /etc/hosts
. ,
dc=example,dc=com, :
127.0.1.1 hostname.example.com hostname
.
dc=example,dc=com.
:
sudo apt-get install slapd ldap-utils
http://tools.ietf.org/html/rfc2849
slapd .
LDIF, /etc/ldap/slapd.d.
: slapd-config, RTC- ( Real Time
Configuration ) cn=config.
(slapd.conf), ;
.
Ubuntu slapd-config
slapd, .
. LDAP- rootDN
. DN :
cn=admin,dc=example,dc=com.
slapd-config
, ,
LDAP . ,
, .
(cosine, nis, inetorgperson)
slapd. (core) ,
.
1.2.
DIT. slapd-config
(dc=example,dc=com). :
, (DIT) slapd-config.
, LDIF /etc/ldap/slapd.d:
/etc/ldap/slapd.d/
    cn=config
        cn=module{0}.ldif
        cn=schema
            cn={0}core.ldif
            cn={1}cosine.ldif
            cn={2}nis.ldif
            cn={3}inetorgperson.ldif
        cn=schema.ldif
        olcBackend={0}hdb.ldif
        olcDatabase={0}config.ldif
        olcDatabase={-1}frontend.ldif
        olcDatabase={1}hdb.ldif
    cn=config.ldif
slapd-config .
LDAP ().
, slapd-config LDAP :
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}hdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}hdb,cn=config
:
cn=config:
cn=module{0},cn=config:
cn=schema,cn=config:
cn={0}core,cn=schema,cn=config:
(core)
cn={1}cosine,cn=schema,cn=config: cosine
cn={2}nis,cn=schema,cn=config: nis
cn={3}inetorgperson,cn=schema,cn=config: inetorgperson
olcBackend={0}hdb,cn=config: 'hdb'
olcDatabase={-1}frontend,cn=config: ,
olcDatabase={0}config,cn=config: slapd
(cn=config)
olcDatabase={1}hdb,cn=config:
(dc=examle,dc=com)
dc=example,dc=com:
ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn
dn: dc=example,dc=com
dn: cn=admin,dc=example,dc=com
:
dc=example,dc=com: (DIT)
cn=admin,dc=example,dc=com: (rootDN)
( )
1.3. /
. :
(node) People ( )
Groups ( )
miners
john
LDIF add_content.ldif:
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=miners,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: miners
gidNumber: 5000

dn: uid=john,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
, uid gid
. ,
, , 5000. uid
gid ldap
, ldap.
.
:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_content.ldif
Enter LDAP Password: ********
adding new entry "ou=People,dc=example,dc=com"
adding new entry "ou=Groups,dc=example,dc=com"
adding new entry "cn=miners,ou=Groups,dc=example,dc=com"
adding new entry "uid=john,ou=People,dc=example,dc=com"
ldapsearch:
ldapsearch -x -LLL -b dc=example,dc=com 'uid=john' cn gidNumber
dn: uid=john,ou=People,dc=example,dc=com
cn: John Doe
gidNumber: 5000
:
-x: "" ; SASL
-LLL:
uid=john: john
cn gidNumber: (
)
1.4. slapd
(DIT) slapd-config .
.
ldapmodify ( DbIndex)
{1}hdb,cn=config (dc=example,dc=com).
uid_index.ldif :
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: uid eq,pres,sub
:
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f uid_index.ldif
modifying entry "olcDatabase={1}hdb,cn=config"
.
LDIF.
/etc/ldap/schema.
slapd-config .
.
,
( ,
" "):
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
  cn=schema,cn=config dn
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
CORBA.
1.
schema_convert.conf,
:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/ldapns.schema
include /etc/ldap/schema/pmi.schema
2.
ldif_output.
3.
:
slapcat -f schema_convert.conf -F ldif_output -n 0 | grep corba,cn=schema
cn={1}corba,cn=schema,cn=config
slapd DN,
.
: {X}.
4.
slapcat :
() cn=corba.ldif
5.
cn=corba.ldif :
dn: cn=corba,cn=schema,cn=config
...
cn: corba
:
structuralObjectClass: olcSchemaConfig
entryUUID: 52109a02-66ab-1030-8be2-bbf166230478
creatorsName: cn=config
createTimestamp: 20110829165435Z
entryCSN: 20110829165435.935248Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110829165435Z
.
6.
, ldapadd
slapd-config:
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\=corba.ldif
adding new entry "cn=corba,cn=schema,cn=config"
7.
:
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: cn={4}corba,cn=schema,cn=config
LDAP
, .
.
1.5.
slapd ,
OpenLDAP,
.
. , slapd,
slapd-config.
OpenLDAP ()
,
(). ,
stats. slapd-config
.
logging.ldif :
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: stats
:
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif
.
(rsyslog) ,
:
rsyslogd-2177: imuxsock lost 228 messages from pid 2547 due to rate-limiting
rsyslog. /etc/rsyslog.conf
:
# Disable rate limiting
# (default is 200 messages in 5 seconds; below we make the 5 become 0)
$SystemLogRateLimitInterval 0
rsyslog:
sudo service rsyslog restart
1.6.
LDAP ,
.
http://manpages.ubuntu.com/manpages/en/man5/slapd-config.5.html
( )
LDAP , .
LDAP.
Syncrepl.
- .
,
, : refreshAndPersist
delta-syncrepl.
, ,
, .
1.6.1.
.
1.
LDIF
provider_sync.ldif:
# Add indexes to the frontend db.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq

#Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
-
add: olcModuleLoad
olcModuleLoad: accesslog

# Accesslog database definitions
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=example,dc=com
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE

# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00
rootDN LDIF .
2.
apparmor slapd
accesslog. /etc/apparmor.d/local/
usr.sbin.slapd, :
/var/lib/ldap/accesslog/ r,
/var/lib/ldap/accesslog/** rwk,
,
apparmor:
sudo -u openldap mkdir /var/lib/ldap/accesslog
sudo -u openldap cp /var/lib/ldap/DB_CONFIG /var/lib/ldap/accesslog
sudo service apparmor reload
3.
, apparmor,
:
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f provider_sync.ldif
sudo service slapd restart
.
1.6.2.
.
1.
1.1,
[108]. , slapd-config
. ,
.
2.
LDIF
consumer_sync.ldif:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryUUID eq
-
add: olcSyncRepl
, :
provider (hostname IP)
binddn (DN , )
credentials ( DN , )
searchbase ( , )
olcUpdateRef (hostname IP )
rid (Replica ID, ,
. rid)
3.
:
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif
! (: dc=example,dc=com)
.
1.6.3.
, :
ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -s base contextCSN
dn: dc=example,dc=com
contextCSN: 20120201193408.178454Z#000000#000#000000
, .
(20120201193408.178454Z#000000#000#000000 )
, . ,
,
.
/ LDAP ,
contextCSN
. , ,
contextCSN .
contextCSN
,
. slapd (syslog
) ,
(
ldapsearch).
, , DN
:
sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b dc=example,dc=com dn
'john' 'miners',
'People' 'Groups'.
1.7.
, (, .)
, .
(access control lists, ACL).
slapd, ACL
.
, , , ACL
.
ACL LDAP
ACL
.
ACL, , ,
.
ACL
ACL.
ACL hdb ("dc=example,dc=com")
:
rootDN .
ACL ,
slapd.
ACL :
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none
- :
to attrs=userPassword
by self write
by anonymous auth
by dn="cn=admin,dc=example,dc=com" write
by * none
to attrs=shadowLastChange
by self write
by anonymous auth
by dn="cn=admin,dc=example,dc=com" write
by * none
ACL ( ) :
'auth' userPassword
. counterintuitively 'by anonymous auth' DIT
. ,
(. ).
,
( 'by self write') userPassword.
userPassword
rootDN, .
,
passwd , shadowLastChange
.
DIT - 'by * read'
ACL:
to *
by self write
by dn="cn=admin,dc=example,dc=com" write
by * read
, ACL.
(bind)
( ACL)
'olcRequire: authc'.
, slapd-config
.
SASL, .
localhost (root/sudo). :
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
ACL slapd-config:
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
SASL , SASL,
LDAP ,
. (EXTERNAL) .
. :
1.
2.
ACL :
.
slapd.access .
1.8. TLS
OpenLDAP ,
, .
(TLS).
(Certificate
Authority CA)
LDAP CA. slapd
gnutls,
certtool.
1.
gnutls-bin ssl-cert:
sudo apt-get install gnutls-bin ssl-cert
2.
sudo sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"
3.
/etc/ssl/ca.info CA:
cn = Example Company
ca
cert_signing_key
http://manpages.ubuntu.com/manpages/en/man5/slapd.access.5.html
4.
5.
ldap01
(hostname). ,
,
.
6.
/etc/ssl/ldap01.info, :
organization = Example Company
cn = ldap01.example.com
tls_www_server
encryption_key
signing_key
expiration_days = 3650
10 .
.
7.
certinfo.ldif (
, https://www.cacert.org):
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap01_slapd_key.pem
ldapmodify, slapd
TLS slapd-config:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ssl/certinfo.ldif
,
ldaps:// /etc/default/slapd .
:
SLAPD_SERVICES="ldap:/// ldapi:///"
OpenLDAP:
sudo service slapd restart
(/var/log/syslog), ,
.
1.9. TLS
,
(StartTLS)
.
, .
TLS-.
,
1.6, [116]
TLS ,
1.8, TLS [123].
, ( )
LDAP. TLS
, .
. ,
.
,
.
1.
:
(
) :
mkdir ldap02-ssl
cd ldap02-ssl
sudo certtool --generate-privkey \
  --bits 1024 \
  --outfile ldap02_slapd_key.pem
ldap02.info ;
:
organization = Example Company
cn = ldap02.example.com
tls_www_server
encryption_key
signing_key
expiration_days = 3650
CA:
cp /etc/ssl/certs/cacert.pem .
. ldap02-ssl .
scp ( ):
cd ..
scp -r ldap02-ssl user@consumer:
2.
:
TLS-:
sudo apt-get install ssl-cert
sudo adduser openldap ssl-cert
sudo cp ldap02_slapd_cert.pem cacert.pem /etc/ssl/certs
sudo cp ldap02_slapd_key.pem /etc/ssl/private
sudo chgrp ssl-cert /etc/ssl/private/ldap02_slapd_key.pem
sudo chmod g+r /etc/ssl/private/ldap02_slapd_key.pem
sudo chmod o-r /etc/ssl/private/ldap02_slapd_key.pem
/etc/ssl/certinfo.ldif
( ):
dn: cn=config
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap02_slapd_cert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap02_slapd_key.pem
slapd-config:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f certinfo.ldif
/etc/default/slapd (SLAPD_SERVICES).
3.
:
TLS .
olcSyncrepl TLS .
, .
consumer_sync_tls.ldif :
dn: olcDatabase={1}hdb,cn=config
replace: olcSyncRepl
olcSyncRepl: rid=0 provider=ldap://ldap01.example.com bindmethod=simple
  binddn="cn=admin,dc=example,dc=com" credentials=secret searchbase="dc=example,dc=com"
  logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
  schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
  starttls=critical tls_reqcert=demand
, ,
StartTLS CA
. LDIF
('replace').
:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f consumer_sync_tls.ldif
slapd:
sudo service slapd restart
4.
:
, TLS . /var/log/syslog,
'conns',
:
slapd[3620]: conn=1047 fd=20 ACCEPT from IP=10.153.107.229:57922 (IP=0.0.0.0:389)
slapd[3620]: conn=1047
slapd[3620]: conn=1047
slapd[3620]: conn=1047
slapd[3620]: conn=1047
1.10. LDAP
LDAP ,
, ,
() . Ubuntu
libnss-ldap ,
.
:
sudo apt-get install libnss-ldap
LDAP .
, , :
sudo dpkg-reconfigure ldap-auth-config
/etc/ldap.conf.
, , .
LDAP NSS:
sudo auth-client-config -t nss -p lac_ldap
LDAP :
sudo pam-auth-update
, LDAP ,
.
,
LDAP.
LDAP ,
. /etc/ldap.conf - :
uri ldap://ldap01.example.com ldap://ldap02.example.com
(ldap02), (ldap01) .
LDAP
SAMBA, SAMBA LDAP.
2, Samba LDAP [135] .
libnss-ldap libnss-ldapd.
nscd, , , .
.
1.11.
ldap-utils
,
. ldapscripts
(wrapper scripts) ,
.
:
sudo apt-get install ldapscripts
/etc/ldapscripts/ldapscripts.conf,
- :
SERVER=localhost
BINDDN='cn=admin,dc=example,dc=com'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=example,dc=com'
GSUFFIX='ou=Groups'
USUFFIX='ou=People'
MSUFFIX='ou=Computers'
GIDSTART=10000
UIDSTART=10000
MIDSTART=10000
ldapscripts.passwd
:
secret rootDN
.
.
:
:
sudo ldapadduser george example
:
sudo ldapdeleteuser george
:
sudo ldapaddgroup qa
:
sudo ldapdeletegroup qa
:
sudo ldapaddusertogroup george qa
memberUid qa
george.
:
sudo ldapdeleteuserfromgroup george qa
memberUid qa.
ldapmodifyuser ,
. ,
ldapmodify. :
sudo ldapmodifyuser george
# About to modify the following entry :
dn: uid=george,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
cn: george
uid: george
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/george
loginShell: /bin/bash
gecos: george
description: User account
userPassword:: e1NTSEF9eXFsTFcyWlhwWkF1eGUybVdFWHZKRzJVMjFTSG9vcHk=
# Enter your modifications here, end with CTRL-D.
dn: uid=george,ou=People,dc=example,dc=com
replace: gecos
gecos: George Carlin
/etc/ldapscripts .
ldapadduser.template.sample /etc/ldapscripts/
ldapadduser.template:
.
inetOrgPerson:
dn: uid=<user>,<usuffix>,<suffix>
objectClass: inetOrgPerson
objectClass: posixAccount
cn: <user>
sn: <ask>
131
uid: <user>
uidNumber: <uid>
gidNumber: <gid>
homeDirectory: <home>
loginShell: <shell>
gecos: <user>
description: User account
title: Employee
<ask>, sn.
ldapadduser .
, .
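To make the template mechanism concrete, here is an added example (not part of the Ubuntu Server Guide, and not ldapscripts' own code) that reproduces in a few lines what ldapadduser does with a template: choose the next free uidNumber at or above UIDSTART and substitute the placeholders. The list of already-used uids and the template are constructed for the self-check; SUFFIX, USUFFIX and UIDSTART are the values from ldapscripts.conf above.

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide, not ldapscripts' code):
# show how a template becomes an entry. next_free_uid mirrors the UIDSTART
# logic, render_template fills the <user>, <uid>, <gid>, <home>, <shell>,
# <usuffix> and <suffix> placeholders. <ask> placeholders are left alone,
# as ldapscripts prompts for those interactively.

SUFFIX='dc=example,dc=com'
USUFFIX='ou=People'
UIDSTART=10000

# next_free_uid START < list-of-used-uidNumbers : smallest uid >= START not in use
next_free_uid() {
    sort -n | awk -v start="$1" '
        $1 >= start { used[$1] = 1 }
        END { u = start; while (u in used) u++; print u }'
}

# render_template USER UID GID SHELL < template > ldif
render_template() {
    sed -e "s|<user>|$1|g" -e "s|<uid>|$2|g" -e "s|<gid>|$3|g" \
        -e "s|<home>|/home/$1|g" -e "s|<shell>|$4|g" \
        -e "s|<usuffix>|$USUFFIX|g" -e "s|<suffix>|$SUFFIX|g"
}

# The inetOrgPerson template from the text (constructed copy for the self-check).
sample_template() {
cat <<'EOF'
dn: uid=<user>,<usuffix>,<suffix>
objectClass: inetOrgPerson
objectClass: posixAccount
cn: <user>
sn: <ask>
uid: <user>
uidNumber: <uid>
gidNumber: <gid>
homeDirectory: <home>
loginShell: <shell>
gecos: <user>
description: User account
title: Employee
EOF
}

# uidNumbers as they might come back from an ldapsearch (constructed)
sample_used_uids() { printf '%s\n' 10000 10001 10002 10004; }

if [ "${1:-}" = "--demo" ]; then
    uid="$(sample_used_uids | next_free_uid "$UIDSTART")"
    # On a real directory: ldapsearch -x -LLL -b "$USUFFIX,$SUFFIX" uidNumber | awk '/^uidNumber:/ {print $2}'
    sample_template | render_template george "$uid" 10000 /bin/bash
fi
```

The uid search shows the one piece of state the scripts depend on: if two administrators add users at the same moment they can both be handed the same uidNumber, which is why a busy directory is better served by a single provisioning host or a uidNumber allocated in the directory itself.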
The ldapscripts package contains the following scripts; each has a manual page:

ldaprenamemachine: http://manpages.ubuntu.com/manpages/en/man1/ldaprenamemachine.1.html
ldapadduser: http://manpages.ubuntu.com/manpages/en/man1/ldapadduser.1.html
ldapdeleteuserfromgroup: http://manpages.ubuntu.com/manpages/en/man1/ldapdeleteuserfromgroup.1.html
ldapfinger: http://manpages.ubuntu.com/manpages/en/man1/ldapfinger.1.html
ldapid: http://manpages.ubuntu.com/manpages/en/man1/ldapid.1.html
ldapgid: http://manpages.ubuntu.com/manpages/en/man1/ldapgid.1.html
ldapmodifyuser: http://manpages.ubuntu.com/manpages/en/man1/ldapmodifyuser.1.html
ldaprenameuser: http://manpages.ubuntu.com/manpages/en/man1/ldaprenameuser.1.html
lsldap: http://manpages.ubuntu.com/manpages/en/man1/lsldap.1.html
ldapaddusertogroup: http://manpages.ubuntu.com/manp ages/en/man1/ldapaddusertogroup.1.html
ldapsetpasswd: http://manpages.ubuntu.com/manpages/en/man1/ldapsetpasswd.1.html
ldapinit: http://manpages.ubuntu.com/manpages/en/man1/ldapinit.1.html
ldapaddgroup: http://manpages.ubuntu.com/manpages/en/man1/ldapaddgroup.1.html
ldapdeletegroup: http://manpages.ubuntu.com/manpages/en/man1/ldapdeletegroup.1.html
ldapmodifygroup: http://manpages.ubuntu.com/manpages/en/man1/ldapmodifygroup.1.html
ldapdeletemachine: http://manpages.ubuntu.com/manpages/en/man1/ldapdeletemachine.1.html
ldaprenamegroup: http://manpages.ubuntu.com/manpages/en/man1/ldaprenamegroup.1.html
ldapaddmachine: http://manpages.ubuntu.com/manpages/en/man1/ldapaddmachine.1.html
ldapmodifymachine: http://manpages.ubuntu.com/manpages/en/man1/ldapmodifymachine.1.html
ldapsetprimarygroup: http://manpages.ubuntu.com/manpages/en/man1/ldapsetprimarygroup.1.html
ldapdeleteuser: http://manpages.ubuntu.com/manpages/en/man1/ldapdeleteuser.1.html
1.12. Backup and Restore

Now we have a directory working the way we want, so we need a way to save it. Backups need to cover both the configuration database (cn=config) and the data (dc=example,dc=com), and, where replication is configured, the accesslog database.

Backup

We will use slapcat to dump the databases to LDIF files in /export/backup. The following script, saved as /usr/local/bin/ldapbackup, dumps the configuration (database 0), the example.com data (database 1) and the accesslog (database 2):

#!/bin/bash
# Dump the OpenLDAP configuration (cn=config, -n 0), the example.com
# data (-n 1) and the accesslog (-n 2) as LDIF into BACKUP_PATH.
# Run as root: slapcat reads the database files directly.
set -eu
umask 027
BACKUP_PATH=/export/backup
SLAPCAT=/usr/sbin/slapcat
mkdir -p "${BACKUP_PATH}"
nice "${SLAPCAT}" -n 0 > "${BACKUP_PATH}/config.ldif"
nice "${SLAPCAT}" -n 1 > "${BACKUP_PATH}/example.com.ldif"
nice "${SLAPCAT}" -n 2 > "${BACKUP_PATH}/access.ldif"
chmod 640 "${BACKUP_PATH}"/*.ldif

These files are uncompressed text files containing everything in the directory, including the configuration with any root password and every user's password hash, so /export/backup must be a protected location that only root (and the backup process) can read. Consider encrypting the files before they leave the host.

Next, run the script regularly from cron so a current dump is always available, and so the next backup rotation picks the files up. Create a file /etc/cron.d/ldapbackup running the script every night at 22:45:

MAILTO=backup-emails@domain.com
45 22 * * *  root  /usr/local/bin/ldapbackup

You should also be able to restore from these files on another host; the restore steps are below.
Restore

To restore the databases, stop slapd and load the LDIF files back with slapadd. The accesslog directory must exist before that database is loaded, and slapadd, run as root, leaves root-owned files that slapd (which runs as openldap) cannot read, hence the chown steps before starting the server again:

sudo service slapd stop
sudo mkdir /var/lib/ldap/accesslog
sudo slapadd -F /etc/ldap/slapd.d -n 0 -l /export/backup/config.ldif
sudo slapadd -F /etc/ldap/slapd.d -n 1 -l /export/backup/example.com.ldif
sudo slapadd -F /etc/ldap/slapd.d -n 2 -l /export/backup/access.ldif
sudo chown -R openldap:openldap /etc/ldap/slapd.d/
sudo chown -R openldap:openldap /var/lib/ldap/
sudo service slapd start
1.13. Resources

The primary resource is the upstream documentation at http://www.openldap.org/

There are many man pages that come with the slapd package; here are some important ones:

slapd: http://manpages.ubuntu.com/manpages/en/man8/slapd.8.html
slapd-config: http://manpages.ubuntu.com/manpages/en/man5/slapd-config.5.html
slapd.access: http://manpages.ubuntu.com/manpages/en/man5/slapd.access.5.html
slapo-syncprov: http://manpages.ubuntu.com/manpages/en/man5/slapo-syncprov.5.html

Other man pages for the client side:

auth-client-config: http://manpages.ubuntu.com/manpages/en/man8/auth-client-config.8.html
pam-auth-update: http://manpages.ubuntu.com/manpages/en/man8/pam-auth-update.8.html

Zytrax's online LDAP guide is a more pedagogical treatment of LDAP: http://www.zytrax.com/books/ldap/

A Ubuntu community wiki page on OpenLDAP: https://help.ubuntu.com/community/OpenLDAPServer

O'Reilly's LDAP administration book (2003): http://www.oreilly.com/catalog/ldapsa/

Packt's Mastering OpenLDAP (2007): http://www.packtpub.com/OpenLDAP-Developers-Server-Open-Source-Linux/book
2. Samba and LDAP

This section covers the integration of Samba with LDAP. Samba's role here is that of a file and print server for Windows clients whose accounts are stored in LDAP, the role of a Samba version 3 domain controller. The directory holds both the POSIX attributes and the Samba attributes of each account.

An OpenLDAP server is required; see Section 1, "OpenLDAP Server" [107] for how to set one up. This section assumes that server and the example.com directory from it.

2.1. Software Installation

There are three packages needed when integrating Samba with LDAP: samba, samba-doc, and smbldap-tools.

Strictly speaking, the smbldap-tools package is not needed, but unless you have some other way to manage the various Samba entities (users, groups, computers) in an LDAP context, you should install it.

Install the packages:

sudo apt-get install samba samba-doc smbldap-tools

2.2. LDAP Configuration

We will now configure the LDAP server so that it can accommodate Samba data. We will perform three tasks in this section:

1. Import a schema
2. Index some entries
3. Add objects

2.2.1. Samba schema

In order for OpenLDAP to be used as a backend for Samba, logically the DIT will need to use attributes that can properly describe Samba data. Such attributes can be obtained by introducing a Samba LDAP schema. Introducing a schema is something we have already covered; see Section 1.4 [113] on modifying the slapd configuration database. The schema is found in the samba-doc package, from which it has to be unzipped, copied to /etc/ldap/schema and converted to LDIF before it can be loaded into cn=config.
1. Copy the schema file and unzip it:

sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz /etc/ldap/schema
sudo gzip -d /etc/ldap/schema/samba.schema.gz

2. Create a configuration file named schema_convert.conf that lists every schema already loaded, with samba.schema last:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/ldapns.schema
include /etc/ldap/schema/pmi.schema
include /etc/ldap/schema/samba.schema

3. Create a directory ldif_output to hold the output.

4. Determine the index of the schema:

slapcat -f schema_convert.conf -F ldif_output -n 0 | grep samba,cn=schema
dn: cn={14}samba,cn=schema,cn=config

5. Convert the schema to LDIF format: run slapcat again with the same -f and -F options, selecting the entry found in step 4 with -H ldap:///cn={14}samba,cn=schema,cn=config (use the index you actually got) and writing it with -l to cn=samba.ldif.

6. Edit the generated cn=samba.ldif file by removing index information, so that the entry begins:

dn: cn=samba,cn=schema,cn=config
...
cn: samba

and delete the operational attributes at the bottom, since the server generates fresh ones when the entry is loaded:

structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z

Your attribute values will vary.

7. Add the new schema:

sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\=samba.ldif

To query and view this new schema:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'cn=*samba*'
2.2.2. Samba indices

Now that slapd knows about the Samba attributes, we can set up some indices based on them. Indexing entries is a way to improve performance when a client performs a filtered search on the DIT; Samba looks accounts up by SID and by name on every authentication, so the lookups below are worth indexing.

Create the file samba_indices.ldif with the following contents:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub

Using the ldapmodify utility load the new indices:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f samba_indices.ldif

If all went well you should see the new indices using ldapsearch:

sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase={1}hdb olcDbIndex
2.2.3. Adding Samba LDAP objects

Next, configure the smbldap-tools package to match your environment. The package comes with a configuration helper script. It is shipped compressed, so unzip it and run it; an error about the strict pragma is a known issue with configure.pl and can be ignored:

sudo gzip -d /usr/share/doc/smbldap-tools/configure.pl.gz
sudo perl /usr/share/doc/smbldap-tools/configure.pl

Once the script is run you will be asked a series of questions, and the answers are written to /etc/smbldap-tools/smbldap.conf and /etc/smbldap-tools/smbldap_bind.conf. The second file holds the DN and password the tools bind with, which has write access to the directory, so keep it readable by root only. Check both files and correct any values the script did not get right for your setup.

The smbldap-populate script will then add the LDAP objects required for Samba. It is a good idea to first make a backup of your DIT using slapcat, so you can undo the change if needed:

sudo slapcat -l backup.ldif

Once you have a backup proceed to populate your directory:

sudo smbldap-populate

You can create a LDIF file containing the new Samba objects by executing sudo smbldap-populate -e samba.ldif. This allows you to look over the changes, making sure everything is correct. If it is, rerun the script without the '-e' switch, or load the reviewed LDIF yourself.

Your LDAP directory now has the necessary information to authenticate Samba users.
2.3. Samba Configuration

There are multiple ways to configure Samba. For details on some common configurations see Chapter 18, "Windows Networking" [320]. To configure Samba to use LDAP, edit its configuration file /etc/samba/smb.conf, commenting out the default passdb backend parameter and adding some LDAP-related ones (the suffixes must match the ones used in ldapscripts.conf and smbldap.conf):

# LDAP Settings
   passdb backend = ldapsam:ldap://hostname
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   ldap admin dn = cn=admin,dc=example,dc=com
   ldap ssl = start tls

Change the values to match your environment. Keep ldap ssl = start tls unless hostname is the local machine: Samba binds with the admin DN's password on every connection, and without TLS that password, and the user hashes it reads, travel the network in the clear.

Restart samba to enable the new settings:

sudo restart smbd
sudo restart nmbd

Now inform Samba about the rootDN password (the same as configured for slapd):

sudo smbpasswd -w password

Samba stores this password in its secrets.tdb file. The password you type here ends up in your shell history and is briefly visible in the process list, so clear it from the history afterwards.

If you have existing LDAP users you want to include in your new LDAP-backed Samba, you will need to add the Samba attributes to them. The smbpasswd utility can do this for you (your host needs to be able to see (enumerate) those users via NSS; install and configure either libnss-ldapd or libnss-ldap first):

sudo smbpasswd -a username

You will be prompted to enter a password. It will be considered the new password for that user; making it the same as before is reasonable.

To manage user, group, and machine accounts use the utilities provided by the smbldap-tools package. Here are some examples:

To add a new user:

sudo smbldap-useradd -a -P username

The -a option adds the Samba attributes, and the -P option calls the smbldap-passwd utility after the user is created, allowing you to enter a password for the user.

To remove a user:

sudo smbldap-userdel username

In the above command, use the -r option to remove the user's home directory.

To add a group:

sudo smbldap-groupadd -a groupname

As for smbldap-useradd, the -a adds the Samba attributes.

To make an existing user a member of a group:

sudo smbldap-groupmod -m username groupname

The -m option can add more than one user at a time by listing them in comma-separated format.

To remove a user from a group:

sudo smbldap-groupmod -x username groupname

To add a Samba machine account:

sudo smbldap-useradd -t 0 -w username

Replace username with the name of the workstation. The -t 0 option creates the machine account without a delay, while the -w option specifies the user as a machine account. Also, the add machine script option in /etc/samba/smb.conf was configured to use smbldap-useradd, so Samba can create machine accounts itself when a workstation joins the domain.

There are utilities in the smbldap-tools package that were not covered here. A full list follows.
smbldap-tools utilities, each with its own manual page:

smbldap-groupadd: http://manpages.ubuntu.com/manpages/en/man8/smbldap-groupadd.8.html
smbldap-groupdel: http://manpages.ubuntu.com/manpages/en/man8/smbldap-groupdel.8.html
smbldap-groupmod: http://manpages.ubuntu.com/manpages/en/man8/smbldap-groupmod.8.html
smbldap-groupshow: http://manpages.ubuntu.com/manpages/en/man8/smbldap-groupshow.8.html
smbldap-passwd: http://manpages.ubuntu.com/manpages/en/man8/smbldap-passwd.8.html
smbldap-populate: http://manpages.ubuntu.com/manpages/en/man8/smbldap-populate.8.html
smbldap-useradd: http://manpages.ubuntu.com/manpages/en/man8/smbldap-useradd.8.html
smbldap-userdel: http://manpages.ubuntu.com/manpages/en/man8/smbldap-userdel.8.html
smbldap-userinfo: http://manpages.ubuntu.com/manpages/en/man8/smbldap-userinfo.8.html
smbldap-userlist: http://manpages.ubuntu.com/manpages/en/man8/smbldap-userlist.8.html
smbldap-usermod: http://manpages.ubuntu.com/manpages/en/man8/smbldap-usermod.8.html
smbldap-usershow: http://manpages.ubuntu.com/manpages/en/man8/smbldap-usershow.8.html

2.4. Resources

For more information on installing and configuring Samba see Chapter 18, "Windows Networking" [320] of this Server Guide.

There are multiple places where LDAP and Samba are documented in the upstream Samba HOWTO Collection: http://samba.org/samba/docs/man/Samba-HOWTO-Collection/

Regarding the above, see specifically the passdb section: http://samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html

Although dated (2007), the Linux Samba-OpenLDAP HOWTO contains valuable notes: http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/

The main page of the Samba Ubuntu community documentation has a plethora of links to articles that may prove useful: https://help.ubuntu.com/community/Samba#samba-ldap
3. Kerberos

Kerberos is a network authentication system based on the principle of a trusted third party. The other two parties are the user and the service the user wishes to authenticate to. Not all services and applications can use Kerberos, but for those that can, it brings the network environment one step closer to being Single Sign On (SSO).

This section covers installation and configuration of a Kerberos server, and some example client configurations.

3.1. Overview

If you are new to Kerberos there are a few terms that are good to understand before setting up a Kerberos server. Most of the terms will relate to things you may be familiar with in other environments:

Principal: any users, computers, and services provided by servers need to be defined as Kerberos Principals.

Instances: used for service principals and special administrative principals; steve/admin is an instance of the principal steve.

Realms: the unique realm of control provided by the Kerberos installation. Think of it as the domain or group your hosts and users belong to. Convention dictates the realm should be in uppercase. By default, Ubuntu will use the DNS domain converted to uppercase (EXAMPLE.COM) as the realm.

Key Distribution Center (KDC): consists of three parts: a database of all principals, the authentication server, and the ticket granting server. For each realm there must be at least one KDC.

Ticket Granting Ticket (TGT): issued by the Authentication Server (AS), the Ticket Granting Ticket is encrypted in the user's password, which is known only to the user and the KDC.

Ticket Granting Server (TGS): issues service tickets to clients upon request.

Tickets: confirm the identity of the two principals. One principal being a user and the other a service requested by the user. Tickets establish an encryption key used for secure communication during the authenticated session.

Keytab Files: files extracted from the KDC principal database containing the encryption key for a service or host. A keytab is the equivalent of a password and must be protected like one (owned by root, mode 600).

To put the pieces together, a Realm has at least one KDC, preferably more for redundancy, which contains a database of Principals. When a user principal logs into a workstation that is configured for Kerberos authentication, the KDC issues a Ticket Granting Ticket (TGT). If the user supplied credentials match, the user is authenticated and can then request tickets for Kerberized services from the Ticket Granting Server (TGS). The service tickets allow the user to authenticate to the service without entering another username and password.
3.2. Kerberos Server

3.2.1. Installation

Before installing the Kerberos server a properly configured DNS server is needed for your domain. Since the Kerberos Realm by convention matches the domain name, this section uses the EXAMPLE.COM domain configured in Section 2.3, "Primary Master" [161], of the DNS chapter.

Also, Kerberos is a time sensitive protocol. So if the local system time between a client machine and the server differs by more than five minutes (by default), the workstation will not be able to authenticate. To correct the problem all hosts should have their time synchronized using the same Network Time Protocol (NTP) server. For details on setting up NTP see Section 4, "Time Synchronisation with NTP" [57].

The first step in creating a Kerberos Realm is to install the krb5-kdc and krb5-admin-server packages. From a terminal enter:

sudo apt-get install krb5-kdc krb5-admin-server

You will be asked at the end of the install to supply the hostname for the Kerberos and Admin servers, which may or may not be the same server, for the realm.

Next, create the new realm with the krb5_newrealm utility:

sudo krb5_newrealm

You will be asked for the database master password. Choose a long random one and keep it somewhere safe: the master key protects every principal key in the KDC database, and it is also stashed in /etc/krb5kdc so the KDC can start unattended, which makes that directory as sensitive as the database itself.
3.2.2. Configuration

The questions asked during installation are used to configure the /etc/krb5.conf file. If you need to adjust the Key Distribution Center (KDC) settings simply edit the file and restart the krb5-kdc daemon. If you need to reconfigure Kerberos from scratch, perhaps to change the realm name, you can do so by typing:

sudo dpkg-reconfigure krb5-kdc

1. Once the KDC is properly running, an admin user (the admin principal) is needed. It is recommended to use a different username from your everyday username. Using the kadmin.local utility in a terminal prompt enter:

sudo kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc steve/admin
WARNING: no policy specified for steve/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "steve/admin@EXAMPLE.COM":
Re-enter password for principal "steve/admin@EXAMPLE.COM":
Principal "steve/admin@EXAMPLE.COM" created.
kadmin.local: quit

In the above example steve is the Principal, /admin is an Instance, and @EXAMPLE.COM signifies the realm. The "everyday" Principal, a.k.a. the user principal, would be steve@EXAMPLE.COM, and should have only normal user rights.

Replace EXAMPLE.COM and steve with your Realm and admin username.

2. Next, the new admin user needs to have the appropriate Access Control List (ACL) permissions. The permissions are configured in the /etc/krb5kdc/kadm5.acl file; each line is a principal pattern followed by the permissions granted:

steve/admin@EXAMPLE.COM        *

This entry grants steve/admin the ability to perform any operation on all principals in the realm. You can configure principals with more restrictive privileges, which is convenient if you need an admin principal that junior staff can use in Kerberos clients. Please see the kadm5.acl man page for details.

3. Now restart the krb5-admin-server for the new ACL to take effect:

sudo /etc/init.d/krb5-admin-server restart

4. The new user principal can be tested using the kinit utility:

kinit steve/admin
steve/admin@EXAMPLE.COM's Password:

After entering the password, use the klist utility to view information about the Ticket Granting Ticket (TGT):

klist
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: steve/admin@EXAMPLE.COM

  Issued           Expires          Principal
Jul 13 17:53:34  Jul 14 03:53:34  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Where the cache filename krb5cc_1000 is composed of the prefix krb5cc_ and the user id (UID), which in this case is 1000. You may need to add an entry into /etc/hosts for the KDC so the client can find the KDC. For example:

192.168.0.1   kdc01.example.com   kdc01

Replacing 192.168.0.1 with the IP address of your KDC. This usually happens when you have a Kerberos realm encompassing different networks separated by routers.

5. The best way to allow clients to automatically determine the KDC for the Realm is by using DNS SRV records. Add the following to /etc/bind/db.example.com:

_kerberos._udp.EXAMPLE.COM.     IN SRV 1  0 88  kdc01.example.com.
_kerberos._tcp.EXAMPLE.COM.     IN SRV 1  0 88  kdc01.example.com.
_kerberos._udp.EXAMPLE.COM.     IN SRV 10 0 88  kdc02.example.com.
_kerberos._tcp.EXAMPLE.COM.     IN SRV 10 0 88  kdc02.example.com.
_kerberos-adm._tcp.EXAMPLE.COM. IN SRV 1  0 749 kdc01.example.com.
_kpasswd._udp.EXAMPLE.COM.      IN SRV 1  0 464 kdc01.example.com.

Replace EXAMPLE.COM, kdc01, and kdc02 with your domain name, primary KDC, and secondary KDC. Note that only the primary KDC is listed for the kadmin (749) and kpasswd (464) services; the secondary holds a read-only copy of the database and cannot accept changes. See Chapter 8, "Domain Name Service (DNS)" [158] for detailed instructions on setting up DNS, and remember to increment the zone serial after the edit.

Your new Kerberos Realm is now ready to authenticate clients.
3.3. Secondary KDC

Once you have one Key Distribution Center (KDC) on your network, it is good practice to have a Secondary KDC in case the primary becomes unavailable. Also, if you have Kerberos clients that are on different networks (possibly separated by routers using NAT), it is wise to place a secondary KDC in each of those networks.

1. First, install the packages, and when asked for the Kerberos and Admin server names enter the name of the Primary KDC:

sudo apt-get install krb5-kdc krb5-admin-server

2. Once you have the packages installed, create the Secondary KDC's host principal. From a terminal prompt, enter:

kadmin -q "addprinc -randkey host/kdc02.example.com"

After issuing any kadmin command you will be prompted for your username/admin@EXAMPLE.COM principal password.

3. Extract the keytab file:

kadmin -q "ktadd -norandkey -k keytab.kdc02 host/kdc02.example.com"

4. There should now be a keytab.kdc02 in the current directory; move it to /etc/krb5.keytab on the secondary (it contains the host key, so make sure only root can read it):

sudo mv keytab.kdc02 /etc/krb5.keytab

If the path of the keytab.kdc02 file is different adjust accordingly.

Also, you can list the principals in a keytab file, which can be useful when troubleshooting, using the klist utility:

sudo klist -k /etc/krb5.keytab

The -k option indicates the file is a keytab file.

5. Next, there needs to be a kpropd.acl file on each KDC that lists all KDCs for the Realm. For example, on both primary and secondary KDC, create /etc/krb5kdc/kpropd.acl:

host/kdc01.example.com@EXAMPLE.COM
host/kdc02.example.com@EXAMPLE.COM

6. Create an empty database on the Secondary KDC:

sudo kdb5_util -s create

7. Now start the kpropd daemon, which listens for connections from the kprop utility. kprop is used to transfer dump files:

sudo kpropd -S

8. From a terminal on the Primary KDC, create a dump file of the principal database:

sudo kdb5_util dump /var/lib/krb5kdc/dump

9. Extract the Primary KDC's keytab file and copy it to /etc/krb5.keytab. Make sure there is a host for kdc01.example.com before extracting the Keytab.

10. Using the kprop utility push the database to the Secondary KDC:

sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com

There should be a SUCCEEDED message if the propagation worked. If there is an error message check /var/log/syslog on the secondary KDC for more information.

You may also want to create a cron job to periodically update the database on the Secondary KDC. For example, the following will push the database every hour (note the long line has been split to fit the page; in the crontab it is one line):

# m h  dom mon dow   command
0 * * * *  /usr/sbin/kdb5_util dump /var/lib/krb5kdc/dump && /usr/sbin/kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com

The dump file contains every principal's keys in a form kpropd accepts as-is, so keep it at the default root-only permissions and do not copy it anywhere else.

11. Back on the Secondary KDC, create a stash file to hold the Kerberos master key:

sudo kdb5_util stash

12. Finally, start the krb5-kdc daemon on the Secondary KDC:

sudo /etc/init.d/krb5-kdc start

The Secondary KDC should now be able to issue tickets for the Realm. You can test this by stopping the krb5-kdc daemon on the Primary KDC, then by using kinit to request a ticket. If all goes well you should receive a ticket from the Secondary KDC. Otherwise, check /var/log/syslog and /var/log/auth.log in the Secondary KDC.
3.4. Kerberos Linux Client

This section covers configuring a Linux system as a Kerberos client. This will allow access to any kerberized services once a user has successfully logged into the system.

3.4.1. Installation

In order to authenticate to a Kerberos Realm, the krb5-user and libpam-krb5 packages are needed, along with a few others that are not strictly necessary but make life easier: auth-client-config, which configures PAM and NSS from profiles, and libpam-ccreds, which caches credentials locally so that users can still log in when the Key Distribution Center (KDC) is unavailable (a cached credential only lets the user into the local machine; it cannot obtain tickets).

Install these packages before continuing.

3.4.2. Configuration

To configure the client in a terminal enter:

sudo dpkg-reconfigure krb5-config

You will then be prompted to enter the name of the Kerberos Realm. Also, if you don't have DNS configured with Kerberos SRV records, the menu will prompt you for the hostname of the Key Distribution Center (KDC) and Realm Administration server.

The dpkg-reconfigure adds entries to the /etc/krb5.conf file for your Realm. You should have entries similar to the following:

[libdefaults]
        default_realm = EXAMPLE.COM
...
[realms]
        EXAMPLE.COM = {
                kdc = 192.168.0.1
                admin_server = 192.168.0.1
        }

If you set the uid of each of your network-authenticated users to start at 5000, as suggested in Section 3.2.1, "Installation" [143], you can then tell pam to only try to authenticate using Kerberos for users with uid > 5000. Edit each of /etc/pam.d/common-auth, common-session, common-account and common-password so that the pam_krb5.so lines carry the option minimum_uid=5000 instead of the default minimum_uid=1000; the same sed expression applied to the four files does it in one loop:

# Kerberos should only be applied to ldap/kerberos users, not local ones.

This will avoid being asked for the (non-existent) Kerberos password of a locally authenticated user when changing its password using passwd.

You can test the configuration by requesting a ticket using the kinit utility. For example:

kinit steve@EXAMPLE.COM
Password for steve@EXAMPLE.COM:

When a ticket has been granted, the details can be viewed using klist:

klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: steve@EXAMPLE.COM

Valid starting     Expires            Service principal

followed by one line per ticket held, the first being the krbtgt/EXAMPLE.COM@EXAMPLE.COM ticket.

Next, use the auth-client-config to configure the libpam-krb5 module to request a ticket during login:

sudo auth-client-config -a -p kerberos_example

You will now receive a ticket upon successful login authentication.

3.5. Resources

For more information on MIT's version of Kerberos, see the MIT Kerberos site: http://web.mit.edu/Kerberos/

The Ubuntu Wiki Kerberos page has more details: https://help.ubuntu.com/community/Kerberos

O'Reilly's Kerberos book is a great reference when setting up Kerberos: http://oreilly.com/catalog/9780596004033/

Also, feel free to stop by the #ubuntu-server and #kerberos IRC channels on Freenode (http://freenode.net/) if you have Kerberos questions.
4. Kerberos and LDAP

Most people will not use Kerberos by itself; once a user is authenticated (Kerberos), we need to figure out what this user can do (authorization). And that would be the job of programs such as LDAP.

Replicating a Kerberos principal database between two servers can be complicated, and adds an additional user database to your network. Fortunately, MIT Kerberos can be configured to use an LDAP directory as a principal database. This section covers configuring a primary and secondary Kerberos server to use OpenLDAP for the principal database.

The examples presented here assume MIT Kerberos and OpenLDAP.

4.1. Configuring OpenLDAP

First, the necessary schema needs to be loaded on an OpenLDAP server that has network connectivity to the Primary and Secondary KDCs. The rest of this section assumes that you also have LDAP replication configured between at least two servers. For information on setting up OpenLDAP see Section 1, "OpenLDAP Server" [107].

It is also required to configure OpenLDAP for TLS and SSL connections, so that traffic between the KDC and LDAP server is encrypted. See Section 1.8, "TLS" [123] for details. This is not optional: the KDC binds with a password and reads principal keys over this connection.

To load the schema into LDAP, on the LDAP server install the krb5-kdc-ldap package. From a terminal enter:

sudo apt-get install krb5-kdc-ldap

The commands below bind to the configuration database as cn=admin,cn=config with a password (-x -D ... -W), rather than with the SASL EXTERNAL/ldapi method used elsewhere in this chapter. This requires a RootDN and password to have been set on cn=config; see the earlier section on slapd configuration.

Next, extract the kerberos.schema.gz file:

sudo gzip -d /usr/share/doc/krb5-kdc-ldap/kerberos.schema.gz
sudo cp /usr/share/doc/krb5-kdc-ldap/kerberos.schema /etc/ldap/schema/

The kerberos schema needs to be added to the cn=config tree. The procedure is similar to the one for other schemas described in Section 1.4, "Modifying the slapd Configuration Database" [113].
1. First, create a configuration file named schema_convert.conf, or a similar descriptive name, containing the following lines:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/kerberos.schema

2. Create a temporary directory to hold the LDIF files:

mkdir /tmp/ldif_output

3. Now use slapcat to convert the schema files: run it with -f schema_convert.conf -F /tmp/ldif_output -n 0, first piped through grep to find the index of the kerberos entry, and then a second time with -H ldap:///cn={N}kerberos,cn=schema,cn=config (N being that index) and -l /tmp/cn\=kerberos.ldif to write just that entry.

Change the above file and path names to match your own if they are different.

4. Edit the generated /tmp/cn\=kerberos.ldif file, changing the following attributes:

dn: cn=kerberos,cn=schema,cn=config
...
cn: kerberos

And remove the following lines from the end of the file:

structuralObjectClass: olcSchemaConfig
entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc
creatorsName: cn=config
createTimestamp: 20090111203515Z
entryCSN: 20090111203515.326445Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20090111203515Z

The attribute values will vary, just be sure the attributes are removed.

5. Load the new schema with ldapadd:

ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\=kerberos.ldif

6. Add an index for the krbPrincipalName attribute, which the KDC looks up on every request:

ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub

modifying entry "olcDatabase={1}hdb,cn=config"

7. Finally, update the Access Control Lists (ACL). The krbPrincipalKey attribute holds each principal's Kerberos keys, so it must get the same "by * none" protection as userPassword; the "-" lines separate the individual modifications in one ldapmodify record:

ldapmodify -x -D cn=admin,cn=config -W
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
-
add: olcAccess
olcAccess: to dn.base="" by * read
-
add: olcAccess
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read

modifying entry "olcDatabase={1}hdb,cn=config"

That's it, your LDAP directory is now ready to serve as a Kerberos principal database.
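The hand edits in step 6 of the Samba schema procedure and step 4 here are the same two operations every time: strip the {N} ordering prefix from the dn and cn lines and drop the operational attributes slapd generated. As an added example (not part of the Ubuntu Server Guide), the following shell helper does both mechanically and can be chained directly after the slapcat commands, which removes the most common cause of a "no such object" or "entry already exists" error when loading a converted schema. The sample entry in the block is constructed for the self-check; a real dump carries many more olcAttributeTypes and olcObjectClasses lines.

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide): normalise a schema entry
# dumped by slapcat from a scratch config directory into an LDIF that
# ldapadd can load into the live cn=config. It does by script what the
# manual steps describe: remove the {N} prefix from dn: and cn:, and delete
# the operational attributes slapd regenerates on load.

OPERATIONAL='^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp):'

# schema_ldif_normalize < raw.ldif > clean.ldif
schema_ldif_normalize() {
    sed -E \
        -e 's/^dn: cn=\{[0-9]+\}/dn: cn=/' \
        -e 's/^cn: \{[0-9]+\}/cn: /' \
        -e "/$OPERATIONAL/d"
}

# schema_index NAME < output-of-slapcat-n0 : print the {N} index of schema NAME
schema_index() {
    sed -nE "s/^dn: cn=\{([0-9]+)\}$1,cn=schema,cn=config\$/\1/p"
}

# convert_schema CONF NAME OUTDIR : the slapcat steps end to end; needs slapd
# installed, so it is not exercised by the self-check. Writes cn=NAME.ldif.
convert_schema() {
    conf="$1"; name="$2"; out="$3"
    mkdir -p "$out"
    idx="$(slapcat -f "$conf" -F "$out" -n 0 | schema_index "$name")"
    [ -n "$idx" ] || { echo "schema $name not found via $conf" >&2; return 1; }
    slapcat -f "$conf" -F "$out" -n 0 -H "ldap:///cn={$idx}$name,cn=schema,cn=config" \
        | schema_ldif_normalize > "cn=$name.ldif"
}

# Constructed sample of what slapcat prints for the samba schema entry.
sample_raw() {
cat <<'EOF'
dn: cn={14}samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {14}samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: b53b75ca-083f-102d-9fff-2f64fd123c95
creatorsName: cn=config
createTimestamp: 20080827045234Z
entryCSN: 20080827045234.341425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080827045234Z
EOF
}

# Usage on a server: convert_schema schema_convert.conf kerberos /tmp/ldif_output
#                    ldapadd -x -D cn=admin,cn=config -W -f cn=kerberos.ldif
if [ "${1:-}" = "--demo" ]; then
    sample_raw | schema_ldif_normalize
fi
```

The ordering prefix is only stripped from the dn and cn lines; the {0}, {1}, ... prefixes on olcAttributeTypes and olcObjectClasses values are legitimate and must stay, since they record the order in which the definitions depend on each other.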
4.2. Primary KDC Configuration

With OpenLDAP configured it is time to configure the KDC.

First, install the necessary packages; from a terminal enter:

sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap

Now edit /etc/krb5.conf, adding the following options in the appropriate sections:

[libdefaults]
        default_realm = EXAMPLE.COM

...

[realms]
        EXAMPLE.COM = {
                kdc = kdc01.example.com
                kdc = kdc02.example.com
                admin_server = kdc01.example.com
                admin_server = kdc02.example.com
                default_domain = example.com
                database_module = openldap_ldapconf
        }

...

[domain_realm]
        .example.com = EXAMPLE.COM

...

[dbdefaults]
        ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                ldap_conns_per_server = 5
        }

Change example.com, dc=example,dc=com, cn=admin,dc=example,dc=com, and ldap01.example.com to the appropriate domain, LDAP object, and LDAP server for your network. As the comments say, the KDC itself only needs read access; the example uses the same admin DN for ldap_kdc_dn and ldap_kadmind_dn for brevity, but a separate read-only DN for the KDC limits what an attacker gains from compromising a KDC host.

Next, use the kdb5_ldap_util utility to create the realm. Because ldap_servers uses ldaps://, the KDC host must first trust the LDAP server's CA. Copy the CA certificate from the LDAP server:

scp ldap01:/etc/ssl/certs/cacert.pem .
sudo cp cacert.pem /etc/ssl/certs

And edit /etc/ldap/ldap.conf to use the certificate:

TLS_CACERT /etc/ssl/certs/cacert.pem

The certificate will also need to be copied to the Secondary KDC, to allow the connection to the LDAP servers using LDAPS.

Now create the realm: run kdb5_ldap_util with -D cn=admin,dc=example,dc=com and its create subcommand, giving the realm with -r EXAMPLE.COM, the subtree the KDC may use with -subtrees dc=example,dc=com, -s to stash the master key, and -H with the ldaps:// URL of the LDAP server. You will be prompted for the LDAP admin password and for a new master password. Then stash the LDAP service password with the stashsrvpw subcommand into /etc/krb5kdc/service.keyfile (the exact command is shown in the Secondary KDC section below; it is the same on the primary), and start krb5-kdc. The service keyfile holds the LDAP bind password in clear text; keep it root-only.

You can now add Kerberos principals to the LDAP database, and they will be copied to any other LDAP servers configured for replication. To add a principal using the kadmin.local utility enter:

sudo kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: addprinc -x dn="uid=steve,ou=people,dc=example,dc=com" steve
WARNING: no policy specified for steve@EXAMPLE.COM; defaulting to no policy
Enter password for principal "steve@EXAMPLE.COM":
Re-enter password for principal "steve@EXAMPLE.COM":
Principal "steve@EXAMPLE.COM" created.

There should now be krbPrincipalName, krbPrincipalKey, krbLastPwdChange, and krbExtraData attributes added to the uid=steve,ou=people,dc=example,dc=com user object. Use the kinit and klist utilities to test that the user is indeed issued a ticket.

If the user object is already created, the -x dn="..." option is needed to add the Kerberos attributes to it. Otherwise a new principal object will be created in the realm subtree.
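Two settings in the [dbmodules] stanza decide whether the LDAP bind password stays private: the scheme of each ldap_servers entry and the permissions on ldap_service_password_file. As an added example (not part of the Ubuntu Server Guide), the shell functions below check both from a krb5.conf before the KDC is started, so a later edit that swaps ldaps:// for ldap:// is caught instead of silently sending the password in the clear. The krb5.conf text in the block is constructed for the self-check; file names and DNs are the guide's.

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide: sanity-check the
# [dbmodules] stanza of a krb5.conf for an LDAP-backed KDC. The KDC's bind
# password is stashed in clear text in ldap_service_password_file and sent
# on every bind, so every ldap_servers entry must use ldaps:// (or the local
# ldapi:// socket), and the stash file, if it exists, must be mode 0600/0400.

# krb5_ldap_servers < krb5.conf : print every URI listed on ldap_servers lines
krb5_ldap_servers() {
    sed -nE 's/^[[:space:]]*ldap_servers[[:space:]]*=[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# krb5_insecure_ldap_servers < krb5.conf : URIs that would carry the bind
# password unencrypted; empty output means the configuration is acceptable
krb5_insecure_ldap_servers() {
    krb5_ldap_servers | grep -Ev '^(ldaps://|ldapi://)' || true
}

# krb5_stash_mode_ok FILE : 0 when FILE does not exist yet (first run) or is
# mode 600 or 400; 1 otherwise
krb5_stash_mode_ok() {
    [ -e "$1" ] || return 0
    mode="$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")"
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# krb5_ldap_check CONF : run both checks, report, exit non-zero on any finding
krb5_ldap_check() {
    rc=0
    bad="$(krb5_insecure_ldap_servers < "$1")"
    if [ -n "$bad" ]; then
        echo "ldap_servers without TLS: $bad" >&2; rc=1
    fi
    stash="$(sed -nE 's/^[[:space:]]*ldap_service_password_file[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)"
    if [ -n "$stash" ] && ! krb5_stash_mode_ok "$stash"; then
        echo "$stash is readable by others" >&2; rc=1
    fi
    return $rc
}

# Constructed sample: the guide's stanza with one server deliberately downgraded.
sample_krb5_conf() {
cat <<'EOF'
[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=com"
                ldap_kadmind_dn = "cn=admin,dc=example,dc=com"
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldaps://ldap01.example.com ldap://ldap02.example.com
                ldap_conns_per_server = 5
        }
EOF
}

# Usage on a KDC: krb5_ldap_check /etc/krb5.conf && /etc/init.d/krb5-kdc start
if [ "${1:-}" = "--demo" ]; then
    sample_krb5_conf > /tmp/krb5.conf.sample
    krb5_ldap_check /tmp/krb5.conf.sample || echo "fix /etc/krb5.conf before starting the KDC"
fi
```

Note that krb5.conf itself also lists the admin DN; the password is not in it, but the stash file is, which is why the mode check matters more than the permissions on krb5.conf.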
4.3. Secondary KDC Configuration

Configuring a secondary KDC using the LDAP backend is similar to configuring one using the normal Kerberos database, but simpler: the LDAP servers already replicate the principal database, so no kprop is involved.

1. First, install the necessary packages. In a terminal enter:

sudo apt-get install krb5-kdc krb5-admin-server krb5-kdc-ldap

2. Next, edit /etc/krb5.conf to use the LDAP backend:

[libdefaults]
        default_realm = EXAMPLE.COM

...

[realms]
        EXAMPLE.COM = {
                kdc = kdc01.example.com
                kdc = kdc02.example.com
                admin_server = kdc01.example.com
                admin_server = kdc02.example.com
                default_domain = example.com
                database_module = openldap_ldapconf
        }

...

[domain_realm]
        .example.com = EXAMPLE.COM

...

[dbdefaults]
        ldap_kerberos_container_dn = dc=example,dc=com

[dbmodules]
        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
                ldap_kadmind_dn = "cn=admin,dc=example,dc=com"

                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldaps://ldap01.example.com ldaps://ldap02.example.com
                ldap_conns_per_server = 5
        }

3. Create the stash for the LDAP password (the last argument is the DN whose password is stashed; you will be prompted for it):

sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com

4. Now, on the Primary KDC copy the /etc/krb5kdc/.k5.EXAMPLE.COM Master Key stash to the Secondary KDC. Be sure to copy the file over an encrypted connection such as scp, or on physical media:

sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~
sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/

Again, replace EXAMPLE.COM with your actual realm. This file is the realm's master key: it should never sit in a user's home directory longer than it takes to move it, and the copy in /etc/krb5kdc must remain owned by root with mode 600. Remove any leftover copy on both hosts.

5. Back on the Secondary KDC, start the Kerberos KDC daemon:

sudo /etc/init.d/krb5-kdc start

6. Test that the Secondary KDC answers: point a client's krb5.conf at kdc02 only (or stop krb5-kdc on the primary) and request a ticket with kinit; klist should then show the ticket, and /var/log/syslog on kdc02 the request.

You should now have redundant KDCs on your network, and with redundant LDAP servers you should be able to continue to authenticate users if one LDAP server, one Kerberos server, or one LDAP and one Kerberos server become unavailable.
4.4. Resources

The Kerberos Admin Guide has some additional details:

Configuring Kerberos with OpenLDAP back-end: http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAPback_002dend

Global operations on the Kerberos LDAP database: http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Global-Operations-on-the-Kerberos-LDAPDatabase

For more information on kdb5_ldap_util see its man page: http://manpages.ubuntu.com/manpages/precise/en/man8/kdb5_ldap_util.8.html

Another useful link is the krb5.conf man page: http://manpages.ubuntu.com/manpages/precise/en/man5/krb5.conf.5.html

Also, see the Kerberos and LDAP page on the Ubuntu wiki: https://help.ubuntu.com/community/Kerberos#kerberos-ldap
8. Domain Name Service (DNS)

Domain Name Service (DNS) is an Internet service that maps IP addresses and fully qualified domain names (FQDN) to one another. In doing so, DNS alleviates the need to remember IP addresses. Computers that run DNS are called name servers. Ubuntu ships with BIND (Berkeley Internet Name Daemon), the most common program used for maintaining a name server on Linux.

1. Installation

At a terminal prompt, enter the following command to install the DNS server:

sudo apt-get install bind9

A very useful package for testing and troubleshooting DNS issues is the dnsutils package. Very often these tools will be installed already, but to check and/or install dnsutils enter the following:

sudo apt-get install dnsutils

2. Configuration

There are many ways to configure BIND9. Some of the most common configurations are a caching nameserver, primary master, and secondary master.

When configured as a caching nameserver BIND9 will find the answer to name queries and remember the answer when the domain is queried again.

As a primary master server BIND9 reads the data for a zone from a file on its host and is authoritative for that zone.

In a secondary master configuration BIND9 gets the zone data from another nameserver authoritative for the zone.

2.1. Overview

The DNS configuration files are stored in the /etc/bind directory. The primary configuration file is /etc/bind/named.conf.

The include line specifies the filename which contains the DNS options. The directory line in the /etc/bind/named.conf.options file tells DNS where to look for files. All files BIND uses will be relative to this directory.

The file named /etc/bind/db.root describes the root nameservers in the world. The servers change over time, so the /etc/bind/db.root file must be maintained now and then. This is usually done as updates to the bind9 package.

The zone section defines a master server, and it is stored in a file mentioned in the file option.

It is possible to configure the same server to be a caching name server, primary master, and secondary master. A server can be the Start of Authority (SOA) for one zone, while providing secondary service for another zone, and caching for hosts on the local LAN.
2.2. Caching Nameserver

The default configuration is setup to act as a caching server. All that is required is simply adding the IP addresses of your ISP's DNS servers. Simply uncomment and edit the following in /etc/bind/named.conf.options:

forwarders {
        1.2.3.4;
        5.6.7.8;
};

Replace 1.2.3.4 and 5.6.7.8 with the IP addresses of actual nameservers. A caching server should only answer hosts on your own network; an open resolver on the Internet gets used for amplification attacks, so restrict who may query it (allow-query or a firewall rule) before exposing port 53.

2.3. Primary Master

In this section BIND9 will be configured as the Primary Master for the domain example.com. Simply replace example.com with your FQDN (Fully Qualified Domain Name).

2.3.1. Forward Zone File

To add a DNS zone to BIND9, turning BIND9 into a Primary Master server, the first step is to edit /etc/bind/named.conf.local:

zone "example.com" {
        type master;
        file "/etc/bind/db.example.com";
};

Now use an existing zone file as a template to create the /etc/bind/db.example.com file:

sudo cp /etc/bind/db.local /etc/bind/db.example.com

Edit the new zone file /etc/bind/db.example.com, changing localhost. to the FQDN of your server, leaving the additional "." at the end. Change 127.0.0.1 to the nameserver's IP address and root.localhost to a valid email address, but with a "." instead of the usual "@" symbol, again leaving the "." at the end. Change the comment to indicate the domain that this file is for.

Create an A record for the base domain, example.com. Also, create an A record for ns.example.com, the name server in this example:

;
; BIND data file for example.com
;
$TTL    604800
@       IN      SOA     example.com. root.example.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.example.com.
@       IN      A       192.168.1.10
@       IN      AAAA    ::1
ns      IN      A       192.168.1.10

You must increment the Serial Number every time you make changes to the zone file. If you make multiple changes before restarting BIND9, simply increment the Serial once. Secondary servers decide whether to transfer the zone by comparing serials, so a forgotten increment leaves them serving stale data indefinitely.

Now, you can add DNS records to the bottom of the zone file. See Section 4.1, "Common Record Types" [170] for details.

Many admins like to use the last date edited as the serial of a zone, such as 2012010100 which is yyyymmddss (where ss is the Serial Number).

Once you have made changes to the zone file BIND9 needs to be restarted for the changes to take effect:

sudo service bind9 restart
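The yyyymmddss convention is easy to describe and easy to get wrong by hand (an edit that forgets to increment, or a date-based value smaller than an old counter-style serial, both leave secondaries stale). The following is an added example, not part of the Ubuntu Server Guide: a shell function that reads the current serial from a zone file, computes the next yyyymmddss value for a given date, refuses to produce a serial that is not larger than the old one, and rewrites the file. The zone text is the guide's example; the date is passed in as an argument so the result is reproducible.

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide: bump the SOA serial of a
# BIND zone file using the yyyymmddss convention. ss counts edits on the
# same day (01..99). BIND compares serials as integers when deciding whether
# a secondary must transfer the zone, so the new value must always be larger.

# zone_serial < db.example.com : print the current serial (the number on the "; Serial" line)
zone_serial() {
    awk '/;[[:space:]]*Serial/ { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }'
}

# next_serial OLD YYYYMMDD : print the new serial, or fail with a message
next_serial() {
    old="$1"; today="$2"
    case "$old" in
        "$today"[0-9][0-9])
            ss="${old#"$today"}"; ss="${ss#0}"       # same day: bump the two-digit counter
            ss=$((ss + 1)) ;;
        *)  ss=1 ;;                                   # first edit today
    esac
    [ "$ss" -le 99 ] || { echo "more than 99 edits on $today" >&2; return 1; }
    new="$(printf '%s%02d' "$today" "$ss")"
    [ "$new" -gt "$old" ] || { echo "serial $new would not be greater than $old" >&2; return 1; }
    echo "$new"
}

# bump_zone_serial YYYYMMDD < db.in > db.out : rewrite only the serial line
bump_zone_serial() {
    today="$1"
    zone="$(cat)"
    cur="$(printf '%s\n' "$zone" | zone_serial)"
    [ -n "$cur" ] || { echo "no '; Serial' line found" >&2; return 1; }
    new="$(next_serial "$cur" "$today")" || return 1
    printf '%s\n' "$zone" | awk -v o="$cur" -v n="$new" '
        /;[[:space:]]*Serial/ && !done {
            p = index($0, o)
            $0 = substr($0, 1, p - 1) n substr($0, p + length(o))
            done = 1
        }
        { print }'
}

# The guide's forward zone (constructed copy for the self-check).
sample_zone() {
cat <<'EOF'
$TTL    604800
@       IN      SOA     example.com. root.example.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.example.com.
@       IN      A       192.168.1.10
EOF
}

# Usage after editing records (run named-checkzone on the result before reloading):
#   bump_zone_serial "$(date +%Y%m%d)" < /etc/bind/db.example.com > /tmp/db.new
if [ "${1:-}" = "--demo" ]; then
    sample_zone | bump_zone_serial 20120101 | grep Serial
fi
```

The refusal in next_serial is the important part: a zone whose serial was once set to a counter like 2147000000 cannot simply switch to dates, because every date-based value is smaller and the secondaries would never transfer again; that case needs the RFC 1982 wrap-around procedure rather than a plain rewrite.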
2.3.2. Reverse Zone File

Now that the zone is setup and resolving names to IP addresses, a Reverse zone is also required. A Reverse zone allows DNS to resolve an address to a name.

Edit /etc/bind/named.conf.local and add the following:

zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192";
};

Replace 1.168.192 with the first three octets of whatever network you are using, in reverse order. Also, name the zone file /etc/bind/db.192 appropriately.

Now create the /etc/bind/db.192 file:

sudo cp /etc/bind/db.127 /etc/bind/db.192

Next edit /etc/bind/db.192, changing the basically the same options as /etc/bind/db.example.com:

;
; BIND reverse data file for local 192.168.1.XXX net
;
$TTL    604800
@       IN      SOA     ns.example.com. root.example.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.
10      IN      PTR     ns.example.com.

The Serial Number in the Reverse zone needs to be incremented on each change as well. For each A record you configure in /etc/bind/db.example.com, that is for a different address, you need to create a PTR record in /etc/bind/db.192.

After creating the reverse zone file restart BIND9:

sudo service bind9 restart
2.4. Secondary Master

Once a Primary Master has been configured a Secondary Master is needed in order to maintain the availability of the domain should the Primary become unavailable.

First, on the Primary Master server, the zone transfer needs to be allowed. Add the allow-transfer option to the example Forward and Reverse zone definitions in /etc/bind/named.conf.local:

zone "example.com" {
        type master;
        file "/etc/bind/db.example.com";
        allow-transfer { 192.168.1.11; };
};

zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192";
        allow-transfer { 192.168.1.11; };
};

Replace 192.168.1.11 with the IP address of your Secondary nameserver. Without allow-transfer BIND would let any host pull the whole zone, which hands an attacker a complete inventory of your hosts; keep the list to your secondaries only.

Restart BIND9 on the Primary Master:

sudo service bind9 restart

Next, on the Secondary Master, install the bind9 package the same way as on the Primary. Then edit the /etc/bind/named.conf.local and add the following declarations for the Forward and Reverse zones:

zone "example.com" {
        type slave;
        file "db.example.com";
        masters { 192.168.1.10; };
};

zone "1.168.192.in-addr.arpa" {
        type slave;
        file "db.192";
        masters { 192.168.1.10; };
};

Replace 192.168.1.10 with the IP address of your Primary nameserver.

Restart BIND9 on the Secondary Master:

sudo service bind9 restart

In /var/log/syslog you should see something similar to (some lines have been split to fit the format of this document):

client 192.168.1.10#39448: received notify for zone '1.168.192.in-addr.arpa'
zone 1.168.192.in-addr.arpa/IN: Transfer started.
transfer of '1.168.192.in-addr.arpa/IN' from 192.168.1.10#53: connected using 192.168.1.11#37531
zone 1.168.192.in-addr.arpa/IN: transferred serial 5
transfer of '1.168.192.in-addr.arpa/IN' from 192.168.1.10#53: Transfer completed: 1 messages,
6 records, 212 bytes, 0.002 secs (106000 bytes/sec)
zone 1.168.192.in-addr.arpa/IN: sending notifies (serial 5)

client 192.168.1.10#20329: received notify for zone 'example.com'
zone example.com/IN: Transfer started.
transfer of 'example.com/IN' from 192.168.1.10#53: connected using 192.168.1.11#38577
zone example.com/IN: transferred serial 5
transfer of 'example.com/IN' from 192.168.1.10#53: Transfer completed: 1 messages,
8 records, 225 bytes, 0.002 secs (112500 bytes/sec)

Note: A zone is only transferred if the Serial Number on the Primary is larger than the one on the Secondary. If you want to have your Primary Master DNS notifying Secondary DNS Servers of zone changes, you can add also-notify { ipaddress; }; to /etc/bind/named.conf.local as shown in the example below:

zone "example.com" {
        type master;
        file "/etc/bind/db.example.com";
        allow-transfer { 192.168.1.11; };
        also-notify { 192.168.1.11; };
};

zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192";
        allow-transfer { 192.168.1.11; };
        also-notify { 192.168.1.11; };
};

Note: The default directory for non-authoritative zone files is /var/cache/bind/. This directory is also configured in AppArmor to allow the named daemon to write to it. For more information on AppArmor see Section 4, "AppArmor" [189].
3. Troubleshooting

This section covers ways to help determine the cause when problems happen with DNS and BIND9.

3.1. Testing

3.1.1. resolv.conf

The first step in testing BIND9 is to add the nameserver's IP address to a hosts resolver. The Primary nameserver should be configured as well as another host to double check things. Edit /etc/resolv.conf and add the following:

nameserver 192.168.1.10
nameserver 192.168.1.11

You should also add the IP address of the Secondary nameserver in case the Primary becomes unavailable. On Ubuntu 12.04 /etc/resolv.conf is generated by resolvconf, so a hand edit is overwritten at the next network change; put dns-nameservers lines in /etc/network/interfaces instead to make the setting permanent.

3.1.2. dig

If you installed the dnsutils package you can test your setup using the DNS lookup utility dig:

After installing BIND9 use dig against the loopback interface to make sure it is listening on port 53. From a terminal prompt:

dig -x 127.0.0.1

You should see lines similar to the following in the command output:

;; Query time: 1 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)

If you have configured BIND9 as a Caching nameserver, "dig" an outside domain to check the query time:

dig ubuntu.com

Note the query time toward the end of the command output:

;; Query time: 49 msec

After a second dig there should be improvement:

;; Query time: 1 msec

3.1.3. ping

Now to demonstrate how applications make use of DNS to resolve a host name use the ping utility to send an ICMP echo request. From a terminal prompt enter:

ping example.com

This tests if the nameserver can resolve the name ns.example.com to an IP address. The command output should resemble:

PING ns.example.com (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.800 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=0.813 ms

3.1.4. named-checkzone

A great way to test your zone files is by using the named-checkzone utility installed with the bind9 package. This utility allows you to make sure the configuration is correct before restarting BIND9 and making the changes live.

To test our example Forward zone file enter the following from a command prompt:

named-checkzone example.com /etc/bind/db.example.com

If everything is configured correctly you should see output similar to:

zone example.com/IN: loaded serial 6
OK

Similarly, to test the Reverse zone file enter the following:

named-checkzone 1.168.192.in-addr.arpa /etc/bind/db.192

The output should be similar to:

zone 1.168.192.in-addr.arpa/IN: loaded serial 3
OK

The Serial Number of your zone file will probably be different.

3.2. Logging

BIND9 has a wide variety of logging configuration options available. There are two main options. The logging option configures which information is logged (the category), and the channel option configures where the information goes.

If no logging option is configured the default option is:

logging {
     category default { default_syslog; default_debug; };
     category unmatched { null; };
};

This section covers configuring BIND9 to log DNS queries to a separate file; query logs are the first place to look when a resolver is being abused or a host starts looking up names it should not. This is helpful in tracking down DNS issues as well.

First, we need to configure a channel to specify which file to send the messages to. Edit /etc/bind/named.conf.local and add the following:

logging {
    channel query.log {
        file "/var/log/query.log";
        severity debug 3;
    };
};

Next, configure a category to send all DNS queries to the query file:

logging {
    channel query.log {
        file "/var/log/query.log";
        severity debug 3;
    };
    category queries { query.log; };
};

Note: the debug option can be set from 1 to 3. If a level isn't specified level 1 is the default.

Since the named daemon runs as the bind user the /var/log/query.log file must be created and the ownership changed:

sudo touch /var/log/query.log
sudo chown bind /var/log/query.log

Before the named daemon can write to the new log file the AppArmor profile must be updated. First, edit /etc/apparmor.d/usr.sbin.named and add:

/var/log/query.log w,

Next, reload the profile:

cat /etc/apparmor.d/usr.sbin.named | sudo apparmor_parser -r

For more information on AppArmor see Section 4, "AppArmor" [189].

Now restart BIND9 for the changes to take effect:

sudo service bind9 restart

You should see the file /var/log/query.log fill with query information. This is a simple example of the BIND9 logging options. For coverage of advanced options see Section 4.2, "More Information" [170].
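Once queries are being written to /var/log/query.log the useful next step is to summarise them. The following is an added example, not part of the Ubuntu Server Guide: two shell functions that count queries per client and list the distinct names one client asked for, which is enough to spot a host hammering the resolver or walking through names. The log lines in the block are constructed for the self-check; they follow the "client ...: query: ..." layout BIND 9 writes for the queries category, including the newer variant that inserts an @0x... token and the queried name after the client address.

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide: summarise a BIND 9 query
# log. Handles both "client IP#PORT: query: NAME ..." and the newer
# "client @0x... IP#PORT (NAME): query: NAME ..." layouts.

# bind_query_clients < query.log : "count ip" per client, busiest first
bind_query_clients() {
    awk '
        /: query: / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "client") {
                ip = $(i + 1); if (ip ~ /^@/) ip = $(i + 2); break
            }
            if (ip == "") next
            sub(/#.*/, "", ip)          # strip the source port
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# bind_query_names IP < query.log : distinct names that IP queried, in first-seen order
bind_query_names() {
    awk -v want="$1" '
        /: query: / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "client") {
                ip = $(i + 1); if (ip ~ /^@/) ip = $(i + 2); break
            }
            sub(/#.*/, "", ip)
            if (ip != want) next
            for (i = 1; i <= NF; i++) if ($i == "query:") { name = $(i + 1); break }
            if (!(name in seen)) { seen[name] = 1; print name }
        }'
}

# Constructed sample log (two clients, two line layouts).
sample_querylog() {
cat <<'EOF'
Jan  5 10:00:01 ns named[1234]: client 192.168.1.50#45678: query: www.example.com IN A + (192.168.1.10)
Jan  5 10:00:01 ns named[1234]: client 192.168.1.50#45679: query: mail.example.com IN MX + (192.168.1.10)
Jan  5 10:00:02 ns named[1234]: client 192.168.1.60#51000: query: example.com IN NS + (192.168.1.10)
Jan  5 10:00:03 ns named[1234]: client 192.168.1.50#45680: query: www.example.com IN AAAA + (192.168.1.10)
Jan  5 10:00:04 ns named[1234]: client @0x7f3c2c0 192.168.1.60#51001 (ns.example.com): query: ns.example.com IN A +E(0)K (192.168.1.10)
EOF
}

# Usage on the server: bind_query_clients < /var/log/query.log | head
#                      bind_query_names 192.168.1.50 < /var/log/query.log
if [ "${1:-}" = "--demo" ]; then
    sample_querylog | bind_query_clients
fi
```

A client whose distinct-name count is far higher than its neighbours', or whose names look random, is worth a closer look: that pattern is what DNS tunnelling and malware name-generation algorithms leave behind in a resolver's log.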
4. References

4.1. Common Record Types

This section covers some of the most common DNS record types.

A record: This record maps an IP address to a hostname.

www      IN      A       192.168.1.12

CNAME record: Used to create an alias to an existing A record. You cannot create a CNAME record pointing to another CNAME record.

web      IN      CNAME   www

MX record: Used to define where email should be sent to. Must point to an A record, not a CNAME.

         IN      MX      10      mail.example.com.
mail     IN      A       192.168.1.13

NS record: Used to define which servers serve copies of a zone. It must point to an A record, not a CNAME. This is where Primary and Secondary servers are defined.

         IN      NS      ns.example.com.
         IN      NS      ns2.example.com.
ns       IN      A       192.168.1.10
ns2      IN      A       192.168.1.11

4.2. More Information

The DNS HOWTO explains more advanced options for configuring BIND9: http://www.tldp.org/HOWTO/DNS-HOWTO.html

For in-depth coverage of DNS and BIND9 see Bind9.net: http://www.bind9.net/

O'Reilly's DNS and BIND is a popular book now in its fifth edition: http://www.oreilly.com/catalog/dns5/index.html

A great place to ask for BIND9 assistance, and get involved with the Ubuntu Server community, is the #ubuntu-server IRC channel on freenode: http://freenode.net

Also, see the BIND9 Server HOWTO in the Ubuntu Wiki: https://help.ubuntu.com/community/BIND9ServerHowto
9. Security

Security should always be considered when installing, deploying, and using any type of computer system. Although a fresh installation of Ubuntu is relatively safe for immediate use on the Internet, it is important to have a balanced understanding of your system's security posture based on how it will be used after deployment.

This chapter provides an overview of security-related topics as they pertain to Ubuntu 12.04 LTS Server Edition, and outlines simple measures you may use to protect your server and network from any number of potential security threats.

1. User Management

User management is a critical part of maintaining a secure system. Ineffective user and privilege management often lead many systems into being compromised. Therefore, it is important that you understand how you can protect your server through simple and effective user account management techniques.

1.1. Where is root?

Ubuntu developers made a conscientious decision to disable the administrative root account by default in all Ubuntu installations. This does not mean that the root account has been deleted or that it may not be accessed. It merely has been given a password which matches no possible encrypted value, therefore may not log in directly by itself.

Instead, users are encouraged to make use of a tool by the name of sudo to carry out system administrative duties. Sudo allows an authorized user to temporarily elevate their privileges using their own password instead of having to know the password belonging to the root account. This simple yet effective methodology provides accountability for all user actions, and gives the administrator granular control over which actions a user can perform with said privileges.

If for some reason you wish to enable the root account, simply give it a password:

sudo passwd

Sudo will prompt you for your password, and then ask you to supply a new password for root as shown below:

[sudo] password for username: (enter your own password)
Enter new UNIX password: (enter a new password for root)
Retype new UNIX password: (repeat new password for root)
passwd: password updated successfully

To disable the root account password, use the following passwd syntax:

sudo passwd -l root

You should read more on Sudo by checking out its man page:

man sudo

By default, the initial user created by the Ubuntu installer is a member of the group "admin", which is added to the file /etc/sudoers as an authorized sudo user. If you wish to give any other account full root access through sudo, simply add them to the admin group. On Ubuntu 12.04 the installer actually uses the "sudo" group for this purpose; "admin" is kept in /etc/sudoers for compatibility, so membership of either grants full root access and should be reviewed like any other privilege.
1.2. Adding and Deleting Users

The process for managing local users and groups is straightforward and differs very little from most other GNU/Linux operating systems. Ubuntu and other Debian based distributions encourage the use of the "adduser" package for account management.

To add a user account, use the following syntax, and follow the prompts to give the account a password and identifiable characteristics, such as a full name, phone number, etc.

sudo adduser username

To delete a user account and its primary group, use the following syntax:

sudo deluser username

Deleting an account does not remove their respective home folder. It is up to you whether or not you wish to delete the folder manually or keep it according to your desired retention policies.

Remember, any user added later on with the same UID/GID as the previous owner will now have access to this folder if you have not taken the necessary precautions.

You may want to change these UID/GID values to something more appropriate, such as the root account, and perhaps even relocate the folder to avoid future conflicts:

sudo chown -R root:root /home/username/
sudo mkdir /home/archived_users/
sudo mv /home/username /home/archived_users/

To temporarily lock or unlock a user account, use the -l and -u options of passwd respectively; a locked account cannot log in with its password but keeps its files and group memberships.

To add or delete a personalized group, use the following syntax, respectively:

sudo addgroup groupname
sudo delgroup groupname

To add a user to a group, use the following syntax:

sudo adduser username groupname
1.3. User Profile Security

When a new user is created, the adduser utility creates a brand new home directory named /home/username. The default profile is modelled after the contents found in the directory of /etc/skel, which includes all profile basics.

If your server will be home to multiple users, you should pay close attention to the user home directory permissions to ensure confidentiality. By default, user home directories in Ubuntu are created with world read/execute permissions. This means that all users can browse and access the contents of other users' home directories. This may not be suitable for your environment.

To verify your current home directory permissions, use the following syntax:

ls -ld /home/username

The following output shows that the directory /home/username has world-readable permissions:

drwxr-xr-x  2 username username    4096 2007-10-02 20:03 username

You can remove the world readable-permissions using the following syntax:

sudo chmod 0750 /home/username

Note: Some people tend to use the recursive option (-R) indiscriminately which modifies all child folders and files, but this is not necessary, and may yield other undesirable results. The parent directory alone is sufficient for preventing unauthorized access to anything below the parent.

A much more efficient approach to the matter would be to modify the adduser global default permissions when creating user home folders. Simply edit the file /etc/adduser.conf and modify the DIR_MODE variable to something appropriate, so that all new home directories will receive the correct permissions.

DIR_MODE=0750

After correcting the directory permissions using any of the previously mentioned techniques, verify the results using the following syntax:

ls -ld /home/username

The results below show that world-readable permissions have been removed:

drwxr-x---   2 username username    4096 2007-10-02 20:03 username
1.4. Password Policy

A strong password policy is one of the most important aspects of your security posture. Many successful security breaches involve simple brute force and dictionary attacks against weak passwords. If you intend to offer any form of remote access involving your local password system, make sure you adequately address minimum password complexity requirements, maximum password lifetimes, and frequent audits of your authentication systems.

1.4.1. Minimum Password Length

By default, Ubuntu requires a minimum password length of 6 characters, as well as some basic entropy checks. These values are controlled in the file /etc/pam.d/common-password, which is outlined below.

password        [success=2 default=ignore]      pam_unix.so obscure sha512

If you would like to adjust the minimum length to 8 characters, change the appropriate variable to minlen=8. The modification is outlined below.

password        [success=2 default=ignore]      pam_unix.so obscure sha512 minlen=8

Note: Basic password entropy checks and minimum length rules do not apply to the administrator using sudo level commands to setup a new user, and the checks performed by pam_unix are basic; for complexity rules (character classes, dictionary checks) use the libpam-cracklib module in addition.

1.4.2. Password Expiration

When creating user accounts, you should make it a policy to have a minimum and maximum password age forcing users to change their passwords when they expire.

To easily view the current status of a user account, use the following syntax:

sudo chage -l username

The output below shows interesting facts about the user account, namely that there are no policies applied:

Last password change                                    : Jan 20, 2008
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

To set any of these values, simply use the following syntax, and follow the interactive prompts:

sudo chage username

The following is also an example of how you can manually change the explicit expiration date (-E) to 01/31/2011, minimum password age (-m) of 5 days, maximum password age (-M) of 90 days, inactivity period (-I) of 30 days after password expiration, and a warning time period (-W) of 14 days before password expiration.

sudo chage -E 01/31/2011 -m 5 -M 90 -I 30 -W 14 username

To verify changes, use the same syntax as mentioned previously:

sudo chage -l username

The output below shows the new policies that have been established for the account:

Last password change                                    : Jan 20, 2008
Password expires                                        : Apr 19, 2008
Password inactive                                       : May 19, 2008
Account expires                                         : Jan 31, 2011
Minimum number of days between password change          : 5
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 14
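chage -l shows one account at a time; the audit the section recommends means looking at all of them. The following is an added example, not part of the Ubuntu Server Guide: a shell function that reads the same ageing fields chage reports straight from /etc/shadow for every ordinary (UID 1000 and above) account and flags the ones with no expiry, an over-long maximum age, an empty password, or an old MD5 hash. The passwd and shadow excerpts are constructed for the self-check; on a real system the function needs root to read /etc/shadow.

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide): audit password ageing
# for ordinary accounts. shadow fields:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Findings, one per line as "user reason":
#   empty-password   - no hash at all (password-less login)
#   no-expiry        - max age empty or 99999, the chage default
#   expiry-over-90d  - max age above the 90 days used in the text
#   md5-hash         - $1$ hash, weak compared to the sha512 default

# shadow_audit PASSWD_FILE SHADOW_FILE
shadow_audit() {
    awk -F: -v minuid=1000 '
        FNR == NR {                                   # first file: passwd, pick human uids
            if ($3 >= minuid && $3 != 65534) human[$1] = 1
            next
        }
        !($1 in human) { next }                       # second file: shadow
        {
            user = $1; hash = $2; max = $5
            if (hash == "") { print user, "empty-password" }
            else if (hash !~ /^[!*]/) {               # locked (!) or no-login (*) accounts are fine
                if (max == "" || max >= 99999) print user, "no-expiry"
                else if (max > 90)             print user, "expiry-over-90d"
            }
            if (hash ~ /^\$1\$/) print user, "md5-hash"
        }' "$1" "$2"
}

# Constructed sample files written to DIR (the hashes are placeholders).
sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
dave:x:1003:1003::/home/dave:/bin/bash
svc:x:1004:1004::/var/lib/svc:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
EOF
    cat > "$1/shadow" <<'EOF'
root:*:15000:0:99999:7:::
alice:$6$saltsalt$hashhash:15000:5:90:14:30::
bob:$6$saltsalt$hashhash:15000:0:99999:7:::
carol:$6$saltsalt$hashhash:15000:0:180:7:::
dave:$1$saltsalt$hashhash:15000:0:90:7:::
svc:!:15000:0:99999:7:::
EOF
}

# Usage on a server (as root): shadow_audit /etc/passwd /etc/shadow
if [ "${1:-}" = "--demo" ]; then
    d="$(mktemp -d)"; sample_files "$d"
    shadow_audit "$d/passwd" "$d/shadow"
    rm -rf "$d"
fi
```

Each finding maps to a chage or passwd command from the section: no-expiry and expiry-over-90d are fixed with chage -M, an md5 hash goes away the next time the user changes the password under the sha512 setting in common-password, and an empty password should be locked immediately with passwd -l.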
1.5. Other Security Considerations

Many applications use alternate authentication mechanisms that can be easily overlooked by even experienced system administrators. Therefore, it is important to understand and control how users authenticate and gain access to services and applications on your server.

1.5.1. SSH Access by Disabled Users

Simply disabling/locking a user account will not prevent a user from logging into your server remotely if they have previously set up RSA public key authentication. They will still be able to gain shell access to the server, without the need for any password. Remember to check the users home directory for files that will allow for this type of authenticated SSH access, e.g. /home/username/.ssh/authorized_keys.

Remove or rename the directory .ssh/ in the user's home folder to prevent further SSH authentication capabilities.

Be sure to check for any established SSH connections by the disabled user, as it is possible they may have existing inbound or outbound connections. Kill any that are found.

Restrict SSH access to only user accounts that should have it. For example, you may create a group called "sshlogin" and add the group name as the value associated with the AllowGroups variable located in the file /etc/ssh/sshd_config.

AllowGroups sshlogin

Then add your permitted SSH users to the group "sshlogin", and restart the SSH service. Removing a user from that group is then enough to stop new SSH logins regardless of keys left in the home directory.

1.5.2. External User Database Authentication

Most enterprise networks require centralized authentication and access controls for all system resources. If you have configured your server to authenticate users against external databases, be sure to disable the user accounts both externally and locally. This way you ensure that local fallback authentication is not possible.

2. Console Security

As with any other security barrier you put in place to protect your server, it is pretty tough to defend against untold damage caused by someone with physical access to your environment, for example, theft of hard drives, power and service disruption, and so on. Therefore, console security should be addressed merely as one component of your overall physical security strategy.

A locked "screen door" may deter a casual criminal, or at the very least slow down a determined one, so it is still advisable to perform basic precautions with regard to console security.

2.1. Disable Ctrl+Alt+Delete

First and foremost, anyone that has physical access to the keyboard can simply use the Ctrl+Alt+Delete key combination to reboot the server without having to log on. Sure, someone could simply unplug the power source, but you should still prevent the use of this key combination on a production server. This forces an attacker to take more drastic measures to reboot the server, and will prevent accidental reboots at the same time.

To disable the reboot action taken by pressing the Ctrl+Alt+Delete key combination, comment out the following line in the file /etc/init/control-alt-delete.conf.

#exec shutdown -r now "Control-Alt-Delete pressed"
3. Firewall

3.1. Introduction

The Linux kernel includes the Netfilter subsystem, which is used to manipulate or decide the fate of network traffic headed into or through your server. All modern Linux firewall solutions use this system for packet filtering.

The kernel's packet filtering system would be of little use to administrators without a userspace interface to manage it. This is the purpose of iptables. When a packet reaches your server, it will be handed off to the Netfilter subsystem for acceptance, manipulation, or rejection based on the rules supplied to it from userspace via iptables. Thus, iptables is all you need to manage your firewall if you're familiar with it, but many frontends are available to simplify the task.

3.2. ufw - Uncomplicated Firewall

The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user friendly way to create an IPv4 or IPv6 host-based firewall. ufw is disabled by default and is turned on with ufw enable; its default policy then denies incoming and allows outgoing traffic, so every service reached from the network needs a rule.

To open a port (ssh in this example):

sudo ufw allow 22

Rules can also be added using a numbered format:

sudo ufw insert 1 allow 80

Similarly, to close an opened port:

sudo ufw deny 22

To remove a rule, use delete followed by the rule:

sudo ufw delete deny 22

It is also possible to allow access from specific hosts or networks to a port. The following example allows ssh access from host 192.168.0.2 to any IP address on this host:

sudo ufw allow proto tcp from 192.168.0.2 to any port 22

Replace 192.168.0.2 with 192.168.0.0/24 to allow ssh access from the entire subnet. A source-restricted rule like this is preferable to the plain allow 22 above for any administrative service.

Adding the --dry-run option to a ufw command will output the resulting rules, but not apply them. For example, the following is what would be applied if opening the HTTP port:

sudo ufw --dry-run allow http
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###

### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0
-A ufw-user-input -p tcp --dport 80 -j ACCEPT

### END RULES ###
-A ufw-user-input -j RETURN
-A ufw-user-output -j RETURN
-A ufw-user-forward -j RETURN
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT]: "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
COMMIT
Rules updated

ufw can be disabled by ufw disable.

To see the firewall status, enter:

sudo ufw status

And for more verbose status information use:

sudo ufw status verbose

To view the numbered format:

sudo ufw status numbered

Note: If the port you want to open or close is defined in /etc/services, you can use the port name instead of the number. In the above examples, replace 22 with ssh.

This is a quick introduction to using ufw. Please refer to the ufw man page for more information.
3.2.1. ufw Application Integration

Applications that open ports can include an ufw profile, which details the ports needed for the application to function properly. The profiles are kept in /etc/ufw/applications.d, and can be edited if the default ports have been changed.

To view which applications have installed a profile, enter the following in a terminal:

sudo ufw app list

Similar to allowing traffic to a port, using an application profile is accomplished by entering:

sudo ufw allow Samba

An extended syntax is available as well:

sudo ufw allow from 192.168.0.0/24 to any app Samba

Replace Samba and 192.168.0.0/24 with the application profile you are using and the IP range for your network.

Note: There is no need to specify the protocol for the application, because that information is detailed in the profile. Also, note that the app name replaces the port number.

To view details about which ports, protocols, etc., are defined for an application, enter:

sudo ufw app info Samba

Not all applications that require opening a network port come with ufw profiles, but if you have profiled an application and want the file to be included with the package, please file a bug against the package in Launchpad:

ubuntu-bug <package-name>
3.3. IP Masquerading

The purpose of IP Masquerading is to allow machines with private, non-routable IP addresses on your network to access the Internet through the machine doing the masquerading. Traffic from your private network destined for the Internet must be manipulated for replies to be routable back to the machine that made the request. To do this, the kernel must modify the source IP address of each packet so that replies will be routed back to it, rather than to the private IP address that made the request, which is impossible over the Internet. Linux uses Connection Tracking (conntrack) to keep track of which connections belong to which machines and reroute each return packet accordingly. Traffic leaving your private network is thus "masqueraded" as having originated from your Ubuntu gateway machine. This process is referred to in Microsoft documentation as Internet Connection Sharing.

3.3.1. ufw Masquerading

IP Masquerading can be achieved using custom ufw rules. This is possible because the current back-end for ufw is iptables-restore with the rules files located in /etc/ufw/*.rules. These files are a great place to add legacy iptables rules used without ufw, and rules that are more network gateway or bridge related.

The rules are split into two different files, rules that should be executed before ufw command line rules, and rules that are executed after ufw command line rules.

First, packet forwarding needs to be enabled in ufw. Two configuration files will need to be adjusted; in /etc/default/ufw change the DEFAULT_FORWARD_POLICY to "ACCEPT":

DEFAULT_FORWARD_POLICY="ACCEPT"

Then edit /etc/ufw/sysctl.conf and uncomment:

net/ipv4/ip_forward=1

Similarly, for IPv6 forwarding uncomment:

net/ipv6/conf/default/forwarding=1

Now add rules to the /etc/ufw/before.rules file. The default rules only configure the filter table, and to enable masquerading the nat table will need to be configured. Add the following to the top of the file just after the header comments:

# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT

The comments are not necessary, but it is considered good practice to document your configuration. Also, when modifying any of the rules files in /etc/ufw, make sure these lines are the last line for each table modified:

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT

For each Table a corresponding COMMIT statement is required. In these examples only the nat and filter tables are shown, but you can also add rules for the raw and mangle tables.

Note: In the above example replace eth0, eth1, and 192.168.0.0/24 with the appropriate interfaces and IP range for your network.

Finally, disable and re-enable ufw to apply the changes:

sudo ufw disable && sudo ufw enable

IP Masquerading should now be enabled. You can also add any additional FORWARD rules to the /etc/ufw/before.rules. It is recommended that these additional rules be added to the ufw-before-forward chain. Masquerading by itself only rewrites source addresses; with DEFAULT_FORWARD_POLICY set to ACCEPT the gateway forwards everything, so add FORWARD rules that restrict which internal hosts may reach the Internet, and what may come back in, rather than relying on the NAT alone.
3.3.2. iptables Masquerading

iptables can also be used to enable Masquerading.

Similar to ufw, the first step is to enable IPv4 packet forwarding by editing /etc/sysctl.conf and uncomment the following line:

net.ipv4.ip_forward=1

If you wish to enable IPv6 forwarding also uncomment:

net.ipv6.conf.default.forwarding=1

Next, execute the sysctl command to enable the new settings in the configuration file:

sudo sysctl -p

IP Masquerading can now be accomplished with a single iptables rule, which may differ slightly based on your network configuration:

sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE

The above command assumes that your private address space is 192.168.0.0/16 and that your Internet-facing device is ppp0. The syntax is broken down as follows:

-t nat: the rule is to go into the nat table
-A POSTROUTING: the rule is to be appended (-A) to the POSTROUTING chain
-s 192.168.0.0/16: the rule applies to traffic originating from the specified address space
-o ppp0: the rule applies to traffic scheduled to be routed through the specified network device
-j MASQUERADE: traffic matching this rule is to "jump" (-j) to the MASQUERADE target to be manipulated as described above

Also, each chain in the filter table (the default table, and where most or all packet filtering occurs) has a default policy of ACCEPT, but if you are creating a firewall in addition to a gateway device, you may have set the policies to DROP or REJECT, in which case your masqueraded traffic needs to be allowed through the FORWARD chain for the above rule to work:

sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT
sudo iptables -A FORWARD -d 192.168.0.0/16 -m state \
--state ESTABLISHED,RELATED -i ppp0 -j ACCEPT

The above commands will allow all connections from your local network to the Internet and all traffic related to those connections to return to the machine that initiated them; unsolicited inbound connections from ppp0 are not matched and fall through to the chain's policy.

If you want masquerading to be enabled on reboot, which you probably do, edit /etc/rc.local and add any commands used above, placed before the final exit 0 line. For example add the first command with no filtering:

iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE
3.4. Logs

Firewall logs are essential for recognizing attacks, troubleshooting your firewall rules, and noticing unusual activity on your network. You must include logging rules in your firewall for them to be generated, though, and logging rules must come before any applicable terminating rule (a rule with a target that decides the fate of the packet, such as ACCEPT, DROP, or REJECT).

If you are using ufw, you can turn on logging by entering the following in a terminal:

sudo ufw logging on

To turn logging off in ufw, simply replace on with off in the above command.

If using iptables instead of ufw, enter:

sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 \
-j LOG --log-prefix "NEW_HTTP_CONN: "

A request on port 80 from the local machine, then, would generate a log in dmesg that looks like this (single line split into 3 to fit this document):

[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00
SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP
SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0

The above log will also appear in /var/log/messages, /var/log/syslog, and /var/log/kern.log. This behavior can be modified by editing the rsyslog configuration in /etc/rsyslog.conf and /etc/rsyslog.d/ (Ubuntu 12.04 uses rsyslog as its syslog daemon) or by installing and configuring ulogd and using the ULOG target instead of LOG. The ulogd daemon is a userspace server that listens for logging instructions from the kernel specifically for firewalls, and can log to any file you like, or even to a PostgreSQL or MySQL database. Making sense of your firewall logs can be simplified by using a log analyzing tool such as logwatch, fwanalog, fwlogwatch, or lire.
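Before reaching for a log analyser it helps to see how little is needed to get the interesting fields out of a LOG line. The following is an added example, not part of the Ubuntu Server Guide: a shell function that extracts the prefix, source, destination, protocol and destination port from netfilter LOG lines as they appear in dmesg or syslog, plus one that ranks the sources hitting a given port. The log lines in the block are constructed for the self-check; their KEY=VALUE layout is the kernel's own.

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide): summarise netfilter LOG
# lines such as the NEW_HTTP_CONN one above, or the "[UFW BLOCK]" lines ufw
# writes when logging is on.

# fwlog_fields < log : "prefix src dst proto dpt" per LOG line
fwlog_fields() {
    awk '
        /IN=/ && /SRC=/ {
            p = $0
            sub(/ IN=.*/, "", p)                 # keep everything before the first IN= field
            sub(/.*kernel: /, "", p)             # drop the syslog prefix, if any
            sub(/^\[[0-9.]+\] */, "", p)         # drop the kernel timestamp
            sub(/:$/, "", p); gsub(/ /, "_", p)  # "NEW_HTTP_CONN", "[UFW_BLOCK]"
            if (p == "") p = "-"
            src = dst = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                n = index($i, "="); if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                if (k == "SRC") src = v; else if (k == "DST") dst = v
                else if (k == "PROTO") proto = v; else if (k == "DPT") dpt = v
            }
            print p, src, dst, proto, dpt
        }'
}

# fwlog_top_sources PORT < log : "count src" for packets to PORT, busiest first
fwlog_top_sources() {
    fwlog_fields | awk -v port="$1" '$5 == port { n[$2]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# Constructed sample: the HTTP line from the text plus three ufw block lines.
sample_fwlog() {
cat <<'EOF'
[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0
Jan  5 10:00:02 fw kernel: [4304886.100000] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.9 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  5 10:00:03 fw kernel: [4304887.100000] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.9 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  5 10:00:04 fw kernel: [4304888.100000] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=3 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
}

# Usage on a server: fwlog_top_sources 22 < /var/log/kern.log | head
if [ "${1:-}" = "--demo" ]; then
    sample_fwlog | fwlog_fields
    sample_fwlog | fwlog_top_sources 22
fi
```

The prefix column is why --log-prefix is worth setting on every LOG rule: without it, lines from different rules are indistinguishable once they land in the same file.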
3.5. Other Tools

There are many tools available to help you construct a complete firewall without intimate knowledge of iptables. For the GUI-inclined:

fwbuilder is very powerful and will look familiar to an administrator who has used a commercial firewall utility such as Checkpoint FireWall-1: http://www.fwbuilder.org/

If you prefer a command-line tool with plain-text configuration files:

Shorewall is a very powerful solution to help you configure an advanced firewall for any network: http://www.shorewall.net/

3.6. References

The Ubuntu Firewall wiki page contains information on the development of ufw: https://wiki.ubuntu.com/UncomplicatedFirewall

Also, the ufw manual page contains some very useful information: man ufw

See the packet-filtering-HOWTO for more information on using iptables: http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html

The nat-HOWTO contains further details on masquerading: http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html

The IPTables HowTo in the Ubuntu wiki is a great resource: https://help.ubuntu.com/community/IptablesHowTo
4. AppArmor
AppArmor Linux (LSM)
. AppArmor
, 1003.1e posix.
AppArmor .
, ,
.
,
apparmor-profiles.
apparmor-profiles :
sudo apt-get install apparmor-profiles
AppArmor :
/ (Complaining/Learning):
. .
/ (Enforced/Confined):
.
4.1. AppArmor
apparmor-utils ,
AppArmor,
, ..
apparmor_status
AppArmor.
sudo apparmor_status
aa-complain .
sudo aa-complain /path/to/bin
aa-enforce .
sudo aa-enforce /path/to/bin
/etc/apparmor.d AppArmor.
.
:
189
sudo aa-complain /etc/apparmor.d/*
:
sudo aa-enforce /etc/apparmor.d/*
apparmor_parser .
-r. :
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
:
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r
/etc/init.d/apparmor
:
sudo /etc/init.d/apparmor reload
/etc/apparmor.d/disable
apparmor_parser -R .
sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/profile.name
/etc/apparmor.d/disable/.
-a.
sudo rm /etc/apparmor.d/disable/profile.name
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
AppArmor ,
, :
sudo /etc/init.d/apparmor stop
sudo update-rc.d -f apparmor remove
AppArmor :
sudo /etc/init.d/apparmor start
sudo update-rc.d apparmor defaults
profile.name ,
. /path/to/bin/
. , ping /bin/ping
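The following is an added example and not part of the Ubuntu Server Guide: a POSIX shell script that reproduces, on a constructed copy of the bin.ping profile, what aa-complain and aa-enforce change in the profile file, so the effect can be inspected on a machine without AppArmor. The real tools additionally reload the profile with apparmor_parser -r. The profile_name helper and the temporary directory layout are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide: reproduce what aa-complain
# and aa-enforce change in a profile file, on a constructed copy of the guide's
# bin.ping profile, so it runs on a machine without AppArmor. The real tools
# additionally reload the profile with "apparmor_parser -r".
set -eu

# Profile file name for an executable path, as the guide describes:
# the leading "/" is dropped and the other "/" become "." (/bin/ping -> bin.ping).
profile_name() {
    printf '%s\n' "$1" | sed -e 's#^/##' -e 's#/#.#g'
}

# Write a constructed copy of the guide's ping profile into directory $1, print its path.
make_sample_profile() {
    f="$1/$(profile_name /bin/ping)"
    cat > "$f" <<'EOF'
#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,

  /bin/ping mixr,
  /etc/modules.conf r,
}
EOF
    printf '%s\n' "$f"
}

# Mode of a profile: "complain" if the header line (the one ending in "{")
# carries complain inside flags=(...), otherwise "enforce".
profile_mode() {
    if grep -E '^[^#]*[{][[:space:]]*$' "$1" | grep -Eq 'flags=\([^)]*complain'; then
        echo complain
    else
        echo enforce
    fi
}

# aa-complain: add complain to the header's flags, keeping any other flags.
set_complain() {
    [ "$(profile_mode "$1")" = complain ] && return 0
    if grep -E '^[^#]*[{][[:space:]]*$' "$1" | grep -q 'flags=('; then
        sed -i -e '/[{][[:space:]]*$/s/flags=(\([^)]*\))/flags=(\1,complain)/' "$1"
    else
        sed -i -e 's/^\([^#].*[^[:space:]]\)[[:space:]]*[{][[:space:]]*$/\1 flags=(complain) {/' "$1"
    fi
}

# aa-enforce: remove complain from the flags, dropping flags=() when it is now empty.
set_enforce() {
    sed -i -e '/[{][[:space:]]*$/{s/,complain)/)/;s/(complain,/(/;s/[[:space:]]*flags=(complain)//;}' "$1"
}
```

Running profile_mode before and after set_enforce on the sample file shows the only difference between the two modes is the flags clause on the header line; the rules themselves are identical, which is why a profile developed in complain mode can be switched to enforce mode without rewriting it.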
4.2.
AppArmor ,
/etc/apparmor.d/.
"/" ".". , /etc/apparmor.d/
bin.ping AppArmor /bin/ping.
:
Path entries: ,
.
Capability entries: ,
.
, /etc/apparmor.d/bin.ping:
#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,

  /bin/ping mixr,
  /etc/modules.conf r,
}
#include <tunables/global>: .
,
.
/bin/ping flags=(complain): ,
complain
capability net_raw,: CAP_NET_RAW Posix.1e.
/bin/ping mixr,:
.
. 4.1,
AppArmor [189] .
4.2.1.
-: ,
. -
.
, .
:
.
.
.
, init.
: aa-genprof,
. :
sudo aa-genprof executable
:
sudo aa-genprof slapd
apparmor-profiles,
7
Launchpad AppArmor :
.
.
4.2.2.
,
. aa-logprof
AppArmor,
. :
sudo aa-logprof
4.3.
8
AppArmor
, AppArmor
9
Ubuntu, AppArmor Community Wiki .
AppArmor OpenSUSE
10
AppArmor .
7. https://bugs.launchpad.net/ubuntu/+source/apparmor/+filebug
8. http://www.novell.com/documentation/apparmor/apparmor201_sp10_admin/index.html?page=/documentation/apparmor/apparmor201_sp10_admin/data/book_apparmor_admin.html
9. https://help.ubuntu.com/community/AppArmor
10. http://en.opensuse.org/SDB:AppArmor_geeks
AppArmor,
11
Ubuntu Server IRC #ubuntu-server freenode .
11. http://freenode.net
5.
.
. .
.
Secure Socket Layer
(SSL) Transport Layer Security (TLS). ,
Apache HTTPS ( HTTP SSL).
, ,
.
,
,
.
(CA).
, , ,
, .
5.1.
, ,
( ),
(CA).
.
.
,
.
HTTPS, CA
, :
()
.
CA
, - .
- ,
SSL, ,
. ,
,
. ,
.
CA .
:
1. , .
2. , .
,
.
3. ,
, CA.
, .
, ,
.
CA, ,
.
4. CA , , ,
.
5.
.
5.2.
(Certificate Signing Request, CSR)
CA ,
.
,
Apache, Postfix, Dovecot .., .
,
.
, .
,
.
,
.
.
(CSR)
:
openssl genrsa -des3 -out server.key 2048
.
.
.
/ .
, .
.
,
server.key.
, ,
:
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
server.key,
CSR .
CSR :
openssl req -new -key server.key -out server.csr
(
- . .). ,
, , .
, CSR
server.csr.
CSR- CA . CA,
CSR-, . ,
, CSR.
5.3.
, ,
:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
.
server.crt.
, , , ,
CA.
.
5.4.
server.key
server.crt, , CA,
:
sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private
,
,
. , Apache HTTPS, Dovecot IMAPS
POP3S ..
5.5.
,
(CA). ,
CA,
,
CA.
1.
CA
:
sudo mkdir /etc/ssl/CA
sudo mkdir /etc/ssl/newcerts
2.
CA :
, CA (
),
, :
sudo sh -c "echo '01' > /etc/ssl/CA/serial"
sudo touch /etc/ssl/CA/index.txt
3.
CA.
, ,
. /etc/ssl/openssl.cnf
[ CA_default ] :
dir = /etc/ssl/ #
database = $dir/CA/index.txt # index.
certificate = $dir/certs/cacert.pem # CA
serial = $dir/CA/serial #
private_key = $dir/private/cakey.pem#
4.
:
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
.
5.
:
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/
6.
. ,
, (CSR),
5.2,
(Certificate Signing Request, CSR) [195].
CSR, ,
:
sudo openssl ca -in server.csr -config /etc/ssl/openssl.cnf
,
, .
.
7.
/etc/ssl/newcerts/01.pem,
, .
, -----BEGIN CERTIFICATE-----
----END CERTIFICATE----- ,
, . , mail.example.com.crt
.
02.pem, 03.pem, ..
mail.example.com.crt .
8.
, ,
,
.
/etc/ssl/certs.
.
, CA,
/etc/ssl/certs/cacert.pem /etc/ssl/certs/ .
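The whole procedure of sections 5.2 to 5.5, written as one POSIX shell script. This is an added example, not the guide's own text: it uses a private directory instead of /etc/ssl so it runs unprivileged, writes the [ CA_default ] section the guide shows into its own openssl.cnf together with the policy and extension sections that openssl ca also needs, creates the CA, issues a server certificate, and then performs the two checks worth doing before copying anything into /etc/ssl: that the certificate verifies against cacert.pem and that the private key matches it. Keys are created without a passphrase, as in the guide's server.key.insecure step. The hostnames, the extra config sections and the directory layout are the example's own assumptions; the openssl command line tool must be installed.

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide: sections 5.2 to 5.5 as one
# script, in a private directory instead of /etc/ssl. Requires openssl.
# Keys are created without a passphrase (the guide's "insecure" copy).
set -eu

# Create the CA layout, database files and config under $1, then the CA itself.
setup_ca() {
    dir=$1
    mkdir -p "$dir/CA" "$dir/newcerts" "$dir/certs" "$dir/private" "$dir/issued"
    echo '01' > "$dir/CA/serial"        # first serial, as in the guide
    : > "$dir/CA/index.txt"             # empty certificate database
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $dir
database        = \$dir/CA/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/certs/cacert.pem
serial          = \$dir/CA/serial
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = server_cert

[ policy_anything ]
commonName              = supplied
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
emailAddress            = optional

[ server_cert ]
basicConstraints        = CA:FALSE
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid

[ req ]
distinguished_name      = req_dn
prompt                  = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
EOF
    openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -extensions v3_ca -days 3650 -config "$dir/openssl.cnf" \
        -key "$dir/private/cakey.pem" -subj "/CN=Example Internal CA" \
        -out "$dir/certs/cacert.pem" 2>/dev/null
}

# Key, CSR and CA-signed certificate for host $2, stored under $1/issued/.
issue_cert() {
    dir=$1; host=$2
    openssl genrsa -out "$dir/issued/$host.key" 2048 2>/dev/null
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/issued/$host.key" \
        -subj "/CN=$host" -out "$dir/issued/$host.csr" 2>/dev/null
    # -notext writes only the PEM block, i.e. what the guide cuts out of newcerts/NN.pem
    openssl ca -batch -notext -config "$dir/openssl.cnf" \
        -in "$dir/issued/$host.csr" -out "$dir/issued/$host.crt" 2>/dev/null
}

# 0 if certificate $2 verifies against CA file $1 and its public key equals that of key $3.
verify_cert() {
    cafile=$1; cert=$2; key=$3
    openssl verify -CAfile "$cafile" "$cert" 2>/dev/null | grep -q ': OK$' || return 1
    [ "$(openssl x509 -in "$cert" -pubkey -noout)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Serial of an issued certificate, e.g. "01" for the first one (newcerts/01.pem).
cert_serial() {
    openssl x509 -in "$1/issued/$2.crt" -noout -serial | sed 's/^serial=//'
}
```

Point the CA at /etc/ssl by using dir = /etc/ssl/ and the guide's paths once the run-through is understood; the serial file and index.txt are what make openssl ca refuse to reuse a serial number, so keep them with the CA key and back them up together.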
5.6.
12
SSL Certificates HOWTO tlpd.org
HTTPS
HTTPS
13
OpenSSL
14
OpenSSL .
Network Security with
15
OpenSSL O'Reilly.
12. http://tldp.org/HOWTO/SSL-Certificates-HOWTO/index.html
13. http://ru.wikipedia.org/wiki/Https
14. http://www.openssl.org/
15. http://oreilly.com/catalog/9780596002701/
6. eCryptfs
eCryptfs POSIX-
Linux.
, eCryptfs
, .
/
home.
,
, .
/srv
eCryptfs.
6.1. eCryptfs
. :
sudo apt-get install ecryptfs-utils
:
sudo mount -t ecryptfs /srv /srv
, ecryptfs
.
, , /srv,
/etc/default /srv:
sudo cp -r /etc/default /srv
/srv :
sudo umount /srv
cat /srv/default/cron
/srv ecryptfs
.
6.2.
,
ecryptfs, .
/root/.ecryptfsrc, ,
, USB .
/root/.ecryptfsrc, :
key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt
ecryptfs_sig=5826dd62cf81c615
ecryptfs_cipher=aes
ecryptfs_key_bytes=16
ecryptfs_passthrough=n
ecryptfs_enable_filename_crypto=n
ecryptfs_sig /
root/.ecryptfs/sig-cache.txt.
/mnt/usb/passwd_file.txt:
passphrase_passwd=[secrets]
/etc/fstab:
/dev/sdb1   /mnt/usb   ext3   ro   0 0
, USB-
.
, /srv
eCryptfs.
6.3.
ecryptfs-utils :
ecryptfs-setup-private: ~/Private,
.
,
.
ecryptfs-mount-private ecryptfs-umount-private:
~/Private.
ecryptfs-add-passphrase: ecryptfs-add-passphrase:
.
ecryptfs-manager: eCryptfs, .
ecryptfs-stat: ecryptfs .
6.4.
eCryptfs
16
Launchpad .
17
16. https://launchpad.net/ecryptfs
17. http://www.linuxjournal.com/article/9400
18. http://manpages.ubuntu.com/manpages/precise/en/man7/ecryptfs.7.html
19. https://help.ubuntu.com/community/eCryptfs
10.
1.
.
,
. Nagios
Munin .
,
server01 server02. Server01 Nagios
server02. server01
munin .
munin-node, server02 server01.
,
.
2. Nagios
2.1.
server01 nagios.
:
sudo apt-get install nagios3 nagios-nrpe-plugin
nagiosadmin.
/etc/nagios3/htpasswd.users.
nagiosadmin
CGI Nagios
htpasswd, apache2-utils. apache2-utils.
, nagiosadmin
:
sudo htpasswd /etc/nagios3/htpasswd.users nagiosadmin
:
sudo htpasswd /etc/nagios3/htpasswd.users steve
, server02 nagios-nrpe-server.
server02 :
sudo apt-get install nagios-nrpe-server
NRPE
.
, Nagios,
.
2.2.
,
Nagios .
/etc/nagios3:
nagios, CGI-, .
/etc/nagios-plugins: .
/etc/nagios:
nagios-nrpe-server.
/usr/lib/nagios/plugins/: .
-h.
: /usr/lib/nagios/plugins/check_dhcp -h
Nagios,
. NagiosNagios
, DNS,
MySQL. DNS
server02, MySQL server01,
server02.
1, HTTPD - Apache2 [213]
Apache, 8,
(DNS) [158] DNS, 1, MySQL [237]
MySQL.
,
Nagios:
Host: , , ..,
.
Host Group: .
-, ..
Service: , . HTTP,
DNS, NFS ..
: .
-.
: , - .
Nagios email, SMS- ..
Nagios HTTP, ,
SSH, ,
(localhost). Nagios
ping.
Nagios .
, ,
,
.
2.3.
1.
server02. ,
server01. :
/etc/nagios3/conf.d/server02.cfg:
define host{
        use                     generic-host
        host_name               server02
        alias                   Server 02
        address                 172.18.100.101
}

# check DNS service.
define service {
        use                     generic-service
        host_name               server02
        service_description     DNS
        check_command           check_dns!172.18.100.101
}
3.
nagios :
sudo /etc/init.d/nagios3 restart
1.
MySQL
/etc/nagios3/conf.d/services_nagios2.cfg:
# check MySQL servers.
define service {
        hostgroup_name          mysql-servers
        service_description     MySQL
        check_command           check_mysql_cmdlinecred!nagios!secret!$HOSTADDRESS$
        use                     generic-service
}
2.
mysql-servers.
/etc/nagios3/conf.d/hostgroups_nagios2.cfg,
:
# MySQL hostgroup.
define hostgroup {
        hostgroup_name  mysql-servers
        alias           MySQL servers
        members         localhost, server02
}
3.
Nagios MySQL.
nagios MySQL :
mysql -u root -p -e "create user nagios identified by 'secret';"
nagios
mysql-servers.
4.
nagios MySQL.
sudo /etc/init.d/nagios3 restart
1.
, NRPE
server02.
server01 /etc/nagios3/conf.d/
server02.cfg:
# NRPE disk check.
define service {
        use                     generic-service
        host_name               server02
        service_description     nrpe-disk
        check_command           check_nrpe_1arg!check_all_disks!172.18.100.101
}
2.
server02 /etc/nagios/nrpe.cfg:
allowed_hosts=172.18.100.100
:
command[check_all_disks]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -e
3.
nagios-nrpe-server:
sudo /etc/init.d/nagios-nrpe-server restart
4.
server01 nagios:
sudo /etc/init.d/nagios3 restart
Nagios CGI. http://server01/
nagios3.
nagiosadmin.
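As an added example, not from the guide, here is a check_disk-style plugin in POSIX shell that shows the contract every command[...] entry in nrpe.cfg must honour: one line of output, optional performance data after "|", and the state carried in the exit code (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). The df output embedded below is constructed, and the free-space thresholds follow the guide's -w 20% -c 10%.

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide: a small check_disk-style
# plugin showing the contract that every command[...] in nrpe.cfg must honour.
# Nagios reads one line of output (optionally followed by "|perfdata") and takes
# the state from the exit code: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
# Thresholds are free-space percentages like the guide's "-w 20% -c 10%".

# Constructed "df -P" output used as sample input (a real plugin would run df -P).
SAMPLE_DF='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda1         20511356 15382002   4080574      80% /
/dev/sdb1        563200000 540672000  22528000      96% /srv
tmpfs              1017220        0   1017220       0% /run/shm'

# Nagios severity order when several filesystems are aggregated:
# CRITICAL beats WARNING beats UNKNOWN beats OK.
rank() { case $1 in 2) echo 3;; 1) echo 2;; 3) echo 1;; *) echo 0;; esac; }
worse() { [ "$(rank "$1")" -ge "$(rank "$2")" ] && echo "$1" || echo "$2"; }

# State for one filesystem given its free percentage and the warn/crit thresholds.
state_for_free() {
    free=$1; warn=$2; crit=$3
    if [ "$free" -lt "$crit" ]; then echo 2
    elif [ "$free" -lt "$warn" ]; then echo 1
    else echo 0; fi
}

# check_all_disks WARN CRIT: reads df -P output on stdin, prints the plugin
# line, returns the Nagios state as its exit status.
check_all_disks() {
    warn=$1; crit=$2; overall=0; detail=""; perf=""
    while read -r fs blocks used avail capacity mount; do
        [ "$fs" = "Filesystem" ] && continue          # skip the df header
        case $capacity in *%) ;; *) overall=$(worse "$overall" 3); continue;; esac
        pct=${capacity%\%}
        free=$((100 - pct))
        st=$(state_for_free "$free" "$warn" "$crit")
        overall=$(worse "$overall" "$st")
        [ "$st" -ne 0 ] && detail="$detail $mount ($free% free)"
        perf="$perf $mount=$free%;$warn;$crit"
    done
    case $overall in
        0) label=OK;; 1) label=WARNING;; 2) label=CRITICAL;; *) label=UNKNOWN;;
    esac
    printf 'DISK %s -%s |%s\n' "$label" "${detail:- all filesystems above thresholds}" "$perf"
    return "$overall"
}

# Stand-alone run on the constructed sample: /srv has 4% free, so the state is CRITICAL.
rc=0
printf '%s\n' "$SAMPLE_DF" | check_all_disks 20 10 || rc=$?
echo "exit status: $rc"
```

On server02 the same shape of script, installed under /usr/lib/nagios/plugins/ and referenced from a command[...] line in /etc/nagios/nrpe.cfg, is what check_nrpe_1arg runs; the allowed_hosts line decides who may trigger it.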
2.4.
Nagios.
nagios-plugins-extra nagios-snmp-plugins
.
1
Nagios .
2
- .
3
Nagios .
1. http://www.nagios.org/
2. http://nagios.sourceforge.net/docs/3_0/
3. http://www.nagios.org/propaganda/books/
4. https://help.ubuntu.com/community/Nagios
3. Munin
3.1.
Munin server01 -
apache2.
munin. apache2,
1, HTTPD - Apache2 [213].
server01 munin. :
sudo apt-get install munin
server02 munin-node:
sudo apt-get install munin-node
3.2.
server01 /etc/munin/munin.conf IP-
server02:
## First our "normal" host.
[server02]
address 172.18.100.101
, http://server01/munin,
, muninplugins , , .
,
- .
3.3.
munin-plugins-extra
, DNS, DHCP, Samba ..
:
sudo apt-get install munin-plugins-extra
, ,
.
3.4.
5
Munin .
6
Munin
, ..
Open
7
Source Press: Munin Graphisches Netzwerk- und System-Monitoring .
5. http://munin.projects.linpro.no/
6. http://munin.projects.linpro.no/wiki/Documentation
7. https://www.opensourcepress.de/index.php?26&backPID=178&tt_products=152
8. https://help.ubuntu.com/community/Munin
11. -
- , HTTP , -, HTTP ,
-, HTML
( ..).
1. HTTPD - Apache2
Apache -
Linux. - , .
-
, Firefox, Opera, Chromium Mozilla.
Uniform Resource Locator (URL),
- Fully Qualified Domain Name (FQDN)
. ,
1
- Ubuntu , FQDN:
www.ubuntu.com
2
community , FQDN,
:
www.ubuntu.com/community
- HTTP
(Hyper Text Transfer Protocol). ,
HTTP over Secure Sockets Layer (HTTPS) Transfer Protocol (FTP),
.
- Apache
MySQL, PHP
Python Perl.
LAMP (Linux, Apache, MySQL, Perl/Python/PHP)
-.
1.1.
- Apache2 Ubuntu Linux. Apache2:
:
sudo apt-get install apache2
1. http://www.ubuntu.com
2. http://www.ubuntu.com/community
1.2.
Apache2
.
:
apache2.conf: Apache2.
, Apache2.
conf.d: ,
Apache2 . , Apache2
,
.
envvars: , Apache2.
httpd.conf: Apache2,
httpd. , , ,
.
Apache2.
mods-available:
. ,
.
mods-enabled: /etc/apache2/
mods-available.
,
apache2.
ports.conf: , , TCP
Apache2 .
sites-available:
(Virtual Hosts) Apache2.
Apache2 ,
.
-
, mime- ;
TypesConfig, , /etc/apache2/
mods-available/mime.conf,
, /etc/mime.types .
1.2.1.
3
Apache2. Apache2
.
Apache 2 ,
.
( VirtualHost),
, ,
, .
, ,
, ,
, URL, ,
(..
ServerName).
, /etc/apache2/sites-available/default.
, ,
,
.
,
. ,
.
,
, . :
sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/mynewsite
, ,
, .
ServerAdmin
, .
webmaster@localhost.
3. http://httpd.apache.org/docs/2.2/
-
(
). ,
Apache2 ,
.
, /etc/apache2/
sites-available.
Listen , , IP-,
ServerName ,
FQDN .
ServerName,
,
ServerName .
ubunturocks.com Ubuntu, ServerName
ubunturocks.com.
,
(/etc/apache2/sites-available/mynewsite).
, www.ubunturocks.com,
www. ServerAlias.
ServerAlias .
,
, .ubunturocks.com.
ServerAlias *.ubunturocks.com
DocumentRoot , Apache2 ,
. /var/www,
/etc/apache2/sites-available/default. ,
,
!
VirtualHost, a2ensite,
Apache2:
sudo a2ensite mynewsite
sudo service apache2 restart
mynewsite
VirtualHost. ,
ServerName VirtualHost.
, a2dissite .
.
sudo a2dissite mynewsite
sudo service apache2 restart
1.2.2.
Apache2 .
, , ,
, .
.
DirectoryIndex () ,
,
(/) .
, http://
www.example.com/this_directory/, DirectoryIndex,
, ,
indexes,
(Permission Denied). ,
DirectoryIndex .
, Options
Indexes ,
HTML .
/etc/apache2/mods-available/dir.conf "index.html index.cgi index.pl
index.php index.xhtml index.htm". , Apache2
, ,
.
ErrorDocument Apache2
. ,
, 404. Apache2
HTTP 404. /etc/apache2/conf.d/localized-error-pages ErrorDocument,
.
/var/log/apache2/access.log.
CustomLog
, ,
, /etc/apache2/conf.d/other-vhosts-access-log.
, ,
ErrorLog, /var/log/apache2/
error.log. ,
Apache2.
LogLevel ( "warn")
LogFormat ( /etc/apache2/apache2.conf
).
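Added example, not part of the guide: a shell/awk reading of the combined-format access log described above that finds clients producing many 404 responses, a cheap indicator of path scanning. The log lines are constructed; the threshold and the IP addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide: read the combined-format
# access log the guide mentions (/var/log/apache2/access.log) and list clients
# that generate many 404s. The lines below are constructed; on a server feed
# the real log on stdin instead.

SAMPLE_LOG='10.0.0.5 - - [10/Mar/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2012:10:01:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "curl/7.22"
10.0.0.9 - - [10/Mar/2012:10:01:03 +0000] "GET /pma/ HTTP/1.1" 404 512 "-" "curl/7.22"
10.0.0.9 - - [10/Mar/2012:10:01:04 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "curl/7.22"
10.0.0.5 - - [10/Mar/2012:10:01:05 +0000] "GET /missing.png HTTP/1.1" 404 300 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2012:10:01:06 +0000] "POST /phpinfo.php HTTP/1.1" 404 512 "-" "curl/7.22"'

# Print "count client" for every client with at least $1 responses of status $2,
# most active first. Combined-format field layout: $1 client, $9 status code.
clients_with_status() {
    min=$1; status=$2
    awk -v min="$min" -v status="$status" '
        $9 == status { n[$1]++ }
        END { for (c in n) if (n[c] >= min) printf "%d %s\n", n[c], c }' | sort -rn
}

# Scanning suspects: clients with at least $1 404 responses, one IP per line.
suspects() { clients_with_status "$1" 404 | awk '{print $2}'; }

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | suspects 3
```

The same pipeline works on the per-vhost log from other-vhosts-access-log, because that file uses the same combined format with the vhost name prepended as an extra first field; shift the field numbers by one in that case.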
, .
Options. Directory XML
:
<Directory /var/www/mynewsite>
...
</Directory>
Options Directory
( ),
:
ExecCGI CGI-. CGI-
, .
Includes .
HTML-
4
. Apache SSI ( Ubuntu)
.
IncludesNOEXEC
, #exec #include CGI .
Indexes
,
( index.html).
, ,
DocumentRoot.
4. https://help.ubuntu.com/community/ServerSideIncludes
, ,
,
.
Multiview
;
. Apache2
5
.
SymLinksIfOwnerMatch
, /
.
1.2.3. httpd
httpd
LockFile LockFile lock-
, ,
USE_FCNTL_SERIALIZED_ACCEPT USE_FLOCK_SERIALIZED_ACCEPT.
.
,
NFS.
(root).
PidFile PidFile ,
(process ID pid).
(root).
.
User User
(userid), .
. ,
, .
User: "www-data".
, ,
User root.
(root) -
.
Group Group User. Group
, .
Group: "www-data".
5. http://httpd.apache.org/docs/2.2/mod/mod_negotiation.html#multiviews
1.2.4. Apache2
Apache2 . ,
.
, Apache2. ,
.
,
LoadModule. , Apache2
/ .
Ubuntu Apache2
.
<IfModule>.
Apache2
-. ,
, MySQL
Authentication:
sudo apt-get install libapache2-mod-auth-mysql
/etc/apache2/mods-available.
, a2enmod:
sudo a2enmod auth_mysql
sudo service apache2 restart
, a2dismod :
sudo a2dismod auth_mysql
sudo service apache2 restart
1.3. HTTPS
mod_ssl Apache2
. ,
SSL,
URL https://.
mod_ssl apache2-common.
mod_ssl:
HTTPS /etc/apache2/sites-available/
default-ssl.
Apache2 HTTPS
. HTTPS
, ssl-cert.
,
.
5, [194].
Apache2 HTTPS, :
sudo a2ensite default-ssl
/etc/ssl/certs /etc/ssl/private .
,
, SSLCertificateFile SSLCertificateKeyFile
.
Apache2 HTTPS, ,
:
sudo service apache2 restart
, ,
Apache2.
,
https://your_hostname/url/.
1.4.
, ,
.
/var/www "webmasters".
sudo chgrp -R webmasters /var/www
sudo find /var/www -type d -exec chmod g=rwxs "{}" \;
sudo find /var/www -type f -exec chmod g=rw "{}" \;
(The setgid bit belongs on the directories, where it makes new files inherit the webmasters group; on regular files it has no such effect, so files need only g=rw.)
, (ACL).
1.5.
Apache2 Documentation
Apache2. apache2-doc, Apache2.
6. http://httpd.apache.org/docs/2.2/
7. http://www.modssl.org/docs/
8. http://oreilly.com/catalog/9780596001919/
9. http://freenode.net/
10. https://help.ubuntu.com/community/ApacheMySQLPHP
2. PHP5
PHP , . PHP HTML.
2.1.
PHP5 Ubuntu Linux. python perl,
, PHP .
PHP5,
:
sudo apt-get install php5 libapache2-mod-php5
PHP5 .
, php5-cli.
:
sudo apt-get install php5-cli
PHP5
PHP5 Apache. ,
php5-cgi. :
sudo apt-get install php5-cgi
, MySQL PHP5,
php5-mysql. php5-mysql
:
sudo apt-get install php5-mysql
, PostgreSQL PHP5,
php5-pgsql. php5-pgsql
:
sudo apt-get install php5-pgsql
2.2.
PHP5, PHP5
. php5-cli,
PHP5 .
, - Apache 2
PHP5. , PHP5
, . ,
/etc/apache2/mods-enabled/php5.conf /etc/apache2/mods-enabled/php5.load.
,
a2enmod.
, PHP5
PHP5 Apache2, Web Apache2, PHP5 .
-:
sudo service apache2 restart
2.3.
,
PHP5 phpinfo :
<?php
phpinfo();
?>
phpinfo.php
DocumentRoot - Apache2.
http://hostname/phpinfo.php,
PHP5.
2.4.
11
php.net .
PHP.
12
13
O'Reilly Learning PHP 5 and the PHP Cook Book .
11. http://www.php.net/docs.php
12. http://oreilly.com/catalog/9780596005603/
13. http://oreilly.com/catalog/9781565926813/
, Apache MySQL PHP Ubuntu Wiki
.
14. https://help.ubuntu.com/community/ApacheMySQLPHP
3. - Squid
Squid -,
HTTP, FTP
. Squid SSL
DNS ,
. Squid
, Internet Cache Protocol (ICP), Hyper Text Caching
Protocol (HTCP), Cache Array Routing Protocol (CARP) Web Cache Coordination
Protocol (WCCP).
/ Squid ,
.
,
Simple Network
Management Protocol (SNMP).
Squid ,
, Squid
.
3.1.
Squid:
sudo apt-get install squid
3.2.
Squid
/etc/squid/squid.conf .
,
Squid. Squid
.
- ,
.
/etc/squid/squid.conf
:
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.original
sudo chmod a-w /etc/squid/squid.conf.original
, , Squid,
8888 ( 3128),
http_port :
http_port 8888
visible_hostname
Squid. , Squid
. weezie
visible_hostname weezie
Squid,
- Squid
IP-. ,
192.168.42.0/24:
ACL /etc/squid/
squid.conf:
acl fortytwo_network src 192.168.42.0/24
http_access /
etc/squid/squid.conf:
http_access allow fortytwo_network
Squid,
.
, 9:00 17:00,
, 10.1.42.0/24:
ACL /etc/squid/
squid.conf:
acl biz_network src 10.1.42.0/24
acl biz_hours time M T W H F 9:00-17:00
(Squid's day letters are S M T W H F A: H is Thursday, A is Saturday, and D stands for all weekdays. The form "M T W T F" repeats Tuesday and never matches Thursday.)
http_access /
etc/squid/squid.conf:
http_access allow biz_network biz_hours
/etc/squid/squid.conf,
, , squid
, .
sudo /etc/init.d/squid restart
3.3.
15
- Squid
16
15. http://www.squid-cache.org/
16. https://help.ubuntu.com/community/Squid
4. Ruby on Rails
Ruby on Rails -
- .
,
,
.
4.1.
Rails Apache MySQL.
Apache, , 1, HTTPD -
Apache2 [213]. MySQL,
1, MySQL [237].
Apache MySQL, Ruby on Rails.
Ruby Ruby on Rails,
:
sudo apt-get install rails
4.2.
/etc/apache2/sites-available/default
.
, DocumentRoot:
DocumentRoot /path/to/rails/application/public
, <Directory "/path/to/rails/application/public">:
<Directory "/path/to/rails/application/public">
Options Indexes FollowSymLinks MultiViews ExecCGI
AllowOverride All
Order allow,deny
allow from all
AddHandler cgi-script .cgi
</Directory>
Apache mod_rewrite.
:
sudo a2enmod rewrite
, /path/
to/rails/application/public /path/to/rails/application/tmp ,
Apache:
sudo chown -R www-data:www-data /path/to/rails/application/public
sudo chown -R www-data:www-data /path/to/rails/application/tmp
! Ruby on
Rails.
4.3.
17
- Ruby on Rails .
18
17. http://rubyonrails.org/
18. http://pragprog.com/titles/rails3/agile-web-development-with-rails-third-edition
19. https://help.ubuntu.com/community/RubyOnRails
5. Apache Tomcat
Apache Tomcat -, Java Servlets JSP (Java Server Pages).
Tomcat 6.0 Ubuntu Tomcat.
,
tomcat6.
,
,
.
,
Tomcat.
5.1.
Tomcat
:
sudo apt-get install tomcat6
Tomcat -
ROOT, "It works".
5.2.
Tomcat /etc/tomcat6.
,
20
Tomcat 6.0
5.2.1.
Tomcat 6.0 HTTP 8080
AJP 8009. , ,
,
. /etc/tomcat6/
server.xml:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
20. http://tomcat.apache.org/tomcat-6.0-doc/index.html
...
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
5.2.2. JVM
Tomcat OpenJDK-6, Sun's
JVM, JVM. JVM,
, , JAVA_HOME /etc/default/tomcat6:
JAVA_HOME=/usr/lib/jvm/java-6-sun
5.2.3.
, ()
Servlet. Tomcat 6.0 /etc/tomcat6/tomcat-users.xml:
<role rolename="admin"/>
<user username="tomcat" password="s3cret" roles="admin"/>
5.3. - Tomcat
Tomcat -,
,
.
5.3.1. Tomcat
tomcat6-docs Tomcat 6.0,
-,
http://yourserver:8080/docs. ,
:
sudo apt-get install tomcat6-docs
5.3.2. - Tomcat
tomcat6-admin -,
Tomcat
-. ,
:
sudo apt-get install tomcat6-admin
- manager,
http://yourserver:8080/manager/html.
web-.
manager :
"manager" /etc/tomcat6/tomcat-users.xml , .
- host-manager,
http://yourserver:8080/host-manager/html.
.
host-manager :
"admin" /etc/tomcat6/
tomcat-users.xml , .
tomcat6
/etc/tomcat6.
- ( ,
) .
,
, tomcat6 :
sudo chgrp -R tomcat6 /etc/tomcat6
sudo chmod -R g+w /etc/tomcat6
5.3.3. - Tomcat
tomcat6-examples -,
Servlets
JSP, http://yourserver:8080/examples.
, :
sudo apt-get install tomcat6-examples
5.4.
Tomcat
,
. Tomcat 6.0
Ubuntu ,
, (
) ,
.
,
TCP.
5.4.1.
,
:
sudo apt-get install tomcat6-user
5.4.2.
,
:
tomcat6-instance-create my-instance
my-instance
. , ,
lib/ -
webapps/. - .
5.4.3.
Tomcat ,
conf/. , ,
conf/server.xml ,
Tomcat,
.
5.4.4. /
,
(,
my-instance)
my-instance/bin/startup.sh
logs/ .
java.net.BindException: Address already in
use<null>:8080, , ,
.
,
(, myinstance)
my-instance/bin/shutdown.sh
5.5.
21
Apache Tomcat .
22
Tomcat Books .
24
21. http://tomcat.apache.org/
22. http://oreilly.com/catalog/9780596003180/
23. http://wiki.apache.org/tomcat/Tomcat/Books
24. https://help.ubuntu.com/community/ApacheTomcat5
12.
Ubuntu . :
MySQL
PostgreSQL
().
, :
1. MySQL
MySQL , ,
SQL- .
,
.
1.1.
MySQL :
sudo apt-get install mysql-server
, ,
:
tcp        0      0 localhost:mysql         *:*                     LISTEN      2556/mysqld
,
:
sudo service mysql restart
1.2.
/etc/mysql/my.cnf
, . ,
MySQL ,
bind-address IP- :
bind-address            = 192.168.0.5
192.168.0.5 .
/etc/mysql/my.cnf MySQL :
sudo service mysql restart
root MySQL,
:
sudo dpkg-reconfigure mysql-server-5.5
MySQL .
1.3.
MySQL,
Ubuntu,
, ,
.
MySQL , -.
( engines)
, . ,
: InnoDB MyISAM.
() . MySQL
- , ,
,
.
.
,
,
.
MyISAM . InnoDB
,
. -
MyISAM ( ,
InnoDB). MyISAM
FULLTEXT,
. MyISAM
. ,
. ,
, (
scales), .
,
.
1
MyISAM on a production database .
InnoDB , ACID
2
compliant ,
.
.
.
,
. ACID
.
.
1.4.
1.4.1. my.cnf
,
MySQL,
.
3
Percona's my.cnf generating tool .
my.cnf,
.
my.cnf ,
.
, ,
, MySQL.
1
http://www.mysqlperformanceblog.com/2006/06/17/using-myisam-in-production/
http://en.wikipedia.org/wiki/ACID
3
http://tools.percona.com/members/wizard
2
,
mysqldump :
mysqldump --all-databases --all-routines -u root -p > ~/fulldump.sql
root
. ,
.
, .
.
, MySQL:
sudo service mysql stop
my.cnf :
sudo cp /etc/mysql/my.cnf /etc/mysql/my.cnf.backup
sudo cp /path/to/new/my.cnf /etc/mysql/my.cnf
,
MySQL:
sudo rm -rf /var/lib/mysql/*
sudo mysql_install_db
sudo chown -R mysql: /var/lib/mysql
sudo service mysql start
, .
, ,
'Pipe Viewer' (pv). ,
pv , ,
pv cat .
ETA ( ), pv,
,
mysqldumps:
sudo apt-get install pv
pv ~/fulldump.sql | mysql
, !
my.cnf.
,
, .
.
1.4.2. MySQL Tuner
MySQL Tuner ,
MySQL ,
. ,
mysqltuner.
24 , .
mysqltuner Ubuntu:
sudo apt-get install mysqltuner
:
mysqltuner
.
,
,
my.cnf.
. MySQL (
) , " ".
, ,
:
-------- Recommendations -----------------------------------------------------
General recommendations:
    Run OPTIMIZE TABLE to defragment tables for better performance
    Increase table_cache gradually to avoid file descriptor limits
Variables to adjust:
    key_buffer_size (> 1.4G)
    query_cache_size (> 32M)
    table_cache (> 64)
    innodb_buffer_pool_size (>= 22G)
:
,
.
, Wordpress,
Drupal, Joomla .
, ,
..
.
,
, ,
.
1.5.
4. http://www.mysql.com/
5. http://dev.mysql.com/doc/
6. http://www.informit.com/store/product.aspx?isbn=0768664128
7. https://help.ubuntu.com/community/ApacheMySQLPHP
2. PostgreSQL
PostgreSQL - ,
,
DBMS . (DBMS DataBase Management System
. ).
2.1.
, PostgreSQL,
:
sudo apt-get install postgresql
PostgreSQL
.
2.2.
TCP/IP . PostgreSQL
.
IDENT postgres
, - . the PostgreSQL
Administrator's Guide, -
8
Kerberos. .
,
TCP/IP
MD5. PostgreSQL /etc/postgresql/
<version>/main. , PostgreSQL 8.4,
/etc/postgresql/8.4/main.
ident /
etc/postgresql/8.4/main/pg_ident.conf.
.
TCP/IP, /etc/
postgresql/8.4/main/postgresql.conf.
#listen_addresses = 'localhost' :
listen_addresses = 'localhost'
8. http://www.postgresql.org/docs/8.4/static/admin.html
PostgreSQL , 'localhost' IP-
, , 0.0.0.0,
.
,
!
PostgreSQL.
, PostgreSQL,
postgres.
PostgreSQL:
sudo -u postgres psql template1
PostgreSQL template1
postgres. PostgreSQL,
SQL .
SQL psql postgres.
ALTER USER postgres with encrypted password 'your_password';
, /etc/postgresql/8.4/main/pg_hba.conf
MD5 postgres:
local   all   postgres   md5
PostgreSQL
.
PostgreSQL:
sudo /etc/init.d/postgresql-8.4 restart
.
9
the PostgreSQL Administrator's Guide
.
2.3.
10
, Administrator's Guide .
postgresql-doc-8.4.
:
9. http://www.postgresql.org/docs/8.4/static/admin.html
10. http://www.postgresql.org/docs/8.4/static/admin.html
, file:///usr/share/doc/postgresqldoc-8.4/html/index.html .
SQL Using SQL Special Edition Rafe
Colburn.
PostgreSQL Ubuntu Wiki
.
11. http://www.informit.com/store/product.aspx?isbn=0768664128
12. https://help.ubuntu.com/community/PostgreSQL
13. LAMP
LAMP
1.
LAMP (Linux + Apache + MySQL + PHP/Perl/Python)
Ubuntu.
,
LAMP. LAMP wiki, (CMS)
, phpMyAdmin.
LAMP
, - .
MySQL PostgreSQL SQLite. Python, Perl Ruby
PHP. Nginx, Cherokee Lighttpd Apache.
LAMP
tasksel. Tasksel Debian/Ubuntu,
"".
LAMP :
:
sudo tasksel install lamp-server
LAMP
:
, .
, -.
, , -
.
.
(script)
, .
, , ,
.
,
.
.
,
.
, LAMP Ubuntu
, (-LAMP) .
.
, LAMP.
2. Moin Moin
MoinMoin Wiki- Python,
Wiki PikiPiki GNU GPL.
2.1.
MoinMoin
:
- apache2. ,
1.1, [213] 1,
HTTPD - Apache2 [213].
2.2.
Wiki
. , Wiki mywiki:
cd /usr/share/moin
sudo mkdir mywiki
sudo cp -R data mywiki
sudo cp -R underlay mywiki
sudo cp server/moin.cgi mywiki
sudo chown -R www-data:www-data mywiki
sudo chmod -R ug+rwX mywiki
sudo chmod -R o-rwx mywiki
MoinMoin
Wiki mywiki. MoinMoin /etc/moin/mywiki.py
:
data_dir = '/org/mywiki/data'
data_dir = '/usr/share/moin/mywiki/data'
data_dir data_underlay_dir:
data_underlay_dir='/usr/share/moin/mywiki/underlay'
/etc/moin/mywiki.py ,
/usr/share/moin/config/wikifarm/mywiki.py /etc/moin/mywiki.py
, .
Wiki my_wiki_name,
("my_wiki_name", r".*") /etc/moin/farmconfig.py
("mywiki", r".*").
, MoinMoin mywiki,
apache2 Wiki-.
/etc/apache2/sites-available/default
<VirtualHost *>:
### moin
ScriptAlias /mywiki "/usr/share/moin/mywiki/moin.cgi"
alias /moin_static193 "/usr/share/moin/htdocs"
<Directory /usr/share/moin/htdocs>
Order allow,deny
allow from all
</Directory>
### end moin
, - apache2
Wiki, .
, - apache2:
sudo service apache2 restart
2.3.
Wiki , ,
URL:
http://localhost/mywiki
1
- MoinMoin .
2.4.
2
moinmoin Wiki .
3
1. http://moinmo.in/
2. http://moinmo.in/
3. https://help.ubuntu.com/community/MoinMoin
3. MediaWiki
MediaWiki - Wiki-,
PHP.
MySQL PostgreSQL.
3.1.
MediaWiki Apache2,
PHP5 . MySQL
PostgreSQL. , . ,
.
MediaWiki
:
sudo apt-get install mediawiki php5-gd
MediaWiki mediawikiextensions.
3.2.
Apache mediawiki.conf MediaWiki
/etc/apache2/conf.d/.
MediaWiki.
# Alias /mediawiki /var/lib/mediawiki
, ,
Apache MediaWiki
URL:
http://localhost/mediawiki/config/index.php
, ...
. ,
.
LocalSettings.php
/etc/mediawiki:
sudo mv /var/lib/mediawiki/config/LocalSettings.php /etc/mediawiki/
/etc/mediawiki/LocalSettings.php,
( ):
ini_set( 'memory_limit', '64M' );
3.3.
MediaWiki. wiki
MediaWiki .
MediaWiki
Subversion. /var/
lib/mediawiki/extensions.
: /etc/mediawiki/LocalSettings.php.
require_once "$IP/extensions/ExtensionName/ExtensionName.php";
3.4.
4
MediaWiki .
4. http://www.mediawiki.org
5. http://www.packtpub.com/Mediawiki/book
6. https://help.ubuntu.com/community/MediaWiki
4. phpMyAdmin
phpMyAdmin LAMP,
MySQL. PHP
-, phpMyAdmin
.
4.1.
phpMyAdmin
MySQL , phpMyAdmin,
, .
1, MySQL [237]. :
sudo apt-get install phpmyadmin
, - phpMyAdmin.
-
Apache2.
http://servername/phpmyadmin,
servername .
root ,
MySQL, ,
MySQL.
,
root, , /
, .
4.2.
phpMyAdmin /etc/phpmyadmin.
/etc/phpmyadmin/config.inc.php.
,
phpMyAdmin.
phpMyAdmin
MySQL, , /etc/
phpmyadmin/config.inc.php:
$cfg['Servers'][$i]['host'] = 'db_server';
db_server IP-
. , phpMyAdmin
.
phpMyAdmin ,
.
config.header.inc.php config.footer.inc.php
HTML- phpMyAdmin.
/etc/phpmyadmin/
apache.conf, /etc/apache2/conf.d/
phpmyadmin.conf Apache2
phpMyAdmin. PHP,
.
Apache2 1, HTTPD -
Apache2 [213].
4.3.
phpMyAdmin
phpMyAdmin Documentation ( )
phpMyAdmin.
7
phpMyAdmin .
8
Mastering phpMyAdmin .
7. http://www.phpmyadmin.net/home_page/docs.php
8. http://www.packtpub.com/phpmyadmin-3rd-edition/book
9. https://help.ubuntu.com/community/phpMyAdmin
14. -
, -
.
FTP, NFS CUPS.
1. FTP-
(FTP) TCP
.
, ,
,
. ,
,
OpenSSH 6, [93].
FTP /.
FTP. FTP-
.
. ,
FTP.
FTP- :
FTP,
anonymous ftp
.
.
.
, SFTP
OpenSSH . FTP
, .
, FTP FTP ,
FTP.
.
1.2. FTP
vsftpd .
, /etc/vsftpd.conf
:
anonymous_enable=Yes
ftp /
srv/ftp. FTP.
, , /srv/files/
ftp,
ftp:
sudo mkdir /srv/files/ftp
sudo usermod -d /srv/files/ftp ftp
vsftpd:
sudo restart vsftpd
,
FTP, /srv/files/ftp, /srv/ftp,
.
1.3. FTP
vsftpd
.
, /etc/
vsftpd.conf:
write_enable=YES
vsftpd:
sudo restart vsftpd
FTP
, ,
..
,
FTP-.
vsftpd:
anon_upload_enable=YES
.
.
.
.
man 5 vsftpd.conf .
1.4. FTP
/etc/vsftpd.conf , vsftpd
. ,
, :
chroot_local_user=YES
,
:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
, /etc/vsftpd.chroot_list,
.
vsftpd:
sudo restart vsftpd
, /etc/ftpusers ,
FTP. root, daemon, nobody
.. FTP ,
.
FTP FTPS.
SFTP, FTPS FTP SSL. SFTP , FTP,
SSH . ,
SFTP
shell nologin.
, - .
SFTP
. OpenSSH
.
FTPS, /etc/vsftpd.conf :
ssl_enable=Yes
:
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
,
ssl-cert.
, .
5,
[194].
vsftpd
FTPS:
sudo restart vsftpd
/usr/sbin/nologin
FTP, shell , /etc/shells,
nologin:
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen
/usr/sbin/nologin
, vsftpd
PAM, /etc/pam.d/vsftpd :
auth
required
pam_shells.so
PAM shells ,
/etc/shells.
FTP
FTPS. FTP- lftp
FTPS.
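Added example, not from the guide: a POSIX shell audit of the vsftpd.conf settings this section covers, run against a constructed configuration so it works offline. It reports anonymous uploads, local users that are not chrooted, FTPS switched off and the ssl-cert snakeoil certificate still in use, and it produces the corrected file beside the weak one. The certificate paths named ftp.example.com are assumptions.

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide: audit the vsftpd.conf
# settings discussed in this section. The configuration below is constructed;
# pass the path of a real /etc/vsftpd.conf to check a server.

SAMPLE_CONF='# constructed vsftpd.conf for the example
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
chroot_local_user=NO
ssl_enable=NO
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key'

# Value of key $2 in vsftpd.conf $1 (last occurrence wins, comments ignored), or "".
conf_get() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key { v = $2 }
        END { print v }' "$1"
}

# 0 if key $2 in file $1 is set to YES (vsftpd accepts any letter case).
conf_yes() { [ "$(conf_get "$1" "$2" | tr 'a-z' 'A-Z')" = YES ]; }

# Print one finding per line; return 1 if anything was found, 0 if clean.
audit_vsftpd() {
    f=$1; found=0
    if conf_yes "$f" anonymous_enable && conf_yes "$f" write_enable && conf_yes "$f" anon_upload_enable; then
        echo "anonymous upload is enabled: anyone on the network can store files"; found=1
    fi
    if conf_yes "$f" local_enable && ! conf_yes "$f" chroot_local_user; then
        echo "local users are not chrooted: logins can browse the whole filesystem"; found=1
    fi
    if ! conf_yes "$f" ssl_enable; then
        echo "ssl_enable is not YES: passwords and data cross the network in clear text"; found=1
    else
        case $(conf_get "$f" rsa_cert_file) in
            *snakeoil*) echo "FTPS uses the ssl-cert snakeoil certificate; install a real one"; found=1;;
        esac
    fi
    return $found
}

# Corrected counterpart: the same file with this section's fixes applied.
# (The ftp.example.com certificate paths are placeholders for a real certificate.)
hardened_copy() {
    sed -e 's/^anon_upload_enable=.*/anon_upload_enable=NO/' \
        -e 's/^chroot_local_user=.*/chroot_local_user=YES/' \
        -e 's/^ssl_enable=.*/ssl_enable=YES/' \
        -e 's#^rsa_cert_file=.*#rsa_cert_file=/etc/ssl/certs/ftp.example.com.crt#' \
        -e 's#^rsa_private_key_file=.*#rsa_private_key_file=/etc/ssl/private/ftp.example.com.key#' "$1"
}
```

With chroot_local_user=YES, remember that vsftpd refuses to chroot a user into a writable home directory; either keep the home read-only and give the user a writable subdirectory, or set allow_writeable_chroot=YES on versions that support it.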
1.5.
1
vsftpd website .
/etc/vsftpd.conf man-
2
vsftpd.conf .
1. http://vsftpd.beasts.org/vsftpd_conf.html
2. http://manpages.ubuntu.com/manpages/precise/en/man5/vsftpd.conf.5.html
2. (NFS)
NFS
. NFS,
,
.
, NFS:
,
.
, .
NFS
.
, -,
- USB-,
.
.
2.1.
NFS :
sudo apt-get install nfs-kernel-server
2.2.
, /etc/
exports. :
/ubuntu *(ro,sync,no_root_squash)
/home *(rw,sync,no_root_squash)
* .
, ,
NFS.
Note: "*" exports to every host that can reach the server, and no_root_squash lets root on any such client act as root on the exported tree. For a writable export such as /home, restrict the client list (for example 192.168.0.0/24) and keep the default root_squash unless a client genuinely needs root access.
NFS :
sudo /etc/init.d/nfs-kernel-server start
2.3. NFS
mount NFS,
. ,
.
sudo mount example.hostname.com:/ubuntu /local/ubuntu
/local/ubuntu . /
local/ubuntu .
NFS,
, /
etc/fstab. NFS-,
, ,
,
NFS.
/etc/fstab :
example.hostname.com:/ubuntu /local/ubuntu nfs rsize=8192,wsize=8192,timeo=14,intr
NFS-, ,
nfs-common .
nfs-common :
sudo apt-get install nfs-common
2.4.
NFS FAQ
3. http://nfs.sourceforge.net/
4. https://help.ubuntu.com/community/NFSv4Howto
3. iSCSI-
iSCSI (Internet Small Computer System Interface) ,
SCSI . iSCSI
(Storage Area Network SAN),
.
iSCSI , iSCSI .
Ubuntu
iSCSI, ().
iSCSI.
, iSCSI-
.
iSCSI- ,
iSCSI-.
3.1. iSCSI
Ubuntu iSCSI
open-iscsi. :
sudo apt-get install open-iscsi
3.2. iSCSI
open-iscsi , /etc/iscsi/
iscsid.conf, :
node.startup = automatic
, ,
iscsiadm. :
sudo iscsiadm -m discovery -t st -p 192.168.0.10
-m: , iscsiadm.
-t: .
-p: , IP- .
192.168.0.10 IP- .
, , :
192.168.0.10:3260,1 iqn.1992-05.com.emc:sl7b92030000520000-2
iqn IP- ,
.
iSCSI ,
, , ,
. iSCSI:
sudo iscsiadm -m node --login
, dmesg:
dmesg | grep sd
[    4.322797] sd 2:0:0:0: [sda] 41943040 512-byte logical blocks: (21.4 GB/20.0 GiB)
[    4.322843] sd 2:0:0:0: [sda] Write Protect is off
...
[    4.325735] sd 2:0:0:0: [sda] Attached SCSI disk
[ 2486.941805] sd 4:0:0:3: Attached scsi generic sg3 type 0
[ 2486.952093] sd 4:0:0:3: [sdb] 1126400000 512-byte logical blocks: (576 GB/537 GiB)
[ 2486.954195] sd 4:0:0:3: [sdb] Write Protect is off
[ 2486.954200] sd 4:0:0:3: [sdb] Mode Sense: 8f 00 00 08
[ 2486.954692] sd 4:0:0:3: [sdb] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
[ 2486.960577]  sdb: sdb1
sdb iSCSI . ,
; .
,
iSCSI . :
sudo fdisk /dev/sdb
n
p
enter
w
, , fdisk;
man fdisk .
cfdisk .
, , /srv:
sudo mkfs.ext4 /dev/sdb1
sudo mount /dev/sdb1 /srv
/etc/fstab iSCSI
:
/dev/sdb1   /srv   ext4   defaults,auto,_netdev   0 0
, ,
.
3.3.
5
Open-iSCSI
Debian Open-iSCSI
5. http://www.open-iscsi.org/
6. http://wiki.debian.org/SAN/iSCSI/open-iscsi
4. CUPS
Ubuntu Common UNIX Printing
System (CUPS). ,
,
Linux.
CUPS ,
, ,
(Internet Printing Protocol, IPP).
, . CUPS
PostScript (PostScript Printer
Description, PPD) - ,
- .
4.1.
, CUPS , sudo
apt-get
. CUPS ,
.
CUPS :
sudo apt-get install cups
,
. CUPS
.
,
CUPS : /var/log/cups/error_log.
-
, CUPS
LogLevel ( ) debug
debug2 info,
. ,
,
.
4.2.
CUPS ,
/etc/cups/cupsd.conf. CUPS
, HTTP Apache,
, Apache,
CUPS.
, , ,
, .
,
,
.
/etc/cups/cupsd.conf
,
:
sudo cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.original
sudo chmod a-w /etc/cups/cupsd.conf.original
ServerAdmin:
CUPS,
/etc/cups/cupsd.conf
ServerAdmin .
, CUPS
'bjoy@somebigco.com', ServerAdmin
:
ServerAdmin bjoy@somebigco.com
loopback- (127.0.0.1), , cupsd
Ethernet-
. ,
loopback, ,
Listen socrates :
Listen socrates:631
Listen Port,
Port 631
CUPS,
, :
man cupsd.conf
/etc/cups/cupsd.conf,
CUPS ,
:
sudo /etc/init.d/cups restart
4.3. -
CUPS , http://
localhost:631/admin. -
.
-,
root ,
lpadmin.
CUPS .
lpadmin,
:
sudo usermod -aG lpadmin username
Documentation/Help
-.
4.4.
7
CUPS
Debian Open-iSCSI
http://wiki.debian.org/SAN/iSCSI/open-iscsi
7. http://www.cups.org/
15.
. ,
.
(Mail User Agent, MUA) ,
(Mail Transfer Agents, MTA),
(Mail Delivery Agent, MDA)
,
, POP3 IMAP.
1. Postfix
Ubuntu (Mail Transfer Agent (MTA))
Postfix. , .
MTA sendmail. ,
postfix. , SMTP-
( ).
postfix.
1.7.3,
[277].
1.1.
postfix, :
sudo apt-get install postfix
, ,
.
1.2.
postfix, :
sudo dpkg-reconfigure postfix
.
:
mail.example.com
steve
mail.example.com ,
email, 192.168.0.0/24
steve .
,
. , Postfix mbox,
.
, postconf
postfix.
/etc/postfix/main.cf. ,
, ,
.
Maildir:
sudo postconf -e 'home_mailbox = Maildir/'
/home/username/Maildir,
(MDA)
.
1.3. SMTP
SMTP-AUTH
(SASL). (TLS)
.
SMTP .
1.
smtpd_sasl_path ,
Postfix.
2.
TLS.
5, [194].
(CA).
CA 5.5,
[197].
(MUA),
TLS,
, TLS.
, ,
. TLS
MTA ( )
.
, ,
.
5.3,
[197].
3.
, Postfix
TLS- ,
:
sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/server.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/server.crt'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'myhostname = mail.example.com'
4.
,
:
sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
, 5,
[194].
Postfix SMTP-AUTH
TLS .
1
, /etc/postfix/main.cf .
postfix .
postfix:
sudo /etc/init.d/postfix restart
1.4. SASL
Postfix SASL: Cyrus SASL Dovecot SASL.
Dovecot SASL, dovecotcommon. :
sudo apt-get install dovecot-common
/etc/dovecot/dovecot.conf.
auth default socket listen
:
socket listen {
#master {
# Master socket provides access to userdb information. It's typically
# used to give Dovecot's local delivery agent access to userdb so it
# can find mailbox locations.
#path = /var/run/dovecot/auth-master
#mode = 0600
# Default user/group is the one who started dovecot-auth (root)
#user =
#group =
#}
client {
# The client socket is generally safe to export to everyone. Typical use
# is to export it to your SMTP server so it can do SMTP AUTH lookups
# using it.
path = /var/spool/postfix/private/auth-client
mode = 0660
user = postfix
group = postfix
}
}
, Dovecot , :
http://www.ietf.org/rfc/rfc2554.txt
http://www.ietf.org/rfc/rfc2222.txt
sudo /etc/init.d/dovecot restart
1.5.
Postfix SMTP-AUTH
mail-stack-delivery ( dovecot-postfix).
Dovecot Postfix
SASL (MDA).
Dovecot IMAP, IMAPS, POP3 POP3S.
IMAP, IMAPS,
POP3, POP3S . ,
,
..
Postfix
SMTP_AUTH.
, :
sudo apt-get install mail-stack-delivery
, ,
, , . ,
ssl-cert , ,
, .
5, [194]
.
, ,
/etc/postfix/main.cf:
smtpd_tls_cert_file = /etc/ssl/certs/ssl-mail.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-mail.key
Postfix:
sudo /etc/init.d/postfix restart
1.6.
SMTP-AUTH .
.
, SMTP-AUTH TLS ,
:
telnet mail.example.com 25
postfix :
ehlo mail.example.com
,
. quit .
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
1.7.
.
1.7.1. chroot
postfix Ubuntu chroot
.
.
chroot,
/etc/postfix/master.cf:
smtp inet n - - - - smtpd
:
smtp inet n - n - - smtpd
Postfix
. :
sudo /etc/init.d/postfix restart
1.7.2.
Postfix /var/log/mail.log.
, /var/log/mail.err
/var/log/mail.warn, .
tail -f:
tail -f /var/log/mail.err
, , .
, .
TLS ,
smtpd_tls_loglevel 1 4.
sudo postconf -e 'smtpd_tls_loglevel = 4'
, debug_peer_list.
sudo postconf -e 'debug_peer_list = problem.domain'
Postfix
/etc/postfix/master.cf, -v
. smtp:
smtp      unix  -       -       -       -       -       smtp -v
,
, Postfix
: sudo /etc/init.d/postfix reload
SASL, /etc/dovecot/dovecot.conf
auth_debug=yes
auth_debug_passwords=yes
Postfix, Dovecot,
: sudo /etc/init.d/dovecot reload.
, .
.
,
.
1.7.3.
Postfix .
- Ubuntu
.
, Postfix
Ubuntu Server community IRC- #ubuntu-server
freenode . - .
Postfix Ubuntu
The Book of Postfix .
, - Postfix
.
http://freenode.net
http://www.ubuntu.com/support/community/webforums
http://www.postfix-book.com/
http://www.postfix.org/documentation.html
https://help.ubuntu.com/community/Postfix
2. Exim4
Exim4 (MTA),
Unix,
. Exim sendmail,
exim sendmail.
2.1.
exim4, :
sudo apt-get install exim4
2.2.
Exim4 :
sudo dpkg-reconfigure exim4-config
.
. , Exim4
.
,
.
,
/etc/exim4/update-exim4.conf.
- , ,
.
:
sudo update-exim4.conf
/var/lib/exim4/
config.autogenerated.
, ,
/var/lib/exim4/config.autogenerated.
,
update-exim4.conf
Exim4.
2.3. SMTP
, Exim4 SMTPAUTH TLS SASL.
TLS.
:
sudo /usr/share/doc/exim4-base/examples/exim-gencert
Exim4 saslauthd
. /etc/exim4/
conf.d/auth/30_exim4-config_examples
plain_saslauthd_server login_saslauthd_server:
plain_saslauthd_server:
driver = plaintext
public_name = PLAIN
server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
#
login_saslauthd_server:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
# don't send system passwords over unencrypted connections
server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
server_set_id = $auth1
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
,
exim,
exim, :
sudo /usr/share/doc/exim4/examples/exim-adduser
:
sudo chown root:Debian-exim /etc/exim4/passwd
sudo chmod 640 /etc/exim4/passwd
Exim4 :
sudo update-exim4.conf
sudo /etc/init.d/exim4 restart
2.4. SASL
saslauthd,
Exim4.
sasl2-bin. :
sudo apt-get install sasl2-bin
saslauthd, /etc/default/
saslauthd START=no :
START=yes
Debian-exim sasl,
Exim4 saslauthd:
sudo adduser Debian-exim sasl
saslauthd:
sudo /etc/init.d/saslauthd start
2.5.
exim.org .
Exim4 Book .
http://www.exim.org/
http://www.uit.co.uk/content/exim-smtp-mail-server
Exim4 Ubuntu Wiki
https://help.ubuntu.com/community/Exim4
3. Dovecot Server
Dovecot ,
. : mbox
Maildir. ,
imap pop3.
3.1.
dovecot :
sudo apt-get install dovecot-imapd dovecot-pop3d
3.2.
dovecot, /etc/
dovecot/dovecot.conf. , .
pop3, pop3s ( pop3), imap imaps (
imap). ,
.
POP3 IMAP .
IMAPS POP3S , IMAP POP3,
SSL- .
, /etc/dovecot/dovecot.conf:
protocols = pop3 pop3s imap imaps
,
. Dovecot maildir mbox.
, Dovecot .
, /etc/dovecot/dovecot.conf (/
etc/dovecot/conf.d/10-mail.conf) :
mail_location = maildir:~/Maildir # (for maildir)
or
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%u # (for mbox)
(MTA, Mail
Transport Agent)
, , .
http://en.wikipedia.org/wiki/POP3
http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol
http://wiki.dovecot.org/MailboxFormat
dovecot, dovecot,
:
sudo /etc/init.d/dovecot restart
imap pop3,
telnet localhost pop3 telnet localhost imap2.
-, ,
:
bhuvan@rainbow:~$ telnet localhost pop3
127.0.0.1...
localhost.localdomain.
'^]'.
+OK Dovecot .
SSL
.
, SMTP-
. 5,
[194], .
, .
, /etc/
dovecot/dovecot.conf.
3.4.
.
IMAP - 143
IMAPS - 993
POP3 - 110
POP3S - 995
3.5.
Dovecot website
.
http://www.dovecot.org/
https://help.ubuntu.com/community/Dovecot
4. Mailman
Mailman
, ,
.
( Ubuntu mailing lists ) Mailman
. ,
.
4.1.
Mailman -
,
.
:
Postfix
Exim
Sendmail
Qmail
, Mailman -
Apache, Postfix Exim.
Mailman , ,
, .
Postfix
Ubuntu .
4.1.1. Apache2
apache2,
1.1, [213].
4.1.2. Postfix
Postfix 1,
Postfix [271]
4.1.3. Exim4
Exim4 2, Exim4 [279].
exim4 ,
/etc/exim4. In Ubuntu exim4
http://lists.ubuntu.com
. ,
/etc/exim4/update-exim4.conf:
dc_use_split_config='true'
4.1.4. Mailman
Mailman, :
sudo apt-get install mailman
/var/lib/mailman.
CGI- /usr/lib/cgi-bin/mailman,
Linux list list. mailman
.
4.2.
, mailman,
apache2, postfix exim4. .
4.2.1. Apache2
Apache Mailman
/etc/mailman/apache.conf. Apache ,
/etc/apache2/sites-available:
sudo cp /etc/mailman/apache.conf /etc/apache2/sites-available/mailman.conf
VirtualHost Apache
Mailman. Apache:
sudo a2ensite mailman.conf
sudo service apache2 restart
postconf
/etc/postfix/main.cf:
sudo postconf -e 'relay_domains = lists.example.com'
sudo postconf -e 'transport_maps = hash:/etc/postfix/transport'
sudo postconf -e 'mailman_destination_recipient_limit = 1'
/etc/postfix/master.cf ,
:
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
postfix-to-mailman.py,
.
lists.example.com Mailman
. /etc/postfix/transport:
lists.example.com      mailman:
Postfix ,
:
sudo postmap -v /etc/postfix/transport
Postfix, :
sudo /etc/init.d/postfix restart
4.2.3. Exim4
Exim4 , Exim,
:
sudo /etc/init.d/exim4 start
http://www.exim.org
Exim ,
.
.
4.2.4.
/etc/exim4/
conf.d/main/. 04_exim4-config_mailman
:
# start
# Home dir for your Mailman installation -- aka Mailman's prefix
# directory.
# On Ubuntu this should be "/var/lib/mailman"
# This is normally the same as ~mailman
MM_HOME=/var/lib/mailman
#
# User and group for Mailman, should match your --with-mail-gid
# switch to Mailman's configure script. Value is normally "mailman"
MM_UID=list
MM_GID=list
#
# Domains that your lists are in - colon separated list
# you may wish to add these into local_domains as well
domainlist mm_domains=hostname.com
#
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
#
# These values are derived from the ones above and should not need
# editing unless you have munged your mailman installation
#
# The path of the Mailman mail wrapper script
MM_WRAP=MM_HOME/mail/mailman
#
# The path of the list config file (used as a required file when
# verifying list addresses)
MM_LISTCHK=MM_HOME/lists/${lc::$local_part}/config.pck
# end
4.2.5.
, ,
/etc/exim4/conf.d/transport/.
40_exim4-config_mailman :
mailman_transport:
driver = pipe
command = MM_WRAP \
'${if def:local_part_suffix \
{${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
{post}}' \
$local_part
current_directory = MM_HOME
home_directory = MM_HOME
user = MM_UID
group = MM_GID
4.2.6.
, ,
/etc/exim4/conf.d/router/. 101_exim4config_mailman :
mailman_router:
driver = accept
require_files = MM_HOME/lists/$local_part/config.pck
local_part_suffix_optional
local_part_suffix = -bounces : -bounces+* : \
-confirm+* : -join : -leave : \
-owner : -request : -admin
transport = mailman_transport
.
, .
200_exim4config_primary.
. .
,
.
4.2.7. Mailman
mailman,
:
sudo /etc/init.d/mailman start
mailman ,
. ,
:
sudo /usr/sbin/newlist mailman
Enter the email address of the person running the list: bhuvan at ubuntu.com
Initial mailman password:
To finish creating your mailing list, you must edit your /etc/aliases (or
equivalent) file by adding the following lines, and possibly running the
`newaliases' program:
mailman: "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin: "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces: "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm: "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join: "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave: "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner: "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request: "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe: "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe: "|/var/lib/mailman/mail/mailman unsubscribe mailman"
Hit enter to notify mailman owner...
#
Postfix, Exim4
mailman.
/etc/aliases. -
,
.
Exim4 (aliases)
Mailman,
discover.
, MTA=None
/etc/mailman/mm_cfg.py.
4.3.
, . CGI mailman' /usr/lib/cgi-bin/mailman/.
Mailman .
:
http://hostname/cgi-bin/mailman/admin
, mailman.
,
. ,
.
(/usr/sbin/newlist).
-.
4.4.
Mailman -.
, URL:
http://hostname/cgi-bin/mailman/listinfo
"mailman". ,
. d
, ( ) . d
. ,
, .
4.5.
GNU Mailman
http://www.list.org/mailman-install/index.html
http://www.exim.org/howto/mailman21.html
https://help.ubuntu.com/community/Mailman
5.
(Unsolicited Bulk Email UBE).
, ,
. ,
.
Amavisd-new, Spamassassin
ClamAV (MTA) Postfix. Postfix Postfix
. ,
. opendkim
python-policyd-spf.
Amavisd-new -,
,
..
Spamassassin
.
ClamAV .
opendkim Sendmail DKIM
(, ).
python-policyd-spf SPF (
) Postfix.
, :
Postfix.
,
opendkim python-policyd-spf.
Amavisd-new.
ClamAV .
, Postfix .
Spamassassin
. Spamassassin X-Header,
Amavisd-new .
, ,
,
.
(MUA)
.
5.1.
1, Postfix [271] Postfix.
, :
sudo apt-get install amavisd-new spamassassin clamav-daemon
sudo apt-get install opendkim postfix-policyd-spf-python
, Spamassassin
:
sudo apt-get install pyzor razor
:
sudo apt-get install arj cabextract cpio lha nomarch pax rar unrar unzip zip
- , ,
multiverse /etc/apt/sources.list
, ,
sudo apt-get update .
5.2.
, .
5.2.1. ClamAV
ClamAV .
/
etc/clamav.
clamav amavis, Amavisd-new
:
sudo adduser clamav amavis
sudo adduser amavis clamav
5.2.2. Spamassassin
Spamassassin
, . ,
pyzor razor.
/etc/default/spamassassin
Spamassassin. ENABLED=0 :
ENABLED=1
:
sudo /etc/init.d/spamassassin start
5.2.3. Amavisd-new
Amavisd-new,
/etc/amavis/conf.d/15-content_filter_mode:
use strict;
# You can modify this file to re-enable SPAM checking through spamassassin
# and to re-enable antivirus checking.
#
# Default antivirus checking mode
# Uncomment the two lines below to enable it
#
@bypass_virus_checks_maps = (
\%bypass_virus_checks, \@bypass_virus_checks_acl, \$bypass_virus_checks_re);
#
# Default SPAM checking mode
# Uncomment the two lines below to enable it
#
@bypass_spam_checks_maps = (
\%bypass_spam_checks, \@bypass_spam_checks_acl, \$bypass_spam_checks_re);
1;
,
. , /etc/amavis/
conf.d/20-debian_defaults $final_spam_destiny D_DISCARD
D_BOUNCE, :
$final_spam_destiny = D_DISCARD;
:
$sa_tag_level_deflt = -999; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 6.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 21.0; # triggers spam evasive actions
$sa_dsn_cutoff_level = 4; # spam level beyond which a DSN is not sent
(hostname) MX- ,
$myhostname.
, ,
@local_domains_acl . /etc/amavis/
conf.d/50-user:
$myhostname = 'mail.example.com';
@local_domains_acl = ( "example.com", "example.org" );
,
/etc/amavis/conf.d/50-user
@local_domains_acl = qw(.);
Amavisd-new :
sudo /etc/init.d/amavis restart
5.2.3.1. DKIM
Amavisd-new
Whitelist .
/etc/amavis/conf.d/40policy_banks.
:
'example.com' => 'WHITELIST',:
"example.com".
'.example.com' => 'WHITELIST',:
"example.com",
.
'.example.com/@example.com' => 'WHITELIST',:
"example.com",
example.com.
'./@example.com' => 'WHITELIST',: ,
"example.com".
, .
.
amavisd-new:
sudo /etc/init.d/amavis restart
, ,
- .
,
.
5.2.4. Postfix
Postfix, :
sudo postconf -e 'content_filter = smtp-amavis:[127.0.0.1]:10024'
/etc/postfix/master.cf,
:
smtp-amavis     unix    -       -       -       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
        -o content_filter=
        -o local_recipient_maps=
        -o relay_recipient_maps=
        -o smtpd_restriction_classes=
        -o smtpd_delay_reject=no
        -o smtpd_client_restrictions=permit_mynetworks,reject
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=reject_unauth_pipelining
        -o smtpd_end_of_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o smtpd_error_sleep_time=0
        -o smtpd_soft_error_limit=1001
        -o smtpd_hard_error_limit=1000
        -o smtpd_client_connection_count_limit=0
        -o smtpd_client_connection_rate_limit=0
        -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
"pickup":
-o content_filter=
-o receive_override_options=no_header_body_checks
,
.
Postfix:
sudo /etc/init.d/postfix restart
.
5.2.5. Amavisd-new Spamassassin
Amavisd-new Spamassassin,
, /etc/spamassassin/local.cf,
cron ,
,
amavis cron amavisd-new.
:
MDA ,
.
/usr/sbin/amavisd-new-cronjob , use_bayes
0. , /usr/sbin/amavisd-new-cronjob,
:
egrep -q "^[ \t]*use_bayes[ \t]*0" /etc/spamassassin/local.cf && exit 0
5.3.
, Amavisd-new SMTP :
telnet localhost 10024
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 [127.0.0.1] ESMTP amavisd-new service ready
^]
, ,
:
X-Spam-Level:
X-Virus-Scanned: Debian amavisd-new at example.com
X-Spam-Status: No, hits=-2.3 tagged_above=-1000.0 required=5.0 tests=AWL, BAYES_00
X-Spam-Level:
, ,
X-Virus-Scanned X-Spam-Status.
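Added example, not part of the Ubuntu Server Guide: a small script that reads the X-Spam-Status header Amavisd-new inserts (the sample output above) and reports whether the message would be tagged at the $sa_tag2_level_deflt threshold (6.0 in 20-debian_defaults). The function names and the second sample header are assumed.

```shell
#!/bin/sh
# Added example (not from the guide): classify a message from the
# X-Spam-Status header Amavisd-new adds. Function names are assumed.

# Extract the numeric score from one X-Spam-Status line. Older Amavisd-new
# releases write "hits=", newer ones "score="; both forms are accepted.
spam_status_score() {
    printf '%s\n' "$1" |
        sed -n -e 's/.*hits=\([-0-9.]*\).*/\1/p' \
               -e 's/.*score=\([-0-9.]*\).*/\1/p'
}

# Print "spam" or "ham" for a header line, or "unknown" (exit 2) when the
# line carries no score. A second argument overrides the 6.0 tagging level.
spam_verdict() {
    score=$(spam_status_score "$1")
    threshold="${2:-6.0}"
    [ -n "$score" ] || { echo unknown; return 2; }
    # The shell only does integer arithmetic; awk compares the decimals.
    awk -v s="$score" -v t="$threshold" \
        'BEGIN { print (s + 0 >= t + 0) ? "spam" : "ham" }'
}

# Constructed sample headers: the first is the line shown above, the second
# is an assumed header for a message Spamassassin scored above the threshold.
SAMPLE_HAM='X-Spam-Status: No, hits=-2.3 tagged_above=-1000.0 required=5.0 tests=AWL, BAYES_00'
SAMPLE_SPAM='X-Spam-Status: Yes, score=7.4 tagged_above=-999 required=6 tests=BAYES_99'

spam_verdict "$SAMPLE_HAM"    # ham
spam_verdict "$SAMPLE_SPAM"   # spam
```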
5.4.
, -
.
Postfix 1.7,
[276].
Amavisd-new Syslog /var/log/
mail.log. , $log_level
/etc/amavis/conf.d/50-user 1 5.
$log_level = 2;
Amavisd-new ,
Spamassassin .
ClamAV
/etc/clamav/clamd.conf :
LogVerbose true
ClamAV /var/log/clamav/
clamav.log.
.
.
5.5.
:
Amavisd-new
ClamAV
ClamAV Wiki
http://www.ijs.si/software/amavisd/amavisd-new-docs.html
http://www.clamav.net/doc/latest/html/
http://wiki.clamav.net/Main/WebHome
Spamassassin Wiki
Pyzor
Razor
DKIM.org
#ubuntu-server IRC
freenode .
http://wiki.apache.org/spamassassin/
http://sourceforge.net/apps/trac/pyzor/
http://razor.sourceforge.net/
http://dkim.org/
https://help.ubuntu.com/community/PostfixAmavisNew
http://freenode.net
16.
1.
, IRC- ircdirc2.
Jabber.
2. IRC-
Ubuntu IRC (Internet Relay Chat).
,
IRC- ircd-irc2.
2.1.
ircd-irc2, :
sudo apt-get install ircd-irc2
/etc/ircd.
/usr/share/doc/ircd-irc2.
2.2.
IRC /etc/ircd/
ircd.conf. ,
:
M:irc.localhost::Debian ircd default configuration::000A
, , DNS
IRC-. ,
IRC irc.livecipher.com, , irc.livecipher.com
DNS-. IRC
.
IRC
:
A:Organization, IRC dept.:Daemon <ircd@example.irc.org>:Client Server::IRCnet:
IRC, ,
..
/usr/share/doc/ircd-irc2/ircd.conf.example.gz.
IRC, IRC
, /etc/ircd/ircd.motd.
,
IRC, :
2.3.
IRC-,
Ubuntu. ircd-ircu ircd-hybrid.
http://www.irc.org/tech_docs/ircnet/faq.html
3. Jabber
Jabber ,
XMPP, ,
.
Jabberd 2 .
.
3.1.
jabberd2 :
sudo apt-get install jabberd2
3.2.
XML
jabberd2 Berkeley
DB. jabberd2 LDAP, MySQL,
PostgreSQL . .
/etc/jabberd2/sm.xml, :
<id>jabber.example.com</id>
jabber.example.com
.
<storage> <driver> :
<driver>db</driver>
/etc/jabberd2/c2s.xml <local>:
<id>jabber.example.com</id>
<authreg> <module>:
<module>db</module>
jabberd2 :
sudo /etc/init.d/jabberd2 restart
, Jabber-,
, Pidgin.
Berkeley DB ,
.
,
.
3.3.
http://codex.xiaoka.com/wiki/jabberd2:start
http://www.jabberdoc.org/
https://help.ubuntu.com/community/SettingUpJabberServer
17.
.
,
, ,
, .
. ,
1. Bazaar
Bazaar , Canonical,
, Ubuntu. Subversion
CVS, ,
Bazaar ,
. , Bazaar
.
1.1.
bzr, :
sudo apt-get install bzr
1.2.
bzr, whoami :
$ bzr whoami 'Joe Doe <joe.doe@gmail.com>'
1.3. Bazaar
Bazaar ,
/usr/share/doc/bzr/html. ""
. bzr :
$ bzr help
foo:
$ bzr help foo
1.4. Launchpad
, , Bazaar
Launchpad ,
, Canonical
,
Ubuntu. , Bazaar
https://launchpad.net/
Launchpad
, : http://bazaar-vcs.org/LaunchpadIntegration .
2. Subversion
Subversion .
Subversion,
. ,
, ,
.
2.1.
Subversion HTTP
-. Apache2
Subversion. Apache2
HTTP Apache2.
Subversion HTTPS
- Apache2.
HTTPS Apache2.
Subversion :
sudo apt-get install subversion libapache2-svn
2.2.
, ,
. ,
Subversion
2.2.1. Subversion
Subversion , :
svnadmin create /path/to/repos/project
2.2.2.
,
. :
svn import //// file://////
2.3.
Subversion
. URL. ,
URL .
17.1.
file://
( )
http://
WebDAV Apache2,
Subversion
https://
, http://, SSL
svn://
svnserve
svn co file://localhost/path/to/repos/project
, (///)
( ), .
, (//).
.
/
2.3.2. WebDAV (http://)
Subversion WebDAV
Apache2.
<VirtualHost>
http://svnbook.red-bean.com/
<Location /svn>
DAV svn
SVNPath /home/svn
AuthType Basic
AuthName "Your repository name"
AuthUserFile /etc/subversion/passwd
Require valid-user
</Location>
,
Subversion /home/svn/
svnadmin. http://hostname/
svn/repos_name.
Subversion
HTTP, HTTP.
Ubuntu www-data.
:
sudo chown -R www-data:www-data ///
www-data,
,
svn import file:/// , wwwdata, .
, /etc/subversion/passwd,
.
(
):
sudo htpasswd -c /etc/subversion/passwd _
"-c",
. :
sudo htpasswd /etc/subversion/passwd user_name
.
. ,
, :
svn co http:///svn
. ,
,
SSL.
.
2.3.3. WebDAV SSL (https://)
Subversion WebDAV SSL
(https://) http://, ,
Apache2.
SSL Subversion ,
, /etc/apache2/sites-available/default-ssl.
Apache2 SSL 1.3,
HTTPS [220].
,
.
.
,
- Apache 2.
Subversion
! ,
. https://
Subversion.
2.3.4. (svn://)
Subversion ,
.
/////conf/svnserve.conf. ,
:
# [general]
# password-db = passwd
,
passwd. ,
passwd , ,
.
username = password
, .
, Subversion svn://
, Subversion,
svnserve. :
$ svnserve -d --foreground -r ///
# -d -- daemon ()
# --foreground -- ( )
# -r --
:
$ svnserve --help
Subversion 3690.
, , :
svn co svn:/// --username _
, .
Subversion.
update. :
cd _ ; svn update
,
Subversion. ,
"co", :
svn co help
, SSH.
, .
, ,
.
svn+ssh:// ,
Subversion, SSL.
.
:
svn co svn+ssh://hostname/var/svn//
Subversion,
, (////
).
, .
, SSH. ,
Subversion.
3. CVS
CVS .
.
3.1.
CVS,
:
sudo apt-get install cvs
cvs, xinetd /
cvs .
xinetd:
sudo apt-get install xinetd
3.2.
cvs
. /
srv/cvs. :
cvs -d /your/new/cvs/repo init
,
xinetd CVS ,
/etc/xinetd.d/cvspserver.
service cvspserver
{
port = 2401
socket_type = stream
protocol = tcp
user = root
wait = no
type = UNLISTED
server = /usr/bin/cvs
server_args = -f --allow-root /srv/cvs pserver
disable = no
}
, ,
(/srv/cvs).
xinetd cvs
:
sudo /etc/init.d/xinetd restart
, CVS , :
sudo netstat -tap | grep cvs
, ,
:
tcp 0 0 *:cvspserver *:* LISTEN
,
CVS.
CVS
. ,
Linux CVS,
.
CVS.
3.3.
, CVS.
.
CVS:
cd your/project
cvs -d :pserver:username@hostname.com:/srv/cvs import -m \
"Importing my project to CVS repository" . new_project start
CVSROOT,
CVS.
-d cvs .
new_project , start
(). , CVS
, .
, CVS
CVS (/srv/cvs).
src CVS.
CVS.
4.
Bazaar
Launchpad
Subversion
Subversion
CVS
http://bazaar.canonical.com/en/
https://launchpad.net/
http://subversion.tigris.org/
http://svnbook.red-bean.com/
http://ximbiot.com/cvs/manual/cvs-1.11.21/cvs_toc.html
https://help.ubuntu.com/community/EasyBazaar
https://help.ubuntu.com/community/Subversion
18.
Windows
.
,
Ubuntu ,
Ubuntu MicrosoftWindows,
. ,
Ubuntu
Windows-.
1.
Ubuntu Windows ,
Windows.
,
:
.
(SMB)
, , ,
.
.
,
(LDAP) Microsoft Active
Directory.
.
,
, Kerberos.
, Ubuntu
Windows .
Ubuntu,
Windows, Samba,
SMB.
Ubuntu Server
Samba, ,
. , ,
Samba Samba .
http://www.samba.org
2. Samba
Ubuntu Windows Samba
.
Samba Windows-.
.
, 4,
Samba [327]
2.1.
samba. :
sudo apt-get install samba
.
Samba .
2.2.
Samba : /etc/samba/smb.conf.
, .
.
man smb.conf
Samba HOWTO
.
1.
/
[global] /etc/samba/smb.conf:
workgroup = EXAMPLE
...
security = user
security [global]
.
EXAMPLE.
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/
2.
:
[share]
comment = Ubuntu File Server Share
path = /srv/samba/share
browsable = yes
guest ok = yes
read only = no
create mask = 0755
comment: . .
path: ,
/srv/samba/sharename,
(FHS) /srv
, .
Samba
,
, - .
browsable: Windows-
Windows Explorer.
guest ok:
.
read only: , ,
.
, no,
. yes,
(read only).
create mask: .
3.
, Samba ,
. :
sudo mkdir -p /srv/samba/share
sudo chown nobody.nogroup /srv/samba/share/
-p mkdir ,
.
4.
, samba,
.
http://www.pathname.com/fhs/pub/fhs-2.3.html#SRVDATAFORSERVICESPROVIDEDBYSYSTEM
sudo restart smbd
sudo restart nmbd
,
.
, 4,
Samba [327].
Windows-
Ubuntu Server.
,
IP- (, \\192.168.1.1) Windows.
, ,
Windows.
[dir]
/etc/samba/smb.conf Samba. ,
, ,
.
"[share]" /srv/samba/share
.
, .
,
. [qa]
/srv/samba/qa.
2.3.
Samba,
Samba HOWTO Collection .
.
O'Reilly Samba
.
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/
http://www.amazon.com/exec/obidos/tg/detail/-/0131882228
http://www.oreilly.com/catalog/9780596007690/
https://help.ubuntu.com/community/Samba
3. Samba
Samba
,
Ubuntu . , 2,
Samba [322], Samba,
.
, 4,
Samba [327].
3.1.
Samba
CUPS. 4, CUPS
[266]
samba :
sudo apt-get install samba
3.2.
Samba /etc/samba/smb.conf.
workgroup , security user:
workgroup = EXAMPLE
...
security = user
smb.conf Samba:
sudo restart smbd
sudo restart nmbd
Samba .
Windows.
3.3.
Samba,
Samba HOWTO Collection .
.
O'Reilly Samba
.
- CUPS ,
CUPS.
Ubuntu Wiki Samba
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/
http://www.amazon.com/exec/obidos/tg/detail/-/0131882228
http://www.oreilly.com/catalog/9780596007690/
http://www.cups.org/
https://help.ubuntu.com/community/Samba
4.
Samba
4.1. Samba
CIFS (Common Internet Filesystem)
.
Samba ,
:
security = user:
.
Samba ,
libpam-smbpass
Samba.
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id349531
libpam-smbpass,
Samba.
sudo apt-get install libpam-smbpass
Samba Server ,
libpam-smbpass .
/etc/samba/smb.conf, [share]:
guest ok = no
, Samba, :
sudo restart smbd
sudo restart nmbd
,
.
,
,
, , .
4.3.
.
, [share].
4.3.1.
,
,
. , qa
freda, danika rob, support
danika, jeremy vincent, ,
qa,
freda, danika, rob, jeremy vincent.
danika , qa support,
, ,
,
, .
Samba ,
/etc/group, ,
. ,
, 1.2,
[173].
Samba /etc/samba/smb.conf
"@". ,
sysadmin /etc/samba/
smb.conf, @sysadmin.
4.3.2.
,
.
/etc/samba/smb.conf
.
, Samba share,
- qa,
sysadmin vincent,
/etc/samba/smb.conf,
[share]:
read list = @qa
write list = @sysadmin, vincent
Samba
, .
,
, ,
.
, melissa
share, /etc/samba/smb.conf
[share]:
admin users = melissa
/etc/samba/smb.conf, Samba,
:
sudo restart smbd
sudo restart nmbd
, ,
Samba security = share
, Samba
,
.
Linux
(ACL) Windows NT. , ACL POSIX,
Ubuntu,
. , ACL /srv
EXT3, /etc/fstab, acl:
UUID=66bcdd2e-8861-4fb0-b7e4-e61c569fe17d /srv  ext3    noatime,relatime,acl 0
:
sudo mount -v -o remount /srv
, /srv
. /srv
/,
.
Samba, sysadmin
, /srv/samba/
share, qa ,
melissa. :
sudo chown -R melissa /srv/samba/share/
sudo chgrp -R sysadmin /srv/samba/share/
sudo setfacl -R -m g:qa:rx /srv/samba/share/
setfacl
/srv/samba/share,
.
, Windows-, ,
.
man acl setfacl POSIX
ACL.
Samba .
AppArmor
4, AppArmor [189].
AppArmor /usr/sbin/smbd /usr/sbin/
nmbd, Samba. apparmorprofiles. :
sudo apt-get install apparmor-profiles apparmor-utils
.
, smbd nmbd
(complain), Samba ,
. smbd
(enforce) , Samba , ,
,
.
/etc/apparmor.d/usr.sbin.smbd,
[share] :
/srv/samba/share/ r,
/srv/samba/share/** rwkix,
:
sudo aa-enforce /usr/sbin/smbd
cat /etc/apparmor.d/usr.sbin.smbd | sudo apparmor_parser -r
,
, smbd binary
. ,
Samba.
/var/log/syslog.
4.5.
Samba,
Samba HOWTO Collection .
.
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/
http://www.amazon.com/exec/obidos/tg/detail/-/0131882228
O'Reilly Using Samba
HOWTO Samba .
Samba ACL
ACL Samba .
http://www.oreilly.com/catalog/9780596007690/
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/securing-samba.html
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html#id397568
https://help.ubuntu.com/community/Samba
5. Samba
, Samba
Active Directory,
Windows NT4.
. Samba
().
5.1.
Samba
smbpasswd.
1.
Samba, libpam-smbpass
, :
sudo apt-get install samba libpam-smbpass
2.
Samba, /etc/samba/smb.conf.
security user, workgroup
:
workgroup = EXAMPLE
...
security = user
3.
Domains
( ,
):
domain logons = yes
logon path = \\%N\%U\profile
logon drive = H:
logon home = \\%N\%U
logon script = logon.cmd
add machine script = sudo /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u
,
logon home logon path .
domain logons: netlogon, Samba
.
logon path:
Windows .
[profiles] .
logon drive: .
logon home: .
logon script: ,
.
[netlogon].
add machine script: ,
Machine Trust Account,
.
machines
addgroup. :
1.2, [173].
4.
[homes], logon
home.
[homes]
comment = Home Directories
browseable = no
read only = no
create mask = 0700
directory mask = 0700
valid users = %S
5.
[netlogon]. , , :
[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
guest ok = yes
read only = yes
share modes = no
netlogon /home/samba/netlogon,
,
(FHS), ,
, /srv .
6.
netlogon () logon.cmd:
http://www.pathname.com/fhs/pub/fhs-2.3.html#SRVDATAFORSERVICESPROVIDEDBYSYSTEM
sudo mkdir -p /srv/samba/netlogon
sudo touch /srv/samba/netlogon/logon.cmd
Windows
logon.cmd
7.
Samba, :
sudo restart smbd
sudo restart nmbd
8.
, ,
.
root ,
Domain
Admins Windows. Domain Admins,
:
sudo net groupmap add ntgroup="Domain Admins" unixgroup=sysadmin rid=512 type=d
sysadmin , .
, ,
, sysadmin
admin. admin
sudo.
Samba,
smbpasswd, ,
, sysadmin:
sudo smbpasswd -a sysadmin
Domain Admins , add machine script
( ).
:
9.
Windows- ,
NT4 Windows.
5.2.
(PDC)
(BDC).
, PDC .
Samba BDC
PDC.
: scp, rsync LDAP
passdb.
LDAP
,
. ,
LDAP
.
2, Samba LDAP [135].
1.
samba libpam-smbpass. :
sudo apt-get install samba libpam-smbpass
2.
/etc/samba/smb.conf
[global]:
workgroup = EXAMPLE
...
security = user
3.
Domains
:
domain logons = yes
domain master = no
4.
, /var/lib/samba.
, , admin
scp , :
sudo chgrp -R admin /var/lib/samba
5.
, scp,
/var/lib/samba PDC:
sudo scp -r username@pdc:/var/lib/samba /var/lib
username pdc
IP- PDC.
6.
, samba:
sudo restart smbd
sudo restart nmbd
,
Samba PDC, Windows, .
, :
logon home PDC, PDC
Home .
logon home , PDC BDC.
5.3.
Samba,
Samba HOWTO Collection .
.
O'Reilly Using Samba
4 HOWTO Samba
.
5 HOWTO Samba
.
Ubuntu Wiki Samba
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/
http://www.amazon.com/exec/obidos/tg/detail/-/0131882228
http://www.oreilly.com/catalog/9780596007690/
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html
https://help.ubuntu.com/community/Samba
/etc/samba/smb.conf, :
workgroup = EXAMPLE
...
security = ads
realm = EXAMPLE.COM
...
idmap backend = lwopen
idmap uid = 50-9999999999
idmap gid = 50-9999999999
samba, :
sudo restart smbd
sudo restart nmbd
Samba
Windows-. ,
AD .
4,
Samba [327].
6.2. Windows
, Samba Active Directory,
Windows.
http://www.likewise.com/resources/documentation_library/manuals/open/likewise-open-guide.html
Windows, :
mount.cifs //fs01.example.com/share mount_point
,
AD,
.
/etc/fstab, :
//192.168.0.5/share /mnt/windows cifs auto,username=steve,password=secret,rw 0
Windows
smbclient.
Windows, :
smbclient //fs01.example.com/share -k -c "ls"
, :
smbclient //fs01.example.com/share -k -c "get file.txt"
file.txt .
:
smbclient //fs01.example.com/share -k -c "put /etc/hosts hosts"
/etc/hosts
//fs01.example.com/share/hosts.
-c, ,
smbclient.
. smb:
\>,
, FTP, :
smbclient //fs01.example.com/share -k
fs01.example.com/share, //192.168.0.5/
share, username=steve,password=secret file.txt IP-
, , /
,
.
339
Windows
6.3.
smbclient : man
smbclient, .
mount.cifs
.
Ubuntu Wiki Samba
http://manpages.ubuntu.com/manpages/precise/en/man1/smbclient.1.html
http://manpages.ubuntu.com/manpages/precise/en/man8/mount.cifs.8.html
https://help.ubuntu.com/community/Samba
19.
Ubuntu.
, ,
.
.
1. Shell
shell script. ,
, ,
tar,
.
.
, NFS.
tar
.tar ,
.
1.1. Shell
shell tar
.
.
#!/bin/sh
####################################
#
# Backup to NFS mount script.
#
####################################
# What to backup.
backup_files="/home /var/spool/mail /etc /root /boot /opt"
# Where to backup to.
dest="/mnt/backup"
# Create archive filename.
day=$(date +%A)
hostname=$(hostname -s)
archive_file="$hostname-$day.tgz"
# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"
date
echo
# Backup the files using tar.
tar czf $dest/$archive_file $backup_files
# Print end status message.
echo
echo "Backup finished"
date
# Long listing of files in $dest to check file sizes.
ls -lh $dest
$backup_files: ,
. .
$day: , .
,
.
, date.
$hostname: , .
.
$archive_file: .
$dest: .
. 2,
(NFS) [261] NFS.
status messages: ,
echo.
tar czf $dest/$archive_file $backup_files: tar,
.
c: .
z: gzip.
f: . tar
STDOUT.
ls -lh $dest: , -l
-h .
.
.
,
, . 1.4,
[346] ,
shell .
1.2.
1.2.1.
. , backup.sh.
:
sudo bash backup.sh
, ,
.
1.2.2. cron
cron
. cron
.
cron crontab. crontab
:
# m h dom mon dow   command
m: , 0 59.
h: , 0 23.
dom: .
mon: .
dow: , 0 7.
0 7, .
command: .
crontab
crontab -e. , crontab
crontab -l.
backup.sh cron,
:
sudo crontab -e
sudo crontab -e
root.
, root.
crontab: crontab:
# m h dom mon dow   command
0 0 * * * bash /usr/local/bin/backup.sh
backup.sh .
backup.sh /usr/local/
bin/, .
,
crontab.
crontab 1.4,
[346].
1.3.
, .
, ,
.
, :
tar -tzvf /mnt/backup/host-Monday.tgz
, :
tar -xzvf /mnt/backup/host-Monday.tgz -C /tmp etc/hosts
-C tar
. /etc/hosts /
tmp/etc/hosts. tar
.
"/"
.
, :
cd /
sudo tar -xzvf /mnt/backup/host-Monday.tgz
, .
1.4.
shell
Advanced Bash-Scripting Guide
cpio : .
dd : coreutils. ,
.
rsnapshot : ,
.
rsync : ,
( ).
http://tldp.org/LDP/abs/html/
http://safari.samspublishing.com/0672323583
https://help.ubuntu.com/community/CronHowto
http://www.gnu.org/software/tar/manual/index.html
http://en.wikipedia.org/wiki/Backup_rotation_scheme
http://www.gnu.org/software/cpio/
http://www.gnu.org/software/coreutils/
http://www.rsnapshot.org/
http://www.samba.org/ftp/rsync/rsync.html
2.
Shell 1, Shell [342]
7 . ,
, .
,
.
2.1. NFS
shell
'--' (-):
.
,
.
,
,
.
:
#!/bin/bash
####################################
#
# Backup to NFS mount script with
# grandfather-father-son rotation.
#
####################################
# What to backup.
backup_files="/home /var/spool/mail /etc /root /boot /opt"
# Where to backup to.
dest="/mnt/backup"
# Setup variables for the archive filename.
day=$(date +%A)
hostname=$(hostname -s)
# Find which week of the month 1-4 it is.
# 10# forces base 10: date prints "08" and "09", which (( )) would otherwise
# reject as invalid octal numbers and abort the script on those two days.
day_num=$((10#$(date +%d)))
if (( day_num <= 7 )); then
  week_file="$hostname-week1.tgz"
elif (( day_num > 7 && day_num <= 14 )); then
  week_file="$hostname-week2.tgz"
elif (( day_num > 14 && day_num <= 21 )); then
  week_file="$hostname-week3.tgz"
elif (( day_num > 21 && day_num < 32 )); then
  week_file="$hostname-week4.tgz"
fi
# Find if the Month is odd or even.
month_num=$(date +%m)
month=$(expr $month_num % 2)
if [ $month -eq 0 ]; then
  month_file="$hostname-month2.tgz"
else
  month_file="$hostname-month1.tgz"
fi
# Create archive filename.
# Compare numerically: with == the string "01" never equals "1", so the
# monthly archive would never be written.
if [ $day_num -eq 1 ]; then
  archive_file=$month_file
elif [ $day != "Saturday" ]; then
  archive_file="$hostname-$day.tgz"
else
  archive_file=$week_file
fi
# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"
date
echo
# Backup the files using tar.
tar czf "$dest/$archive_file" $backup_files
# Print end status message.
echo
echo "Backup finished"
date
# Long listing of files in $dest to check file sizes.
ls -lh "$dest/"
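The naming rule in the script above is driven by `date`, which makes it awkward to try out for the days that matter (the 1st, a Saturday, the 8th and 9th with their leading zeros). The following is an added example, not code from the Ubuntu Server Guide: the same grandfather-father-son rule as a function that takes host name, day of month, weekday and month as arguments, plus a backup/verify pair that writes a SHA-256 manifest beside the archive and creates both with mode 0600, since an archive of /etc and /root contains shadow hashes and private keys. The host name fallback `host`, the directory tree and the file contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the Ubuntu Server Guide: the GFS naming rule of
# the backup script, taking its inputs as arguments so that any date can be
# exercised, plus a backup/verify pair that records a SHA-256 manifest and
# creates the archive with owner-only permissions.
set -eu

# archive_name HOST DAY_OF_MONTH WEEKDAY MONTH
# Same rotation as the guide's script: month archive on the 1st, week archive
# on a Saturday, daily archive otherwise. DAY_OF_MONTH and MONTH may carry the
# leading zero printed by `date +%d` and `date +%m`; ${x#0} strips it so that
# "08" is not read as an (invalid) octal number by the arithmetic below.
archive_name() {
    local host day_num weekday month_num week_file month_file
    host=$1; day_num=${2#0}; weekday=$3; month_num=${4#0}
    if   [ "$day_num" -le 7 ];  then week_file="$host-week1.tgz"
    elif [ "$day_num" -le 14 ]; then week_file="$host-week2.tgz"
    elif [ "$day_num" -le 21 ]; then week_file="$host-week3.tgz"
    else                             week_file="$host-week4.tgz"
    fi
    if [ $((month_num % 2)) -eq 0 ]; then month_file="$host-month2.tgz"
    else                                  month_file="$host-month1.tgz"
    fi
    if   [ "$day_num" -eq 1 ];         then echo "$month_file"
    elif [ "$weekday" != "Saturday" ]; then echo "$host-$weekday.tgz"
    else                                    echo "$week_file"
    fi
}

# make_backup DEST ARCHIVE DIR
# Writes DEST/ARCHIVE with paths stored relative to / (as tar itself does when
# it strips the leading "/"), and the manifest DEST/ARCHIVE.sha256. Archives of
# /etc, /root and /home carry shadow hashes and private keys, so umask 077 makes
# both files mode 0600 instead of whatever the default umask would allow.
make_backup() {
    local dest archive
    dest=$1; archive=$2
    ( umask 077
      tar -czf "$dest/$archive" -C / "${3#/}"
      cd "$dest" && sha256sum "$archive" > "$archive.sha256" )
}

# verify_backup DEST ARCHIVE -> 0 only if the manifest still matches and tar
# can read the whole archive; a truncated or altered file fails either check.
verify_backup() {
    local dest archive
    dest=$1; archive=$2
    ( cd "$dest" && sha256sum --status -c "$archive.sha256" ) || return 1
    tar -tzf "$dest/$archive" > /dev/null
}

# Demo on a constructed tree, so it runs without /mnt/backup or the real /etc.
demo() {
    local work name
    work=$(mktemp -d)
    mkdir -p "$work/src/etc" "$work/dest"
    echo "127.0.0.1 localhost" > "$work/src/etc/hosts"
    name=$(archive_name "${HOSTNAME:-host}" "$(date +%d)" "$(date +%A)" "$(date +%m)")
    make_backup "$work/dest" "$name" "$work/src/etc"
    verify_backup "$work/dest" "$name" && echo "verified $work/dest/$name"
    rm -rf "$work"
}
demo
```

Run verify_backup from a second cron entry, or from the restore host after the archive has crossed the NFS mount: a backup that cannot be listed has already failed, whatever the nightly "Backup finished" line said.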
, 1.2,
[344].
.
shell NFS . , NFS-
.
,
(WAN) ,
.
, .
,
.
, .
2.2.
, ,
NFS.
,
.
,
, ,
.
.
mt, cpio.
,
:
#!/bin/bash
####################################
#
# Backup to tape drive script.
#
####################################
# What to backup.
backup_files="/home /var/spool/mail /etc /root /boot /opt"
# Where to backup to.
dest="/dev/st0"
# Print start status message.
echo "Backing up $backup_files to $dest"
date
echo
# Make sure the tape is rewound.
mt -f $dest rewind
# Backup the files using tar.
tar czf $dest $backup_files
# Rewind and eject the tape.
mt -f $dest rewoffl
# Print end status message.
echo
echo "Backup finished"
date
SCSI /dev/st0.
.
,
.
. , /etc/hosts /tmp/etc/
hosts :
mt -f /dev/st0 rewind
tar -xzf /dev/st0 -C /tmp etc/hosts
3. Bacula
Bacula ,
, .
Bacula Linux, Windows Mac OS X,
- .
3.1.
Bacula Bacula
, :
Bacula Director: ,
, , .
Bacula Console: , Director.
Console:
, .
(GUI) Gnome,
GTK+.
wxWidgets.
Bacula File: , Bacula Client.
,
, ,
Director.
Bacula Storage: ,
.
Bacula Catalog:
,
. Catalog
: MySQL, PostgreSQL SQLite.
Bacula Monitor: Director File
Storage. Monitor GTK+ GUI
.
,
.
3.2.
MySQL PostgreSQL ,
.Bacula
.
,
Bacula. Bacula :
sudo apt-get install bacula
bacula
MySQL Catalog. SQLite PostgreSQL,
bacula-director-sqlite3 bacula-directorpgsql.
bacula.
.
1, MySQL [237].
3.3.
Bacula ,
directives, {}.
Bacula /etc/bacula.
Bacula
. password. ,
Storage /etc/bacula/bacula-dir.conf
Director /etc/bacula/bacula-sd.conf.
Client1 Bacula.
,
- .
/etc/bacula/bacula-dir.conf:
#
# Define the main nightly save backup job
#
#   By default, this job will back up to disk in
Job {
  Name = "BackupServer"
  JobDefs = "DefaultJob"
  Write Bootstrap = "/var/lib/bacula/Client1.bsr"
}
BackupServer
. BackupServer
.
Console Director ,
non-root Console,
bacula. bacula,
:
sudo adduser $username bacula
$username . ,
,
, .
3.4.
.
. /
etc/bacula/bacula-sd.conf,
Device {
Name = "Tape Drive"
Device Type = tape
Media Type = DDS-4
Archive Device = /dev/st0
Hardware end of medium = No;
AutomaticMount = yes;
AlwaysOpen = Yes;
RemovableMedia = yes;
RandomAccess = no;
Alert Command = "sh -c 'tapeinfo -f %c | grep TapeAlert'"
}
Storage /etc/bacula/bacula-dir.conf
:
# Definition of "Tape Drive" storage device
Storage {
Name = TapeDrive
# Do not use "localhost" here
Address = backupserver
SDPort = 9103
Password = "Cv70F6pf1t6pBopT4vQOnigDrR0v3LT3Cgkiyjc"
Device = "Tape Drive"
Media Type = tape
}
Address
(FQDN) . backupserver
.
, ,
/etc/bacula/bacula-sd.conf.
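The Director authenticates to the Storage daemon with the Password of the Storage resource in bacula-dir.conf, which has to match the Password of the corresponding Director resource in bacula-sd.conf. The following added example, not part of the guide or of Bacula, reads both files and confirms that the two values agree before the first job runs. The Director name backupserver-dir and the temporary copies of the resources are constructed for the demo; the packaged bacula-dir.conf derives its Director name from the host name.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu Server Guide or of Bacula: confirm that
# the Password in the Director's Storage resource (bacula-dir.conf) equals the
# Password in the Storage daemon's Director resource (bacula-sd.conf). A
# mismatch only surfaces as an authentication failure when the first job
# tries to connect, typically in the middle of the night.
set -eu

# resource_password FILE RESOURCE NAME
# Prints the Password of the "RESOURCE { ... }" block whose Name is NAME,
# reading the "Key = value" lines as written in the guide, quoted or not.
resource_password() {
    awk -v want_res="$2" -v want_name="$3" '
        function value(line) {
            sub(/^[^=]*=[[:space:]]*/, "", line)   # drop "Key ="
            sub(/[[:space:]]+$/, "", line)          # trailing blanks
            gsub(/"/, "", line)                     # surrounding quotes
            return line
        }
        # "Storage {" or "Director {" opens a resource block
        /^[[:space:]]*[A-Za-z]+[[:space:]]*\{/ {
            res = $1; sub(/\{.*/, "", res); name = ""; pw = ""; next
        }
        # "}" closes it: report if it is the one we were asked for
        /^[[:space:]]*\}/ {
            if (res == want_res && name == want_name) { print pw; exit }
            res = ""; next
        }
        res != "" && /^[[:space:]]*Name[[:space:]]*=/     { name = value($0) }
        res != "" && /^[[:space:]]*Password[[:space:]]*=/ { pw = value($0) }
    ' "$1"
}

# check_sd_password DIR_CONF SD_CONF STORAGE_NAME DIRECTOR_NAME
# 0 when both files hold the same password for this Director/Storage pair.
check_sd_password() {
    local dir_pw sd_pw
    dir_pw=$(resource_password "$1" Storage "$3")
    sd_pw=$(resource_password "$2" Director "$4")
    if [ -z "$dir_pw" ] || [ -z "$sd_pw" ]; then
        echo "Storage '$3' not in $1 or Director '$4' not in $2" >&2
        return 1
    fi
    [ "$dir_pw" = "$sd_pw" ]
}

# Demo on constructed copies of the two resources. The Director name
# backupserver-dir is an assumption; Ubuntu's packaged bacula-dir.conf derives
# it from the host name.
demo() {
    local d
    d=$(mktemp -d)
    cat > "$d/bacula-dir.conf" <<'EOF'
# Definition of "Tape Drive" storage device
Storage {
  Name = TapeDrive
  # Do not use "localhost" here
  Address = backupserver
  SDPort = 9103
  Password = "Cv70F6pf1t6pBopT4vQOnigDrR0v3LT3Cgkiyjc"
  Device = "Tape Drive"
  Media Type = tape
}
EOF
    cat > "$d/bacula-sd.conf" <<'EOF'
Director {
  Name = backupserver-dir
  Password = "Cv70F6pf1t6pBopT4vQOnigDrR0v3LT3Cgkiyjc"
}
EOF
    if check_sd_password "$d/bacula-dir.conf" "$d/bacula-sd.conf" TapeDrive backupserver-dir; then
        echo "Storage TapeDrive and Director backupserver-dir agree"
    fi
    rm -rf "$d"
}
demo
```

Both files hold these passwords in clear text, which is why the packaged configuration keeps them readable only by root and the bacula group; the check above needs the same access, so run it as root or as a member of that group.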
,
:
# .
FileSet {
Name = "LocalhostFiles"
Include {
Options {
signature = MD5
compression=GZIP
}
File = /etc
File = /home
}
}
FileSet /etc /
home. Options FileSet
MD5
GZIP.
# -- .
Schedule {
Name = "LocalhostDaily"
Run = Full daily at 00:01
}
00:01 12:01.
, :
# .
Job {
Name = "LocalhostBackup"
JobDefs = "DefaultJob"
Enabled = yes
Level = Full
FileSet = "LocalhostFiles"
Schedule = "LocalhostDaily"
Storage = TapeDrive
Write Bootstrap = "/var/lib/bacula/LocalhostBackup.bsr"
}
.
.
, Bacula . ,
, Console, :
bconsole
Bacula :
Storage:
: MyCatalog
"MyCatalog"
: MyCatalog
Using Catalog "MyCatalog"
:
1:
2:
(1-2):2
Volume:
:
Defined Pools:
1: Default
2: Scratch
Sunday .
Pool:
Select the Pool (1-2): 1
Connecting to Storage daemon TapeDrive at backupserver:9103 ...
Sending label command for Volume "Sunday" Slot 0 ...
, Bacula localhost
.
3.5.
Bacula
10
Bacula
Bacula
Bacula.
11
12
[10] http://www.bacula.org/en/rel-manual/index.html
[11] http://www.bacula.org/
[12] https://help.ubuntu.com/community/Bacula
20.
.
, ,
,
. ,
, .
Ubuntu KVM.
KVM
Intel AMD. Xen Ubuntu. Xen
,
,
. Qemu
.
1.
libvirt ,
. libvirt, ,
KVM.
:
kvm-ok
,
.
,
, BIOS.
1.1.
.
,
SLIRP, NAT
.
, .
,
. 1.4,
[47].
1.2.
, :
sudo apt-get install kvm libvirt-bin
libvirt-bin ,
, libvirtd.
.
:
sudo adduser $USER libvirtd
- ,
,
.
.
,
.
, ,
.
(GUI) .
GUI
VNC virt-viewer.
1.6, [362]
.
,
Ubuntu, , preseeds, kickstart ..
1
Ubuntu .
Ubuntu
ubuntu-vm-builder.
,
.. : 2, JeOS vmbuilder [364]
Libvirt Xen.
Xen Ubuntu,
.
1.3. virt-install
virt-install virtinst.
:
sudo apt-get install virtinst
, virt-install.
:
-n web_devel:
web_devel
[1] https://help.ubuntu.com/12.04/installation-guide/
-r 256: , ,
.
--disk path=/var/lib/libvirt/images/web_devel.img,size=4:
, ,
. web_devel.img,
/var/lib/libvirt/images/, 4
virtio .
-c jeos.iso: , CD-ROM.
ISO- CD-ROM .
--accelerate: .
--network ,
. default,
virtio.
--vnc:
VNC.
--noautoconsole:
.
-v: .
virt-install
, ,
virt-viewer.
1.4. virt-clone
virt-clone
. :
-o: .
-n: .
-f: ,
.
--connect: .
-d --debug
virt-clone.
web_devel database_devel
.
1.5.
1.5.1. virsh
,
libvirt. virsh
. :
:
virsh -c qemu:///system list
:
virsh -c qemu:///system start web_devel
, :
virsh -c qemu:///system autostart web_devel
:
virsh -c qemu:///system reboot web_devel
.
,
:
virsh -c qemu:///system save web_devel web_devel-022708.state
.
:
virsh -c qemu:///system restore web_devel-022708.state
, :
virsh -c qemu:///system shutdown web_devel
CD-ROM
:
virsh -c qemu:///system attach-disk web_devel /dev/cdrom /media/cdrom
web_devel
, web_devel-022708.state
.
1.5.2.
virt-manager
. virtmanager :
virt-manager
(GUI),
, .
libvirt :
virt-manager -c qemu:///system
libvirt, ,
:
virt-manager -c qemu+ssh://virtnode1.mydomain.com/system
, SSH
virtnode1.mydomain.com
SSH .
SSH , libvirt
. SSH 1,
OpenSSH [94]
1.6.
virt-viewer
. virt-viewer
.
virt-viewer, :
sudo apt-get install virt-viewer
,
, :
virt-viewer -c qemu:///system web_devel
virt-manager, virt-viewer
, SSH , :
virt-viewer -c qemu+ssh://virtnode1.mydomain.com/system web_devel
web_devel .
,
SSH .
1, OpenSSH [94] and 1.4,
[47] .
1.7.
2
KVM .
libvirt
3
libvirt
4
virt-manager.
5
[2] http://kvm.qumranet.com/kvmwiki
[3] http://libvirt.org/
[4] http://virt-manager.et.redhat.com/
[5] http://freenode.net/
[6] https://help.ubuntu.com/community/KVM
[7] https://help.ubuntu.com/community/Xen
2. JeOS vmbuilder
2.1.
2.1.1. JeOS
Ubuntu JeOS ( "") Ubuntu
Server, .
CD-ROM ISO, :
, ,
.
Ubuntu JeOS ,
VMware.
Ubuntu JeOS Edition
.
ISV ,
,
, . ,
,
, ,
, .
, , JeOS,
,
.
2.1.2. vmbuilder
vmbuilder JeOS ISO.
vmbuilder
. vmbuilder
,
Linux (VM).
: KVM Xen
, , Ubuntu,
..
, tmpdir /dev/shm tmpfs,
, .
ubuntu-vm-builder Ubuntu 8.04 LTS.
.
Ubuntu,
. (
Ubuntu, ),
Intrepid python,
:
,
.
,
.
-
.
.
2.2.
, libvirt KVM ,
. , , :
1, [358]
8
KVM Wiki.
, ,
, nano vi.
,
9
PowerUsersTextEditors .
KVM,
.
[8] https://help.ubuntu.com/community/KVM
[9] https://help.ubuntu.com/community/PowerUsersTextEditors
2.2.1. vmbuilder
, python-vm-builder.
:
sudo apt-get install python-vm-builder
Hardy,
, ,
ubuntu-vm-builder,
.
2.3.
vmbuilder' Ubuntu
, :
, ,
,
, ,
,
, . ,
.
,
.
vmbuilder 2 :
() .
, , :
vmbuilder kvm ubuntu --help
2.3.1.
KVM Ubuntu 12.04 LTS (Precise Pangolin),
, ,
, vmbuilder :
sudo vmbuilder kvm ubuntu --suite precise --flavour virtual --arch i386 \
  -o --libvirt qemu:///syst
:
- , vmbuilder,
root, sudo
3 ,
64- (--arch amd64).
Ubuntu 8.10 32-
, 64- Hardy,
--flavour server.
2.3.2. JeOS
2.3.2.1. JeOS
2.3.2.1.1. IP .
, , .
, ,
,
IP- ,
.
192.168.0.0/255
:
--ip ADDRESS: IP- (
dhcp, )
--hostname NAME: NAME, .
--mask VALUE: IP- ( 255.255.255.0)
--net VALUE: IP- ( X.X.X.0)
--bcast VALUE: IP ( X.X.X.255)
--gw ADDRESS: ( ...1)
--dns ADDRESS: DNS ( X.X.X.1)
, ,
:
sudo vmbuilder kvm ubuntu --suite precise --flavour virtual --arch i386 \
  -o --libvirt qemu:///syst
2.3.2.1.2.
,
, libvirt ,
. --bridge
:
sudo vmbuilder kvm ubuntu --suite precise --flavour virtual --arch i386 \
  -o --libvirt qemu:///syst
,
1.4, [47] . ,
, br0
.
2.3.2.2.
,
.
,
/var.
vmbuilder --part:
--part PATH
Allows you to specify a partition table in a partition file, located at PATH. Each
line of the partition file should specify (root first):
mountpoint size
where size is in megabytes. You can have up to 4 virtual disks, a new disk starts
on a line with ---.
root 1000
ie :
/opt 1000
swap 256
--/var 2000
/log 1500
vmbuilder.partition,
:
root 8000
swap 4000
--/var 20000
, ,
, ,
.
:
sudo vmbuilder kvm ubuntu --suite precise --flavour virtual --arch i386 \
  -o --libvirt qemu:///syst
"\"
.
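A mistake in the partition file only shows up when vmbuilder fails part-way through a build. The following added example, not part of the guide or of vmbuilder, checks a partition file against the rules quoted from the --part help text (root first, sizes in megabytes, a line "---" starts the next disk, at most four virtual disks) and prints the resulting size of each disk. The sample files are constructed from the vmbuilder.partition layout shown above.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu Server Guide or of vmbuilder: validate a
# partition file before passing it to `vmbuilder --part`, applying the rules
# quoted from the --part help text (root first, sizes in megabytes, a line "---"
# starts the next disk, at most four virtual disks) and printing the size of
# each resulting disk.
set -eu

# check_part_file FILE -> "disk N: SIZE MB" per disk on stdout; on the first
# violation a message goes to stderr and the status is 1.
check_part_file() {
    awk '
        function fail(msg) {
            printf "%s:%d: %s\n", FILENAME, NR, msg > "/dev/stderr"; bad = 1; exit 1
        }
        BEGIN { disk = 1; entries = 0 }
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }          # blank or comment
        $1 == "---" {
            if (entries == 0) fail("\"---\" with no partitions before it")
            disk++; entries = 0
            if (disk > 4) fail("vmbuilder supports at most 4 virtual disks")
            next
        }
        NF != 2 { fail("expected \"mountpoint size\", got: " $0) }
        $2 !~ /^[0-9]+$/ || $2 + 0 == 0 {
            fail("size must be a positive whole number of MB: " $2)
        }
        disk == 1 && entries == 0 && $1 != "root" {
            fail("first entry must be root, got " $1)
        }
        $1 != "root" && $1 != "swap" && $1 !~ /^\// { fail("bad mountpoint: " $1) }
        seen[$1]++ { fail("duplicate mountpoint " $1) }
        { total[disk] += $2; entries++ }
        END {
            if (bad) exit 1
            if (entries == 0) fail("trailing \"---\" with no partitions after it")
            for (d = 1; d <= disk; d++) printf "disk %d: %d MB\n", d, total[d]
        }
    ' "$1"
}

# Demo with the layout from the guide: root and swap on the first disk, /var
# on a second one.
demo() {
    local f
    f=$(mktemp)
    printf 'root 8000\nswap 4000\n---\n/var 20000\n' > "$f"
    check_part_file "$f"
    rm -f "$f"
}
demo
```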
2.3.2.3.
,
,
,
. ,
, ,
, ,
. 'user'
'default' .
:
--user USERNAME: . -:
ubuntu.
--name FULLNAME: . : Ubuntu.
--pass PASSWORD: . -: ubuntu.
:
sudo vmbuilder kvm ubuntu --suite precise --flavour virtual --arch i386 \
  -o --libvirt qemu:///syst
2.3.3.
(Limesurvey),
MySQL -.
:
Apache
PHP
MySQL
OpenSSH
Limesurvey ( , )
vmbuilder --addpkg
:
--addpkg PKG
PKG ( )
, - vmbuilder,
. Limesurvey,
, .
, debconf, , mysqlserver, , ,
.
, ,
main, ,
--comp --ppa:
--components COMP1,COMP2,...,COMPN
A comma separated list of distro components to include (e.g. main,universe).
This defaults to "main"
--ppa=PPA Add ppa belonging to PPA to the vm's sources.list.
Limesurvey ,
PPA ( ),
/etc/apt/source.list .
:
2.3.4.
2.3.4.1.
vmbuilder ,
,
,
,
.
, (
, apt-mirror)
-, apt-proxy.
, ,
. :
sudo apt-get install apt-proxy
()
http://mirroraddress:9999
Ubuntu /ubuntu. , vmbuilder ,
--mirror:
--mirror=URL
URL Ubuntu ,
http://archive.ubuntu.com/ubuntu
http://ports.ubuntu.com/ubuntu-ports
:
--mirror http://mirroraddress:9999/ubuntu
/etc/
apt/sources.list ,
,
.
2.3.4.2.
,
Ubuntu. apt-mirror
, .
20
.
apt-mirror /etc/apt/
mirror.list.
.
, ,
deb, deb /deb-{arch}, arch
i386, amd64 .. , amd64
i386,
( ,
):
deb
/deb-i386
deb
/deb-i386
restricted/debian-installer universe/debian-installer multiverse/debian-installer
/deb-i386 http://archive.ubuntu.com/ubuntu precise main/debian-installer
restricted/debian-installer universe/debian-installer multiverse/debian-installer
, ,
, ,
, .
, (
), Apache,
( /var/spool/apt-mirror, )
Apache.
Apache 1, HTTPD - Apache2 [213].
2.4.
:
Debian.
,
10
Ubuntu .
, .
11
Debian
.
/opt,
12
FHS .
, Limesurvey, , .
, PPA
( ).
2.5.
2.5.1.
,
, unattendedupgrades, :
[10] https://wiki.ubuntu.com/PackagingGuide
[11] http://www.debian-administration.org/articles/286
[12] http://www.pathname.com/fhs/
--addpkg unattended-upgrades
PPA,
, ,
PPA.
2.5.2. ACPI
,
, acpid.
:
--addpkg acpid
2.6.
, :
sudo vmbuilder kvm ubuntu --suite precise --flavour virtual --arch i386 -o \
  --libvirt qemu:///syst
2.7.
,
, Ubuntu Server :
IRC: #ubuntu-server on freenode
: ubuntu-server at lists.ubuntu.com
[13] https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
[14] https://help.ubuntu.com/community/JeOSVMBuilder
3. UEC
3.1.
UEC (Ubuntu Enterprise Cloud Ubuntu)
UC (Ubuntu Cloud
Ubuntu). Eucalyptus,
Openstack. .
UEC -
Ubuntu 12.04 LTS Server
, ,
" ", .
, , ,
, "front-end"
.
,
.
3.2.
,
:
.
,
. , ,
.
3.2.1.
,
:
(CLC)
(CC)
Walrus ( S3)
(SC)
20.1. UEC
2 x 2 -
5400 /
IDE
7200 / ,
SATA
- Java
,
40
200
40
,
.., Eucalyptus
100
1000
/
3.2.2.
, :
(NC)
20.2. UEC
VT, 64-bit,
64-
VT
i386, amd64 ;
, Eucalyptus
(VM)
.
5400 / 7200 /
IDE SATA
SCSI
,
Eucalyptus
; /
40
100
;
Eucalyptus
100
1000 /
3.3. //
/Walrus
1.
2.
, Ubuntu
.
Eucalyptus
3.
, ,
15
4.
,
,
5.
cluster1.
IP- ,
192.168.1.200-192.168.1.249.
3.4. ()
. ,
, /
[15] https://help.ubuntu.com/community/UEC/Topologies
1.
()
2.
, Ubuntu
.
3.
Ubuntu
4.
5.
6.
3.5. ()
1.
UEC,
,
:
a. SSH .
b.
c. uec-component-listener .
d. .
a e
16
UEC/PackageInstall . ,
,
, "a"
"e".
2.
eucalyptus SSH
Walrus, , ,
eucalyptus.
ssh :
eucalyptus:
sudo passwd eucalyptus
, :
[16] https://help.ubuntu.com/community/UEC/PackageInstall
, ,
eucalyptus :
sudo passwd -d eucalyptus
3.
:
:
CC_NAME /etc/eucalyptus/eucalyptuscc.conf
CC_IP_ADDR /etc/eucalyptus/
eucalyptus-ipaddr.conf IP-,
Walrus:
WALRUS_IP_ADDR /etc/eucalyptus/
eucalyptus-ipaddr.conf IP-
:
:
CC_NAME /etc/eucalyptus/eucalyptuscc.conf
SC_IP_ADDR /etc/eucalyptus/
eucalyptus-ipaddr.conf IP-,
4.
Walrus:
sudo start eucalyptus-walrus-publication
:
sudo start eucalyptus-cc-publication
:
sudo start eucalyptus-sc-publication
5.
:
sudo start uec-component-listener
6.
cat /var/log/eucalyptus/registration.log
2010-04-08 15:46:36-05:00 | 24243 ->
2010-04-08 15:46:36-05:00 | 24243 ->
2010-04-08 15:48:47-05:00 | 25858 ->
2010-04-08 15:48:51-05:00 | 25858 ->
2010-04-08 15:49:04-05:00 | 26237 ->
3.6.
.
-, .
3.6.1.
1.
- ( Ubuntu)
URL-:
https://<cloud-controller-ip-address>:8443/
,
, -
"https", "http".
.
. ,
Eucalyptus
2.
'admin' 'admin' ,
( )
3.
admin
4.
,
" ",
5.
' '
.
6.
~/.euca.
7.
zip- (~/.euca).
unzip -d ~/.euca mycreds.zip
3.6.2.
, ,
:
mkdir -p ~/.euca
chmod 700 ~/.euca
cd ~/.euca
sudo euca_conf --get-credentials mycreds.zip
unzip mycreds.zip
ln -s ~/.euca/eucarc ~/.eucarc
cd -
3.6.3.
EC2 API AMI ,
X.509.
1.
:
sudo apt-get install euca2ools
2.
, , ,
:
. ~/.euca/eucarc
euca-describe-availability-zones verbose
AVAILABILITYZONE  myowncloud    192.168.1.1
AVAILABILITYZONE  |- vm types   free / max   cpu   ram   disk
AVAILABILITYZONE  |- m1.small   0004 / 0004         128
AVAILABILITYZONE  |- c1.medium  0004 / 0004    1    256      5
AVAILABILITYZONE  |- m1.large   0002 / 0002    2    512     10
AVAILABILITYZONE  |- m1.xlarge  0002 / 0002        1024     20
AVAILABILITYZONE  |- c1.xlarge  0001 / 0001        2048     20
e .
3.7.
.
, Bundle their
17
own image .
UEC
- UEC.
1.
- URL (
https):
https://<cloud-controller-ip-address>:8443/
2.
( , ,
, ).
3.
4.
5.
, "
?",
() .
"".
3.8.
UEC:
.
UEC ,
Landscape
18
ElasticFox
Firefox.
:
1.
,
( ssh), ,
root, .
, .
:
[17] https://help.ubuntu.com/community/UEC/BundlingImages
[18] https://help.ubuntu.com/community/UEC/ElasticFox
if [ ! -e ~/.euca/mykey.priv ]; then
mkdir -p -m 700 ~/.euca
touch ~/.euca/mykey.priv
chmod 0600 ~/.euca/mykey.priv
euca-add-keypair mykey > ~/.euca/mykey.priv
fi
'mykey'), , .
, euca-describekeypairs ,
.
2.
Allow SSH (port 22) into the default security group:
euca-authorize default -P tcp -p 22 -s 0.0.0.0/0
The source 0.0.0.0/0 admits connections from every address; where the administrators' network is known, name that range instead.
3.
,
:
euca-run-instances $EMI -k mykey -t m1.small
image_id,
"
"
.
4.
, .
,
.
:
watch -n5 euca-describe-instances
, .
''
5.
,
''. , IP-
, :
IPADDR=$(euca-describe-instances | grep $EMI | grep running | \
  tail -n1 | awk '{print $4}')
ssh -i ~/.euca/mykey.priv ubuntu@$IPADDR
6.
, SSH,
:
INSTANCEID=$(euca-describe-instances | grep $EMI | grep running | \
  tail -n1 | awk '{print $2}')
euca-terminate-instances $INSTANCEID
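The pipelines above pick the instance with grep, which also matches the image id as a substring of other fields and, if $EMI is empty, matches every line. The following added example, not part of the guide or of euca2ools, selects by column instead and wraps the polling that the `watch` step does by hand. The instance and image ids in the sample output are constructed; the column layout follows the INSTANCE lines that euca-describe-instances prints.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu Server Guide or of euca2ools: select the
# running instance of an image from euca-describe-instances output by column
# rather than with "grep $EMI | grep running", which also matches when the image
# id occurs as a substring elsewhere on the line and, with $EMI unset, matches
# every line. Instance and image ids below are constructed sample output.
set -eu

# running_instances EMI  (euca-describe-instances output on stdin)
# Prints "instance-id public-ip" for each running instance of EMI. The INSTANCE
# lines are laid out as: INSTANCE id image public-ip private-ip state key ...
running_instances() {
    awk -v emi="$1" '$1 == "INSTANCE" && $3 == emi && $6 == "running" { print $2, $4 }'
}

# wait_running EMI LIST_CMD [ATTEMPTS]
# Polls LIST_CMD (a command printing euca-describe-instances output) until an
# instance of EMI is running; prints "id ip", or returns 1 after ATTEMPTS tries.
wait_running() {
    local emi list_cmd attempts found
    emi=$1; list_cmd=$2; attempts=${3:-5}
    while [ "$attempts" -gt 0 ]; do
        attempts=$((attempts - 1))
        found=$($list_cmd | running_instances "$emi" | head -n 1)
        if [ -n "$found" ]; then echo "$found"; return 0; fi
        [ "$attempts" -gt 0 ] && sleep 1   # the guide polls with watch -n5
    done
    return 1
}

# Constructed stand-in for `euca-describe-instances`: one running and one
# pending instance of emi-E0B9105E, one running instance of another image.
sample_describe() {
    cat <<'EOF'
RESERVATION r-3D2F07A4 admin default
INSTANCE i-4A2C0920 emi-E0B9105E 192.168.1.201 10.0.0.2 running mykey 0 m1.small 2010-04-08T20:05:00.000Z myowncloud eki-F26610C6 eri-0A3C1A4D
INSTANCE i-3F1E08C1 emi-E0B9105E 0.0.0.0 0.0.0.0 pending mykey 0 m1.small 2010-04-08T20:07:00.000Z myowncloud eki-F26610C6 eri-0A3C1A4D
INSTANCE i-5B7D0A12 emi-E0B9105F 192.168.1.202 10.0.0.3 running mykey 0 m1.small 2010-04-08T20:09:00.000Z myowncloud eki-F26610C6 eri-0A3C1A4D
EOF
}

# Usage: the id and address to hand to ssh -i ~/.euca/mykey.priv ubuntu@IP
wait_running emi-E0B9105E sample_describe 1
```

Against a real cloud, replace sample_describe with euca-describe-instances (sourcing ~/.euca/eucarc first) and drop the third argument to get the default five attempts.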
3.8.1.
cloud-init
ssh ~ubuntu/.ssh/
authorized_keys.
, ,
.
, .
, cloud-init,
19
(user-data) ,
.
cloud-init:
sudo apt-get install cloud-init
(user-data) '#!',
root
( 'rc.local').
.
, ud.txt, :
#!/bin/sh
echo ========== Hello World: $(date) ==========
echo "I have been up for $(cut -d\ -f 1 < /proc/uptime) sec"
--user-data-file:
euca-run-instances $EMI -k mykey -t m1.small --user-data-file=ud.txt
, , .
, :
[19] http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1085
euca-get-console-output $EMI | grep --after-context=1 Hello
========== Hello World: Mon Mar 29 18:05:05 UTC 2010 ==========
I have been up for 28.26 sec
.
.
(user-data)
, (#!/bin/sh, #!/usr/
bin/python, #!/usr/bin/perl, #!/usr/bin/awk ... ).
. cloud-init "cloud-config"
, .
cloud-config (user-data)
'#cloud-config'.
, cloud-config.txt, :
#cloud-config
apt_upgrade: true
apt_sources:
- source: "ppa:ubuntu-server-edgers/server-edgers-apache "
packages:
- build-essential
- pastebinit
runcmd:
- echo ======= Hello World =====
- echo "I have been up for $(cut -d\
:
euca-run-instances $EMI -k mykey -t m1.small --user-data-file=cloud-config.txt
, , :
Apache Edgers PPA
'build-essential' 'pastebinit'
,
Apache Edgers PPA
Apache
. PPA
, , ,
. 20
Ubuntu Server Edgers .
'runcmd' ,
'#!' .
, cloud-config.
,
21
cloud-config, doc/examples .
3.9.
22
eucalyptus:
sudo service eucalyptus [start|stop|restart] ( CLC/CC/SC/Walrus)
sudo service eucalyptus-nc [start|stop|restart] ( )
:
/var/log/eucalyptus
:
/etc/eucalyptus
:
/var/lib/eucalyptus/db
:
/var/lib/eucalyptus
/var/lib/eucalyptus/.ssh
~/.euca/eucarc
.
3.10.
Eucalyptus
23
Wiki .
24
Eucalyptus (, , ) .
[20] https://launchpad.net/~ubuntu-server-edgers
[21] http://bazaar.launchpad.net/~cloud-init-dev/cloud-init/trunk/files/head:/doc/examples/
[22] https://help.ubuntu.com/community/UEC/StorageController
[23] https://help.ubuntu.com/community/Eucalyptus
[24] http://open.eucalyptus.com/
25
Eucalyptus Launchpad (, ) .
26
Eucalyptus (1.5) .
RightScale
27
IRC- #ubuntu-virt,
28
#eucalyptus, #ubuntu-server Freenode .
[25] https://launchpad.net/eucalyptus/
[26] http://open.eucalyptus.com/wiki/EucalyptusTroubleshooting_v1.5
[27] http://support.rightscale.com/2._References/02-Cloud_Infrastructures/Eucalyptus/03-Administration_Guide/Register_with_RightScale
[28] http://freenode.net
4. Ubuntu
(cloud computing) ,
. , ,
, ,
.
, ,
, , .
Ubuntu
OpenStack
, .
4.1.
OpenStack - Ubuntu
12.04 LTS Server Edition
" ". ,
,
Ubuntu
OpenStack.
4.2.
Ubuntu ,
, :
.
(
).
, (VT),
KVM.
, QEMU, UML, Vmware ESX / ESXi XEN. LXC (Linux
Containers) Libvirt.
, kvm, sudo kvm-ok
linux.
" ",
, :
, nova (
compute) , nova-compute.
,
(SPoF).
4.3.
OpenStack, ,
, MySQL,
(ntp). , .
" " 10.0.0.0/24
eth1. ,
" " 10.153.107.0/29
eth0.
4.3.1.
sudo apt-get install bridge-utils
4.3.2. NTP
sudo apt-get install ntp
/etc/ntp.conf.
server 127.127.1.0
fudge 127.127.1.0 stratum 10
ntp
sudo service ntp restart
4.3.3. MySQL
sudo apt-get install mysql-server
mysql OpenStack
sudo mysql -uroot -ppassword -e "CREATE DATABASE nova;"
sudo mysql -uroot -ppassword -e "GRANT ALL ON nova.* TO novauser@localhost \
IDENTIFIED BY 'novapassword' ";
"\" ,
.
libvirt-bin, , libvirtd
ebtables.
sudo service libvirt-bin restart
/etc/nova/nova.conf, :
# Nova config FlatDHCPManager
--sql_connection=mysql://novauser:novapassword@localhost/nova
--flat_injected=true
--network_manager=nova.network.manager.FlatDHCPManager
--fixed_range=10.0.0.0/24
--floating_range=10.153.107.72/29
--flat_network_dhcp_start=10.0.0.2
--flat_network_bridge=br100
--flat_interface=eth1
--public_interface=eth0
OpenStack
for i in nova-api nova-network nova-objectstore nova-scheduler nova-volume nova-compute; \
do sudo stop $i; sleep 2; done
,
. IP,
nova.conf .
6 ()
IP- ,
10.153.107.72.
sudo nova-manage floating create --ip_range=10.153.107.72/29
(user1), (project1),
.
cd ; mkdir nova ; cd nova
sudo nova-manage user admin user1
sudo nova-manage project create project1 user1
sudo nova-manage project zipfile project1 user1
unzip nova.zip
source novarc
OpenStack Compute, :
sudo nova-manage service list
sudo nova-manage version list
Nova ,
OpenStack, .
,
.
4.5. (Glance)
Nova Glance
, . Glance
,
, S3 (Simple Storage Service) . Glance
: glance-api and glance-registry.
.
mysql.
Glance
sudo apt-get install glance
glance
sudo mysql -uroot -ppassword -e "CREATE DATABASE glance;"
sudo mysql -uroot -ppassword -e "GRANT ALL ON glance.* TO glanceuser@localhost \
IDENTIFIED BY 'glancepassword' ";
/etc/glance/glance-registry.conf,
, "sql_connection =", :
sql_connection = mysql://glanceuser:glancepassword@localhost/glance
sqlite
rm -rf /var/lib/glance/glance.sqlite
, /var/log/glance/api.log
/var/log/glance/registry.log.
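The sql_connection value in nova.conf and in glance-registry.conf contains the database password in clear text (the same password is also typed on the mysql command line above, where it lands in the shell history and the process list). The following added example, not part of the guide, Nova or Glance, pulls the connection string out of either file syntax, reports user, host and database without printing the password, and refuses a file that other users can read. The sample files are constructed from the values shown above.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu Server Guide, Nova or Glance: the
# sql_connection setting in nova.conf and glance-registry.conf carries the
# database password in clear text, so those files must not be world-readable.
# This extracts the connection string from either syntax (the "--flag=value"
# lines of nova.conf or the "key = value" lines of glance-registry.conf),
# reports user, host and database without echoing the password, and checks
# the file mode. The sample files are constructed from the values above.
set -eu

# dsn_from_file FILE -> the first sql_connection value, whichever syntax is used
dsn_from_file() {
    sed -n -E 's/^[[:space:]]*(--)?sql_connection[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# dsn_parts DSN -> "user host db" (the password is deliberately left out)
dsn_parts() {
    printf '%s\n' "$1" |
        sed -E 's#^mysql://([^:/]+):([^@]*)@([^/]+)/([^?[:space:]]+).*#\1 \3 \4#'
}

# world_readable FILE -> 0 when "others" have read access (last octal digit 4-7)
world_readable() {
    case $(stat -c %a "$1") in
        *[4-7]) return 0 ;;
        *)      return 1 ;;
    esac
}

# audit_dsn FILE -> one summary line; returns 1 when the secret is exposed
audit_dsn() {
    local dsn parts mode
    dsn=$(dsn_from_file "$1")
    if [ -z "$dsn" ]; then
        echo "$1: no sql_connection found"; return 1
    fi
    parts=$(dsn_parts "$dsn")
    mode=$(stat -c %a "$1")
    if world_readable "$1"; then
        echo "$1: $parts mode=$mode EXPOSED: chmod o-rwx and keep the file owned by root and the service group"
        return 1
    fi
    echo "$1: $parts mode=$mode ok"
}

# Demo on constructed copies of the two files.
demo() {
    local d
    d=$(mktemp -d)
    printf '%s\n' '# Nova config FlatDHCPManager' \
        '--sql_connection=mysql://novauser:novapassword@localhost/nova' \
        '--flat_interface=eth1' > "$d/nova.conf"
    printf '%s\n' '[DEFAULT]' \
        'sql_connection = mysql://glanceuser:glancepassword@localhost/glance' > "$d/glance-registry.conf"
    chmod 640 "$d/nova.conf"
    chmod 644 "$d/glance-registry.conf"     # the mistake being caught
    audit_dsn "$d/nova.conf"
    audit_dsn "$d/glance-registry.conf" || true
    rm -rf "$d"
}
demo
```

Group read access is left alone because the packaged files are owned by root with the service's own group (nova or glance) so that the daemons can read them; only access for everyone else is flagged.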
4.6.
,
.
, .
, ,
. , ,
e OpenStack Nova:
, Ubuntu
distro=lucid
wget http://cloud-images.ubuntu.com/$distro/current/$distro-server-cloudimg-amd64.tar.gz
cloud-publish-tarball "$distro"-server-cloudimg-amd64.tar.gz "$distro"_amd64
:
cd ~/nova
source novarc
euca-add-keypair user1 > user1.priv
chmod 0600 user1.priv
ami=`euca-describe-images | awk {'print $2'} | grep -m1 ami`
euca-run-instances $ami -k user1 -t m1.tiny
euca-describe-instances
.
euca-allocate-address
euca-associate-address -i instance_id public_ip_address
euca-describe-instances
euca-terminate-instances instance_id
4.7. (Swift)
Swift , ,
(eventually consistent) /.
OpenStack, S3,
. S3 API
Amazon.
Swift ,
,
API
, Swift.
Swift ,
.
OpenStack (Swift)
,
'Swift ' Ubuntu.
: http://
29
swift.openstack.org/development_saio.html .
4.8.
OpenStack
Wiki OpenStack
30
31
Launchpad
32
4.9.
.
33
34
OpenStack
35
OpenStack
36
37
4.10.
Ubuntu ,
.
.
(Cloud) ,
,
.
IaaS ( ) ,
[29] http://swift.openstack.org/development_saio.html
[30] https://launchpad.net/~openstack
[31] http://wiki.openstack.org
[32] https://bugs.launchpad.net/nova
[33] http://en.wikipedia.org/wiki/Cloud_computing#Service_Models
[34] docs.openstack.org/trunk/openstack-compute/
[35] http://docs.openstack.org/diablo/openstack-compute/starter/content/GlanceMS-d2s21.html
[36] OpenStack Object Storage Administration Guide
[37] http://docs.openstack.org/trunk/openstack-object-storage/admin/content/installing-openstack-object-storage-onubuntu.html
.
, .
EBS - .
EC2 - .
, Amazon
.
(Node) ,
(node controller).
Ubuntu , (CPU)
(VT)
KVM.
VM .
VT .
, .
5. LXC
. chroot
Qemu VMware,
,
, .
5.1.
lxc
sudo apt-get install lxc
,
cgroup-lite, lvm2, debootstrap. libvirtlxc, libvirt-bin. LXC libvirt-lxc
.
5.2.
5.2.1. LXC
,
LXC.
:
/etc/init/lxc-net.conf: ,
/etc/default/lxc USE_LXC_BRIDGE (
true). NAT
.
/etc/lxc/lxc.conf:
/etc/lxc/lxc.conf,
LXC bridge, lxc-net upstart.
,
.
/usr/share/doc/lxc/examples. ,
macvlan, vlan, .
/usr/bin.
/usr/lib/lxc/lxc-init
, lxc-execute.
, ,
, /proc, .
.
/usr/lib/lxc/templates/ `',
.
.
/etc/apparmor.d/lxc/lxc-default Apparmor
,
.
5.2.6, Apparmor [398].
/etc/apparmor.d/usr.bin.lxc-start
lxc-start .
/etc/apparmor.d/lxc-containers , /etc/
apparmor.d/lxc, .
man-
LXC, lxc.conf.
/var/lib/lxc
.
/var/cache/lxc
.
5.2.2. lxcbr0
USE_LXC_BRIDGE true /etc/default/lxc (
), lxcbr0
. 10.0.3.1,
10.0.3.0/24.
dnsmasq , dnsmasq
lxc-net, lxc-net lxcbr0 .
, , virbr0 libvirt
br0 ,
lxcbr0 .
5.2.3.
LXC
( ) /var/lib/lxc.
/var/cache/lxc.
/var, ,
.
, ,
/var/lib/lxc.
, /srv,
. , /
srv ,
:
sudo mkdir /srv/lxclib /srv/lxccache
sudo rm -rf /var/lib/lxc /var/cache/lxc
sudo ln -s /srv/lxclib
, :
sudo mkdir /srv/lxclib /srv/lxccache
sudo sed -i '$a \ /srv/lxclib /var/lib/lxc none defaults,bind
5.2.4. lvm
LVM
. , ,
.
VG ( ) lxc,
VG
. LV ( ) ,
/var/lib/lxc/CN/config,
(lxc.rootfs)
, .. /dev/lxc/CN.
LVM
.
5.2.5. Btrfs
/var btrfs,
LXC
btrfs.
5.2.6. Apparmor
LXC Apparmor,
. ,
/proc/sysrq-trigger
/sys.
usr.bin.lxc-start lxc-start.
lxc-start
. init
, LXC .
lxc-container-default /
etc/apparmor.d/lxc/lxc-default.
.
, lxc-start -
, Apparmor,
lxc-start :
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.lxc-start
sudo ln -s /etc/apparmor.d/usr.bin.lxc-start /etc/apparmor.d/disabled/
lxc-start ,
.
,
usr.bin.lxc-start,
:
lxc.aa_profile = unconfined
,
/etc/apparmor.d/lxc/.
lxc- lxc-start .
, , :
sudo apparmor_parser -r /etc/apparmor.d/lxc-containers
,
/etc/apparmor.d/lxc-containers. ,
CN lxc-CN-profile,
:
lxc.aa_profile = lxc-CN-profile
lxc-execute Apparmor, ,
, .
5.2.7.
(cgroups)
,
cgroup.
(block
and character device) () .
/, CPU
CPU .
LXC cgrouplite, cgroup
. cgroup-lite cgroup
/sys/fs/cgroup/SS, SS . ,
freezer /sys/fs/cgroup/freezer.
LXC /sys/fs/cgroup/SS/INIT/lxc, INIT
. /,
freezer CN /sys/fs/cgroup/freezer/lxc/CN.
5.2.8.
. lxc-setup
,
. ,
,
. lxcsetup LXC lxcsetup, LXC
,
LTS-,
() ,
,
.
5.2.9. LXC
, lxc .
, lxc-net, , , lxc,
, .
USE_LXC_BRIDGE /etc/defaults/lxc,
. , LXC
, lxc . lxc-net LXC ,
, .
lxc 2-5 .
5.3.
5.3.1.
lxc-create.
/usr/lib/
lxc/templates/ chroots /
var/lib/lxc/CN/rootfs, /var/lib/lxc/CN/fstab
/var/lib/lxc/CN/config,
CN .
:
sudo lxc-create -t ubuntu -n CN
lxc-create ,
ubuntu. ,
lxc-create.
5.3.1.2. ubuntu
ubuntu
Ubuntu , 10.04 LTS. debootstrap
,
.
,
-F (flush),
:
sudo lxc-create -t ubuntu -n CN -- -F
Ubuntu, , ,
, -r, :
sudo lxc-create -t ubuntu -n CN -- -r lucid
32- 64- ,
-a i386.
qemu-user-static, ,
, qemu-user-static.
ubuntu ubuntu,
sudo.
ubuntu, -S sshkey.pub.
bind ()
, -b jdoe.
shadow jdoe , ,
, sudo
(bind-mount)
.
release-updates
sources.list , .
12.04 LTS,
lxcguest.
--trim, lxcguest
.
, , , .
5.3.1.3. ubuntu-cloud
ubuntu-cloud Ubuntu,
Ubuntu.
ubuntu, -r release, -S sshkey.pub, -a arch,
-F .
. -C cloud ,
metedata. -u
. -L,
. -T
(tarball)
. ,
-i id cloud-init,
.
5.3.1.4.
ubuntu ubuntu-cloud .
. debian Debian,
debootstrap , ubuntu.
debian squeeze.
SUITE:
sudo SUITE=sid lxc-create -t debian -n d1
debian ,
debian --trim
ubuntu.
--clean:
sudo SUITE=sid /usr/lib/lxc/templates/lxc-debian --clean
fedora,
fedora 14. fedora, 15, systemd,
,
. fedora,
, yum curl. fedora 12
:
sudo lxc-create -t fedora -n fedora12 -- -R 12
OpenSuSE, zypper
. , OpenSuSE
.
.
busybox ,
busybox. sshd
, sshd .
, /home /root. ,
ssh , :
5.3.1.5.
, lxc-create
/var/lib/lxc/CN/rootfs.
LVM. lxc
lvm CN,
:
schroots
xfs 5 , :
sudo lxc-create -t ubuntu -n CN -B lvm --vgname schroots --fssize 5G --fstype xfs
5.3.2.
canonical
. lxcclone. C1, C2
:
sudo lxc-clone -o C1 -n C2
lvm btrfs
.
5.3.3.
, lxc-start -n CN.
lxc-start /sbin/init .
,
lxc-start:
sudo lxc-start -n container /sbin/init loglevel=debug
-d (daemon ),
( /dev/console, 5.3.5,
[407] )
. -d, , lxcstart ,
. lxcwait lxc-monitor ( 5.3.4,
[406]) , .
LXC -o filename -l
debuglevel, :
sudo lxc-start -o lxc.debug -l DEBUG -n container
, , s.
.
-f
.
lxc-start /sbin/init, lxcexecute lxc-init,
/proc, /dev/mqueue, /dev/shm,
, , . lxcstart system containers,
38
lxc-execute application containers ( this article
).
.
shutdown, poweroff reboot
. (..
), sudo lxc-shutdown
-n CN. .
, SIGPWR
. , , , sudo lxc-shutdown -n
CN -t 10,
. , ,
(kill) , .
(
), sudo lxc-stop -n CN. ,
[38] https://www.ibm.com/developerworks/linux/library/l-lxc-containers/
lxc-kill
.
() , :
$ sudo poweroff
[sudo] password for ubuntu:
$
Broadcast message from ubuntu@cn1
(/dev/lxc/console) at 18:17 ...
The system is going down for power off NOW!
 * Asking all remaining processes to terminate...
   ...done.
 * All processes ended within 1 seconds....
   ...done.
 * Deconfiguring network interfaces...
   ...done.
 * Deactivating swap...
   ...fail!
umount: /run/lock: not mounted
umount: /dev/shm: not mounted
mount: / is busy
 * Will now halt
,
,
sudo lxc-wait -n cont1 -s 'STOPPED|FROZEN'
, cont1 STOPPED
FROZEN .
5.3.5.
.
/dev/console. ,
lxc-start, -d. /dev/
console -c
console-file lxc-start.
lxc.tty, 4. /dev/ttyN
(for 1 <= N <= 4). 3
, -t N ,
.
Ctrl-a q. ,
lxc-start -d.
Unix98 pty
pty ( )
/dev/ttyN /dev/console. ,
4:N,
getty LXC . (
getty, ,
). ,
/dev.
5.3.6.
. lxc-ls
. lxc-list
,
. lxc-ps
. ps
lxc-ps, --. ,
lxc-info pid .
lxc-cgroup
.
,
cgroup. , ,
, :
sudo lxc-cgroup -n CN devices.list
300M:
lxc-cgroup -n CN memory.limit_in_bytes 300000000
lxc-netstat netstat ,
.
lxc-backup
(
lvm-based ), rsync /var/lib/
lxc/CN/rootfs.backup.1.
lxc-restore , lxc-backup lxcrestore , ,
.
5.3.7.
lxc-destroy .
sudo lxc-destroy -n CN
, lxc-destroy
sudo lxc-destroy -n CN -f
5.3.8.
Linux, LXC
, .
ID . ( 5.9,
[418] ).
,
,
.
LXC lxc-unshare
.
. ,
sudo lxc-unshare -s 'MOUNT|PID' /bin/bash
shell pid .
root@ubuntu:~# mount -t proc proc /proc
root@ubuntu:~# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  6 10:20 pts/9    00:00:00 /bin/bash
root       110     1  0 10:20 pts/9    00:00:00 ps -ef
, ps .
5.3.9.
( ephemeral)
. CN,
, CN,
jdoe , :
lxc-start-ephemeral -b jdoe -o CN -- /home/jdoe/run_my_job
, .
5.3.10.
:
20.3.
lxc-attach
( )
lxc-backup
, lvm
lxc-cgroup
lxc-checkconfig
lxc-checkpoint
( )
lxc-clone
lxc-console
lxc-create
lxc-destroy
lxc-execute
()
lxc-freeze
lxc-info
lxc-kill
lxc-list
lxc-ls
, lxc-list
lxc-monitor
lxc-netstat
netstat
lxc-ps
lxc-restart
( ) ,
lxc-restore
,
lxc-backup
lxc-setcap
( )
(file capabilities) LXC
lxc-setuid
( ) setuid
LXC
lxc-shutdown
lxc-start
lxc-start-ephemeral
()
lxc-stop
lxc-unfreeze
lxc-unshare
lxc-version
LXC
lxc-wait
5.4.
LXC . Ubuntulxc
, Ubuntu
, .
,
.
lxc.conf(5) man.
, , ubuntu
, .
5.4.1.
LXC.
:
.
,
.
.
/var/lib/lxc/CN/config,
.
lxc-start
-f filename
lxc-start -s key=value.
.
5.4.2.
LXC .
lxc.network.type .
, .
, ,
IP- . lxc.network.type
, ( 2) .
firewall.
lxc.network.type:
lxc.network.type=empty:
, loopback.
lxc.network.type=veth: ,
ubuntu ubuntu-cloud, veth
.
,
.
lxc.network.type=veth
. , ,
lxc.network.link = lxcbr0.
lxc.network.type=phys (.. eth2)
.
, , vlan macvlan,
.
:
lxc.network.flags up
, .
lxc.network.hwaddr MAC-
.
lxc.network.ipv4 lxc.network.ipv6 IP, .
lxc.network.name .
, (.. eth0
).
lxc.network.lxcscript.up ,
.
lxc.conf(5) man .
5.4.3.
cgroup llxc.cgroup.
lxc.cgroup.subsystem.item = value LXC
item subsystem value.
,
. ,
320M
lxc.cgroup.memory.limit_in_bytes = 320000000
320000000 /sys/fs/cgroup/memory/lxc/
CN/limit_in_bytes.
5.4.4. Rootfs, fstab
.
:
,
/var/lib/lxc/CN/rootfs.
( LVM),
.
lxc.mount.entry
fstab.
/var/lib/lxc/CN/rootfs, lxc.rootfs
.
, lxc.mount fstab,
. ,
.
.
5.4.5.
lxc.cap.drop
. ,
lxc.cap.drop = sys_admin
,
, cap_sys_admin.
capabilities(7) man
.
lxc.aa_profile = lxc-CN-profile
Apparmor . 5.2.6,
Apparmor [398] .
lxc.console=/path/to/consolefile
.
lxc.arch , , x86 x86_64.
lxc.tty=5 , 5 (
/dev/console). , /
dev/tty1 /dev/tty1. ubuntu 4.
lxc.pts=1024 ,
(Unix98) devpts. ,
( ) /dev/pts
, . 1024 , 1024
pty ,
. , LXC (
)
sudo mount -t devpts -o newinstance devpts /dev/pts
. ,
devpts .
/dev/pts.
sudo mount -t devpts devpts /dev/pts
devpts .
newinstance,
() .
, LXC.
pty , Apparmor
devpts .
lxc.devttydir /dev, LXC
. ,
pty /dev/console /dev/ttyN.
rm -f mknod .
( ),
. lxc.devttydir LXC,
, LXC pty /dev/
lxc/console /dev/lxc/ttyN
/dev/console /dev/ttyN.
, -
gettys .
.
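The settings in this section (lxc.aa_profile, lxc.network.type, lxc.cgroup.devices.*, lxc.cap.drop and the cgroup limits) decide how much of the host a container can reach, and a single line such as lxc.aa_profile = unconfined undoes the rest. The following added example, not part of the guide or of LXC, reads a container's config file and lists the settings that widen its reach. The two sample configurations are constructed: one close to what the ubuntu template writes, one with every boundary removed.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu Server Guide or of LXC: audit a
# container's /var/lib/lxc/CN/config for the settings described in this
# section that widen what the container can reach: AppArmor switched off, a
# physical host interface moved into the container, every host device allowed,
# no capabilities dropped, and no memory limit. Each finding is printed and the
# exit status is the number of findings, so the function fits in a shell test.
set -eu

# audit_lxc_config FILE -> findings on stdout; exit status = finding count
audit_lxc_config() {
    awk '
        function finding(msg) { n++; print FILENAME ": " msg }
        BEGIN { n = 0; drops = 0; mem = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            key = $0; sub(/[[:space:]]*=.*/, "", key); sub(/^[[:space:]]+/, "", key)
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
        }
        key == "lxc.aa_profile" && val == "unconfined" {
            finding("AppArmor confinement disabled (lxc.aa_profile = unconfined)")
        }
        key == "lxc.network.type" && val == "phys" {
            finding("physical host interface handed to the container (lxc.network.type = phys)")
        }
        key == "lxc.cgroup.devices.allow" && val == "a" {
            finding("all host devices allowed (lxc.cgroup.devices.allow = a)")
        }
        key == "lxc.cap.drop" && val != "" { drops++ }
        key == "lxc.cgroup.memory.limit_in_bytes" { mem = 1 }
        END {
            if (!drops) finding("no lxc.cap.drop: the container keeps every capability, sys_admin included")
            if (!mem)   finding("no lxc.cgroup.memory.limit_in_bytes: the container can exhaust host memory")
            exit n
        }
    ' "$1"
}

# Demo on two constructed configs: one close to what the ubuntu template
# writes, one that removes every boundary.
demo() {
    local d
    d=$(mktemp -d)
    printf '%s\n' 'lxc.network.type = veth' 'lxc.network.link = lxcbr0' \
        'lxc.aa_profile = lxc-container-default' 'lxc.cap.drop = sys_module mac_admin' \
        'lxc.cgroup.memory.limit_in_bytes = 320000000' \
        'lxc.cgroup.devices.deny = a' 'lxc.cgroup.devices.allow = c 1:3 rwm' > "$d/confined"
    printf '%s\n' 'lxc.network.type = phys' 'lxc.network.link = eth2' \
        'lxc.aa_profile = unconfined' 'lxc.cgroup.devices.allow = a' > "$d/open"
    audit_lxc_config "$d/confined" && echo "$d/confined: no findings"
    audit_lxc_config "$d/open" || echo "$d/open: $? findings"
    rm -rf "$d"
}
demo
```

Run it over every /var/lib/lxc/*/config after editing, or before lxc-start in a wrapper; a non-zero status means at least one of the boundaries described above is missing.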
5.5. Ubuntu
- , ,
. ,
,
.
, .
, chroot
,
chroot.
,
, :
,
--trim.
, lxcguest. , /lib/init/fstab
, mountall,
,
.
pty
udev.
Apparmor cgroup
.
, lxc.cap.drop,
.
()
,
.
:
virsh -c lxc:/// define o1.xml
5.6.2.
LXC, ubuntu,
xml libvirt LXC. ,
Ubuntu 12.04 LTS
:
url1=`ubuntu-cloudimg-query precise daily $arch --format "%{url}\n"`
url=`echo $url1 | sed -e 's/.t
, , :
mkdir $HOME/c1
cd $HOME/c1
sudo tar zxf $filename
xml:
wget http://people.canonical.com/~serge/o1.xml
o1 c1 /var/lib/lxc/o1/rootfs
$HOME/c1. :
virsh define o1.xml
5.6.3. libvirt
, libvirt-lxc :
virsh -c lxc:/// define container.xml
container :
virsh -c lxc:/// start container
:
virsh -c lxc:/// destroy container
, lxc-destroy ,
virsh destroy .
:
virsh -c lxc:/// undefine container
:
virsh -c lxc:/// console container
Ctrl-].
5.7. lxcguest
Ubuntu 11.04 (Natty) 11.10 (Oneiric)
lxcguest.
,
lxcguest
Xen, kvm VMware.
12.04 LTS, ,
lxcguest, , lxcguest .
, 12.04 LTS
,
Xen, kvm VMware.
lxcguest .
5.8.
.
(id),
, .
,
. , IPC (
) .
,
.
LXC
Apparmor . ,
, 12.04 LTS
Apparmor
,
.
LXC security wiki
39
5.8.1.
. ,
, .
,
, .
5.9.
DeveloperWorks LXC: Linux container tools
.
40
41
capabilities
45 44
lxc.conf .
46
LXC Sourceforge .
the LXC
47
Security wiki page
Linux
: S.Bhattiprolu, E.W.Biederman, S.E.Hallyn, and D.Lezcano. Virtual
[39] http://wiki.ubuntu.com/LxcSecurity
[40] https://www.ibm.com/developerworks/linux/library/l-lxc-containers/
[41] http://www.ibm.com/developerworks/linux/library/l-lxc-security/index.html
[42] http://manpages.ubuntu.com/manpages/en/man7/capabilities.7.html
[43] http://manpages.ubuntu.com/manpages/en/man7/capabilities.7.html
[44] http://manpages.ubuntu.com/manpages/en/man5/lxc.conf.5.html
[45] http://manpages.ubuntu.com/manpages/en/man5/lxc.conf.5.html
[46] http://lxc.sf.net
[47] http://wiki.ubuntu.com/LxcSecurity
Servers and Checkpoint/Restart in Mainstream Linux. SIGOPS Operating
Systems Review, 42(5), 2008.
21.
1. DRBD
(Distributed Replicated
Block Device DRBD)
. ()
. : ,
, RAID , .. .
drbd .
:
sudo apt-get install drbd8-utils
, drbd.
,
linux-server .
drbd
/srv ext3 .
,
.
1.1.
drbd01 drbd02.
, DNS
/etc/hosts. 8,
(DNS) [158].
drbd /etc/drbd.conf:
global { usage-count no; }
common { syncer { rate 100M; } }
resource r0 {
protocol C;
startup {
wfc-timeout 15;
degr-wfc-timeout 60;
}
net {
cram-hmac-alg sha1;
shared-secret "secret";
}
on drbd01 {
device /dev/drbd0;
disk /dev/sdb1;
address 192.168.0.1:7788;
meta-disk internal;
}
on drbd02 {
device /dev/drbd0;
disk /dev/sdb1;
address 192.168.0.2:7788;
meta-disk internal;
}
}
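The net section of this configuration authenticates the two peers with cram-hmac-alg and shared-secret; the value "secret" is only a placeholder, and since the same file is copied to drbd02 the secret has to be set before that copy. The following added example, not part of the guide or of DRBD, generates a random secret, writes it into the file and checks the result. The acceptance criteria (an algorithm present, a secret of at least 16 characters that is not the placeholder) are this example's own, not DRBD's.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu Server Guide or of DRBD: the drbd.conf
# above authenticates the two peers with cram-hmac-alg and a shared-secret,
# and the value "secret" there is only a placeholder. This generates a random
# secret, writes it into the configuration, and checks the result before the
# file is copied to the second node. The check criteria (an algorithm present,
# at least 16 characters, not the placeholder) are this example's own.
set -eu

# gen_secret -> 64 hex characters (32 random bytes) from the kernel RNG
gen_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# conf_secret FILE -> the value of shared-secret, without the quotes
conf_secret() {
    sed -n -E 's/^[[:space:]]*shared-secret[[:space:]]+"([^"]*)".*/\1/p' "$1" | head -n 1
}

# set_secret FILE SECRET -> rewrites the shared-secret line in place.
# SECRET is expected to be the hex string from gen_secret (no sed metacharacters).
set_secret() {
    sed -i -E "s/^([[:space:]]*shared-secret[[:space:]]+)\"[^\"]*\"/\1\"$2\"/" "$1"
}

# check_drbd_conf FILE -> 0 when cram-hmac-alg is set and the secret is at least
# 16 characters and not the placeholder; otherwise prints why and returns 1
check_drbd_conf() {
    local secret
    if ! grep -Eq '^[[:space:]]*cram-hmac-alg[[:space:]]+[a-z0-9]+' "$1"; then
        echo "$1: no cram-hmac-alg, peers are not authenticated"; return 1
    fi
    secret=$(conf_secret "$1")
    if [ -z "$secret" ]; then echo "$1: no shared-secret"; return 1; fi
    if [ "$secret" = "secret" ]; then echo "$1: placeholder shared-secret"; return 1; fi
    if [ ${#secret} -lt 16 ]; then echo "$1: shared-secret shorter than 16 characters"; return 1; fi
    echo "$1: ok"
}

# Demo on a constructed copy of the net {} section from the guide's drbd.conf.
demo() {
    local f
    f=$(mktemp)
    printf '%s\n' 'resource r0 {' '  protocol C;' '  net {' '    cram-hmac-alg sha1;' \
        '    shared-secret "secret";' '  }' '}' > "$f"
    check_drbd_conf "$f" || true            # reports the placeholder
    set_secret "$f" "$(gen_secret)"
    check_drbd_conf "$f"
    rm -f "$f"
}
demo
```

Keep /etc/drbd.conf readable by root only once the secret is in it, and copy it to the second node over scp as the guide does rather than through a shared directory.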
/etc/drbd.conf,
.
/etc/drbd.conf :
scp /etc/drbd.conf drbd02:~
drbd02 /etc:
sudo mv drbd.conf /etc/
drbdadm
. :
sudo drbdadm create-md r0
drbd:
sudo /etc/init.d/drbd start
drbd01 , ,
:
sudo drbdadm -- --overwrite-data-of-peer primary all
. ,
drbd02 :
watch -n1 cat /proc/drbd
Ctrl+c.
, /dev/drbd0 :
sudo mkfs.ext3 /dev/drbd0
sudo mount /dev/drbd0 /srv
1.2.
,
, drbd01 ( )
/srv:
sudo cp -r /etc/default /srv
, /srv:
sudo umount /srv
:
sudo drbdadm secondary r0
role:
sudo drbdadm primary r0
, :
sudo mount /dev/drbd0 /srv
ls /srv/default,
drbd01.
1.3.
drbdadm .
DRBD Ubuntu
Wiki .
http://www.drbd.org/
http://manpages.ubuntu.com/manpages/precise/en/man5/drbd.conf.5.html
http://manpages.ubuntu.com/manpages/precise/en/man8/drbdadm.8.html
https://help.ubuntu.com/community/DRBD
22. VPN
OpenVPN ,
(VPN), Ubuntu.
SSL/TLS VPN ( IPSec VPN).
OpenVPN VPN.
VPN
1. OpenVPN
, pre-shared OpenVPN
(PKI), SSL/TLS
VPN- . OpenVPN
VPN
UDP TCP.
, 1194.
. VPN
, Linux, OS X, Windows WLAN OpenWRT.
1.1.
openvpn :
sudo apt-get install openvpn
1.2.
OpenVPN
(Public Key Infrastructure). PKI :
( )
,
(CA), ,
.
OpenVPN
, ,
.
,
, ,
( ).
1.2.1.
(CA)
OpenVPN
easy-rsa /etc/openvpn.
,
.
root :
mkdir /etc/openvpn/easy-rsa/
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
/etc/openvpn/easy-rsa/vars,
:
export KEY_COUNTRY="US"
export KEY_PROVINCE="NC"
export KEY_CITY="-"
export KEY_ORG="Example Company"
export KEY_EMAIL="steve@example.com"
(CA) :
cd /etc/openvpn/easy-rsa
./clean-all
./build-ca
1.2.2.
, :
./build-key-server myservername
,
.
: "Sign the certificate? [y/n]" "1 out of 1 certificate requests certified,
commit? [y/n]".
OpenVPN
./build-dh
keys/.
/etc/openvpn/:
cd keys/
cp myservername.crt myservername.key ca.crt dh1024.pem /etc/openvpn/
1.2.3.
VPN
. .
, ,
root:
cd /etc/openvpn/easy-rsa
./build-key client1
:
/etc/openvpn/ca.crt
/etc/openvpn/easy-rsa/keys/client1.crt
/etc/openvpn/easy-rsa/keys/client1.key
, .
1.3.
OpenVPN
( , ):
root@server:/# ls -l /usr/share/doc/openvpn/examples/sample-config-files/
total 68
-rw-r--r-- 1 root root 3427 2011-07-04 15:09 client.conf
-rw-r--r-- 1 root root 4141 2011-07-04 15:09 server.conf.gz
server.conf.gz /etc/openvpn/
server.conf.
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
sudo gzip -d /etc/openvpn/server.conf.gz
/etc/openvpn/server.conf , ,
,
.
ca ca.crt
cert myservername.crt
key myservername.key
dh dh1024.pem
OpenVPN.
server.conf. .
syslog.
root@server:/etc/openvpn# /etc/init.d/openvpn start
* Starting virtual private network daemon(s)...
*
[ OK ]
, OpenVPN tun0:
root@server:/etc/openvpn# ifconfig tun0
tun0
Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
[...]
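The server is started above with the ca, cert, key and dh directives pointing at files copied into /etc/openvpn. As an added example (my own code, not part of the guide or of the OpenVPN project), the script below checks those directives before the daemon is started: that each file exists and is readable, and that the private key is not group- or world-readable. It assumes that relative paths resolve against the directory holding the config file, which is how the Ubuntu init script runs each daemon from /etc/openvpn; the function names ovpn_directive, ovpn_check_keys and ovpn_sample_dir are mine, and the sample directory it builds contains empty placeholder files, not real key material.

```shell
#!/bin/sh
# Added example, not from the Ubuntu Server Guide or the OpenVPN project:
# check the ca/cert/key/dh files an OpenVPN config points at before the
# daemon is started, so a missing file or a world-readable private key is
# caught here rather than found later in syslog. Assumption (mine): relative
# paths are resolved against the directory holding the config file, as the
# Ubuntu init script does when it starts each daemon in /etc/openvpn.

# ovpn_directive CONF NAME: print the first argument of directive NAME.
# Lines commented out with ';' or '#' never match because their first
# field is ";name" or "#name". Values are assumed not to contain spaces.
ovpn_directive() {
    awk -v d="$2" '$1 == d { gsub(/^"|"$/, "", $2); print $2; exit }' "$1"
}

# ovpn_check_keys CONF [DIRECTIVE...]: verify that each directive (default
# ca cert key dh) is present, that its file is readable, and that the
# private key is owner-only. Prints one line per problem and returns the
# number of problems found, so 0 means the config is clean.
ovpn_check_keys() {
    conf=$1
    shift
    [ $# -gt 0 ] || set -- ca cert key dh
    dir=$(dirname "$conf")
    problems=0
    for directive in "$@"; do
        value=$(ovpn_directive "$conf" "$directive")
        if [ -z "$value" ]; then
            echo "missing: no '$directive' directive in $conf"
            problems=$((problems + 1))
            continue
        fi
        case "$value" in
            /*) path=$value ;;
            *)  path="$dir/$value" ;;
        esac
        if [ ! -r "$path" ]; then
            echo "unreadable: $directive -> $path"
            problems=$((problems + 1))
            continue
        fi
        if [ "$directive" = key ]; then
            # GNU stat first, BSD stat as a fallback.
            mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
            case "$mode" in
                ?00) ;;   # 600 or 400: readable by the owner only
                *)  echo "weak permissions: $path is mode $mode, expected 600"
                    problems=$((problems + 1)) ;;
            esac
        fi
    done
    return "$problems"
}

# ovpn_sample_dir: build a constructed /etc/openvpn look-alike in a temporary
# directory using the directive values the guide uses. The certificate and
# key files are empty placeholders, not real key material.
ovpn_sample_dir() {
    d=$(mktemp -d 2>/dev/null || echo "/tmp/ovpn-sample.$$")
    mkdir -p "$d"
    printf '%s\n' 'port 1194' 'proto udp' 'dev tun' \
        'ca ca.crt' 'cert myservername.crt' 'key myservername.key' \
        'dh dh1024.pem' ';server-bridge 10.0.0.4 255.255.255.0 10.0.0.128 10.0.0.254' \
        'server 10.8.0.0 255.255.255.0' 'user nobody' 'group nogroup' > "$d/server.conf"
    for f in ca.crt myservername.crt myservername.key dh1024.pem; do
        : > "$d/$f"
    done
    chmod 600 "$d/myservername.key"
    echo "$d"
}

# Stand-alone usage against the constructed directory.
d=$(ovpn_sample_dir)
if ovpn_check_keys "$d/server.conf"; then
    echo "$d/server.conf: key material OK"
fi
rm -rf "$d"
```

For a client config run it as ovpn_check_keys /etc/openvpn/client.conf ca cert key, since clients carry no dh directive; the same permission rule applies to client1.key, which is the credential an attacker would need to impersonate that client.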
1.4.
OpenVPN GUI .
.
OpenVPN Ubuntu,
, .
openvpn :
sudo apt-get install openvpn
client.conf /etc/openvpn/:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/
CA ,
, , /etc/openvpn/ /etc/openvpn/client.conf,
, .
/etc/openvpn/, .
ca ca.crt
cert client1.crt
key client1.key
OpenVPN.
,
client. .
client
remote vpnserver.example.com 1194
OpenVPN:
root@client:/etc/openvpn# /etc/init.d/openvpn start
* Starting virtual private network daemon(s)...
*
[ OK ]
, tun0:
root@client:/etc/openvpn# ifconfig tun0
tun0
Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
ping OpenVPN:
root@client:/etc/openvpn# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=0.920 ms
OpenVPN
, IP ping.
, /24,
, .1. P-t-P,
ifconfig , ping.
:
root@client:/etc/openvpn# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
10.8.0.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH       0 0          0 tun0
192.168.42.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.42.1    0.0.0.0         UG        0 0          0 eth0
1.5.
- , , ,
:
, , grep -i vpn /var/log/syslog
? ,
? .
, .
UDP 1194, proto config
,
comp-lzo config
, server
server-bridge config
1.6.
1.6.1. VPN
VPN.
VPN
.
- , .
,
192.168.0.0/16, .
-
VPN .
VPN ,
(firewall) .
.
. ,
OpenVPN
(10.8.0.0/24), OpenVPN :
push "route 10.0.0.0 255.0.0.0"
,
VPN,
, - DNS
, VPN ( OpenVPN
firewall NAT
TUN/TAP , ):
push "redirect-gateway def1 bypass-dhcp"
VPN, OpenVPN
. 10.8.0.1,
.
10.8.0.1. ,
:
server 10.8.0.0 255.255.255.0
IP-
. OpenVPN ,
IP-,
:
ifconfig-pool-persist ipp.txt
DNS :
push "dhcp-option DNS 10.0.0.2"
push "dhcp-option DNS 10.1.0.2"
.
client-to-client
VPN .
comp-lzo
keepalive ping
, ,
.
; , ,
3 .
keepalive 1 3
OpenVPN
.
user nobody
group nogroup
OpenVPN 2.0 ,
OpenVPN
,
.
, auth-user-pass
. OpenVPN "
/" TLS-.
# client config!
auth-user-pass
OpenVPN /,
, PAM-. ,
, Kerberos.
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
,
OpenVPN.
1.6.2. VPN
OpenVPN
VPN. OSI Layer-2 Layer-3 VPN.
VPN Layer-2, Ethernet
VPN , VPN
Layer-3 . ,
, Broadcast, DHCP-, ARP ..,
VPN ,
.
1.6.2.1.
, bridge-utils:
sudo apt-get install bridge-utils
OpenVPN ,
. ,
eth0 eth1
, , .
/etc/network/
interfaces:
auto eth0
iface eth0 inet static
        address 1.2.3.4
        netmask 255.255.255.248
        gateway 1.2.3.1
auto eth1
iface eth1 inet static
        address 10.0.0.4
        netmask 255.255.255.0
http://openvpn.net/index.php/open-source/documentation/howto.html#security
,
eth1 br0.
, br0 eth1.
, eth1 ,
, .
auto eth0
iface eth0 inet static
        address 1.2.3.4
        netmask 255.255.255.248
        gateway 1.2.3.1
auto eth1
iface eth1 inet manual
        up ip link set $IFACE up promisc on
auto br0
iface br0 inet static
        address 10.0.0.4
        netmask 255.255.255.0
        bridge_ports eth1
. ,
, ,
. , ,
.
sudo /etc/init.d/networking restart
1.6.2.2.
/etc/openvpn/server.conf :
;dev tun
dev tap
up "/etc/openvpn/up.sh br0 eth1"
;server 10.8.0.0 255.255.255.0
server-bridge 10.0.0.4 255.255.255.0 10.0.0.128 10.0.0.254
, , tap
, , eth1 .
/etc/openvpn/up.sh:
#!/bin/sh
# Called by OpenVPN as "up.sh br0 eth1 <tap device> ...": the bridge and the
# physical interface come from server.conf, the tap device name is the first
# of the arguments OpenVPN appends when it runs the up script.
BR=$1
ETHDEV=$2
TAPDEV=$3
/sbin/ip link set "$TAPDEV" up
/sbin/ip link set "$ETHDEV" promisc on
/sbin/brctl addif "$BR" "$TAPDEV"
:
sudo chmod 755 /etc/openvpn/up.sh
, openvpn, :
sudo /etc/init.d/openvpn restart
1.6.2.3.
openvpn :
sudo apt-get install openvpn
/etc/openvpn/, ,
.
:
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
/etc/openvpn/client.conf,
:
dev tap
;dev tun
, openvpn:
sudo /etc/init.d/openvpn restart
VPN.
1.7.
1.7.1. Linux OpenVPN
Linux, Ubuntu
, Network Manager
.
VPN-. , networkmanager-openvpn. ,
:
root@client:~# apt-get install network-manager-openvpn
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
liblzo2-2 libpkcs11-helper1 network-manager-openvpn-gnome openvpn
Suggested packages:
resolvconf
The following NEW packages will be installed:
liblzo2-2 libpkcs11-helper1 network-manager-openvpn
network-manager-openvpn-gnome openvpn
0 upgraded, 5 newly installed, 0 to remove and 631 not upgraded.
Need to get 700 kB of archives.
After this operation, 3,031 kB of additional disk space will be used.
Do you want to continue [Y/n]?
network-manager ,
:
root@client:~# restart network-manager
network-manager start/running, process 3078
OS X .
client.ovpn
/Users/username/Library/Application Support/Tunnelblick/Configurations/ Tunnelblick
# sample client.ovpn for Tunnelblick
client
remote blue.example.com
port 1194
proto udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
auth-user-pass
auth-nocache
auth-retry interact
comp-lzo yes
verb 3
ca ca.crt
cert client.crt
key client.key
http://www.openvpn.net/index.php/open-source/downloads.html
# C:\Program Files\OpenVPN\config\client.ovpn
client
remote server.example.com
port 1194
proto udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
auth-user-pass
auth-retry interact
comp-lzo yes
verb 3
ca ca.crt
cert "C:\\Users\\username\\My Documents\\openvpn\\client.crt"
key "C:\\Users\\username\\My Documents\\openvpn\\client.key"
management 127.0.0.1 1194
management-hold
management-query-passwords
auth-retry interact
/etc/config/openvpn .
/etc/openvpn/.
config openvpn client1
        option enable 1
        option client 1
#
        option cert /etc/openvpn/client.crt
        option key /etc/openvpn/client.key
        option comp_lzo 1
http://wiki.openwrt.org/doc/howto/vpn.overview
OpenVPN:
/etc/init.d/openvpn restart
, ,
.
1.8.
OpenVPN .
OpenVPN
, Packt:
OpenVPN: Building and Integrating Virtual Private Networks .
http://openvpn.net/
http://openvpn.net/index.php/open-source/documentation/howto.html#security
http://www.packtpub.com/openvpn/book
23.
,
Ubuntu Server Team ,
Ubuntu Server Edition, .
,
Ubuntu ( Ubuntu )
.
1. pam_motd
Ubuntu
(Informative Message Of The Day MOTD).
:
landscape-common:: landscape-client,
- Landscape. /usr/bin/landscape-sysinfo, ,
MOTD.
update-notifier-common::
MOTD pam_motd.
pam_motd /etc/update-motd.d ,
. /var/run/motd
/etc/motd.tail.
MOTD. , :
weather-util:
sudo apt-get install weather-util
/usr/local/bin/local-weather, shell ,
weather ICAO :
#!/bin/sh
#
# Prints the local weather information for the MOTD.
#
# Replace the station code below with the ICAO code of your local
# weather station (XXXX is a placeholder, the guide does not give one).
# Station list: http://www.weather.gov/tg/siteloc.shtml
#
STATION="XXXX"

echo
weather -i "$STATION"
echo
:
sudo chmod 755 /usr/local/bin/local-weather
/etc/update-motd.d/98-local-weather:
sudo ln -s /usr/local/bin/local-weather /etc/update-motd.d/98-local-weather
, ,
MOTD.
,
. , application>local-weather
2. etckeeper
etckeeper /etc
(VCS). apt
/etc
. /etc
, etckeeper
, .
etckeeper, :
sudo apt-get install etckeeper
, /etc/etckeeper/etckeeper.conf,
. VSC .
etckeeper
bzr. (
) .
, :
sudo etckeeper uninit
etckeeper /
etc .
AVOID_DAILY_AUTOCOMMITS.
.
,
:
sudo etckeeper commit "..Reason for configuration change.."
VCS /etc:
sudo bzr log /etc/passwd
,
postfix:
sudo apt-get install postfix
, postfix
:
Committing to: /etc/
added aliases.db
modified group
modified group-
modified gshadow
modified gshadow-
modified passwd
modified passwd-
added postfix
added resolvconf
added rsyslog.d
modified shadow
modified shadow-
added init.d/postfix
added network/if-down.d/postfix
added network/if-up.d/postfix
added postfix/dynamicmaps.cf
added postfix/main.cf
added postfix/master.cf
added postfix/post-install
added postfix/postfix-files
added postfix/postfix-script
added postfix/sasl
added ppp/ip-down.d
added ppp/ip-down.d/postfix
added ppp/ip-up.d/postfix
added rc0.d/K20postfix
added rc1.d/K20postfix
added rc2.d/S20postfix
added rc3.d/S20postfix
added rc4.d/S20postfix
added rc5.d/S20postfix
added rc6.d/K20postfix
added resolvconf/update-libc.d
added resolvconf/update-libc.d/postfix
added rsyslog.d/postfix.conf
added ufw/applications.d/postfix
Committed revision 2.
, etckeeper ,
/etc/hosts. /etc/hosts
:
sudo bzr status /etc/
modified:
hosts
:
sudo etckeeper commit "new host"
bzr 1,
Bazaar [308].
3. Byobu
screen.
. screen
, byobu.
byobu F9 .
:
Byobu
Byobu
Byobu ()
,
, , ..
: f-keys screen-escape-keys.
,
none.
byobu , Ubuntu,
, , .
.
"Byobu
()" byobu ,
. byobu
.
byobu .
F7 .
, vi. :
h
j
k
l
0
$
G (
)
/
?
n ,
4.
man update-motd
update-motd.
etckeeper
etckeeper.
bzr bzr
screen screen .
http://manpages.ubuntu.com/manpages/precise/en/man1/update-motd.1.html
http://debaday.debian.net/2007/10/04/weather-check-weather-conditions-and-forecasts-on-the-command-line/
http://kitenet.net/~joey/code/etckeeper/
https://help.ubuntu.com/community/etckeeper
http://bazaar-vcs.org/
http://www.gnu.org/software/screen/
https://help.ubuntu.com/community/Screen
https://launchpad.net/byobu
A.
1. Ubuntu Server
Edition
Ubuntu
,
. ,
. Ubuntu Launchpad
.
Ubuntu Server Launchpad, .
1.1. ubuntu-bug
ubuntu-bug. ubuntu-bug
,
, ,
Launchpad. Ubuntu
, ,
, ubuntu-bug:
ubuntu-bug _
, openssh-server,
:
ubuntu-bug openssh-server
ubuntu-bug ,
. , openssh-server ,
openssh-server,
openssh:
ubuntu-bug openssh
Ubuntu, 3,
[24].
ubuntu-bug ,
, ,
:
https://launchpad.net/
https://help.launchpad.net/YourAccount/NewAccount
ubuntu-bug postgresql
*** Collecting problem information
The collected information can be sent to the developers to improve the
application. This might take a few minutes.
..........
*** Send problem report to the developers?
After the problem report has been sent, please fill out the form in the
automatically opened web browser.
What would you like to do? Your options are:
S: Send report (1.7 KiB)
V: View report
K: Keep report file for sending later or copying to somewhere else
C: Cancel
Please choose (S/V/K/C):
:
Send Report.
Launchpad, .
,
.
*** Uploading problem information
The collected information is being sent to the bug tracking system.
This might take a few minutes.
91%
*** To continue, you must visit the following URL:
https://bugs.launchpad.net/ubuntu/+source/postgresql-8.4/+filebug/kc6eSnTLnLxF8u0t3e56EukFeqJ?
You can launch a browser now, or copy this URL into a browser on another
computer.
Choices:
1: Launch a browser now
C: Cancel
Please choose (1/C):
,
- w3m
. URL
-.
View Report.
.
Package: postgresql 8.4.2-2
PackageArchitecture: all
Tags: lucid
ProblemType: Bug
ProcEnviron:
LANG=en_US.UTF-8
SHELL=/bin/bash
Uname: Linux 2.6.32-16-server x86_64
Dependencies:
adduser 3.112ubuntu1
base-files 5.0.0ubuntu10
base-passwd 3.5.22
coreutils 7.4-2ubuntu2
...
, .
Keep Report File.
.
Ubuntu. ,
ubuntu-bug:
What would you like to do? Your options are:
S: Send report (1.7 KiB)
V: View report
K: Keep report file for sending later or copying to somewhere else
C: Cancel
Please choose (S/V/K/C): k
Problem report file: /tmp/apport.postgresql.v4MQas.apport
ubuntu-bug /tmp/apport.postgresql.v4MQas.apport
*** Send problem report to the developers?
...
Cancel. ,
.
1.2.
, ubuntu-bug (apport),
.
,
,
, apport .
apport
. gdb;
Ubuntu Server Edition.
sudo apt-get install gdb
3, [24]
Ubuntu.
, gdb , /etc/default/
apport enabled 1,
:
# set this to 0 to disable apport, or to 1 to enable it
# you can temporarily override this with
# sudo service apport start force_start=1
enabled=1
# set maximum core dump file size (default: 209715200 bytes == 200 MB)
maxsize=209715200
, /etc/default/apport,
apport:
sudo start apport
apport-cli
:
apport-cli
*** dash closed unexpectedly on 2010-03-11 at 21:40:59.
If you were not doing anything confidential (entering passwords or other
private information), you can help to improve the application by
reporting
the problem.
What would you like to do? Your options are:
R: Report Problem...
I: Cancel and ignore future crashes of this program version
C: Cancel
Please choose (R/I/C):
Report Problem ( ) ,
ubuntu-bug.
, (private)
Launchpad,
.
,
.
1.3.
, Apport .
.
https://help.ubuntu.com/community/ReportingBugs
https://wiki.ubuntu.com/Apport