YobiWiki - User contributions [en]

Encfs

2007-07-17T07:28:25Z

57.67.161.6: /* PAM module */

==Install==
apt-get install [http://arg0.net/users/vgough/encfs.html encfs]

You'll also need the [http://fuse.sourceforge.net/ fuse] module:

apt-get install fuse-source fuse-utils
cd /usr/src; tar xjf fuse.tar.bz2
cd linux; make-kpkg --us --uc --revision $REVISION --append-to-version $APPEND modules_image

Note that fuse is already present in the last kernel versions (at least 2.6.15)

Test:

* Under Debian, the user must be member of the fuse group to have the right to use fuse:
adduser phil fuse
* To load automatically the module fuse:
echo fuse >> /etc/modules
* To mount:
encfs /home/user/crypt-raw /home/user/crypt%%%First time, choose "p" for paranoia settings
* To unmount:
fusermount -u /home/user/crypt

Another cool use of fuse is [http://shfs.sourceforge.net/ sshfs] (apt-get install sshfs)
 For other cool stuffs, check [http://fuse.sourceforge.net/wiki/index.php/FileSystems here], among others the amazing [http://unit.aist.go.jp/itri/knoppix/http-fuse/index-en.html HTTP-FUSE-KNOPPIX]
 Note on [http://www.ricardis.tudelft.nl/~vincent/fusesmb/ fusesmb]: contrary to use of smbfs where users are identified as USER/DOMAIN, here ~/.smb/fusesmb.conf must use username=DOMAIN/USER notation. On big Windows networks, I've problems discovering the neighborhood, in that case it's much easier to populate ~/.smb/fusesmb.cache by yourself with lines such as /WORKGROUP/COMPUTER/SHARE

==Encfs homedir==

===Personal script===

My first attempt was a bash script:

#!/bin/bash

# This scripts automatically attempts to mount
# an encrypted home directory at login time
#
# Usage: how to setup this for e.g. user <foo>
# Put this script as shell of the user foo in /etc/passwd instead of /bin/bash
# Encrypted data will be under /home/.foo and mount point will be /home/foo
# Don't forget to put user foo in the group "fuse": adduser foo fuse
#
# Requirements:
# Encfs, module fuse and fuse-utils
#
# Copyright:
# 2005, Philippe Teuwen <phil@teuwen.org>
#
# License:
# This script is under GPLv3 or later
#
# History:
# v0.02
# Change $(whoami) to $(USER)
# v0.01
# Initial version
#
# TODO:
# Check [xkg]dm login capability
# Abs paths
# Test presence of progs
# Test used only as login

# When using several users with the same UID, only environment
# variables USER and HOME tell the difference
# So don't use whoami but USER

echo "Welcome $USER, please type your master key :-)"
# Mount the home dir
/usr/bin/encfs /home/.$USER $HOME
# Check if encrypted fs was mounted properly otherwise exit
/bin/cat /etc/mtab|/bin/grep -q "^encfs $HOME"||exit 1
# Required to refresh the home directory
cd $HOME
# Finally gives a bash to the user
/bin/bash
# Required to exit the home dir to be able to unmount it
cd /
# Unmount the home dir
/usr/bin/fusermount -u $HOME

===PAM module===

There exists an [http://hollowtube.mine.nu/wiki/index.php?n=Projects.PamEncfs encfs PAM].
 My notes for a Debian installation:

cp pam_encfs.so /lib/security

/etc/pam.d/common-auth:
#auth required pam_unix.so nullok_secure
auth sufficient pam_encfs.so
auth required pam_unix.so use_first_pass nullok_secure

/etc/pam.d/common-session:
session required pam_encfs.so
session required pam_unix.so

/etc/security/pam_encfs.conf:
drop_permissions
encfs_default
fuse_default
- /home/encfs - - -

#To add a user with encfs homedir:
adduser testuser (put him in the fuse group if you have one)
mkdir -p /home/encfs/testuser /home/testuser
chown testuser:testuser /home/encfs/testuser /home/testuser
su testuser
encfs /home/encfs/testuser /home/testuser
#*use same password as your login atm*
fusermount -u /home/testuser

#To enable encfs homedir on existing user:
sudo mkdir -p /home/encfs/phil /home/encfs/tmp
sudo chmod 777 /home/encfs/tmp
sudo chown phil:phil /home/encfs/phil
#*use your main password on next part*
encfs /home/encfs/phil /home/encfs/tmp
cd /home/phil
find . -xdev | cpio -pamd /home/encfs/tmp
fusermount -u /home/encfs/tmp
cd /
sudo mv /home/phil /home/phil.BAK
sudo mkdir /home/phil
sudo chown phil:phil /home/phil
sudo rmdir /home/encfs/tmp
#*logout*

Problem after fuse upgrade:
* didn't work anymore.
* I had to enable "user_allow_other" in /etc/fuse.conf

Problems:

* --idle=1 is nice but how to avoid unwanted auto umount when still logged? (pam_encfs.so should maybe keep a file/dir open)
* if drop_permissions disabled, root needs explicit write access to user's home mount point
* if drop_permissions disabled and --public disabled, HOME env var set by default to / (while it was apparently defined in pam_encfs as mount point path was correctly found)
** No directory, logging in with HOME=/
** if drop_permissions disabled and --public enabled, no problem.
** Don't know how to solve that
* specific fuse options added only if generic fuse_default declared
** patch:
--- pam_encfs.c.orig :50:29.000000000 +0200
+++ pam_encfs.c:34:46.000000000 +0200
@@ -427,11 +427,11 @@
arg_pos += buildCmd(arg,arg_pos,path);
arg_pos += buildCmd(arg,arg_pos,targetpath);

- if (strlen(default_fuse_options) > 0) {
- if (strlen(fuse_options) > 0) {
+ if (strlen(default_fuse_options) > 0 && strlen(fuse_options) > 0) {
strcat(fuse_options,",");
}
- strcat(fuse_options,default_fuse_options);
+ strcat(fuse_options,default_fuse_options);
+ if (strlen(fuse_options) > 0) {
arg_pos += buildCmd(arg,arg_pos,"--");
arg_pos += buildCmd(arg,arg_pos,"-o");
arg_pos += buildCmd(arg,arg_pos,fuse_options);
* if fuse_default or encfs_default empty, garbage produced on call to encfs or fuse
** patch:
@@ -235,13 +235,12 @@
continue;
}
if (strcmp("encfs_default",username) == 0) {
-
- if (!strcmp("-",path) == 0)
+ if (parsed == 2 && !strcmp("-",path) == 0)
strcpy(default_encfs_options,path);
continue;
}
if (strcmp("fuse_default",username) == 0) {
- if (!strcmp("-",path) == 0)
+ if (parsed == 2 && !strcmp("-",path) == 0)
strcpy(default_fuse_options,path);
continue;
}
* multiple options not supported for encfs_default
** patch:
@@ -253,6 +252,7 @@
if (strcmp("-",fuse_options) == 0)
strcpy(fuse_options,"");

+ searchAndReplace(default_encfs_options);
searchAndReplace(encfs_options);

if ((strcmp(user,username) == 0) || (strcmp("-",username) == 0)) {
* On some circumstances, fusermount fails while it shouldn't:
testphil@mercure:~$ mount
[...]
encfs on /home/phil type fuse (rw,nosuid,nodev,default_permissions,user=phil)
encfs on /home/testphil type fuse (rw,nosuid,nodev,default_permissions,user=testphil)
testphil@mercure:~$ logout
fusermount: entry for /home/testphil not found in /etc/mtab
phil@mercure:~$ mount
[...]
encfs on /home/phil type fuse (rw,nosuid,nodev,default_permissions,user=phil)
encfs on /home/testphil type fuse (rw,nosuid,nodev,default_permissions,user=testphil)
phil@mercure:~$ sudo su testphil -c "fusermount -u /home/testphil"
* and here it works with exactly the same command*
* /etc/pam_encfs.conf is not the best place
** /usr/share/doc/libpam0g/Debian-PAM-~MiniPolicy.gz tells to have /lib/security/encfs.conf which is awful
** but libpam-modules has e.g. /etc/security/pam_env.conf so we will have /etc/security/pam_encfs.conf
** I should ask Sam Hartman <hartmans at ...> about this incoherence
** patch:
@@ -81,7 +81,7 @@
#define USERNAME_MAX 127
#define PATH_MAX 256
#define BUFSIZE ((USERNAME_MAX +1) + ((PATH_MAX+1) * 2))
-#define CONFIGFILE "/etc/pam_encfs.conf"
+#define CONFIGFILE "/etc/security/pam_encfs.conf"

static void _pam_log ( int err, const char *format, ... );
static char default_encfs_options[USERNAME_MAX];
* It looks like the argument allow_root given to fuse is transformed into allow_other when displayed by mount

==Problems linked to the absence of locking support:==

* encfs or fuse doesn't allow locking, cf [http://lists.samba.org/archive/samba/2004-April/085039.html similar problem with samba]
** Not sure which operation fails, flock() or open with O_EXCL flag.
* with KDE: could not read network connection list /home/.../.DCOPserver_machine__0
** Indeed dcopserver refuses to start (error in locking .ICEauthority)
** Solution: add to ~/.bashrc (or ~/.bash_profile if ~/.bash_profile does not include ~/.bashrc)
*** export XAUTHORITY=/tmp/.Xauthority-$USER
*** export ICEAUTHORITY=/tmp/.ICEauthority-$USER
* with unison: error (error message is not adequate...) Fatal error: Warning: the archives are locked. If no other instance of unison is running, the locks should be removed. Please delete lock files as appropriate and try again.
** Create a soft link from ~/.unison to an dir out of the encfs
* with courier-imap: this doesn't work if Maildir is on encfs
** For read-only IMAP, create a soft link from e.g. /home/user_noencfs/Maildir out of the encfs to ~/Maildir (so your mails will remain encrypted!) and tell to courier-imap that your homedir is the /home/user_noencfs
** For read-write, this is not possible
==Problems with tiger==
I get a very similar problem as [http://www.mail-archive.com/tiger-user@nongnu.org/msg00006.html this guy]: I always get the following msg
--CONFIG-- [con010c] Filesystem 'fuse' used by 'encfs' is not recognised as a local filesystem
and no way to get rid of it via /etc/tiger (except skipping all "system" tests) so I had also to add to /usr/lib/tiger/systems/Linux/2/gen_mounts a line with
[ "$2" = "encfs" ] && LOCAL=0
but I know next Debian upgrade will silently restore the original (or new) version :-(

Encfs

2007-07-17T07:27:30Z

57.67.161.6: /* PAM module */

==Install==
apt-get install [http://arg0.net/users/vgough/encfs.html encfs]

You'll also need the [http://fuse.sourceforge.net/ fuse] module:

apt-get install fuse-source fuse-utils
cd /usr/src; tar xjf fuse.tar.bz2
cd linux; make-kpkg --us --uc --revision $REVISION --append-to-version $APPEND modules_image

Note that fuse is already present in the last kernel versions (at least 2.6.15)

Test:

* Under Debian, the user must be member of the fuse group to have the right to use fuse:
adduser phil fuse
* To load automatically the module fuse:
echo fuse >> /etc/modules
* To mount:
encfs /home/user/crypt-raw /home/user/crypt%%%First time, choose "p" for paranoia settings
* To unmount:
fusermount -u /home/user/crypt

Another cool use of fuse is [http://shfs.sourceforge.net/ sshfs] (apt-get install sshfs)
 For other cool stuffs, check [http://fuse.sourceforge.net/wiki/index.php/FileSystems here], among others the amazing [http://unit.aist.go.jp/itri/knoppix/http-fuse/index-en.html HTTP-FUSE-KNOPPIX]
 Note on [http://www.ricardis.tudelft.nl/~vincent/fusesmb/ fusesmb]: contrary to use of smbfs where users are identified as USER/DOMAIN, here ~/.smb/fusesmb.conf must use username=DOMAIN/USER notation. On big Windows networks, I've problems discovering the neighborhood, in that case it's much easier to populate ~/.smb/fusesmb.cache by yourself with lines such as /WORKGROUP/COMPUTER/SHARE

==Encfs homedir==

===Personal script===

My first attempt was a bash script:

#!/bin/bash

# This scripts automatically attempts to mount
# an encrypted home directory at login time
#
# Usage: how to setup this for e.g. user <foo>
# Put this script as shell of the user foo in /etc/passwd instead of /bin/bash
# Encrypted data will be under /home/.foo and mount point will be /home/foo
# Don't forget to put user foo in the group "fuse": adduser foo fuse
#
# Requirements:
# Encfs, module fuse and fuse-utils
#
# Copyright:
# 2005, Philippe Teuwen <phil@teuwen.org>
#
# License:
# This script is under GPLv3 or later
#
# History:
# v0.02
# Change $(whoami) to $(USER)
# v0.01
# Initial version
#
# TODO:
# Check [xkg]dm login capability
# Abs paths
# Test presence of progs
# Test used only as login

# When using several users with the same UID, only environment
# variables USER and HOME tell the difference
# So don't use whoami but USER

echo "Welcome $USER, please type your master key :-)"
# Mount the home dir
/usr/bin/encfs /home/.$USER $HOME
# Check if encrypted fs was mounted properly otherwise exit
/bin/cat /etc/mtab|/bin/grep -q "^encfs $HOME"||exit 1
# Required to refresh the home directory
cd $HOME
# Finally gives a bash to the user
/bin/bash
# Required to exit the home dir to be able to unmount it
cd /
# Unmount the home dir
/usr/bin/fusermount -u $HOME

===PAM module===

There exists an [http://hollowtube.mine.nu/wiki/index.php?n=Projects.PamEncfs encfs PAM].
 My notes for a Debian installation:

cp pam_encfs.so /lib/security

/etc/pam.d/common-auth:
#auth required pam_unix.so nullok_secure
auth sufficient pam_encfs.so
auth required pam_unix.so use_first_pass nullok_secure

/etc/pam.d/common-session:
session required pam_encfs.so
session required pam_unix.so

/etc/pam_encfs.conf:
drop_permissions
encfs_default
fuse_default
- /home/encfs - - -

#To add a user with encfs homedir:
adduser testuser (put him in the fuse group if you have one)
mkdir -p /home/encfs/testuser /home/testuser
chown testuser:testuser /home/encfs/testuser /home/testuser
su testuser
encfs /home/encfs/testuser /home/testuser
#*use same password as your login atm*
fusermount -u /home/testuser

#To enable encfs homedir on existing user:
sudo mkdir -p /home/encfs/phil /home/encfs/tmp
sudo chmod 777 /home/encfs/tmp
sudo chown phil:phil /home/encfs/phil
#*use your main password on next part*
encfs /home/encfs/phil /home/encfs/tmp
cd /home/phil
find . -xdev | cpio -pamd /home/encfs/tmp
fusermount -u /home/encfs/tmp
cd /
sudo mv /home/phil /home/phil.BAK
sudo mkdir /home/phil
sudo chown phil:phil /home/phil
sudo rmdir /home/encfs/tmp
#*logout*

Problem after fuse upgrade:
* didn't work anymore.
* I had to enable "user_allow_other" in /etc/fuse.conf

Problems:

* --idle=1 is nice but how to avoid unwanted auto umount when still logged? (pam_encfs.so should maybe keep a file/dir open)
* if drop_permissions disabled, root needs explicit write access to user's home mount point
* if drop_permissions disabled and --public disabled, HOME env var set by default to / (while it was apparently defined in pam_encfs as mount point path was correctly found)
** No directory, logging in with HOME=/
** if drop_permissions disabled and --public enabled, no problem.
** Don't know how to solve that
* specific fuse options added only if generic fuse_default declared
** patch:
--- pam_encfs.c.orig :50:29.000000000 +0200
+++ pam_encfs.c:34:46.000000000 +0200
@@ -427,11 +427,11 @@
arg_pos += buildCmd(arg,arg_pos,path);
arg_pos += buildCmd(arg,arg_pos,targetpath);

- if (strlen(default_fuse_options) > 0) {
- if (strlen(fuse_options) > 0) {
+ if (strlen(default_fuse_options) > 0 && strlen(fuse_options) > 0) {
strcat(fuse_options,",");
}
- strcat(fuse_options,default_fuse_options);
+ strcat(fuse_options,default_fuse_options);
+ if (strlen(fuse_options) > 0) {
arg_pos += buildCmd(arg,arg_pos,"--");
arg_pos += buildCmd(arg,arg_pos,"-o");
arg_pos += buildCmd(arg,arg_pos,fuse_options);
* if fuse_default or encfs_default empty, garbage produced on call to encfs or fuse
** patch:
@@ -235,13 +235,12 @@
continue;
}
if (strcmp("encfs_default",username) == 0) {
-
- if (!strcmp("-",path) == 0)
+ if (parsed == 2 && !strcmp("-",path) == 0)
strcpy(default_encfs_options,path);
continue;
}
if (strcmp("fuse_default",username) == 0) {
- if (!strcmp("-",path) == 0)
+ if (parsed == 2 && !strcmp("-",path) == 0)
strcpy(default_fuse_options,path);
continue;
}
* multiple options not supported for encfs_default
** patch:
@@ -253,6 +252,7 @@
if (strcmp("-",fuse_options) == 0)
strcpy(fuse_options,"");

+ searchAndReplace(default_encfs_options);
searchAndReplace(encfs_options);

if ((strcmp(user,username) == 0) || (strcmp("-",username) == 0)) {
* On some circumstances, fusermount fails while it shouldn't:
testphil@mercure:~$ mount
[...]
encfs on /home/phil type fuse (rw,nosuid,nodev,default_permissions,user=phil)
encfs on /home/testphil type fuse (rw,nosuid,nodev,default_permissions,user=testphil)
testphil@mercure:~$ logout
fusermount: entry for /home/testphil not found in /etc/mtab
phil@mercure:~$ mount
[...]
encfs on /home/phil type fuse (rw,nosuid,nodev,default_permissions,user=phil)
encfs on /home/testphil type fuse (rw,nosuid,nodev,default_permissions,user=testphil)
phil@mercure:~$ sudo su testphil -c "fusermount -u /home/testphil"
* and here it works with exactly the same command*
* /etc/pam_encfs.conf is not the best place
** /usr/share/doc/libpam0g/Debian-PAM-~MiniPolicy.gz tells to have /lib/security/encfs.conf which is awful
** but libpam-modules has e.g. /etc/security/pam_env.conf so we will have /etc/security/pam_encfs.conf
** I should ask Sam Hartman <hartmans at ...> about this incoherence
** patch:
@@ -81,7 +81,7 @@
#define USERNAME_MAX 127
#define PATH_MAX 256
#define BUFSIZE ((USERNAME_MAX +1) + ((PATH_MAX+1) * 2))
-#define CONFIGFILE "/etc/pam_encfs.conf"
+#define CONFIGFILE "/etc/security/pam_encfs.conf"

static void _pam_log ( int err, const char *format, ... );
static char default_encfs_options[USERNAME_MAX];
* It looks like the argument allow_root given to fuse is transformed into allow_other when displayed by mount

==Problems linked to the absence of locking support:==

* encfs or fuse doesn't allow locking, cf [http://lists.samba.org/archive/samba/2004-April/085039.html similar problem with samba]
** Not sure which operation fails, flock() or open with O_EXCL flag.
* with KDE: could not read network connection list /home/.../.DCOPserver_machine__0
** Indeed dcopserver refuses to start (error in locking .ICEauthority)
** Solution: add to ~/.bashrc (or ~/.bash_profile if ~/.bash_profile does not include ~/.bashrc)
*** export XAUTHORITY=/tmp/.Xauthority-$USER
*** export ICEAUTHORITY=/tmp/.ICEauthority-$USER
* with unison: error (error message is not adequate...) Fatal error: Warning: the archives are locked. If no other instance of unison is running, the locks should be removed. Please delete lock files as appropriate and try again.
** Create a soft link from ~/.unison to an dir out of the encfs
* with courier-imap: this doesn't work if Maildir is on encfs
** For read-only IMAP, create a soft link from e.g. /home/user_noencfs/Maildir out of the encfs to ~/Maildir (so your mails will remain encrypted!) and tell to courier-imap that your homedir is the /home/user_noencfs
** For read-write, this is not possible
==Problems with tiger==
I get a very similar problem as [http://www.mail-archive.com/tiger-user@nongnu.org/msg00006.html this guy]: I always get the following msg
--CONFIG-- [con010c] Filesystem 'fuse' used by 'encfs' is not recognised as a local filesystem
and no way to get rid of it via /etc/tiger (except skipping all "system" tests) so I had also to add to /usr/lib/tiger/systems/Linux/2/gen_mounts a line with
[ "$2" = "encfs" ] && LOCAL=0
but I know next Debian upgrade will silently restore the original (or new) version :-(

Vserver tools

2007-05-21T07:44:11Z

57.67.161.6: /* Imposing disk usage limits on vservers */

==De-unifying tool==
From within a vserver, unified files cannot be directly modified.
 You could face such problem when upgrading with apt-get when apt tries to make .dpkg-tmp copies for some critical(?) files
 The user can of course make a copy, delete the file and re-create it but this is inconvenient therefore this tool :-)

<pre>
#!/bin/bash

# Copyright Philippe Teuwen <phil_at_teuwen.org>
# License: GPL

if [ "$1" = "-v" ]; then
DEBUG=true
shift
else
DEBUG=false
fi

files="$*"
if [ "$files" = "" ]; then
echo "Usage: $0 [-v] <file(s) to deunify>"
echo " (-v for verbose mode)"
exit
fi
for f in $files; do
if [ -f "$f" ]&&[ ! -L "$f" ]; then
if lsattr "$f"|cut -f1 -d " "|grep -q "....i.......E...."; then
$DEBUG && echo "Deunifying file $f..."
$DEBUG && echo -n "inode : " && ls -i "$f"|cut -f1 -d " "
$DEBUG && echo -n "attr : " && lsattr "$f"|cut -f1 -d " "
tmpfile="$(mktemp /tmp/deunify.XXXXXX)"
cp -a "$f" "$tmpfile"
mv -f "$tmpfile" "$f"
echo "File $f deunified!"
$DEBUG && echo -n "inode : " && ls -i "$f"|cut -f1 -d " "
$DEBUG && echo -n "attr : " && lsattr "$f"|cut -f1 -d " "
else
$DEBUG && echo "Skipping file $f, already deunified..."
$DEBUG && echo -n "inode : " && ls -i "$f"|cut -f1 -d " "
$DEBUG && echo -n "attr : " && lsattr "$f"|cut -f1 -d " "
fi
else
$DEBUG && echo "$f does not appear to be a regular file, skipping..."
fi
done
</pre>

==Deleting tool==
Be careful with this one, of course
<pre>
#!/bin/bash

# Copyright Philippe Teuwen <phil_at_teuwen.org>
# Lincense: GPL

VSERVER=$1
vserver $VSERVER status
ret=$?
if [ "$ret" = 5 ]; then
echo "Please specify an existing vserver!"
exit 1
fi
if [ "$ret" != 3 ]; then
vserver $VSERVER stop
fi
echo Deleting /etc/vservers/$VSERVER ...
rm -rf /etc/vservers/$VSERVER
echo Deleting /var/run/vservers/$VSERVER ...
rm -rf /var/run/vservers/$VSERVER
echo Deleting symlinks in /var/run/vservers.rev/ ...
ls -l /var/run/vservers.rev/|\
grep -o "[0-9]\+ -> /etc/vservers/$VSERVER"|\
cut -d ' ' -f 1|\
xargs rm -f
echo -n Deleting /etc/vservers/.defaults/vdirbase/$VSERVER ...
lsof|grep $VSERVER
i=0
# We need to insist a bit on this one...
while [[ "$i" -lt 10 ]] && ! rm -rf /etc/vservers/.defaults/vdirbase/$VSERVER >& /dev/null ; do
echo -n .
i=$(($i+1))
sleep 1
done
echo
echo Done.
</pre>
==Dupvserver patch==
Make dupvserver usable with the new vserver config method and handle static contextes
<pre>
--- dupvserver 2006-03-29 20:04:43.000000000 +0200
+++ dupvserver.new 2006-03-29 20:04:15.000000000 +0200
@@ -17,11 +17,11 @@
# Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
# 02111-1307, USA.

-VSERVERS_ROOT=/vservers
+VSERVERS_ROOT=/etc/vservers/.defaults/vdirbase

-if [ -r /etc/vservers.conf ] ; then
- . /etc/vservers.conf
-fi
+#if [ -r /etc/vservers.conf ] ; then
+# . /etc/vservers.conf
+#fi

usage ()
{
@@ -95,14 +95,14 @@
echo "ERROR: Vserver $FROM do not exist."
exit 1
fi
- if [ ! -r "/etc/vservers/$FROM.conf" ] ; then
+ if [ ! -d "/etc/vservers/$FROM" ] ; then
echo "ERROR: Vserver config for $FROM do not exist."
exit 1
fi
- . /etc/vservers/$FROM.conf
- FROMNAME=$S_HOSTNAME
- FROMIP=$IPROOT
- FROMDEV=$IPROOTDEV
+# . /etc/vservers/$FROM.conf
+ FROMNAME="$(cat /etc/vservers/$FROM/name)"
+ FROMIP="$(cat /etc/vservers/$FROM/interfaces/0/ip)"
+ FROMDEV="$(cat /etc/vservers/$FROM/interfaces/0/dev)"
;;
--to)
TO="$2"
@@ -184,16 +184,25 @@
$FINDTOREPIP" | sort -u
fi

-if [ ! -r /etc/vservers/$TO.conf -o "$FORCE" = "yes" ] ; then
- cp /etc/vservers/$FROM.conf /etc/vservers/$TO.conf
- perl -pi -e "s#$FROM#$TO#g;" \
- /etc/vservers/$TO.conf
+if [ ! -d /etc/vservers/$TO -o "$FORCE" = "yes" ] ; then
+ mkdir /etc/vservers/$TO
+ cp -a /etc/vservers/$FROM/* /etc/vservers/$TO
+ rm /etc/vservers/$TO/run
+ ln -s /var/run/vservers/$TO /etc/vservers/$TO/run
+ rm /etc/vservers/$TO/vdir
+ ln -s /etc/vservers/.defaults/vdirbase/$TO /etc/vservers/$TO/vdir
+ find /etc/vservers/$TO -type f -exec perl -pi -e "s#$FROM#$TO#g;" {} \;
if [ "$FROMIP" != "$TOIP" ] ; then
- perl -pi -e "s#$FROMIP#$TOIP#g;" \
- /etc/vservers/$TO.conf
+ find /etc/vservers/$TO -type f -exec perl -pi -e "s#$FROMIP#$TOIP#g;" {} \;
fi
if [ "$FROMDEV" != "$TODEV" -a -n "$TODEV" ] ; then
- perl -pi -e "s#$FROMDEV#$TODEV#g;" \
- /etc/vservers/$TO.conf
+ find /etc/vservers/$TO -type f -exec perl -pi -e "s#$FROMDEV#$TODEV#g;" {} \;
+ fi
+ if [ -e /etc/vservers/$TO/context ]; then
+ echo -n "Choose a new context: "
+ echo $RANDOM > /etc/vservers/$TO/context
+ cat /etc/vservers/$TO/context
+ echo "Apply new context to files..."
+ chxid -c $(cat /etc/vservers/$TO/context) -R $VSERVERS_ROOT/$TO
fi
fi
</pre>

==Newvserver patch==
* Add better support for etch
* Prevent corruption of /etc/motd
<pre>
--- newvserver 2006-03-29 20:04:28.000000000 +0200
+++ newvserver.new 2006-03-29 20:04:10.000000000 +0200
@@ -45,7 +45,7 @@
REMOVE_PACKAGES="sparc-utils,dhcp-client,lilo,makedev,pcmcia-cs,ppp,pppconfig,pppoe,pppoeconf,setserial,syslinux,fdutils,libpcap0,iptables,pciutils"

# sysvinit services relating to hardware access to remove
-REMOVE_LINKS="klogd hwclock.sh setserial urandom networking umountfs halt reboot mountvirtfs mountall.sh mountnfs.sh ifupdown"
+REMOVE_LINKS="klogd hwclock.sh setserial urandom networking umountfs umountroot halt reboot mountvirtfs mountall.sh mountnfs.sh ifupdown"

# Post installation script
POST_INSTALL_SCRIPT=""
@@ -384,7 +384,7 @@
fi

## use "vserver ... build" to build the new vserver
-if ! /usr/sbin/vserver "$VHOST" build -m debootstrap \
+if ! vserver "$VHOST" build -m debootstrap \
--rootdir "$VROOTDIR" --hostname "$VHOST" --interface "$INTERFACE:$IP" \
-- -d "$DIST" -m "$MIRROR" \
-- $ARCH_ARGUMENT \
@@ -398,12 +398,12 @@
# Make it so that apt and friends work
cat << EOF > "$VROOTDIR/$VHOST/etc/apt/sources.list"
deb $MIRROR/ $DIST main non-free contrib
-deb-src $MIRROR/ $DIST main non-free contrib
+#deb-src $MIRROR/ $DIST main non-free contrib

-deb http://non-us.debian.org/debian-non-US $DIST/non-US main contrib non-free
-deb-src http://non-us.debian.org/debian-non-US $DIST/non-US main contrib non-free
+#deb http://non-us.debian.org/debian-non-US $DIST/non-US main contrib non-free
+#deb-src http://non-us.debian.org/debian-non-US $DIST/non-US main contrib non-free

-deb http://security.debian.org $DIST/updates main contrib non-free
+#deb http://security.debian.org $DIST/updates main contrib non-free

EOF

@@ -455,8 +455,13 @@
# uname -a > $VROOTDIR/$VHOST/etc/motd

# Create a shorter motd (uname -a would give name of host-server)
-echo "Debian GNU/Linux ($DIST/$(uname -m)) $VHOST.$VDOMAIN" \
- > "$VROOTDIR/$VHOST/etc/motd"
+if [ -L "$VROOTDIR/$VHOST/etc/motd" ]; then
+ echo "Debian GNU/Linux ($DIST/$(uname -m)) $VHOST.$VDOMAIN" \
+ > "$VROOTDIR/$VHOST/var/run/motd"
+else
+ echo "Debian GNU/Linux ($DIST/$(uname -m)) $VHOST.$VDOMAIN" \
+ > "$VROOTDIR/$VHOST/etc/motd"
+fi

# Create a dummy fstab
cat << EOF > "$VROOTDIR/$VHOST/etc/fstab"
@@ -526,19 +531,26 @@

dselect update

-tzsetup -y
+if [ "$DIST" == "etch" ]||[ "$DIST" == "sid" ]; then
+ tzconfig
+else
+ tzsetup -y
+fi

dpkg-reconfigure passwd

-tasksel
+if [ "$DIST" == "woody" ]||[ "$DIST" == "sarge" ]; then
+ tasksel
+fi

if [ "$DIST" == "woody" ]; then
rm -f /etc/exim/exim.conf
eximconfig
fi
-
-# because the --exclude flag doesn\'t seem to work on debootstrap
-dpkg -P `echo $REMOVE_PACKAGES | sed -e 's/,/ /g'`
+if [ "$DIST" == "woody" ]||[ "$DIST" == "sarge" ]; then
+ # because the --exclude flag doesn\'t seem to work on debootstrap
+ dpkg -P `echo $REMOVE_PACKAGES | sed -e 's/,/ /g'`
+fi

for link in $REMOVE_LINKS
do
</pre>
Change also the /etc/hosts to assign localhost to the public ip

==Imposing disk usage limits on vservers==
This will also be used to monitor easily the disk usage of the vservers
<pre>
#!/bin/bash

# Link this as /etc/vservers/<servername>/scripts/post-start.d script
# with the desired size limit in Mb.
# For example to set the limit at 10G:
# ln -s /usr/local/sbin/vdlimit_
# /etc/vservers/<servername>/scripts/post-start.d/vdlimit_10240
# To change the limit on-the-fly simply rename the link and execute
# ./vdlimit_<newsize> pre-stop <servername>;./vdlimit_<newsize> post-start <servername>;

# Copyright Philippe Teuwen <phil_at_teuwen.org>
# License: GPL
# version 1.0

# The script will be called from within the vserver working dir
VSERVER=`pwd|sed 's/\/etc\/vservers\/$.*$\/vdir/\1/'`

# space in Mb
SPACE=$(basename $0 | sed 's/^vdlimit_//;')
# 10G if not specified
SPACE=${SPACE:-10240}

# space in kb
SPACE=$(($SPACE*1024))
INODES=$SPACE

vserver $VSERVER status &>/dev/null
ret=$?
if [ "$ret" = 5 ]; then
echo "Please specify an existing vserver!"
exit 1
fi
if [ "$ret" != 0 ]; then
echo "Please specify a running vserver!"
exit 1
fi

CTX=`cat /var/run/vservers/$VSERVER`
SPACE_USED=`du -sx /etc/vservers/.defaults/vdirbase/$VSERVER | awk '{print $1}'`
INODES_USED=`ls -1aRi /etc/vservers/.defaults/vdirbase/$VSERVER/ 2>/dev/null |\
awk '/^[0-9]+ / { print $1 }' | sort -u | wc -l`
if [ $SPACE_USED -ge $SPACE ]||[ $INODES_USED -ge $INODES ]; then
echo "Vserver $VSERVER is already taking more space/inodes than what you try to limit to!"
exit 1
fi
/usr/sbin/vdlimit --xid $CTX \
--set space_total=$SPACE \
--set space_used=$SPACE_USED \
--set inodes_total=$INODES \
--set inodes_used=$INODES_USED \
--set reserved=5 /etc/vservers/.defaults/vdirbase/$VSERVER/
</pre>

Vserver administration

2007-05-21T07:43:06Z

57.67.161.6: /* Disk limits */

==Introduction==
Official homepage: [http://linux-vserver.org/ Linux VServer Project]

Good introduction:
* [http://linux-vserver.org/index.php?page=Linux-VServer-Paper Linux-VServer Technology]
* [http://linux-vserver.org/index.php?page=Linux-VServer-Paper-French La Technologie Linux-VServer]

Debian support:
apt-cache search vserver
kernel-patch-vserver - context switching virtual private servers - kernel patch
[http://www.nongnu.org/util-vserver/ util-vserver] - tools for Virtual private servers and context switching
vserver-debiantools - Tools to manage debian virtual servers

Misc:
* [http://www.lri.fr/~fragile/IMG/pdf/Quetier.pdf Benchmark Comparisons between UML, VMWare, vserver and Xen (pdf)]

==Kernel compilation==
===The Debian way===
I followed instructions given in
* /usr/share/doc/kernel-patch-vserver/README.Debian
* [http://linux-vserver.org/Step-by-Step+Guide+2.6 Step-by-step 2.6]
* [http://deb.riseup.net/vserver/preparing/ Debian vservers]
* [http://arnofear.free.fr/linux/vserver-1.php Debian and vserver, french howto]
* [http://lena.franken.de/linux/debian_and_vserver/ Debian and vserver]
<pre>
apt-get install kernel-patch-vserver linux-source-2.6.16 kernel-package fakeroot
cd /usr/src
tar xjf linux-source-2.6.16.tar.bz2
cd /usr/src/linux-source-2.6.16
cp config-2.6.16-1-amd64-k8 .config
export PATCH_THE_KERNEL=YES
make-kpkg --rootcmd fakeroot \
--revision custom01 \
--added-patches vserver \
--append-to-version +vserver \
--initrd \
binary-arch
"Virtual root device support" -> **y**
"Legacy kernel API" -> y
"Show a Legacy Version ID" -> n
"Disable Legacy Networking Kernel API" -> n
"Enable Proc Security" -> y
"Enable Hard CPU Limits" -> y
"Limit the IDLE task" -> n
"Persistent Inode Context Tagging" -> UID24/GID24 (32/32 probably not yet supported on Reiserfs)
"Tag NFSD User Auth and Files" -> n
"VServer Debugging Code" -> n
</pre>
Install kernel and reboot
===Vanilla with GrSec, still the Debian way===
I used linux-2.6.17.14.tar.bz2 + patch-2.6.17.14-vs2.0.2.1-grsec2.1.9.diff
 and the config of the Debian kernel config-2.6.17-2-vserver-amd64
make oldconfig
I activated HARDCPU limits and misc PAX & GRSEC stuff ([http://people.linux-vserver.org/~harry/_README_ this page] can help):
<pre>
CONFIG_VSERVER_HARDCPU=y
CONFIG_VSERVER_HARDCPU_IDLE=y
CONFIG_PAX=y
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_HAVE_ACL_FLAGS=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CUSTOM=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODSTOP=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
</pre>
make-kpkg --rootcmd fakeroot --us --uc --initrd kernel-image
And I got a linux-image-2.6.17.14-grsec2.1.9-vs2.0.2.1_2.6.17.14-grsec2.1.9-vs2.0.2.1-10.00.Custom_amd64.deb
==Host preparation==
<pre>
apt-get install util-vserver vserver-debiantools
wget http://vserver.13thfloor.at/Stuff/SCRIPT/testme.sh
chmod +x testme.sh
./testme.sh
dd bs=1024k count=1024 if=/dev/zero of=1gb.test
modprobe loop
losetup /dev/loop0 ./1gb.test
./testfs.sh [ -F reiser ] -D /dev/loop0 -M /mnt
losetup -d /dev/loop0
modprobe -r loop
</pre>
There is no error at this point but as I'm using Reiserfs, I have to activate manually the extended attributes (for lsattr/chattr) by adding the following option to /etc/fstab lines: "attrs" (?? also option acl ??)
 Test: lsattr <mount point of a Reiserfs>
===Change the vserver base path===
* /etc/vservers/.defaults/vdirbase -> /var/lib/vservers
* I change it to /home/vservers, fix the above symlink
* Re-create the "chroot barrier": setattr --barrier /home/vservers showattr /home -> B for vservers
* Some tools could have /var/lib/vservers hardcoded, for safety I create a symlink /var/lib/vservers pointing to /home/vservers

==Manipulating vservers==
===Create a vserver===
Edit /etc/vservers/newvserver-vars:
<pre>
# cf http://amd64.debian.net/README.mirrors.html
MIRROR="http://ftp.belnet.be/debian-amd64/debian"
INTERFACE="<my_if>"
ARCH="amd64"
</pre>
Create a vserver with 64bits:
LANG=C newvserver --hostname template64 --domain teuwen.org --ip <new_ip>/24 --dist etch
Create a vserver with 32bits emulation:
LANG=C newvserver --hostname template32 --domain teuwen.org --ip <new_ip>/24 --dist etch --arch i386 --mirror "http://<i386_debian_mirror>"
Tuning:
* take care of the config duplication!
* enter the vserver and run tzconfig to choose the proper timezone
* fix /etc/apt/sources.list
* delete rcX.d links to umountroot
* Warning! If you use newvserver as such, it will overwrite the host /etc/motd due to a symlink
* See [Vserver tools] for a patch for newvserver
Removing unnecessary progs (check if you really don't need them!!):
* aptitude apt-utils base-config cpio dselect tasksel libncursesw5 libsigc++-1.2-5c2 libsigc++-2.0-0c2a
* dmidecode laptop-detect module-init-tools
* bsdmainutils ed nano nvi
* groff-base man-db manpages info libgdbm3
* netcat traceroute wget libssl0.9.8
* gettext-base libconsole libgnutls11 liblzo2-2 libtasn1-2-bin

===Automatic start at bootup===
echo default > /etc/vservers/<my_vserver>/apps/init/mark
Note that at shotdown all vservers will be stopped
===Delete a vserver===
Remove dirs /home/vservers/<my_vserver> (depends on the setting of vdirbase, cf. above), /etc/vservers/<my_vserver> and /var/run/vservers/<my_vserver> and the corresponding symlink in /var/run/vservers.rev
===Config of a vserver===
''TODO''
?? /etc/vservers/<my_vserver>.conf
?? S_CAPS
see [http://www.nongnu.org/util-vserver/doc/conf/configuration.html Detailed config page (better choosing boring CSS...)]

If you don't assign unique IPs to the vservers but reuse the one of the host:
touch /etc/vservers/<vserver>/interfaces/<N>/nodev
''When this file exists, the interface will be assumed to exist already. This can be used to assign primary interfaces which are created by the host or another vserver.''

===Run a vserver===
vserver <my_vserver> start
vserver <my_vserver> enter
If you get "mesg: /dev/pts/1: Operation not permitted", be root on the host with "su -"
vserver <my_vserver> stop
===Other tools===
vserver <my_vserver> status
vserver-stat
vtop, vps, vpstree, vkill
/etc/rc.d/init.d/rebootmgr is a daemon which can be called from vservers via vreboot and vhalt to stop/restart the vserver from inside

See also [http://www.nongnu.org/util-vserver/doc/conf/compatibility.html compatibility of util-vserver alpha branch]

See [[Vserver tools]] for my own/modified scripts

===Duplicate a vserver===
vserver <my_vserver1> stop
dupvserver --from <my_vserver1> --to <my_vserver2> --ip <new_ip>
dupvserver is broken with the new configuration structure /etc/vservers/<my_vserver>/
 See [[Vserver tools]] for a patch for dupvserver
===Move/copy a vserver===
Basically stop the vserver and copy /etc/vservers/<my_vserver> and /home/vservers/<my_vserver>
 E.g. rsync -e ssh -avHl /vservers/XX new-server:/vserver/XX
==Share directories==
To mount a directory from one vserver into another from the host:
vnamespace -e <vserver> mount --rbind /directory/to/mount/somewhere /where/to/mount/it
vnamespace -e <vserver> umount /where/it/was/mounted

or
mount --bind /home /var/lib/vservers/vserver1/home
mount --bind /home /var/lib/vservers/vserver2/home
The second method had the disavantage to require a reboot of the vserver

To mount an NFS share in a vserver:
 Add the nfs share to /etc/vservers/<vserver>/fstab
 If you want the user to be able to do it from the vserver itself, you've to add some capabilities, apparently sth like SECURE_MOUNT, SECURE_REMOUNT and/or BINARY_MOUNT to /etc/vservers/<vserver>/ccapabilities (didn't try)

==Apt-get==
LANG=C vapt-get <my_vserver1> <my_vserver2> <...> -- install <pkg1> <pkg2>
==Unify==
cf immutable-linkage-invert flag

Preparation:
mkdir /etc/vservers/template64/apps/vunify
mkdir /etc/vservers/<my_vserver>/apps/vunify
ln -s /etc/vservers/template64 /etc/vservers/<my_vserver>/apps/vunify/refserver.template64
Unification:
 Be sure both vservers are running
vserver <my_vserver> unify [-n] [-R]
-n for dry run, no change
 -R for de-unifying

When using tar, add option -U to unlink & recreate files instead of overwriting.
 Manual set/unset of the immutable-linkage-invert flag:
setattr --iunlink /my/file
setattr --~iunlink /my/file
==Disk limits==
cf http://linux-vserver.org/Disk+Limits

* Assign static contexts for the vservers (i.e. have a value between 2 and 49151 in /etc/vservers/<name>/context)
* Mount the filesystem holding the vserver(s) with the tagxid option
** Check if this is mounted properly: use cat /proc/mounts Ex.: /dev/mapper/Zeus-home /home reiserfs rw,tagxid 0 0
** WARNING: if the filesystem is already in use with vservers, nothing prevent you to umount the filesystem while the vservers are still running, which is VERY BAD! Be careful.
** I could only get the tagxid taken properly into account after a reboot
* Change the xid of already existing files:
chxid -c <my_vserver> -R /home/vservers/<my_vserver>
* Set limits, first method: here limit to 5Gb, 100000 inodes and 5% for the root user For info as I could not get it working properly yet
mkdir /var/cache/vservers
ln -s /var/cache/vservers /etc/vservers/.defaults/cachebase
mkdir /etc/vservers/.defaults/cachebase/<my_server>
ln -s /etc/vservers/.defaults/cachebase/<my_server> /etc/vservers/<my_server>/cache
mkdir -p /etc/vservers/<my_vserver>/dlimits/0
echo /home/vservers/<my_vserver> > /etc/vservers/<my_vserver>/dlimits/0/directory
echo $(( 5 * 1024 * 1024 )) > /etc/vservers/<my_vserver>/dlimits/0/space_total
echo 100000 > /etc/vservers/<my_vserver>/dlimits/0/inodes_total
echo 5 > /etc/vservers/<my_vserver>/dlimits/0/reserved
* Set limits, second method:
** Install my vdlimit_ script in /usr/local/sbin: [[Vserver tools]]
ln -s /usr/local/sbin/vdlimit_ /etc/vservers/<my_vserver>/scripts/post-start.d/vdlimit_$((5*1024))
** To change the limit on-the-fly simply rename the link and execute
./vdlimit_<new_size> pre-stop <my_vserver>;./vdlimit_<new_size> post-start <my_vserver>;

==Network==
===Intern network===
For pure loopback, use dummy interface, cf http://mirabellug.org/wikini/wakka.php?wiki=VServers

For usable dummy interface, us permanent taps as the uml tools allow:
apt-get install uml-utilities
* Create a pseudo-interface:
<pre>
auto tap0
iface tap0 inet static
address 192.168.2.1
netmask 255.255.255.0
tunctl_user uml-net
</pre>
And configure vservers with the same dev=tap0

Update: to check but actually all traffic with private or public IP will anyway be done through lo so this is probably not required

Note that if you use openvpn, you can create tun/tap with
openvpn --mktun --dev tap0

===Configure daemons to listen only to the IP-address of the mothersystem===
* ''openbsd-inetd:'' (not netkit-inetd) in file /etc/inetd.conf: Prepend the service with <IP pub>: Example
<IP pub>:cvspserver stream tcp nowait root /usr/sbin/tcpd /usr/sbin/cvs-pserver
* ''xinetd:'' (not inetd) in file /etc/xinetd.conf:
defaults
{ bind = <IP pub> }

/etc/init.d/xinetd restart
* ''sshd:'' in file /etc/ssh/sshd_config:
ListenAddress <IP pub>

/etc/init.d/ssh restart
* ''exim4:'' in file /etc/exim4/update-exim4.conf.conf:
dc_local_interfaces='<IP pub>'

/etc/init.d/exim4 restart
Better to do it through debconf to avoid surprises at update time: dpkg-reconfigure exim4-config
* ''courier-imap:'' in file /etc/courier/imapd:
ADDRESS=<IP pub>

/etc/init.d/courier-imap restart
* ''courier-imap-ssl:'' in file /etc/courier-ssl/imapd:
ADDRESS=<IP pub>

/etc/init.d/courier-imap-ssl restart
* ''imapproxy:'' in file /etc/imapproxy.conf:
listen_address <IP pub>
Within a vserver, you'll probably hav to reduce the cache_size or give capability to the vserver to raise the setrlimit.
* ''mysql:'' in file /etc/mysql/my.cnf:
bind-address = <IP pub>
* ''vsFtpd:'' in file /etc/vsftpd.conf:
listen_address=<IP pub>
* ''postgresql:'' in file /etc/postgresql/postgresql.conf:
virtual_host = '<IP pub>'
* ''apache2:'' in file /etc/apache2/ports.conf:
Listen <IP pub>:80
* ''zope2.9:'' in file /etc/zope2.9/<instance>/zope.conf:
ip-address <IP pub>
* ''portmap:'' in file /etc/default/portmap:
OPTIONS="-i <IP pub/loopback>"
* ''dnsmasq:'' in file /etc/dnsmasq.conf:
listen-address=<IP pub>
bind-interfaces
* ''[[Virtual_Private_Networks|openvpn]]'' in file /etc/openvpn/server.conf:
local <IP pub>
* netstat -lp -> other greedy daemons?
* Seems that this is possible via another method, here it will bind the daemon to the first IP of the interface: exec /usr/sbin/chbind --ip eth0 /path/to/daemon

===Add an interface without rebooting the vserver===
* add the ip to the host (ip addr add ...)
* add the ip to the guest's network context
# naddress --add --nid <nid> --ip <ip>/<mask>
* enter the guest (best via ssh)
* restart the services if required (most services will automatically start using the new addresses)
* update the config to reflect the changes for the next guest restart (if desired)
Thanks Herbert!
==Understanding vservers==
===Security contextes===
* Find security context of process N:
chcontext --ctx 1 cat /proc/N/status|grep s_context
* Be in the same context:
chcontext --ctx X /bin/sh
* Master context: 1, example to get all listening ports:
chcontext --ctx 1 netstat -lpn
See also [http://www.solucorp.qc.ca/miscprj/s_context.hc Virtual private servers and security contexts]
===Ceiling capabilities===
* As non-root, check capBset:
cat /proc/self/status
* Reduce ceiling caps:
reducecap --secure /bin/sh
* Now capBset is reduced:
cat /proc/self/status
su
* capEff raised a bit but not enough to do for example /sbin/ifconfig eth0 down
* See also [Capabilities in Linux|http://www.lids.org/lids-howto/node34.html]

==Security==
Not necessarily related to vserver but always useful to consider :-)
*ssh
**Use the AllowUsers option to give ssh rights only to those who need it.
**Brute-force protection: apt-get install denyhosts Edit /etc/denyhosts.conf to get email reports Un case someone forgot his pwd and got banned, to remove the ban directly: remove it from /var/lib/denyhosts files and /etc/hosts.deny of course
*iptables (on the host)
**cf --uid-owner and other --XXX-owner options on OUTPUT table to avoid download of malicious code on INPUT table to avoid bindshells
*resource limits
** cpu/mem

===GrSec===
* http://pax.grsecurity.net/
* http://people.linux-vserver.org/~harry/_README_
* http://www.zataz.net/docs/8024/introduction-grsecurity.html
* http://linux-vserver.org/grsecurityHowto
* http://ludit.kuleuven.be/software/vserver/_README_
apt-get install paxctl gradm2

==Iptables Proxy==
* http://www.virtuaserver.com.br/forum/viewtopic.php?t=130

==Other tricks==
* For other tweaks, see http://deb.riseup.net/vserver/usage/ :
** What if I accidentally removed a vserver while it was running?
** Howto convert legacy vservers to the new format
** Howto add an IP to a running vserver, without restarting it?
** Howto make the host interface and IP available in a vserver
** Howto impose disk limits in each vserver
* http://www.paul.sladen.org/vserver/faq
* [http://linux-vserver.org/ProblematicPrograms Problematic programs]
* If you drop files from "outside of the vserver context" (from the host e.g.) you've to reassign the correct xid to the files:
chxid -c <vserver> -R /home/vservers/<vserver>
# all at once:
for i in $(ls /etc/vservers/); do echo $i; chxid -c $i -R /home/vservers/$i;done
* If you drop files from "outside of the vserver context" (from the host e.g.) you've to regenerate the disk usage and limit of the vserver if you use my vdlimit_ script:
vserver <vserver> stop
rm /var/cache/vservers/<vserver>_vdlimit_
vserver <vserver> start
* To run a script (e.g. an /etc/init.d/start_my_daemon) in ctx 1, e.g. to start ntop and be sure it can see all the traffic, simply add at the begin of the script:
if cat /proc/self/vinfo|grep -q -v ":[^0-9]1$"; then
/usr/sbin/chcontext --ctx 1 $0 $*
exit
fi
* To "mount" a samba shared drive from a vserver is not possible or at least when running grsec but you can still use the good old ftp-styled smbclient
smbclient //machine/share -U domain/user

==TODO==
* http://www.nongnu.org/util-vserver/doc/conf/compatibility.html
* http://linux-vserver.derjohn.de/
* [VServer wiki|http://vserver.strahlungsfrei.de/tiki-index.php]
* [Administrator Guide|http://linux-vserver.org/linux-vserver_administrators_gide]
* [Debian newvserver|http://www.paul.sladen.org/vserver/debian/]
* [Howto Debian vserver|http://www.howtoforge.com/linux_vserver_debian]
* ?? apt-get install vlan
* ?? ipac-ng
* CPU limit
** http://linux-vserver.org/Linux-VServer-Paper-06
** http://list.linux-vserver.org/archive/vserver/msg08134.html
* BW limit
** http://lartc.org/howto/
* http://linux-vserver.org/HowTo+Read+ProcFS
* http://linux-vserver.org/HistoryList?full=1
* Publish Munin scripts
* http://linux-vserver.org/VServer+installation+Fedora+Core+5
* http://vserver.13thfloor.at/Experimental/
* http://www.archivesat.com/Linux-VServer/
* http://www.solucorp.qc.ca/miscprj/s_context.hc?s1=1&s2=0&s3=0&s4=0&full=0&prjstate=1&nodoc=0
* (fr) http://fr.wikibooks.org/wiki/Vserver

Vserver administration

2007-04-18T12:48:40Z

57.67.161.6: /* Change the vserver base path */

==Introduction==
Official homepage: [http://linux-vserver.org/ Linux VServer Project]

Good introduction:
* [http://linux-vserver.org/index.php?page=Linux-VServer-Paper Linux-VServer Technology]
* [http://linux-vserver.org/index.php?page=Linux-VServer-Paper-French La Technologie Linux-VServer]

Debian support:
apt-cache search vserver
kernel-patch-vserver - context switching virtual private servers - kernel patch
[http://www.nongnu.org/util-vserver/ util-vserver] - tools for Virtual private servers and context switching
vserver-debiantools - Tools to manage debian virtual servers

Misc:
* [http://www.lri.fr/~fragile/IMG/pdf/Quetier.pdf Benchmark Comparisons between UML, VMWare, vserver and Xen (pdf)]

==Kernel compilation==
===The Debian way===
I followed instructions given in
* /usr/share/doc/kernel-patch-vserver/README.Debian
* [http://linux-vserver.org/Step-by-Step+Guide+2.6 Step-by-step 2.6]
* [http://deb.riseup.net/vserver/preparing/ Debian vservers]
* [http://arnofear.free.fr/linux/vserver-1.php Debian and vserver, french howto]
* [http://lena.franken.de/linux/debian_and_vserver/ Debian and vserver]
<pre>
apt-get install kernel-patch-vserver linux-source-2.6.16 kernel-package fakeroot
cd /usr/src
tar xjf linux-source-2.6.16.tar.bz2
cd /usr/src/linux-source-2.6.16
cp config-2.6.16-1-amd64-k8 .config
export PATCH_THE_KERNEL=YES
make-kpkg --rootcmd fakeroot \
--revision custom01 \
--added-patches vserver \
--append-to-version +vserver \
--initrd \
binary-arch
"Virtual root device support" -> **y**
"Legacy kernel API" -> y
"Show a Legacy Version ID" -> n
"Disable Legacy Networking Kernel API" -> n
"Enable Proc Security" -> y
"Enable Hard CPU Limits" -> y
"Limit the IDLE task" -> n
"Persistent Inode Context Tagging" -> UID24/GID24 (32/32 probably not yet supported on Reiserfs)
"Tag NFSD User Auth and Files" -> n
"VServer Debugging Code" -> n
</pre>
Install kernel and reboot
===Vanilla with GrSec, still the Debian way===
I used linux-2.6.17.14.tar.bz2 + patch-2.6.17.14-vs2.0.2.1-grsec2.1.9.diff
 and the config of the Debian kernel config-2.6.17-2-vserver-amd64
make oldconfig
I activated HARDCPU limits and misc PAX & GRSEC stuff ([http://people.linux-vserver.org/~harry/_README_ this page] can help):
<pre>
CONFIG_VSERVER_HARDCPU=y
CONFIG_VSERVER_HARDCPU_IDLE=y
CONFIG_PAX=y
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_HAVE_ACL_FLAGS=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CUSTOM=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODSTOP=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
</pre>
make-kpkg --rootcmd fakeroot --us --uc --initrd kernel-image
And I got a linux-image-2.6.17.14-grsec2.1.9-vs2.0.2.1_2.6.17.14-grsec2.1.9-vs2.0.2.1-10.00.Custom_amd64.deb
==Host preparation==
<pre>
apt-get install util-vserver vserver-debiantools
wget http://vserver.13thfloor.at/Stuff/SCRIPT/testme.sh
chmod +x testme.sh
./testme.sh
dd bs=1024k count=1024 if=/dev/zero of=1gb.test
modprobe loop
losetup /dev/loop0 ./1gb.test
./testfs.sh [ -F reiser ] -D /dev/loop0 -M /mnt
losetup -d /dev/loop0
modprobe -r loop
</pre>
There is no error at this point but as I'm using Reiserfs, I have to activate manually the extended attributes (for lsattr/chattr) by adding the following option to /etc/fstab lines: "attrs" (?? also option acl ??)
 Test: lsattr <mount point of a Reiserfs>
===Change the vserver base path===
* /etc/vservers/.defaults/vdirbase -> /var/lib/vservers
* I change it to /home/vservers, fix the above symlink
* Re-create the "chroot barrier": setattr --barrier /home/vservers showattr /home -> B for vservers
* Some tools could have /var/lib/vservers hardcoded, for safety I create a symlink /var/lib/vservers pointing to /home/vservers

==Manipulating vservers==
===Create a vserver===
Edit /etc/vservers/newvserver-vars:
<pre>
# cf http://amd64.debian.net/README.mirrors.html
MIRROR="http://ftp.belnet.be/debian-amd64/debian"
INTERFACE="<my_if>"
ARCH="amd64"
</pre>
Create a vserver with 64bits:
LANG=C newvserver --hostname template64 --domain teuwen.org --ip <new_ip>/24 --dist etch
Create a vserver with 32bits emulation:
LANG=C newvserver --hostname template32 --domain teuwen.org --ip <new_ip>/24 --dist etch --arch i386 --mirror "http://<i386_debian_mirror>"
Tuning:
* take care of the config duplication!
* enter the vserver and run tzconfig to choose the proper timezone
* fix /etc/apt/sources.list
* delete rcX.d links to umountroot
* Warning! If you use newvserver as such, it will overwrite the host /etc/motd due to a symlink
* See [Vserver tools] for a patch for newvserver
Removing unnecessary progs (check if you really don't need them!!):
* aptitude apt-utils base-config cpio dselect tasksel libncursesw5 libsigc++-1.2-5c2 libsigc++-2.0-0c2a
* dmidecode laptop-detect module-init-tools
* bsdmainutils ed nano nvi
* groff-base man-db manpages info libgdbm3
* netcat traceroute wget libssl0.9.8
* gettext-base libconsole libgnutls11 liblzo2-2 libtasn1-2-bin

===Automatic start at bootup===
echo default > /etc/vservers/<my_vserver>/apps/init/mark
Note that at shotdown all vservers will be stopped
===Delete a vserver===
Remove dirs /home/vservers/<my_vserver> (depends on the setting of vdirbase, cf. above), /etc/vservers/<my_vserver> and /var/run/vservers/<my_vserver> and the corresponding symlink in /var/run/vservers.rev
===Config of a vserver===
''TODO''
?? /etc/vservers/<my_vserver>.conf
?? S_CAPS
see [http://www.nongnu.org/util-vserver/doc/conf/configuration.html Detailed config page (better choosing boring CSS...)]
===Run a vserver===
vserver <my_vserver> start
vserver <my_vserver> enter
If you get "mesg: /dev/pts/1: Operation not permitted", be root on the host with "su -"
vserver <my_vserver> stop
===Other tools===
vserver <my_vserver> status
vserver-stat
vtop, vps, vpstree, vkill
/etc/rc.d/init.d/rebootmgr is a daemon which can be called from vservers via vreboot and vhalt to stop/restart the vserver from inside

See also [http://www.nongnu.org/util-vserver/doc/conf/compatibility.html compatibility of util-vserver alpha branch]

See [[Vserver tools]] for my own/modified scripts

===Duplicate a vserver===
vserver <my_vserver1> stop
dupvserver --from <my_vserver1> --to <my_vserver2> --ip <new_ip>
dupvserver is broken with the new configuration structure /etc/vservers/<my_vserver>/
 See [[Vserver tools]] for a patch for dupvserver
===Move/copy a vserver===
Basically stop the vserver and copy /etc/vservers/<my_vserver> and /home/vservers/<my_vserver>
 E.g. rsync -e ssh -avHl /vservers/XX new-server:/vserver/XX
==Share directories==
To mount a directory from one vserver into another from the host:
vnamespace -e <vserver> mount --rbind /directory/to/mount/somewhere /where/to/mount/it
vnamespace -e <vserver> umount /where/it/was/mounted

or
mount --bind /home /var/lib/vservers/vserver1/home
mount --bind /home /var/lib/vservers/vserver2/home
The second method had the disavantage to require a reboot of the vserver
==Apt-get==
LANG=C vapt-get <my_vserver1> <my_vserver2> <...> -- install <pkg1> <pkg2>
==Unify==
cf immutable-linkage-invert flag

Preparation:
mkdir /etc/vservers/template64/apps/vunify
mkdir /etc/vservers/<my_vserver>/apps/vunify
ln -s /etc/vservers/template64 /etc/vservers/<my_vserver>/apps/vunify/refserver.template64
Unification:
 Be sure both vservers are running
vserver <my_vserver> unify [-n] [-R]
-n for dry run, no change
 -R for de-unifying

When using tar, add option -U to unlink & recreate files instead of overwriting.
 Manual set/unset of the immutable-linkage-invert flag:
setattr --iunlink /my/file
setattr --~iunlink /my/file
==Disk limits==
cf http://linux-vserver.org/Disk+Limits

* Assign static contexts for the vservers (i.e. have a value between 2 and 49151 in /etc/vservers/<name>/context)
* Mount the filesystem holding the vserver(s) with the tagxid option
** Check if this is mounted properly: use cat /proc/mounts Ex.: /dev/mapper/Zeus-home /home reiserfs rw,tagxid 0 0
** WARNING: if the filesystem is already in use with vservers, nothing prevent you to umount the filesystem while the vservers are still running, which is VERY BAD! Be careful.
** I could only get the tagxid taken properly into account after a reboot
* Change the xid of already existing files:
chxid -c <my_vserver> -R /home/vservers/<my_vserver>
* Set limits, first method: here limit to 5Gb, 100000 inodes and 5% for the root user For info as I could not get it working properly yet
mkdir /var/cache/vservers
ln -s /var/cache/vservers /etc/vservers/.defaults/cachebase
mkdir /etc/vservers/.defaults/cachebase/<my_server>
ln -s /etc/vservers/.defaults/cachebase/<my_server> /etc/vservers/<my_server>/cache
mkdir -p /etc/vservers/<my_vserver>/dlimits/0
echo /home/vservers/<my_vserver> > /etc/vservers/<my_vserver>/dlimits/0/directory
echo $(( 5 * 1024 * 1024 )) > /etc/vservers/<my_vserver>/dlimits/0/space_total
echo 100000 > /etc/vservers/<my_vserver>/dlimits/0/inodes_total
echo 5 > /etc/vservers/<my_vserver>/dlimits/0/reserved
* Set limits, second method:
** Install my vdlimit_ script in /usr/local/sbin: [[Vserver tools]]
ln -s /usr/local/sbin/vdlimit_ /etc/vservers/<my_vserver>/scripts/post-start.d/vdlimit_$((5*1024))
==Network==
===Intern network===
For pure loopback, use dummy interface, cf http://mirabellug.org/wikini/wakka.php?wiki=VServers

For usable dummy interface, us permanent taps as the uml tools allow:
apt-get install uml-utilities
* Create a pseudo-interface:
<pre>
auto tap0
iface tap0 inet static
address 192.168.2.1
netmask 255.255.255.0
tunctl_user uml-net
</pre>
And configure vservers with the same dev=tap0

Update: to check but actually all traffic with private or public IP will anyway be done through lo so this is probably not required
===Configure daemons to listen only to the IP-address of the mothersystem===
* ''openbsd-inetd:'' (not netkit-inetd) in file /etc/inetd.conf: Prepend the service with <IP pub>: Example
<IP pub>:cvspserver stream tcp nowait root /usr/sbin/tcpd /usr/sbin/cvs-pserver
* ''xinetd:'' (not inetd) in file /etc/xinetd.conf:
defaults
{ bind = <IP pub> }

/etc/init.d/xinetd restart
* ''sshd:'' in file /etc/ssh/sshd_config:
ListenAddress <IP pub>

/etc/init.d/ssh restart
* ''exim4:'' in file /etc/exim4/update-exim4.conf.conf:
dc_local_interfaces='<IP pub>'

/etc/init.d/exim4 restart
Better to do it through debconf to avoid surprises at update time: dpkg-reconfigure exim4-config
* ''courier-imap:'' in file /etc/courier/imapd:
ADDRESS=<IP pub>

/etc/init.d/courier-imap restart
* ''courier-imap-ssl:'' in file /etc/courier-ssl/imapd:
ADDRESS=<IP pub>

/etc/init.d/courier-imap-ssl restart
* ''imapproxy:'' in file /etc/imapproxy.conf:
listen_address <IP pub>
Within a vserver, you'll probably hav to reduce the cache_size or give capability to the vserver to raise the setrlimit.
* ''mysql:'' in file /etc/mysql/my.cnf:
bind-address = <IP pub>
* ''vsFtpd:'' in file /etc/vsftpd.conf:
listen_address=<IP pub>
* ''postgresql:'' in file /etc/postgresql/postgresql.conf:
virtual_host = '<IP pub>'
* ''apache2:'' in file /etc/apache2/ports.conf:
Listen <IP pub>:80
* ''zope2.9:'' in file /etc/zope2.9/<instance>/zope.conf:
ip-address <IP pub>
* ''portmap:'' in file /etc/default/portmap:
OPTIONS="-i <IP pub/loopback>"
* ''dnsmasq:'' in file /etc/dnsmasq.conf:
listen-address=<IP pub>
bind-interfaces
* netstat -lp -> other greedy daemons?
* Seems that this is possible via another method, here it will bind the daemon to the first IP of the interface: exec /usr/sbin/chbind --ip eth0 /path/to/daemon
===Add an interface without rebooting the vserver===
* add the ip to the host (ip addr add ...)
* add the ip to the guest's network context
# naddress --add --nid <nid> --ip <ip>/<mask>
* enter the guest (best via ssh)
* restart the services if required (most services will automatically start using the new addresses)
* update the config to reflect the changes for the next guest restart (if desired)
Thanks Herbert!
==Understanding vservers==
===Security contextes===
* Find security context of process N:
chcontext --ctx 1 cat /proc/N/status|grep s_context
* Be in the same context:
chcontext --ctx X /bin/sh
* Master context: 1, example to get all listening ports:
chcontext --ctx 1 netstat -lpn
See also [http://www.solucorp.qc.ca/miscprj/s_context.hc Virtual private servers and security contexts]
===Ceiling capabilities===
* As non-root, check capBset:
cat /proc/self/status
* Reduce ceiling caps:
reducecap --secure /bin/sh
* Now capBset is reduced:
cat /proc/self/status
su
* capEff raised a bit but not enough to do for example /sbin/ifconfig eth0 down
* See also [Capabilities in Linux|http://www.lids.org/lids-howto/node34.html]

==Security==
Not necessarily related to vserver but always useful to consider :-)
*ssh
**Use the AllowUsers option to give ssh rights only to those who need it.
**Brute-force protection: apt-get install denyhosts Edit /etc/denyhosts.conf to get email reports Un case someone forgot his pwd and got banned, to remove the ban directly: remove it from /var/lib/denyhosts files and /etc/hosts.deny of course
*iptables (on the host)
**cf --uid-owner and other --XXX-owner options on OUTPUT table to avoid download of malicious code on INPUT table to avoid bindshells
*resource limits
** cpu/mem

===GrSec===
* http://pax.grsecurity.net/
* http://people.linux-vserver.org/~harry/_README_
* http://www.zataz.net/docs/8024/introduction-grsecurity.html
* http://linux-vserver.org/grsecurityHowto
* http://ludit.kuleuven.be/software/vserver/_README_
apt-get install paxctl gradm2

==Iptables Proxy==
* http://www.virtuaserver.com.br/forum/viewtopic.php?t=130

==Other tricks==
* For other tweaks, see http://deb.riseup.net/vserver/usage/ :
** What if I accidentally removed a vserver while it was running?
** Howto convert legacy vservers to the new format
** Howto add an IP to a running vserver, without restarting it?
** Howto make the host interface and IP available in a vserver
** Howto impose disk limits in each vserver
* http://www.paul.sladen.org/vserver/faq
* [http://linux-vserver.org/ProblematicPrograms Problematic programs]

==TODO==
* http://www.nongnu.org/util-vserver/doc/conf/compatibility.html
* http://linux-vserver.derjohn.de/
* [VServer wiki|http://vserver.strahlungsfrei.de/tiki-index.php]
* [Administrator Guide|http://linux-vserver.org/linux-vserver_administrators_gide]
* [Debian newvserver|http://www.paul.sladen.org/vserver/debian/]
* [Howto Debian vserver|http://www.howtoforge.com/linux_vserver_debian]
* ?? apt-get install vlan
* ?? ipac-ng
* CPU limit
** http://linux-vserver.org/Linux-VServer-Paper-06
** http://list.linux-vserver.org/archive/vserver/msg08134.html
* BW limit
** http://lartc.org/howto/
* http://linux-vserver.org/HowTo+Read+ProcFS
* http://linux-vserver.org/HistoryList?full=1
* Publish Munin scripts
* http://linux-vserver.org/VServer+installation+Fedora+Core+5
* http://vserver.13thfloor.at/Experimental/
* http://www.archivesat.com/Linux-VServer/
* http://www.solucorp.qc.ca/miscprj/s_context.hc?s1=1&s2=0&s3=0&s4=0&full=0&prjstate=1&nodoc=0
* (fr) http://fr.wikibooks.org/wiki/Vserver

Vserver administration

2007-04-18T12:48:26Z

57.67.161.6: /* Change the vserver base path */

==Introduction==
Official homepage: [http://linux-vserver.org/ Linux VServer Project]

Good introduction:
* [http://linux-vserver.org/index.php?page=Linux-VServer-Paper Linux-VServer Technology]
* [http://linux-vserver.org/index.php?page=Linux-VServer-Paper-French La Technologie Linux-VServer]

Debian support:
apt-cache search vserver
kernel-patch-vserver - context switching virtual private servers - kernel patch
[http://www.nongnu.org/util-vserver/ util-vserver] - tools for Virtual private servers and context switching
vserver-debiantools - Tools to manage debian virtual servers

Misc:
* [http://www.lri.fr/~fragile/IMG/pdf/Quetier.pdf Benchmark Comparisons between UML, VMWare, vserver and Xen (pdf)]

==Kernel compilation==
===The Debian way===
I followed instructions given in
* /usr/share/doc/kernel-patch-vserver/README.Debian
* [http://linux-vserver.org/Step-by-Step+Guide+2.6 Step-by-step 2.6]
* [http://deb.riseup.net/vserver/preparing/ Debian vservers]
* [http://arnofear.free.fr/linux/vserver-1.php Debian and vserver, french howto]
* [http://lena.franken.de/linux/debian_and_vserver/ Debian and vserver]
<pre>
apt-get install kernel-patch-vserver linux-source-2.6.16 kernel-package fakeroot
cd /usr/src
tar xjf linux-source-2.6.16.tar.bz2
cd /usr/src/linux-source-2.6.16
cp config-2.6.16-1-amd64-k8 .config
export PATCH_THE_KERNEL=YES
make-kpkg --rootcmd fakeroot \
--revision custom01 \
--added-patches vserver \
--append-to-version +vserver \
--initrd \
binary-arch
"Virtual root device support" -> **y**
"Legacy kernel API" -> y
"Show a Legacy Version ID" -> n
"Disable Legacy Networking Kernel API" -> n
"Enable Proc Security" -> y
"Enable Hard CPU Limits" -> y
"Limit the IDLE task" -> n
"Persistent Inode Context Tagging" -> UID24/GID24 (32/32 probably not yet supported on Reiserfs)
"Tag NFSD User Auth and Files" -> n
"VServer Debugging Code" -> n
</pre>
Install kernel and reboot
===Vanilla with GrSec, still the Debian way===
I used linux-2.6.17.14.tar.bz2 + patch-2.6.17.14-vs2.0.2.1-grsec2.1.9.diff
 and the config of the Debian kernel config-2.6.17-2-vserver-amd64
make oldconfig
I activated HARDCPU limits and misc PAX & GRSEC stuff ([http://people.linux-vserver.org/~harry/_README_ this page] can help):
<pre>
CONFIG_VSERVER_HARDCPU=y
CONFIG_VSERVER_HARDCPU_IDLE=y
CONFIG_PAX=y
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_HAVE_ACL_FLAGS=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CUSTOM=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODSTOP=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
</pre>
make-kpkg --rootcmd fakeroot --us --uc --initrd kernel-image
And I got a linux-image-2.6.17.14-grsec2.1.9-vs2.0.2.1_2.6.17.14-grsec2.1.9-vs2.0.2.1-10.00.Custom_amd64.deb
==Host preparation==
<pre>
apt-get install util-vserver vserver-debiantools
wget http://vserver.13thfloor.at/Stuff/SCRIPT/testme.sh
chmod +x testme.sh
./testme.sh
dd bs=1024k count=1024 if=/dev/zero of=1gb.test
modprobe loop
losetup /dev/loop0 ./1gb.test
./testfs.sh [ -F reiser ] -D /dev/loop0 -M /mnt
losetup -d /dev/loop0
modprobe -r loop
</pre>
There is no error at this point but as I'm using Reiserfs, I have to activate manually the extended attributes (for lsattr/chattr) by adding the following option to /etc/fstab lines: "attrs" (?? also option acl ??)
 Test: lsattr <mount point of a Reiserfs>
===Change the vserver base path===
* /etc/vservers/.defaults/vdirbase -> /var/lib/vservers
* I change it to /home/vservers, fix the above symlink
* Re-create the "chroot barrier": setattr --barrier /home/vservers%%%showattr /home -> B for vservers
* Some tools could have /var/lib/vservers hardcoded, for safety I create a symlink /var/lib/vservers pointing to /home/vservers

==Manipulating vservers==
===Create a vserver===
Edit /etc/vservers/newvserver-vars:
<pre>
# cf http://amd64.debian.net/README.mirrors.html
MIRROR="http://ftp.belnet.be/debian-amd64/debian"
INTERFACE="<my_if>"
ARCH="amd64"
</pre>
Create a vserver with 64bits:
LANG=C newvserver --hostname template64 --domain teuwen.org --ip <new_ip>/24 --dist etch
Create a vserver with 32bits emulation:
LANG=C newvserver --hostname template32 --domain teuwen.org --ip <new_ip>/24 --dist etch --arch i386 --mirror "http://<i386_debian_mirror>"
Tuning:
* take care of the config duplication!
* enter the vserver and run tzconfig to choose the proper timezone
* fix /etc/apt/sources.list
* delete rcX.d links to umountroot
* Warning! If you use newvserver as such, it will overwrite the host /etc/motd due to a symlink
* See [Vserver tools] for a patch for newvserver
Removing unnecessary progs (check if you really don't need them!!):
* aptitude apt-utils base-config cpio dselect tasksel libncursesw5 libsigc++-1.2-5c2 libsigc++-2.0-0c2a
* dmidecode laptop-detect module-init-tools
* bsdmainutils ed nano nvi
* groff-base man-db manpages info libgdbm3
* netcat traceroute wget libssl0.9.8
* gettext-base libconsole libgnutls11 liblzo2-2 libtasn1-2-bin

===Automatic start at bootup===
echo default > /etc/vservers/<my_vserver>/apps/init/mark
Note that at shotdown all vservers will be stopped
===Delete a vserver===
Remove dirs /home/vservers/<my_vserver> (depends on the setting of vdirbase, cf. above), /etc/vservers/<my_vserver> and /var/run/vservers/<my_vserver> and the corresponding symlink in /var/run/vservers.rev
===Config of a vserver===
''TODO''
?? /etc/vservers/<my_vserver>.conf
?? S_CAPS
see [http://www.nongnu.org/util-vserver/doc/conf/configuration.html Detailed config page (better choosing boring CSS...)]
===Run a vserver===
vserver <my_vserver> start
vserver <my_vserver> enter
If you get "mesg: /dev/pts/1: Operation not permitted", be root on the host with "su -"
vserver <my_vserver> stop
===Other tools===
vserver <my_vserver> status
vserver-stat
vtop, vps, vpstree, vkill
/etc/rc.d/init.d/rebootmgr is a daemon which can be called from vservers via vreboot and vhalt to stop/restart the vserver from inside

See also [http://www.nongnu.org/util-vserver/doc/conf/compatibility.html compatibility of util-vserver alpha branch]

See [[Vserver tools]] for my own/modified scripts

===Duplicate a vserver===
vserver <my_vserver1> stop
dupvserver --from <my_vserver1> --to <my_vserver2> --ip <new_ip>
dupvserver is broken with the new configuration structure /etc/vservers/<my_vserver>/
 See [[Vserver tools]] for a patch for dupvserver
===Move/copy a vserver===
Basically stop the vserver and copy /etc/vservers/<my_vserver> and /home/vservers/<my_vserver>
 E.g. rsync -e ssh -avHl /vservers/XX new-server:/vserver/XX
==Share directories==
To mount a directory from one vserver into another from the host:
vnamespace -e <vserver> mount --rbind /directory/to/mount/somewhere /where/to/mount/it
vnamespace -e <vserver> umount /where/it/was/mounted

or
mount --bind /home /var/lib/vservers/vserver1/home
mount --bind /home /var/lib/vservers/vserver2/home
The second method had the disavantage to require a reboot of the vserver
==Apt-get==
LANG=C vapt-get <my_vserver1> <my_vserver2> <...> -- install <pkg1> <pkg2>
==Unify==
cf immutable-linkage-invert flag

Preparation:
mkdir /etc/vservers/template64/apps/vunify
mkdir /etc/vservers/<my_vserver>/apps/vunify
ln -s /etc/vservers/template64 /etc/vservers/<my_vserver>/apps/vunify/refserver.template64
Unification:
 Be sure both vservers are running
vserver <my_vserver> unify [-n] [-R]
-n for dry run, no change
 -R for de-unifying

When using tar, add option -U to unlink & recreate files instead of overwriting.
 Manual set/unset of the immutable-linkage-invert flag:
setattr --iunlink /my/file
setattr --~iunlink /my/file
==Disk limits==
cf http://linux-vserver.org/Disk+Limits

* Assign static contexts for the vservers (i.e. have a value between 2 and 49151 in /etc/vservers/<name>/context)
* Mount the filesystem holding the vserver(s) with the tagxid option
** Check if this is mounted properly: use cat /proc/mounts Ex.: /dev/mapper/Zeus-home /home reiserfs rw,tagxid 0 0
** WARNING: if the filesystem is already in use with vservers, nothing prevent you to umount the filesystem while the vservers are still running, which is VERY BAD! Be careful.
** I could only get the tagxid taken properly into account after a reboot
* Change the xid of already existing files:
chxid -c <my_vserver> -R /home/vservers/<my_vserver>
* Set limits, first method: here limit to 5Gb, 100000 inodes and 5% for the root user For info as I could not get it working properly yet
mkdir /var/cache/vservers
ln -s /var/cache/vservers /etc/vservers/.defaults/cachebase
mkdir /etc/vservers/.defaults/cachebase/<my_server>
ln -s /etc/vservers/.defaults/cachebase/<my_server> /etc/vservers/<my_server>/cache
mkdir -p /etc/vservers/<my_vserver>/dlimits/0
echo /home/vservers/<my_vserver> > /etc/vservers/<my_vserver>/dlimits/0/directory
echo $(( 5 * 1024 * 1024 )) > /etc/vservers/<my_vserver>/dlimits/0/space_total
echo 100000 > /etc/vservers/<my_vserver>/dlimits/0/inodes_total
echo 5 > /etc/vservers/<my_vserver>/dlimits/0/reserved
* Set limits, second method:
** Install my vdlimit_ script in /usr/local/sbin: [[Vserver tools]]
ln -s /usr/local/sbin/vdlimit_ /etc/vservers/<my_vserver>/scripts/post-start.d/vdlimit_$((5*1024))
==Network==
===Intern network===
For pure loopback, use dummy interface, cf http://mirabellug.org/wikini/wakka.php?wiki=VServers

For usable dummy interface, us permanent taps as the uml tools allow:
apt-get install uml-utilities
* Create a pseudo-interface:
<pre>
auto tap0
iface tap0 inet static
address 192.168.2.1
netmask 255.255.255.0
tunctl_user uml-net
</pre>
And configure vservers with the same dev=tap0

Update: to check but actually all traffic with private or public IP will anyway be done through lo so this is probably not required
===Configure daemons to listen only to the IP-address of the mothersystem===
* ''openbsd-inetd:'' (not netkit-inetd) in file /etc/inetd.conf: Prepend the service with <IP pub>: Example
<IP pub>:cvspserver stream tcp nowait root /usr/sbin/tcpd /usr/sbin/cvs-pserver
* ''xinetd:'' (not inetd) in file /etc/xinetd.conf:
defaults
{ bind = <IP pub> }

/etc/init.d/xinetd restart
* ''sshd:'' in file /etc/ssh/sshd_config:
ListenAddress <IP pub>

/etc/init.d/ssh restart
* ''exim4:'' in file /etc/exim4/update-exim4.conf.conf:
dc_local_interfaces='<IP pub>'

/etc/init.d/exim4 restart
Better to do it through debconf to avoid surprises at update time: dpkg-reconfigure exim4-config
* ''courier-imap:'' in file /etc/courier/imapd:
ADDRESS=<IP pub>

/etc/init.d/courier-imap restart
* ''courier-imap-ssl:'' in file /etc/courier-ssl/imapd:
ADDRESS=<IP pub>

/etc/init.d/courier-imap-ssl restart
* ''imapproxy:'' in file /etc/imapproxy.conf:
listen_address <IP pub>
Within a vserver, you'll probably hav to reduce the cache_size or give capability to the vserver to raise the setrlimit.
* ''mysql:'' in file /etc/mysql/my.cnf:
bind-address = <IP pub>
* ''vsFtpd:'' in file /etc/vsftpd.conf:
listen_address=<IP pub>
* ''postgresql:'' in file /etc/postgresql/postgresql.conf:
virtual_host = '<IP pub>'
* ''apache2:'' in file /etc/apache2/ports.conf:
Listen <IP pub>:80
* ''zope2.9:'' in file /etc/zope2.9/<instance>/zope.conf:
ip-address <IP pub>
* ''portmap:'' in file /etc/default/portmap:
OPTIONS="-i <IP pub/loopback>"
* ''dnsmasq:'' in file /etc/dnsmasq.conf:
listen-address=<IP pub>
bind-interfaces
* netstat -lp -> other greedy daemons?
* Seems that this is possible via another method, here it will bind the daemon to the first IP of the interface: exec /usr/sbin/chbind --ip eth0 /path/to/daemon
===Add an interface without rebooting the vserver===
* add the ip to the host (ip addr add ...)
* add the ip to the guest's network context
# naddress --add --nid <nid> --ip <ip>/<mask>
* enter the guest (best via ssh)
* restart the services if required (most services will automatically start using the new addresses)
* update the config to reflect the changes for the next guest restart (if desired)
Thanks Herbert!
==Understanding vservers==
===Security contextes===
* Find security context of process N:
chcontext --ctx 1 cat /proc/N/status|grep s_context
* Be in the same context:
chcontext --ctx X /bin/sh
* Master context: 1, example to get all listening ports:
chcontext --ctx 1 netstat -lpn
See also [http://www.solucorp.qc.ca/miscprj/s_context.hc Virtual private servers and security contexts]
===Ceiling capabilities===
* As non-root, check capBset:
cat /proc/self/status
* Reduce ceiling caps:
reducecap --secure /bin/sh
* Now capBset is reduced:
cat /proc/self/status
su
* capEff raised a bit but not enough to do for example /sbin/ifconfig eth0 down
* See also [Capabilities in Linux|http://www.lids.org/lids-howto/node34.html]

==Security==
Not necessarily related to vserver but always useful to consider :-)
*ssh
**Use the AllowUsers option to give ssh rights only to those who need it.
**Brute-force protection: apt-get install denyhosts Edit /etc/denyhosts.conf to get email reports Un case someone forgot his pwd and got banned, to remove the ban directly: remove it from /var/lib/denyhosts files and /etc/hosts.deny of course
*iptables (on the host)
**cf --uid-owner and other --XXX-owner options on OUTPUT table to avoid download of malicious code on INPUT table to avoid bindshells
*resource limits
** cpu/mem

===GrSec===
* http://pax.grsecurity.net/
* http://people.linux-vserver.org/~harry/_README_
* http://www.zataz.net/docs/8024/introduction-grsecurity.html
* http://linux-vserver.org/grsecurityHowto
* http://ludit.kuleuven.be/software/vserver/_README_
apt-get install paxctl gradm2

==Iptables Proxy==
* http://www.virtuaserver.com.br/forum/viewtopic.php?t=130

==Other tricks==
* For other tweaks, see http://deb.riseup.net/vserver/usage/ :
** What if I accidentally removed a vserver while it was running?
** Howto convert legacy vservers to the new format
** Howto add an IP to a running vserver, without restarting it?
** Howto make the host interface and IP available in a vserver
** Howto impose disk limits in each vserver
* http://www.paul.sladen.org/vserver/faq
* [http://linux-vserver.org/ProblematicPrograms Problematic programs]

==TODO==
* http://www.nongnu.org/util-vserver/doc/conf/compatibility.html
* http://linux-vserver.derjohn.de/
* [VServer wiki|http://vserver.strahlungsfrei.de/tiki-index.php]
* [Administrator Guide|http://linux-vserver.org/linux-vserver_administrators_gide]
* [Debian newvserver|http://www.paul.sladen.org/vserver/debian/]
* [Howto Debian vserver|http://www.howtoforge.com/linux_vserver_debian]
* ?? apt-get install vlan
* ?? ipac-ng
* CPU limit
** http://linux-vserver.org/Linux-VServer-Paper-06
** http://list.linux-vserver.org/archive/vserver/msg08134.html
* BW limit
** http://lartc.org/howto/
* http://linux-vserver.org/HowTo+Read+ProcFS
* http://linux-vserver.org/HistoryList?full=1
* Publish Munin scripts
* http://linux-vserver.org/VServer+installation+Fedora+Core+5
* http://vserver.13thfloor.at/Experimental/
* http://www.archivesat.com/Linux-VServer/
* http://www.solucorp.qc.ca/miscprj/s_context.hc?s1=1&s2=0&s3=0&s4=0&full=0&prjstate=1&nodoc=0
* (fr) http://fr.wikibooks.org/wiki/Vserver

Linux Certification

2007-03-08T08:35:35Z

57.67.161.6: /* Try yourself */

===[http://www.lpi.org Linux Professional Institute]===

See also [http://en.wikipedia.org/wiki/Linux_Professional_Institute On Wikipedia]

====Objectives====
* [http://www.lpi.org/en/lpi/english/certification/the_lpic_program/exam_101_detailed_objectives Detailed objectives for exam 101]
* [http://www.lpi.org/en/lpi/english/certification/the_lpic_program/exam_102_detailed_objectives Detailed objectives for exam 102]
====Books====
* [http://www.amazon.co.uk/gp/product/0789722895/ LPIC Linux Level 1, Test 1 (Cheat Sheet S.) (Paperback) ] 352 pages
* [http://www.amazon.co.uk/gp/product/3937514023 LPIC-1. (Hardcover)]
* [http://www.amazon.co.uk/gp/product/0764547720 LPIC1 Certification Bible (Paperback)] 880 pages
* [http://www.amazon.co.uk/gp/product/0789731274 LPIC I Exam Cram 2: Exam 101, 102 (Exam Cram 2 S.) (Paperback)] 588 pages, said to be up-to-date, [http://www.examcram2.com/bookstore/product.asp?isbn=0789731274&rl=1 official website]
* [http://www.amazon.co.uk/gp/product/1565927486 LPI Linux Certification in a Nutshell (Paperback)] 576 pages [http://www.amazon.co.uk/gp/product/0596005288 New edition in July 2006] current edition is largely outdated
* [http://www.amazon.co.uk/gp/product/078214425X LPIC-1: Linux Professional Institute Certification: Study Guide (Level 1 Exams 101 and 102) (Paperback)] 656 pages

====Courses====
* http://www.linuxcertified.com/linux-courseware.html
* http://www.lynuxtraining.com/formations/index.html#3
* http://www.ibm.com/Search/?q=lpic-1&v=11&lang=en&cc=us&en=utf&Search.x=0&Search.y=0&Search=Search
* http://www.sybex.com/WileyCDA/SybexTitle/productCd-078214425X,navId-291002,pageCd-resources.html
* http://www.bradfordlearning.com/cgi-bin/Item.cgi?action=ShowCategory&category=certification16&item=34
====Tutorials====
* http://www.ibm.com/developerworks/linux/lpi/index.html Seems impossible to register for now...
** [http://www.google.fr/search?hl=fr&q=ibm.com%2FdeveloperWorks+filetype%3Apdf+intitle%3Alpi&btnG=Rechercher&meta= Search for copies on Google]
** e.g. here: http://www.eastbayimprov.com/dave/ux/linuxstudy/
* http://en.wikibooks.org/wiki/LPI_Linux_Certification
* http://en.wikibooks.org/wiki/Learning_the_vi_editor
* http://en.wikibooks.org/wiki/Category:Linux

====Centers====
Among others Telindus Leuven can offer this certification
* http://www.vue.com/servlet/vue.web2.core.Dispatcher?webContext=CandidateSite&webApp=TestCenterLocator&requestedAction=register&cid=117
* http://www.jcacademy.be/testingCentre/_fr/index.asp
First register to LPI:
* http://www.lpi.org/en/lpi/english/certification/register_now
Then to PearsonVue with your LPI ID (visible in Candidate Overview after registration to LPI)
* +32 16 38 28 18 (Telindus)
* https://wsvprd1b.pearsonvue.com/obtainlogin/
* Select "IT certification" / "Linux Professional Institute Testing"

===Try yourself===
Simulators:
* http://www.linux-praxis.de/lpisim/lpi.html
* http://www.ph-home.de/linux-test/lpi-1/index.php

Here are "clean" test questions copied from the LPI site but without the answers and fuzzed (on LPI the right answer is always the first!) so you can really try them and then check the answers on the LPI website.

====LPIC-1 101 Sample questions====
<pre>
OBJECTIVE: 1.3.1 TYPE: mc
If you wanted to turn off mail notification, what command would you use?

mesg n
mesg off
biff n
notify off
set notify=off

OBJECTIVE: 1.3.1 TYPE: mcma
Which of these commands could you use to show one page of output at a time?

more
sed
pause
less
grep

OBJECTIVE: 1.3.3 TYPE: mcma
Which commands will give you information about how much disk space each file in the current directory uses?

ls
ls -l
ls -a
ls -la
du .

OBJECTIVE: 1.3.4 TYPE: mc
What command would send the output of cmd1 to the input of cmd2?

cmd1 cmd2
cmd1 ; cmd2
cmd1 | cmd2
cmd1 || cmd2
cmd1 && cmd2

Top OBJECTIVE: 1.3.5 TYPE: mc
Under the bash shell, when a command is running, pressing control-Z will usually

adds an EOF to the file.
suspend the foreground task.
kill the command running in the foreground
move the foreground task into the background
log the user off

OBJECTIVE: 1.8.1 TYPE: mc
What is the 'man' command used for?

it is the replacement for the 'boy' command
it is a standard alias to 'ls -la | more'
it is used to display formatted html pages
to display information about the syntax for a command

OBJECTIVE: 2.11.1 TYPE: fitb
In which file might you find the following entry: root:x:0:0::/root:/bin/bash

OBJECTIVE: 2.11.1 TYPE: fitb
As root, what command would you type to initiate a password change for user larry?

OBJECTIVE: 2.11.2 TYPE: mc
Under the bash shell which is the most appropriate place to set environment variables that apply to all users?

rc.local
rc.sysinit
/etc/skel
/etc/profile
/etc/bashrc

OBJECTIVE: 2.11.4 TYPE: mc
Which statement describes the cron daemon?

Manages all incoming connections and spawns off child processes
Is responsible for file sharing across a network
Manages scheduling of routine system tasks
Manages the printing subsystem
Keeps track of system messages and errors

OBJECTIVE: 2.4.1 TYPE: mcma
Which of the following are valid block devices on most default linux distributions?

loopback devices
serial ports
virtual terminals
tape devices
hard disks

OBJECTIVE: 2.4.2 TYPE: mc
How can you best see how much free space you have in your current directory?

Use df
Use df .
Use df /
Use du .
Use du /

OBJECTIVE: 2.4.5 TYPE: fitb
Which command would you use to alter the permissions of a file (do not give any parameters)

OBJECTIVE: 2.4.8 TYPE: mc
Which command will update the slocate database as a background process?

updatedb &
slocate --start &
slocate --update &
slocate --updatedb &
slocatedb

OBJECTIVE: 2.6.2 TYPE: mc
Having booted into run level 3, how would you change to run level 5 without rebooting?

startx
run 5
ALT-F7-5
setinit 5
telinit 5
</pre>
Check the solutions on http://www.lpi.org/en/lpi/english/certification/the_lpic_program/exam_101_tasks_and_sample_questions

====LPIC-1 102 Sample questions====
<pre>
OBJECTIVE: 1.1.1 TYPE: mc
which command is used to change settings on IDE hard disk drives?

diskparm
hdparam
hdparm
hddparm
ideconfig

OBJECTIVE: 1.12.1 TYPE: mc
Your logfile shows repeated connections to TCP port 143. Which named service is being accessed?

imap
smbd
nmbd
pop2
smtp

OBJECTIVE: 1.12.1 TYPE: fitb
What type of packet does an IP ping use (provide acronym)?

OBJECTIVE: 1.12.2 TYPE: mc
To learn more about the management of an internet site the best utility to use would be:

ping
rpcdump
telnet
traceroute
whois

OBJECTIVE: 1.12.3 TYPE: mc
If you had a Linux system routing 3 different Networks through 3 NICs and you were having trouble with your IP-Forwarding. Where would you look to ensure that IP-Forwarding is actually enabled?

iptraf -d eth0
cat /proc/net/tcp
cat /proc/sys/net/ipv4/ip_forward
netstat
tail -f /var/log/messages

OBJECTIVE: 1.13.1 TYPE: mc
What file is used for associating port numbers to port names.

/etc/hosts
/etc/inetd.conf
/etc/ports
/etc/securetty
/etc/services

OBJECTIVE: 1.13.4 TYPE: mc
You want to make the directory /local available via NFS. All users on your local network should be allowed to read and write files. Which of the following is correct, assuming that your local network is 192.168.1.0, and your machine is part of the DNS domain foobar.com?

192.168.1.0 /local
/local 192.168.1.0(rw)
/local 192.168.1.0/255.255.255.0(rw)
/local *.com(rw)

Top OBJECTIVE: 1.14.1 TYPE: fitb
Which file can you create to prevent non-root users from logging into the system? (specify path and filename)

OBJECTIVE: 1.14.2 TYPE: fitb
What command can be used to display a formatted output of the wtmp file? (no arguments)

OBJECTIVE: 1.14.3 TYPE: fitb
Which command can be executed by a user who is already logged into the system, in order to change to the root user? (type the command without any parameters)

OBJECTIVE: 1.7.2 TYPE: mc
To cause a particular print job to be printed next, regardless of its current position in the queue, what command would be used?

lpc topq
lpc -t
lpq -t
lpq --next
lpc move

OBJECTIVE: 1.7.2 TYPE: mc
Which statement describes the LPD daemon?

Manages all incoming connections and spawns off child processes
Is responsible for file sharing across a network
Manages scheduling of routine system tasks
Manages the printing subsystem
Keeps track of system messages and errors

OBJECTIVE: 2.10.4 TYPE: mc
When configuring a terminal for X what does the -fn switch do?

It sets the terminal's default function.
It places the terminal in the foreground on your screen.
It sets the terminal's initial value to false.
It sets the terminal's initial display to reverse video.
It sets the font size and or type for the terminal.

OBJECTIVE: 2.2.1 TYPE: mc
What command(s) do you use to create swap space?

activeswap
initswap
mkfs -t swap
mkswap
swapon

OBJECTIVE: 2.2.3 TYPE: fitb
Type the full command you could use to decompress the file "foo.gz"

decompress foo.gz
gzip -d foo.gz
gunzip -d foo.gz
gunzip foo.gz
unzip foo.gz

OBJECTIVE: 2.2.5 TYPE: mc
How can you add package information from a file Packages to the database of available Debian packages?

dpkg --merge-avail Packages
dpkg --record-avail Packages
dpkg --update-avail Packages
dpkg -U Packages

OBJECTIVE: 2.2.6 TYPE: mc
You need to find out which package owns a file called /etc/paper.config. Which command will answer this question?

rpm --requires /etc/paper.config
rpm -Fq /etc/paper.config
rpm -q /etc/paper.config
rpm -qa|grep /etc/paper.config
rpm -qf /etc/paper.config

</pre>

Check the solutions on http://www.lpi.org/en/lpi/english/certification/the_lpic_program/exam_102_tasks_and_sample_questions

Customizing Knoppix

2007-02-15T11:11:17Z

57.67.161.6:

===Versions currently supported===
Currently this document is written for Knoppix 5.0.1
 It also works with FCCU v11.0 CD

It has to be updated for 5.1.1 as aufs replaces unionfs

===Principle===
Knoppix is now based on Unionfs (cf [http://www.fsl.cs.sunysb.edu/project-unionfs.html here] or [http://www.filesystems.org/project-unionfs.html there])
 See [http://www.linux-live.org/unionfs/ this page]to discover and understand unionfs.

The goal of the setup is to get control on an environment constituted of an original Knoppix CD and a USB stick of our own.

Knoppix has already such setup foreseen but slightly differently.

Basic Knoppix CD boot ends up into an unionfs constituted of
* RAM (starts empty)
* Knoppix CD
so everything is modifiable on run-time but every reboots start again from fresh CD.

Knoppix has also the possiblity to create a script on a USB stick so that the setup becomes:
* Image on USB stick
* Knoppix CD
so everything is again modifiable but changes are kept across reboots.

The problem with such a solution is that the USB image tends to grow unavoidably with the inherent entropy of a system in use (mainly /tmp).

Here we will start from this setup but with the following layout:
* RAM (starts empty)
* Image on USB stick
* Knoppix CD
Now we combine advantages of both worlds: a fresh state at boot time but under our control.

===Creation===
====knoppix.sh====
USB stick will have to hold a customised version of the script available on the Knoppix under /usr/sbin/knoppix-image
 Customised because this is the whole goal of the operation, customising a Knoppix without remasterising the CD-Rom
 The script goes in the root of the USB stick and has to be named knoppix.sh, this is a must!
 Here is the diff between the original knoppix-image and our knoppix.sh script:
* Handle my_own.img image
* Skip the main user menu
* Call unionctl by ourselves and reroute /home through unionfs
<pre>
--- knoppix-image 2006-04-23 00:19:38.000000000 +0200
+++ knoppix.sh 2006-08-16 11:19:04.000000000 +0200
@@ -49,7 +49,7 @@
[ -z "$LANGUAGE" ] && export LANGUAGE
[ -z "$CHARSET" ] && export CHARSET

-IMAGE="$1"
+IMAGE="$1/my_own.img"
[ -n "$IMAGE" -a -f "$IMAGE" ] || { $DIALOG --title ERROR --msgbox "Usage: $0 imagefile" 8 55; bailout; }
[ "`id -u`" = "0" ] || { $DIALOG --title ERROR --msgbox "$0 must be run as in admin mode." 8 55; bailout; }

@@ -213,7 +213,9 @@
esac

SELECTION=""
-if $DIALOG --title "$TITLE" --timeout 20 --defaultno --checklist "$DESC1" 22 75 4 home "$MENU1" on system "$MENU2" on overwrite "$MENU3" off init "$MENU4" on 2>"$TMP"; then
+
+#if $DIALOG --title "$TITLE" --timeout 20 --defaultno --checklist "$DESC1" 22 75 4 home "$MENU1" on system "$MENU2" on overwrite "$MENU3" off init "$MENU4" on 2>"$TMP"; then
+if true 2>"$TMP"; then
# if $DIALOG --title "$TITLE" --timeout 20 --defaultno --checklist "$DESC1" 22 75 4 home "$MENU1" on 2>"$TMP"; then
SELECTION="$(<$TMP)"
rm -f "$TMP"
@@ -314,3 +316,15 @@
fi
;;
esac
+
+#My own changes: Add /home between CD-ROM and RAM
+unionctl /UNIONFS --add --after /ramdisk --mode ro /KNOPPIX.IMG
+
+#My own changes: Reroute /home via unionfs
+#Originally /home is a symlink to only the ramdisk as
+#there is no /home at all on the CD-ROM but we want to
+#have /home as union of ramdisk and our extra layer
+rm -f /home
+ln -s /UNIONFS/home /home
+
+#All My own customisation will be done from here:
</pre>

When later we will boot from the Knoppix CD, by giving the "myconf=scan" argument on the boot line, the CD will look for... a script called knoppix.sh
 From this script we mount a filesystem image with our changes, the image is an ext3 fs and the file is at the root of the USB stick, named my_own.img
====my_own.img====
Name can change but must be adapted consequently in the knoppix.sh script.

To create the image my_own.img:
 Create an empty file of the right size (here 10Mb)
$ dd if=/dev/zero of=my_own.img bs=1024 count=10240
Format it as ext3 (say yes when the system points out that you are about formatting a file instead of a partition)
$ mkfs -t ext3 my_own.img
Mount it in loopback mode somewhere (here /media/disk) as root
# mount -o loop my_own.img /media/disk
Place a file so we will be able to check if everything went right at next step:
# mkdir /media/disk/etc
# echo test > /media/disk/etc/my_own.txt
Umount the loopback image
# umount /media/disk
Reboot on the Knoppix with the boot command
knoppix myconf=scan

Now you can check the existence of a file /etc/my_own.txt, this will be the proof everything went well up to now.

===Customisation===
You can check the status of the unionfs we got so far by typing
# unionctl --list /UNIONFS
* /UNIONFS is the merged view through unionfs and, by symlinks, most of the view you get from / (try ls -al /)
* /ramdisk is the RAM layer, everything you do on / or /UNIONFS goes to RAM and will be lost next reboot, be careful!!
* /KNOPPIX is the read-only content of the CD, mounted through a decompression layer (that's how you get gigs of files on a CD) If you boot from the DVD there is also a /KNOPPIX2, this is just because the DVD filesystem could not hold files of more than 2G (they are under /cdrom/KNOPPIX/)
* Between /ramdisk and /KNOPPIX is /KNOPPIX.IMG, this is our customisation layer. Through unionfs, this layer is set as read-only so all modifications will always go to RAM. To modify stuffs in the customisation layer, you have to do it via /KNOPPIX.IMG which is mounted with r/w accesses

So, a priori, every new or changed file has simply to be inserted in the /KNOPPIX.IMG layer

===Exceptions===
Note that unionfs seems to feature a caching system because sometimes changes done via /KNOPPIX.IMG do not appear through unionfs and a reboot could be required

====/home====
This directory is not present on the CD and is created on-the-fly.
 Originally it is even not part of unionfs but only in /ramdisk but our knoppix.sh script rerouted it through unionfs.
 So adding new files can be done simply by adding files (! owner and permissions) to /KNOPPIX.IMG/home/knoppix.
 Modifying file to be created later on-the-fly is much more tricky.
 These modifications have to be done via the knoppix.sh script.
 We have first to understand when the knoppix.sh is executed:
 The script is called by /etc/init.d/knoppix-autoconfig but most of the /home will be created later, by /etc/X11/Xsession.d/45xsession from /etc/skelfrom /etc/skel, /etc/sysconfig and /usr/share/knoppix and from the script itself.
 One way could be to simply replace the 45xsession script by ours but this would break probably any tentative to run the next Knoppix version with our setup so it is better to change as few things as possible.

====Drivers====
Hardware was already discovered and drivers were already loaded when our script is called.
 Depending of the driver some specific actions will have to be taken.
 The driver must be compiled for the kernel used in the Knoppix CD.
 For version 5.0.1 the kernel tree of the CD is broken and if this is not impossible to compile a driver from the CD this is extremely challenging.
 The DVD version contains the full kernel source tree so drivers should be compiled against the DVD (which runs the same kernel), this will save a lot of effort.
* The driver file should be copied to /KNOPPIX.IMG/lib/modules/...
* A call to depmod is required to generate new symbol tables and those will have also to be copied to /KNOPPIX.IMG/lib/modules/...
* If the driver did not exist on the CD, then we can simply load manually the driver with a modprobe from our script.
* If the system relies on udev to set automatically some rights or whatever and if udev rules were added, then it is wise to restart udev from knoppix.sh script so that next time the hardware is plugged these rules will be effective.
* If the driver is an updated version of an existing driver on the CD then things are slightly more complex: All drivers loaded during the boot are copied for a mysterious reason to /ramdisk So before calling depmod, better first to overwrite the old driver with the new one in /ramdisk The procedure will then be, from the knoppix.sh script: rmmod the driver, overwrite the old version with the new one in /ramdisk, modprobe the new one.

===Exception examples===
====New driver====
Here this is the case of a new driver, not available on the original Knoppix CD
 Install the compiled driver under /KNOPPIX.IMG/lib/modules/2.6.17/kernel/drivers/...
 Execute depmod and copy new /ramdisk/lib/modules/2.6.17/modules.* to /KNOPPIX.IMG
 If there are configuration files, simply copy them to /KNOPPIX.IMG/etc
 E.g. /KNOPPIX.IMG/etc/udev/rules.d/my_driver.rules

Then, we have to append the following to our knoppix.sh script:
* restarting udev so that it is aware of the new driver (for subsequent hotpluggings of the hardware)
* loading manually the driver (in case the hardware was already plugged when the Knoppix booted)
# My driver
/etc/init.d/udev restart
modprobe my_module

====New shared library====
Install the new lib and its symlink under /KNOPPIX.IMG/usr/local/lib
 Regenerate the lib cache with ldconfig and copy it from /etc/ld.so.cache to /KNOPPIX.IMG/etc/

====Fixing a driver====
Here this is the case of a driver available on the original Knoppix CD but not with the last firmware update (rendering the driver unusable): ipw2200

Install the last firmware under /KNOPPIX.IMG/usr/lib/hotplug/firmware/ipw2200-*.fw

Then we have to append the following to our knoppix.sh script:
* Simply force reloading of the driver, which will look again for its firmware
# ipw2200 driver
if lsmod | grep -q ipw2200; then
rmmod ipw2200
modprobe ipw2200
fi

====Upgrading a driver====
Here this is the case of a driver available on the original Knoppix CD but we want e.g. to upgrade it or use a patched version.
 As said before, all drivers loaded during the boot are copied to /ramdisk so as we want to update them, we better have to update those in /ramdisk as well.
Install the compiled drivers under /KNOPPIX.IMG/lib/modules/2.6.17/kernel/drivers/... and /ramdisk/lib/modules/2.6.17/kernel/drivers/... and binaries under /KNOPPIX.IMG/usr/local/bin
 Execute depmod and copy new /ramdisk/lib/modules/2.6.17/modules.* to /KNOPPIX.IMG

Then we have to append the following to our knoppix.sh script:
* Copy the driver to /ramdisk as well
* Force reloading of the updated driver
# my new version of driver
# Note that loaded drivers were copied also to /ramdisk so we need to change them there
if lsmod | grep -q old_driver; then
rmmod old_drivers...
/bin/cp /KNOPPIX.IMG/lib/modules/2.6.17/kernel/drivers/net/* /ramdisk/lib/modules/2.6.17/kernel/drivers/net/
modprobe new_driver
fi

====Background customization====

This is a good example of the said tricky changes to perform in the /home
 Creation of the background has to be tracked in the booting scripts to understand where and what to change.

We put our new background in e.g. /home/knoppix/resources/my_background.png
 Then we have to append the following to our knoppix.sh script:
# Customize background
# This is tricky, /etc/init.d/knoppix-autoconfig defines $BACKGROUND
# in /etc/sysconfig/knoppix
# Then knoppix-autconfig is calling us
# and later /etc/X11/Xsession.d uses the value
# to patch /home/knoppix/.kde/share/config/kdesktoprc
# so we modify /etc/sysconfig/knoppix
sed -i 's#^BACKGROUND=.*#BACKGROUND="/UNIONFS/home/knoppix/resources/my_background.png"#' /etc/sysconfig/knoppix

====Software====
We could install the Debian package but this means having to bring hte new dpkg caches to the stick too.
 For small stuffs this is much easier just to extract the soft from the Debian package and install it in /usr/local
-> /KNOPPIX.IMG/usr/local/bin/my_soft (and the man page...)
This is better to take it fron the real Debian package as you benefit from the version control of dpkg and are sure you install a version compatible with the rest of the CD.

====Help====
Originally Knoppix prompts the user with an html help file open in a browser.
 To hook our own file instead we do the following:
* We put our own help page under /home/knoppix/resources/help.html
* We change the icon on the desktop /home/knoppix/Desktop/Help.desktop
[Desktop Entry]
Name=CERTIFICATION HELP
Exec=konqueror --geometry 850x600+85+70 file:/UNIONFS/home/knoppix/resources/help.html
Type=Application
Icon=html
Terminal=0
* We make sure the help file will be automatically open
ln -s /home/knoppix/Desktop/Help.desktop /KNOPPIX.IMG/home/knoppix/.kde/Autostart/showindex.desktop

====Misc icons====
Icons positions can be defined in /KNOPPIX.IMG/home/knoppix/.kde/share/apps/kdesktop/IconPositions
 Only position of new icons is required.
 Additional icons useful to get on /KNOPPIX.IMG/home/knoppix/Desktop:
 E.g. ethereal shortcut: "Exec=sudo ifconfig ath2 up; sudo ethereal -i ath2 -k -S -l"

Customizing Knoppix

2007-02-15T11:02:41Z

57.67.161.6:

'''WARNING this was written for Knoppix 5.0.1, has to be updated for 5.1.1 as aufs replaces unionfs'''

===Principle===
Knoppix is now based on Unionfs (cf [http://www.fsl.cs.sunysb.edu/project-unionfs.html here] or [http://www.filesystems.org/project-unionfs.html there])
 See [http://www.linux-live.org/unionfs/ this page]to discover and understand unionfs.

The goal of the setup is to get control on an environment constituted of an original Knoppix CD and a USB stick of our own.

Knoppix has already such setup foreseen but slightly differently.

Basic Knoppix CD boot ends up into an unionfs constituted of
* RAM (starts empty)
* Knoppix CD
so everything is modifiable on run-time but every reboots start again from fresh CD.

Knoppix has also the possiblity to create a script on a USB stick so that the setup becomes:
* Image on USB stick
* Knoppix CD
so everything is again modifiable but changes are kept across reboots.

The problem with such a solution is that the USB image tends to grow unavoidably with the inherent entropy of a system in use (mainly /tmp).

Here we will start from this setup but with the following layout:
* RAM (starts empty)
* Image on USB stick
* Knoppix CD
Now we combine advantages of both worlds: a fresh state at boot time but under our control.

===Creation===
====knoppix.sh====
USB stick will have to hold a customised version of the script available on the Knoppix under /usr/sbin/knoppix-image
 Customised because this is the whole goal of the operation, customising a Knoppix without remasterising the CD-Rom
 The script goes in the root of the USB stick and has to be named knoppix.sh, this is a must!
 Here is the diff between the original knoppix-image and our knoppix.sh script:
* Handle my_own.img image
* Skip the main user menu
* Call unionctl by ourselves and reroute /home through unionfs
<pre>
--- knoppix-image 2006-04-23 00:19:38.000000000 +0200
+++ knoppix.sh 2006-08-16 11:19:04.000000000 +0200
@@ -49,7 +49,7 @@
[ -z "$LANGUAGE" ] && export LANGUAGE
[ -z "$CHARSET" ] && export CHARSET

-IMAGE="$1"
+IMAGE="$1/my_own.img"
[ -n "$IMAGE" -a -f "$IMAGE" ] || { $DIALOG --title ERROR --msgbox "Usage: $0 imagefile" 8 55; bailout; }
[ "`id -u`" = "0" ] || { $DIALOG --title ERROR --msgbox "$0 must be run as in admin mode." 8 55; bailout; }

@@ -213,7 +213,9 @@
esac

SELECTION=""
-if $DIALOG --title "$TITLE" --timeout 20 --defaultno --checklist "$DESC1" 22 75 4 home "$MENU1" on system "$MENU2" on overwrite "$MENU3" off init "$MENU4" on 2>"$TMP"; then
+
+#if $DIALOG --title "$TITLE" --timeout 20 --defaultno --checklist "$DESC1" 22 75 4 home "$MENU1" on system "$MENU2" on overwrite "$MENU3" off init "$MENU4" on 2>"$TMP"; then
+if true 2>"$TMP"; then
# if $DIALOG --title "$TITLE" --timeout 20 --defaultno --checklist "$DESC1" 22 75 4 home "$MENU1" on 2>"$TMP"; then
SELECTION="$(<$TMP)"
rm -f "$TMP"
@@ -314,3 +316,15 @@
fi
;;
esac
+
+#My own changes: Add /home between CD-ROM and RAM
+unionctl /UNIONFS --add --after /ramdisk --mode ro /KNOPPIX.IMG
+
+#My own changes: Reroute /home via unionfs
+#Originally /home is a symlink to only the ramdisk as
+#there is no /home at all on the CD-ROM but we want to
+#have /home as union of ramdisk and our extra layer
+rm -f /home
+ln -s /UNIONFS/home /home
+
+#All My own customisation will be done from here:
</pre>

When later we will boot from the Knoppix CD, by giving the "myconf=scan" argument on the boot line, the CD will look for... a script called knoppix.sh
 From this script we mount a filesystem image with our changes, the image is an ext3 fs and the file is at the root of the USB stick, named my_own.img
====my_own.img====
Name can change but must be adapted consequently in the knoppix.sh script.

To create the image my_own.img:
 Create an empty file of the right size (here 10Mb)
$ dd if=/dev/zero of=my_own.img bs=1024 count=10240
Format it as ext3 (say yes when the system points out that you are about formatting a file instead of a partition)
$ mkfs -t ext3 my_own.img
Mount it in loopback mode somewhere (here /media/disk) as root
# mount -o loop my_own.img /media/disk
Place a file so we will be able to check if everything went right at next step:
# mkdir /media/disk/etc
# echo test > /media/disk/etc/my_own.txt
Umount the loopback image
# umount /media/disk
Reboot on the Knoppix with the boot command
knoppix myconf=scan

Now you can check the existence of a file /etc/my_own.txt, this will be the proof everything went well up to now.

===Customisation===
You can check the status of the unionfs we got so far by typing
# unionctl --list /UNIONFS
* /UNIONFS is the merged view through unionfs and, by symlinks, most of the view you get from / (try ls -al /)
* /ramdisk is the RAM layer, everything you do on / or /UNIONFS goes to RAM and will be lost next reboot, be careful!!
* /KNOPPIX is the read-only content of the CD, mounted through a decompression layer (that's how you get gigs of files on a CD) If you boot from the DVD there is also a /KNOPPIX2, this is just because the DVD filesystem could not hold files of more than 2G (they are under /cdrom/KNOPPIX/)
* Between /ramdisk and /KNOPPIX is /KNOPPIX.IMG, this is our customisation layer. Through unionfs, this layer is set as read-only so all modifications will always go to RAM. To modify stuffs in the customisation layer, you have to do it via /KNOPPIX.IMG which is mounted with r/w accesses

So, a priori, every new or changed file has simply to be inserted in the /KNOPPIX.IMG layer

===Exceptions===
Note that unionfs seems to feature a caching system because sometimes changes done via /KNOPPIX.IMG do not appear through unionfs and a reboot could be required

====/home====
This directory is not present on the CD and is created on-the-fly.
 Originally it is even not part of unionfs but only in /ramdisk but our knoppix.sh script rerouted it through unionfs.
 So adding new files can be done simply by adding files (! owner and permissions) to /KNOPPIX.IMG/home/knoppix.
 Modifying file to be created later on-the-fly is much more tricky.
 These modifications have to be done via the knoppix.sh script.
 We have first to understand when the knoppix.sh is executed:
 The script is called by /etc/init.d/knoppix-autoconfig but most of the /home will be created later, by /etc/X11/Xsession.d/45xsession from /etc/skelfrom /etc/skel, /etc/sysconfig and /usr/share/knoppix and from the script itself.
 One way could be to simply replace the 45xsession script by ours but this would break probably any tentative to run the next Knoppix version with our setup so it is better to change as few things as possible.

====Drivers====
Hardware was already discovered and drivers were already loaded when our script is called.
 Depending of the driver some specific actions will have to be taken.
 The driver must be compiled for the kernel used in the Knoppix CD.
 For version 5.0.1 the kernel tree of the CD is broken and if this is not impossible to compile a driver from the CD this is extremely challenging.
 The DVD version contains the full kernel source tree so drivers should be compiled against the DVD (which runs the same kernel), this will save a lot of effort.
* The driver file should be copied to /KNOPPIX.IMG/lib/modules/...
* A call to depmod is required to generate new symbol tables and those will have also to be copied to /KNOPPIX.IMG/lib/modules/...
* If the driver did not exist on the CD, then we can simply load manually the driver with a modprobe from our script.
* If the system relies on udev to set automatically some rights or whatever and if udev rules were added, then it is wise to restart udev from knoppix.sh script so that next time the hardware is plugged these rules will be effective.
* If the driver is an updated version of an existing driver on the CD then things are slightly more complex: All drivers loaded during the boot are copied for a mysterious reason to /ramdisk So before calling depmod, better first to overwrite the old driver with the new one in /ramdisk The procedure will then be, from the knoppix.sh script: rmmod the driver, overwrite the old version with the new one in /ramdisk, modprobe the new one.

===Exception examples===
====New driver====
Here this is the case of a new driver, not available on the original Knoppix CD
 Install the compiled driver under /KNOPPIX.IMG/lib/modules/2.6.17/kernel/drivers/...
 Execute depmod and copy new /ramdisk/lib/modules/2.6.17/modules.* to /KNOPPIX.IMG
 If there are configuration files, simply copy them to /KNOPPIX.IMG/etc
 E.g. /KNOPPIX.IMG/etc/udev/rules.d/my_driver.rules

Then, we have to append the following to our knoppix.sh script:
* restarting udev so that it is aware of the new driver (for subsequent hotpluggings of the hardware)
* loading manually the driver (in case the hardware was already plugged when the Knoppix booted)
# My driver
/etc/init.d/udev restart
modprobe my_module

====New shared library====
Install the new lib and its symlink under /KNOPPIX.IMG/usr/local/lib
 Regenerate the lib cache with ldconfig and copy it from /etc/ld.so.cache to /KNOPPIX.IMG/etc/

====Fixing a driver====
Here this is the case of a driver available on the original Knoppix CD but not with the last firmware update (rendering the driver unusable): ipw2200

Install the last firmware under /KNOPPIX.IMG/usr/lib/hotplug/firmware/ipw2200-*.fw

Then we have to append the following to our knoppix.sh script:
* Simply force reloading of the driver, which will look again for its firmware
# ipw2200 driver
if lsmod | grep -q ipw2200; then
rmmod ipw2200
modprobe ipw2200
fi

====Upgrading a driver====
Here this is the case of a driver available on the original Knoppix CD but we want e.g. to upgrade it or use a patched version.
 As said before, all drivers loaded during the boot are copied to /ramdisk so as we want to update them, we better have to update those in /ramdisk as well.
Install the compiled drivers under /KNOPPIX.IMG/lib/modules/2.6.17/kernel/drivers/... and /ramdisk/lib/modules/2.6.17/kernel/drivers/... and binaries under /KNOPPIX.IMG/usr/local/bin
 Execute depmod and copy new /ramdisk/lib/modules/2.6.17/modules.* to /KNOPPIX.IMG

Then we have to append the following to our knoppix.sh script:
* Copy the driver to /ramdisk as well
* Force reloading of the updated driver
# my new version of driver
# Note that loaded drivers were copied also to /ramdisk so we need to change them there
if lsmod | grep -q old_driver; then
rmmod old_drivers...
/bin/cp /KNOPPIX.IMG/lib/modules/2.6.17/kernel/drivers/net/* /ramdisk/lib/modules/2.6.17/kernel/drivers/net/
modprobe new_driver
fi

====Background customization====

This is a good example of the said tricky changes to perform in the /home
 Creation of the background has to be tracked in the booting scripts to understand where and what to change.

We put our new background in e.g. /home/knoppix/resources/my_background.png
 Then we have to append the following to our knoppix.sh script:
# Customize background
# This is tricky, /etc/init.d/knoppix-autoconfig defines $BACKGROUND
# in /etc/sysconfig/knoppix
# Then knoppix-autconfig is calling us
# and later /etc/X11/Xsession.d uses the value
# to patch /home/knoppix/.kde/share/config/kdesktoprc
# so we modify /etc/sysconfig/knoppix
sed -i 's#^BACKGROUND=.*#BACKGROUND="/UNIONFS/home/knoppix/resources/my_background.png"#' /etc/sysconfig/knoppix

====Software====
We could install the Debian package but this means having to bring hte new dpkg caches to the stick too.
 For small stuffs this is much easier just to extract the soft from the Debian package and install it in /usr/local
-> /KNOPPIX.IMG/usr/local/bin/my_soft (and the man page...)
This is better to take it fron the real Debian package as you benefit from the version control of dpkg and are sure you install a version compatible with the rest of the CD.

====Help====
Originally Knoppix prompts the user with an html help file open in a browser.
 To hook our own file instead we do the following:
* We put our own help page under /home/knoppix/resources/help.html
* We change the icon on the desktop /home/knoppix/Desktop/Help.desktop
[Desktop Entry]
Name=CERTIFICATION HELP
Exec=konqueror --geometry 850x600+85+70 file:/UNIONFS/home/knoppix/resources/help.html
Type=Application
Icon=html
Terminal=0
* We make sure the help file will be automatically open
ln -s /home/knoppix/Desktop/Help.desktop /KNOPPIX.IMG/home/knoppix/.kde/Autostart/showindex.desktop

====Misc icons====
Icons positions can be defined in /KNOPPIX.IMG/home/knoppix/.kde/share/apps/kdesktop/IconPositions
 Only position of new icons is required.
 Additional icons useful to get on /KNOPPIX.IMG/home/knoppix/Desktop:
 E.g. ethereal shortcut: "Exec=sudo ifconfig ath2 up; sudo ethereal -i ath2 -k -S -l"

Apache

2007-02-02T11:10:57Z

57.67.161.6: /* Enable reverse-proxy */

==Apache2==

===Activate ssl module===
a2enmod ssl
* Generate certificates, cf above or in short:
openssl req -config /etc/ssl/openssl.cnf -new -out mydomain.csr
openssl rsa -in privkey.pem -out mydomain.key
openssl x509 -in mydomain.csr -out mydomain.crt -req -signkey mydomain.key -days 3650
openssl x509 -in mydomain.crt -out mydomain.der.crt -outform DER
* Install mydomain.crt and mydomain.key in /etc/apache2/ssl/
cp /usr/share/doc/apache2/examples/ssl.conf.gz /etc/apache2/sites-available
gunzip ssl.conf.gz
mv ssl.conf mydomain_ssl
strip it... TODO
SSLCertificateFile /etc/apache2/ssl/mydomain.crt
SSLCertificateKeyFile /etc/apache2/ssl/mydomain.key
<VirtualHost my_ip:443>
* /etc/apache2/ports.conf:
Listen <my_ip>:443

ln -s /etc/apache2/sites-available/mydomain_ssl /etc/apache2/sites-enabled

===Enable reverse-proxy===
a2enmod rewrite
a2enmod proxy
a2enmod proxy_http
Personally I created a /etc/apache2/proxy-available and proxy-enabled directories with from the :443 VirtualHost an inclusion rule:
Include /etc/apache2/proxy-enabled/
First file to create is to initialize rewrite and proxy, e.g. /etc/apache2/proxy-enabled/000init -> /etc/apache2/proxy-available/init
RewriteEngine On
RewriteLog /var/log/apache2/rewrite.log
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
Example of rules:
<pre>
# Rules for https://foo.yobi.be

# Here this was a service that had to be called with the index.htm explicitely so we redirect the browser
RewriteCond %{HTTP_HOST} ^foo.yobi.be:?[0-9]*$
RewriteCond %{REQUEST_URI} ^/?$
RewriteRule ^/? /index.htm [R]
# Then the real rule:
RewriteCond %{HTTP_HOST} ^foo.yobi.be:?[0-9]*$
RewriteRule ^/(.*) http://twilight.zone/$1 [P]
ProxyPassReverse / http://twilight.zone/
</pre>
<pre>
# Rules for https://www.yobi.be/foo

# Here this was a service that had to be called with the index.htm explicitely so we redirect the browser
RewriteCond %{REQUEST_URI} ^/foo/?$
RewriteRule ^/foo/? /foo/index.htm [R]
# Then the real rule:
RewriteCond %{REQUEST_URI} ^/foo.*
RewriteRule ^/foo/(.*) http://twilight.zone/$1 [P]
ProxyPassReverse / http://twilight.zone/
</pre>

==Older notes==
===Activate a module===

* Find the module name, try
ls /usr/lib/apache/1.3/*.info|sed 's/^[^_]*_$.*$\.info/\1/'
* apache-modconf apache enable ''module name''
 E.g. apache-modconf apache enable libproxy

[http://www.apacheweek.com/features/reverseproxies Setup proxy HTTP1.1 with Apache 2]
* libapache2-mod-proxy-html

===These are very old notes===
* [[HtAccess]]
* [[ModMp3]]
* [[Webalizer]]
* [[AWFFull]]
====HTTPS====
cf LM53 p68
cd /opt/httpd/httpd/conf
# clef RSA:
mkdir ssl.key
cd ssl.key
openssl gensra -des3 -out server.key 1024
openssl rsa -in server.key -out server.key.unsecure
mv server.key server.key.encrypted
mv server.key.unsecure server.key
cd ..
# certificat (CSR):
mkdir ssl.csr
cd ssl.csr
openssl req -new -key ../ssl.key/server.key.encrypted -out server.csr
# ! CommonName = the exact name server following https://
cd ..
# clef RSA de la CA:
cd ssl.key
openssl gensra -des3 -out ca.key 1024
openssl rsa -in ca.key -out ca.key.unsecure
mv ca.key ca.key.encrypted
mv ca.key.unsecure ca.key
cd ..
# certificate x.509
mkdir ssl.crt
cd ssl.crt
openssl req -new -x509 -days 2002 -key ../ssl.key/ca.key.encrypted -out ca.crt
# ! CommonName = another name than yours
cd ..
# signature of certificate
mkdir tmp
cd tmp
cp ../ssl.key/*key .
cp ../ssl.crt/ca.crt .
cp ../ssl.csr/server.csr .
sh sign.sh server.csr
mv server.crt ../ssl.crt/

rm -rf tmp
cd ssl.crt
chmod 600 *

sign.sh: cf sources de mod_ssl, rep pkg.contrib
 /usr/share/doc/libapache-mod-ssl/examples/sign.sh
#!/bin/sh
##
## sign.sh -- Sign a SSL Certificate Request (CSR)
## Copyright (c) Ralf S. Engelschall, All Rights Reserved.
##

# argument line handling
CSR=$1
if [ $# -ne 1 ]; then
echo "Usage: sign.sign <whatever>.csr"; exit 1
fi
if [ ! -f $CSR ]; then
echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
*.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
* ) CERT="$CSR.crt" ;;
esac

# make sure environment exists
if [ ! -d ca.db.certs ]; then
mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
cp /dev/null ca.db.index
fi

# create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = .
certs = \$dir
new_certs_dir = \$dir/ca.db.certs
database = \$dir/ca.db.index
serial = \$dir/ca.db.serial
RANDFILE = \$dir/ca.db.rand
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOT

# sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt $CERT

# cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

# die gracefully
exit 0

Apache

2007-02-02T11:08:34Z

57.67.161.6:

==Apache2==

===Activate ssl module===
a2enmod ssl
* Generate certificates, cf above or in short:
openssl req -config /etc/ssl/openssl.cnf -new -out mydomain.csr
openssl rsa -in privkey.pem -out mydomain.key
openssl x509 -in mydomain.csr -out mydomain.crt -req -signkey mydomain.key -days 3650
openssl x509 -in mydomain.crt -out mydomain.der.crt -outform DER
* Install mydomain.crt and mydomain.key in /etc/apache2/ssl/
cp /usr/share/doc/apache2/examples/ssl.conf.gz /etc/apache2/sites-available
gunzip ssl.conf.gz
mv ssl.conf mydomain_ssl
strip it... TODO
SSLCertificateFile /etc/apache2/ssl/mydomain.crt
SSLCertificateKeyFile /etc/apache2/ssl/mydomain.key
<VirtualHost my_ip:443>
* /etc/apache2/ports.conf:
Listen <my_ip>:443

ln -s /etc/apache2/sites-available/mydomain_ssl /etc/apache2/sites-enabled

===Enable reverse-proxy===
a2enmod rewrite
a2enmod proxy
a2enmod proxy_http
Personally I created a /etc/apache2/proxy-available and proxy-enabled directories with from the :443 vserver an inclusion rule
Include /etc/apache2/proxy-enabled/
First file to create is to initialize rewrite and proxy, e.g. /etc/apache2/proxy-enabled/000init -> /etc/apache2/proxy-available/init
RewriteEngine On
RewriteLog /var/log/apache2/rewrite.log
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
Example of rules:
<pre>
# Rules for https://foo.yobi.be

# Here this was a service that had to be called with the index.htm explicitely so we redirect the browser
RewriteCond %{HTTP_HOST} ^foo.yobi.be:?[0-9]*$
RewriteCond %{REQUEST_URI} ^/?$
RewriteRule ^/? /index.htm [R]
# Then the real rule:
RewriteCond %{HTTP_HOST} ^foo.yobi.be:?[0-9]*$
RewriteRule ^/(.*) http://twilight.zone/$1 [P]
ProxyPassReverse / http://twilight.zone/
</pre>
<pre>
# Rules for https://www.yobi.be/foo

# Here this was a service that had to be called with the index.htm explicitely so we redirect the browser
RewriteCond %{REQUEST_URI} ^/foo/?$
RewriteRule ^/foo/? /foo/index.htm [R]
# Then the real rule:
RewriteCond %{REQUEST_URI} ^/foo.*
RewriteRule ^/foo/(.*) http://twilight.zone/$1 [P]
ProxyPassReverse / http://twilight.zone/
</pre>

==Older notes==
===Activate a module===

* Find the module name, try
ls /usr/lib/apache/1.3/*.info|sed 's/^[^_]*_$.*$\.info/\1/'
* apache-modconf apache enable ''module name''
 E.g. apache-modconf apache enable libproxy

[http://www.apacheweek.com/features/reverseproxies Setup proxy HTTP1.1 with Apache 2]
* libapache2-mod-proxy-html

===These are very old notes===
* [[HtAccess]]
* [[ModMp3]]
* [[Webalizer]]
* [[AWFFull]]
====HTTPS====
cf LM53 p68
cd /opt/httpd/httpd/conf
# clef RSA:
mkdir ssl.key
cd ssl.key
openssl gensra -des3 -out server.key 1024
openssl rsa -in server.key -out server.key.unsecure
mv server.key server.key.encrypted
mv server.key.unsecure server.key
cd ..
# certificat (CSR):
mkdir ssl.csr
cd ssl.csr
openssl req -new -key ../ssl.key/server.key.encrypted -out server.csr
# ! CommonName = the exact name server following https://
cd ..
# clef RSA de la CA:
cd ssl.key
openssl gensra -des3 -out ca.key 1024
openssl rsa -in ca.key -out ca.key.unsecure
mv ca.key ca.key.encrypted
mv ca.key.unsecure ca.key
cd ..
# certificate x.509
mkdir ssl.crt
cd ssl.crt
openssl req -new -x509 -days 2002 -key ../ssl.key/ca.key.encrypted -out ca.crt
# ! CommonName = another name than yours
cd ..
# signature of certificate
mkdir tmp
cd tmp
cp ../ssl.key/*key .
cp ../ssl.crt/ca.crt .
cp ../ssl.csr/server.csr .
sh sign.sh server.csr
mv server.crt ../ssl.crt/

rm -rf tmp
cd ssl.crt
chmod 600 *

sign.sh: cf sources de mod_ssl, rep pkg.contrib
 /usr/share/doc/libapache-mod-ssl/examples/sign.sh
#!/bin/sh
##
## sign.sh -- Sign a SSL Certificate Request (CSR)
## Copyright (c) Ralf S. Engelschall, All Rights Reserved.
##

# argument line handling
CSR=$1
if [ $# -ne 1 ]; then
echo "Usage: sign.sign <whatever>.csr"; exit 1
fi
if [ ! -f $CSR ]; then
echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
*.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
* ) CERT="$CSR.crt" ;;
esac

# make sure environment exists
if [ ! -d ca.db.certs ]; then
mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
cp /dev/null ca.db.index
fi

# create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = .
certs = \$dir
new_certs_dir = \$dir/ca.db.certs
database = \$dir/ca.db.index
serial = \$dir/ca.db.serial
RANDFILE = \$dir/ca.db.rand
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOT

# sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt $CERT

# cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

# die gracefully
exit 0

2007-01-02T13:32:08Z

57.67.161.6: /* Security */

==Security==
* [[Forensics]]
* [[Bypass Proxy]]
** [[Bypass Proxy reference]]
* [[MiscCrypto]]
** [[Encfs]]
** [[LoopCrypt]]
* [[Reverse Cross-Site Request (RCSR) vulnerability]]
* [[Belgian eID]]

==Hobbies==
* [[Photo]]
* [[Linux Certification]]
==Hardware==
* [[bttv]]
* [[Canon EOS]]
* [[Kiss 450]]
* [[Laptop Asus]]
* [[Laptop Dell Latitude D600]]
* [[Laptop Dell Latitude D610]]
* [[Photo Frame]]
* [[Philips Webcam]]

==Software==
===Server side===
* [[Syslog]]
* [[Munin]]
* [[Apache]]
* [[AWFFull]]
* [[GeoIP]]
* [[Mysql]]
* [[CVS and Subversion]]
* [[MediaWiki]]
* [[Gallery]]
* [[PhpMyAdmin]]
* [[Webcalendar]]
* [[Avimanager]]
* [[Zope]]
* [[Plone]]
* [[Alert notifications]]
====Mail services====
* [[qmail & ezmlm]]
* [[Exim]]
* [[Courier]]
* [[Procmail]]
* [[Imapproxy]]
* [[Squirrelmail]]
* [[Spamassassin]]
* [[Fetchmail]]
* [[Anti-Virus]]
====Syslog services====
* [[Syslog]]
* [[Logcheck]]
* [[Php-Syslog-ng]]
====Jabber====
* [[Jabberd]]
* [[Jabberd-Addons]]
* [[Jabberd-Conference]]
* [[Jabberd-Jud]]
* [[Jabberd-AIM]]
* [[Jabberd-Icq]]
* [[Jabberd-Irc]]
* [[Jabberd-MSN]]
* [[Jabberd-Yahoo]]

===Desktop side===
* [[Dict Applications]]
* [[Screen Tips]]
* [[Firefox Tips]]
* [[Bash Tips]]
* [[Mail Tips]]
* [[Offlineimap]]
====[[Jabber]]====
* [[Jabber Clients]]
* [[Jabber Send Message]]
* [[Jabber Utils]]

===Debian===
* [[Debian Documentation]]
* [[Debian Commands]]
* [[DebTags]]
* [[Debian Alsa]]
* [[Debian Kernel]]
* [[Debian Soft Raid]]
* [[My Debian Bugreports]]

==Lifeware==
* [[whoami]]
* [[Généalogie]]
* [[Bébé]]
* [[Chassis Couronne]]
* [[Prêts et emprunts]]

==Misc==
* [[External links]]

Bébé

2006-08-23T08:47:33Z

57.67.161.6: /* Crèches */

====Crèches====
* [http://www.elsene.irisnet.be/site/fr/02vivrexl/grandir/crechescommu.htm Les crèches communales]
* [http://www.elsene.irisnet.be/site/fr/02vivrexl/grandir/crechespriv.htm Les crèches privées]
* Mini Cracra Chaussée d'Ixelles, 315 - 1050 Bruxelles Tél. 02.644.64.50 Francophone 380€ pour 4/5

====Congés====
* [http://www.meta.fgov.be/pdf/pd/frdc19.pdf Congé de maternité] et [http://www.meta.fgov.be/pdf/pd/frdc19a.pdf addendum]
* [http://www.meta.fgov.be/pk/pkh/frkh05.htm Congé de paternité]
* [http://www.meta.fgov.be/pk/pkh/frkh33.htm Congé parental]
* [http://www.meta.fgov.be/pdf/pd/frdc30.pdf Congé-éducation (pdf)]
====Primes et allocs====
* [http://www.securex.be/portal/application?language=FR&contentUrl=/website/be/public/5E7D78B6053283A7C1256FDC00423326_fr.html#topPage Prime de naissance caisse d'allocations]
* [http://www.fmsb.be/pdf/info/infomut41.pdf Prime de naissance FMSB (pdf)]
** Pour recevoir l'intervention, vous devez nous présenter un certificat de naissance ou d'adoption délivré par l'administration communale.

====Commune====
* [http://www.elsene.irisnet.be/site/fr/02vivrexl/habiter/gdsevents.htm Ixelles]: déclaration, parrainnage laïque etc
====Divers====
* http://www.terrafutura.com/html/univers/enceinte.asp
* http://www.famidoo.be/xml/doc__fr-IDC-5-.html
* http://www.gardes-bb.be
* Vêtements femme enceinte Liège
** http://www.nombril.be/
** http://liegecachecache.site.voila.fr/
* http://www.kiddybips.com/frans/fr_wie.html
* http://www.chez.com/accouchement/shopping.htm
* http://www.peau-a-peau.be/defaultn.htm
* http://www.bebenageur.be/
* http://www.ptibou.be/index.asp?ID=911
* http://www.maman-nature.com/shop/
* http://www.dreambaby.be/dreambaby/index.jsp
* http://www.alternatives.be/presse/accouchement_aquatique_article.htm
* http://www.lasante.be/dossiers/accouchement_aqua.htm
* http://www.chirec.be/content/default.asp?id=28&key=0305&subitem=03
* Grand déstockage des marques en octobre 2006
** http://www.majishop.be

Linux Certification

2006-08-17T14:34:13Z

57.67.161.6: /* Books */

===[http://www.lpi.org Linux Professional Institute]===

See also [http://en.wikipedia.org/wiki/Linux_Professional_Institute On Wikipedia]

====Objectives====
* [http://www.lpi.org/en/lpi/english/certification/the_lpic_program/exam_101_detailed_objectives Detailed objectives for exam 101]
* [http://www.lpi.org/en/lpi/english/certification/the_lpic_program/exam_102_detailed_objectives Detailed objectives for exam 102]
====Books====
* [http://www.amazon.co.uk/gp/product/0789722895/ LPIC Linux Level 1, Test 1 (Cheat Sheet S.) (Paperback) ] 352 pages
* [http://www.amazon.co.uk/gp/product/3937514023 LPIC-1. (Hardcover)]
* [http://www.amazon.co.uk/gp/product/0764547720 LPIC1 Certification Bible (Paperback)] 880 pages
* [http://www.amazon.co.uk/gp/product/0789731274 LPIC I Exam Cram 2: Exam 101, 102 (Exam Cram 2 S.) (Paperback)] 588 pages, said to be up-to-date, [http://www.examcram2.com/bookstore/product.asp?isbn=0789731274&rl=1 official website]
* [http://www.amazon.co.uk/gp/product/1565927486 LPI Linux Certification in a Nutshell (Paperback)] 576 pages [http://www.amazon.co.uk/gp/product/0596005288 New edition in July 2006] current edition is largely outdated
* [http://www.amazon.co.uk/gp/product/078214425X LPIC-1: Linux Professional Institute Certification: Study Guide (Level 1 Exams 101 and 102) (Paperback)] 656 pages

====Courses====
* http://www.linuxcertified.com/linux-courseware.html
* http://www.lynuxtraining.com/formations/index.html#3
* http://www.ibm.com/Search/?q=lpic-1&v=11&lang=en&cc=us&en=utf&Search.x=0&Search.y=0&Search=Search
* http://www.sybex.com/WileyCDA/SybexTitle/productCd-078214425X,navId-291002,pageCd-resources.html
* http://www.bradfordlearning.com/cgi-bin/Item.cgi?action=ShowCategory&category=certification16&item=34
====Tutorials====
* http://www.ibm.com/developerworks/linux/lpi/index.html Seems impossible to register for now...
** [http://www.google.fr/search?hl=fr&q=ibm.com%2FdeveloperWorks+filetype%3Apdf+intitle%3Alpi&btnG=Rechercher&meta= Search for copies on Google]
** e.g. here: http://www.eastbayimprov.com/dave/ux/linuxstudy/
* http://en.wikibooks.org/wiki/LPI_Linux_Certification
* http://en.wikibooks.org/wiki/Learning_the_vi_editor
* http://en.wikibooks.org/wiki/Category:Linux

====Centers====
Among others Telindus Leuven can offer this certification
* http://www.vue.com/servlet/vue.web2.core.Dispatcher?webContext=CandidateSite&webApp=TestCenterLocator&requestedAction=register&cid=117
* http://www.jcacademy.be/testingCentre/_fr/index.asp
First register to LPI:
* http://www.lpi.org/en/lpi/english/certification/register_now
Then to Telindus with your LPI ID (visible in Candidate Overview after registration to LPI)
* +32 16 38 28 18 or http://www.jcacademy.be/testingCentre/_fr/inschrijven.asp

===Try yourself===
Here are "clean" test questions copied from the LPI site but without the answers and fuzzed (on LPI the right answer is always the first!) so you can really try them and then check the answers on the LPI website.

====LPIC-1 101 Sample questions====
<pre>
OBJECTIVE: 1.3.1 TYPE: mc
If you wanted to turn off mail notification, what command would you use?

mesg n
mesg off
biff n
notify off
set notify=off

OBJECTIVE: 1.3.1 TYPE: mcma
Which of these commands could you use to show one page of output at a time?

more
sed
pause
less
grep

OBJECTIVE: 1.3.3 TYPE: mcma
Which commands will give you information about how much disk space each file in the current directory uses?

ls
ls -l
ls -a
ls -la
du .

OBJECTIVE: 1.3.4 TYPE: mc
What command would send the output of cmd1 to the input of cmd2?

cmd1 cmd2
cmd1 ; cmd2
cmd1 | cmd2
cmd1 || cmd2
cmd1 && cmd2

Top OBJECTIVE: 1.3.5 TYPE: mc
Under the bash shell, when a command is running, pressing control-Z will usually

adds an EOF to the file.
suspend the foreground task.
kill the command running in the foreground
move the foreground task into the background
log the user off

OBJECTIVE: 1.8.1 TYPE: mc
What is the 'man' command used for?

it is the replacement for the 'boy' command
it is a standard alias to 'ls -la | more'
it is used to display formatted html pages
to display information about the syntax for a command

OBJECTIVE: 2.11.1 TYPE: fitb
In which file might you find the following entry: root:x:0:0::/root:/bin/bash

OBJECTIVE: 2.11.1 TYPE: fitb
As root, what command would you type to initiate a password change for user larry?

OBJECTIVE: 2.11.2 TYPE: mc
Under the bash shell which is the most appropriate place to set environment variables that apply to all users?

rc.local
rc.sysinit
/etc/skel
/etc/profile
/etc/bashrc

OBJECTIVE: 2.11.4 TYPE: mc
Which statement describes the cron daemon?

Manages all incoming connections and spawns off child processes
Is responsible for file sharing across a network
Manages scheduling of routine system tasks
Manages the printing subsystem
Keeps track of system messages and errors

OBJECTIVE: 2.4.1 TYPE: mcma
Which of the following are valid block devices on most default linux distributions?

loopback devices
serial ports
virtual terminals
tape devices
hard disks

OBJECTIVE: 2.4.2 TYPE: mc
How can you best see how much free space you have in your current directory?

Use df
Use df .
Use df /
Use du .
Use du /

OBJECTIVE: 2.4.5 TYPE: fitb
Which command would you use to alter the permissions of a file (do not give any parameters)

OBJECTIVE: 2.4.8 TYPE: mc
Which command will update the slocate database as a background process?

updatedb &
slocate --start &
slocate --update &
slocate --updatedb &
slocatedb

OBJECTIVE: 2.6.2 TYPE: mc
Having booted into run level 3, how would you change to run level 5 without rebooting?

startx
run 5
ALT-F7-5
setinit 5
telinit 5
</pre>
Check the solutions on http://www.lpi.org/en/tasks_101.html
====LPIC-1 102 Sample questions====
<pre>
OBJECTIVE: 1.1.1 TYPE: mc
which command is used to change settings on IDE hard disk drives?

diskparm
hdparam
hdparm
hddparm
ideconfig

OBJECTIVE: 1.12.1 TYPE: mc
Your logfile shows repeated connections to TCP port 143. Which named service is being accessed?

imap
smbd
nmbd
pop2
smtp

OBJECTIVE: 1.12.1 TYPE: fitb
What type of packet does an IP ping use (provide acronym)?

OBJECTIVE: 1.12.2 TYPE: mc
To learn more about the management of an internet site the best utility to use would be:

ping
rpcdump
telnet
traceroute
whois

OBJECTIVE: 1.12.3 TYPE: mc
If you had a Linux system routing 3 different Networks through 3 NICs and you were having trouble with your IP-Forwarding. Where would you look to ensure that IP-Forwarding is actually enabled?

iptraf -d eth0
cat /proc/net/tcp
cat /proc/sys/net/ipv4/ip_forward
netstat
tail -f /var/log/messages

OBJECTIVE: 1.13.1 TYPE: mc
What file is used for associating port numbers to port names.

/etc/hosts
/etc/inetd.conf
/etc/ports
/etc/securetty
/etc/services

OBJECTIVE: 1.13.4 TYPE: mc
You want to make the directory /local available via NFS. All users on your local network should be allowed to read and write files. Which of the following is correct, assuming that your local network is 192.168.1.0, and your machine is part of the DNS domain foobar.com?

192.168.1.0 /local
/local 192.168.1.0(rw)
/local 192.168.1.0/255.255.255.0(rw)
/local *.com(rw)

Top OBJECTIVE: 1.14.1 TYPE: fitb
Which file can you create to prevent non-root users from logging into the system? (specify path and filename)

OBJECTIVE: 1.14.2 TYPE: fitb
What command can be used to display a formatted output of the wtmp file? (no arguments)

OBJECTIVE: 1.14.3 TYPE: fitb
Which command can be executed by a user who is already logged into the system, in order to change to the root user? (type the command without any parameters)

OBJECTIVE: 1.7.2 TYPE: mc
To cause a particular print job to be printed next, regardless of its current position in the queue, what command would be used?

lpc topq
lpc -t
lpq -t
lpq --next
lpc move

OBJECTIVE: 1.7.2 TYPE: mc
Which statement describes the LPD daemon?

Manages all incoming connections and spawns off child processes
Is responsible for file sharing across a network
Manages scheduling of routine system tasks
Manages the printing subsystem
Keeps track of system messages and errors

OBJECTIVE: 2.10.4 TYPE: mc
When configuring a terminal for X what does the -fn switch do?

It sets the terminal's default function.
It places the terminal in the foreground on your screen.
It sets the terminal's initial value to false.
It sets the terminal's initial display to reverse video.
It sets the font size and or type for the terminal.

OBJECTIVE: 2.2.1 TYPE: mc
What command(s) do you use to create swap space?

activeswap
initswap
mkfs -t swap
mkswap
swapon

OBJECTIVE: 2.2.3 TYPE: fitb
Type the full command you could use to decompress the file "foo.gz"

decompress foo.gz
gzip -d foo.gz
gunzip -d foo.gz
gunzip foo.gz
unzip foo.gz

OBJECTIVE: 2.2.5 TYPE: mc
How can you add package information from a file Packages to the database of available Debian packages?

dpkg --merge-avail Packages
dpkg --record-avail Packages
dpkg --update-avail Packages
dpkg -U Packages

OBJECTIVE: 2.2.6 TYPE: mc
You need to find out which package owns a file called /etc/paper.config. Which command will answer this question?

rpm --requires /etc/paper.config
rpm -Fq /etc/paper.config
rpm -q /etc/paper.config
rpm -qa|grep /etc/paper.config
rpm -qf /etc/paper.config

</pre>

Check the solutions on http://www.lpi.org/en/tasks_102.html

Linux Certification

2006-08-16T13:05:15Z

57.67.161.6: /* Centers */

===[http://www.lpi.org Linux Professional Institute]===

See also [http://en.wikipedia.org/wiki/Linux_Professional_Institute On Wikipedia]

====Books====
* [http://www.amazon.co.uk/gp/product/0789722895/ LPIC Linux Level 1, Test 1 (Cheat Sheet S.) (Paperback) ] 352 pages
* [http://www.amazon.co.uk/gp/product/3937514023 LPIC-1. (Hardcover)]
* [http://www.amazon.co.uk/gp/product/0764547720 LPIC1 Certification Bible (Paperback)] 880 pages
* [http://www.amazon.co.uk/gp/product/0789731274 LPIC I Exam Cram 2: Exam 101, 102 (Exam Cram 2 S.) (Paperback)] 588 pages, said to be up-to-date, [http://www.examcram2.com/bookstore/product.asp?isbn=0789731274&rl=1 official website]
* [http://www.amazon.co.uk/gp/product/1565927486 LPI Linux Certification in a Nutshell (Paperback)] 576 pages [http://www.amazon.co.uk/gp/product/0596005288 New edition in July 2006] current edition is largely outdated
* [http://www.amazon.co.uk/gp/product/078214425X LPIC-1: Linux Professional Institute Certification: Study Guide (Level 1 Exams 101 and 102) (Paperback)] 656 pages

====Courses====
* http://www.linuxcertified.com/linux-courseware.html
* http://www.lynuxtraining.com/formations/index.html#3
* http://www.ibm.com/Search/?q=lpic-1&v=11&lang=en&cc=us&en=utf&Search.x=0&Search.y=0&Search=Search
* http://www.sybex.com/WileyCDA/SybexTitle/productCd-078214425X,navId-291002,pageCd-resources.html
* http://www.bradfordlearning.com/cgi-bin/Item.cgi?action=ShowCategory&category=certification16&item=34
====Tutorials====
* http://www.ibm.com/developerworks/linux/lpi/index.html Seems impossible to register for now...
** [http://www.google.fr/search?hl=fr&q=ibm.com%2FdeveloperWorks+filetype%3Apdf+intitle%3Alpi&btnG=Rechercher&meta= Search for copies on Google]
** e.g. here: http://www.eastbayimprov.com/dave/ux/linuxstudy/
* http://en.wikibooks.org/wiki/LPI_Linux_Certification
* http://en.wikibooks.org/wiki/Learning_the_vi_editor
* http://en.wikibooks.org/wiki/Category:Linux

====Centers====
Among others Telindus Leuven can offer this certification
* http://www.vue.com/servlet/vue.web2.core.Dispatcher?webContext=CandidateSite&webApp=TestCenterLocator&requestedAction=register&cid=117
* http://www.jcacademy.be/testingCentre/_fr/index.asp
First register to LPI:
* http://www.lpi.org/en/lpi/english/certification/register_now
Then to Telindus with your LPI ID (visible in Candidate Overview after registration to LPI)
* +32 16 38 28 18 or http://www.jcacademy.be/testingCentre/_fr/inschrijven.asp

===Try yourself===
Here are "clean" test questions copied from the LPI site but without the answers and fuzzed (on LPI the right answer is always the first!) so you can really try them and then check the answers on the LPI website.

====LPIC-1 101 Sample questions====
<pre>
OBJECTIVE: 1.3.1 TYPE: mc
If you wanted to turn off mail notification, what command would you use?

mesg n
mesg off
biff n
notify off
set notify=off

OBJECTIVE: 1.3.1 TYPE: mcma
Which of these commands could you use to show one page of output at a time?

more
sed
pause
less
grep

OBJECTIVE: 1.3.3 TYPE: mcma
Which commands will give you information about how much disk space each file in the current directory uses?

ls
ls -l
ls -a
ls -la
du .

OBJECTIVE: 1.3.4 TYPE: mc
What command would send the output of cmd1 to the input of cmd2?

cmd1 cmd2
cmd1 ; cmd2
cmd1 | cmd2
cmd1 || cmd2
cmd1 && cmd2

Top OBJECTIVE: 1.3.5 TYPE: mc
Under the bash shell, when a command is running, pressing control-Z will usually

adds an EOF to the file.
suspend the foreground task.
kill the command running in the foreground
move the foreground task into the background
log the user off

OBJECTIVE: 1.8.1 TYPE: mc
What is the 'man' command used for?

it is the replacement for the 'boy' command
it is a standard alias to 'ls -la | more'
it is used to display formatted html pages
to display information about the syntax for a command

OBJECTIVE: 2.11.1 TYPE: fitb
In which file might you find the following entry: root:x:0:0::/root:/bin/bash

OBJECTIVE: 2.11.1 TYPE: fitb
As root, what command would you type to initiate a password change for user larry?

OBJECTIVE: 2.11.2 TYPE: mc
Under the bash shell which is the most appropriate place to set environment variables that apply to all users?

rc.local
rc.sysinit
/etc/skel
/etc/profile
/etc/bashrc

OBJECTIVE: 2.11.4 TYPE: mc
Which statement describes the cron daemon?

Manages all incoming connections and spawns off child processes
Is responsible for file sharing across a network
Manages scheduling of routine system tasks
Manages the printing subsystem
Keeps track of system messages and errors

OBJECTIVE: 2.4.1 TYPE: mcma
Which of the following are valid block devices on most default linux distributions?

loopback devices
serial ports
virtual terminals
tape devices
hard disks

OBJECTIVE: 2.4.2 TYPE: mc
How can you best see how much free space you have in your current directory?

Use df
Use df .
Use df /
Use du .
Use du /

OBJECTIVE: 2.4.5 TYPE: fitb
Which command would you use to alter the permissions of a file (do not give any parameters)

OBJECTIVE: 2.4.8 TYPE: mc
Which command will update the slocate database as a background process?

updatedb &
slocate --start &
slocate --update &
slocate --updatedb &
slocatedb

OBJECTIVE: 2.6.2 TYPE: mc
Having booted into run level 3, how would you change to run level 5 without rebooting?

startx
run 5
ALT-F7-5
setinit 5
telinit 5
</pre>
Check the solutions on http://www.lpi.org/en/tasks_101.html
====LPIC-1 102 Sample questions====
<pre>
OBJECTIVE: 1.1.1 TYPE: mc
which command is used to change settings on IDE hard disk drives?

diskparm
hdparam
hdparm
hddparm
ideconfig

OBJECTIVE: 1.12.1 TYPE: mc
Your logfile shows repeated connections to TCP port 143. Which named service is being accessed?

imap
smbd
nmbd
pop2
smtp

OBJECTIVE: 1.12.1 TYPE: fitb
What type of packet does an IP ping use (provide acronym)?

OBJECTIVE: 1.12.2 TYPE: mc
To learn more about the management of an internet site the best utility to use would be:

ping
rpcdump
telnet
traceroute
whois

OBJECTIVE: 1.12.3 TYPE: mc
If you had a Linux system routing 3 different Networks through 3 NICs and you were having trouble with your IP-Forwarding. Where would you look to ensure that IP-Forwarding is actually enabled?

iptraf -d eth0
cat /proc/net/tcp
cat /proc/sys/net/ipv4/ip_forward
netstat
tail -f /var/log/messages

OBJECTIVE: 1.13.1 TYPE: mc
What file is used for associating port numbers to port names.

/etc/hosts
/etc/inetd.conf
/etc/ports
/etc/securetty
/etc/services

OBJECTIVE: 1.13.4 TYPE: mc
You want to make the directory /local available via NFS. All users on your local network should be allowed to read and write files. Which of the following is correct, assuming that your local network is 192.168.1.0, and your machine is part of the DNS domain foobar.com?

192.168.1.0 /local
/local 192.168.1.0(rw)
/local 192.168.1.0/255.255.255.0(rw)
/local *.com(rw)

Top OBJECTIVE: 1.14.1 TYPE: fitb
Which file can you create to prevent non-root users from logging into the system? (specify path and filename)

OBJECTIVE: 1.14.2 TYPE: fitb
What command can be used to display a formatted output of the wtmp file? (no arguments)

OBJECTIVE: 1.14.3 TYPE: fitb
Which command can be executed by a user who is already logged into the system, in order to change to the root user? (type the command without any parameters)

OBJECTIVE: 1.7.2 TYPE: mc
To cause a particular print job to be printed next, regardless of its current position in the queue, what command would be used?

lpc topq
lpc -t
lpq -t
lpq --next
lpc move

OBJECTIVE: 1.7.2 TYPE: mc
Which statement describes the LPD daemon?

Manages all incoming connections and spawns off child processes
Is responsible for file sharing across a network
Manages scheduling of routine system tasks
Manages the printing subsystem
Keeps track of system messages and errors

OBJECTIVE: 2.10.4 TYPE: mc
When configuring a terminal for X what does the -fn switch do?

It sets the terminal's default function.
It places the terminal in the foreground on your screen.
It sets the terminal's initial value to false.
It sets the terminal's initial display to reverse video.
It sets the font size and or type for the terminal.

OBJECTIVE: 2.2.1 TYPE: mc
What command(s) do you use to create swap space?

activeswap
initswap
mkfs -t swap
mkswap
swapon

OBJECTIVE: 2.2.3 TYPE: fitb
Type the full command you could use to decompress the file "foo.gz"

decompress foo.gz
gzip -d foo.gz
gunzip -d foo.gz
gunzip foo.gz
unzip foo.gz

OBJECTIVE: 2.2.5 TYPE: mc
How can you add package information from a file Packages to the database of available Debian packages?

dpkg --merge-avail Packages
dpkg --record-avail Packages
dpkg --update-avail Packages
dpkg -U Packages

OBJECTIVE: 2.2.6 TYPE: mc
You need to find out which package owns a file called /etc/paper.config. Which command will answer this question?

rpm --requires /etc/paper.config
rpm -Fq /etc/paper.config
rpm -q /etc/paper.config
rpm -qa|grep /etc/paper.config
rpm -qf /etc/paper.config

</pre>

Check the solutions on http://www.lpi.org/en/tasks_102.html

Linux Certification

2006-08-16T13:04:43Z

57.67.161.6: /* Centers */

===[http://www.lpi.org Linux Professional Institute]===

See also [http://en.wikipedia.org/wiki/Linux_Professional_Institute On Wikipedia]

====Books====
* [http://www.amazon.co.uk/gp/product/0789722895/ LPIC Linux Level 1, Test 1 (Cheat Sheet S.) (Paperback) ] 352 pages
* [http://www.amazon.co.uk/gp/product/3937514023 LPIC-1. (Hardcover)]
* [http://www.amazon.co.uk/gp/product/0764547720 LPIC1 Certification Bible (Paperback)] 880 pages
* [http://www.amazon.co.uk/gp/product/0789731274 LPIC I Exam Cram 2: Exam 101, 102 (Exam Cram 2 S.) (Paperback)] 588 pages, said to be up-to-date, [http://www.examcram2.com/bookstore/product.asp?isbn=0789731274&rl=1 official website]
* [http://www.amazon.co.uk/gp/product/1565927486 LPI Linux Certification in a Nutshell (Paperback)] 576 pages [http://www.amazon.co.uk/gp/product/0596005288 New edition in July 2006] current edition is largely outdated
* [http://www.amazon.co.uk/gp/product/078214425X LPIC-1: Linux Professional Institute Certification: Study Guide (Level 1 Exams 101 and 102) (Paperback)] 656 pages

====Courses====
* http://www.linuxcertified.com/linux-courseware.html
* http://www.lynuxtraining.com/formations/index.html#3
* http://www.ibm.com/Search/?q=lpic-1&v=11&lang=en&cc=us&en=utf&Search.x=0&Search.y=0&Search=Search
* http://www.sybex.com/WileyCDA/SybexTitle/productCd-078214425X,navId-291002,pageCd-resources.html
* http://www.bradfordlearning.com/cgi-bin/Item.cgi?action=ShowCategory&category=certification16&item=34
====Tutorials====
* http://www.ibm.com/developerworks/linux/lpi/index.html Seems impossible to register for now...
** [http://www.google.fr/search?hl=fr&q=ibm.com%2FdeveloperWorks+filetype%3Apdf+intitle%3Alpi&btnG=Rechercher&meta= Search for copies on Google]
** e.g. here: http://www.eastbayimprov.com/dave/ux/linuxstudy/
* http://en.wikibooks.org/wiki/LPI_Linux_Certification
* http://en.wikibooks.org/wiki/Learning_the_vi_editor
* http://en.wikibooks.org/wiki/Category:Linux

====Centers====
Among others Telindus Leuven can offer this certification
* http://www.vue.com/servlet/vue.web2.core.Dispatcher?webContext=CandidateSite&webApp=TestCenterLocator&requestedAction=register&cid=117
* http://www.jcacademy.be/testingCentre/_fr/index.asp
First register to LPI:
* http://www.lpi.org/en/lpi/english/certification/register_now
Then to Telindus with your LPI ID (visible in Candidate Overview after registration to LPI)
** +32 16 38 28 18 or http://www.jcacademy.be/testingCentre/_fr/inschrijven.asp

===Try yourself===
Here are "clean" test questions copied from the LPI site but without the answers and fuzzed (on LPI the right answer is always the first!) so you can really try them and then check the answers on the LPI website.

====LPIC-1 101 Sample questions====
<pre>
OBJECTIVE: 1.3.1 TYPE: mc
If you wanted to turn off mail notification, what command would you use?

mesg n
mesg off
biff n
notify off
set notify=off

OBJECTIVE: 1.3.1 TYPE: mcma
Which of these commands could you use to show one page of output at a time?

more
sed
pause
less
grep

OBJECTIVE: 1.3.3 TYPE: mcma
Which commands will give you information about how much disk space each file in the current directory uses?

ls
ls -l
ls -a
ls -la
du .

OBJECTIVE: 1.3.4 TYPE: mc
What command would send the output of cmd1 to the input of cmd2?

cmd1 cmd2
cmd1 ; cmd2
cmd1 | cmd2
cmd1 || cmd2
cmd1 && cmd2

Top OBJECTIVE: 1.3.5 TYPE: mc
Under the bash shell, when a command is running, pressing control-Z will usually

adds an EOF to the file.
suspend the foreground task.
kill the command running in the foreground
move the foreground task into the background
log the user off

OBJECTIVE: 1.8.1 TYPE: mc
What is the 'man' command used for?

it is the replacement for the 'boy' command
it is a standard alias to 'ls -la | more'
it is used to display formatted html pages
to display information about the syntax for a command

OBJECTIVE: 2.11.1 TYPE: fitb
In which file might you find the following entry: root:x:0:0::/root:/bin/bash

OBJECTIVE: 2.11.1 TYPE: fitb
As root, what command would you type to initiate a password change for user larry?

OBJECTIVE: 2.11.2 TYPE: mc
Under the bash shell which is the most appropriate place to set environment variables that apply to all users?

rc.local
rc.sysinit
/etc/skel
/etc/profile
/etc/bashrc

OBJECTIVE: 2.11.4 TYPE: mc
Which statement describes the cron daemon?

Manages all incoming connections and spawns off child processes
Is responsible for file sharing across a network
Manages scheduling of routine system tasks
Manages the printing subsystem
Keeps track of system messages and errors

OBJECTIVE: 2.4.1 TYPE: mcma
Which of the following are valid block devices on most default linux distributions?

loopback devices
serial ports
virtual terminals
tape devices
hard disks

OBJECTIVE: 2.4.2 TYPE: mc
How can you best see how much free space you have in your current directory?

Use df
Use df .
Use df /
Use du .
Use du /

OBJECTIVE: 2.4.5 TYPE: fitb
Which command would you use to alter the permissions of a file (do not give any parameters)

OBJECTIVE: 2.4.8 TYPE: mc
Which command will update the slocate database as a background process?

updatedb &
slocate --start &
slocate --update &
slocate --updatedb &
slocatedb

OBJECTIVE: 2.6.2 TYPE: mc
Having booted into run level 3, how would you change to run level 5 without rebooting?

startx
run 5
ALT-F7-5
setinit 5
telinit 5
</pre>
Check the solutions on http://www.lpi.org/en/tasks_101.html
====LPIC-1 102 Sample questions====
<pre>
OBJECTIVE: 1.1.1 TYPE: mc
which command is used to change settings on IDE hard disk drives?

diskparm
hdparam
hdparm
hddparm
ideconfig

OBJECTIVE: 1.12.1 TYPE: mc
Your logfile shows repeated connections to TCP port 143. Which named service is being accessed?

imap
smbd
nmbd
pop2
smtp

OBJECTIVE: 1.12.1 TYPE: fitb
What type of packet does an IP ping use (provide acronym)?

OBJECTIVE: 1.12.2 TYPE: mc
To learn more about the management of an internet site the best utility to use would be:

ping
rpcdump
telnet
traceroute
whois

OBJECTIVE: 1.12.3 TYPE: mc
If you had a Linux system routing 3 different Networks through 3 NICs and you were having trouble with your IP-Forwarding. Where would you look to ensure that IP-Forwarding is actually enabled?

iptraf -d eth0
cat /proc/net/tcp
cat /proc/sys/net/ipv4/ip_forward
netstat
tail -f /var/log/messages

OBJECTIVE: 1.13.1 TYPE: mc
What file is used for associating port numbers to port names.

/etc/hosts
/etc/inetd.conf
/etc/ports
/etc/securetty
/etc/services

OBJECTIVE: 1.13.4 TYPE: mc
You want to make the directory /local available via NFS. All users on your local network should be allowed to read and write files. Which of the following is correct, assuming that your local network is 192.168.1.0, and your machine is part of the DNS domain foobar.com?

192.168.1.0 /local
/local 192.168.1.0(rw)
/local 192.168.1.0/255.255.255.0(rw)
/local *.com(rw)

Top OBJECTIVE: 1.14.1 TYPE: fitb
Which file can you create to prevent non-root users from logging into the system? (specify path and filename)

OBJECTIVE: 1.14.2 TYPE: fitb
What command can be used to display a formatted output of the wtmp file? (no arguments)

OBJECTIVE: 1.14.3 TYPE: fitb
Which command can be executed by a user who is already logged into the system, in order to change to the root user? (type the command without any parameters)

OBJECTIVE: 1.7.2 TYPE: mc
To cause a particular print job to be printed next, regardless of its current position in the queue, what command would be used?

lpc topq
lpc -t
lpq -t
lpq --next
lpc move

OBJECTIVE: 1.7.2 TYPE: mc
Which statement describes the LPD daemon?

Manages all incoming connections and spawns off child processes
Is responsible for file sharing across a network
Manages scheduling of routine system tasks
Manages the printing subsystem
Keeps track of system messages and errors

OBJECTIVE: 2.10.4 TYPE: mc
When configuring a terminal for X what does the -fn switch do?

It sets the terminal's default function.
It places the terminal in the foreground on your screen.
It sets the terminal's initial value to false.
It sets the terminal's initial display to reverse video.
It sets the font size and or type for the terminal.

OBJECTIVE: 2.2.1 TYPE: mc
What command(s) do you use to create swap space?

activeswap
initswap
mkfs -t swap
mkswap
swapon

OBJECTIVE: 2.2.3 TYPE: fitb
Type the full command you could use to decompress the file "foo.gz"

decompress foo.gz
gzip -d foo.gz
gunzip -d foo.gz
gunzip foo.gz
unzip foo.gz

OBJECTIVE: 2.2.5 TYPE: mc
How can you add package information from a file Packages to the database of available Debian packages?

dpkg --merge-avail Packages
dpkg --record-avail Packages
dpkg --update-avail Packages
dpkg -U Packages

OBJECTIVE: 2.2.6 TYPE: mc
You need to find out which package owns a file called /etc/paper.config. Which command will answer this question?

rpm --requires /etc/paper.config
rpm -Fq /etc/paper.config
rpm -q /etc/paper.config
rpm -qa|grep /etc/paper.config
rpm -qf /etc/paper.config

</pre>

Check the solutions on http://www.lpi.org/en/tasks_102.html

Bébé

2006-07-24T08:33:10Z

57.67.161.6: /* Primes et allocs */

====Crèches====
* [http://www.elsene.irisnet.be/site/fr/02vivrexl/grandir/crechescommu.htm Les crèches communales]
* [http://www.elsene.irisnet.be/site/fr/02vivrexl/grandir/crechespriv.htm Les crèches privées]
* Mini Cracra Chaussée d'Ixelles, 315 - 1050 Bruxelles Tél. 02.644.64.50 Francophone 380€ pour 4/5
====Congés====
* [http://www.meta.fgov.be/pdf/pd/frdc19.pdf Congé de maternité] et [http://www.meta.fgov.be/pdf/pd/frdc19a.pdf addendum]
* [http://www.meta.fgov.be/pk/pkh/frkh05.htm Congé de paternité]
* [http://www.meta.fgov.be/pk/pkh/frkh33.htm Congé parental]
* [http://www.meta.fgov.be/pdf/pd/frdc30.pdf Congé-éducation (pdf)]
====Primes et allocs====
* [http://www.securex.be/portal/application?language=FR&contentUrl=/website/be/public/5E7D78B6053283A7C1256FDC00423326_fr.html#topPage Prime de naissance caisse d'allocations]
* [http://www.fmsb.be/pdf/info/infomut41.pdf Prime de naissance FMSB (pdf)]
** Pour recevoir l'intervention, vous devez nous présenter un certificat de naissance ou d'adoption délivré par l'administration communale.

====Commune====
* [http://www.elsene.irisnet.be/site/fr/02vivrexl/habiter/gdsevents.htm Ixelles]: déclaration, parrainnage laïque etc
====Divers====
* http://www.terrafutura.com/html/univers/enceinte.asp
* http://www.famidoo.be/xml/doc__fr-IDC-5-.html
* http://www.gardes-bb.be
* Vêtements femme enceinte Liège
** http://www.nombril.be/
** http://liegecachecache.site.voila.fr/
* http://www.kiddybips.com/frans/fr_wie.html
* http://www.chez.com/accouchement/shopping.htm
* http://www.peau-a-peau.be/defaultn.htm
* http://www.bebenageur.be/
* http://www.ptibou.be/index.asp?ID=911
* http://www.maman-nature.com/shop/
* http://www.dreambaby.be/dreambaby/index.jsp

Prêts et emprunts

2006-06-21T09:32:57Z

57.67.161.6:

===Philips===
====MarcV====
*Chomsky: La fabrique de l'opinion publique & Chomsky: De la propagande
*Dancer in the Dark, Lain 1
====Fabian====
*Guide Singapour
===Autres===
====Henri====
*Fantasia
====Jean-Seb====
*Accordéon
*Cruche verte
*1k5
====Guy====
*Farde emploi
====Oli====
*Hold-up planétaire
*Knight Tale, Shil Angel, Antitrust
*Ikonos? (copie ou pret?)
*290.46 + 114.76(frys) + 141.84 (500-baie un an) = 547.06€
*Souches Oli=je dois???
*Brico, Oli doit 85.21
*Diesel: ??? j'ai payé un plein de 59€

====Val====
*Lecteur Zip + un zip
====Nath====
*Poche Linux
*OBrother??, Mononoke
* <- Pour une éthique à l'ingérence
*Mitac
====Dorian====
*pigtail court+pigtail long cassé+rallonge N+WET11
*2 Linux France mags
*Camping gaz
*Dernier empereur, c'est arrivé près de chez vous
* Zaurus SL5000 + housse + SD128Mb + CF Wifi + chargeur + 2ème batterie + adapt. secteur + station USB
====Marc Mign====
*Coder Zen
====Carl====
*je dois 5€
====Dimi====
*Carte WiFi Avaya

===qui?===
*Bridge PCI-PCMCIA

YobiWiki - User contributions [en]

Encfs

Encfs

Vserver tools

Vserver administration

Vserver administration

Vserver administration

Linux Certification

Customizing Knoppix

Customizing Knoppix

Apache

Apache

Table of contents

Bébé

Linux Certification

Linux Certification

Linux Certification

Bébé

Prêts et emprunts