Friday, November 4, 2011

GNU/Linux Hardening - CentOS Distro Taken an Example

GNU/Linux CentOS server hardening that meets security guidelines.

The document will cover Physical Protection, User Rights, Network Security, Kernel Security and Tamper Resistance

File System Partitioning
File System LVM (So partitions can be shrunk or grown if needs be)

Partitions (each must be a journaled FS):
/boot        primary
/        primary

        Extended
/tmp       
/var      
/var/log   
/usr/local   
/opt
/home       
swap        
   
CentOS ISO
-Install from a clean, formatted drive (verify the ISO's md5 sum before use)
-Use CentOS-ver-arch-minimal (roughly 260MB)
-Custom installation (install with as few packages as possible)

Package installs
-The list of apps should be determined by the use of the machine.
-As a base no more than SSH installed, this to allow remote access.
-If we don't need i386/i686 packages for compatibility purposes, we may want to remove them as well with yum remove '*.i?86' (quote the pattern so the shell does not expand it), and then keep them gone by adding exclude = *.i?86 to /etc/yum.conf

Physical Protection
-Set up BIOS password.
-Place servers in a controlled area.
-Prevent servers from being booted through other medium.
-Servers are to be placed in racks with locking mechanisms.
-Conceal cabling and power outlets.
-Activate password for grub.
-Do not install any auto-mount package for external devices such as USB, PCMCIA, etc.
-Once installation of the server is complete, make sure that you've logged out from the tty (virtual terminal).
-Allow only 2 ttys and disable the others (there are 6 by default), so make sure that only 2 remain configured.


CentOS Hardening
After installing and configuring, further steps have to be taken to ensure operating system hardening.
The minimum procedure that must be followed:
•Accounts (check that the passwd file is shadowed)
•Check services and ports (services are background programs that serve a utility function without being called by a user. This ranges from maintenance utilities to providing an interface upon request. Most of these services are not useful, depending on the UNIX/Linux usage purposes.)
•Securing root applications (ensure the /sbin and /etc folders are owned by root. By default, normal users can reboot the system by issuing the 'reboot' command or by pressing the Ctrl-Alt-Del key combination.)
•Detecting SUID/SGID apps (a regular user will be able to run a program as root if it is set to SUID root. We should minimize the use of SUID/SGID apps and disable the programs which are not needed.)
•Setup a specific server for repository that can be the only one with access to global internet.
•Install and check patches (verify integrity of patch by md5sum)
•Make sure that the server has no access to global internet.
•The list of apps should be determined by the use of the machine.
•The only service running by default should be SSH

Alert to show when user log on

-SSH banner alert message
                                      ------------------
                                      W A R N I N G
                                      ------------------

*************************************************************************************************
NOTICE TO USERS WARNING! The use of this system is restricted to authorized users, unauthorized access is forbidden and will be prosecuted by law. All information and communications on this system are subject to review, monitoring and recording at any time, without notice or permission. Users should have no expectation of privacy.
*************************************************************************************************

Lock down GRUB 2
•Grub 2 has the ability to set password protection on individual menu entries and/or for specific users.
•The username and password will also be required to gain access to the Grub 2 command line and menu editing modes.
•The username and/or password do not have to be the same as the system logon name/password.
•This is basic password security. The name/password are unencrypted; anyone having physical access to the machine and more than an elementary knowledge of how Linux works will be able to access the configuration files and bypass this feature.
•Grub 2 password protection is still evolving. Currently (Grub 1.97beta4) password protection must be assigned to each menu entry. There is a chance the password feature will be revised so that all entries are protected by default. If and when this feature is incorporated in Grub 2, password protection can be removed from a specific menu entry by adding --unlock on the menu entry line.

Setting up password protection:
There are three steps to enabling Grub 2 password protection. The user must set up the authorized users, designate the password(s), and identify the password-protected menu entries in the /etc/grub.d/ scripts.

1. Superuser & password designation (required):
A superuser must be designated. This superuser can access any menu entry, edit the menu entries in the Grub 2 menu by pressing "e", or invoke the Grub 2 command line mode. Add the following to the bottom of /etc/grub.d/00_header (the script is run when grub.cfg is regenerated, and the heredoc writes these lines into it):
cat << EOF
set superusers="user1"
password user1 password1
EOF

2. Other users (optional)
Other users can be identified and given a password. A designated user can access unprotected menu entries and their own. Add the following to the bottom of /etc/grub.d/00_header

Example:
cat << EOF
set superusers="sysadmin"
password sysadmin 1234
password user 5678
EOF

3. Designating menu entries for password protection
Once the superuser/other users and their password(s) are established, the entries to be protected must be identified. Currently Grub 2 adds no password protection to any entries upon establishment of a superuser and password in /etc/grub.d/00_header. Each entry must be identified and modified. Scripts can be used to tailor entries for specific menu entries.

Turn on SELinux protection (basic)

-Edit /etc/selinux/config file using “vi” or other text tool
-Update the configuration as follows:
SELINUX=enforcing
SELINUXTYPE=targeted

Remove unnecessary modules

-A simple loop can be used to disable them via a blacklist file in /etc/modprobe.d (blacklist takes the module name, not the path to the .ko file, and on CentOS 6 the file name must end in .conf or modprobe ignores it):
-For example, to disable the wireless modules perform:
for i in $(find /lib/modules/$(uname -r)/kernel/drivers/net/wireless -name "*.ko" -type f) ; do echo "blacklist $(basename "$i" .ko)" >> /etc/modprobe.d/blacklist-wireless.conf ; done
-Note that blacklist only stops automatic loading by alias; an explicit modprobe still works unless the module also gets an "install <module> /bin/true" line.

Linux Kernel /etc/sysctl.conf Security Hardening

-Use "vi" to edit /etc/sysctl.conf and set up a basic configuration as follows:
oLimit network-transmitted configuration for IPv4
oLimit network-transmitted configuration for IPv6
oTurn on exec shield protection
oProtect against the common 'SYN flood' attack
oTurn on source IP address verification
oPrevent a cracker from using a spoofing attack against the IP address of the server
oLog several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects

-For example:
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0
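As an added example, not part of the original post: an audit function that compares a sysctl.conf-style list like the one above against the live values under /proc/sys, so drift from the hardened baseline is reported key by key rather than read off sysctl output by hand. The /proc/sys root is a parameter (an assumption of this example) so the same function can run against a constructed test tree.

```shell
#!/bin/sh
# sysctl_audit EXPECTED_FILE [PROC_SYS_ROOT]
# EXPECTED_FILE holds "key = value" lines in /etc/sysctl.conf syntax
# ('#' or ';' comments and blank lines are ignored).  Each key is mapped to a
# file under PROC_SYS_ROOT (default /proc/sys), e.g. net.ipv4.ip_forward ->
# net/ipv4/ip_forward, and the live value is compared with the expected one.
# Prints one line per key; returns 0 only when every key exists and matches.
sysctl_audit() {
    expected="$1"
    root="${2:-/proc/sys}"
    rc=0
    # Read the file directly rather than through a pipe, so the loop body
    # runs in this shell and its changes to rc are kept.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in *=*) ;; *) continue ;; esac
        key=${line%%=*}
        want=${line#*=}
        # Unquoted expansion through "set --" squeezes surrounding and inner
        # whitespace to single spaces (sysctl values never contain globs).
        set -- $key;  key="$*"
        set -- $want; want="$*"
        case "$key" in ''|\#*|\;*) continue ;; esac
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            printf 'MISSING  %s (no %s)\n' "$key" "$path"
            rc=1
            continue
        fi
        read -r have < "$path" || true
        set -- $have; have="$*"
        if [ "$have" = "$want" ]; then
            printf 'OK       %s = %s\n' "$key" "$have"
        else
            printf 'MISMATCH %s: expected %s, got %s\n' "$key" "$want" "$have"
            rc=1
        fi
    done < "$expected"
    return $rc
}

# Run directly as: sh sysctl_audit.sh /etc/sysctl.conf
# (after "sysctl -p" has applied the file, every key should print OK)
if [ $# -gt 0 ]; then
    sysctl_audit "$@"
fi
```

A MISMATCH right after boot usually means another file or an init script sets the key later, so check what else writes to /proc/sys before trusting the value.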

Harden password policies
-vi /etc/login.defs, then change PASS_MIN_LEN from 5 to 8
-Strong passwords should be used. A strong password should have mixed case, special characters, numbers, and be at least 8 characters.
-Password complexity requirements should be in place to enforce strong password usage.
-Passwords should be changed reasonably regularly.
•echo "Passwords expire every 90 days"
•perl -pi -e 's/PASS_MAX_DAYS\s+99999/PASS_MAX_DAYS 90/' /etc/login.defs
•Note that login.defs only affects accounts created afterwards; use chage -M 90 <user> for accounts that already exist.

-The command below will update your system to use sha512 instead of md5 for password hashing (existing hashes are only replaced when the user next changes the password).

•authconfig --passalgo=sha512 --update
Time out after 15 minutes of idle time
-echo "Idle users will be removed after 15 minutes"
-echo "readonly TMOUT=900" >> /etc/profile.d/os-security.sh
-echo "readonly HISTFILE" >> /etc/profile.d/os-security.sh
-chmod +x /etc/profile.d/os-security.sh

Remove unwanted base applications
-rpm -ev iptables-ipv6 system-config-securitylevel-tui system-config-network-tui firstboot-tui wireless-tools
-rpm -ev xorg-x11-filesystem cups redhat-lsb rhpl gpm vim-enhanced pcsc-lite ifd-egate ccid coolkey

Ensure that root cannot log on through ssh
-sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config; service sshd restart
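The login.defs edits above and the sshd_config change here are the same operation: make sure a "KEY VALUE" directive has the wanted value, whether the stock line is present, commented out, or missing. As an added example (not from the original post), one idempotent function that serves both files, plus a reader that returns the effective value; the file contents in the test are constructed.

```shell
#!/bin/sh
# set_directive FILE KEY VALUE
# Idempotently ensure FILE contains exactly one active "KEY VALUE" line in the
# "KEY<whitespace>VALUE" syntax shared by sshd_config and login.defs:
#  - every active KEY line is removed,
#  - the first commented-out KEY line ("#KEY ...") is replaced in place,
#  - otherwise the directive is appended at the end.
# The file is rewritten through cat so its permissions and inode are kept.
set_directive() {
    file="$1"; key="$2"; value="$3"
    tmp="${file}.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            body = $0
            sub(/^[ \t]*#?[ \t]*/, "", body)          # drop indent and "#"
            split(body, f, /[ \t]+/)
            if (f[1] == key) {
                if ($0 ~ /^[ \t]*#/ && !done) {       # commented: replace
                    print key " " value; done = 1
                }
                next                                  # active or extra: drop
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_directive FILE KEY: print the value of the first active KEY line, which
# is the one sshd(8) honours (login.defs is left with one line per key anyway).
get_directive() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key  { print $2; exit }
    ' "$1"
}

# Usage: sh set_directive.sh FILE KEY VALUE
if [ $# -eq 3 ]; then
    set_directive "$1" "$2" "$3"
    printf '%s %s\n' "$2" "$(get_directive "$1" "$2")"
fi
```

If sshd_config contains Match blocks, a directive appended at the end lands inside the last block, so place it before the first Match by hand in that case. Restart sshd afterwards, and apply chage to existing accounts when login.defs changed.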

Ensure that root can only log on locally

-Once a server is up and running, root shouldn't be logging in directly except in emergency situations. These usually require hands at the console, so that's the only place root should be allowed to log in. To do this, we need to modify /etc/securetty. Additionally, no one other than root should be allowed in root's home directory. The default settings are close to this, but not quite paranoid enough.

echo "tty1" > /etc/securetty
chmod 700 /root

-Since we have effectively removed root's ability to log in from anywhere but the local console, it becomes necessary to use su and sudo. This offers a few secondary benefits in a multi-admin environment.

•sudo allows for granular control over privileged actions. This way a website administrator can start, stop and otherwise manage the web server without being able to affect other services.

•You get a much clearer picture of who did what in your logs, since who became root at what time is no longer a mystery.
Blocking “su” to root user

The su (Substitute User) command allows a user to become another existing user on the system. To prevent users from using su to become root, or to restrict the su command to certain users, add the following two lines to the top of the su configuration file in the /etc/pam.d directory.

Edit the su file (vi /etc/pam.d/su) and add the following two lines to the top of the file:
auth sufficient pam_rootok.so debug
auth required pam_wheel.so group=wheel
(the bare module name works on both 32-bit and 64-bit systems, where the modules live in /lib/security and /lib64/security respectively)

This example provides that only members of the ‘wheel’ group can su to root, which also includes logging.
Securing root apps

Ensure /sbin and /etc folders are owned by root. By default, normal users can reboot the system by issuing ‘reboot’ command or by pressing Ctrl-Alt-Del combo keys.

To disable the reboot command to users, ensure /sbin/halt is owned by root:
# chmod 700 /sbin/halt

To disable Ctrl-Alt-Del, edit /etc/inittab :
# vi /etc/inittab

Add a comment to the line stating, ca::ctrlaltdel:/sbin/shutdown -t3 -r now, so it reads
# ca::ctrlaltdel:/sbin/shutdown -t3 -r now

After making changes issue the command to take effect :
# /sbin/init q

By commenting out the line, restarting using Ctrl-Alt-Del is useless even to root. To shutdown, login as root and use the proper shutdown command :
# /sbin/shutdown -r now

Replace ‘r’ with ‘h’ for powering off the system.

Securing /etc/services file

Securing the "/etc/services" file prevents unauthorized deletion or addition of services. This involves adding the immutable bit to the file (remember to remove it with chattr -i before a package update that needs to modify the file). To secure the "/etc/services" file, use the command:
# chattr +i /etc/services

Hardening the IPTables

IPTables provides customization of rules depending on the user's needs. Here are some recommended IPTables configurations. The first general rule is to block everything (set the chain policy to DROP), and from there rules are added accordingly. Rules in a chain are matched in order and the first match wins, so an ACCEPT rule must come before any catch-all DROP or REJECT rule, otherwise it will never be reached.

IPTables consists of chains that control the packet flow. These chains are INPUT,  OUTPUT and FORWARD.

Here are some basic configurations:
Rules should be cleared from the beginning.
# iptables -F; iptables -t nat -F; iptables -t mangle -F

To deny everything, set the default policy of each chain to DROP (a policy only applies when no rule matched, so ACCEPT rules appended afterwards still work):
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP

These sample rules enable stateful inspection of the flowing packets. Only packets belonging to established sessions are allowed in, plus new connections that do not arrive on 'eth0' (the untrusted interface; change the name to match the network card). Loopback traffic and the replies to accepted sessions must be allowed as well, since the OUTPUT policy is DROP; connections the server itself has to open (to the repository or NTP server, for example) need their own OUTPUT ACCEPT rules:
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -P INPUT DROP
# iptables -A FORWARD -i eth0 -o eth0 -j REJECT
# service iptables save
TCP Wrappers

TCP wrapper is used to provide additional security against intrusion by controlling connections to defined services. TCP wrappers are controlled from two files.
- /etc/hosts.allow
-/etc/hosts.deny

The best policy is to deny all hosts by putting "ALL: ALL@ALL, PARANOID" in the "/etc/hosts.deny" file and then explicitly list trusted hosts who are allowed to connect to the machine in the "/etc/hosts.allow" file.

However, more advanced filtering can be achieved with the built-in IPTables utility.
Hiding the system information

echo " " >/etc/issue
echo " " >/etc/issue.net

chattr +i /etc/issue
chattr +i /etc/issue.net
Hardening network

-Remove ipv6
cp /etc/sysconfig/network /root/aspf_files/network.aspf

cat > /etc/sysconfig/network <<DELIM
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=<whatever.fine.com>
GATEWAY=<DGW>
DELIM

-Enable bonding on the network cards; the best algorithm still needs to be discussed.
Enable NTP and sync

-Sort NTP -- Should be the router once it works for NTP
cp /etc/ntp.conf /root/aspf_files/ntp.conf.aspf

sed "/[0-1].centos.pool.ntp.org/d" /etc/ntp.conf > /tmp/swap;
sed "s/2.centos.pool.ntp.org/hostname/g" /tmp/swap > /etc/ntp.conf;

ntpdate -d hostname

-Sync everything to the NTP clock before installing any applications -- Add to root cron for consistent time stamps
yum install ntp

hwclock; date; ntpdate 10.3.1.1
/usr/sbin/hwclock --systohc

** Add it to cron
cat > /tmp/crontab.txt <<DELIM
*/10 * * * * /usr/sbin/hwclock --systohc
DELIM
crontab /tmp/crontab.txt; rm -f /tmp/crontab.txt


Install sudosh

-Setup sudosh
Assuming the root password is held by security, ensure all user shells, including root's, are recorded when used; the sudosh-replay logs need to be shipped out via syslog. For the moment they are local "TPOC".
-echo "/usr/bin/sudosh" >>/etc/shells
Synchronise all group accounts

-Synchronise all group accounts across all systems to use specific GIDs, using higher numbers so there is no chance of application group overlap, e.g.

groupadd ops -g 1000
groupadd ops_support -g 1001


-Then (only use -g 10 if they need sudo for root):
useradd spannerh -n -m -c "Spanner Admin" -G 1000 -s /usr/bin/sudosh
-Use -p with a crypt(3) hash if you do not want to set the password with #passwd spannerh

Disable YUM after updates run
-Disable yum automatic updates and do it manually if needed
-List all packages installed on the system:
yum list installed  >>  ~/installed.txt

-Add it to cron
cat > /tmp/yumtab.txt <<DELIM
#!/bin/sh
/usr/bin/yum -R 120 -e 0 -d 0 -y update yum
/usr/bin/yum -R 10 -e 0 -d 0 -y update
DELIM

cp /tmp/yumtab.txt /etc/cron.daily/yum_update.cron
chmod 500 /etc/cron.daily/yum_update.cron

-Manual until we script it | list (and then kill off) the SUID/SGID files:
find / \( -perm -4000 -o -perm -2000 \) -type f -print
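Added example, not from the original post: the find(1) one-liner above wrapped so that the SUID/SGID list can be saved as a baseline, diffed on later runs, and stripped of the bits for entries the baseline did not approve. It assumes paths without spaces (ls -l output is parsed) and must run as root to see the whole tree; the files in the test are constructed.

```shell
#!/bin/sh
# suid_scan DIR...: print "mode owner path" for every setuid/setgid regular
# file under the given trees (staying on one filesystem per tree), sorted in
# the C locale so the output can be fed to comm(1).
suid_scan() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} + 2>/dev/null \
        | awk '{ print $1, $3, $NF }' | LC_ALL=C sort
}

# suid_diff BASELINE DIR...: compare a fresh scan with BASELINE (a file saved
# earlier from suid_scan).  Prints "+ mode owner path" for setuid/setgid files
# that appeared and "- ..." for ones that vanished; returns 0 when nothing
# changed, 1 otherwise.
suid_diff() {
    baseline="$1"; shift
    current=$(mktemp)
    suid_scan "$@" > "$current"
    added=$(LC_ALL=C comm -13 "$baseline" "$current")
    removed=$(LC_ALL=C comm -23 "$baseline" "$current")
    rm -f "$current"
    [ -n "$added" ]   && printf '%s\n' "$added"   | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    [ -z "$added" ] && [ -z "$removed" ]
}

# suid_strip BASELINE DIR...: remove the setuid/setgid bits from every file
# that suid_diff reports as new, i.e. not approved by the baseline.
suid_strip() {
    suid_diff "$@" | awk '$1 == "+" { print $NF }' | while read -r f; do
        chmod u-s,g-s "$f" && echo "stripped $f"
    done
}

# Usage: first "sh suid_check.sh / > /root/suid.baseline" (as root), then on
# later runs "sh suid_check.sh /root/suid.baseline /" to see what changed.
if [ $# -eq 1 ]; then
    suid_scan "$1"
elif [ $# -ge 2 ]; then
    suid_diff "$@"
fi
```

Keep the baseline off the host (or at least chattr +i it) so that whoever adds a setuid binary cannot also approve it.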

Ensure that the system cannot be messed with

-You should have a central logging system on a remote server (plus LDAP with Kerberos/PAM auth, and Samba for cooperation with other OSes).
-On critical machines a host-based IDS and a network-based IDS can be installed and configured at the software level, such as Snort, AIDE, Tripwire, LogCheck, etc.

Saturday, July 30, 2011

Frequently Asked Questions : UNIX/Linux

Q:What is virtual Memory?

A:Virtual memory is a technique used by multitasking kernels and it is part of the OS. It virtualizes hardware memory devices such as RAM and the hard disk so that applications work with relative (virtual) addressing.

Q:what is memory pressure?

A:This is a term to describe a condition or state of an operating system where most of the memory has been used, but it doesn’t mean that we are really out of memory. Just that there is now an urgent need to begin to release/swap some memory areas that we currently do not need because there is an application now requesting more memory than the one available. It may be the policy of an OS (and it is of Linux) to make the most use of resources (especially the scarce ones like main memory) and use as much memory as possible for buffers, kernel caches in order to speed up things. E.g. we may want to save in RAM one or more block read from disk, although a process only needs a few bytes of it - because it may need the rest shortly and we will not have to repeat an expensive I/O operation. This is the case with Linux that actually uses free memory as a buffer for hard drive access. When it faces a memory-pressure situation, Linux first will try to reduce the buffer space and only when this is not enough it will fall-back on paging to disk parts of a process memory that are inactive because this is slower. Even more rarely Linux will swap an entire process to disk, since resuming such a process will be resource-intensive.

There are two types of memory pressure a process can be exposed to: external and internal. To maximize its performance and reliability a process might want to react to both of them. External memory pressure might cause a process and the whole system to go into paging. Internal memory pressure might cause out-of-memory conditions and eventually the process's crash.

External memory pressure is controlled by OS. There are two types of external memory pressure such as physical dynamic memory pressure and physical “static” memory pressure. The latter type happens when a system runs out of page file. This type of memory pressure might drive the whole system into out of memory condition. You might have seen those pop ups in the right corner indicating that system runs low on virtual memory. In order to detect this type of pressure one needs to monitor the size of page file. Usually applications don’t do it.

Q:Is there a command that would show the system to be in such a state?

A:The "vmstat" (Virtual Memory STATistics) command is helpful to get memory usage details. Average since last boot:
$ vmstat

The situation every second:
$ vmstat 1 (Ctrl-C to stop the output)

The most interesting columns in the output are:
-for central memory
free: the amount of idle (free) memory

-for disk
si: amount of memory swapped in from disk (/s), aka page-ins
so: amount of memory swapped out to disk (/s), aka page-outs

As a rule of thumb if free memory is less than 5% of the total memory in more than 10 samples per 100 we could say that the system is under “memory pressure". Adding more memory and/or better distributing the workload during the day may be a cure here.
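As an added example that is not part of the original post, the rule of thumb above turned into a check over "vmstat 1" output: a sample is "low" when its free column is under 5% of the machine's total memory, and the run is flagged when more than 10% of the samples are low. The output in vmstat_sample_pressure is constructed for a 2 GB box; a real run would pipe in vmstat 1 100 with MemTotal taken from /proc/meminfo.

```shell
#!/bin/sh
# memory_pressure_check TOTAL_KB [VMSTAT_FILE]
# Reads "vmstat 1" output from VMSTAT_FILE (stdin when omitted).  A sample is
# "low" when its free column (4th field, kB) is under 5% of TOTAL_KB; the
# system is flagged when more than 10% of the samples are low.  The swap-out
# column (so, kB/s) is summed as a second indicator.  Prints one summary line
# and returns 0 = fine, 1 = memory pressure, 2 = no usable samples.
memory_pressure_check() {
    total_kb="$1"
    awk -v total="$total_kb" '
        $1 !~ /^[0-9]+$/ { next }        # header lines ("procs", "r b swpd ...")
        NF < 16          { next }        # truncated line
        ++seen == 1      { next }        # first data row is the since-boot average
        {
            n++
            if ($4 < total * 0.05) low++
            so_kb += $8
        }
        END {
            if (n == 0) { print "no samples"; exit 2 }
            pct = 100 * low / n
            printf "%d of %d samples below 5%% free (%.1f%%), swap-out sum %d kB\n", low, n, pct, so_kb
            if (pct > 10) exit 1
            exit 0
        }
    ' "${2:--}"
}

# Constructed "vmstat 1" output (17 columns, as on CentOS) for a 2 GB box:
# the first data row is the boot average, then 10 one-second samples of
# which three have free memory below 5% (102400 kB).
vmstat_sample_pressure() {
    cat <<'EOF'
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 1  0      0 600000  40000 900000    0    0    12     6  120  240  3  1 96  0  0
 2  0      0  90000   8000 120000    0  400    30   600  300  800  5  3 80 12  0
 3  1   5000  60000   6000 100000  200  900    40   900  350  900  6  4 70 20  0
 2  0   9000  80000   7000 110000  100  500    20   500  280  700  4  2 84 10  0
 1  0   9000 300000  15000 400000    0    0    10     4  110  200  2  1 97  0  0
 1  0   9000 350000  16000 420000    0    0     8     3  105  190  2  1 97  0  0
 0  0   9000 400000  17000 450000    0    0     5     2  100  180  1  1 98  0  0
 0  0   9000 420000  18000 460000    0    0     4     2  100  180  1  1 98  0  0
 1  0   9000 450000  19000 470000    0    0     6     3  102  185  1  1 98  0  0
 0  0   9000 460000  20000 480000    0    0     3     1   98  175  1  0 99  0  0
 0  0   9000 470000  20000 490000    0    0     2     1   97  170  1  0 99  0  0
EOF
}

# Usage on a live box (TOTAL_KB is the MemTotal line of /proc/meminfo):
#   vmstat 1 100 | sh memcheck.sh "$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)"
if [ $# -ge 1 ]; then
    memory_pressure_check "$@"
fi
```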

Q:what is a page fault?

A:A page fault is an interrupt to the software raised by the hardware, when a program accesses a page that is mapped in address space, but not loaded in physical memory. It occurs when the kernel needs a page of memory but this page does not exist in RAM, because it has been written to disk (we say “paged-out”). Thus it has to be re-read from disk (a “page-in” operation).

Q:what is the oom-killer and when is it triggered?

A:The OOM-killer is the out-of-memory process killer and it is related to overcommitment of memory. The oom-killer starts killing processes in order to free some memory up. The default behaviour of the oom-killer, i.e. which processes it starts to kill, is tied to the sysctl(8) parameter vm.overcommit_memory. Major distribution kernels set the default value of /proc/sys/vm/overcommit_memory to zero, which means that processes can request more memory than is currently free in the system.

If a system is brought to its knees, intense paging is causing performance to suffer and everything else fails, Linux will kill some processes (OOM stands for Out of Memory) to keep the machine up. It may seem terrible, but in such severe situations the alternative would be to panic or lock up the system, which is not better. It is a sacrifice made in order to free up memory for the system to be usable and actually do something :) Linux will try to find the best candidate for elimination and here are the heuristic criteria used (from some kernel source code comments):

1) we lose the minimum amount of work done
2) we recover a large amount of memory
3) we don’t kill anything innocent of eating tons of memory
4) we want to kill the minimum amount of processes (one)
5) we try to kill the process the user expects us to kill, this algorithm has been meticulously tuned to meet the principle of least surprise ... (be careful when you change it)

Q:Can the sysadmin force the OOM killer to start?

A:Of course, by sending the Magic SysReq command “f”. It could be a better alternative to a hard reboot. Usually preceded by a SysReq “m” to dump some kernel memory stats. Alternatively, sysadmin can do that by creating out of memory conditions and the oom killer policy can be handled and managed by sysadmins defining the priority of processes. I mean, it can be configured.

Q:Can the kernel swap to a ramdisk?

A:Yes it can. This can be done by using sysctl vm.swappiness. The vm.swappiness is a tunable kernel parameter that controls how much the kernel favors swap over RAM (using swap tendency by assigning mapped ratio etc.).

Q:How can a 32-bit system use more than 4GB of RAM?

A:That can be done by installing a PAE (Physical Address Extension) enabled kernel. That will allow us to use more than 4GB of RAM. An OS can do that through virtual memory provided that there is some kind of hardware support, because the 4 GB limit only refers to the amount of memory *directly* addressable with 32 bits. A single application can continue to use 32-bit virtual addresses and thus will still be limited to 4G, but more than one application can use more than 4 GB altogether, because the OS can map each 4GB virtual address space into a larger physical memory space.

E.g. since 1995 Intel processors, starting from the Pentium Pro, incorporate a feature called PAE (Physical Address Extension) that augments the address lines from 32 bits to 36 bits, thus allowing 16*4GB=64GB of memory to be addressed (at least theoretically, in practice it is a bit less because there are some memory-mapped devices). The Linux kernel supports PAE as a build option and most of Linux distributions are already PAE enabled.

Q:How does one list the pci peripherals connected to the system?

A:Running the "lspci" command lists the PCI peripherals connected; see lspci(8). I often use:
$ lspci | grep -i net

to identify the wireless interface,
$ lspci | grep VGA
for the graphics card, etc.

Some other methods can be used as well, for example:
"lshal" (hardware abstraction layer) would be one of the better solutions to get all the devices/peripherals connected to the system. Alternatively we can use "lsdev" for the same purpose. There are several methods/commands to do that.
There are also:
$ cat /proc/cpuinfo
to find CPU specification
$ cat /proc/meminfo = memory information
$ lsmod = list of loaded kernel modules
$ dmesg = examine the kernel ring buffer

If one has root privileges:
# dmidecode
to dump BIOS info and overall hardware in a system
# hdparm -I /dev/sda (repeat for sdb, sdc, etc)
detailed IDE/SATA HDD info

Q:What is a filesystem and what are the main structures used in?

A:A file system is a structure used to organize and access files on a storage device; the most popular storage device is the hard disk. It is a kind of database that stores files (both file metadata and data), usually in secondary memory and organizes them in a hierarchical structure of nested directories for easy retrieval by humans.

The basic purpose of a file system is to organize files and provide access to those files. The primary organization method is called the hierarchical structure. The entry point to this structure is called the root or top-level. The two basic elements of the structure are folders and files. Folders are used to hold more files and folders. By starting at the root folder and opening a folder in the root, you are moving one level deeper into the hierarchy.
The main structures are: files; directories (in Unix a directory is just a special kind of file containing a list of file names and their respective inode numbers); metadata structures (in Unix these are called inodes and store all the info about a certain file/directory or other object in the file system except its data and name); data storage structures (called clusters or blocks and usually consisting of a fixed number of disk sectors); and indexes that allow both quick random access to an arbitrary block in a particular file (from simple linked lists to combined B-trees and hashes as in ext3) and quick translation between names and inodes (Linux uses a cache for that).

Q:Do all filesystems implement all the file and directory access system calls? When making a directory for instance, do filesystems share the same code in the syscall?

A:The system call is the fundamental interface between an application and the kernel, so the answer is yes. Filesystems share the same code (inode) in the syscall if the directory is hard-linked, but not in the case of symbolic links.

Linux supports a very wide range of filesystems, both old and new types and some more exotic e.g. for clustering, cryptography. There are virtual FSs as well, such as /proc. One can even create his own FS by writing code in user space only (see the FUSE project).

Of course it won’t be possible to support many different types of FSs and target storage devices transparently to applications without some sort of abstraction and layered architecture. The Virtual File System (VFS) in the Linux kernel defines a common set of API functions that every FS has to implement so that for example the mkdir(2) function call doesn’t have to be aware of the file system types or the particular storage medium upon which the file system is mounted. User applications deal with a consistent generic system call interface rather than having to worry about differences in individual FS implementations. Anyway a filesystem doesn’t have to implement all the FS calls found in the GNU C Library. Let’s say that I develop an awkward FS where there is no concept of directories, trying to call the mkdir(2) function on it will return the EPERM error code.

Q:Is it possible to have a hard link spanning two files in different filesystems and what is the reason?

A:The answer is definitely no. Hard links cannot cross file system boundaries. This is because all hard links are based upon inode numbers and nothing else. In other words, as shown by "ls -i", two or more hard links to the same file share the same inode number. Inodes are only guaranteed to be unique within a single filesystem. If Linux allowed a hard link to be created to a file in a different filesystem, there would be ambiguity about which filesystem the inode number belongs to. Hard links cannot span filesystems because an inode number is meaningless outside of the inode's own filesystem. But we can do that with a symlink.

Q:Can we use 8k block ext3 filesystems on x86 machines?

A:Of course not. On x86, a filesystem block is just about always 4KiB, the default size, and never larger than the size of a memory page. It is not possible to have a block size greater than 4KiB. It is possible to use an 8KiB block size on Intel Itanium and other architectures that support 8KiB pages.

Q:What are the reasons why some applications insist on accessing raw devices?

A:Complex applications like database management systems (DBMS) usually do their own caching. So they need access to raw devices, which can be used to perform raw I/O with existing block devices while bypassing the caching that the kernel normally associates with block devices. We can also say that raw devices are suitable for applications like a DBMS. So, applications like an RDBMS are known to use raw disk directly instead of file system storage, mostly to bypass the system buffer cache, because they already implement their own cache in a way that is better tailored to the application's needs. If these applications are well engineered they can perform better on a raw device, e.g. with better throughput. The drawback is that raw disk partitions cannot be managed by the OS (e.g. with Unix shell commands): only the application knows about the format, and for the OS it is just a bunch of contiguous disk blocks without any known structure. Another reason could be that an application would like to implement its own kind of network file system for accessing the same data concurrently from many hosts.

Q:What type of file system would be most suitable for a character device?

A:Raw filesystems because character devices are read and written directly without buffering and this is exactly why one usually wants to use a raw filesystem.
On the contrary block devices can only be read/written via the buffer cache and in fixed block sizes or multiples of the block size. A raw device is seen by Linux as a character device but it is actually bound to an existing block device (usually a disk).

Q:What is an access control list? How is it used in Linux?

A:An access control list (ACL) is a table that defines the user privilege policy of the operating system. It defines which access rights each user has to a particular system object, such as a directory or individual files. The most common privileges are the ability to read/write/execute data/files/directories (rwx). In short, it is known as the filesystem permission (access privilege) list and its entries. Each file or directory can have an associated ACL that lists the permission rules to be applied to it. Each of the rules within an ACL is called an access control entry, or ACE. In general, an access control entry identifies the user or group to which it applies and specifies a set of permissions to be applied to those users. ACLs have no set length and can include permission specifications for multiple users or groups.

Traditionally, Unix allows the assignment of permissions (rwx plus some special flags: SUID, SGID and the sticky bit) for three classes of users only: the file owner, the owning group and all other users. This is sufficient in most situations, but more complex permission models may require the assignment of permissions to individual users or groups even if these do not correspond to the owner or the owning group. Such fine-grained control is provided by POSIX ACLs, which are, for example, well supported by Linux 2.6 and the Ext3 FS.

Here is an example performed on my tablet:
$ sudo -s
# cd /tmp
# dd if=/dev/zero of=partition.img bs=1k count=10000
# losetup /dev/loop0 partition.img
# mkfs.ext3 -c /dev/loop0 10000
# mkdir partition
# mount -t ext3 -o acl /dev/loop0 partition
# cd partition
# cat > data.csv
I am Debian fan and Free Software promoter
^D
# chmod go= data.csv
# getfacl data.csv
# file: data.csv
# owner: root
# group: root
user::rw-
group::---
other::---
# setfacl -m u:myfriend:r-- data.csv
# getfacl --omit-header data.csv
user::rw-
user:myfriend:r--
group::---
mask::r--
other::---
# cd ..
# umount partition
# losetup -d /dev/loop0
^D

Q:What is the main binary executable format used in linux and the most important components of this format?

A:The standard ELF (Executable and Linkable Format). It is used for both regular binary executables, shared libraries, object code (.o files) and core dumps (e.g. useful for post-mortem debugging), because their internal structure is quite similar. An ELF file starts with an ELF header, followed by an image header and the actual data. This is divided into sections, a concept familiar to any Assembly language programmer.

section   type of information
.text     executable code
.data     initialized data variables
.bss      uninitialized data

I remember the old MS-DOS COM format, everything jumbled together with no structure. At that time there was no memory protection and program code could modify itself, a "feature" not very useful in common programming but exploited mostly by mutant viruses :) Now the Linux kernel maps the .text segment into pages that are readable and executable but not writable, while .data pages are read-write and not executable (the W^X rule that makes code injection harder). .bss sections take up no space in the executable: they only record how many zero-filled bytes the loader must reserve, so the segment's memory size is larger than its file size. Each ELF file normally also includes a symbol table that holds data for linking, relocation and debugging (the debugging part is optional and is usually stripped out of production binaries to reduce their size; file(1) reports such binaries as "stripped").

For example I can use a function not defined in my code but in an external shared library, a very common situation: say I use printf(3) from the standard C I/O library to output a string. When I compile my code I still cannot know the final address to put in the CALL instruction, and I do not even know the absolute addresses of the operands that must be passed before the call is made (assuming the parameters are not all constants). But I can put aside all the information needed to compute these addresses later on: the type of relocation, which symbol is referenced, the relative address of the operand in one of the .data or .bss sections, and so on. The dynamic linker (ld.so, started by the kernel together with the program) uses this information at load time to resolve the symbols and patch the references, producing a usable image in memory. Summarizing: the machine code found in an executable is not in a ready-to-run state; some references can only be resolved when the program is loaded in memory. On modern systems this is also where address-space layout randomization comes in: a position-independent executable keeps all such references relocatable so that it can be loaded at a different base address on every run.

Q:what is linking?

A: Linking is the process of combining various pieces of code and data into a single executable that can be loaded in memory. Linking can be done at compile time (by linkers, e.g. GNU ld), at load time (by the dynamic loader, on Linux ld.so, a user-space program the kernel starts together with the executable) and also at run time (by the application itself, through dlopen(3)). During the early days of computing it was done manually :)

A considerable overlap exists between the functions of linkers and loaders. One way to think of them is: the loader brings the program from disk to RAM, allocates storage space and maps file pages to virtual addresses; the linker does all the symbol resolution that can be done at compile time; and either of them can do the relocation and the merging of all sections of the same type.

Q:what is a shared library?

A: A shared library is a library that lets executables access external functionality at run time, so the code is not copied into each binary and one copy of its pages can be shared by every process that uses it, reducing the overall memory footprint. On Linux there are two kinds of libraries, static (.a) and shared (.so). Shared libraries can be used in two different ways: dynamic linking, where the loader resolves the dependencies when the program starts, and dynamic loading, where the program itself loads the library at run time under its own control (dlopen(3)).

Shared libraries are an improvement over static libraries. The latter allow code reuse but require the linker to extract all the library functions used and make them part of the executable, which can make it rather large. When linking your program against a shared library, on the contrary, no code is copied from the library into your binary; only the information the loader needs is saved. The loader adds all the shared-library functions used by your program to its address space at run time, not at compile time as happens with static libraries. As the name implies, shared libraries are actually shared by multiple programs and can be upgraded centrally, which is also why a vulnerable shared library is fixed with one package update while a statically linked copy has to be rebuilt into every binary that embeds it.

Linking, relocation, static/shared libraries and shared code segments are all a complication, but necessary to support code reuse, keep executable size low and save computational resources.

Q:How can one see all the shared libraries which a binary is linked to?

A: When an ELF executable is started the kernel maps its loadable segments into the new process' virtual address space and then looks at the PT_INTERP entry (the ".interp" section), which names the dynamic linker to be used: /lib/ld-linux.so.2 (or /lib64/ld-linux-x86-64.so.2 on 64-bit systems). ld-linux.so is itself a shared object, but it is statically linked and has no dependencies of its own; the kernel maps it as well and transfers control to it, and it is the dynamic linker, not the kernel, that reads the DT_NEEDED entries of the executable and of every library it pulls in, recursively, and maps them. To list all the shared libraries a binary or shared object depends on, with the path each one resolves to, run "ldd /path/of/binary".
E.g. ldd -v /usr/bin/vi

Caveat: ldd works by running the program's own dynamic linker with LD_TRACE_LOADED_OBJECTS=1, and some ldd implementations simply execute the binary, so never run it on an untrusted or suspicious file (a crafted PT_INTERP can point at anything). For such files use a tool that only reads the headers: readelf -d file | grep NEEDED, or objdump -p file | grep NEEDED.

Q:By removing (accidentally) all the links in the /lib directory leaving the binaries will cause many applications loading problem. What is the best way of finding the links through which a library should be accessed and how can one recover from this situation?

A: Inspecting another similar working system and recreating the links by hand may help the budding sysadmin here, although it is not the fastest way :) (see below). /lib holds only the libraries necessary to boot the system and to run the commands in the root filesystem, so it is not a long list to go through; to keep the root partition small, most libraries are put in /usr/lib.

The run-time loader finds a library by its "soname", which includes only the major version number (for example "libfoo.so.1"). The soname is recorded inside the library itself, as the DT_SONAME entry of its dynamic section, and is not taken from the file name. Therefore a new minor version of the library can be installed and existing programs will use it automatically. Of course, it is critical to change the major version number if calling sequences change in an incompatible way. Several libraries with different major version numbers can be installed at once, and in fact need to be, until all programs using the library have been recompiled.

There should also be a symbolic link with no version number (for example "libfoo.so"), which is used at compile time by the linker to find the current version.

ldconfig scans the trusted directories (/lib, /usr/lib and those listed in /etc/ld.so.conf) plus any directory given on the command line, creates or updates for each shared library a symbolic link named after its soname that points to the newest version found, and rebuilds the /etc/ld.so.cache lookup cache. So to recover it suffices to run:
# ldconfig /lib

ldconfig is built as a static binary for exactly this situation, so it runs even while the libc links are gone. Two things it will not do: it does not recreate the unversioned development links (libfoo.so), which must be restored by hand or by reinstalling the -dev/-devel packages; and it links each soname to whatever file claims it, so if /lib was tampered with rather than cleaned out by mistake, verify the libraries against the package database (rpm -V, debsums) before trusting the result.
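The ELF answer above describes the program header table, the .interp section and the DT_NEEDED entries, and the ldd and ldconfig answers both depend on reading them. This added example, written for this page and not taken from any tool or project, does what ldd and ldconfig do at the file level without executing anything: it walks the program headers of an ELF64 little-endian image, follows PT_INTERP and PT_DYNAMIC, maps DT_STRTAB back to a file offset through the PT_LOAD segments, and reports the interpreter, the DT_NEEDED list, the DT_SONAME and any rpath/runpath. soname_link then computes the link ldconfig would create. build_sample_elf constructs a minimal, non-runnable ELF image as input so the example works offline; pass a path on the command line to inspect a real x86-64 binary (32-bit and big-endian files are deliberately rejected).

```python
"""Read what ld.so reads from an ELF64 file (program headers and the dynamic
segment) without executing it: interpreter, DT_NEEDED, DT_SONAME, rpath."""
import os
import struct
import sys

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB, DT_SONAME, DT_RPATH, DT_RUNPATH = 0, 1, 5, 14, 15, 29
EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian, 64 bytes
PHDR = "<IIQQQQQQ"           # Elf64_Phdr, 56 bytes
DYN = "<qQ"                  # Elf64_Dyn, 16 bytes


def parse_dynamic(data):
    """Return a dict with type, interp, needed, soname, rpath, runpath for an
    ELF64 little-endian image given as bytes. A static binary has no
    PT_DYNAMIC and yields an empty needed list."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_type, phoff, phentsize, phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    loads, interp, dynamic = [], None, None
    for i in range(phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, data, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_INTERP:       # the .interp section as the kernel sees it
            interp = data[p_off:p_off + p_filesz].rstrip(b"\0").decode()
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    info = {"type": "DYN" if e_type == 3 else "EXEC", "interp": interp,
            "needed": [], "soname": None, "rpath": None, "runpath": None}
    if dynamic is None:
        return info

    def file_offset(vaddr):
        # DT_STRTAB is a virtual address: map it back through the PT_LOAD segments
        for va, off, size in loads:
            if va <= vaddr < va + size:
                return vaddr - va + off
        raise ValueError("address %#x not backed by any PT_LOAD" % vaddr)

    entries = []
    for pos in range(dynamic[0], dynamic[0] + dynamic[1], 16):
        tag, val = struct.unpack_from(DYN, data, pos)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    strtab = file_offset(next(v for t, v in entries if t == DT_STRTAB))

    def cstr(idx):
        return data[strtab + idx:data.index(b"\0", strtab + idx)].decode()

    names = {DT_SONAME: "soname", DT_RPATH: "rpath", DT_RUNPATH: "runpath"}
    for tag, val in entries:
        if tag == DT_NEEDED:
            info["needed"].append(cstr(val))
        elif tag in names:
            info[names[tag]] = cstr(val)
    return info


def soname_link(path, soname):
    """The link ldconfig would create for this file: <dir>/<soname> -> <file>.
    None when the file is already named after its soname (or has none)."""
    if soname is None or os.path.basename(path) == soname:
        return None
    return os.path.join(os.path.dirname(path), soname), path


def build_sample_elf():
    """Constructed input, not a runnable program: a minimal ELF64 image with
    one PT_LOAD, a PT_INTERP and a PT_DYNAMIC carrying NEEDED/SONAME/RUNPATH."""
    base = 0x400000
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    strtab, idx = b"\0", {}
    for s in (b"libc.so.6", b"libfoo.so.1", b"libbar.so.1", b"$ORIGIN/../lib"):
        idx[s] = len(strtab)
        strtab += s + b"\0"
    phnum = 3
    interp_off = 64 + 56 * phnum
    strtab_off = interp_off + len(interp)
    dyn_off = strtab_off + len(strtab)
    dyn = b"".join(struct.pack(DYN, t, v) for t, v in (
        (DT_NEEDED, idx[b"libc.so.6"]), (DT_NEEDED, idx[b"libfoo.so.1"]),
        (DT_SONAME, idx[b"libbar.so.1"]), (DT_RUNPATH, idx[b"$ORIGIN/../lib"]),
        (DT_STRTAB, base + strtab_off), (DT_NULL, 0)))
    total = dyn_off + len(dyn)
    phdrs = ((PT_LOAD, 5, 0, base, base, total, total, 0x1000),
             (PT_INTERP, 4, interp_off, base + interp_off, base + interp_off,
              len(interp), len(interp), 1),
             (PT_DYNAMIC, 6, dyn_off, base + dyn_off, base + dyn_off,
              len(dyn), len(dyn), 8))
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + b"\0" * 9, 3, 62, 1, base,
                       64, 0, 0, 64, 56, phnum, 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR, *p) for p in phdrs) + interp + strtab + dyn


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(parse_dynamic(data))
```

Only the program headers are consulted, never the section headers: that is how ld.so itself works, and it is why a binary with a stripped or corrupted section table still runs (and still yields its dependencies to this parser) while section-based tools give up.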

Q:Is it possible to override the functions defined in a shared library when running an application?

A: Yes. The GNU dynamic linker lets you interpose your own definition of a function ahead of the library's one by listing a shared object in the LD_PRELOAD environment variable (or in /etc/ld.so.preload): symbols in the preloaded object are resolved first. This requires neither modifying the library's source code nor root permissions to install a patched version of the library, and it is useful for debugging, tracing or transparent extensions. Two caveats: for set-user-ID and set-group-ID programs the dynamic linker ignores LD_PRELOAD and LD_LIBRARY_PATH (only objects in the standard search directories are honoured), so this cannot be used to inject code into privileged binaries; conversely, anyone who can write /etc/ld.so.preload or a library in the standard search path gets code execution in every dynamically linked process, so those files deserve integrity monitoring.
It is a feature of the GNU dynamic linker ld.so(8), well explained here:
http://www.ibm.com/developerworks/linux/library/l-glibc.html

Q:What kind of memory protection is needed in order for the operating system to correctly implement shared libraries?

A: Shared libraries are built with a technique for placing library functions into a single unit that can be shared by multiple processes at run time, which saves both disk space and RAM. What makes that possible is virtual memory with per-page protection: the same physical pages holding the library's code are mapped read-only and executable into every process that uses it, its data pages are mapped private and copy-on-write so that a process writing to them gets its own copy, and the library is built as position-independent code (or relocated per process) because it will sit at different addresses in different address spaces. Then, I think that PROT_READ (which is meant to mark code pages as read-only) can be a suitable protection for the memory region in order for the operating system to correctly implement shared libraries. But I am not sure about it, as I have not had the chance to deal much with shared libraries in my experience.

Q:What is the meaning of an unfinished syscall?

A: strace prints a system call on one line, as "name(args) = result", after the call returns. With -f, when the traced process is blocked inside a call and another traced process or thread makes a call in the meantime, strace cannot wait: it prints what it has of the first call followed by "<unfinished ...>", then the other call, and later "<... name resumed> ...) = result" when the first one returns, preserving the real order of events. The same marker appears when the process is killed, exits, or the trace ends while the call is still pending, which is why a stuck process shows a single unfinished line: the call never came back.
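Reading interleaved strace -f output by eye is error-prone, so here is an added example (written for this page, not part of the original post) that pairs each "<unfinished ...>" line with its "<... resumed>" partner per PID and reports every call once, with its start and end timestamps. The SAMPLE text is a constructed strace -f -tt excerpt: three processes interleave, and pid 1236's sync() never resumes, which is exactly what the stuck sync in the next questions looks like in a trace.

```python
"""Pair `<unfinished ...>` and `<... resumed>` lines from `strace -f -tt`
output so that each system call is reported once with its real start and end."""
import re

LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<rest>.*)$")
UNFINISHED = re.compile(r"^(?P<call>\w+)\((?P<args>.*?)\s*<unfinished \.\.\.>$")
RESUMED = re.compile(r"^<\.\.\. (?P<call>\w+) resumed>\s*(?P<tail>.*)$")
COMPLETE = re.compile(r"^(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>.*)$")

# Constructed sample of `strace -f -tt` output: three processes interleave, so
# strace has to split two calls in the middle; pid 1236's sync() never returns.
SAMPLE = """\
1234 10:00:00.000100 write(1, "hello\\n", 6 <unfinished ...>
1235 10:00:00.000150 read(0,  <unfinished ...>
1234 10:00:00.000200 <... write resumed> ) = 6
1236 10:00:00.000300 sync( <unfinished ...>
1235 10:00:00.000400 <... read resumed> "x", 1) = 1
1234 10:00:00.000500 close(1)           = 0
"""


def reconstruct(text):
    """Return (completed, pending).

    completed: dicts {pid, call, args, ret, start, end} in the order the
    calls finished. pending: {pid: dict} for calls still in progress when
    the trace ended, i.e. an unfinished line with no resumed partner."""
    pending, completed = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, ts, rest = m["pid"], m["ts"], m["rest"].strip()
        if (u := UNFINISHED.match(rest)):
            pending[pid] = {"pid": pid, "call": u["call"],
                            "args": u["args"].strip(), "start": ts}
        elif (r := RESUMED.match(rest)):
            call = pending.pop(pid, None)      # strace never resumes without an unfinished
            if call is None or call["call"] != r["call"]:
                raise ValueError("resumed %s with nothing matching pending for pid %s"
                                 % (r["call"], pid))
            argtail, _, ret = r["tail"].rpartition("=")
            argtail = argtail.strip()
            if argtail.endswith(")"):          # the rest of the argument list, then ')'
                argtail = argtail[:-1]
            call["args"] = (call["args"] + " " + argtail).strip()
            call.update(ret=ret.strip(), end=ts)
            completed.append(call)
        elif (c := COMPLETE.match(rest)):
            completed.append({"pid": pid, "call": c["call"], "args": c["args"],
                              "ret": c["ret"], "start": ts, "end": ts})
    return completed, pending


if __name__ == "__main__":
    done, stuck = reconstruct(SAMPLE)
    for call in done:
        print("%s %s(%s) = %s  [%s .. %s]" % (call["pid"], call["call"], call["args"],
                                              call["ret"], call["start"], call["end"]))
    for pid, call in stuck.items():
        print("%s %s(%s) still pending since %s" % (pid, call["call"], call["args"], call["start"]))
```

Feed it a real trace with `strace -f -tt -o trace.log ...` and run the script over the file; the pending dictionary is the list of calls that were in flight when you detached, which for a D-state process is the one you care about.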

Q:How can one tell exactly where the process is stuck, or how to debug the problem further?

A: A process is said to be "stuck" when it cannot proceed because it is waiting for an event that cannot, or does not, occur. To find out where, look at it from outside first: /proc/PID/status gives its state, /proc/PID/wchan (and, as root, /proc/PID/stack) gives the kernel function it is blocked in, strace -p PID shows which system call it is sitting in, and gdb -p PID shows the user-space call stack. Attaching to the running process is usually preferable to restarting it under a debugger with breakpoints, because a hang may not reproduce; if it does reproduce reliably, running it from the debugger from the start is the more comfortable option.

Q:Superuser runs 'sync' on a linux system, but this command never returns, doing 'ps auxw | grep sync' the sysadmin notices that it is in 'D' state. Can the sysadmin kill this process? The sysadmin tried to strace the process, which only showed the unfinished sync() syscall.

A: A process in state D is in uninterruptible sleep, usually inside the kernel waiting for I/O. Signals, including SIGKILL, are queued but not acted upon until the system call returns, so neither users nor root can kill it from user space; kill -9 appears to do nothing. It typically means the process holds a kernel lock or is waiting on a device, in this case for dirty pages to reach a disk that is no longer answering. Before rebooting, check what it waits on (cat /proc/PID/wchan, /proc/PID/stack, and dmesg for I/O errors and "hung task" messages): if the underlying device recovers, the process completes by itself. If not, the only way out is a reboot, and since sync could not complete, expect unflushed data and filesystem checks on the next boot.

Q:The sysadmin rebooted the system, and now the boot loader is not working properly, and GRUB complains about a problem at stage 1.5. What should one do?

A: A GRUB (legacy) error at stage 1.5 means that the first-stage code in the MBR ran but could not load or use stage 1.5, the small filesystem driver stored in the sectors right after the MBR that is needed to read /boot/grub; after an unclean shutdown that area or the boot filesystem itself is typically damaged. The fix is to reinstall the boot loader: boot from a live CD or USB stick, run fsck on the root (and /boot) filesystem, mount it, chroot into it and run grub-install against the boot disk (for example /dev/sda, not a partition). grub-install rewrites only the boot code in the MBR and the embedded sectors, not the partition table, so it does not damage the installed system; run the filesystem check first, though, because the failed sync() suggests the filesystem may be inconsistent as well.

Tuesday, May 10, 2011

Disk Error on Block UNIX/Linux OS (mainly Solaris)

One of the most common problems we encounter is a disk error on a block. The best way to begin is to start the investigation from the log files.

Incident:
Mar 7 18:00:49 sarge scsi: [ID 107833 kern.notice] Requested Block: 27982496 Error Block: 27982496

Mar 7 18:00:47 sarge scsi: [ID 799468 kern.info] ssd127 at scsi_vhci0: name g60060e8005436200000043620000015e, bus address g60060e8005436200000043620000015e
Mar 7 18:00:47 sarge genunix: [ID 834635 kern.info] /scsi_vhci/ssd@g60060e8005436200000043620000015e (ssd127) multipath status: optimal, path /pci@25,700000/SUNW,qlc@0/fp@0,0 (fp1) to target address: w50060e8005436211,37 is online Load balancing: round-robin
Mar 7 18:00:48 sarge scsi: [ID 107833 kern.warning] WARNING: /scsi_vhci/ssd@g60060e80054362000000436200000045 (ssd78):
Mar 7 18:00:48 sarge scsi: [ID 107833 kern.notice] Requested Block: 6463744 Error Block: 6463744
Mar 7 18:00:48 sarge scsi: [ID 107833 kern.notice] Vendor: HITACHI Serial Number: 50 043620045
Mar 7 18:00:48 sarge scsi: [ID 107833 kern.notice] Sense Key: Unit Attention
Mar 7 18:00:48 sarge scsi: [ID 107833 kern.notice] ASC: 0x3f (reported LUNs data has changed), ASCQ: 0xe, FRU: 0x0
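The record above is worth reading carefully before touching any disk: the sense key is Unit Attention with ASC 0x3f/ASCQ 0x0e ("reported LUNs data has changed"), which is the array telling the host that its LUN inventory changed, not a bad block. The following added example, written for this page and not taken from any Solaris tool, groups the kern.warning/kern.notice lines of such records per device and classifies them so that a real media error stands out. The first record in SAMPLE_LOG is the ssd78 record from the incident above; the second (ssd79, "Media Error") is constructed to show what an unrecovered read error looks like.

```python
"""Extract the SCSI error records from Solaris messages-file lines and tell a
bad block from an array-side configuration change."""
import re

WARN = re.compile(r"kern\.warning\] WARNING: (?P<path>\S+) \((?P<dev>\w+)\):")
BLOCK = re.compile(r"Requested Block: (?P<req>\d+) Error Block: (?P<err>\d+)")
VENDOR = re.compile(r"Vendor: (?P<vendor>\S+) Serial Number: (?P<serial>.+?)\s*$")
SENSE = re.compile(r"Sense Key: (?P<key>[A-Za-z ]+?)\s*$")
ASC = re.compile(r"ASC: (?P<asc>0x[0-9a-f]+) \((?P<text>[^)]*)\), ASCQ: (?P<ascq>0x[0-9a-f]+)")

MEDIA_KEYS = {"Media Error", "Hardware Error"}   # the drive or its medium is failing
ASC_LUNS_CHANGED = 0x3f                           # "reported LUNs data has changed"

# First record: the ssd78 lines from the incident above. Second record:
# constructed, the shape a genuine unrecovered read error takes.
SAMPLE_LOG = """\
Mar 7 18:00:48 sarge scsi: [ID 107833 kern.warning] WARNING: /scsi_vhci/ssd@g60060e80054362000000436200000045 (ssd78):
Mar 7 18:00:48 sarge scsi: [ID 107833 kern.notice] Requested Block: 6463744 Error Block: 6463744
Mar 7 18:00:48 sarge scsi: [ID 107833 kern.notice] Vendor: HITACHI Serial Number: 50 043620045
Mar 7 18:00:48 sarge scsi: [ID 107833 kern.notice] Sense Key: Unit Attention
Mar 7 18:00:48 sarge scsi: [ID 107833 kern.notice] ASC: 0x3f (reported LUNs data has changed), ASCQ: 0xe, FRU: 0x0
Mar 7 18:05:12 sarge scsi: [ID 107833 kern.warning] WARNING: /scsi_vhci/ssd@g60060e80054362000000436200000046 (ssd79):
Mar 7 18:05:12 sarge scsi: [ID 107833 kern.notice] Requested Block: 1048576 Error Block: 1048580
Mar 7 18:05:12 sarge scsi: [ID 107833 kern.notice] Vendor: HITACHI Serial Number: 50 043620046
Mar 7 18:05:12 sarge scsi: [ID 107833 kern.notice] Sense Key: Media Error
Mar 7 18:05:12 sarge scsi: [ID 107833 kern.notice] ASC: 0x11 (unrecovered read error), ASCQ: 0x0, FRU: 0x0
"""


def parse_scsi_events(text):
    """Group each kern.warning header with the kern.notice lines that follow it."""
    events, cur = [], None
    for line in text.splitlines():
        if (m := WARN.search(line)):
            cur = {"dev": m["dev"], "path": m["path"], "blocks": [], "vendor": None,
                   "serial": None, "sense": None, "asc": None, "ascq": None, "asc_text": None}
            events.append(cur)
        elif cur is None:
            continue                      # notice lines before any header: nothing to attach to
        elif (m := BLOCK.search(line)):
            cur["blocks"].append((int(m["req"]), int(m["err"])))
        elif (m := VENDOR.search(line)):
            cur.update(vendor=m["vendor"], serial=m["serial"])
        elif (m := SENSE.search(line)):
            cur["sense"] = m["key"]
        elif (m := ASC.search(line)):
            cur.update(asc=int(m["asc"], 16), ascq=int(m["ascq"], 16), asc_text=m["text"])
    return events


def classify(event):
    """media-fault: scan or replace the disk. lun-inventory-changed: the array
    or multipath layer reconfigured, rescan with cfgadm/mpathadm rather than
    blame the disk. unit-attention: another reset/notice. other: read the ASC."""
    if event["sense"] in MEDIA_KEYS:
        return "media-fault"
    if event["sense"] == "Unit Attention" and event["asc"] == ASC_LUNS_CHANGED:
        return "lun-inventory-changed"
    if event["sense"] == "Unit Attention":
        return "unit-attention"
    return "other"


def summarize(text):
    """Map device -> (classification, error blocks) for a chunk of log text."""
    return {e["dev"]: (classify(e), [err for _, err in e["blocks"]])
            for e in parse_scsi_events(text)}


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for dev, (kind, blocks) in summarize(text).items():
        print(dev, kind, blocks)
```

Run it as `grep 'kern\.\(warning\|notice\)' /var/adm/messages | python3 scsi_events.py`; the classification decides whether the next step is format/analyze on a disk or the cfgadm and mpathadm checks that follow below.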

Once we have ascertained that the error exists and persists, we proceed to check the disk connection/configuration status.

The cfgadm command provides configuration administration operations on dynamically reconfigurable hardware resources. These operations include displaying status (-l), initiating testing (-t), invoking configuration state changes (-c), invoking hardware-specific functions (-x) and obtaining configuration administration help messages (-h). Configuration administration is performed at attachment points, which are the places where the system software supports dynamic reconfiguration of hardware resources while the OS keeps running.

sarge:~ # cfgadm
Ap_Id Type Receptacle Occupant Condition
c0 scsi-bus connected configured unknown
c1 scsi-bus connected configured unknown

The mpathadm command enables multipathing discovery and management. It is implemented as a set of subcommands, many with their own options; options not tied to a particular subcommand are described under OPTIONS in the man page. The subcommands operate on a direct object, and the direct objects initiator-port, target-port and logical-unit follow the SCSI standard definitions.

To list available multipathing support:

sarge:~ # mpathadm list mpath-support
mpath-support: libmpscsi_vhci.so

To view the properties of the supported multipathing facility:

sarge:~ # mpathadm show mpath-support libmpscsi_vhci.so

And to list the initiator ports:

sarge:~ # mpathadm list initiator-port

To take a single path out of service, or bring it back, name the initiator port (-i), the target port (-t) and the logical unit (-l); enable path takes the same arguments:
sarge:~ # mpathadm disable path -i 2000000173018713 -t 20030003ba27d095 \
-l /dev/rdsk/c4t60003BA27D2120004204AC2B000DAB00d0s2

Support for many third-party devices is not contained in the default version of the configuration file /kernel/drv/scsi_vhci.conf; to bring, for example, EMC Symmetrix arrays under the multipathing software, their vendor and product identification strings have to be added to it. Inspect the current file with:
sarge:~ # less /kernel/drv/scsi_vhci.conf

The problem is that if 'Channel A' or 'B' is disabled, then we lose all contact with the disk. What we want is failover, such that if 'A' fails then all traffic is routed through 'Channel B' (and vice versa, fibre-channel stuff).

When the disk becomes available again (after modunload/modload), we can see it in the log files.

The problem 'resolved' itself when three things occurred!

These were:

1) The '/kernel/drv/fp.conf' file had 2 entries in it for fibre-channel - as if there was a dual-port card present. In our case we only had the one port, so I commented out one of the entries.

2) The 'mpathadm show lu ...' command showed the 'Current Load Balance' as round-robin. This was changed to 'none'.

3) It seems that Sun recently released a patch fixing some problems with Qlogic cards. I tend to run 'pca' to patch my systems, and wasn't really paying too much attention to it I'm afraid! I think the patch was 113042.

Rebooting and reconfiguring the system, the FC card then seemed to work correctly when one of the channels was disabled. As far as we can tell running Solaris 10 with 2 FC cards should work pretty much out of the box with respect to failover.

Performance Problem - Memory and High CPU utilization - UNIX and Linux Basic

One of the most common problems encountered by Unix/Linux system administrators is high memory/CPU utilization, and the first step for every admin is to check with vmstat whether the system is paging or swapping:

bash# vmstat [options] (or top/mpstat on Linux systems)

The options can be: -p to report paging activity in detail, -S to report swapping rather than paging activity, or numeric arguments like vmstat 5 2 (a summary line of the system every 5 seconds, here two of them). Remember that the first line of output is the average since boot, not a current sample, so a count of 1 tells you nothing about the present.

We also have to check whether there are any live telnet sessions (ttyp devices are the pseudo-terminals of remote logins). The way to discover this:

bash# ps -leaf | grep ttyp
and compare the output to 'who | grep ttyp' to see whether there are unaccounted sessions: processes on a pseudo-terminal with no matching login record are either leftovers of a dead session or, more worryingly, a session whose utmp entry somebody removed.

% /usr/ucb/ps aux
USER PID %CPU %MEM SZ RSS TT S START TIME COMMAND
root 16755 0.1 1.0 1448 1208 pts/0 O 17:33:35 0:00 /usr/ucb/ps uax
root 3 0.1 0.0 0 0 ? S May 24 6:19 fsflush
root 1 0.1 0.6 2232 680 ? S May 24 3:10 /etc/init -

###prstat###---See man page for further details---

The prstat utility iteratively examines all active processes on the system and reports statistics based on the selected output mode and sort order. prstat provides options to examine only processes matching specified PIDs, UIDs, zone IDs, CPU IDs, and processor set IDs.

root:~ # prstat -t (totals per user) or prstat -a (processes plus per-user totals). Note that adding up the RSS column over-estimates memory usage, because shared library pages are counted once in every process that maps them.

The vmstat (Virtual Memory Statistics) is a system monitoring tool that collects and displays summary information about OS memory, processes, interrupts, paging and block I/O. Users of vmstat can specify a sampling interval which permits observing system activity in near-real time.

###vmstat###---See man page for further details---

root:~ # vmstat 5 5
kthr memory page disk faults cpu
r b w swap free re mf pi po fr de sr s1 sd sd sd in sy cs us sy id
0 0 0 36548016 22532120 257 889 590 5 5 0 0 0 6 0 3 7464 5758 5109 5 1 94
0 0 0 33598232 17679640 1152 2039 349 0 0 0 0 0 22 0 7 30496 22545 14116 18 4 77
0 0 0 33652768 17658800 2108 4781 164 2 2 0 0 0 3 0 5 37047 23362 17242 21 5 74
0 0 0 33604288 17606696 989 2411 211 2 2 0 0 0 10 0 0 29848 16244 11399 17 4 79
0 0 0 33602216 17595896 102 1073 8 0 0 0 0 0 4 3 3 30349 15371 12069 16 4 80
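Interpreting those columns by hand is where most mistakes happen: the first row is the since-boot average, the faults 'sy' (system calls per second) sits next to the cpu 'sy' (percent system time), and the disk columns repeat their name. The following added example, written for this page and not part of the original post, parses the vmstat 5 5 output above into named rows and applies the usual Solaris rules of thumb (a non-zero scan rate means the page scanner is hunting for memory; w > 0 means whole LWPs were swapped out; low idle and a run queue deeper than the CPU count mean the CPUs are the bottleneck). PRESSURED_VMSTAT and the ncpu value are constructed for illustration.

```python
"""Parse Solaris `vmstat interval count` output and apply the usual rules of
thumb for memory pressure and CPU saturation."""
import sys

SCAN_RATE_LIMIT = 0     # sr > 0 sustained: the page scanner is running, memory is short
IDLE_FLOOR = 20         # average %idle below this: the CPUs are saturated

# The five rows printed above by `vmstat 5 5`
SAMPLE_VMSTAT = """\
 kthr      memory            page            disk          faults      cpu
 r b w   swap  free  re  mf pi po fr de sr s1 sd sd sd   in   sy   cs us sy id
 0 0 0 36548016 22532120 257 889 590 5 5 0 0 0 6 0 3 7464 5758 5109 5 1 94
 0 0 0 33598232 17679640 1152 2039 349 0 0 0 0 0 22 0 7 30496 22545 14116 18 4 77
 0 0 0 33652768 17658800 2108 4781 164 2 2 0 0 0 3 0 5 37047 23362 17242 21 5 74
 0 0 0 33604288 17606696 989 2411 211 2 2 0 0 0 10 0 0 29848 16244 11399 17 4 79
 0 0 0 33602216 17595896 102 1073 8 0 0 0 0 0 4 3 3 30349 15371 12069 16 4 80
"""

# Constructed: what a box short of memory and CPU looks like (same columns)
PRESSURED_VMSTAT = """\
 r b w   swap  free  re  mf pi po fr de sr s1 sd sd sd   in   sy   cs us sy id
 0 0 0 36548016 22532120 257 889 590 5 5 0 0 0 6 0 3 7464 5758 5109 5 1 94
 9 2 1 1204000 12000 40 2000 900 700 800 0 1200 0 60 0 40 40000 30000 20000 40 55 5
 8 3 2 1100000 9000 35 2100 950 760 900 0 1400 0 70 0 50 42000 31000 21000 38 58 4
"""


def parse_vmstat(text):
    """Return the sample rows as dicts keyed by column name.

    Duplicate column names get a numeric suffix (sd, sd2, sd3) and the last
    three columns are renamed cpu_us/cpu_sy/cpu_id so that the faults 'sy'
    (syscalls/s) is not confused with the cpu 'sy' (%system). The first data
    row is the average since boot, not a sample, and is dropped."""
    lines = [l for l in text.splitlines() if l.strip()]
    hdr = next(i for i, l in enumerate(lines) if l.split()[:3] == ["r", "b", "w"])
    raw = lines[hdr].split()
    names, seen = [], {}
    for i, name in enumerate(raw):
        if i >= len(raw) - 3:
            name = "cpu_" + name
        seen[name] = seen.get(name, 0) + 1
        names.append(name if seen[name] == 1 else "%s%d" % (name, seen[name]))
    rows = []
    for line in lines[hdr + 1:]:
        vals = line.split()
        if len(vals) == len(names) and all(v.isdigit() for v in vals):
            rows.append(dict(zip(names, map(int, vals))))
    return rows[1:]


def diagnose(rows, ncpu=1):
    """List the findings the numbers support; an empty list means 'look elsewhere'."""
    if not rows:
        return ["no samples: run vmstat with a count of at least 2 and ignore the first row"]
    avg = lambda key: sum(r[key] for r in rows) / len(rows)
    findings = []
    if avg("sr") > SCAN_RATE_LIMIT:
        findings.append("memory: page scanner active, sr=%.0f/s; find the consumer with prstat -s rss"
                        % avg("sr"))
    if max(r["w"] for r in rows) > 0:
        findings.append("memory: swapped-out LWPs present (w>0), severe shortage")
    if avg("cpu_id") < IDLE_FLOOR:
        findings.append("cpu: only %.0f%% idle (%.0f%% user, %.0f%% sys)"
                        % (avg("cpu_id"), avg("cpu_us"), avg("cpu_sy")))
    if avg("r") > ncpu:
        findings.append("cpu: run queue %.1f deeper than the %d cpu(s)" % (avg("r"), ncpu))
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_VMSTAT
    for line in diagnose(parse_vmstat(text), ncpu=4) or ["no memory or cpu pressure in these samples"]:
        print(line)
```

Pipe live output in with `vmstat 5 12 | python3 vmstat_check.py`; the sample above comes out clean, which matches the picture of a lightly loaded machine (sr stays at 0, idle around 77%), so a complaint about slowness there should send you to the disk and network counters, not to memory.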

###sar###--See man page for further details---
The sar command writes to standard output the contents of selected cumulative activity counters in the operating system; it can also extract and write to standard output records previously saved in a file by the system activity data collector.

In general, the syntax for invoking sar is sar -flags interval number. This causes a specific number of data points to be gathered every interval seconds. When looking at memory statistics, the most important flags are -g, -p, and -r. Here's an example of the output generated:

root:~ # sar -gpr 5 5

SunOS 5.10 Generic_118833-33 sun4u 03/02/2011

12:07:52   pgout/s ppgout/s pgfree/s pgscan/s %ufs_ipf
            atch/s   pgin/s  ppgin/s   pflt/s   vflt/s  slock/s
           freemem freeswap
Average       0.00     0.00     0.00     0.00     0.00
Average      95.26     0.08     0.16   402.15   778.84     0.40
Average    2326386 69272492

Flag  Field      Meaning
-g    pgout/s    Page-out requests per second
      ppgout/s   Pages paged out per second
      pgfree/s   Pages placed on the free list per second by the page scanner
      pgscan/s   Pages scanned per second by the page scanner
      %ufs_ipf   The percentage of UFS inodes taken off the free list by iget that still had reusable pages associated with them; those pages are flushed and cannot be reclaimed
-p    atch/s     Page faults per second that are satisfied by reclaiming a page from the free list (sometimes called an attach)
      pgin/s     Page-in requests per second
      ppgin/s    Pages paged in per second
      pflt/s     Page faults per second caused by protection errors (illegal access to a page, copy-on-write faults)
      vflt/s     Address translation (validity) page faults per second, i.e. the page was not in memory
      slock/s    Faults per second caused by software lock requests requiring physical I/O
-r    freemem    The average number of free memory pages
      freeswap   The number of disk blocks available in paging space

###memstat###---See man page for further details---

The memstat command identifies what is using up virtual memory: it breaks the paging activity down into executable, anonymous and filesystem pages, which helps to see how shared memory is used and whether 'old' libraries are still being paged in.

# memstat 5 2
memory ---------- paging----------executable- -anonymous---filesys -- --- cpu --
free re mf pi po fr de sr epi epo epf api apo apf fpi fpo fpf us sy wt id
49584 0 1 5 0 0 0 0 0 0 0 0 0 0 5 0 0 1 1 1 98
56944 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 100

On Linux systems, top and /proc/PID/status (e.g. cat /proc/12329/status, which lists the process state, VmRSS and VmSwap) give the same kind of information.

Friday, March 11, 2011

VDI Minimal Basic Steps for Managing Virtual Desktops - (Vmware-Virtualbox-MS Hyper-V)


With Sun Virtual Desktop Infrastructure software we can deploy a number of virtual desktop operating systems and access them from a variety of client devices.

Administering Virtual Desktops by Using the vda Tools
When we talk about the cloning process we assume that a virtual machine has already been imported as a template before cloning. Cloning is the fastest and most efficient way to populate a pool.

Before starting we need to put some definitions:
user = Users and groups from the user directory
group = Local groups of users that are not in the user directory
directory = Active Directory or LDAP information is stored
token = Smart cards identifiers for users in a Sun Ray environment
pool = Collection of desktops
desktop = Desktops managed by Sun VDI
provider = Desktop providers that encapsulate the details of the underlying virtualization technology
job = Action executed in the background
settings = Global settings that apply to the Sun VDI system

And some general actions that:
list = Lists all the objects
show = Shows the detailed properties/status of an object
setprops = Sets the properties of an object
getprops = Gets the properties of an object
add = Adds an object
create = Creates an object
remove = Removes an object
delete = Deletes an object

And some example of sub-commands:
user-show = Shows the desktops available for a user
group-create = Creates a new local group with the specified properties
token-setprops = Edits the properties of the token
pool-list = Lists all pools
desktop-delete = Deletes the desktops
provider-disable-host = Disables the hosts for the VirtualBox desktop provider. Disabled hosts are not used for automated cloning.


Creating Desktop Providers and Pools

Creating a VMware vCenter desktop provider:
sarge@David:~$ vda provider-vc-create -p name="VC provider",host=wwwhost,username=Admin

Creating a VirtualBox desktop provider with 2 hosts and 1 storage (the provider is created first, then hosts and storage are added to it):
sarge@David:~$ vda provider-vb-create -p name="VB provider"

sarge@David:~$ vda provider-add-host -p host=1st.vb.com,port=443,username=root "VB provider"
sarge@David:~$ vda provider-add-host -p host=2nd.vb.com,port=443,username=root "VB provider"
sarge@David:~$ vda provider-add-storage -p host=zfs.com,username=root,zfspool=vda_zfspool "VB provider"

Creating a pool for storing VirtualBox templates:
sarge@David:~$ vda pool-create -p name="Templates",provider="VB provider",assignment-type=personal

sarge@David:~$ vda pool-vb-import -p vdi-image=template.vdi,xml-configuration=golden-master.xml Templates

Creating a pool for cloning 30 desktops from VMware vCenter. First list the templates from the vCenter and select one of them:
sarge@David:~$ vda provider-list-templates "VC provider"
NAME         ID      PATH
XP-Template  vm-134  [Datacenters, ADatacenter, vm]
XPClone      vm-629  [Datacenters, ADatacenter, vm]

sarge@David:~$ vda pool-create -p name="VC pool",provider="VC provider",template=vm-134,preferred-size=30,free-size=5,max-size=35,power-state=on,assignment-type=flexible,recycle-policy=reuse,idle-timeout=2

sarge@David:~$vda pool-start "VC pool"

Configuring the user directory. This configures an LDAP directory using simple authentication, the default port 389, a fallback LDAP server and no restriction on the base DN (the whole property list is single-quoted because the ';' between the hosts would otherwise be taken by the shell as a command separator):
sarge@David:~$ vda directory-add -p 'auth-type=simple,hosts=my.ldap.com;secondary.ldap.com,username="cn=Admin,ou=people,dc=my,dc=company,dc=com"'

Configuring an Active Directory using Kerberos authentication:
sarge@David:~$ vda directory-add -p auth-type=kerberos,addomain=my.company.com,username=Admin

Assigning pools and desktops to users: we assign the user "Stefan Uygur" to the pool "VC pool". Once this is done, Stefan Uygur is dynamically assigned a desktop from VC pool each time he logs in:

sarge@David:~$ vda user-assign -p "VC pool" "cn=Stefan Uygur,ou=people"

List the desktops in the pool "Static pool" and permanently assign one of them to the user "Stefan Uygur". Each time Stefan Uygur logs in, he will get the same desktop:

sarge@David:~$ vda pool-desktops "Static pool"
NAME       ID  MACHINE STATE  STATUS     DN
WinXP0001  11  Running        Used       cn=Stefan Uygur,ou=people
WinXP0002  12  Powered Off    Available  -

sarge@David:~$ vda user-assign -d 11 stefanuygur

Listing the desktops and pools assigned to a user:
sarge@David:~$ vda user-show stefanuygur


VDA Sub-Commands:

sarge@David:~$ vda --help (or vda -?)

Sun Virtual Desktop Infrastructure Administration
Usage: vda
-?, --help: Print this help list
-V, --version: Display the version

User Subcommands:
user-search: Search for users/groups in the user directory that match the specified search criteria
user-show: Show the desktops available for the user
user-desktops: Show the desktops assigned to the user
user-assign: Assign users to pools or desktops
user-unassign: Unassign users from pools or desktops. If no pool or desktop is specified, all
assignments are removed from the users
user-defaultdesktop: Make the desktop the default desktop for the user
user-personaldesktop: Make the desktop a personal desktop for the user

Custom Groups Subcommands:
group-list: List all custom groups
group-create: Create a new local group with the specified properties
group-delete: Delete the custom group
group-getprops: List the properties of the custom group
group-setprops: Edit the properties of the custom group
group-show: Show the pools assigned to the custom group
group-assign: Assign custom groups to pools
group-unassign: Unassign custom groups from pools. If no pool is specified, all assignments are
removed from the custom groups

Token Subcommands:
token-search: Search for tokens that match the search criteria
token-create: Create a new token (smart card id)
token-remove: Remove the specified tokens from the system
token-getprops: List the properties of the token
token-setprops: Edit the properties of the token
token-unsetprops: Remove the properties of the token
token-show: Show the desktops available for the token
token-desktops: Show the desktops assigned to the token
token-assign: Assign tokens to pools or desktops
token-unassign: Unassign tokens from pools or desktops. If no pool or desktop is specified, all
assignments are removed from the tokens

Pool Subcommands:
pool-list: List all pools
pool-create: Create a new pool with the specified properties
pool-delete: Delete the pools and their desktops
pool-getprops: List the properties of the pool
pool-setprops: Edit the properties of the pool
pool-resetprops: Reset the properties of the pool to their default value
pool-unsetprops: Unset the properties of the pool
pool-show: Show detailed information about the pool
pool-desktops: List all desktops from the pool
pool-templates: List all templates from the pool
pool-vb-import: Import VirtualBox desktops into the pool
pool-vb-import-unmanaged: Import unmanaged VirtualBox desktops into the pool
pool-vc-import: Import VMware vCenter desktops into the pool
pool-hv-import: Import Microsoft Hyper-V desktops into the pool
pool-start: Start automatic cloning of desktops for the pools
pool-stop: Stop automatic cloning of desktops for the pools
pool-enable: Enable users to connect to flexible desktops from the pools
pool-disable: Disable users from connecting to flexible desktops from the pools
pool-create-sysprep: Create a Sysprep file for the pool. Valid only for VirtualBox pools

Desktop Subcommands:
desktop-delete: Delete the desktops
desktop-show: Show detailed properties of the desktop
desktop-getprops: List the properties of the desktop
desktop-setprops: Edit the properties of the desktop
desktop-template: Convert the desktops to templates. Valid for VirtualBox and Hyper-V desktops
desktop-duplicate: Duplicate the desktop. Valid for VirtualBox and Hyper-V desktops only
desktop-start: Start the desktops
desktop-stop: Shutdown the desktops allowing the OS to save all information first
desktop-restart: Restart the desktops
desktop-suspend: Suspend the desktops
desktop-logoff: Logoff user sessions. Valid for Microsoft Remote Desktop Services desktops only
desktop-disconnect: Disconnects user sessions. Valid for Microsoft RDS desktops only
desktop-mount-iso: Mount an ISO image on the virtual machine.
desktop-unmount-iso: Unmount an ISO image from the virtual machine.
desktop-activate: Activates a defective desktop.
desktop-export: Exports a desktop.

Template Subcommands:
template-show: Show detailed properties of the template
template-revisions: List all revisions from the template
template-start: Start the templates
template-suspend: Suspend the templates
template-stop: Shutdown the templates allowing the OS to save all information first
template-restart: Restart the templates
template-delete: Delete the template with all its revisions
template-desktop: Copy the template to a new desktop
template-revert: Revert the template to the most recent revision.
template-export: Exports a template to disk
template-create: Copy the revision to a new template.
template-getprops: List the properties of the template
template-setprops: Edit the properties of the template
template-mount-iso: Mount an ISO image on the virtual machine.
template-unmount-iso: Unmount an ISO image from the virtual machine.

Revision Subcommands:
revision-show: Show detailed properties of the revision
revision-create: Create a new revision of a template.
revision-delete: Delete the revision
revision-getprops: List the properties of the revision
revision-setprops: Edit the properties of the revision
revision-clone: Create a cloned desktop from a revision in the revision's pool.
revision-desktop: Copy the revision to a new desktop
revision-sysprep: Execute System Preparation for a revision.
revision-export: Exports a revision to disk

Desktop Provider Subcommands:
provider-list: List all desktop providers
provider-vb-create: Create a new VirtualBox desktop provider
provider-vc-create: Create a new VMware vCenter desktop provider
provider-hv-create: Create a new Microsoft Hyper-V desktop provider
provider-ts-create: Create a new Microsoft Remote Desktop desktop provider
provider-delete: Delete the desktop providers
provider-vb-getprops: List the properties of the VirtualBox desktop provider
provider-vb-setprops: Edit the properties of the VirtualBox desktop provider
provider-hv-getprops: List the properties of the Microsoft Hyper-V desktop provider
provider-hv-setprops: Edit the properties of the Microsoft Hyper-V desktop provider
provider-ts-getprops: List the properties of the Microsoft Remote Desktop desktop provider
provider-ts-setprops: Edit the properties of the Microsoft Remote Desktop desktop provider
provider-vc-getprops: List the properties of the VMware vCenter desktop provider
provider-vc-setprops: Edit the properties of the VMware vCenter desktop provider
provider-show: Show detailed information about the desktop provider
provider-list-hosts: List all hosts for the VirtualBox, Microsoft Hyper-V or Microsoft Remote
Desktop desktop provider
provider-add-host: Add a host to the VirtualBox, Microsoft Hyper-V or Microsoft Remote
Desktop desktop provider
provider-remove-host: Remove the hosts from the VirtualBox, Microsoft Hyper-V or Microsoft
Remote Desktop provider
provider-enable-host: Enable the hosts for the VirtualBox or Hyper-V desktop provider. Enabled
hosts are used for automated cloning
provider-disable-host: Disable the hosts for the VirtualBox or Hyper-V desktop provider. Disabled
hosts are not used for automated cloning
provider-migrate-host: Migrates desktops off the specified host. Valid only for the VirtualBox
provider-host-getprops: Lists the properties of the specified Host of a Desktop Provider. Valid for
VirtualBox and Hyper-V
provider-host-setprops: Update the properties of the specified Host of a Desktop Provider. Valid for
VirtualBox and Hyper-V
provider-list-storage: List all storages for the desktop provider
provider-add-storage: Add a storage to a VirtualBox or Hyper-V desktop provider
provider-remove-storage: Remove the storage from a VirtualBox or Hyper-V desktop provider
provider-enable-storage: Enables the specified storage. Valid only for a VirtualBox or Hyper-V
desktop provider
provider-disable-storage: Disables the specified storage. Valid only for a VirtualBox or Hyper-V
desktop provider
provider-suspend-storage: Suspends the specified storage. Valid only for a VirtualBox or Hyper-V
desktop provider
provider-replace-storage: Replace a storage. Valid only for a VirtualBox or Hyper-V desktop
provider
provider-storage-getprops: Lists the properties of the specified storage of a Desktop Provider. Valid
for VirtualBox and Hyper-V
provider-storage-setprops: Update the properties of the specified Storage of a Desktop Provider.
Valid for VirtualBox and Hyper-V
provider-list-templates: List the templates for the desktop provider
provider-list-unmanaged: List the desktops from the VMware vCenter that are not managed by any
desktop provider
provider-list-networks: List all networks for the desktop provider
provider-rename-network: Renames a network for the desktop provider

User Directory Subcommands:
directory-add: Add the user directory configuration to the system
directory-remove: Remove the user directory configuration from the system
directory-getprops: List the properties of the user directory
directory-setprops: Edit the properties of the user directory
directory-show: Show the configuration details for the user directory

Global Settings Subcommands:
settings-getprops: List global settings
settings-setprops: Edit global settings
settings-resetprops: Reset global settings to their default value

Job Subcommands:
job-list: List the existing jobs
job-show: Show the job details
job-cancel: Cancels the specified running jobs
job-wait: Wait until the job ends

Each subcommand has its specific options and arguments. Specify --help after the subcommand name to display its usage.

Sun Virtual Desktop Infrastructure Administration webadmin command:
vda-webadmin start (start the service)
vda-webadmin stop (stop the service)
vda-webadmin restart (restart service)
vda-webadmin status (query and print the service status)
vda-webadmin enable (enable the service to start at system boot)
vda-webadmin disable (disable service to start at system boot)
vda-webadmin -h (print a usage message)

Sun Virtual Desktop Infrastructure Administration vda-db-status:
vda-db-status -i -x -s -h (current db, no header, short db, usage)

Sun Virtual Desktop Infrastructure Administration vda-service:
vda-service start
vda-service stop
vda-service restart
vda-service status
vda-service -h

Sun Virtual Desktop Infrastructure vda-client
vda-client [-i] [-p port] [-m [-t token] [-u user] [-P pool] [-D desktop]


Some Examples of Commands:
Start automatic cloning in a pool, 000=pool number:
sarge@David:~$ vda pool-start POOL000

Assign a new token to a user:
sarge@David:~$ vda token-create -p token-id=TokenID, user=UserID

Assigning an existing token to user “sarge”:
sarge@David:~$ vda token-setprops -p t user=sarge

Assigning token to existing desktops listed:
sarge@David:~$ vda token-assign --desktop=DesktopID TokenID

sarge@David:~$ vda pool-desktops "Ondemand - Oracle" (here we get the desktop ID, for example 33)
sarge@David:~$ vda token-assign --desktop=33 TokenID

Assigning an existing token to to a pool:
sarge@David:~$ vda token-assign --pool="Ondemand - Oracle" TokenID

UNIX/Linux Minimal Basic Steps for Each Sysadmin

Login/Logout:

We get started with Unix/Linux by connecting to the system and logging in and out of it with a set of credentials. In Unix/Linux there are different types of accounts. Some are more powerful than others, allowing you to do more or less depending on the rights and privileges assigned to them.

The root account and generic user accounts are the most common accounts seen on
Unix/Linux systems. Root is the administrator's user account. It has the most privileges available to the system and can do the most harm as well.

Unix is a multi-user platform. This allows multiple users to log in to the system simultaneously, set up their own environments, and so on. Because Unix/Linux lets several users access the system at the same time, you can be working on a large calculation in a spreadsheet while another user on the system is running a calculation of a different kind. Hundreds of different users can each have many processes running simultaneously on a single computer.

Text-based login takes us right to where we want to go: to the command line or shell prompt. Most text-based Unix/Linux login prompts look like this:

login:

password:

When we see the login: prompt, we type our username and press return. The password: prompt appears immediately afterwards. Once we have typed both username and password correctly, we reach what is called a shell prompt. A successful login on a Unix/Linux system looks something like the following:

David login: sarge

Password:

Linux David 2.6.37-1-686 #1 SMP Tue Feb 15 18:21:50 UTC 2011 i686

The programs included with the Debian GNU/Linux system are free software;

the exact distribution terms for each program are described in the

individual files in
/usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.

You have new mail.

sarge@David:~$

When working within the shell prompt, all you need to do to log out is type "logout."
The command would be seen as

unix-sarge@David:~$logout

Change your password by using passwd command

The passwd command changes passwords for user accounts. A normal user may only change the password for his/her own account, while the superuser may change the password for any account. Passwd also changes the account or associated password validity period.

To change your password run:

unix-sarge@David:~$passwd

Changing password for sarge.

(current) UNIX password:

(new) UNIX password:

(retype new) UNIX password:

Password successfully changed

Getting info about user by using finger/chfn/date commands:

The finger command shows information about users local to our system; the syntax is finger username. For users on another machine the syntax is finger username@remotehost, which only works if that host runs a finger daemon; hardening guides disable fingerd precisely because it hands account details (real name, login times, mail status) to anyone who asks.

The chfn command allows us to change a user's real name and related information (the GECOS field in /etc/passwd). It runs an interactive process that lets us put more personal information into the account:

unix-root@David:/home/sarge#chfn sarge

Changing the user information for sarge

Enter the new value, or press ENTER for the default

Full Name [sarge]:

The date command prints or sets the system date and time. Running date without options or parameters simply prints:

root@David:/home/sarge#date

Sun Feb 27 16:09:13 GMT 2011

Knowing system up time and logged users by using uptime/who commands:

The uptime command gives a one line display of the: current time, how long the system has been running, how many users are currently logged on, and the system load averages for the past 1, 5, and 15 minutes:

unix-root@David:/home/sarge#uptime

16:12:11 up 3:03, 2 users, load average: 0.00, 0.11, 0.14

Following on from this, we can run the who command to see who is logged on:

unix-root@David:/home/sarge#who

sarge tty7 2011-02-27 13:10 (:0)

sarge pts/0 2011-02-27 13:21 (:0.0)

From the output we can see there is only one user, logged on in two different sessions (a graphical one on tty7 and a terminal on pts/0).

Creating aliases of commands by using alias command:

The alias command is highly useful to a system administrator and can really cut the time spent on routine jobs (for complex job automation a bash script is the better way). An alias is a shell shortcut: a short name that the shell expands into a longer command line every time it is typed. If we have a command with a long set of options that we run periodically, it is very useful to create an alias for it.

For example, if we want to reboot our system at 23:15 and would like to leave a short message telling the other administrators the reason for the reboot (periodic backup, OS patch applied, etc.):

unix-root@David:/home/sarge# shutdown -r 23:15 "I need to reboot the machine because the OS patch applied successfully right now"

And if this has to be run irregularly, at my discretion, it is better to create an alias and run it whenever needed:

unix-root@David:/home/sarge# alias patchosreboot='shutdown -r 23:15 "I need to reboot the machine because the OS patch applied successfully right now"'

Or if I want to call the normal shutdown command "spegniti" (a friendly way of saying shutdown in my language, Italian):

unix-root@David:/home/sarge#alias spegniti='shutdown -h now'

From now on, if I run spegniti my PC will shut down. Note the direction: the new name goes on the left of the equals sign and the command it stands for on the right. An alias is only known to the shell in which it was defined; put it in ~/.bashrc to have it in every interactive shell.

Setting environment variables and the PATH (setenv/export):

The setenv command is the csh/tcsh way to change or add an environment variable; in bash, the default shell on CentOS and Debian, the equivalent is export VARIABLE=value. Environment variables are used by programs to pick up specific pieces of information that are needed when the program is run. To set an environment variable:

unix-root@David:/home/sarge#setenv variablename value      (csh/tcsh)
unix-root@David:/home/sarge#export variablename=value      (bash)

The PATH tells the shell where to look for the programs we want to execute. Sometimes running a command in the terminal gives "command not found"; if we are sure the command exists and there is no typo, the directory that holds it is missing from our PATH. To append /usr/local/bin, the csh form is:

unix-root@David:/home/sarge#set path=($path /usr/local/bin)

and in bash:

unix-root@David:/home/sarge#export PATH="$PATH:/usr/local/bin"

Do not add the current directory (.) or an empty entry to the PATH. Whenever we cd into a directory that someone else can write to, such as /tmp, a file there named ls or vi would run with our privileges the moment we type the command; for root this is a classic way of handing over the machine.
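As an added example that is not part of the original post (and written for sh/bash rather than csh), here is a small audit of a PATH value: it reports empty entries, ".", relative entries, missing directories and world-writable directories, and produces a cleaned copy. The function names are mine, and it assumes GNU find for the -maxdepth test.

```shell
# Added example, not from the original page: audit a PATH value for entries
# an attacker could abuse, and build a cleaned copy. Assumes GNU find
# (for -maxdepth), as shipped on CentOS and Debian. Function names are mine.

# Return 0 if "$1" is a directory that is world-writable and not sticky.
is_world_writable_dir() {
    [ -n "$(find -L "$1" -maxdepth 0 -type d -perm -0002 ! -perm -1000 -print 2>/dev/null)" ]
}

# Print one finding per line for the PATH string in "$1";
# return 1 if anything was found, 0 if the PATH is clean.
audit_path() {
    local path_value="$1" entry found=0 old_ifs
    # An empty entry (leading ':', trailing ':' or '::') is searched as the
    # current directory, exactly like '.'.
    case "$path_value" in
        :*|*:|*::*) echo "empty entry (searched as current directory)"; found=1 ;;
    esac
    old_ifs=$IFS; IFS=:
    for entry in $path_value; do
        case "$entry" in
            "") ;;                                  # reported above
            .)  echo "'.' in PATH"; found=1 ;;
            /*)
                if [ ! -d "$entry" ]; then
                    echo "$entry: missing (whoever can create it owns your commands)"
                    found=1
                elif is_world_writable_dir "$entry"; then
                    echo "$entry: world-writable"
                    found=1
                fi ;;
            *)  echo "$entry: relative entry"; found=1 ;;
        esac
    done
    IFS=$old_ifs
    return "$found"
}

# Print the PATH string in "$1" with unsafe, missing and duplicate entries removed.
clean_path() {
    local path_value="$1" entry result="" old_ifs
    old_ifs=$IFS; IFS=:
    for entry in $path_value; do
        case "$entry" in
            /*) [ -d "$entry" ] || continue
                is_world_writable_dir "$entry" && continue
                case ":$result:" in *":$entry:"*) continue ;; esac   # duplicate
                result="${result:+$result:}$entry" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$result"
}

# Usage: audit the live PATH and, if needed, show what a cleaned one looks like.
audit_path "$PATH" || echo "PATH needs attention; suggested: $(clean_path "$PATH")"
```

Run it as each administrative user, root included: the dangerous entries usually arrive through a shared profile script rather than by hand.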

Searching whatever in system by using the find command:

The find command searches for files in a directory hierarchy. The basic form is find <starting directory> -name <filename> -print. For example, to find every .log file starting from the root directory:

unix-sarge@David:~$ find / -name '*.log' -print

The quotes matter: without them the shell expands *.log against the current directory before find ever sees the pattern.

In some cases we may not recall what a file is named or what its extension is, but we do know roughly when we last worked on it. Unix does not record a creation date; what find offers is -mtime, the time the contents were last modified, and -ctime, the time the inode was last changed (contents, owner or permissions). Both count in whole days ago, so we need to think in terms of "how many days": -ctime 5 means exactly five days ago, -ctime -5 less than five days ago, and -ctime +5 more than five days ago.

Use find with the -ctime option as find <starting directory> -ctime <days> -print. For example: unix-sarge@David:~$ find ~/ -ctime -5 -print, or finding a file by its size: find ~/ -size 1024k -print. The first command tells find to look in our home directory for files changed less than five days ago and print them; the second finds files whose size is exactly 1024 kilobytes (use -size +1024k for larger ones).
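As an added example that is not part of the original post, the following find invocations are the ones a sysadmin actually runs on a freshly installed host, wrapped in functions so their output can be checked: files by name, files changed in the last N days, set-UID/set-GID files, and world-writable files. Function names are mine; it assumes GNU find and GNU touch as found on CentOS.

```shell
# Added example, not from the original page: the find(1) searches a sysadmin
# actually runs on a hardened host, as functions whose output can be checked.
# Assumes GNU find and touch (CentOS, Debian). Function names are mine.

# Files under "$1" whose names match the glob in "$2" (quote it: '*.log').
named_files() {
    find "$1" -type f -name "$2" -print | sort
}

# Files modified in the last "$2" days. Note -mtime -N: without the minus
# sign, -mtime N means "exactly N days ago" and usually finds nothing useful.
recent_files() {
    find "$1" -type f -mtime -"$2" -print | sort
}

# Set-UID / set-GID files: review every one after an install, since each
# runs with privileges its caller does not have.
setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# World-writable files and directories, ignoring sticky directories
# such as /tmp, where the bit is intended.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 ! \( -type d -perm -1000 \) -print | sort
}

# Usage on a real system (run as root so permission errors do not hide results):
#   setuid_files /   2>/dev/null
#   world_writable / 2>/dev/null
#   recent_files /etc 1
```

Save the setuid_files output right after installation; diffing it against a later run is one of the cheapest tamper checks there is.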

The whereis command runs a quick search over a fixed set of standard directories (for binaries, source code and manual pages) for the name we give it. For example, searching for "test" returns every instance of that name found in those locations, such as the binary and its man page:

unix-sarge@David:~$whereis test

Analysis of file contents by using grep command:

Grep searches the named input files (or standard input if no files are named, or if a single hyphen-minus (-) is given as file name) for lines containing a match to the given PATTERN. By default, grep prints the matching lines.

One of the most commonly used Unix/Linux commands is grep. Learning how to use grep will help us find files that contain a word or pattern. When the grep command is used properly, it can help us search through a file for something specific.

We will soon understand that grep is one of the most powerful programs in Unix/Linux. It comes in three flavours: grep, egrep and fgrep (today written grep -E and grep -F). They differ in the regular expressions they handle: -E enables extended syntax (+, ?, |, {n,m} without backslashes) and -F treats the pattern as a fixed string. A regular expression is a pattern that can match various text strings; it defines a shape of text that can be used to search files when the exact word or phrase is not known.

unix-sarge@David:~$ grep "error" *.log

In this example, we see a quick grep of the word error in any log files. The grep
command is a tool that will become even more valuable when we learn more about regular expressions.

Working with files at the Shell Prompt

The command line is our primary interface to the Unix/Linux file system as well as our primary tool for manipulating data.

File content analysis and searching by using regular expressions:

Every Unix/Linux system administrator needs to know and use regular expressions to simplify their job. With metacharacters such as the any-character dot (.), the repetition star (*), character classes ([]) and the anchors (^ and $) we can search our system at a very granular level.

We are going to use one of the files on our system, clipdat2.rdf, as the data to search while learning how to use regular expressions:

unix-sarge@David:~$ grep "Sun..." clipdat2.rdf

Le support SMC.
Sun Microsystems.

SMC Support. Sun Microsystems.

In this example we are looking for every line of the file containing the word "Sun" followed by any three characters. Each period matches one arbitrary character, so the pattern still finds "Sun Microsystems" even though we typed none of the letters that follow "Sun". The same idea can be used in many ways, for instance:

sarge@David:~$ grep "S*.ms" clipdat2.rdf

Le support SMC.
Sun Microsystems.

SMC Support. Sun Microsystems.

(In "S*.ms" the star applies to the S, so the pattern means zero or more S, then any one character, then "ms"; the "ems" of "Systems" satisfies it.) We also know there are some telephone numbers in this file and would like to see only the lines with numbers. The output below shows a catch: in grep's basic regular expressions a leading + is an ordinary character and [0-9]* is satisfied by zero digits, so every line containing a + matches, including the RDF identifier on the first line. To require at least one digit after the plus use grep "+[0-9][0-9]*" or, with extended syntax, grep -E "\+[0-9]+":

sarge@David:~$ grep "+[0-9]*" clipdat2.rdf

<NS1:clipping
RDF:about="rdf:#$+K6qG2"

+33 (0)1.34.03.00.61
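As an added example that is not part of the original post, here is the difference between the original pattern and a tightened one, run over a few constructed lines that imitate clipdat2.rdf (the real file is not used). The SAMPLE text and the function names are mine.

```shell
# Added example, not from the original page: why grep "+[0-9]*" also printed
# the RDF line above, and a pattern that returns only telephone numbers.
# The sample text is constructed here; the real clipdat2.rdf is not needed.
SAMPLE='<NS1:clipping RDF:about="rdf:#$+K6qG2"
Le support SMC. Sun Microsystems.
Tel: +33 (0)1.34.03.00.61
Fax: +33-1-34-03-00-62
Code: A+B=C'

# The page's pattern as a basic regular expression: '+' is a literal
# character and '[0-9]*' is satisfied by zero digits, so the pattern
# matches every line that contains a '+'. Prints the number of such lines.
naive_line_count() {
    printf '%s\n' "$SAMPLE" | grep -c '+[0-9]*'
}

# Extended syntax (-E): '\+' is a literal plus, '[0-9]{1,3}' requires a
# country code of one to three digits, and the group allows further digit
# runs separated by spaces, dots, dashes or parentheses. -o prints only the
# matched text instead of the whole line. Reads the files given, or stdin.
phone_numbers() {
    grep -oE '\+[0-9]{1,3}([ .()-]*[0-9]+)+' "$@"
}

# Usage: printf '%s\n' "$SAMPLE" | phone_numbers
```

The same mistake appears in log-hunting one-liners: a pattern that can match the empty string matches every line, and the grep looks successful while returning nothing useful.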

Change/create/update file timestamps by using touch command:

The short definition of touch is that it changes file timestamps. It is also the easiest way to create a new, empty file. touch updates the last-modified time of a file, setting it to the current time. One area where it is routinely used is backup and disaster recovery. As a Unix/Linux system administrator you may be asked to do backup and restore jobs; among the several types of backup, an "incremental backup" copies only files modified since a reference time, and touching a marker file at the end of a successful run records exactly when that was.

unix-sarge@David:~$touch backupfile

After the above command, if the backup file previously existed its last-modified date is set to the current time. If it did not exist, it now exists as an empty file with a last-modification date of the current time. It's that easy.

As with using touch, rm is easy: As long as you can find and specify the filename,
you can remove it.

Determine which file or files you want to delete and issue the rm command as rm <filename>.

Create and remove directories by using mkdir and rmdir commands:

The mkdir command creates the named directory (or directories) if they do not already exist. Directories are used to organize data: anyone who has had one directory with hundreds of files in it knows that nothing can be found quickly without memorizing every file name on the system.

To create a directory issue mkdir <directoryname>; to remove an empty directory issue rmdir <directory>. rmdir refuses to remove a directory that still has contents (and has no -r option); to remove a directory together with its files and sub-directories use rm -r.

unix-sarge@David:~$mkdir test (creating the test directory)

unix-sarge@David:~$rm -r test (removing the test directory and its sub-directories/files)

Copying/renaming files by using cp and mv commands:

The cp command will allow us to copy a single file to a new destination file, or copy one or more files to a single destination directory.

Perform the cp command as cp <sourcefile> <destinationfile>.

unix-sarge@David:~$cp testfile /tmp/

The cp command has a recursive mode for copying directories: with the -r option it copies each source directory, together with the files inside it, into whatever destination directory you specify.

Perform the cp command as cp -r <sourcedirectory1> <sourcedirectory2> [...] <destinationdirectory>.

To move a file or directory we use the mv command, which moves or renames depending on the destination. Perform it as mv <sourcefile> <directory> or mv <oldname> <newname>.

unix-sarge@David:~$mv testfile /tmp/testfile

or, renaming it on the way:

unix-sarge@David:~$mv testfile /tmp/testfile.old

Creating symbolic link link by using ln command:

The ln command makes links between files: it builds links (aliases) to other files on our Unix/Linux system, so that one file can appear under a different name or in a different location in the output of ls. A symbolic link stores only the path to its target; if the target is removed the link is left dangling, and the permissions that count are those of the target, not of the link.

To create a symbolic link, issue the ln command as ln -s realfilename/dir alternatename/link

unix-sarge@David:~$ln -s /data/directory/accessible /everybody/public

Viewing file contents by using cat/less/more commands:

The cat command is useful for viewing a file's current contents. It concatenates files and prints them on standard output. For example, to view the hosts file:

unix-sarge@David:~$cat /etc/hosts

127.0.0.1 localhost

127.0.1.1 David

...............(the rest of the output removed)........................

cat is also often seen together with I/O redirection, which is a feature of the shell rather than of cat: with a couple of special characters, output or input is sent somewhere other than the default location. The standard characters are < for redirecting input and > for redirecting output.

For example, to save the output of ps in a file named "processes" because it is too long to read on the screen (the cat in the middle is not needed, ps aux > processes does the same, but it shows how the pieces fit together):

unix-sarge@David:~$ps aux | cat > processes

The less command is similar to cat and more. less is a pager like more, but it also allows backward movement in the file as well as forward movement; the syntax is nearly identical, and what makes it different is that we have far more control over paging through the file.

As you can see in the command executed above, there is also a pipe (|) symbol. The pipe connects the output of one command to the input of the next, which is what makes combining Unix/Linux commands so useful for system administrators.

Viewing the contents of files by using tail/head commands:

The tail command shows the end of a file and head the beginning. Both are powerful, quick and simple: by default each prints 10 lines, and the count is changed with -n (a bare number, as in tail 20 file, is taken as a file name). To see the last or the first 20 lines of the system log:

unix-root@David:/home/sarge#tail -n 20 /var/log/messages

unix-root@David:/home/sarge#head -n 20 /var/log/messages

On CentOS /var/log/messages is readable only by root, so an ordinary user gets "Permission denied" here. That is intended: logs leak user names, host names and details of failed logins.

Editing files with the vi editor:

When working at the shell prompt we need an editor for writing and editing files. There is a wide variety of editors for Unix/Linux, but here we use vi, a screen-oriented text editor (not a word processor: it edits plain text, which is what configuration files are). Personally I prefer vim (Vi IMproved) :-)

To use the vi editor, we only need to open it up using the vi command:

unix-sarge@David:~$vi testfile

This opens the vi editor on a new file called testfile. Now that we have a file open, a plethora of commands is available to edit it, and the same keys serve whether we are writing a new file or reading the help file of some application installed on our system. One thing to keep in mind is which mode the editor is in. vi has two modes: command mode and insert mode. In command mode we control things such as cursor position, deleting characters, and saving files; in insert mode we type text.

As we are working in shell environment, mastering the vi editor comes only from
mastering the keyboard shortcuts used to operate the vi editor. The most common manipulation keyboard shortcuts we will use are:


Command Mode

Key Combination     Description
l                   Move right
h                   Move left
j                   Move to the next line
k                   Move to the previous line
x                   Delete character
dd                  Delete entire line
A                   Append at the end of the line
i                   Enter insert mode
:w Return           Save file
:w filename Return  Save the file under a new name
:q Return           Exit vi
:q! Return          Exit vi without saving

Insert Mode

Key Combination     Description
Esc                 Return to command mode
Backspace/Delete    Backspaces or deletes, but only over text just inserted

Some other basic and helpful keys, which belong to the terminal and the shell rather than to vi: [Ctrl+d] tells a command that input is finished (end of file), [Ctrl+c] is the Unix/Linux break character that interrupts the running command, and [Ctrl+z] suspends the process we are currently running and returns us to a command prompt.

For more details and help about the vi editor (and any other command) use the man pages, apropos or whatis (for example, man vi gives all the help we need to use vi).

If you are using GUI like KDE, GNOME or others X-Window System, there are graphical editors like kate, kedit, gedit, etc.

Count word/line and byte of file content by using wc command:

The wc command (word count) prints the newline, word and byte counts for each file; a kind of counter. When we want to see how many words a file contains, we simply run the command followed by the file name with its absolute or relative path, and we are shown the number of lines, words and bytes in the file.

The wc command is an excellent way to provide current statistics on a file you may want to work with. For example, if we wanted to issue the tail command on a file we think may be very large, we can use the wc command on a file to quickly see how many lines are in it.

unix-root@David:/home/sarge#wc /var/log/syslog

8 89 718 /var/log/syslog

The command above returns a set of three values. The first value, 8, is the number of lines in the file; the second is the count of words, and the third the number of bytes (which equals the number of characters for plain ASCII files). We can limit the output to lines, words or bytes with the -l, -w or -c options respectively.

Splitting, patching and updating files by using split/diff/patch commands:

split literally splits a file into pieces. Once wc has told us how much data is in a file and how it is laid out, we can look at how to take a large file and break it down. The split command cuts a file into pieces of whatever length we specify. To use it we only need to know that a file is too large to work with or to send to someone; once that is determined, we run split to break it down.

So we choose the input file, decide how many lines we want in each output file, and finally choose a base name for the output files:

unix-root@David:/home/sarge# split -l 6 /var/log/syslog filerecorddata

Our 8-line syslog has been run through split with -l 6, so it is divided into two files: one of six lines and one holding the remaining two. split names the pieces with the base name plus a suffix, filerecorddataaa, filerecorddataab, ... (add -d for numeric suffixes 00, 01, ...). We can reassemble the file afterwards with cat; because the suffixes sort alphabetically, a shell glob hands them to cat in the right order:

unix-root@David:/home/sarge#cat filerecorddata* > syslog-original

The diff and patch commands do a related job for versions of a file rather than pieces of one. diff compares two files and writes out the differences; patch reads that output and applies the changes to the original, turning it into the updated version. Unified format (-u) is the one to use, since it carries context lines that let patch check it is changing the right place:

unix-root@David:/home/sarge#diff -u existingfile updatefile > changes.patch

unix-root@David:/home/sarge#patch existingfile changes.patch

Read a patch before applying it, and run patch with --dry-run first: a patch changes whatever its hunks say, not only what its sender described.
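An added example (not part of the original post) of the diff/patch round trip with the checks worth adding: a unified diff, a dry run before the target file is touched, and a comparison of the result with the intended version. Function names are mine; it assumes GNU diff and GNU patch as shipped on CentOS.

```shell
# Added example, not from the original page: the diff/patch round trip with
# the checks a careful admin adds: a unified diff, a dry run before the
# target is touched, and a comparison of the result with the intended
# version. Assumes GNU diff and GNU patch. Function names are mine.

# Write a unified diff turning "$1" into "$2" to "$3".
# diff exits 1 when the files differ, which is the normal case here;
# anything above 1 is a real error.
make_patch() {
    diff -u "$1" "$2" > "$3" || [ $? -le 1 ]
}

# Apply patch file "$2" to "$1" only if a dry run applies cleanly.
# --forward refuses a patch that already looks applied; --batch suppresses
# questions so the function is safe in scripts.
apply_patch_checked() {
    patch --dry-run --forward --batch --silent "$1" "$2" >/dev/null 2>&1 || return 1
    patch --forward --batch --silent "$1" "$2" >/dev/null 2>&1
}

# Return 0 if file "$1" has exactly the contents of "$2".
patched_matches() {
    cmp -s "$1" "$2"
}

# Usage:
#   make_patch sshd_config.orig sshd_config.new sshd.patch
#   less sshd.patch        # read what it changes before applying it
#   apply_patch_checked sshd_config sshd.patch && patched_matches sshd_config sshd_config.new
```

The dry run is what turns "apply and hope" into a check: a hunk that no longer matches is reported before anything is written, instead of leaving a half-patched file and a .rej behind.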

File archiving by using tar command:

The tar command (Tape ARchive) in its simplest form either creates or unpacks archive files; on its own it does not compress anything (that is the job of gzip or bzip2, below). If we want to create an archive, we give tar a file name for the archive and a list of files to put into it. tar collects all the files we specify into one single file, commonly called a tarball.

To create an archive and extract it again:

unix-root@David:/home/sarge# tar -cvf clipdat.tar clipdat2.rdf

unix-root@David:/home/sarge# tar -xvf clipdat.tar

Before extracting an archive we did not make ourselves, list it with tar -tvf clipdat.tar to see which paths, owners and permissions it is going to write.
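As an added example that is not part of the original post: listing an archive and refusing members that would land outside the extraction directory. GNU tar on its own drops a leading "/" and skips members whose names contain "..", unless -P is given, but other tar implementations differ, and a loud refusal is better than a silent rewrite when the archive was supposed to be trustworthy. Function names are mine; it assumes GNU tar and awk, and uses -P on the listing so member names are shown exactly as stored.

```shell
# Added example, not from the original page: list an archive you did not
# create and refuse members that would land outside the extraction
# directory. Assumes GNU tar (-P on the listing shows member names exactly
# as stored, instead of the sanitised form tar would extract) and awk.

# Print offending members of archive "$1"; return 1 if there are any.
tar_members_safe() {
    tar -tPf "$1" | awk -F/ '
        substr($0, 1, 1) == "/" { bad++; print "absolute path: " $0; next }
        { for (i = 1; i <= NF; i++) if ($i == "..") { bad++; print "traversal: " $0; break } }
        END { exit (bad > 0) }'
}

# Extract archive "$1" into directory "$2" only after the member check passes.
safe_extract() {
    tar_members_safe "$1" || { echo "refusing to extract $1" >&2; return 1; }
    tar -xf "$1" -C "$2"
}

# Usage: safe_extract vendor-update.tar /opt/staging
```

Symbolic links inside an archive are the other classic trick (a member that is a link to /etc followed by a member written through it); tar -tvf shows them with "->", and the same listing pass is the place to look for them.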

File compression by compress/gzip/bzip2 tools:

One of the common issues we run into on Unix/Linux systems is running out of space, and the sole reason for compressing files is to save space. There are three compression tools we will use when working with Unix/Linux: compress, gzip and bzip2.

The compress command is an older Unix command that uses an older algorithm (compress <filename>); in the Linux environment it has been pushed aside and replaced by tools such as gzip. Files created with compress have the suffix .Z, and uncompress, as its name says, undoes the result of a compress command (uncompress <filename.Z>).

The gzip command works essentially like the compress/uncompress/zcat suite (gzip, gunzip, zcat) and is a better and less encumbered utility than the older compress. When gzip is combined with tar, the resulting file extensions are .tgz or .tar.gz (a .tar.Z file is a tarball run through compress, and a .tar.bz2 one run through bzip2).

There is also bzip2, a freely available, high-quality data compressor that usually produces smaller files than gzip at the cost of more CPU time. It follows the same form as gzip: bzip2 <filename> produces the compressed file <filename.bz2>, and decompression is simply bunzip2 <filename.bz2>.

Basic UNIX/Linux Processes:

Unix/Linux systems let us multitask: they run more than one process at a time. To run a process in the background, append an ampersand (&) to the command line.

With Ctrl+Z and the bg command we can manage jobs. Pressing Ctrl+Z suspends the process running in the foreground; to move a process into the background we first suspend it this way and then use bg. When we press Ctrl+Z the shell prints the job number assigned to the process (see also the jobs command). We then only need:

unix-root@David:/home/sarge#bg %x

(where x is the number of the suspended job)

To bring the process back from the background:

unix-root@David:/home/sarge#fg %x


View running processes by using ps command:

ps displays information about a selection of the active processes. If you want a repetitive update of the selection and the displayed information, use top instead. To see every process on the system using BSD syntax:

unix-sarge@David:~$ps aux      (or ps -ef on System V style Unix)

USER  PID %CPU %MEM  VSZ RSS TTY STAT START TIME COMMAND

root    1  0.1  0.0 2080 688 ?   Ss   13:08 0:01 init [2]

root    2  0.0  0.0    0   0 ?   S    13:08 0:00 [kthreadd]

root    3  0.0  0.0    0   0 ?   S    13:08 0:00 [ksoftirqd/0]

…...................(The rest of output removed)..............................

Terminating process by using kill/killall commands:

The kill command sends a signal to a process; the default signal is TERM. To see the available signals use the -l or -L option. Particularly useful signals include HUP, INT, KILL, STOP, CONT, and 0. Alternate signals may be specified in three ways: -9, -SIGKILL, -KILL.

For example, if a process is causing problems on our system, the first step is to run ps or top to get its PID. Considering that the PID is 2318, first send the default TERM signal (kill 2318), which asks the process to exit and lets it close files and remove lock files. Only if it is still there after a few seconds fall back to KILL, which cannot be caught or ignored and gives the process no chance to clean up:

unix-sarge@David:~$kill -9 2318

With the killall command we can kill processes by name instead of by PID:

unix-sarge@David:~$killall firefox-bin

On Linux killall matches the process name exactly; be careful with the same name on other Unix flavours, since on Solaris killall terminates all active processes.
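As an added example that is not part of the original post, here is the kill procedure just described as a function: TERM first, a wait, and KILL only as the fallback. Function names are mine; it needs plain sh plus Linux /proc (used to tell a zombie from a live process).

```shell
# Added example, not from the original page: stop a process by asking first
# (TERM) and escalate to KILL only if it is still running after a timeout.
# kill -9 as the first resort denies the process any chance to flush
# buffers or remove lock files. Plain POSIX sh plus Linux /proc.

# Return 0 if process "$1" is alive. A zombie still answers kill -0, so
# on Linux its state is read from /proc to avoid waiting on a corpse.
is_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    case "$(awk '/^State:/ { print $2 }' "/proc/$1/status" 2>/dev/null)" in
        Z) return 1 ;;
    esac
    return 0
}

# stop_gracefully PID [TIMEOUT_SECONDS]: TERM, wait up to the timeout
# (default 5 s), then KILL. Returns 0 if the process is gone, 1 if not.
stop_gracefully() {
    local pid="$1" timeout="${2:-5}" waited=0
    is_alive "$pid" || return 0
    kill -TERM "$pid" 2>/dev/null || true
    while [ "$waited" -lt "$timeout" ]; do
        is_alive "$pid" || return 0
        sleep 1
        waited=$((waited + 1))
    done
    echo "pid $pid ignored TERM for ${timeout}s, sending KILL" >&2
    kill -KILL "$pid" 2>/dev/null || true
    sleep 1
    is_alive "$pid" && return 1
    return 0
}

# Usage: for pid in $(pgrep -x firefox-bin); do stop_gracefully "$pid" 10; done
```

A process that needs the KILL fallback every time is worth a look in its own right: it is either stuck in uninterruptible I/O or deliberately ignoring TERM.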

Automating processes by using at/cron commands:

There are two basic ways to set up our Unix/Linux system to run a process at a specific time; one way is to use the cron command, and the other is to use the at command.

The cron daemon executes scheduled commands. Every user has a personal crontab, managed with the crontab command; cron also reads /etc/crontab, which is in a slightly different format, and the files in /etc/cron.d, which it treats the same way as /etc/crontab (they follow the special format of that file, i.e. they include the user field). To install a prepared file as our crontab:

unix-sarge@David:~$crontab cronfile

There is no -a option: crontab <file> replaces our crontab with the contents of the file, crontab -e opens the current one in an editor, crontab -l displays it, and crontab -r removes it.

Each entry in a crontab file consists of six fields, specifying the following information:

minute(s) hour(s) day(s) month(s) weekday(s) command(s)

The at command reads commands from standard input or a specified file and executes them at a later time, using /bin/sh. Typing at with a time drops us into the at> environment, where we enter the commands to run. at accepts fairly complex time specifications, extending the POSIX.2 standard: times of the form HH:MM run a job at that time of day (if it has already passed, the next day is assumed), the words midnight, noon and teatime (4pm) are understood, and a time of day may be suffixed with AM or PM:

unix-sarge@David:~$at midnight

warning: commands will be executed using /bin/sh

at> tar -cvf /backups/Documents-sarge.tar /home/sarge/Documents

at> <EOT>

job 1 at Mon Feb 28 00:00:00 2011

We are submitting a job that will run at the coming midnight. It creates a tarball of the /home/sarge/Documents directory named Documents-sarge.tar (the archive name comes first on the tar command line, then what goes into it). Pressing Ctrl+d at the at> prompt ends the input; at prints <EOT> and the job number, and we are back at our shell prompt.

File permissions with chmod in the UNIX/Linux environment:

The chmod command changes file mode bits. Here are some examples of what we can do with it:

root@David:/home/sarge#chmod 755 clipdat2.rdf

By running the above instruction we give the owner of clipdat2.rdf full read, write and execute permission, and the group and everyone else read and execute permission.

root@David:/home/sarge#chmod u=rwx,g=rx,o=rx clipdat2.rdf

This is the same mode written symbolically: read, write and execute for the user (owner), read and execute for the group, and read and execute for others. Note that 755 is more than a data file such as clipdat2.rdf needs; a file that is not a program should normally be 644, and group or world write access should only be granted where something actually requires it.

Permission Bits:

To work this out we need to know how binary numbers convert to decimal, and only for three bits. Reading a three-bit group from right to left, the positions are worth 1, 2 and 4 (each a power of two), and a 0 means "off" while a 1 means "on". So 001 is 1, because only the rightmost position is on; 010 is 2, because only the middle position is on; and 100 is 4. Applied to permissions, the three positions are read (4), write (2) and execute (1).

With this we can quickly work out the digit we need instead of spelling the permissions out, and set several at once. For example, 110 is the combination of read and write: its value is 6 (4+2), and that is the digit for read and write permission. To set a file's permissions this way we give three digits, one each for owner, group and other, and each digit is the sum of the permissions we want. The first digit is the owner, the second the group, and the third other.

For example, suppose that you want to set the owner to have full permissions, and the group and other to have read and execute permissions. Full permissions are achieved by adding all the
permission values (4+2+1=7). Read and execute permissions are a combination of 4+1=5. The three numbers you'll use to set this are 7, 5, and 5, entered as a single three-digit number, 755.
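As an added example that is not part of the original post, here is the arithmetic above as shell functions that convert between the ls -l letters and the octal digits in both directions, extended with the set-UID, set-GID and sticky bits (shown by ls as s/S and t/T) that the text does not cover, plus a check of the mode the kernel reports through stat. Function names are mine; it assumes GNU coreutils.

```shell
# Added example, not from the original page: the octal arithmetic the text
# walks through, as functions, extended to the set-UID, set-GID and sticky
# bits that ls shows as s/S and t/T, and checked against what the kernel
# reports through stat(1). Assumes GNU coreutils. Function names are mine.

# One rwx triplet ("r-x", "rws") -> its octal digit (5, 7).
triplet_to_digit() {
    local d=0
    case "$1" in r??) d=$((d + 4)) ;; esac
    case "$1" in ?w?) d=$((d + 2)) ;; esac
    case "$1" in ??[xst]) d=$((d + 1)) ;; esac    # lowercase s/t also mean x
    echo "$d"
}

# "rwsr-xr-x" or "-rwsr-xr-x" (as printed by ls -l) -> 4755; "rw-r--r--" -> 644.
mode_to_octal() {
    local m="$1" u g o special=0 d1 d2 d3
    case "$m" in ??????????) m="${m#?}" ;; esac   # drop the file-type column
    u="${m%??????}"; g="${m#???}"; g="${g%???}"; o="${m#??????}"
    case "$u" in ??[sS]) special=$((special + 4)) ;; esac   # set-UID
    case "$g" in ??[sS]) special=$((special + 2)) ;; esac   # set-GID
    case "$o" in ??[tT]) special=$((special + 1)) ;; esac   # sticky
    d1=$(triplet_to_digit "$u"); d2=$(triplet_to_digit "$g"); d3=$(triplet_to_digit "$o")
    if [ "$special" -eq 0 ]; then echo "$d1$d2$d3"; else echo "$special$d1$d2$d3"; fi
}

# One octal digit -> "rwx" letters; "$2" is the special letter (s or t)
# for this position, empty if the special bit is not set.
digit_to_triplet() {
    local d="$1" sp="$2" t
    if [ $((d & 4)) -ne 0 ]; then t="r"; else t="-"; fi
    if [ $((d & 2)) -ne 0 ]; then t="${t}w"; else t="${t}-"; fi
    if [ -z "$sp" ]; then
        if [ $((d & 1)) -ne 0 ]; then t="${t}x"; else t="${t}-"; fi
    elif [ $((d & 1)) -ne 0 ]; then
        t="$t$sp"                               # s or t: special bit plus execute
    else
        t="$t$(printf '%s' "$sp" | tr st ST)"   # S or T: special bit, no execute
    fi
    echo "$t"
}

# 755 -> "rwxr-xr-x"; 4755 -> "rwsr-xr-x"; 1777 -> "rwxrwxrwt".
octal_to_mode() {
    local n="$1" special=0 u g o su="" sg="" so=""
    case "$n" in ????) special="${n%???}"; n="${n#?}" ;; esac
    u="${n%??}"; g="${n#?}"; g="${g%?}"; o="${n#??}"
    [ $((special & 4)) -ne 0 ] && su=s
    [ $((special & 2)) -ne 0 ] && sg=s
    [ $((special & 1)) -ne 0 ] && so=t
    printf '%s%s%s\n' "$(digit_to_triplet "$u" "$su")" "$(digit_to_triplet "$g" "$sg")" "$(digit_to_triplet "$o" "$so")"
}

# Return 0 if file "$1" has exactly the octal mode "$2" according to the kernel.
mode_is() {
    [ "$(stat -c %a "$1")" = "$2" ]
}

# Usage: chmod 4755 /usr/bin/passwd && mode_is /usr/bin/passwd 4755 && octal_to_mode 4755
```

The leading digit is the one to watch when auditing: a 4 or 2 in front of the three familiar digits means the file runs with its owner's or group's privileges, which is exactly what the find -perm -4000 sweep is looking for.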