Archive for June, 2006


Linux Install options in Fedora

June 23, 2006

A commonly asked question among new users and some experienced users is how to get this or that during the installation of Fedora Core Linux. Below is a list of command line options that can be used when you first boot from your Fedora distro media, taken from Anaconda-10.0:

Boot time command args:
-----------------------

expert          Turns on special features:
- allows partitioning of removable media
- prompts for driver disk

noshell         Do not put a shell on tty2 during install.

lowres          Force GUI installer to run at 640x480.

resolution=<mode> Run installer in mode specified, '1024x768' for example.

nousb           Do not load USB support (helps if install hangs
early sometimes).

nofb            Do not load the VGA16 framebuffer required for doing
text-mode installation in some languages

nofirewire      Do not load support for firewire devices

askmethod       Do not automatically use the CD-ROM as the install
source if we detect a Red Hat Linux CD in your CD-ROM drive.

nousbstorage    Do not load usbstorage module in loader.  May help with
device ordering on SCSI systems.

noparport       Do not attempt to load support for parallel ports

noprobe         Do not attempt to detect hw, prompts user instead.

nopcmcia        Ignore PCMCIA controller in system.

skipddc         Skips DDC probe of monitor, may help if it is hanging the system.

graphical       Force graphical install. Required to have ftp/http use GUI.

text            Force text mode install.

vnc             Enable vnc-based installation. You will need to connect
to the machine using a vnc client application.

vncpassword=<password>  Enable a password for the vnc connection. This will
prevent someone from inadvertently connecting to the
vnc-based installation.

Requires 'vnc' option to be specified as well.

vncconnect=<host>[:<port>]   Once installation is up and running, connect to
the vnc client named <host>, and optionally use port <port>.

Requires 'vnc' option to be specified as well.

updates         Prompt for floppy containing updates (bug fixes).

isa             Prompt user for ISA devices configuration.

dd              Use a driver disk.

driverdisk      Same as 'dd'.

mediacheck      Activates loader code to give user option of testing integrity
of install source (if an ISO-based method).

rescue          Run rescue environment.

nomount         Don't automatically mount any installed Linux partitions
in rescue mode.

nopass          Don't pass keyboard/mouse info to stage 2 installer, good for
testing keyboard and mouse config screens in stage2 installer
during network installs.


serial          Turns on serial console support.

ksdevice        Takes an argument like 'eth0', tells install what network
device to use for kickstart from network.

ks              Kickstart over NFS.

ks=cdrom:       Kickstart from CDROM

ks=nfs:<path>   Kickstart from NFS.

ks=<url>        Kickstart via HTTP.

ks=hd:<dev>     Kickstart via harddrive (dev = 'hda1', for example)

ks=file:<path>  Kickstart from a file (path = 'fd0/ks.cfg')

ks=ftp://<path> Kickstart from FTP.

ks=http://<path> Kickstart from HTTP.

kssendmac       Adds HTTP headers to ks=http:// request that can be helpful
for provisioning systems.  Includes MAC address of all nics in
a CGI environment variable of the form
HTTP_X_RHN_PROVISIONING_0, HTTP_X_RHN_PROVISIONING_1, etc, for
all nics.

dhcpclass=<class> Sends a custom DHCP vendor class identifier. ISC's dhcpcd can
inspect this value using "option vendor-class-identifier".

upgradeany      Don't require an /etc/redhat-release that matches the
expected syntax to upgrade.

lang=<lang>     Language to use for the installation.  This should be a
language which is valid to be used with the 'lang' kickstart
command.

keymap=<keymap> Keyboard layout to use.  Valid values are those which can be
used for the 'keyboard' kickstart command.

ip=<ip>         IP to use for a network installation, use 'dhcp' for DHCP.

netmask=<nm>    Netmask to use for a network installation.

gateway=<gw>    Gateway to use for a network installation.

dns=<dns>       Comma separated list of nameservers to use for a network
installation.

method=nfs:<path> Use <path> for an NFS installation.

method=http://<path> Use <path> for an HTTP installation

method=ftp://<path> Use <path> for an FTP installation

method=hd://<dev>/<path> Use <path> on <dev> for a hard drive installation

method=cdrom    Do a CDROM based installation.

vnc             Do graphical installation via VNC.  Instead of
starting a normal X server, vncserver will be started
and you can then connect remotely to do the
installation.

vncpassword=<password>  Set a password for the vnc session.

vncconnect=<host>[:<port>]   Once installation is up and running, connect to
the vnc client named <host>, and optionally, on port <port>.
Requires 'vnc' option to be specified as well.

Below is a list of undocumented commands that I found in the anaconda source:

test
debug           Start up pdb immediately
nofallback      If GUI fails exit
rootpath=       Where to install packages (default /mnt/sysimage)
pcic=           Specify pcmcia controller
overhead=       Override LVM overhead calculation
testpath=
mountfs
traceonly       Don't run, just list modules we use
kickstart=      Set serial install and kickstart file
kbdtype=        Set the type of keyboard
module=         Load additional kernel modules
class=          Choose install class to use
autostep        Make kickstart non-interactive
noselinux       Disable Security Enhanced Linux
selinux         Enable Security Enhanced Linux
vnc=
cmdline         Use command line installer
headless        Automate install for machines with no display
virtpconsole=
xfs             Allows the creation of an xfs filesystem
reiserfs        Allows the creation of a reiserfs filesystem
jfs             Allows the creation of a jfs filesystem
syslogd

netfilter’s geoip match

June 19, 2006

Introduction
netfilter and iptables are building blocks of a framework inside the Linux 2.4.x and 2.6.x kernel. This framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. It is the re-designed and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems. To learn more about iptables/netfilter you should visit http://www.netfilter.org.

What is iptables/netfilter’s geoip match?
This framework is modular and easily lets you extend its features. That is exactly what geoip is: an extension to iptables/netfilter that allows you to filter, NAT or mangle packets based on the country a packet comes from or is headed to.
Installation
There are a few minor steps to go through before using this match.
The geoip database
In order to efficiently filter on a country basis, we obviously need a subnet-to-country database. Fortunately, there’s a free one available at http://www.maxmind.com.
However, this database is big and unsorted. Loading it into memory as-is would eat up far more resources than we really need, and seeking through an unsorted database takes ages. This is why you need a tool called ‘csv2bin’ to strip, sort and compile your database.
csv2bin is available at http://people.netfilter.org/peejix/geoip/tools/
An alternative to creating your own up-to-date database is downloading a prebuilt but possibly outdated database from http://people.netfilter.org/peejix/geoip/database/.
You’ll now have to copy `geoipdb.bin’ and its index file `geoipdb.idx’ into /var/geoip/. The reason we do this is that iptables’ geoip shared library reads both files from that hard-coded path. If you ever need to change that path, take a look at extensions/libipt_geoip.c and adjust it to your needs.
Applying patch-o-matic
Just like other “official” patches, geoip is part of patch-o-matic-ng. As a new match, we’ve put it into the Testing state and the Extra repository, so start ‘runme’ accordingly.
#> tar xfz patch-o-matic-ng-XXXXXX.tar.gz
#> cd patch-o-matic-ng
#> IPTABLES_DIR=/usr/src/iptables KERNEL_DIR=/usr/src/linux ./runme geoip

Do not forget to :
o recompile iptables;
o enable geoip into your kernel config;
o recompile your kernel or compile geoip as a module;
o boot the new kernel or modprobe ipt_geoip.
NOTE: If you had to change the database path into libipt_geoip.c, you MUST do it before compiling.

Examples
If you want to block all Anonymous Proxies and Satellite Providers, you can enter something like this (this assumes that your Linux box acts as a router; otherwise use `-A INPUT’ instead):
#> iptables -A FORWARD -m geoip --src-cc A1,A2 -j DROP

If you only plan to accept connections from your own country:
#> iptables -P INPUT DROP
#> iptables -A INPUT -m geoip ! --src-cc CA -j DROP

Some people like to know which countries are hitting obscure or well-known security-risk ports.
Create a dedicated accounting custom chain:
#> iptables -N SSH_GEOIP

Feed that chain with your targeted countries (the countries below are examples only):
#> iptables -A SSH_GEOIP -m geoip --src-cc CA
#> iptables -A SSH_GEOIP -m geoip --src-cc DE
#> iptables -A SSH_GEOIP -m geoip --src-cc US
#> iptables -A SSH_GEOIP -m geoip --src-cc JP
#> iptables -A SSH_GEOIP -m geoip --src-cc FR

The sixth rule will match all other countries:
#> iptables -A SSH_GEOIP -m geoip ! --src-cc CA,DE,US,JP,FR

Then call the chain for a specific situation:
#> iptables -A INPUT -p tcp --dport 22 -j SSH_GEOIP
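The accounting chain above, built from a country list by a small script. This is an added example, not part of the geoip README quoted here; it assumes the database lives in /var/geoip/ as described and uses an IPT variable so the rules can be reviewed with IPT=echo before they touch a live firewall.

```shell
#!/bin/sh
# Added example, not part of the geoip README quoted above. It builds the
# SSH_GEOIP accounting chain from a country list after checking that the
# two database files the match reads from /var/geoip/ are in place.
# IPT defaults to iptables; set IPT=echo to dry-run and review the rules.
IPT=${IPT:-iptables}
GEOIP_DIR=${GEOIP_DIR:-/var/geoip}

# Succeed only if geoipdb.bin and geoipdb.idx exist and are non-empty in $1.
geoip_db_ready() {
    [ -s "$1/geoipdb.bin" ] && [ -s "$1/geoipdb.idx" ]
}

# Join the arguments with commas: cc_list CA DE US -> CA,DE,US
cc_list() {
    printf '%s' "$1"
    shift
    for cc; do printf ',%s' "$cc"; done
}

# Create (or flush) SSH_GEOIP, add one counting rule per country, one
# rule for every other country, and hook the chain onto tcp/22.
build_ssh_geoip() {
    [ $# -gt 0 ] || { echo "usage: build_ssh_geoip CC [CC...]" >&2; return 1; }
    geoip_db_ready "$GEOIP_DIR" || {
        echo "geoip database not found in $GEOIP_DIR" >&2
        return 1
    }
    $IPT -N SSH_GEOIP 2>/dev/null || $IPT -F SSH_GEOIP
    for cc; do
        $IPT -A SSH_GEOIP -m geoip --src-cc "$cc"
    done
    $IPT -A SSH_GEOIP -m geoip ! --src-cc "$(cc_list "$@")"
    $IPT -A INPUT -p tcp --dport 22 -j SSH_GEOIP
}
```

Run `IPT=echo sh thisscript.sh` style dry-runs first; the rules without a `-j` target only count packets, as in the original chain.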

Motivation
This patch has been provided for fun and as a challenge only. Please do not consider this patch as an anti-spam approach. There are much better uses of this patch than such racist routing.

Thanks
Thanks to

Charles Michaud, for giving us the project’s idea.
Arthur Ouellet, for giving us ideas and bug reports.
Martin Josefsson, for answering our technical questions.

Tarek W. Said for jiggling his butt when we succeed.
Sean Donner for testing and writing the geoip_update.sh

and all the netfilter core team, you’re working like a big mama.


Using Linux – Environment Variables

June 16, 2006

Environment Variables

Environment variables in the bash shell help you in several ways. Certain built-in variables change the shell in ways that make your life a little easier, and you can define other variables to suit your own purposes. Here are some examples of built-in shell variables:

· PS1 defines the shell's command-line prompt.

· HOME defines the home directory for a user.

· PATH defines a list of directories to search through when looking for a command to execute.

To list the current values of all environment variables, issue the command

env

or list a specific variable with the echo command, prefixing the variable name with a dollar sign (the second line shows the result of the echo command):

echo $HOME
/home/hermie

You've already learned how to customize your shell prompt with the PS1 variable. The HOME variable is one you shouldn't mess with, because lots of programs count on it to create or find files in your personal home directory.

Understanding the Path Variable

As in DOS, the shell uses the PATH variable to locate a command. PATH contains a list of directories separated by colons:

echo $PATH
/bin:/usr/bin:/usr/local/bin

When you enter a command, the shell looks in each of the directories specified in PATH to try to find it. If it can't find the command in any of those directories, you'll see a "Command not found" message.

If you decide to put your own programs in a bin directory under your home directory, you'll have to modify the path to include that directory, or the system will never find your programs (unless you happen to be in that directory when you enter the command). Here's how to change your PATH variable so it includes your personal bin directory:

PATH=$PATH:$HOME/bin

So if PATH was set to /bin:/usr/bin:/usr/local/bin beforehand, it would now have the value /bin:/usr/bin:/usr/local/bin:/home/hermie/bin.

Creating Your Own Shell Variables

If you are a programmer, you'll find it handy to create your own shell variables. First issue the command

code=$HOME/projects/src/spew

and then, regardless of what directory you are in, you can issue

cd $code

to pop over quickly to the directory containing the source code for that way-cool spew program you're developing. (The cd command means "change directory.")

A variable assignment like this will work just fine, but its scope (visibility) is limited to the current shell. If you launch a program or enter another shell, that child task will not know about your environment variables unless you export them first.

Unless you know for sure that an environment variable will have meaning only in the current shell, it's a good idea to always use export when creating variables to ensure they will be global in scope, for example:

export PS1="\u \$ "
export code=$HOME/projects/src/spew

And be sure to add these commands to your .profile file so you won't have to retype them each time you log in.
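The two points above (variable scope, and extending PATH) as a runnable script. This is an added example, not from the original post; it appends the private bin directory after the system directories so it can never shadow /bin or /usr/bin commands, and the /tmp/projects path is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. It shows (1) that a plain
# assignment is invisible to child processes until it is exported, and
# (2) a PATH helper that appends a directory only once, after the system
# directories, so a private bin never shadows /bin or /usr/bin commands.
# The /tmp/projects path is constructed for the demo.

# Print the value of variable $1 as a child process sees it. env is a
# separate process, so it only lists variables that were exported.
child_sees() {
    env | sed -n "s/^$1=//p"
}

# Print PATH value $1 with directory $2 appended, unless it is already there.
path_with() {
    case ":$1:" in
        *":$2:"*) printf '%s\n' "$1" ;;        # already on the path
        *)        printf '%s\n' "$1:$2" ;;
    esac
}

# Assign, check from a child, export, check again.
scope_demo() {
    unset code
    code=/tmp/projects/src/spew                # known to this shell only
    before=$(child_sees code)                  # empty: child sees nothing
    export code                                # now inherited by children
    after=$(child_sees code)
    printf '%s|%s\n' "$before" "$after"        # prints "|/tmp/projects/src/spew"
}

scope_demo
path_with "$PATH" "$HOME/bin"
```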


Using Linux – Redirection

June 16, 2006

Redirecting the Input or Output of Linux Commands

Another useful bash feature is its ability to redirect the input and output of Linux commands. You can save the results of a command in a file instead of displaying the results on the screen, or you can feed data from a file to a program instead of entering data from the keyboard.

Let's look at redirection first. Imagine a fictitious command called nocats that prompts the user for a number and then waits for that many lines of text to be entered before processing them. (The program looks at each input line and prints only the ones that do not contain the word cat.)

You could feed the program by entering the data from the console (bold text is your typed input, normal text is console output):

$ nocats
3
Dogs are much better than those other household animals.
A cat would never beg for jerky treats.
Dogs are pretty stupid, but at least they stick around.
Dogs are much better than those other household animals.
Dogs are pretty stupid, but at least they stick around.

Or using a text editor, you could put all the input data in a file called stuff and feed the nocats program like this:

$ nocats < stuff
Dogs are much better than those other household animals.
Dogs are pretty stupid, but at least they stick around.

The less-than (<) symbol causes the program to get input from the stuff file instead of waiting for keyboard input. The greater-than (>) symbol, on the other hand, redirects output to a file instead of to the console. Thus, the command

$ nocats < stuff > bother

will cause the nocats program to read its input from one file (stuff) and write it to another (bother), without the keyboard or console entering the picture. Note that the nocats program doesn't know or care about all this redirection. It still thinks it is reading data from the keyboard and writing to the console, but the shell has temporarily reassigned the input and output to files instead of physical devices.

To append to an existing file instead of creating a new one, use two greater-than symbols (>>), as in this example:

zippity > somefile
doodah >> somefile

The zippity command runs first, and the output is placed in a new file called somefile. Then doodah runs, and its output is added (appended) to the somefile file.

Note: It's important to remember that redirecting with a single > symbol will wipe out existing data if the output file already exists.
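A working stand-in for the fictitious nocats program, run through the redirections described above. This is an added example, not from the original post; it also shows the guard the closing note calls for: with `set -C` (noclobber) a plain > is refused instead of wiping the file. The files and their contents are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: a working stand-in for the
# fictitious nocats program, the same redirections as in the text, and
# 'set -C' (noclobber), which makes a plain > fail instead of truncating
# an existing file. File names and contents are constructed for the demo.

# nocats: the first input line is a count; that many lines are then read
# and only those NOT containing the word "cat" are printed.
nocats() {
    read -r count || return 1
    head -n "$count" | grep -v -w cat
}

redirect_demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 3 \
        'Dogs are much better than those other household animals.' \
        'A cat would never beg for jerky treats.' \
        'Dogs are pretty stupid, but at least they stick around.' > "$dir/stuff"

    nocats < "$dir/stuff" > "$dir/bother"       # read stuff, create bother
    first=$(wc -l < "$dir/bother" | tr -d ' ')  # 2 lines survive the filter
    nocats < "$dir/stuff" >> "$dir/bother"      # >> appends: now 4 lines
    second=$(wc -l < "$dir/bother" | tr -d ' ')
    nocats < "$dir/stuff" > "$dir/bother"       # > truncates: back to 2
    third=$(wc -l < "$dir/bother" | tr -d ' ')

    # With noclobber on, the same > is refused and bother is left intact.
    if (set -C; nocats < "$dir/stuff" > "$dir/bother") 2>/dev/null; then
        guarded=no
    else
        guarded=yes
    fi
    rm -rf "$dir"
    printf '%s %s %s %s\n' "$first" "$second" "$third" "$guarded"  # "2 4 2 yes"
}

redirect_demo
```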


Pico tips

June 16, 2006

The Pico text editor doesn't have a lot of fancy features, but it's a welcome alternative to the vi or Emacs editors because learning it is quick and easy. Cursor movement and text entry are straightforward, and, best of all, you don't have to learn any arcane commands: all commands are listed in a handy menu at the bottom of the screen.

Before we explore Pico commands, here's a summary of how to navigate your way around a file in Pico.

Positioning the Cursor
Right arrow     Move cursor one space right (also ctrl-N).
Left arrow     Move cursor one space left (also ctrl-P).
Up arrow     Move cursor up one line (also ctrl-F).
Down arrow     Move cursor down one line (also ctrl-B).
del     Delete character at cursor (also ctrl-D).
ctrl-Y     Move backward one screen (maybe F7).
ctrl-V     Move forward one screen (also F8).
ctrl-A     Move cursor to beginning of line.
ctrl-E     Move cursor to end of line.

With the exception of the ctrl-Y (page down) command, text entry and cursor handling are identical to that of the Emacs editor, so we won't cover that again here.

The Pico Menu

When you start Pico you'll see this menu of commands:

^G Help ^O WriteOut ^R Read File ^Y Prev Pg ^K Cut Text ^C Cur Pos

^X Exit ^J Justify ^W Where is ^V Next Pg ^U UnCut Text ^T To Spell

Here's a list of what they mean. Note that the circumflex (^) stands for ctrl.

Pico Commands
ctrl-G     Display help screens.
ctrl-O     Write file to disk.
ctrl-R     Read another file.
ctrl-K     Cut line or marked text.
ctrl-C     Display cursor position.
ctrl-X     Exit from Pico.
ctrl-J     Reflow the paragraph.
ctrl-W     Search for text.
ctrl-U     Paste (uncut) text.
ctrl-T     Run spelling checker.

Trying Out Some Pico Commands

Now let's try out some Pico commands.

Saving and Exiting

Saving your file is easy with Pico: just press ctrl-O to write your file to disk and remain in the editor, or press ctrl-X and respond y to the Save Modified Buffer? prompt to save and exit.

If you want to exit from Pico without saving your file, press ctrl-X and respond n to the Save Modified Buffer? prompt.

Inserting Another File

To insert another file into the one you're currently editing, position the cursor where you want to insert the file, press ctrl-R, and enter the name of the file you wish to insert at the prompt that appears on your screen:

Insert file from home directory: ______________
^G Get Help ^T To Files
^C Cancel

If you can't remember the name of the file to insert, press ctrl-T to display a list of all your files. If you ultimately decide not to insert it, press ctrl-C to cancel.

Cutting and Pasting with Pico

If all you want to do is cut and paste a line of text, you can use ctrl-K to delete the current line and ctrl-U to paste it somewhere else. Pico also lets you cut and paste blocks of text. Put your cursor on the word light on the first line of the bulb.joke file and press ctrl-^ (the circumflex is the shifted 6 key).

Once you've marked a block of text, ctrl-K acts a bit differently from before. Instead of deleting the entire line where the cursor is located, it deletes the highlighted block. You can then use ctrl-U to paste the deleted block elsewhere.

Tip: You don't have to paste the deleted text right away, or ever. ctrl-K can be used simply as a handy way of deleting unwanted text. (Deleted text goes to an invisible clipboard, and it disappears once you delete more text.)

Pico Bells and Whistles

Pico has a few nifty features you might not expect to find in a simple text editor. For example, ctrl-J will justify the sentences in the current paragraph. Type a bunch of short sentences on separate lines and try it. If you don't like the results, ctrl-U will undo the operation.

Pico also has a built-in spelling checker you can call up with ctrl-T from within a file. If Pico doesn't find any dubious words in the current document, nothing much happens except that the message "Done checking spelling" appears at the bottom of the screen.

And if you'd like to know exactly where you are within a file (on which line and at which character), or if you'd like a quick character or line count, press ctrl-C and look in the message area at the bottom of the screen for something like this:

line 2 of 4 (50%), character 65 of 173 (37%)


Pipe Fitting

June 16, 2006

Throughout this section, we've discussed how to manipulate a file with many different tools. But you can use each of these tools in a more powerful way by combining them into pipelines. Back in "Living in a Shell" you learned how to pump the output from one command to another by redirecting the input or output of those commands.

Following are several examples that show how to combine the power of the tools described in this section.

· To find files that have not been accessed for over 30 days and print the first five lines of each:

find . -atime +30 -exec head -5 {} \;

· To find out if a process named netscape is running:

ps | grep netscape

· To print only the second and third lines of a file:

head -3 some.file | tail -2

Note that the usage changes slightly when a command is in the second or subsequent stages of a pipeline. No input file is specified, because the previous stage feeds the command.

At the beginning of this section, I said that it would be no problem to search within a bunch of files, pull out all lines that contain a certain keyword, sort those lines, eliminate duplicates, and then print just the third column of each line. Here's proof that you can do it all on one line:

grep 'stuff' *.data | sort -k 2,2 | uniq | cut -f3   # -k 2,2 sorts on the second field (the old '+1 -2' syntax)

Seems almost too easy, doesn't it? Beats the heck out of writing a program several hundred lines long if you want to run it only once! Now let's use the rest of the commands from this section in another pipeline. Start by creating the file odds.ends containing the lines shown here:

Ford Cat 47
IBM Lion 152
Xerox Slug 31
Zenith Bear 26
Intel Cat 133
Hershey Lynx 28
Apple Panda 74

Then execute the following command. (The backslash at the end of a line tells the shell that you are continuing a command on the next line.) Can you figure out what the output will be?

head -5 odds.ends | sed s/Cat/Tigger/g | \
awk /Tigger/'{print "Buy",$1,"from",$2,"at",$3}' | \
tail -1

The correct answer is "Buy Intel from Tigger at 133". Can you prove it?


Finding Files – find

June 16, 2006

The find command locates files in many different ways. Unlike the rest of the commands in this section, find does not look at the contents of a file; it only helps you find files that meet certain criteria, such as name, size, age, and type. The general form of the find command is

find <starting point> <search criteria> <action>

The starting point is the name of the directory where find should start looking for files. The find command examines all files in this directory (and any subdirectories) to see if they meet the specified search criteria. If any do, find performs the specified action on each found file. Here are some of the most useful search criteria options:

-name pattern Find files with names that match the pattern.
-size [+|-] n Find files larger or smaller than a certain size.
-atime [+|-] n Find files accessed before or after a certain date.
-mtime [+|-] n Find files modified before or after a certain date.
-type filetype Find only regular files or only directories.

And here are the actions that can be applied to found files:

-print Print just the names of matching files.
-ls Print the names, dates, sizes, and so on of matching files.
-exec command Execute a command with the file name as input.
-ok command Same as -exec, but asks for confirmation first.

That all might look a bit confusing, so here are some examples to bring things down to earth. To find files (starting in the current directory) with names ending with .data and to print their names, try this:

find . -name '*.data' -print
company.data
donor.data
grades.data
sorted.data
words.data

To find files larger than 40K and print the file names and details (use a minus sign instead of a plus sign to find files smaller than a certain size), issue this command:

find . -size +40k -ls
-rw-rw-r-- hermie users 56720 Jan 16 12:42 bigfile
-rw-rw-r-- hermie users 415206 Feb 27 21:37 largefile
-rw-rw-r-- hermie users 315428 Jan 07 05:23 hugefile

To find files ending with .txt that are smaller than 100K, enter (the pattern is quoted so the shell does not expand it in the current directory before find sees it)

find . -name '*.txt' -size -100k -ls
-rw-rw-r-- hermie users 26720 Feb 06 23:52 recipes.txt
-rw-rw-r-- hermie users 506 Feb 18 18:45 poem.txt

To find files that have not been accessed for over 30 days and delete them (by sending their names to the rm command), enter

find . -atime +30 -exec rm {} \;

To find directories (starting in the junk directory) and conditionally delete them (by sending their names to the rmdir command), enter

find junk -type d -ok rmdir {} \;
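The "not accessed for over 30 days, then delete" clean-up from above, split into a review step and a delete step so rm never runs on a list nobody has looked at. This is an added example, not from the original post; the temp files and the 2006 access time in its self-test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: the "not accessed in N days"
# clean-up above, with a listing step that runs before any rm. The temp
# files and the 2006 timestamp in the self-test are constructed.

# List regular files under $1 not accessed for more than $2 days.
stale_files() {
    find "$1" -type f -atime +"$2" -print
}

# Delete those files only when the third argument is literally "delete";
# anything else is a dry run that just lists what would go.
clean_stale() {
    if [ "$3" = "delete" ]; then
        find "$1" -type f -atime +"$2" -exec rm -f {} \;
    else
        stale_files "$1" "$2"
    fi
}

# Self-test: one file with an access time back in 2006, one fresh file.
selftest() {
    dir=$(mktemp -d) || return 1
    : > "$dir/old.data"
    : > "$dir/new.data"
    touch -a -t 200606230000 "$dir/old.data"             # constructed atime
    listed=$(stale_files "$dir" 30 | wc -l | tr -d ' ')  # 1 (old.data)
    clean_stale "$dir" 30 delete
    left=$(find "$dir" -type f | wc -l | tr -d ' ')      # 1 (new.data)
    rm -rf "$dir"
    printf '%s %s\n' "$listed" "$left"                   # prints "1 1"
}

selftest
```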