LPI Linux Certification in a Nutshell Part 32

Chapter16.Essential System Services (Topics 108.1 and 108.2)

As a system administrator in a multiuser environment, much of your activity is related to maintaining various system services. These services include accurate system time and logging of system events. The following two Objectives are covered in this chapter: Objective 1: Maintain System Time Candidates should be able to properly maintain the system time and synchronize the clock over NTP. Tasks include setting the system date and time, setting the hardware clock to the correct time in UTC, configuring the correct time zone for the system, and configuring the system to correct clock drift to match the NTP clock. Weight: 3.

Objective 2: System Logging Candidates should be able to configure system logs. This Objective includes managing the type and level of information logged, manually scanning logfiles for notable activity, monitoring logfiles, arranging for automatic rotation and archiving of logs, and tracking down problems noted in logs. Weight: 2.

Objective 1: Maintain System Time An accurate system clock is important on a Linux system for a variety of reasons. Log entries need to be accurate so you can accurately determine what system events occurred. Programs such as make make and and anacron anacron require accurate modification times on files. Network file sharing (such as NFS) requires both client and server to keep accurate time so file operations are kept in sync. require accurate modification times on files. Network file sharing (such as NFS) requires both client and server to keep accurate time so file operations are kept in sync.

The most popular way to keep accurate time on an Internet-connected Linux system is to use the Network Time Protocol (NTP) and the NTP software package from http://www.ntp.org.

NTP Concepts NTP is used to set and synchronize the internal clocks of network-connected systems. When properly configured, systems running the NTP daemon can be synchronized within a few milliseconds (or better), even over relatively slow WAN connections.

The NTP daemon also supports synchronization with an external time source, such as a GPS receiver. Systems directly connected to an external time source (and properly configured) are the most accurate, so they are designated stratum 1 stratum 1 servers. Systems synchronizing to stratum 1 servers are designated servers. Systems synchronizing to stratum 1 servers are designated stratum 2 stratum 2, and so on, down to stratum 15.

NoteThe NTP software package has support for cryptographic key-based authentication, although setting this up is outside the scope of the LPI Level 1 Exams and will not be covered here.

The NTP Software Package Components The NTP software package consists of several programs, including the NTP daemon and a number of programs used to configure and query NTP servers. The more commonly used programs from the package are listed here.

The Hardware Clock Computer motherboards all contain a small battery that is used to power the hardware clock. This ensures that the computer can successfully keep track of the time even when it is powered off. In Linux, you can configure this hardware clock and synchronize your system clock to it (or vice versa). The importance of the hardware clock has been somewhat minimized with the widespread use of NTP and easily available, reliable time servers. However, for systems that aren't always connected to the Internet, an accurate hardware clock is an important thing to have. Syncing a hardware clock is also required when working with old hardware that suffers from time issues, such as BIOSes that are not Y2K-aware.

Hardware clocks can suffer from the same drifts that system clocks experience, causing them to slowly lose (or gain) time over a certain period. The hwclock hwclock command is used in Linux to control the hardware clock. command is used in Linux to control the hardware clock.

Time Zones As stated previously, a time zone is just a positive or negative value combined with UTC. Once you set the time zone on a Linux system, applications will honor that positive or negative offset when they need to use a timestamp. The time zone on a Linux system is identified by the file /etc/localtime /etc/localtime. This can be either a data file itself or a symbolic link to a data file in the directory /usr/share/zoneinfo /usr/share/zoneinfo.

/usr/share/zoneinfo contains files that represent every time zone. In order to set the time zone on your Linux system, you must either copy one of these files to contains files that represent every time zone. In order to set the time zone on your Linux system, you must either copy one of these files to /etc/localtime /etc/localtime or create a symbolic link from or create a symbolic link from /etc/localtime /etc/localtime to one of these files. For example, if your system is in the United States in the Central time zone, your to one of these files. For example, if your system is in the United States in the Central time zone, your /etc/localtime /etc/localtime file would look like this: file would look like this: $lsl/etc/localtime lrwxrwxrwx1rootroot30Sep1213:56 /etc/localtime->/usr/share/zoneinfo/US/CentralOn the ExamMake sure you understand the difference between system time and the hardware clock, and the importance of keeping good system time. Also remember the difference between local time and UTC, and how it affects the time configuration on your Linux system.

Name ntpd Syntax ntpd[options]

Description ntpd is the heart of the NTP software package. It performs the following functions: is the heart of the NTP software package. It performs the following functions: Synchronizes the PC clock with remote NTP servers Allows synchronization from other NTP clients Adjusts (skews) the rate of the kernel's clock tick so that it tracks time accurately Reads time synchronization data from hardware time sources such as GPS receivers Frequently used options -c file file This option tells ntpd ntpd to use to use file file as its configuration file instead of the default as its configuration file instead of the default /etc/ntpd.conf /etc/ntpd.conf.

-g This option will let ntpd ntpd start on a system with a clock that is off by more than the panic threshold (1,000 seconds by default). start on a system with a clock that is off by more than the panic threshold (1,000 seconds by default).

-n Normally ntpd ntpd runs as a daemon, in the background. This option disables that behavior. runs as a daemon, in the background. This option disables that behavior.

-q This option tells ntpd ntpd to exit after setting the time once. to exit after setting the time once.

-N When this option is specified, ntpd ntpd attempts to run at the highest priority possible. attempts to run at the highest priority possible.

ntpd is configured using the file is configured using the file /etc/ntp.conf /etc/ntp.conf. The file is fully doc.u.mented in a series of files linked to from the ntpd ntpd doc.u.mentation, found in the software distribution or at doc.u.mentation, found in the software distribution or at http://www.eecis.udel.edu/~mills/ntp/html/ntpd.html.

The most important configuration options are restrict restrict, which is used to implement access controls, and server server, which is used to direct ntpd ntpd to an NTP server. Another often-used configuration option (not mentioned in the sample to an NTP server. Another often-used configuration option (not mentioned in the sample ntp.conf ntp.conf in in Example16-1 Example16-1) is peer peer, which is used much like server server, but implies that the system is both a client and a server. A peer peer is usually a system that is nearby on the network, but uses different time sources than the local system. is usually a system that is nearby on the network, but uses different time sources than the local system.

Example16-1.Sample /etc/ntp.conf #Prohibitgeneralaccesstothisservice.

restrictdefaultignore

#Permitallaccessovertheloopbackinterface.Thiscould #betightenedaswell,b.u.t.todosowouldaffectsomeof #theadministrativefunctions.

restrict127.0.0.1

#--CLIENTNETWORK------- #Permitsystemsonthisnetworktosynchronizewiththis #timeservice.Donotpermitthosesystemstomodifythe #configurationofthisservice.Also,donotusethose #systemsaspeersforsynchronization.

restrict192.168.1.0mask255.255.255.0notrustnomodifynotrap

#---OURTIMESERVERS----- #Permittimesynchronizationwithourtimesource,butdonot #permitthesourcetoqueryormodifytheserviceonthissystem.

#time.nist.gov restrict192.43.244.18mask255.255.255.255nomodifynotrapnoquery server192.43.244.18

#time-b.nist.gov restrict129.6.15.29mask255.255.255.255nomodifynotrapnoquery server129.6.15.29

#---GENERALCONFIGURATION--- # #UndisciplinedLocalClock.Thisisafakedriverintendedforbackup #andwhennooutsidesourceofsynchronizedtimeisavailable.

# server127.127.1.0#localclock fudge127.127.1.0stratum10

# #Driftfile.Putthisinadirectorywhichthedaemoncanwriteto.

#Nosymboliclinksallowed,either,sincethedaemonupdatesthefile #bycreatingatemporaryinthesamedirectoryandthenrenaming #ittothefile.

# driftfile/etc/ntp/drift broadcastdelay0.008 Example Normally ntpd ntpd consistently adjusts the time, depending on how far out-of-sync the server is from the stratum source, to the correct time. To force the system time to the right time (for example, when occasionally setting the correct time from consistently adjusts the time, depending on how far out-of-sync the server is from the stratum source, to the correct time. To force the system time to the right time (for example, when occasionally setting the correct time from cron cron), use the following: #ntpd-g-n-q Why are IP addresses used in the configuration file instead of fully qualified domain names? The answer is security. System time is an extremely important service, and as a system administrator, you must always be very careful trusting data you are receiving from an outside system. When you query a time server, you need to make sure that you're querying the correct time server. If you are querying a fully qualified domain name instead of an IP address, you are potentially vulnerable to a domain name poisoning attack. If someone has compromised the DNS server of the time server in question, they could be relaying your request to any system on the Internet. By querying directly to an IP address, you are eliminating the possibility of this kind of spoofing.

Name ntpdate Syntax ntpdate[options]server[server[...]]

Description ntpdate is used to set the time of the local system to match a remote NTP host. is used to set the time of the local system to match a remote NTP host.

The maintainers of the ntp code intend to drop ntpdate ntpdate in the future since in the future since ntpd ntpd can perform essentially the same function when used with the can perform essentially the same function when used with the -q -q option. option.

Frequently used options -b Using this option, the system time is set instead of being slowly adjusted, no matter how far off the local time is.

-d This option enables debugging mode. ntpdate ntpdate goes through the motions and prints debugging information, but does not actually set the local clock. goes through the motions and prints debugging information, but does not actually set the local clock.

-p n n Use this option to specify the number of samples (where n n is from 1 to 8) to get from each server. The default is 4. is from 1 to 8) to get from each server. The default is 4.

-q This option causes ntpdate ntpdate to query the servers listed on the command line without actually setting the clock. to query the servers listed on the command line without actually setting the clock.

-s This option causes all output from ntpdate ntpdate to be logged via syslog instead of being printed to to be logged via syslog instead of being printed to stdout stdout.

-t n n This option sets the timeout for a response from any server to n n seconds. seconds. n n may be fractional, in which case it will be rounded to the nearest 0.2 second. The default value is 1 second. may be fractional, in which case it will be rounded to the nearest 0.2 second. The default value is 1 second.

-u Normally ntpdate ntpdate uses a privileged port (123/tcp) as the source port for outgoing packets. Some firewalls block outgoing packets from privileged ports, so with this option, uses a privileged port (123/tcp) as the source port for outgoing packets. Some firewalls block outgoing packets from privileged ports, so with this option, ntpdate ntpdate uses an unprivileged port above 1024/tcp. uses an unprivileged port above 1024/tcp.

-v This option makes ntpdate ntpdate more verbose. more verbose.

-B Using this option, the system time is slowly adjusted to the proper time, even if the local time is off by more than 128 ms. (Normally the time is forcibly set if it is off by more than 128 ms.)If the time is off by very much, it can take a very long time to set it with this option.

Example Quietly sync the local clock with two stratum 1 NTP servers: #ntpdate-stime.nist.govtime-b.nist.gov

Name ntpq Syntax ntpq[options][host]

Description ntpq is the standard NTP query program. It is used to send NTP control messages to is the standard NTP query program. It is used to send NTP control messages to host host (or (or localhost localhost if no if no host host is specified), which can be used to check the status of is specified), which can be used to check the status of ntpd ntpd on on host host or change its configuration. or change its configuration.

The commands that can be used with ntpq ntpq are doc.u.mented in the NTP software doc.u.mentation included with the distribution and at are doc.u.mented in the NTP software doc.u.mentation included with the distribution and at http://www.eecis.udel.edu/~mills/ntp/html/ntpq.html.

Frequently used options -c command command Execute command command as if it were given interactively. as if it were given interactively.

-i Enter interactive mode. This is the default.

-n Suppress reverse DNS lookups. Addresses are printed instead of hostnames.

-p Query the server for a list of peers. This is equivalent to the peers peers interactive command or interactive command or -c peers -c peers on the command line. on the command line.

Example Print the list of peers known to the server by IP address: #ntpq-pnpool.ntp.org or: #ntpq-cpeersnpool.ntp.org or: #ntpqnpool.ntp.org ntpq>peers remoterefidsttwhenpollreachdelayoffsetjitter ============================================================================== *64.90.182.55.ACTS.1u-10243772.9833.2530.014 +209.51.161.238.CDMA.1u-10243772.456-2.7950.096 -128.118.25.3147.84.59.1452u-102437718.476-2.5860.446 +67.128.71.75172.21.0.132u-10243778.195-2.6260.194 -66.250.45.2192.5.41.402u-10243778.119-6.4910.421 ntpq> The system pool.ntp.org pool.ntp.org is a pointer to a collection of systems that have volunteered to be publicly available time servers. Round robin DNS is used to share the request load among these servers. This kind of setup is usually sufficient for end users, but in a corporate environment, it's usually advisable to query a stratum 2 time server from a designated server on your network, and then have your other servers query that server. More information on pooling is available at is a pointer to a collection of systems that have volunteered to be publicly available time servers. Round robin DNS is used to share the request load among these servers. This kind of setup is usually sufficient for end users, but in a corporate environment, it's usually advisable to query a stratum 2 time server from a designated server on your network, and then have your other servers query that server. More information on pooling is available at http://support.ntp.org/bin/view/Servers/WebHome.

Name ntpdc Syntax ntpdc[options][host]

Description ntpdc is much like is much like ntpq ntpq, except that it supports some extended commands. For this reason, it is likely to work only when talking to ntpd ntpd from the same version of the NTP software package. from the same version of the NTP software package.

For the most part, the command-line options it supports are the same as those of ntpq ntpq. Full doc.u.mentation for ntpdc ntpdc can be found in the NTP software distribution or at can be found in the NTP software distribution or at http://www.eecis.udel.edu/~mills/ntp/html/ntpdc.html.

Name ntptrace Syntax ntptrace[options]server[server[...]]

Description Traces a chain of NTP servers back to the primary source.

Frequently used options -n Turn off reverse DNS lookups.

Examples To see where the local system is synchronizing its lock to, run ntptrace ntptrace with no options: with no options: $/usr/sbin/ntptrace localhost:stratum4,offset0.000109,synchdistance0.16133 ntp1.example.net:stratum3,offset0.004605,synchdistance0.06682 ntp-1.example.edu:stratum2,offset0.001702,synchdistance0.01241 stratum1.example.edu:*Timeout*

In this example, the stratum 1 server is not directly accessible.

ntptrace can also be used on any arbitrary NTP server, a.s.suming it is accessible. This example queries two publicly accessible stratum 2 NTP servers: can also be used on any arbitrary NTP server, a.s.suming it is accessible. This example queries two publicly accessible stratum 2 NTP servers: $/usr/sbin/ntptracentp0.cornell.edu cudns.cit.cornell.edu:stratum2,offset-0.004214,synchdistance0.03455 dtc-truetime.ntp.aol.com:stratum1,offset-0.005957,synchdistance 0.00000,refid'ACTS'

$/usr/sbin/ntptracentp-2.mcs.anl.gov mcs.anl.gov:stratum2,offset-0.004515,synchdistance0.06354 clepsydra.dec.com:stratum1,offset0.002045, synchdistance0.00107,refid'GPS'

Name hwclock Syntax hwclock-show hwclock--systohc hwclock-hctosys hwclock--adjust hwclock--version Description Query and/or set the hardware clock.

Examples Query the system's hardware clock: #/sbin/hwclock--show Sat12Sep200912:49:43PMCDT-0.216537seconds Set the hardware clock to the current value of the system clock: #/sbin/hwclock-systohc All time values in the hardware clock are stored as the number of seconds since January 1, 1970. This number is then converted to the output format desired. Time is represented as either Coordinated Universal Time (UTC) or local time. UTC is a universal time standard that is the same across all time zones. Local time is simply UTC combined with either a positive or negative offset to reflect the current time zone. For example, in the United States, the Central Time Zone is actually UTC-6 (six hours behind Coordinated Universal Time).

As a system administrator, you have the option of setting your hardware clock to either UTC or your own local time. Some administrators prefer to use UTC for this, and then reflect their current time zone in the system software. The hwclock hwclock command allows you to indicate how your hardware clock is set. Compare the output of these two commands: command allows you to indicate how your hardware clock is set. Compare the output of these two commands: #/sbin/hwclockshow--localtime SatSep1213:33:352009-0.766111seconds #/sbin/hwclock-show--utc SatSep1208:33:372009-0.048881seconds Telling hwclock hwclock that our hardware clock was set to UTC time resulted in a different answer when we asked to show the time. that our hardware clock was set to UTC time resulted in a different answer when we asked to show the time.

Objective 2: System Logging Many events occur on your Linux system that should be logged for administrative purposes. Linux uses the syslogd syslogd service to display and record messages describing these events. This system allows finely controlled logging of messages from the kernel as well as processes running on your system and remote systems. Messages can be placed on the console display, in logfiles, and on the text screens of users logged into the system. service to display and record messages describing these events. This system allows finely controlled logging of messages from the kernel as well as processes running on your system and remote systems. Messages can be placed on the console display, in logfiles, and on the text screens of users logged into the system.

What are the advantages of the syslogd syslogd service over applications maintaining their own logfiles? service over applications maintaining their own logfiles?

All logfiles are centralized, either in one directory or on one server.

The client/server nature of syslogd syslogd allows for machines to log events to a centralized log server for easier monitoring and reporting. allows for machines to log events to a centralized log server for easier monitoring and reporting.

Syslogd allows multiple processes to write to the same logfile, while avoiding file-locking issues. allows multiple processes to write to the same logfile, while avoiding file-locking issues.

There are a number of different applications available for Linux that implement the syslogd syslogd functionality and offer additional functionality. Some examples are functionality and offer additional functionality. Some examples are rsyslog rsyslog (native database logging support) and (native database logging support) and syslog-ng syslog-ng (regular expression matching). For the purposes of the LPI exam, we cover only the basic (regular expression matching). For the purposes of the LPI exam, we cover only the basic syslogd syslogd server. server.

Configuring syslogd The behavior of syslogd syslogd is controlled by its configuration file, is controlled by its configuration file, /etc/syslog.conf /etc/syslog.conf. This text file contains lines indicating what is to be logged and where. Each line contains directives in this form: facility.levelaction The directives are defined as follows: facility This represents the creator of the message (that is, the kernel or a process) and is one of the following: auth auth (the facility (the facility security security is equivalent to is equivalent to auth auth, but its use is deprecated), authpriv authpriv, cron cron, daemon daemon, kern kern, lpr lpr, mail mail, mark mark (the (the mark mark facility is meant for facility is meant for syslogd syslogd's internal use only), news news, syslog syslog, user user, uucp uucp, or local0 local0 through through local7 local7. The use of these facility designators allows you to control the destination of messages based on their origin. Facilities local0 local0 through through local7 local7 are for any use you may wish to a.s.sign to them in your own programs and scripts. It's possible that your distribution has a.s.signed one or more of the local facilities already. Check your configuration before using a local facility. are for any use you may wish to a.s.sign to them in your own programs and scripts. It's possible that your distribution has a.s.signed one or more of the local facilities already. Check your configuration before using a local facility.

level Specifies a severity threshold beyond which messages are logged, and is one of the following (from lowest to highest severity): debug debug, info info, notice notice, warning warning (or (or warn warn), err err (or (or error error), crit crit, alert alert, or emerg emerg (or (or panic panic). (warn, error error, and panic panic are all deprecated, but you might see them on older systems.) There is also a special level called are all deprecated, but you might see them on older systems.) There is also a special level called none none that will disable a facility. The level defines the amount of detail recorded in the logfile. A single period separates the facility from the level, and together they comprise the that will disable a facility. The level defines the amount of detail recorded in the logfile. A single period separates the facility from the level, and together they comprise the message selector message selector. The asterisk (*) can be used to describe all facilities or all levels.

action The action action directive is arguably misnamed. It represents the destination for messages that correspond to a given selector ( directive is arguably misnamed. It represents the destination for messages that correspond to a given selector (facility.level). The action can be a filename (including the full pathname), a hostname preceded by the @ @ sign, or a comma-separated list of users or an asterisk (this means all logged-in users will receive the logged line on their consoles). sign, or a comma-separated list of users or an asterisk (this means all logged-in users will receive the logged line on their consoles).

For example, if you wanted to create a separate logfile for activity reported by the scripts you write, you might include a line like this in /etc/syslog.conf /etc/syslog.conf: #Defineanewlogfileforthelocal5facility local5.*/var/log/local5 You could then use the logger logger utility to write messages to the facility from your sh.e.l.l script ( utility to write messages to the facility from your sh.e.l.l script (syslogd must be restarted or signaled to reinitialize before the new logfile is created): must be restarted or signaled to reinitialize before the new logfile is created): $logger-plocal5.info"Scriptterminatednormally"

The message "Script terminated normally" would be placed into /var/log/local5 /var/log/local5, along with a timestamp and the hostname that sent the message. Example16-2 Example16-2 contains an example contains an example /etc/syslog.conf /etc/syslog.conf file. file.

Example16-2.Sample /etc/syslog.conf file #Logeverythingexceptmail&authprivoflevelinfo #orhighertomessages.

*.info;mail.none;authpriv.none/var/log/messages #Theauthprivfilehasrestrictedaccess.

authpriv.*/var/log/secure #Logallthemailmessagesinoneplace.