Top Ten Linux Configuration Tools? 651

jman251 asks: "I am presenting at a conference in September on a couple of Linux-centric topics. One of these is a collection of tips, tricks, and tools for configuring, securing, and maintaining a Linux-based server. I have a short list of tools I use, but would like some community input on the subject. What tools do you use that make your admin responsibilities easier or more automated on the Linux platform?"
  • Webmin is nice (Score:3, Informative)

    by arfonrg ( 81735 ) on Wednesday July 14, 2004 @03:41PM (#9700004)
    I use it on several of my servers to do basic configuration.
  • Re:Webmin is nice (Score:1, Informative)

    by rainman_bc ( 735332 ) on Wednesday July 14, 2004 @03:43PM (#9700038)
    I like webmin as well. Much less overhead than KDE or X... Definitely gets the job done for most server management needs.
  • by MadWicKdWire ( 734140 ) * on Wednesday July 14, 2004 @03:44PM (#9700055) Homepage
    My at least top 4...

    grep
    gawk
    xargs
    for
  • Tripwire (Score:5, Informative)

    by nharmon ( 97591 ) on Wednesday July 14, 2004 @03:46PM (#9700075)
    Tripwire is a very easy to use intrusion detection system. If you follow the documentation, and implement it properly (storing the statically linked binary + database files on read-only media), it will make things very hard on a potential hacker.
  • by kognate ( 322256 ) on Wednesday July 14, 2004 @03:47PM (#9700092)
    cfengine (http://www.cfengine.org) is
    the best automation tool for unix and unix-like
    environments. Hands down.

    It's a little hard to configure sometimes, but
    worth the effort.
  • Re:Webmin is nice (Score:5, Informative)

    by John Hurliman ( 152784 ) on Wednesday July 14, 2004 @03:48PM (#9700112) Homepage
    I'd put Webmin on my #1 list for best Linux admin tools. phpmysql is probably second (or the postgresql equivalent), and all the necessary toolkit apps like nmap, ethereal, netcat, etc.
  • sudo, screen (Score:4, Informative)

    by raddan ( 519638 ) on Wednesday July 14, 2004 @03:51PM (#9700156)
    sudo!

    Learn it in detail. If you work with other people on the same machine, it will make your life a lot easier.

    screen is pretty handy, too. Being able to detach sessions is also nice for when you've started sprouting icicles from your nostrils from the cold, cold server room.
  • My Top 10: (Score:5, Informative)

    by Punk Walrus ( 582794 ) on Wednesday July 14, 2004 @03:51PM (#9700166) Journal
    Your needs may vary...
    • vi - Yeah, yeah... vi and emacs wars. I started with vi on a Sun system in 1989, and so it's what I like.
    • ifconfig - Without it, you're kind of lost, at least on the network.
    • testparm - I use a lot of Samba at work, and this is a great tool for checking what I screwed up in my smb.conf in vi!
    • man -k - Okay, what I want to do starts with...?
    • grep - Great trying to find that parameter you want to change in httpd. or squid.conf. Even better, "grep -v '#'" to weed out all those comments...
    • tail -f - Great for keeping track of logs realtime in a vtty or xterm window. Like tail -f /var/log/messages
    • crontab -e - For keeping stuff on schedule.

    That's all I can think of now. I'll think of others later.

  • Dang! (Score:5, Informative)

    by itwerx ( 165526 ) on Wednesday July 14, 2004 @03:52PM (#9700168) Homepage
    I can't believe with all these posts that the only one(s) that actually respond to the question are about Webmin!
    Don't get me wrong, Webmin is great, it's at the top of my list fer shure, but that's not the be-all and end-all of systems management!! What about actual convenient tools like MRTG, Novell's eDirectory, RedCarpet, etc. etc.?
    Heck, I'm reading this article hoping to pick up a few tips myself and all I'm seeing are scripting languages and text-editor flame wars, (all of which can/should be moderated Off-topic or Funny).
    So, anybody actually got anything useful to contribute besides Webmin?
  • by hackstraw ( 262471 ) * on Wednesday July 14, 2004 @03:56PM (#9700224)
    Also, it kills me to see *NIX people still using passwords all the damn time. CVS + ssh keys = godlike.

    Things I do. syslog to a common place. I have cloning scripts to dup a machine to a basic setup (poor man's jumpstart but faster and easier).

    Perl and sed come in handy. Rsync (again with ssh keys) is good.

    Oh yeah, /usr/local over nfs is good too. The only issue is that you may have to configure some packages to use a local filesystem for configuration files, keys, etc.

    With these tips and tricks I can do whatever I need to do over a dialup connection anywhere in the world (I've only tested this from coast to coast in the US though, but I believe it will scale worldwide :)

  • My 10 (Score:3, Informative)

    by thenextpresident ( 559469 ) on Wednesday July 14, 2004 @03:58PM (#9700252) Homepage Journal
    vim
    sudo
    apt-get
    wget
    rsync
    ssh
    ps
    php
    perl
    make
  • SSH. (Score:5, Informative)

    by Olinator ( 412652 ) <.olc+sdot. .at. .hex.cs.umass.edu.> on Wednesday July 14, 2004 @04:00PM (#9700281) Homepage
    Don't know if this is quite what you were looking for, but it's the first thing that popped into my mind...
    There are four of us who do *nix admin for over 600 *nix machines, more than half of which are linux boxes (both workstations and servers.) SSH with X displayback on a 100Mbit switched network is such a godsend I can't even begin to imagine life without it. I probably generate more SSH sessions in a normal workday than I do HTTP sessions. (Yes, that does include /. reloads, why do you ask? :-)

    I also think it's well worth your while to understand SSH's more esoteric tunneling capabilities... Recently I had to support a research group who was doing a demo at JPL [nasa.gov] and they were behind a very restrictive firewall but needed to do control and image transfer from a robot framework here in Massachusetts, and the researchers who'd coded the software hadn't implemented any kind of authentication layer. We were able to do everything using SSH tunneling over one of the three ports allowed through JPL's firewall (and they could IMAP their mail from our servers as a side bonus) without exposing our servers or JPL to unencrypted protocols of any kind.

    Ole
  • by hackstraw ( 262471 ) * on Wednesday July 14, 2004 @04:01PM (#9700293)
    su -- better sudo keeps your root password better kept, does more logging, etc

    more -- better less (It's not the 70s anymore people, you can search and go backwards in files since less first came about in the mid 80s. With the LESSOPEN variable set to something useful you can "browse" many, many filetypes too).

    bash -- better zsh My shell can do anything your shell can do, but better!
  • Re:Dang! (Score:4, Informative)

    by lspd ( 566786 ) on Wednesday July 14, 2004 @04:09PM (#9700390) Journal
    Don't get me wrong, Webmin is great, it's at the top of my list fer shure, but that's not the be-all and end-all of systems management!! What about actual convenient tools like MRTG, Novell's eDirectory, RedCarpet, etc. etc.?

    Huh? I'm not that familiar with eDirectory or RedCarpet, but MRTG isn't an all in one configuration interface like webmin. I thought the only webmin alternatives were commercial products like:

    Ensim [ensim.com]
    Plesk [sw-soft.com]
    Cpanel [cpanel.net]

    Are there free software uber-configuration products other than Webmin? I tend to stick to the command line over ssh myself.
  • My List (Score:5, Informative)

    by np_bernstein ( 453840 ) on Wednesday July 14, 2004 @04:13PM (#9700435) Homepage
    1. Nagios [nagios.org]: monitors your servers/services, emails, pages, sends a carrier pigeon when one goes down.

    2. Logwatch [logwatch.org]: Logwatch is something that should be used by every Unix/Linux SA everywhere. It gives you a daily snapshot of events in your logs

    3. Mon [slashdot.org]: Nice, simple, easy. If your webserver goes down, your secondary can bring up a virtual ip a couple of seconds later. No more annoying three am phone calls

    4. Snort [snort.ortg]/ACID [sourceforge.net]: lets me know if a virus breaks out, or if there are stupid script kiddies trying to brute force their way in.

    5. Nessus [nessus.org]: run it early, run it often. Figure out any holes you have in your security, and make sure you fix them.

    There's more, but you should really do some of your own homework.
  • Re:rm (Score:5, Informative)

    by Homology ( 639438 ) on Wednesday July 14, 2004 @04:15PM (#9700465)
    I used

    $ chflags uchg /home/dude

    So now "rm -fr /" won't work even as root as it will properly give you :

    rm: /home/dude: Operation not permitted

    So there you are, you pesky root of all evil. Oh bummer, now I can't make any new files in /home/dude ....

  • by stevey ( 64018 ) on Wednesday July 14, 2004 @04:24PM (#9700569) Homepage
    I can logout, the process keeps running, and I can check on the progress later from another location.

    Whilst you are correct this works for non-interactive processes, you can't use nohup to keep a copy of say, Lynx, running when you logout. Then return to it later and pick off where you left it.

    Instead you should look at GNU Screen [gnu.org] which allows this and more.

    (It's essentially a windowing system for consoles, with the ability to detach and resume at will, and definitely one of my top ten Unix utilities).

    Here is one Screen tutorial [kuro5hin.org] which explains basic operation well.

  • by hackstraw ( 262471 ) * on Wednesday July 14, 2004 @04:24PM (#9700570)
    what are the advantages of zsh over bash

    1) programmable tab completion - yes folks there is more to tab completion besides beeping all the time. When I hit cd fooTAB the list of completions only shows _directories_ beginning with foo

    2) sane invocation - zsh is the only shell that has one file that is sourced _on all invocations of the shell_ so you can do stuff like have a consistent PATH and other env stuff

    3) global aliases - zsh provides an alias that works _anywhere on the commandline_ I have 'G' mapped to '| grep -i', I have 'L' mapped to '| less' and 'vi' mapped to 'vim' (why? So sudo vi FILE gives me vim if the system has vim), etc, etc

    4) the only shell that supports working 'vi' style history editing

    5) multiple commandline commands are not rewritten as commands with ';' in them (what I typed is what I get, see 4)

    6) too many features to name. Like I said, my shell can do anything your shell can do, but better.
  • Re:Dang! (Score:2, Informative)

    by Anonymous Coward on Wednesday July 14, 2004 @04:27PM (#9700619)
    Here are some very good tools IMHO.

    nagios - monitor remote server, setup notifications via email, pager, etc. Comes with many plugins to monitor specific things like disk usage or ports.

    ganglia - sort of like mrtg geared towards clusters.
    Very easy to setup but requires multicast communication between nodes.
    You can see one here
    http://wulf.chem.valdosta.edu:8000/ganglia/

    Kerberos and OpenLDAP - if you ever need to maintain a large number of machines sharing common authentication. Kerberos enabled SSH is a great way to avoid typing passwords or sharing key for passwordless authentication.

    Systemimager - if you have many machines sharing common configuration (like corporate network or server farm) this is absolutely a must. Very easy to configure and use. Images that systemimager creates can be chrooted to just like regular systems. Creating image, updating image, updating machines is very easy and fast.

    Finally Debian is the best tool (and a distro) for maintaining a stable, reliable Linux system that does not get in your way like YAST or other "candy" tools. While Debian is a bit harder to get used to than GUI-centric distros like Fedora and SuSe, the benefit of learning Debian is great if you are serious about Linux.

  • Re:Tripwire (Score:3, Informative)

    by EvilAlien ( 133134 ) on Wednesday July 14, 2004 @04:28PM (#9700633) Journal
    Tripwire != IDS

    Tripwire is a file integrity auditing tool to ensure that files that should remain static do in fact remain static.

    I would have to say that the top of any config tool list will have to be $favoritetexteditor. Each distribution is going to have a number of tools, both text and GUI, but the text editor rules *NIX when it comes down to indispensable configuration tools. Webmin deserves to be on the list just because it is a non-distro specific config tool... I personally don't use it, but lots of people do.

    Otherwise, toss YaST, redhat/fedora-config-foo, drakfoo, etc-update, and so on to the list.

    If the list was to be extended beyond Linux, the AIX people out there would probably love to see smitty on there.
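
The baseline-and-compare model behind the two Tripwire comments above (a trusted database of file fingerprints, later re-checked against the live tree), as an added shell example that is not from any poster and is not Tripwire's own code or database format. The function names, report labels and the constructed sample tree are assumptions of this sketch; it relies on GNU `stat -c` and `sha256sum`.

```shell
#!/bin/sh
# Added example: Tripwire-style baseline and compare, reduced to
# SHA-256 plus mode/owner. Names and report labels are made up here.
# Limitation: paths containing tabs or newlines are not handled.

# fim_snapshot DIR
# Prints "path<TAB>mode:uid:gid<TAB>sha256" for every regular file, sorted.
fim_snapshot() {
    (
        cd "$1" || exit 1
        find . -type f -print | LC_ALL=C sort | while IFS= read -r fim_f; do
            fim_meta=$(stat -c '%a:%u:%g' "$fim_f") || continue
            fim_sum=$(sha256sum < "$fim_f" | cut -d' ' -f1)
            printf '%s\t%s\t%s\n' "$fim_f" "$fim_meta" "$fim_sum"
        done
    )
}

# fim_check DIR BASELINE
# Compares the live tree with the baseline. Prints one line per finding
# and returns 1 if anything differs, 0 if the tree matches.
fim_check() {
    fim_cur=$(mktemp) || return 2
    fim_snapshot "$1" > "$fim_cur"
    fim_report=$(awk -F'\t' '
        FILENAME == ARGV[1] { meta[$1] = $2; sum[$1] = $3; next }  # baseline
        {
            seen[$1] = 1
            if (!($1 in sum))        print "ADDED   " $1
            else if (sum[$1] != $3)  print "CHANGED " $1
            else if (meta[$1] != $2) print "PERMS   " $1 " " meta[$1] " -> " $2
        }
        END { for (p in sum) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$fim_cur" | LC_ALL=C sort)
    rm -f "$fim_cur"
    if [ -z "$fim_report" ]; then
        return 0
    fi
    printf '%s\n' "$fim_report"
    return 1
}

# fim_demo
# Builds a constructed sample tree, records a baseline, tampers with the
# tree in four different ways, and prints what fim_check reports.
fim_demo() {
    demo_root=$(mktemp -d) || return 2
    demo_tree=$demo_root/tree
    mkdir -p "$demo_tree/etc" "$demo_tree/bin"
    printf 'PermitRootLogin no\n' > "$demo_tree/etc/sshd_config"
    printf 'welcome\n' > "$demo_tree/etc/motd"
    printf '#!/bin/sh\necho ok\n' > "$demo_tree/bin/tool"
    chmod 644 "$demo_tree/etc/sshd_config" "$demo_tree/etc/motd"
    chmod 755 "$demo_tree/bin/tool"

    # Baseline is kept outside the audited tree and made read-only here;
    # on a real host it belongs on read-only or off-host media.
    fim_snapshot "$demo_tree" > "$demo_root/baseline.db"
    chmod 444 "$demo_root/baseline.db"

    # Constructed changes the check should surface:
    printf 'PermitRootLogin yes\n' > "$demo_tree/etc/sshd_config"  # content
    chmod 4755 "$demo_tree/bin/tool"                               # setuid bit
    rm "$demo_tree/etc/motd"                                       # removal
    printf 'new\n' > "$demo_tree/bin/extra"                        # addition

    demo_status=0
    fim_check "$demo_tree" "$demo_root/baseline.db" || demo_status=$?
    rm -rf "$demo_root"
    return "$demo_status"
}

fim_demo || echo "integrity check reported differences"
```

The check is only as trustworthy as the baseline and the binaries doing the hashing, which is why the first Tripwire comment insists on keeping both on read-only media.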

  • Radmind (Score:3, Informative)

    by jonpublic ( 676412 ) on Wednesday July 14, 2004 @04:29PM (#9700644)
    we at the university of michigan use radmind to update and deploy software to our linux environment. it is a great tool that helps us centrally manage our environment and rapidly deploy security updates. update one machine, take a snapshot of the differences, and push it out to 50 machines or more. command line freaks will love it.

    learn more at radmind.org
  • Re:Dang! (Score:2, Informative)

    by ahaning ( 108463 ) on Wednesday July 14, 2004 @04:31PM (#9700667) Homepage Journal
    nmap
    ethereal/tcpdump
    I've also heard that nessus is nice to use.
    And, I've just remembered, google.

    But, really, it doesn't seem like it would be easy to have a Linux Sysadmin's Toolkit CD where you could run programs on a live system (rather than boot into another one like with Knoppix) due to the different systems out there using different distros with different file tree structures and different versions of [g]libc.

    Also, most of the tools are so simplistic that it's hardly worth mentioning them. Need to reset a root password and you don't know the current one? Mount the filesystem and edit /etc/shadow. Most things are done using simple tools, rather than complicated applications.

    Also, FWIW, screen [kuro5hin.org] is likely very useful to many admins. I just find it useful for keeping terminals available without cluttering up my desktop. An added benefit is that I can ssh in from elsewhere and work with them from there, too. I've wanted for a while to fiddle with ratpoison [sourceforge.net] to get a similar effect for X programs.
  • by ComputerSlicer23 ( 516509 ) on Wednesday July 14, 2004 @04:35PM (#9700720)
    I've always liked the "redhat-config" series of tools on RedHat or RedHat derived products.

    • chkconfig and service are valuable for doing things.
    • yum, apt, autorpm are all nice tools.
    • logwatch is great.
    • PAM isn't an application, but using PAM and LDAP can make having users spread across machines a snap.
    • tripwire is a great tool
    • kickstart does wonders if you have to install lots of machines. I use it to completely document every scriptable part of an install.
    • WebMin is great, but it worries me from a security perspective.
    • gq is a great LDAP editor that I use to edit LDAP entries for users.
    • Software like Bastille Linux (a script that attempts to harden a machine)
    • iptables, iproute2 (including ip and tc) are wonderful for networking.
    • cron, sh, sed, awk, perl and python are used in conjunction quite a bit.
    • fuser and lsof are used frequently by me to figure out what is going on.
    • ethereal and tcpdump are tools of the gods.
    • ssh is a thing of beauty.
    • encrypted swap is fun.
    • Nagios, MRTG, and sar are very useful for profiling and monitoring of your machines.

    Who exactly is your target audience? People who've never seen UNIX, people who've worked on UNIX environment for years? What is it you are attempting to accomplish with them?

    Most of my list would be boring to people who know a lot about UNIX, however some of them are Linux specific.

  • MOD PARENT DOWN (Score:3, Informative)

    by Anonymous Coward on Wednesday July 14, 2004 @04:43PM (#9700822)
    Plagiarism isn't cool. the original post [google.com]
  • Re:More or Less ? (Score:2, Informative)

    by tntguy ( 516721 ) * on Wednesday July 14, 2004 @04:47PM (#9700873)
    "more", in its "standard" *NIX form, is forward-scroll only, among many other limitations. "less" takes care of all those limitations. Think of it as "less" is "vi" and "more" is "ex" (or "edlin", from the DOS days if you're unfamiliar with ancient tools).
  • by Anonymous Coward on Wednesday July 14, 2004 @04:55PM (#9700971)
    Webmin's all well and good for a few machines. But if you're employed maintaining 100s of machines, there are very few real and free options, and I don't personally think webmin is one of them, unless it's become much more scriptable than when I last checked.

    cfengine works really well, but you don't appreciate its features until you hit the 70+ machine mark - the "trick" is that cfengine with its inheritance and boolean class logic excels for systems that are different but have bits in common. Such different bits ALWAYS turn up with 70+ machines, simply because PC-class hardware's failure rate means something will have been changed on some machine somewhere at any given time. But if you've only got tens of machines running one OS rather than hundreds running five different OSes, it all seems like very hard work to set up your cfengine configuration files. The other "trick" is that cfengine is mostly multiuser and you can allow different users perform different actions, so when you've got a team of admins of different ability,
    johnny-adds-visitor-laptops-to-vlan-17 just can't fuck up mordred-rules-production-database-servers-with-iron-fist's work, yet _can_ have role-based limited admin abilities.

  • by tjw ( 27390 ) on Wednesday July 14, 2004 @05:01PM (#9701053) Homepage
    what are the advantages of zsh over bash? Pros Cons?
    Personally I find both useful. I prefer zsh for my interactive shell because it has many features that I think make it a better tool for that job:
    1. vi bindings work like tcsh
    2. preexec function that allows me to update xterm title bars before the command runs in them
    3. multiple output redirection (e.g. date > out1 > out2)
    On the other hand, I much prefer bash for writing shell scripts because it has many features that make it a better tool for that job:
    1. supports TCP and UDP filehandles (e.g. /dev/tcp/localhost/80)
    2. nice array variables
    3. installed on just about every linux system
    YMMV
  • by moorley ( 69393 ) on Wednesday July 14, 2004 @05:13PM (#9701187)
    UN*X/Linux doesn't work that way. You are looking for a one size fits all administrative interface and it doesn't exist.

    But I can sum up some the key points and bits of wisdom I have picked up over the years.

    1) Ascii text is your friend. 98% of all the configuration files for UN*X programs live in ascii files and they "usually" live in /etc. You can use this to write programs to update different pieces as needed. Any problem you do, you can undo. You can then run a program or use "kill -HUP" to get a process to reread that configuration.

    2) Pick a programming language. Perl, AWK, Sed, ksh, all of them. You can use that programming language to roll out changes as needed, or make a lot of changes really quickly. RSH/SSH allows you to do that across multiple systems. Use it carefully!

    3) Design your environment. If you know what you are going to be using the servers, workstations and/or Linux embedded appliances for you can better decide how to automate it.

    4)"Crunchy Cookie, Liquid Center".
    In the end you will be automating certain administrative tasks over and over, but not all of them. That's why one size fits all won't work. It becomes a bloated security hole, so you only automate what you need and you automate it in an original and secure fashion.

    As for some rock solid TLA recommendations.

    SSH - SSH is your friend and as a replacement for RSH and its ilk you can use it to securely automate tasks. read up on ssh-agent for automating ssh access across multiple machines.

    mon - How do you know it's working if you don't test it? You need to turn on monitoring, the more specific the test and monitor the better. mon is a good PERL framework for performing any test, and it has a lot of prepackaged/contributed test scripts that come in handy.

    LDAP - Lots of UN*X environments are moving to LDAP to store enterprise wide information. It depends on how big of a UN*X environment you are setting up but having a centralized directory ala LDAP can be quite handy.

    PAM/NIS - Plug In Authentication Modules. You can use these to have a centralized authentication server, cuts down on password updates. NIS+ is a tried and true system for stitching UNIX Systems together but I've only seen it installed in 1 UN*X environment and I've worked in several.

    If you are looking for a prebuilt system or paradigm like Microsoft Server then you need to look to Redhat, Debian, else you are going to work from the need/application outwards.

    Whatever you do more than once you will automate. When you no longer can budget the amount of UN*X Admins you will need you will start to build "tools" to delegate routine tasks, these will eventually become web pages, the web page will become an application. The application will become an acronym. The acronym will become a skill. The skill will become a job requirement HR will use to backfill a position. That's the way it goes.

    Enjoy!
  • by sonicattack ( 554038 ) on Wednesday July 14, 2004 @05:24PM (#9701298) Homepage
    1) programmable tab completion - yes folks there is more to tab completion besides beeping all the time. When I hit cd fooTAB the list of completions only shows _directories_ beginning with foo

    "Bash" also supports programmable tab completion - it's possible to do stuff such as:

    Tab completion after the command ...

    ... unzip, which will only complete filenames ending with ".zip"

    ... kill, will give you a full list of PID's to kill.

    ... killall, will complete process names.

    ... ping, telnet, ftp, will complete to entries in /etc/hosts

    ... insmod, will complete module names to be loaded.

    ... rmmod, will complete to loaded modules to unload.



    And my favorite:

    apt-get install, which will complete to packages known to apt

    There are lots more of them, and of course, since it's programmable, more can be added to suit one's needs.
  • Re:Webmin is nice (Score:2, Informative)

    by rokka ( 631038 ) on Wednesday July 14, 2004 @05:35PM (#9701410)
    Oh but really. You don't have to run it when you're not configuring something. I guess the lazy guys just let the daemon run constantly. I do that at home, but I wouldn't keep it alive on a box that actually -does- something. You can always start it when needed.
  • Re:More or Less ? (Score:5, Informative)

    by LinuxHam ( 52232 ) on Wednesday July 14, 2004 @05:40PM (#9701450) Homepage Journal
    and the console spits out junk until you close that shell.

    Just so you know, when you accidentally cat a binary file and it changes all the letters in your console to garbage characters, just blindly type

    reset

    and hit Enter. Fixes it every time.
  • by dannyrap ( 1897 ) on Wednesday July 14, 2004 @06:48PM (#9702027)
    I wholeheartedly agree. A combination of cfengine and cvs makes maintaining hordes of systems SO much easier. You can start thinking of a server in terms of +cvsserver +dnsserver +mailclient +kerberosclient and know that the right sets of configuration files will get on each machine. It is a steep learning curve to get it going. You'll have to pretty much lock yourself in the server room for a couple of days. But you'll gain the time back easily within a couple of months.

    We use this in combination with OS autoinstallation scripts to deploy new servers really quickly. Autoinstall to get a base OS on. A few minutes to get hostname/IP right. Cfengine to blast the right packages and config files. Voila...working dns server, or web server, etc.

    Danny
  • Keychain (Score:5, Informative)

    by YetAnotherDave ( 159442 ) on Wednesday July 14, 2004 @07:08PM (#9702204)
    I regularly access dozens of *nix systems (mostly linux & solaris). I love the fact that I can enter my privatekey password once on booting my laptop, and then have a tool handle all the ssh-agents in subsequent sessions. Entering one (very long and tangled :) password once is so much nicer than having to enter passwords every time I connect to a new system...

    http://www.gentoo.org/proj/en/keychain.xml

    Also, (obligatory) perl is great and larry wall is my hero...
  • *drake (Score:4, Informative)

    by MicroBerto ( 91055 ) on Wednesday July 14, 2004 @08:01PM (#9702580)
    OK, nobody is posting good config tools except for webmin. Even I am guilty as I first posted rkhunter.

    If you look at Mandrake, there's tons of great config tools there:

    diskdrake for disk partitioning

    harddrake for hardware configuration

    userdrake for user configging (or userconf)

    XFdrake for X config

    mousedrake for mouse config

    printerdrake absolutely rules for CUPS, better than localhost:631 if you ask me

    drakconf for ALL mandrake tools together

    rpmdrake is good for package managing...

    Oh and of course linuxconf is still nice! netconf is the network partition of that I think. The list goes on i bet

  • by Anonymous Coward on Wednesday July 14, 2004 @08:11PM (#9702639)
    10 characters??? Seriously, passphrases should be longer. But I wasn't writing this post to flame the length of your passphrase. I wanted to add to this by saying that keychain [gentoo.org] will save you from having to repeatedly enter your passphrase. It's a front end to ssh-agent that allows you to enter your passphrase once and have it available system wide. Normally you have to enter your passphrase for every login session. Most distributions include keychain. For a good how-to see this page [com.com].
  • by Anonymous Coward on Wednesday July 14, 2004 @08:17PM (#9702683)
    KDE's Print Manager. I've struggled for hours and hours trying to get my printer to work using the instructions from linuxprinting.org as well as CUPS documentation. I'm sure foomatic automates a LOT of stuff you'd have to do manually, but it still was falling pretty short. Such as the margins adjustment step and trying to set the hardware clipping plane... Even after I sit around with a ruler and doublecheck exactly which arrows on the page they're referring to, how do I enter stuff like "" or whatever? I tried at script's waiting prompt, and it just complained. After trying as many permutations of entering the data as I could think of, I finally gave up.

    And yes, I did try the web interface built-in to CUPS, but I would run into things like the "Location" blank. What's that? /dev/lp0? localhost? Just a comment for people to look at? It's probably in the documentation somewhere (if you even guess which piece of documentation you should look at for something simple like, say, USING the damn thing) but I must've just kept overlooking it.

    "There's got to be a better way," I said to myself. Lo and behold, KDE Print Manager. Worked like a charm. Even informed me that "location" was an optional string of text for users. Sure, Print Manager isn't perfect, but then again, who is?
  • by ComputerSlicer23 ( 516509 ) on Wednesday July 14, 2004 @09:58PM (#9703313)
    http://www.flyn.org/projects/cryptoswap/index.html

    Googling around, that's the best link I've seen, but it's relatively short. I haven't looked into it in about a year. There is a patch to mount that will let you set up cryptoloop (the loopback block device with encryption built in). The maintainer of mount (Andries Brouwer), however, wouldn't accept the patch for some legalistic reasons (copyright and/or encryption, I've forgotten the details). Try "man losetup" for information on how to get crypto loop working.

    What you do, is have no swap partition, then at the end of the bootup sequence run losetup to setup loopback encryption to either a file or a partition. Then initialize the swap file or partition using mkswap, then swapon /dev/loop0 (or whatever loop device you used).

    So something like this:

    losetup -e DES /dev/loop0 /tmp/swapfile
    mkswap /dev/loop0
    swapon /dev/loop0

    However, I can't seem to get that working, as my RHEL doesn't have DES as a module, and losetup doesn't support AES yet. So there's probably a kernel patch to track down. However, it sounds like Mandrake supports this out of the box.

    Finally, I'm not much of a 2.6 user, what I described above will work in 2.4. 2.6 I believe either has in the main tree, or it's coming "Real Soon Now", a feature called dm-crypt. dm stands for device mapper. It's the low level replacement for the guts of LVM from the 2.4 kernel. It sounds like a layered/plugin type feature, one of which you can put LVM on top of. Some clever fellows decided to put crypto on top of it. I don't know a thing about that, and have never used it. However, search for dm-crypto in google, here's the most useful page I found in a single query:

    http://www.saout.de/misc/dm-crypt/

    Good luck.

    Kirby

  • by Matt Perry ( 793115 ) <perry DOT matt54 AT yahoo DOT com> on Wednesday July 14, 2004 @10:32PM (#9703489)
    1) programmable tab completion
    Bash has programmable tab completion. In fact, you should check out the Bash Programmable Completion package [freshmeat.net] if you are a bash user. That contains a bunch of completions for commonly used commands and their options.
    5) multiple commandline commands are not rewritten as commands with ';' in them (what I typed is what I get, see 4)
    That's the default in bash, too. If you aren't getting that behaviour it's because you turned the cmdhist option on (or your distro did). "shopt -u cmdhist" will turn that back off.
  • by ReNeGaDe75 ( 585630 ) <(brandon) (at) (kindabored.com)> on Wednesday July 14, 2004 @10:33PM (#9703495) Homepage
    Nano also doesn't depend on any major packages. Pico is part of pine. And I don't want to install an entire email client that I will NEVER use (and have heard terrible things about) just to use a text editor. Nano works out of the box.

    I've also heard nano is a smaller executable and runs much faster. I haven't really tested that, however.
  • Re:Or sudo (Score:4, Informative)

    by Nailer ( 69468 ) on Wednesday July 14, 2004 @11:16PM (#9703804)
    I think rm -rf / is right... [ra@gentoo ~] $ rm --help Usage: rm [OPTION]... FILE...

    Yes, but rm FILE [OPTIONS] is much safer. Compare hitting enter too early when deleting a directory.

    Man pages are generally unmaintained. Eg, man resolv.conf says the file is generally unnecessary as most machines have a DNS server installed on them.

  • by Anonymous Coward on Thursday July 15, 2004 @12:01AM (#9704061)
    Hi all. I prefer to answer the question as the best sysadmin tools that aren't always commonly used. Try:
    1. Go to www.infrastructures.org
    2. Read each section, and select a tool which achieves the goal of the section
    3. ???
    4. Profit

    The steps above will generate a good top 10 list.

    Alternatively, you can use my list:
    1. cfengine
    2. Templating on cfengine config files (I use perl to template them); cfengine is better than anything else similar I've tried (although I haven't tried LCFG), but it still needs perl templating to make it work properly
    3. Some kind of database; see http://astro.uchicago.edu/~davidr/cfengine-tools/lisa-paper_html/ for details (or, alternatively, use mine when I release it on the 'Net)
    4. An ACAP server: http://infotrope.clues.ltd.uk/ (ok, I admit -- I've never set up an ACAP server, but they could become increasingly useful in the future, reducing support costs and the like)
    5. Learn how not to be stupid about administration: http://users.sunet.com.au/~tsn/sysadmin/good_sysadmin.html

    PS. Sorry about the anonymous posting, but this is a public terminal
  • Re:Ahem (Score:3, Informative)

    by Olinator ( 412652 ) <.olc+sdot. .at. .hex.cs.umass.edu.> on Thursday July 15, 2004 @08:48AM (#9706213) Homepage

    1. They have more than one firewall, and I didn't name the subunit of JPL.
    2. those are outgoing ports, so that's useful information only if you're already on the inside...

    Ole
