Top Ten Linux Configuration Tools?
jman251 asks: "I am presenting at a conference in September on a couple of Linux-centric topics. One of these is a collection of tips, tricks, and tools for configuring, securing, and maintaining a Linux-based server. I have a short list of tools I use, but would like some community input on the subject. What tools do you use that make your admin responsibilities easier or more automated on the Linux platform?"
They all start with "nano -wiR /etc/" (Score:3, Interesting)
Re:They all start with "nano -wiR /etc/" (Score:3, Funny)
Only one... (Score:2)
make + cfengine + cvs + LDAP (Score:5, Insightful)
no, nfs is not used
My partner took the Solaris Advanced Certification tests (someone else was paying and what the hell). She screwed up the parts about AdminTool. Someone who'd been using Unix since the 80s. She came home raging: AdminTool!! If I ever hired a senior admin and they kicked up admin tool, I'd fire them before the windows finished opening.
I find these single machine solutions quite quaint.
No, I'm delighted to have my cfengine scripts that go through /etc/ and make sure that inetd.conf is stripped, and that rpcbind and nfs aren't running on standalone servers and that the Right Stuff is in the Right Config files and that permissions are correct.
Best part is that I can run it again anytime later to redo that (or with '-n' to just show me what's changed).
And if it uses CVS to pull down $Today's configs, then so be it.
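An added illustration of the re-runnable, "-n shows what would change" idea from the comment above; it is not part of that comment and is not cfengine syntax. It is a plain shell sketch in which the function names, the "#disabled#" marker and the sample inetd.conf lines are all constructed for the example.

```shell
#!/bin/sh
# Added example: a convergent "strip inetd.conf" step with a dry-run flag.
# Plain shell, not cfengine; every name here is made up for this sketch.

# inetd_pass MODE FILE ALLOWED...
#   MODE=plan    print the file as it should look
#   MODE=report  print one "disable: <service>" line per needed change
inetd_pass() {
    _mode=$1; _file=$2; shift 2
    awk -v mode="$_mode" -v allow=" $* " '
        # Comments, blank lines and allowlisted services are left alone.
        /^[ \t]*#/ || /^[ \t]*$/ || index(allow, " " $1 " ") {
            if (mode == "plan") print
            next
        }
        # Any other active service line gets commented out.
        {
            if (mode == "plan") print "#disabled# " $0
            else                print "disable: " $1
        }
    ' "$_file"
}

# converge_inetd [-n] FILE ALLOWED...
# Prints the changes it makes (or would make with -n); prints nothing when the
# file is already in the desired state, so it is safe to run again at any time.
converge_inetd() {
    dry=0
    if [ "$1" = "-n" ]; then dry=1; shift; fi
    target=$1; shift
    report=$(inetd_pass report "$target" "$@")
    if [ -z "$report" ]; then return 0; fi      # already converged
    printf '%s\n' "$report"
    if [ "$dry" -eq 1 ]; then return 0; fi      # -n: report only, touch nothing
    tmp=$(mktemp) || return 1
    # cat into the original so its owner and mode are preserved
    inetd_pass plan "$target" "$@" > "$tmp" && cat "$tmp" > "$target"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample inetd.conf, written to the path given as $1.
write_sample_inetd() {
    cat > "$1" <<'EOF'
# constructed sample, not from a real host
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/in.rshd     in.rshd
auth    stream  tcp  nowait  nobody  /usr/sbin/in.identd   in.identd
EOF
}

demo=$(mktemp) && write_sample_inetd "$demo"
echo "dry run:";    converge_inetd -n "$demo" auth
echo "apply:";      converge_inetd "$demo" auth
echo "second run:"; converge_inetd "$demo" auth   # prints nothing: converged
rm -f "$demo"
```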
rm (Score:5, Funny)
That'll teach those pesky users....
Re:rm (Score:5, Insightful)
Re:rm (Score:5, Funny)
Re:rm (Score:5, Informative)
So now "rm -fr /" won't work even as root as it will properly give you :
So there you are, you pesky root of all evil. Oh bummer, now I can't make any new files in /home/dude ....
Re:Or sudo (Score:4, Informative)
Yes, but rm FILE [OPTIONS] is much safer. Compare hitting enter too early when deleting a directory.
Man pages are generally unmaintained. Eg, man resolv.conf says the file is generally unnecessary as most machines have a DNS server installed on them.
Xconfigurator (Score:2, Interesting)
Re:Xconfigurator (Score:2)
Webmin all the way (Score:5, Interesting)
Re:Webmin all the way (Score:5, Insightful)
Re:Webmin all the way (Score:4, Informative)
cfengine works really well, but you don't appreciate its features until you hit the 70+ machine mark - the "trick" is that cfengine with its inheritance and boolean class logic excels for systems that are different but have bits in common. Such different bits ALWAYS turn up with 70+ machines, simply because PC-class hardware's failure rate means something will have been changed on some machine somewhere at any given time. But if you've only got tens of machines running one OS rather than hundreds running five different OSes, it all seems like very hard work to set up your cfengine configuration files. The other "trick" is that cfengine is mostly multiuser and you can allow different users to perform different actions, so when you've got a team of admins of different ability,
johnny-adds-visitor-laptops-to-vlan-17 just can't fuck up mordred-rules-production-database-servers-with-ir
I second cfengine (Score:3, Interesting)
I think that even with as few as 5 systems it is worth the effort... especially if the systems are largely similar.
Re:Webmin all the way (Score:3, Interesting)
Webmin is nice (Score:3, Informative)
Re:Webmin is nice (Score:5, Informative)
Re:Webmin is nice (Score:3, Insightful)
Re:Webmin is nice (Score:3, Insightful)
Re:Webmin is nice (Score:3, Insightful)
Re:Webmin is nice (Score:5, Interesting)
Webmin has lots of thoughtful touches, like the ability to block certain UIDs and GIDs so that a lesser sysop cannot change the root account (for example). Another bonus is that Webmin users don't have to be regular shell accounts. It's not perfect, but it's still the Swiss Army Knife of configuration utilities.
Dave Lettermans Top 10 (Score:5, Insightful)
df
du
ls
rm
passwd
chown
vi
more
bash
Hey, you asked for it - No clicky links to read.
Re:Dave Lettermans Top 10 (Score:3, Insightful)
df
du
ls
rm
passwd
chown
vi
more
bash
s/more/less/
Your comment has too few characters per line (currently 3.6).
Re:Dave Lettermans Top 10 (Score:5, Funny)
A is for awk, which runs like a snail
B is for biff, which reads all your mail
C is for cc, as hackers recall
D is for dd, the command that does all
E is for emacs, which rebinds your keys
F is for fsck, which rebuilds your trees
G is for grep, a clever detective
H is for halt, which may seem defective
I is for indent, which rarely amuses
J is for join, which nobody uses
K is for kill, which makes you the boss
L is for lex, which is missing from DOS
M is for more, from which less was begot
N is for nice, which really is not
O is for od, which prints out things nice
P is for passwd, which reads in strings twice
Q is for quota, a Berkeley-type fable
R is for ranlib, for sorting a table
S is for spell, which attempts to belittle
T is for true, which does very little
U is for uniq, which is used after sort
V is for vi, which is hard to abort
W is for whoami, which tells you your name
X is, well, X, of dubious fame
Y is for yes, which makes an impression, and
Z is for zcat, which handles compression
Re:More or Less ? (Score:5, Informative)
Just so you know, when you accidentally cat a binary file and it changes all the letters in your console to garbage characters, just blindly type
reset
and hit Enter. Fixes it every time.
Re:Dave Lettermans Top 10 (Score:5, Informative)
more -- better less (It's not the 70s anymore people, you can search and go backwards in files since less first came about in the mid 80s. With the LESSOPEN variable set to something useful you can "browse" many, many filetypes too).
bash -- better zsh My shell can do anything your shell can do, but better!
Re:Dave Lettermans Top 10 (Score:5, Informative)
1) programmable tab completion - yes folks there is more to tab completion besides beeping all the time. When I hit cd fooTAB the list of completions only shows _directories_ beginning with foo
2) sane invocation - zsh is the only shell that has one file that is sourced _on all invocations of the shell_ so you can do stuff like have a consistent PATH and other env stuff
3) global aliases - zsh provides an alias that works _anywhere on the commandline_ I have 'G' mapped to '| grep -i', I have 'L' mapped to '| less' and 'vi' mapped to 'vim' (why? So sudo vi FILE gives me vim if the system has vim), etc, etc
4) the only shell that supports working 'vi' style history editing
5) multiple commandline commands are not rewritten as commands with ';' in them (what I typed is what I get, see 4)
6) too many features to name. Like I said, my shell can do anything your shell can do, but better.
Re:Dave Lettermans Top 10 (Score:3, Informative)
"Bash" also supports programmable tab completion - it's possible to do stuff such as:
Tab completion after the command
Re:Dave Lettermans Top 10 (Score:3, Interesting)
bash completion [freshmeat.net]
is a good start.
Re:Dave Lettermans Top 10 (Score:3, Insightful)
Personally I think zsh is a great example of "lots of features and no taste."
[*] Yes, I'm exaggerating -- I'm sure there are a few without...
Re:Dave Lettermans Top 10 (Score:4, Informative)
Re:Dave Lettermans Top 10 (Score:3, Informative)
Personally I find both useful. I prefer zsh for my interactive shell because it has many features that I think make it a better tool for that job:
On the other hand, I much prefer bash for writing shell scripts because it has many features that make it a better tool for tha
Re:Dave Lettermans Top 10 (Score:3, Interesting)
nohup emerge sync &
( or nohup make && make install & )
tail -f nohup.out
exit
This is the coolest thing in the world, because I can logout, the process keeps running, and I can check on the progress later from another location.
This is probably no surprise to the graybeards out there, but is sparkly to a n00b like me.
Re:Dave Lettermans Top 10 (Score:4, Informative)
Whilst you are correct this works for non-interactive processes, you can't use nohup to keep a copy of say, Lynx, running when you logout. Then return to it later and pick off where you left it.
Instead you should look at GNU Screen [gnu.org] which allows this and more.
(It's essentially a windowing system for consoles, with the ability to detach and resume at will, and definitely one of my top ten Unix utilities).
Here is one Screen tutorial [kuro5hin.org] which explains basic operation well.
Not The FP (Score:5, Insightful)
man and vi
Seriously.
Vim and regex (Score:4, Insightful)
Doom... (Score:4, Interesting)
http://www.cs.unm.edu/~dlchao/flake/doom/
mc (Score:2)
I like using 'mc' as a good editor and file manager, helps me set up and configure my system very quickly
In a word (Score:5, Interesting)
Perl is your friend
Re:In a word (Score:5, Funny)
my ass, perl is GOD
Blbbbbph..... (Score:5, Funny)
If Perl is God, then nobody would be able to understand the bible.
... oh wait.
A tendency toward self improvement (Score:5, Insightful)
I know that's not what you wanted; but it's really true. A desire to constantly increase your own knowledge is paramount.
Re:In a word (Score:5, Funny)
Well it sure doesn't act like it sometimes.
Hmm.. (Score:5, Funny)
Knoppix is a nice solution too when I don't have time.
Comment removed (Score:5, Funny)
Computer Management ? (Score:3, Funny)
don't forget (Score:2)
Make your life easier... (Score:2, Informative)
grep
gawk
xargs
for
CVS (or insert your favorite alternative here) (Score:5, Insightful)
Re:CVS (or insert your favorite alternative here) (Score:5, Informative)
Things I do. syslog to a common place. I have cloning scripts to dup a machine to a basic setup (poor man's jumpstart but faster and easier).
Perl and sed come in handy. Rsync (again with ssh keys) is good.
Oh yeah,
With these tips and tricks I can do whatever I need to do over a dialup connection anywhere in the world (I've only tested this from coast to coast in the US though, but I believe it will scale worldwide
Re:CVS (or insert your favorite alternative here) (Score:5, Interesting)
Sure, ssh keys are convenient, but they don't always replace passwords.
Passwords suck. Oh, and I have a 10 character passphrase on my private key that sits on my password protected computer.
I would guesstimate that the likelihood that a password has been found or guessed or shown up in a plain text file (my ISP used to have a world readable radius logfile that had passwords in it) or sniffed is much greater than someone logging into my laptop (I have no remote services running) or physically beating me up and getting my key and passphrase from me.
I love the classic:
sj (mistyped su)
followed by the root password in plaintext. Gotta love that!
Hmmmmm. (Score:5, Funny)
Emacs! No, vi! No, Arrrrrrgh!
Re:Hmmmmm. (Score:5, Funny)
Re:Hmmmmm. (Score:5, Funny)
Editing text files?
Re:Hmmmmm. (Score:5, Funny)
Re:Hmmmmm. (Score:5, Funny)
N073P@D OWNZ JOO!
MOD PARENT DOWN (Score:3, Informative)
CSSH (Score:2, Interesting)
Source Forge Page [sourceforge.net]
grep -sir foobar /etc/rc.d (Score:2)
Tripwire (Score:5, Informative)
Re:Tripwire (Score:3, Informative)
Tripwire is a file integrity auditing tool to ensure that files that should remain static do in fact remain static.
I would have to say that the top of any config tool list will have to be $favoritetexteditor. Each distribution is going to have a number of tools, both text and GUI, but the text editor rules *NIX when it comes down to indispensable configuration tools. Webmin deserves to be on the list just because it is a non-distro specific config tool... I personally don't use it, but
RPM (Score:3, Interesting)
This is saved into the RPM database in
You can use RPM as an IDS by backing up the database to a read-only media and then use, for example:
rpm -V coreutils procps net-tools --dbpath
To see if someone's installed a root kit (if someone has, they'll have to at least modify top, ps, and netstat, which are included in these packages).
Unlike tripwire, you're not forever having to upd
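An added example, not part of the comment above: a small triage filter for the output of the `rpm -V` check it describes, so that a changed binary such as ps or netstat stands out from routine config edits. The function names, severity labels and sample lines are constructed for this example, and `RPMDB_COPY` is a placeholder for wherever the read-only database copy is mounted.

```shell
#!/bin/sh
# Added example: triage `rpm -V` output. Sample lines below are constructed.
# Real use (RPMDB_COPY is a placeholder for the read-only database copy):
#   rpm -V coreutils procps net-tools --dbpath "$RPMDB_COPY" | classify_rpm_verify
#
# rpm -V prints one line per discrepancy: a flag string, an optional one-letter
# file-type marker (c = config file), then the path. Flag letters:
#   S size  M mode  5 digest  D device  L symlink  U user  G group
#   T mtime P capabilities    "." test passed      "?" test could not be run

# Constructed sample output.
sample_rpm_verify() {
    cat <<'EOF'
S.5....T.    /bin/ps
S.5....T.  c /etc/sysctl.conf
.M.......    /bin/netstat
missing     /usr/bin/top
.......T.    /usr/bin/free
EOF
}

# Reads rpm -V output on stdin, prints "SEVERITY<TAB>reason<TAB>path".
classify_rpm_verify() {
    awk '
    function emit(sev, why, path) { printf "%s\t%s\t%s\n", sev, why, path }

    # "missing" lines carry no flag string: missing [c] /path
    $1 == "missing" {
        emit(($2 == "c") ? "MEDIUM" : "HIGH", "missing", $NF)
        next
    }

    # Flag string: 8 or 9 characters (older rpm prints 8).
    length($1) >= 8 && length($1) <= 9 && $1 ~ /^[SM5DLUGTP.?]+$/ {
        flags = $1
        is_config = (NF >= 3 && $2 == "c")
        path = $NF                      # assumes the path contains no spaces

        if (flags ~ /[S5]/ && is_config) emit("INFO", "config-edited", path)
        else if (flags ~ /[S5]/)         emit("HIGH", "content-changed", path)
        else if (index(flags, "?"))      emit("MEDIUM", "unverifiable", path)
        else if (flags ~ /[MUG]/)        emit("MEDIUM", "mode-or-owner-changed", path)
        else                             emit("LOW", "metadata-only", path)
    }
    '
}

# Exit status 0 when at least one HIGH finding is present (handy for cron mail).
has_high_findings() {
    classify_rpm_verify | grep -q '^HIGH'
}

sample_rpm_verify | classify_rpm_verify
```

The result is only as trustworthy as the rpm binary and database that produced it, which is why the comment keeps the database on read-only media.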
/bin/bash (Score:5, Insightful)
BIND (Score:3, Interesting)
Even better would be something that also tied into dhcpd (these are the ISC daemons I'm talking about, folks), that would serve to configure them both, even on working together in a ddns/dhcp setup.
Cfengine: It's all you need (Score:5, Informative)
the best automation tool for unix and unix-like
environments. Hands down.
It's a little hard to configure sometimes, but
worth the effort.
Tim. (Score:5, Funny)
Easy-peasy.
Or I just do what Vigor [sourceforge.net] tells me to do.
RCS and Bastille-Linux (Score:4, Interesting)
RCS to provide rollback and change control.
No professionally administered Linux box should be without it.
I've been using Ruby for little utilities... (Score:3, Interesting)
Nothing fancy, just twiddling configuration files (httpd.conf, etc), pushing data into a PostgreSQL database, automating StatCVS runs, etc. I keep them in CVS, of course, here [rubyforge.org].
Several points of view.... (Score:5, Insightful)
... the most important tool is the brain :) As an admin, whatever you do, if you don't think enough on it you deserve what could happen.
As "admin suite", i.e. a single program to do a lot of administrative tasks, maybe YaST could be a good start. I don't use Webmin; I tried it some years ago and didn't like the idea, but it could be useful for a lot of people too.
And about individual tools, well, bash, vi, perl, mc, awk, the gnu text/file/shell utilities (cat, grep, ls, cut, chmod, etc) are essential.
Last but not least, a "tool" is also something that helps you to use what you have available already. Man pages, the HOWTO collection, a lot of O'Reilly books, and Google are examples of that kind of tool.
sudo, screen (Score:4, Informative)
Learn it in detail. If you work with other people on the same machine, it will make your life a lot easier.
screen is pretty handy, too. Being able to detach sessions is also nice for when you've started sprouting icicles from your nostrils from the cold, cold server room.
My Top 10: (Score:5, Informative)
That's all I can think of now. I'll think of others later.
Dang! (Score:5, Informative)
Don't get me wrong, Webmin is great, it's at the top of my list fer shure, but that's not the be-all and end-all of systems management!! What about actual convenient tools like MRTG, Novell's eDirectory, RedCarpet, etc. etc.?
Heck, I'm reading this article hoping to pick up a few tips myself and all I'm seeing are scripting languages and text-editor flame wars, (all of which can/should be moderated Off-topic or Funny).
So, anybody actually got anything useful to contribute besides Webmin?
Re:Dang! (Score:4, Informative)
Huh? I'm not that familiar with eDirectory or RedCarpet, but MRTG isn't an all in one configuration interface like webmin. I thought the only webmin alternatives were commercial products like:
Ensim [ensim.com]
Plesk [sw-soft.com]
Cpanel [cpanel.net]
Are there free software uber-configuration products other than Webmin? I tend to stick to the command line over ssh myself.
The ultimate server admin tool (Score:3, Interesting)
Turn off all the services you don't need.
My 10 (Score:3, Informative)
sudo
apt-get
wget
rsync
ssh
ps
php
pe
make
Perl, vi and cron (Score:3, Insightful)
vi for adding perl scripts into crontab.
there's not much else to do
SSH. (Score:5, Informative)
There are four of us who do *nix admin for over 600 *nix machines, more than half of which are linux boxes (both workstations and servers.) SSH with X displayback on a 100Mbit switched network is such a godsend I can't even begin to imagine life without it. I probably generate more SSH sessions in a normal workday than I do HTTP sessions. (Yes, that does include
I also think it's well worth your while to understand SSH's more esoteric tunneling capabilities... Recently I had to support a research group who was doing a demo at JPL [nasa.gov] and they were behind a very restrictive firewall but needed to do control and image transfer from a robot framework here in Massachusetts, and the researchers who'd coded the software hadn't implemented any kind of authentication layer. We were able to do everything using SSH tunneling over one of the three ports allowed through JPL's firewall (and they could IMAP their mail from our servers as a side bonus) without exposing our servers or JPL to unencrypted protocols of any kind.
Re:SSH. (Score:3, Funny)
I was thinking the same thing, I have active ssh connections to servers nearly around the clock.
Radmind (Score:3, Informative)
learn more at radmind.org
Ahem (Score:3, Interesting)
Re:Ahem (Score:3, Informative)
Command line (Score:5, Interesting)
Whatever runs from the bash command line is good enough for me.
No bloated fancy GUI needed, can run remotely over a secure ssh connection, and has all the raw power you need.
I am not a luddite. For some tasks, I will use the GUI tool (e.g. Mandrake Control Center, or Webmin) to do things, when it is faster to do so. But the bulk of what I do is command line.
My List (Score:5, Informative)
2. Logwatch [logwatch.org]: Logwatch is something that should be used by every Unix/Linux SA everywhere. It gives you a daily snapshot of events in your logs
3. Mon [slashdot.org]: Nice, simple, easy. If your webserver goes down, your secondary can bring up a virtual ip a couple of seconds later. No more annoying three am phone calls
4. Snort [snort.ortg]/ACID [sourceforge.net]: lets me know if a virus breaks out, or if there are stupid script kiddies trying to brute force their way in.
5. Nessus [nessus.org]: run it early, run it often. Figure out any holes you have in your security, and make sure you fix them.
There's more, but you should really do some of your own homework.
just basic tools... (Score:4, Funny)
"Awk!" sed perl.
"Make sum nice tee, joe," sed man.
Single machine or multiple machines? (Score:5, Informative)
Who exactly is your target audience? People who've never seen UNIX, people who've worked on UNIX environment for years? What is it you are attempting to accomplish with them?
Most of my list would be boring to people who know a lot about UNIX, however some of them are Linux specific.
Re:Single machine or multiple machines? (Score:4, Informative)
Googling around, that's the best link I've seen, but it's relatively short. I haven't looked into it in about a year. There is a patch to mount that will let you set up cryptoloop (the loopback block device with encryption built in). The maintainer of mount (Andries Brouwer), however, wouldn't accept the patch for some legalistic reasons (copyright and/or encryption, I've forgotten the details). Try "man losetup" for information on how to get crypto loop working.
What you do is have no swap partition, then at the end of the bootup sequence run losetup to set up loopback encryption to either a file or a partition. Then initialize the swap file or partition using mkswap, then swapon /dev/loop0 (or whatever loop device you used).
So something like this:
losetup -e DES /dev/loop0 /tmp/swapfile
mkswap /dev/loop0
swapon /dev/loop0
However, I can't seem to get that working, as my RHEL doesn't have DES as a module, and losetup doesn't support AES yet. So there's probably a kernel patch to track down. However, it sounds like Mandrake supports this out of the box.
Finally, I'm not much of a 2.6 user; what I described above will work in 2.4. 2.6 I believe either has in the main tree, or it's coming "Real Soon Now", a feature called dm-crypt. dm stands for device mapper. It's the low level replacement for the guts of LVM from the 2.4 kernel. It sounds like a layered/plugin type feature, one of which you can put LVM on top of. Some clever fellows decided to put crypto on top of it. I don't know a thing about that, and have never used it. However, search for dm-crypto in google, here's the most useful page I found in a single query:
http://www.saout.de/misc/dm-crypt/
Good luck.
Kirby
My Top Ten (Score:5, Insightful)
2) OpenSSH... Oh yeah baby!
3) GCC and make... DUH!
4) FTP...I know I know SFTP if you prefer
5) Perl...YUM and even better with perl expect
6) Bash...we all need a CLI
7) Jumpstart...If you manage a lot of solaris boxes, this is your friend
8) Sendmail or postfix...pick your poison
9) nmap...oh yeah, let the Windows guys drool
10) Nagios...monitor that network in style!
Your question is flawed, thus you have no answers. (Score:4, Informative)
But I can sum up some the key points and bits of wisdom I have picked up over the years.
1) Ascii text is your friend. 98% of all the configuration files for UN*X programs live in ascii files and they "usually" live in
2) Pick a programming language. Perl, AWK, Sed, ksh, all of them. You can use that programming language to roll out changes as needed, or make a lot of changes really quickly. RSH/SSH allows you to do that across multiple systems. Use it carefully!
3) Design your environment. If you know what you are going to be using the servers, workstations and/or Linux embedded appliances for you can better decide how to automate it.
4)"Crunchy Cookie, Liquid Center".
In the end you will be automating certain administrative tasks over and over, but not all of them. That's why one size fits all won't work. It becomes a bloated security hole, so you only automate what you need and you automate it in an original and secure fashion.
As for some rock solid TLA recommendations.
SSH - SSH is your friend and as a replacement for RSH and its ilk you can use it to securely automate tasks. read up on ssh-agent for automating ssh access across multiple machines.
mon - How do you know it's working if you don't test it? You need to turn on monitoring, the more specific the test and monitor the better. mon is a good PERL framework for performing any test, and it has a lot of prepackaged/contributed test scripts that come in handy.
LDAP - Lots of UN*X environments are moving to LDAP to store enterprise wide information. It depends on how big of a UN*X environment you are setting up but having a centralized directory ala LDAP can be quite handy.
PAM/NIS - Plug In Authentication Modules. You can use these to have a centralized authentication server, cuts down on password updates. NIS+ is a tried and true system for stitching UNIX Systems together but I've only seen it installed in 1 UN*X environment and I've worked in several.
If you are looking for a prebuilt system or paradigm like Microsoft Server then you need to look to Redhat, Debian, else you are going to work from the need/application outwards.
Whatever you do more than once you will automate. When you no longer can budget the amount of UN*X Admins you will need you will start to build "tools" to delegate routine tasks, these will eventually become web pages, the web page will become an application. The application will become an acronym. The acronym will become a skill. The skill will become a job requirement HR will use to backfill a position. That's the way it goes.
Enjoy!
WRONG QUESTION (Score:5, Insightful)
I think it would be more useful to ask for the Top Ten MOST OVERLOOKED tools, or the most under-used, the most mis-used, or the ones whose full power is forgotten, unrecognized, or unused.
Pico, you dick mods. (Score:5, Funny)
When I don't have time to figure out goddamn control chars, and just want to edit a config file without having to resort to IRC, man pages, and poor documentation -
I USE FUCKING PICO.
All the commands are right there. On the screen.
Maybe this elitist attitude is why Linux isn't ready for the desktop. Now mod me Troll, bitches.
Make a list as you go (Score:3, Interesting)
Oh yeah, learn regular expressions. The O'Reilly book is great. The time investment *will* pay off.
Keychain (Score:5, Informative)
http://www.gentoo.org/proj/en/keychain.xml
Also, (obligatory) perl is great and larry wall is my hero...
*drake (Score:4, Informative)
If you look at Mandrake, there's tons of great config tools there:
diskdrake for disk partitioning
harddrake for hardware configuration
userdrake for user configging (or userconf)
XFdrake for X config
mousedrake for mouse config
printerdrake absolutely rules for CUPS, better than localhost:631 if you ask me
drakconf for ALL mandrake tools together
rpmdrake is good for package managing...
Oh and of course linuxconf is still nice! netconf is the network partition of that I think. The list goes on I bet
An experienced system's administrator (Score:3, Insightful)
Right. (Score:4, Funny)
My 10 favorite linux configuration tools? Let's see:
Re:Add tool name here - once. (Score:2, Interesting)
Re:The one true Text Editor! (Score:5, Funny)
Vi user 2: Mesmerize this so-called-pico-messiah
Slashdot winfiend1: I for one....
Slashdot winfiend2: Imagine a
Emacs user 1: Damn, the vimers beat us to the hangin!... we can't say kill him, they already did...
Emacs user 2: It's Gnu-Pic.... oh wait...
It also has to be said... (Score:3, Insightful)
...which I believe is what this poll is about. Top Ten Configuration Tools.
Re:Shouldn't you be asking (Score:5, Funny)
And ed doesn't waste space on my Timex Sinclair. Just look:
-rwxr-xr-x 1 root 24 Oct 29 1929
-rwxr-xr-t 4 root 1310720 Jan 1 1970
-rwxr-xr-x 1 root 5.89824e37 Oct 22 1990
Of course, on the system *I* administrate, vi is symlinked to ed.
Emacs has been replaced by a shell script which 1) Generates a syslog
message at level LOG_EMERG; 2) reduces the user's disk quota by 100K;
and 3) RUNS ED!!!!!!
"Ed is the standard text editor."
Let's look at a typical novice's session with the mighty ed:
golem$ ed
?
help
?
?
?
quit
?
exit
?
bye
?
hel
?
eat flaming death
?
^C
?
^C
?
^D
?
---
Note the consistent user interface and error reportage. Ed is
generous enough to flag errors, yet prudent enough not to overwhelm
the novice with verbosity.
"Ed is the standard text editor."
Ed, the greatest WYGIWYG editor of all.