原文出处
http://www.dbanotes.net/OpenSource/Using_xinetd.html
[OpenSource] 使用xinetd
作者:Jose Nazario译者:Fenng
日期Q?5-Oct-2004
出处Qhttp://www.dbanotes.net
版本Q@2001/11/27 Version 0.01 @2003/05/23 Version 1.00
Jose描述了如何着手配|调?acronym title="Extended Internet Services Daemon">xinetd?
xinetd取代了inetdQƈ且提供了讉K控制、加强的日志和资源管理功能?acronym title="Extended Internet Services Daemon">xinetd已经成ؓRed Hat 7 ?Mandrake 7.2的Internet标准守护q程。这文章将引导你如何应用一些它的特性,q些Ҏ基?acronym title="Extended Internet Services Daemon">xinetd 2.1.8.8 pre3版本?
D
xinetd的最初的作者(Panagoitis Tsirigotis panos@cs.colorado.eduQ好像已l停止了q个目?Rob Braun (bbraun@synack.net)l箋了该目Q现在负责维护这个Y件包。ؓ了能?select()在我的老的libc5pȝ上也可以使用Q我不得不给当前的包d几对头文Ӟq是我注意到的问题。或怽需要它们,如下Q?
xinetd/internals.c.orig Fri Jun 16 19:00:15 2000 +++ xinetd/internals.c Fri Jun 16 19:00:53 2000 @@ -12,6 +12,8 @@ #include <time.h> #include <fcntl.h> #include <syslog.h> #include <unistd.h> #include <sys/time.h> #include "sio.h"
关于 xinetd
xinetd用括hL、扩展了的语法取代了inetd中的通用的行。另外,q添加了日志和访问控制功能?虽然inetd可以使用Venema?tcp_wrappers 软g (tcpd) 控制 TCP 的连接,但是你不能用它来控制 UDP q接。此外,inetd对RPC(portmapper)cd的服务也处理不好。另外,虽然使用 inetd 你可以控制连接速度 ( 通过lwait或是no wait 变量附加一个数|例如nowait.1表示每隔一U钟一个实?Q你不能控制实例的最大数。这能导致进E表dQ例如,一个有效的拒绝服务dQ。通过使用xinetdQ我们可以防?acronym title="Denial Of Service">Dos?
我通常使用下面的命令启?acronym title="Extended Internet Services Daemon">xinetdQ把它放在我的Internet服务启动脚本中:
/usr/sbin/xinetd -filelog /var/adm/xinetd.log -f /etc/xinetd.conf
q告?xinetd Ҏ有的服务都进行纪录,日志保存到文?/var/adm/xinetd.log中,q且使用配置文g/etc/xinetd.conf。这文章中的大量篇q都用在这个配|文件上?
~译旉项
你应该注?个编译时的选项Qlibwrap、loadavg (用于监视负蝲均衡) ?IPv6 supportQ它们提供了额外的访问控制。对于大多数libwrap"明白"的守护进E?(如portmapper 和sendmail)Q在配置脚本中的"with-libwrap"选项告诉xinetd支持tcp_wrappers文g/etc/hosts.allow?etc/hosts.deny。这些选项?acronym title="Extended Internet Services Daemon">xinetd作用如同它们之?inetd那样Qƈ且支持所有的 xinetd控制的守护进E。注意如果你从零开始做xinetd的话Q就可以做访问控Ӟ不再需要tcpd。不怎样。对libwrap 的支持是有用?-如果你从inetd/tcpdq移q且也不x变你的访问文件的??
W二个有的讄选项是支持负载均衡监控,通过?/configure脚本中用with-loadavg选项可以辑ֈ。sendmail支持在高负蝲的时候停止连?-假定它已l脱M控制q且正在当掉机器。用q个选项可以Ȁzmax_load 选项以限制Q何连接或是基于负载均衡机器的所有服务?/p>
最后,d IPv6支持 可以通过?./configure 脚本中?with-inet6 capability选项来完成?qxinetd 支持IPv6地址和连接。注意要使其生效的话你的核心Q和|络Q必L?IPv6。当然IPv4 仍然被支持?
配置文g
xinetd 配置文gQ通常可以手工或是自动从inetd.conf文g生成。前者费旉且容易出错;后者可以通过 itox软g或者xconv.pl 脚本L完成。虽然itox软g正在被取消而們于?xconv.pl 脚本Q它仍是很有用的。但是,要注意重复的q行它会覆盖原有的配|文件。itox?xconv都以同样的方式工作,我们?itox来进行演C:
$ itox < /etc/inetd.conf > xinetd.conf
C些的工具QxconvQ可以理解注释,q且在对tcpd的用上要比itox做得更好Q用itoxQ你不得不指定守护进E的路径 Q如 /usr/sbinQ?你想要包含的W一D就是默认的D,像名字暗示的那P默认?acronym title="Extended Internet Services Daemon">xinetd服务?
defaults
{
instances = 25
log_type = FILE /var/adm/servicelog
log_on_success = PID HOST EXIT
flags = NORETRY
log_on_failure = HOST RECORD ATTEMPT
only_from = 129.22.0.0
no_access = 129.22.210.61
disabled = nntp uucp tftp bootps who
shell login exec
disabled += finger
}
马上Q我们可以了?xinetd 讄参数的语法:<指示QdirectiveQ?gt; <操作W(operatorQ?gt; <|valueQ?gt;?acronym title="Extended Internet Services Daemon">xinetd所能理解的指示列在表一中,在这里我们将忽略 flags、type、env 和passenv指示W?我对对 only_from ?no_access以及额外的日志选项加以更多的讨?
?1. xinetd的指C符 指示W? 描述 socket_type |络套接字类? 或者数据包 socket_type |络套接字类? 或者数据包 protocol IP 协议, 通常是TCP或?UDP wait yes/no, {同于inetd的wait/nowait user q行q程的用?ID server 执行的完整\?/td> server_args 传递给server的变?或者是?/td> instances 可以启动的实例的最大的?/td> start max_load 负蝲均衡 log_on_success 成功启动的登记选项 log_on_failure 联机p|的时候的日志信息 only_from 接受的网l或是主?/td> no_access 拒绝讉K的网l或是主?/td> disabled 用在默认?{} ?止服务 log_type 日志的类型和路径 FILE /SYSLOG nice q行服务的优先 id 日志中用的服务?/td>
操作W非常简单,?”或者?=”。用 =Q右边给定的gl左边的指示W?=也是非常直接的,用于l一个已l指定的指示W添加一个倹{没有它Q原先的指示W就会被覆盖Q这样可以用来展开讉K列表Q或者跨多行?/p>
用如下的格式描述服务Q?
服务名
{
指示W?= ?
指示W?+= ?
}
服务名一定要?/etc/services列出 Qƈ且要使用合适的socket和协议?
关于讉K控制
关于讉K控制的有几句话?首先Q?acronym title="Extended Internet Services Daemon">xinetd控制q接而不是控制数据分l,它只是个用户方的守护q程Q如同inetd 一栗同LQ可以打断一个被服务器禁止的L的SYN或是connect()。但不能中止象FIN [端口扫描使用带有FIN 标志位的TCP包,通常是nmapq样的工兯行生的]q样?U密" 扫描。不要把xinetd 当作一个firewall 用以L端口扫描。一个有l验的入侵者能够用q些信息攉你的不同服务的访问控制列表。幸q的? q些可以被xinetdU录。当你看到日志的时候你的疑虑会消除的?
W二Q?acronym title="Extended Internet Services Daemon">xinetdQ?.1.8.8pre3版本Q,当一个系l试图连接的时候进行名字查找。以前,它在启动的时候进行查找, 但是现在已经改变?
使用讉K控制真的很简单。第一个指C符?only_from, 列出了我们可以接受从哪一个网l或是主机的q接。这个规则可以被 no_access覆盖?你可以用网l号Q如 10.0.0.0 或?10或者是|络名(包括 .my.com 或?.my.comQ。主机名或者主机的 IP地址也可以在q里使用指示W?.0.0.0 匚w所有的Lq监听所有的地址。通过使用 no_access一旦符合标准拒l就会被解析。再说一遍,|络和主机可以指定?/p>
服务配置
让我们看一些基本的应用。我们先看第一个基本的服务echoQ它是inetd ?acronym title="Extended Internet Services Daemon">xinetd固有的服务?/p>
service echo
{
socket_type = stream
protocol = tcp
wait = no
user = root
type = INTERNAL
id = echo-stream
}
echo 以root权限q行, 是一个tcp ƈ在内部处理。echo-stream指示W将出现在日志中。如果没有only_from或是 no_access在指C符?对这个服务的讉K的配|将是不受限制的?/p>
现在Q让我们看一个正规的服务QdaytimeQ?/p>
service daytime
{
socket_type = stream
protocol = tcp
wait = no
user = nobody
server = /usr/sbin/in.date
instances = 1
nice = 10
only_from = 0.0.0.0
}
再说一ơ,M人都可以q接, 不过我们指明它以nobody的n份运行来q回信息。和前一个例子相比,q个q没有额外的什么。现在我们看另一个服?secure shell version 1。下面的讄可以防止sshd所带来的资源耗尽问题?/p>
service ssh1
{
socket_type = stream
protocol = tcp
instances = 10
nice = 10
wait = no
user = root
server = /usr/local/sbin/sshd1
server_args = -i
log_on_failure += USERID
only_from = 192.168.0.0
no_access = 192.168.54.0
no_access += 192.168.33.0
}
在这里,我们建立了前面我们所作的。当作ؓ用户inetd或?xinetd重新调用sshd 需要用 -i 参数Q?所以我们把它放在了 server_args 指示W后。注意:把这个标记添加到server标识W出会导致失败。在M时候只有十个h可以同时使用Q在q个服务器上q不是问题,q个例子我们从日志得到。另外作为默认信息,如果不能q接的话Q连接方的用?ID在RFC 1413中描q。最后,我们列出了两个网l不能访问这个服务?
日志?xinetd
日志中有几个值可以用于得C的服务器的信?/p>
? 不同的日志指C?/strong> ? 成功/p| 描述 PID success 当一个连接成功时登记产生的进E的pid HOST both 登记q程L地址 USERID both 登记q程用户的RFC 1413 ID EXIT success 登记产生的进E的完成 DURATION success 登记d持箋的时?/td> ATTEMPT failure 登记q接p|的原?/td> RECORD failure 关于q接p|的额外的信息
q样Q可以添加一些标准的行指明日志,像下面的样子。对一个成功连接的服务Q我们通常想登记服务生的q程idQ连接的L和退出的旉Q?/p>
log_on_success = PID HOST EXIT
q样可以l出我们用来排错的有用的信息和正常的服务器操做信息。针对失败,我们可以记录我们惌的:
log_on_failure = HOST RECORD ATTEMPT
我们记录了连接的L、拒l连接的原因和关于连接中的主机的额外的信?有的时候是那些试图q接的用户ID)。推荐你q样做,可以对你的服务器有一个好的把握?/p>
q看上面Q在我们的默认段中,我们的日志写?var/adm/servicelog中。我们指定所有信息,成功和失败的都要被xinetd记录。我们的大多C息看h像这P
00/9/13@16:05:07: START: pop3 pid=25679 from=192.168.152.133 00/9/13@16:05:09: EXIT: pop3 status=0 pid=25679 00/10/3@19:28:18: USERID: telnet OTHER :www
使用q个信息Q可以轻易对 xinetd 排错和进行和正常操作。也可以Ҏ发现安全问题Q如你试N止的q接企图Q,在日志中单的?grep ?''FAIL'' qoQ这些项昄如下Q?/p>
00/10/4@17:04:58: FAIL: telnet address from=216.237.57.154 00/10/8@22:25:09: FAIL: pop2 address from=202.112.14.184
真正的安全问题需要另外的文章Q但是,q以说明,既然地址可以伪造,不要把地址报告看作固定的信息。xinetd.log文gQ包含了?xinetd得到的信息)在连接出错的时候作为排错信息很有用?/p>
00/10/25@21:10:48 xinetd[50]: ERROR: service echo-stream, accept: Connection reset by peer
重配|?xinetd
在xinetd.confq行的时候,你可以编?xinetd.conf 文g。要重新配置Q发送一个信号SIGUSR1 l?xinetd q程Q?/p>
# ps -ax | grep xinetd 50 ? S 5:47 /usr/sbin/xinetd -filelog /var/adm/xinetd.log -f /etc/xinetd.conf # kill -SIGUSR1 50
察看日志文g的尾部(用tail命oQ确保你的配|和改动已经生效。如果你是个q程用户的话要确保你退出后q可以重新登陆进来。注意?HUP对xinetd重新配置Q会实际D xinetd 停止操作。从设计的角度看Q这可以L黑客重新配置你的xinetdq且在无需理解文档的情况下可以重新蝲入它?/p>
何时使用xinetd
以我个h而言Q对所有的服务我都?acronym title="Extended Internet Services Daemon">xinetdQ唯一一个对性能有媄响的服务是我的Apache web 守护q程。太多的q程不得不启动,对它来说q太快了从而时间效率是个问题。DNS 服务也不应该?xinetdQ性能消耗太大?/p>
对sendmail 服务我也使用?acronym title="Extended Internet Services Daemon">xinetd。这样对于允许连接的客户Q我能够q行完美的控制。针?sendmail我的讄如下Q?
service smtp
{
socket_type = stream
protocol = tcp
wait = no
user = root
server = /usr/sbin/sendmail
server_args = -bs
instances = 20
nice = 10
only_from += 0.0.0.0
no_access += 129.22.122.84 204.0.224.254
}
即是在一个高量的邮件服务器上,Ҏ能的媄响也是可以忽略不计的。我q把 sshd 载入?xinetd 以便L对它的进E表d?
l论
希望q篇文章对你配置或是Ҏ需要调整inetd能有帮助。正如你所看到的,它提供的Ҏ要比inetd大得多,甚至包含了tcp_wrappers。Solar Designer (http://www.openwall.com/) 提供一个针对稍旧一点的xinetd的版本的Q?.2.1版本Q的补丁Q允许基于IP的实例控Ӟq有助于L单的q程表攻凅R注意,不管怎样Q简单的伪造可以绕q它。我不知道是否这个包对以后的 xinetd是否也适用?
附:xinetd 代表 Extended Internet Services Daemon 下面附上一个xinetd.conf手册上的参考设|:
#
# Sample configuration file for xinetd
#
defaults
{
log_type = FILE /var/log/servicelog
log_on_success = PID
log_on_failure = HOST RECORD
only_from = 128.138.193.0 128.138.204.0
only_from = 128.138.252.1
instances = 10
disabled = rstatd
}
#
# Note 1: the protocol attribute is not required
# Note 2: the instances attribute overrides the default
#
service login
{
socket_type = stream
protocol = tcp
wait = no
user = root
server = /usr/etc/in.rlogind
instances = UNLIMITED
}
#
# Note 1: the instances attribute overrides the default
# Note 2: the log_on_success flags are augmented
#
service shell
{
socket_type = stream
wait = no
user = root
instances = UNLIMITED
server = /usr/etc/in.rshd
log_on_success += HOST RECORD
}
service ftp
{
socket_type = stream
wait = no
nice = 10
user = root
server = /usr/etc/in.ftpd
server_args = -l
instances = 4
log_on_success += DURATION HOST USERID
access_times = 2:00-9:00 12:00-24:00
}
# Limit telnet sessions to 8 Mbytes of memory and a total
# 20 CPU seconds for child processes.
service telnet
{
socket_type = stream
wait = no
nice = 10
user = root
server = /usr/etc/in.telnetd
rlimit_as = 8M
rlimit_cpu = 20
}
#
# This entry and the next one specify internal services. Since
# this is the same service using a different socket type, the
# id attribute is used to uniquely identify each entry
#
service echo
{
id = echo-stream
type = INTERNAL
socket_type = stream
user = root
wait = no
}
service echo
{
id = echo-dgram
type = INTERNAL
socket_type = dgram
user = root
wait = no
}
service servers
{
type = INTERNAL UNLISTED
protocol = tcp
port = 9099
socket_type = stream
wait = no
}
#
# Sample RPC service
#
service rstatd
{
type = RPC
socket_type = dgram
protocol = udp
server = /usr/etc/rpc.rstatd
wait = yes
user = root
rpc_version = 2-4
env = LD_LIBRARY_PATH=/etc/securelib
}
#
# Sample unlisted service
#
service unlisted
{
type = UNLISTED
socket_type = stream
protocol = tcp
wait = no
server = /home/user/some_server
port = 20020
}
译后记Q一日在|上看到自己?q前的这个翻译文档,l读一下,发现谬误不少Q遂扑ֈ原文Q更正了一些不当之处。翻译不当之处肯定还是存在的Q欢q指?
参考信?译者提?
xinetd - http://www.xinetd.org/
Frederic Raynal的文?/a> - http://www.linuxfocus.org/English/November2000/article175.shtml
xinetd HOWTO - http://www.dbanotes/net/Books/xinted.pdf
本文译?/h2>FenngQ某资公司DBAQ业余时间q于各数据库相关的技术论坛且乐此不疲。目前关注如何利用ORACLE数据库有效地构徏企业应用。对Oracle tuning、troubleshooting有一点研I?br />个h技术站?http://www.dbanotes.net/ 。可以通过电子邮g dbanotes@gmail.com 联系C?
]]>
domain mci.uestc.edu.cnnameserver 127.0.0.1nameserver 202.112.14.151nameserver 202.112.14.161{
query-source port 53;
query-source-v6 port 53;
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
};
logging
{
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.root";
};
zone "localdomain" IN {
type master;
file "localdomain.zone";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
zone "mci.uestc.edu.cn" IN {
type master;
file "mci.uestc.edu.cn.zone";
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "named.192.168.1";
allow-update { none; };
};
include "/etc/rndc.key";
/var/named/named.root
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: Jan 29, 2004
; related version of root zone: 2004012900
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; operated by VeriSign, Inc.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
;
; operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; operated by ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File
/var/named/localdomain.zone
@ IN SOA localhost root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS localhost
localhost IN A 127.0.0.1
/var/named/localhost.zone
@ IN SOA @ root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS @
IN A 127.0.0.1
IN AAAA ::1
/var/named/named.local
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS localhost.
1 IN PTR localhost.
/var/named/mci.uestc.edu.cn.zone
@ IN SOA @ root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS @
IN A 192.168.1.129
wtj IN A 192.168.1.147
/var/named/named.192.168.1
@ IN SOA mci.uestc.edu.cn. root.mci.uestc.edu.cn. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS mci.uestc.edu.cn.
129 IN PTR mci.uestc.edu.cn.
147 IN PTR wtj.mci.uestc.edu.cn.
配置完成后重启DNS服务Q?br />service named restart
接下来,试配置l果
nslookup localhost
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: localhost
Address: 127.0.0.1
nslookup mci.uestc.edu.cn
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: mci.uestc.edu.cn
Address: 192.168.1.129
nslookup wtj.mci.uestc.edu.cn
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: wtj.mci.uestc.edu.cn
Address: 192.168.1.147
]]>
An abbreviation for "accessibility," frequently used in programming to avoid unnecessary typing and misspelling. Accessibility is the provision of services for impaired users, such as text-to-speech translation for the visually impaired. The 11 derives from the eleven letters between the beginning a and the ending y.
The Advanced Linux Sound Architecture (ALSA) is a technology that gives Fedora the ability to mix and output multiple audio sources. ALSA supports many consumer and professional level hardware devices. Refer to http://www.alsa-project.org/ for more information.
Anaconda is the Fedora Core installation system. Anaconda identifies and configures the system's hardware, creates appropriate file systems, and installs or upgrades software packages. Anaconda runs in a fully interactive text or graphical mode, or in an automated kickstart mode. Refer to http://fedoraproject.org/wiki/Anaconda for more information.
The apt (Advanced Package Tool) utility is a dependency tool developed for use with Debian Linux dpkg packages. The apt-rpm utility extends apt for use with RPM packages. Since apt has specific problems with multilib, however, it is not recommended for use with Fedora systems. Use yum instead.
ATrpms a third party RPM repository for Fedora software. Refer to http://atrpms.physik.fu-berlin.de/ for more information about ATrpms.
BitTorrent is a peer-to-peer file sharing which downloads from multiple channels at once. Refer to http://bitconjurer.org/BitTorrent/ for more information.
Use BitTorrent to download Fedora Core by downloading and opening a torrent file. The official Fedora Core torrent tracker is located at http://torrent.fedoraproject.org/. Download a torrent file there to begin downloading a release of Fedora Core.
Bluecurve?is a theme which unifies the look and feel of the Fedora desktop. Bluecurve was introduced in Red Hat Linux 9 and was used as the default for Fedora Core through release 3. Bluecurve was replaced in Fedora Core 4 by Clearlooks. Bluecurve included icons and settings for the menu and layout of the desktop.
Bugzilla is an online database for recording flaws, or bugs, in Fedora software, documentation, and other projects. Bugzilla also tracks bugs in Red Hat software. When you encounter a problem with Fedora, you can help the community fix the problem by making a record in Bugzilla. This procedure is called "entering a bug." For more information about Bugzilla, refer to http://bugzilla.redhat.com.
An abbreviation for "Chinese, Japanese and Korean," East Asian languages which require the use of an Input method platform due to the large number of possible typographic characters.
See Also IIIMF.
Clearlooks is the default theme for a GNOME desktop environment in Fedora Core 4. The Clearlooks design is based on the original Bluecurve.
Core is a numbered release of a subset of Fedora software, and is usually called "Fedora Core." Core packages are maintained mainly by employees of Red Hat, and are made up of free and open source software produced by the Linux community.
Although the software in Fedora Core is updated regularly, the original release of Fedora Core does not change. For this reason, when users discuss the state of their Fedora system software, they might refer to "Fedora Core plus updates." When you request help from the community, this terminology is the most accurate. However, many users simply call the updated system "Fedora Core."
The Central Processing Unit, or CPU , is the "brain" of a computer. The rest of the computer is organized around the CPU, so people often refer to computer systems by the type of processor inside. Examples of CPUs include Pentium-4, Athlon64, and PowerPC.
The cron system executes automatic jobs on behalf of the system or an individual user on a schedule. An example of a system cron job might include running yum nightly to update the system.
The Common UNIX Printing System, or CUPS , is a cross-platform, modularized printing system for UNIX-type environments, including Linux and Macintosh OS X. It is based on the Internet Printing Protocol and provides facilities for managing print jobs and queues. CUPS drivers are available at http://www.cups.org/windows/ which allow Windows systems to use printers shared from Linux systems. Refer to http://www.cups.org/ for more information about CUPS.
The Desktop Switcher tool allows a user to convert the Fedora desktop between GNOME and KDE. To run the Desktop Switcher tool from the Main Menu, select Desktop ?Preferences ?More Preferences ?Desktop Switcher. If you do not see this item in your menu, you may not have the switchdesk-gui package installed. Refer to http://fedora.redhat.com/docs/ to learn how to use yum to install software packages.
The eth0 name represents the first discovered Ethernet interface in a Fedora system. If your Fedora system has more than one such interface, the others will be numbered eth1, eth2, and so on.
Ethernet is the most common type of network technology for small computer networks.
The ethtool utility is a Linux network driver diagnostic and tuning tool for a Linux 2.4 or later kernel. The ethtool utility is used for querying and changing settings of an Ethernet device.
The ext3 file system is a method of organizing data on storage devices. It is based on the older but still vital ext2 Linux file system. Most users do not need to understand file system internals because Linux translates this system into understandable concepts such as files and folders. Refer to http://e2fsprogs.sourceforge.net/, however, for more information on ext2 and ext3.
A FAQ is a list of Frequently Asked Questions. Refer to http://fedora.redhat.com/about/faq/ for a FAQ about the Fedora Project. Refer to http://fedorafaq.org/ for a FAQ about using Fedora.
The GNU Free Documentation License, or FDL, is a means of licensing program documentation. The FDL carries both rights and responsibilities. You have the right to modify and redistribute FDL materials, or create other works based on them. You then have the responsibility of licensing any such material under the FDL as well. In this fashion the FDL guarantees that documentation cannot be made less free by a recipient.
The File Hierarchy Standard, or FHS , is a specification for the naming and organization of directories on a Linux system. The FHS sets standards for the types of files that should inhabit specific system directories. Refer to http://www.pathname.com/fhs/ for more information about the FHS.
A third-party repository of RPM software packages. FreshRPMS is soon to be subsumed into the larger RPMForge repository. Refer to http://www.freshrpms.net/ for more information.
The fsck utility is a command line tool used to test file systems for consistency and repair errors. It is normally used with Linux file systems such as ext3, but also has the ability to make repairs on other types of file systems.
The GIMP is the GNU Image Manipulation Program. The GIMP is graphics software suitable for such tasks as photo retouching, image composition and image authoring. The GIMP will read and write graphics files in a variety of formats, including JPG, PNG, BMP, GIF. It will also import some proprietary image formats from other graphics programs. Refer to http://www.gimp.org/ for more information about the GIMP.
The GNU C library, or glibc, is a free and open source library of C functions. Most software programs for your Fedora system rely on glibc for basic common functions. Refer to http://www.gnu.org/software/libc/libc.html for more information about glibc.
GNOME is the short name for the GNOME Desktop, a product of the GNOME Project. GNOME is at once a free desktop environment for UNIX-like operating systems such as Fedora, and a framework for software developers to develop graphical utilities and interfaces. GNOME provides a complete set of human interface guidelines, which means that GNOME strives to have a consistent look and feel for all its applications. Read more about GNOME at http://www.gnome.org/.
GNU is an acronym that stands for "GNU's Not UNIX," and is pronounced "guh-NOO." GNU was originally intended to be a complete UNIX-like operating system. It has become a broader term describing free software licensed under the GPL. Because the kernel and much of the other software in a Linux system are licensed under the GPL, many people call that system GNU/Linux.
GnuPG, the GNU Privacy Guard, is a complete and free replacement for PGP, Pretty Good Privacy. GnuPG software allows you to digitally sign or encrypt data using public key encryption methods. GnuPG is OpenPGP compliant, so data signed or encrypted by GnuPG can be exchanged with almost any computer user. Refer to http://www.gnupg.org/ for more information about GPG.
The GNU General Public Licence, or GPL , is a software license designed to preserve users' rights to share and modify software. The GPL does this by restricting anyone from denying you those rights. Use of software is usually subject to the terms under which it is licensed. Many software licenses restrict you from copying, sharing, or even examining the software they cover. The terms of the GPL, however, allow you very broad rights to share, modify, and redistribute software. In return the GPL requires you to give others those rights if you share the results. The GPL encourages software programmers to learn and contribute to each other's work. Refer to http://www.fsf.org/licenses/licenses/gpl.html for more information about the GPL. For a FAQ about the GPL, refer to http://www.fsf.org/licensing/licenses/gpl-faq.html.
The GNU GRand Unified Boot Loader, or GRUB , is a program which controls the boot process after basic system tests occur. It presents a menu that allows the user to select an operating system or kernel to boot. Its features include passing parameters and options to the kernel, and a minimal functional shell. Refer to http://www.gnu.org/software/grub/ for more information about GRUB.
An abbreviation for "internationalization," frequently used in programming to avoid unnecessary typing and misspellings. Internationalization is the provision of multiple translations for messages that applications produce. The 18 derives from the eighteen (18) letters between the beginning i and the ending n.
See Also l10n.
The entire set of computer processors that are compatible with the Intel x86 platform, including Intel Pentium and Celeron, AMD Athlon and Duron, and VIA C3 CPUs, are commonly referred to as i386. The i386 term is often used to refer a set of software packages that run on these processors.
The Intranet/Internet Input Method Framework, or IIIMF , is an Input method framework for handling languages such as CJK, which will not map readily to a standard keyboard device. IIIMF works by loading language engines dynamically at runtime as they are requested by clients.
Instant messaging, or IM , is a real-time, text-based form of communication. You can use IM to have conversations with individuals or groups. America Online, an Internet service provider, popularized IM in the 1990's, but many other providers such as Yahoo and Google offer similar services. Fedora has programs such as gaim that allow you to use IM to communicate with other Internet users.
Inkscape is a vector graphics illustration program. It uses SVG as the default file format. For more information about Inkscape, refer to http://www.inkscape.org/.
See Also Sodipodi.
A method used to enter text other than selecting each character directly on a keyboard or other input hardware. Input methods are widely used for entering ideographs and other characters phonetically or by component, such as in Esat Asian languages. Fedora Core uses the IIIMF platform by default, but also offers other platforms such as SCIM.
See Also CJK.
Internet Relay Chat, or IRC , is a communication protocol that allows users to type text messages to each other in approximately real time. You can use IRC to have conversations with individuals or groups. IRC is very similar to IM, and offers many of the same capabilities, but predates IM by many years.
ISO is an acronym that stands for International Standards Organization. It is also used as an abbreviation for the ISO-9660 format of a standard data CD-ROM. Fedora offers installation CDs for Fedora Core as downloadable files on the Internet, in the form of CD image files sometimes called ISO files. These files can be burned directly to CD media using a CD-Recordable drive, and the resulting CD will contain all the files on the original Fedora Core media.
KDE is a free and open desktop environment for UNIX-like operating systems such as Fedora. KDE also offers a complete development framework for writing graphical applications, as well as an office application suite. Refer to http://www.kde.org/whatiskde/ for more information about KDE.
A kernel is the core of an operating system, responsible for managing memory and conducting hardware operations. The Linux kernel used in Fedora is free and open source software, originally written by Linus Torvalds. Many computer scientists and programmers from around the world now contribute to its development.
Kickstart is a facility that allows system administrators to automate the installation of Fedora. To use Kickstart, the administrator creates a configuration file which contains all the information needed by Anaconda to complete the installation process. Refer to http://fedoraproject.org/wiki/Anaconda for more information about Kickstart.
The kudzu utility usually runs at boot time. The kudzu utility detects changes in the system's hardware configuration, and configures the devices for use with Fedora software. Refer to http://fedora.redhat.com/projects/additional-projects/kudzu/ for more information about kudzu.
An abbreviation for "localization," frequently used in programming to avoid unnecessary typing and misspelling. Localization is the provision of nation-specific settings for the representation of numbers, dates, currency, and other customary symbols. The 10 derives from the ten letters between the beginning l and the ending n.
See Also i18n.
The Lightweight Directory Access Protocol, or LDAP , is a standard for hierarchically organizing and accessing collections of information. This information may be practically anything, but LDAP is most often used to collect information about organizations, including personnel and resource information. Fedora includes support for OpenLDAP, which is a free and open source implementation of LDAP. For more information about OpenLDAP, refer to http://www.openldap.org/.
The LInux LOader, or LILO , is a small program used on older Linux systems to boot the Linux kernel or some other operating systems. LILO has been superseded by GRUB in Fedora.
The Linux Standard Base, or LSB , is a project that develops and promotes a set of standards to increase compatibility among Linux distributions. For more information about LSB, refer to http://www.linuxbase.org/.
The lspci utility displays information about all PCI buses in the system and all devices connected to them. It is frequently used to diagnose problems with hardware recognition or driver compatibility.
The md5sum utility computes a 128-bit message digest hash value for any specified files. A hash value is a "fingerprint" for a given file, created by a computation that makes it very unlikely that any two files will create the same hash value.
To download an MD5 hash program for Windows operating systems, refer to http://unxutils.sourceforge.net/.
The Fedora Core Installation CD 1 includes a memory testing utility called memtest86. To perform memory testing before you install Fedora Core, or to diagnose a RAM problem, enter memtest86 at the boot: prompt. The tests continue until you press the Esc key.
A mirror is a complete copy of an online resource. System administrators of computers connected to the Internet often create and provide mirrors for public use. If a resource has one or more mirrors, many more users can access its content without overloading the original resource.
To use a disk device such as a CD, USB drive, or floppy diskette, you must first mount it. Fedora uses a single unified file system for all attached devices. Windows systems, on the other hand, use a "drive letter" for each disk device, such as A: or C:. When you mount a disk device, its file system becomes part of the unified file system on Fedora. The device is mounted on a mount point, which is a directory that points to that device, such as /media/floppy. You must also unmount the file system before you eject or remove the disk, to insure all file information is safely written to the device.
Since these functions are often handled through user-friendly helpers, you may perform all mounting, unmounting, and file browsing through the graphical desktop interface. For instance, if you use the GNOME Desktop, the Nautilus file management utility makes it easy to perform these tasks.
The Mozilla Project produces several user applications such as the Firefox web browser and the Thunderbird email client. These programs are designed for standards compliance, performance and portability. For more information about Mozilla software, refer to http://www.mozilla.org/.
The GNOME desktop environment includes a file manager called Nautilus which provides a graphical display of your system and personal files. Nautilus also allows you to configure your desktop and Fedora, browse your photo collection, access your network resources, and more, all from an integrated interface.
Users often refer to a RPM file as a package.
See Also RPM.
Pine , short for a Program for Internet News and Email, is a tool for reading, sending, and managing electronic messages. Refer to http://www.washington.edu/pine/ for more information about Pine.
Rawhide is a package repository which contains the latest development versions of packages which will eventually be included in Fedora. These latest versions are sometimes called "bleeding edge" package, since they often include new and untested technology. You should consider the Rawhide repository "unstable," since any Rawhide package might be badly broken if the programmers are trying to add, change, or test features. If you want to develop programs for Fedora, you may want to install a system from Rawhide. If you only want to use a stable Fedora system, you should use the standard Fedora Core distribution instead.
Red Hat Enterprise Linux, or Red Hat Enterprise Linux , is a fully-supported enterprise-class operating system for open source computing. Red Hat Enterprise Linux runs on many system architectures, is certified by top enterprise software and hardware vendors, and is based on Fedora technology. Refer to http://www.redhat.com/software/rhel/ for more information about Red Hat Enterprise Linux.
Red Hat Graphical Boot, or rhgb, is an optional component of the boot process. The rhgb application produces a boot screen with a progress bar and fewer technical messages. The rhgb application allows you to click a link to see the technical boot messages if desired. Systems that have been upgraded from Red Hat Linux to Fedora Core are not configured to include rhgb.
The rhn-applet utility was originally designed for use with Red Hat Enterprise Linux and Red Hat Network. It provides a notification and user interface for system updates using up2date. It allows the user to retrieve and install system updates, but this usage is no longer recommended. Users should use yum for system updates instead.
RPM stands for RPM Package Manager. RPM is a robust database system for maintaining software on Fedora systems. Software packaged for Fedora is distributed in special package files called RPM files, or RPMs. System owners use the rpm utility to query the RPM database for information about installed software. Although some administrators use rpm to install, update, and remove software, it is recommended that you use yum for these purposes.
The rsync utility is used to perform incremental file transfers, meaning it can transfer only sections of data that have changed. Administrators frequently use rsync to create a mirror of an online resource. Refer to http://samba.anu.edu.au/rsync/ for more information about rsync.
The Smart Common Input Method platform, or SCIM , is a C++ library that abstracts input method interface into simple, independent classes. It provides a higher level and simpler interface than some other input method platforms.
See Also Input method.
SELinux is a set of extensions to the Linux kernel that provide extremely strong security. SELinux is based on role definitions, and allows very granular control over access to system resources based on those roles. These security measures limit the risk associated with computer intrusions by unauthorized persons. For more information about SELinux, refer to http://www.nsa.gov/selinux/ and http://fedora.redhat.com/docs/selinux-faq.
The sha1sum utility computes a 160-bit message digest hash value for any specified files. A hash value is a "fingerprint" for a given file, created by a computation that makes it very unlikely that any two files will create the same hash value.
Download mirrors for Fedora Core ISO image files also include a related SHA1SUMS file which contains the hash values for the ISO files. Run sha1sum against the downloaded files to verify the hash value. If a file's hash value does not match, you should not use that file to burn a CD. Try downloading the file again.
To download an SHA-1 hash program for Windows operating systems, refer to http://unxutils.sourceforge.net/.
Sodipodi is a vector graphics illustration application. It uses W3C SVG as its default format. Refer to http://sourceforge.net/projects/sodipodi/ for more information.
See Also Inkscape.
A source RPM, or SRPM , contains the source code for a RPM package. To read or modify a program's source, install its SRPM. You do not need SRPM packages to use the software itself.
See Also RPM.
The system-config-packages utility is a package installation for new Fedora Core systems which have no software updates installed yet. Since most administrators and users update their system software regularly, system-config-packages is not often used. Users should instead use the yum utility to install new software.
The up2date application is a utility for managing and updating software on Red Hat Enterprise Linux and Fedora systems. The up2date application has been superseded by yum-based utilities. Refer to http://fedora.redhat.com/docs/yum/ for more information on managing software on your Fedora system.
The vino utility is a variant of VNC used in Fedora Core 4 and beyond for remote assistance and control.
Virtual Network Computing, or VNC, is communication software that allows you to view and interact with another computer over the network. Fedora includes VNC server and client software, as well as the customized vino package. Refer to http://www.realvnc.com/ for more information about VNC.
An abbreviation for "Intel 80x86," the microprocessor family used in most PC systems. Users and developers tend to use this term rather broadly, since the very old 8086 and 80286 microprocessors are rarely seen and not usable with most modern Linux distributions. In Fedora terms, this abbreviation stands for Intel and Intel-compatible processors, Pentium class and above.
XFS is a scalable journaling filesystem developed by SGI and available for Fedora systems. Refer to http://oss.sgi.com/projects/xfs/faq.html#whatisxfs for more information about XFS.
The X Window System, or simply "X," is the underlying technology for GNOME, KDE, and other graphical environments used in Fedora. X is a network-based system for displaying and communicating graphical input and output. It is very flexible and is suitable for a wide variety of configurations such as remote desktops and thin-client applications.
Xen is an open source virtual machine monitor for Intel x86 machines which supports concurrent execution of multiple guest operating systems. Using Xen, an administrator can set up many virtual machines running on a single physical computer. Any single virtual machine, while executing, performs nearly as well as the physical system without Xen. Xen may be used for testing software, providing large-scale web hosting on limited hardware, any many other applications.
The Yellow Dog Updater, or yum , is a complete software management utility for RPM-based systems such as Fedora. It automatically determines software requirements, or dependencies, and uses this data to install, update, or remove packages. Refer to http://linux.duke.edu/projects/yum/ for more information about yum.
]]>
Daniel RobbinsQdrobbins@gentoo.orgQ?br />总裁Q首席执行官QGentoo TechnologiesQInc.
2001 q?9 ?br />**********
伴随着 Linux 2.4 版本的发行,出现了大量的文gpȝ可能性,其中包括 ReiserFS、XFS、GFS 和其它文件系l。这些文件系l听h的确都很P但是它们真正能做些什么呢Q擅长在哪些斚wQ以及在 Linux 产品环境下如何才能安全地使用它们呢?Daniel Robbins 通过向您展示如何?Linux 2.4 的环境下建立q些新的高文gpȝ来回{以上的问题。在q个部分QDaniel 单地介绍?tmpfsQ一个基?VM 的文件系l,q向您介l了 2.4 版本的“绑定”安装功能带来的新的可能?br />
在本文中Q我们要谈论几个相对ơ要的主题。首先,我们会简单地介绍一?tmpfsQ也是我们知道的虚拟内存(virtual memoryQVMQ文件系l。Tmpfs 可能是现?Linux 可以使用的最好的cM?RAM 盘的系l,而且?2.4 内核的一个新功能。然后,我们简单地介绍另一?2.4 内核的新功能Q叫做“绑定安装”,它在安装Q和重新安装Q文件系l的时候带来了很大的灵zL。介l?tmpfs
如果我必M下子说清?tmpfsQ我会说 tmpfs p虚拟盘QramdiskQ,但不一栗象虚拟盘一Ptmpfs 可以使用您的 RAMQ但它也可以使用您的交换分区来存储。而且传统的虚拟磁盘是个块讑֤Qƈ需要一?mkfs 之类的命令才能真正地使用它,tmpfs 是一个文件系l,而不是块讑֤Q您只是安装它,它就可以使用了。总而言之,q让 tmpfs 成ؓ我有Z遇到的最好的Z RAM 的文件系l?br />
tmpfs ?VM
让我们来看看 tmpfs 更有的一些特性吧。正如我前面提到的一Ptmpfs 既可以?RAMQ也可以使用交换分区。刚开始这看v来可能有Ҏ断,但请C tmpfs 也是我们知道的“虚拟内存文件系l”。而且Q您可能也知道,Linux 内核的虚拟内存资源同时来源于您的 RAM 和交换分区。内怸?VM 子系l将q些资源分配到系l中的其它部分,q负责在后台理q些资源Q通常是透明地将 RAM 늧动到交换分区或从交换分区?RAM c?br />
tmpfs 文gpȝ需?VM 子系l的面来存储文件。tmpfs 自己q不知道q些面是在交换分区q是?RAM 中;做这U决定是 VM 子系l的工作。tmpfs 文gpȝ所知道的就是它正在使用某种形式的虚拟内存?br />
不是块设?br />q里?tmpfs 文gpȝ另一个有的Ҏ。不同于大多数“标准的”文件系l,?ext3、ext2、XFS、JFS、ReiserFS 和其它一些系l,tmpfs q不是存在于一个底层块讑֤上面。因?tmpfs 是直接徏立在 VM 之上的,您用一个简单的 mount 命o可以创?tmpfs 文gpȝ了?br />
# mount tmpfs /mnt/tmpfs -t tmpfs
执行q个命o之后Q一个新?tmpfs 文gpȝ安装在 /mnt/tmpfsQ随时可以用。注意,不需q行 mkfs.tmpfsQ事实上Q那是不可能的,因ؓ没有q样的命令存在。在 mount 命o执行之后Q文件系l立卛_被安装ƈ且可以用了Q类型是 tmpfs。这?Linux 虚拟盘如何使用大相径庭Q标准的 Linux 虚拟盘是块讑֤Q所以在使用它们之前必须用您选择的文件系l将其格式化。相反,tmpfs 是一个文件系l。所以,您可以简单地安装它就可以使用了?br />
Tmpfs 的优?br />
动态文件系l的大小
您可能想知道我们前面?/mnt/tmpfs 安装?tmpfs 文gpȝ有多大。这个问题的{案有点意外Q特别是在和Z盘的文件系l比较的时候?mnt/tmpfs 最初会只有很小的空_但随着文g的复制和创徏Qtmpfs 文gpȝ驱动E序会分配更多的 VMQƈ按照需求动态地增加文gpȝ的空间。而且Q当 /mnt/tmpfs 中的文g被删除时Qtmpfs 文gpȝ驱动E序会动态地减小文gpȝq?VM 资源Q这样做可以?VM q回到@环当中以供系l中其它部分按需要用。因?VM 是宝늚资源Q所以您一定不希望M东西费出它实际所需?VMQtmpfs 的好处之一在于这些都是自动处理的?请参阅参考资料?br />
速度
tmpfs 的另一个主要的好处是它闪电般的速度。因为典型的 tmpfs 文gpȝ会完全驻留在 RAM 中,d几乎可以是瞬间的。即使用了一些交换分区,性能仍然是卓的Q当更多I闲?VM 资源可以使用Ӟq部?tmpfs 文gpȝ会被Ud?RAM 中去。让 VM 子系l自动地Ud部分 tmpfs 文gpȝC换分区实际上Ҏ能上是好的Q因样做可以?VM 子系lؓ需?RAM 的进E释攄间。这一点连同它动态调整大的能力Q比选择使用传统?RAM 盘可以让操作系l有好得多的整体性能和灵zL?br />
没有持久?br />q看h可能不象是个U极因素Qtmpfs 数据在重新启动之后不会保留,因ؓ虚拟内存本质上就是易q。我x可能猜到?tmpfs 被称为“tmpfs”的一个原因,不是吗?然而,q实际上可以是一件好事。它?tmpfs 成ؓ一个保存您不需保留的数据(如时文Ӟ可以?/tmp 中找刎ͼq有 /var 文gpȝ树的某些部分Q的卓越的文件系l?br />
使用 tmpfs
Z使用 tmpfsQ您所需要的是启用了“Virtual memory file system supportQ以前是 shm fsQ”选项?2.4 pd内核Q这个选项在内栔R|选项的“File systems”部分。一旦您有了一个启用了 tmpfs 的内核,您就可以开始安?tmpfs 文gpȝ了。其实,在您所有的 2.4 内核中都打开 tmpfs 选项是个好主意,不管您是否计划?tmpfs。这是因为您需要内?tmpfs 支持来?POSIX ׃n的内存。然而,System V ׃n的内存不需要内怸?tmpfs 可以工作。注意,您不需要ؓ了让 POSIX ׃n的内存工作而安?tmpfs 文gpȝQ您只需要在内核中支?tmpfs 可以了。POSIX ׃n的内存现在用得不太多,但这U情况可能会随着旉而改变?br />
避免?VM 情况
tmpfs Ҏ需要动态增大或减小的事实让人疑惑:如果您的 tmpfs 文gpȝ增大到它耗尽了所有虚拟内存的E度Q而您没有剩余?RAM 或交换分区,q时会发生什么?一般来_q种情况是有点讨厌。如果是 2.4.4 内核Q内怼立即锁定。如果是 2.4.6 内核QVM 子系l已l以很多U方式得C修正Q虽然耗尽 VM q不是一个美好的l历Q事情也不会完全地失败。如?2.4.6 内核C无法分配更多 VM 的程度,您显然不愿意不能?tmpfs 文gpȝ写Q何新数据。另外,可能会发生其他一些事情。首先,pȝ的其他一些进E会无法分配更多的内存;通常Q这意味着pȝ多半会变得极度缓慢而且几乎没有响应。这P用户要采取必要的步骤来缓解这U低 VM 的情况就会很困难Q或异常地耗时?br />
另外Q内核有一个内建的最l防U系l,用来在没有可用内存的时候释攑ֆ存,它会扑ֈ占用 VM 资源的进Eƈl止该进E。不q的是,q种“终止进E”的解决Ҏ?tmpfs 的用增加引?VM 耗尽的情况下通常会导致不良后果。以下是原因。tmpfs 本n不能Q也不应该)被终止,因ؓ它是内核的一部分而非一个用戯E,而且也没有容易的Ҏ可以让内核找出是那个q程占满?tmpfs 文gpȝ。所以,内核会错误地d它能扑ֈ的最大的占用 VM 的进E,通常会是 X 服务器(X serverQ,如果您碰巧在使用它。所以,您的 X 服务器会被终止,而引起低 VM 情况的根本原因(tmpfsQ却没有被解冟뀂Ick.
?VMQ解x?br />q运的是Qtmpfs 允许您在安装或重新安装文件系l的时候指定文件系l容量的最大g限。实际上Q从 2.4.6 内核?2.11g 内核Q这些参数只能在安装时设|,而不是重新安装时Q但我们可以期望在不久的来可以在重新安装时讄q些参数。tmpfs 定w最大值的最佌|依赖于资源和您特定?Linux L的用模式;q个x是要防止一个完全用资源的 tmpfs 文gpȝ耗尽所有虚拟内存结果导致我们前面谈到的p糕的低 VM 情况。寻扑֥?tmpfs 上限值的一个好Ҏ是?top 来监控您pȝ的交换分区在高峰使用阶段的用情c然后,保指定?tmpfs 上限E小于所有这些高C用时间内I闲交换分区和空?RAM 的d?br />
创徏有最大容量的 tmpfs 文gpȝ很容易。要创徏一个新的最?32 MB ?tmpfs 文gpȝQ请键入Q?br /># mount tmpfs /dev/shm -t tmpfs -o size=32m
q次Q我们没有把 tmpfs 文gpȝ安装?/mnt/tmpfsQ而是创徏?/dev/shmQ这正好?tmpfs 文gpȝ的“正式”安装点。如果您正好在?devfsQ您会发现这个目录已lؓ您创建好了?br />
q有Q如果我们想文件系l的定w限制?512 KB ?1 GB 以内Q我们可以分别指?size=512k ?size=1g。除了限制容量,我们q可以通过指定 nr_inodes=x 参数限制索引节点Q文件系l对象)。在使用 nr_inodes Ӟx 可以是一个简单的整数Q后面还可以跟一?k、m ?g 指定千、百万或十亿Q!Q个索引节点?br />
而且Q如果您x上面?mount tmpfs 命o的等价功能添加到 /etc/fstabQ应该是q样Q?br />
tmpfs /dev/shm tmpfs size=32m 0 0
在现存的安装点上安装
在以前?2.2 的时候,试图在已l安装了东西的安装点再次安装M东西都会引发错误。然而,重写后的内核安装代码使多ơ用安装点不再成ؓ问题。这里是一个示例的情况Q假设我们有一个现存的文gpȝ安装?/tmp。然而,我们军_要开始?tmpfs q行 /tmp 的存储。过去,您唯一的选择是卸蝲 /tmp q在其位|重新安装您新的 tmpfs/tmp 文gpȝQ如下所C:
# umount /tmp
# mount tmpfs /tmp -t tmpfs -o size=64m
可是Q这U解x案也许对您不用。可能有很多正在q行的进E在 /tmp 中有打开的文Ӟ如果是这P在试囑֍?/tmp Ӟ您就会遇到如下的错误Q?br />
umount: /tmp: device is busy
然而,使用最q的 2.4 内核Q您可以安装您新?/tmp 文gpȝQ而不会遇到“device is busy”错误:
# mount tmpfs /tmp -t tmpfs -o size=64m
用一条命令,您新?tmpfs /tmp 文gpȝp安装?/tmpQƈ安装在已l安装的不能再被直接讉K的分Z上。然而,虽然您不能访问原来的 /tmpQQ何在原文件系l上q有打开文g的进E都可以l箋讉K它们。而且Q如果您 unmount Z tmpfs ?/tmpQ原来安装的 /tmp 文gpȝ会重新出现。实际上Q您在相同的安装点上可以安装L数目的文件系l,安装点就象一个堆栈;卸蝲当前的文件系l,上一个最q安装的文gpȝ׃重新出现?br />
l定安装
使用l定安装Q我们可以将所有甚至部分已l安装的文gpȝ安装到另一个位|,而在两个安装点可以同时访问该文gpȝ。例如,您可以用绑定安装来安装您现存的Ҏ件系l到 /home/drobbins/niftyQ如下所C:
# mount --bind / /home/drobbins/nifty
现在Q如果您观察 /home/drobbins/nifty 的内部,您就会看到您的根文gpȝQ?home/drobbins/nifty/etc?home/drobbins/nifty/opt {)。而且Q如果您在根文gpȝ修改文gQ您?/home/drobbins/nifty 中也可以看到所作的改动。这是因为它们是同一个文件系l;内核只是单地为我们将该文件系l映到两个不同的安装点。注意,当您在另一处安装文件系l时QQ何安装在l定安装文gpȝ内部的安装点的文件系l都不会随之Ud。换句话_如果您在单独的文件系l上?/usrQ我们前面执行的l定安装׃?/home/drobbins/nifty/usr 为空。您会需要附加的l定安装命o来您能够浏览位?/home/drobbins/nifty/usr ?/usr 的内容:
# mount --bind /usr /home/drobbins/nifty/usr
l定安装部分文gpȝ
l定安装让更妙的事情成ؓ可能。假设您有一?tmpfs 文gpȝ安装在它的传l位|?/dev/shmQ您军_要开始在当前位于Ҏ件系l的 /tmp 使用 tmpfs。虽然可以在 /tmpQ这是可能的Q安装一个新?tmpfs 文gpȝQ您也可以决定让新的 /tmp ׃n当前安装?/dev/shm 文gpȝ。然而,虽然您可以在 /tmp l定安装 /dev/shm 完成了Q但您的 /dev/shm q包含一些您不想?/tmp 出现的目录。所以,您怎么做呢Q这样如何:
# mkdir /dev/shm/tmp
# chmod 1777 /dev/shm/tmp
# mount --bind /dev/shm/tmp /tmp
在这个示例中Q我们首先创Z一?/dev/shm/tmp 目录Q然后给?1777 权限Q对 /tmp 适当的许可。既然我们的目录已经准备好了Q我们可以安装,也只能安?/dev/shm/tmp ?/tmp。所以,虽然 /tmp/foo 会映到 /dev/shm/tmp/fooQ但您没有办法从 /tmp 讉K /dev/shm/bar 文g?br />
正如您所见,l定安装非常强大Q让您可以轻易地修改文gpȝ设计Q丝毫不必忙乱?/span>
]]>
l ntsysv
l chkconfig
l serviceconf
其中Q?/span> serviceconf 是在 X 下面的图形化的配|,很方便,׃作过多的介绍。剩下的两个都是可以在终端启动的。其中, ntsysv 是终端下面的囑Ş化配|程序,默认是用来配|当前运行别的启动服务。但是可以通过在后面加入参?/span> --level xxx 来指定修Ҏ影响的运行别。其?/span> “xxx?/span> 表示q行U别的数字,?/span> 0 ?/span> 9 Q不加Q何空根{如Q?/span>
ntsysv --level 345
表示要对q行?/span> 3 ?/span> 4 ?/span> 5 U的相应服务的启动配|作修改。启动之后,q单的选择希望在指定别下自动启动的服务了?/span>
chkconfig 可以用来列出、添加和删除pȝ服务的信息。这里需要特别指出的是,当我们向pȝ中添加一个服务时Q如 Mysql Server Q如果不?/span> RPM 安装Q需要手动进行启动。这Ӟ我们可以?/span> MySQL 的启动脚本,可能?/span> mysql.server 拯?/span> /etc/init.d/ 目录下。根据喜好,也可以将其更名ؓ mysqld 。这h较符合系l的命名习惯。这ӞZ使该服务可以在系l启动的时候自动运行,可以采用如下命o来添加:
chkconfig –add mysqld on
默认情况下,参数 on ?/span> off ?/span> reset 只媄?/span> 2 ?/span> 3 ?/span> 4 ?/span> 5 U的pȝ启动信息。如果需要特D定Ӟ可以使用参数 --level 对其q行指定。方式跟 ntsysv ?/span> --level 参数一致?/span>
]]>
Newcomers to Linux, especially those coming from a Windows background, often find files in the /etc directory to be difficult to understand. In this article, I provide a brief explanation of some of these files and their uses. Before we dive into the /etc directory however, I would like to point out that changes to some of these files can render your system unstable or in some circumstances unbootable. I cannot emphasize enough that you should make a backup of these files before making any changes.
Let's dive in:
/etc/exports: this file contains the partition configuration to load NFS (network filesystem). It states how partitions are mounted and shared with other Linux/UNIX systems.
/etc/ftpusers: this file contains the login names of users who are not allowed to log in by way of FTP. For security reasons, it is recommended to add the root user to this file.
/etc/fstab: this file automatically mounts filesystems that are spread across multiple drives or separate partitions. This file is checked when the system boots and filesystems are mounted.
/etc/hosts.[allow, deny]: you can control access to your network by using these files. Adds hosts that you want to grant access to your network to the hosts.allow file; add hosts that you want to deny access to hosts.deny.
/etc/inetd.conf or /etc/xinetd.conf: the inetd file can be called the father of networking services. This file is responsible for starting services such as FTP, telnet and the like. Some Linux distributions come with xinetd.conf, which stands for extended Internet services daemon. This file provides all the functionalities and capabilities of inetd but extends them further.
It is advisable to comment out services you do not use.
/etc/inittab: this file describes what takes place or which processes are started at bootup or at different runlevels. A runlevel is defined as the state in which the Linux box currently is in. Linux has seven runlevels, from 0-6.
/etc/motd: motd stands for message of the day. This file is executed and its contents displayed after a successful login.
/etc/passwd: this file contains user information. Whenever a new user is added, an entry is added to this file containing the user's login name, password and so on. This file is readable by everyone on the system. If the password field contains "x", then encrypted passwords are stored in /etc/shadow, a file that is accessible only by the root user.
/etc/profile: when a user logs in, a number of configuration files are executed, including /etc/profile. This file contains settings and global startup information for the bash shell.
/etc/services: this file works in conjunction with /etc/inetd.conf or /etc/xinetd.conf files (see above). This file determines which port a service mentioned in inetd.conf is to use, for example, FTP/21, TELNET/23 and so on.
/etc/securetty: this file lists TTYs from which root is allowed to log in. For security reasons it is recommended to keep only tty1 for root login.
/etc/shells: this file contains the names of all the shells installed on the system, along with their full path names.
I hope you enjoyed this article and hope it helped in your understanding the /etc directory. You might find other subdirectories beneath the /etc directory that are application specific. /etc/httpd and /etc/sendmail, for example, are for Apache and sendmail, respectively.
Copyright (c) 2003, AmirAli Lalji. Originally published in Linux Gazette issue 94. Copyright (c) 2003, Specialized Systems Consultants, Inc.
AmirAli Lalji is a system administrator/DBA who lives and works in the UK and Portugal.
]]>
RC
在Linux中,最为常用的~略语也许是“rc”,它是“runcomm”的~写――即名词“run command?q行命o)的简写。今天,“rc”是M脚本cL件的后缀Q这些脚本通常在程序的启动阶段被调用,通常是Linuxpȝ启动时。如/etc/rs是Linux启动的主脚本Q?bashrc是当Linux的bash shell启动后所q行的脚本?bashrc的前~?”是一个命名标准,它被设计用来在用h件中隐藏那些用户指定的特D文?“ls”命令默认情况下不会列出此类文gQ“rm”默认情况下也不会删除它们。许多程序在启动Ӟ都需要“rc”后~的初始文件或配置文gQ这对于Unix的文件系l视图来_没有什么神U的?/P>
ETC
在“etc/bin”中的“etc”真正代表的是“etcetera?附加?。在早期的Unixpȝ中,最为重要的目录是“bin”目?“bin”是“binaries”二q制文g――编译后的程序的~写)Q“etc”中则包含琐的E序Q如启动、关机和理。运行一个Linux必须的东西的列表?一个二q制E序QetceteraQetcetera――换句话_是一个底层的重要目Q通常d一些次{重要的零碎事物。今天,“etc”包含了q泛?A class=bluekey target=_blank>pȝ配置文gQ这些配|文件几乎包含了pȝ配置的方斚w面,同样非常重要?/P>
Bin
今天Q许多在Linux上运行的大型子系l,如GNOME或OracleQ所~译成的E序使用它们自己的“bin”目?或者是/usr/binQ或者是/usr/local/bin)作ؓ标准的存攑֜。同P现在也能够在q些目录看到脚本文gQ因为“bin”目录通常d到用LPATH路径中,q样他们才能够正常的使用E序。因此运行脚本通常在bin中运行良好?/P>
TTY
在Linux中,TTY也许是跟l端有关pȝ最为q术语。TTY是TeleTYpe的一个老羃写。TeletypesQ或者teletypewritersQ原来指的是电传打字机,是通过串行U用打印机键盘通过阅读和发送信息的东西Q和古老的甉|机区别ƈ不是很大。之后,当计机只能以批处理方式q行?当时I孔卡片阅读器是唯一一UɽE序载入q行的方?Q电传打字机成ؓ唯一能够被用的“实时”输?输出讑֤。最l,电传打字键盘和显C器l端所取代Q但在终端或TTY接插的地方,操作pȝ仍然需要一个程序来监视串行端口。一个getty“Get TTY”的处理q程?一个程序监视物理的TTY/l端接口。对一?A class=bluekey target=_blank>虚拟|络沮服务?VNC)来说Q一个伪装的TTY(Pseudo-TTYQ即家猫的TTYQ也叫做“PTY?是等Ll端。当你运行一个xterm(l端仿真E序)或GNOMEl端E序ӞPTY对虚拟的用户或者如xterm一L伪终端来_像是一个TTY在运行。“Pseudo”的意思是“duplicating in a fake way?用伪造的Ҏ复制)Q它相比“virtual”或“emulated”更能真实的说明问题。而在现在的计中Q它却处于被攑ּ的阶Dc?/P>
Dev
从TTY留下的命令有“stty”,是“set tty?讄TTY)的羃写,它能够生成一个配|文?etc/initab(“initialization table”,初始?Q以配置gettys使用哪一个串口。在CQ直接附加在LinuxH口上的唯一l端通常是控制台Q由于它是特D的TTYQ因此被命名为“console”。当Ӟ一旦你启动X11Q“console”TTY׃消失Q再也不能用串口协议。所有的TTY都被储存在?dev”目录,它是“[physical] devices?[物理]讑֤)的羃写。以前,你必d电脑后面的串口中接入一个新的终端时Q手工修改和配置每一个设备文件。现在,Linux(和Unix)在安装过E中在此目录中创徏了它所能向导的每一个设备的文g。这是_你很需要自己创建它?/P>
随着g在电脑中的移出移q,q些名字变得更加模p不清。幸q的是,今天在Linux上的高等UY件块对历史和g使用Ҏ理解的名字。D例来_嗯,Pango(http://www.pango.org/)是其中之一?/P>
如果你对q些内容很感兴趣Q那么我你阅d大的Q但有些以美国英语历史ؓ中心的,由Eric S. Raymond撰写的Jargon File。它q没有解释所有在Unix中用的术语Q但是它l出了这些Ş成的大致情况?/P>
]]>