System and Network Administration
lecture
in color
Providing services
- without service, everything is easy.
- set up system, start using it.
- services make things more difficult
- special processes
- special initialization files
Where we are:
- name of a service is triple (ip address, protocol, port number)
- don't know how one associates a name with an actual service.
Providing services is a long story
- structure of unix
- processes and daemons
- daemon scheduling
UNIX consists of four kinds of programs:
- KERNEL - /boot/linix, the 'operating system'. responsible for:
- managing memory, disk, cpu time.
- scheduling tasks(processes)
- SHELLS: /usr/bin/tcsh, /bin/sh (Bourne Shell)
- invoked by user actions.
- directly interact with users.
- control I/O for programs.
a.out < file (glue file to input for a.out)
- translate CONTROL CHARACTERS into SIGNALS.
- USER PROGRAMS - cat, gcc, etc.
- invoked by shells.
- directly interact with users.
- killed by control-C, etc passed from the SHELL.
- DAEMONS - bootpd, named, etc.
- invoked at system startup
- end with 'd'.
- in */sbin or */etc.
- run as root(!)
- interact with OTHER SYSTEMS(and perhaps users thereupon).
- provide network services.
- a DAEMON is different from a DEMON. A DAEMON is a motivating
(perhaps pantheistic) force, as in 'Maxwell's daemon'.
- controlled by use of SIGNALS.
Process concepts:
- process ID: number between 0 and 65535 (wraps from 65535 to 0)
- parent process: process that 'spawned' this one.
- spawning:
- child inherits environment from parent
- environment variables (PATH=, MANPATH=)
- open files in parent stay open in child.
Forms of process spawning:
- exec: replace current process with new one.
In C:
char *program, *arg1, *arg2, *arg3, ....; /* strings */
execl(program, arg1, arg2, arg3, ....);
In csh,sh:
exec /bin/cat
replaces the current shell with an instance of cat!
- fork: make two COPIES of an existing process.
in C:
int childpid = fork();
if (childpid) { /* in parent */ }
else { /* in child */ }
- fork and exec: make a copy that becomes another program.
In C:
int childpid = fork();
if (childpid) { /* in parent */ }
else {
execl(program, arg1, arg2, arg3, ...);
}
- fork, exec, and join (fork-join): fork, exec, wait for completion.
In C:
system("/usr/bin/cat soandso");
or the equivalent:
int childpid = fork();
if (childpid) {
int status = 0;
int gotpid = waitpid(childpid,&status,0);
} else {
/* parse system arguments into program name and arguments */
execl("/usr/bin/cat", "soandso");
}
Process spawning rules:
- every process is a child of init (process 0).
- init is its own parent.
- every other process has a parent that spawned it.
- manipulating a process automatically manipulates its
immediate children
- if a parent dies, the children are then on their own.
- dirty trick (dissociation) to intentionally orphan a process,
kill its parent with a fork!
if (fork()) exit(0);
Then the process has no living parent -> on its own.
- if init dies, system reboots!
Viewing processes:
Stupid process tricks:
- It's often awkward to deal with processes directly.
- use awk(1) or perl(1) to tear apart process LISTING.
- list all process numbers owned by couch.
ps -ef | awk '$1=="couch" { print $2 }'
- kill all processes owned by couch:
kill -9 `ps -ef | awk '$1=="couch" { print $2 }'`
(substitutes the output of the former into the command)
- kill all commands called emacs (including commands stupid enough
to name themselves emacs without being emacs:
kill -9 `ps -ef | awk '$8 ~ /emacs/ { print $2 }'`
Awk:
- table processing language
- complete programs occupy one line.
- each program has a guard clause and an action clause.
- variables $1,$2,$3 apply to fields in input.
- guard clauses:
- $8 ~ /emacs/: matches any line in which field 8 CONTAINS the pattern emacs.
- $1 == "couch" : equality. >=, >, <=, <, != similarly.
- $8 !~ /emacs/ : matches anything that doesn't contain emacs.
- A && B, A || B, etc. all work as in C.
- program statements:
- print something; prints the thing.
- for, while work as in C.
- variables are created when referenced.
- Arrays are full associative: a["foo"]="bar"; is legal.
EX: simple program to figure out how many processes people have:
BEGIN { # BEGIN is done before any input read.
count=0;
}
$2 != "PID" { # skip first line of ps.
# for each new UID, put into people.
# then increment procs[uid].
if (!procs[$1]) { people[count++]=$1; }
procs[$1]++; # count for each PERSON of processes.
}
END { # END is done after eof on input.
for (i=0; i<count; i++) {
print people[i],procs[people[i]];
}
}
ps -ef | awk -f count.awk
Controlling processes:
- when running under a shell, processes respond to CONTROL CHARACTERS.
These are translated by the shell into SIGNALS sent to the process.
- when running without a controlling terminal, processes
communicate via SIGNALS. A SIGNAL is a message containing an integer.
Each integer has a specific meaning.
In /usr/include/sys/signal.h:
#define SIGHUP 1 /* hangup, generated when terminal disconnects */
#define SIGINT 2 /* interrupt, generated from terminal special char */
#define SIGQUIT 3 /* (*) quit, generated from terminal special char */
#define SIGILL 4 /* (*) illegal instruction (not reset when caught)*/
#define SIGTRAP 5 /* (*) trace trap (not reset when caught) */
#define SIGABRT 6 /* (*) abort process */
#define SIGEMT 7 /* (*) EMT instruction */
#define SIGFPE 8 /* (*) floating point exception */
#define SIGKILL 9 /* kill (cannot be caught or ignored) */
#define SIGBUS 10 /* (*) bus error (specification exception) */
#define SIGSEGV 11 /* (*) segmentation violation */
#define SIGSYS 12 /* (*) bad argument to system call */
#define SIGPIPE 13 /* write on a pipe with no one to read it */
#define SIGALRM 14 /* alarm clock timeout */
#define SIGTERM 15 /* software termination signal */
#define SIGURG 16 /* (+) urgent contition on I/O channel */
#define SIGSTOP 17 /* (@) stop (cannot be caught or ignored) */
#define SIGTSTP 18 /* (@) interactive stop */
#define SIGCONT 19 /* (!) continue if stopped */
#define SIGCHLD 20 /* (+) sent to parent on child stop or exit */
#define SIGTTIN 21 /* (@) background read attempted from control terminal*/
#define SIGTTOU 22 /* (@) background write attempted to control terminal */
#define SIGPOLL 23 /* I/O possible, or completed */
#define SIGXCPU 24 /* cpu time limit exceeded (see setrlimit()) */
#define SIGXFSZ 25 /* file size limit exceeded (see setrlimit()) */
#define SIGVTALRM 26 /* virtual time alarm (see setitimer) */
#define SIGPROF 27 /* profiling time alarm (see setitimer) */
#define SIGWINCH 28 /* (+) window size changed */
#define SIGINFO 29 /* (+) information request */
#define SIGUSR1 30 /* user defined signal 1 */
#define SIGUSR2 31 /* user defined signal 2 */
#define SIGRESV 32 /* reserved by Digital for future use */
Special signals:
- INT (2) die with full honors (control-C).
- QUIT (3) die with core dump (control-\).
- KILL (9) die without honor.
- TERM (15) kindest kind of death. required for processes that
must clean up after themselves (automountd)
- HUP (1) re-read databases (VERY IMPORTANT).
Signal handling:
- some processes BLOCK some signals.
- must remember that SIGINT and SIGQUIT are blockable, but
SIGKILL isn't.
Configuring a service:
- edit its databases.
- start its daemon(s).
- arrange for them to start at system startup.
When daemons are started: run-levels:
- BSD system: two run levels (single user and multiuser)
- single-user: no network services. (control-D -> multiuser)
- multiuser: network services. (shutdown -> single user)
- System V: multiple 'run levels'.
0: dead.
1, S: single user.
2: user services (interactive login).
3: network services (nfs, etc)
6: reboot.
- Linux: 5 run levels, ill-defined
0: dead
1: single-user
5: multi-user with network services enabled.
- to change run levels:
init 3 ( go to multiuser)
init 0 # /etc/halt
init 6 # /etc/reboot
Two ways to start services:
- BSD:
- /etc/rc.boot, rc.single: bring up single user mode from nothing.
- /etc/rc.local: command script to run at beginning of multiuser mode.
- sh scripts: bizarre syntax
- System V: (OSF4)
- /etc/init.d, /sbin/init.d: lots of little individual scripts to run.
- each script takes two possible parameters, 'stop' and 'start'
- 'start' : start a daemon
- 'stop' : stop a daemon
- /sbin/init.d/named: script that starts and stops name service.
- /sbin/init.d/named start : starts it.
- /sbin/init.d/named stop : stops it.
- /sbin/rc*.d: ordered list of scripts to run
- symlinks to things in /sbin/init.d
/sbin/rc3.d/S15named -> /sbin/init.d/named MEANS
^ run level
^^^ Action and order (lower is earlier)
^^^^^ daemon to start or stop. S=start, K=stop.
Call this with parameter start, when system coming up to run level 3.
/sbin/rc2.d/K35nfs -> /sbin/init.d/nfs MEANS
^ run level
^^^ Action and order (lower is earlier)
Call this with parameter stop, when system coming down past run level 2.
- Linux: /etc/rc.d/init.d, /etc/rc.d/rc?.d.
Reconfiguring a service:
- edit databases.
- tell daemons to re-read databases by
- kill and restart (lpd, lpsched, etc. )
- lpd : ps -ef | grep lpd; kill {pid} ; /usr/lib/lpd.
- lpsched: /usr/bin/lpshut ; /usr/lib/lpsched
- send HUP (bootp, inetd, named)
- if doesn't work the first time, might have to kill and restart.
- kill with auto-restart (inetd daemons, in.*)
- bootpd will restart itself if you kill it!
- send SIGTERM and restart (automount).
- things get REALLY AWFUL if you don't.
- reboot (automount in practice).
Must remember what to do for each specific daemon
Classes of daemons:
- organic: run by themselves, run all the time, started at boot time.
- embedded: run by the superdaemon _inetd_.
- wait: run only one instance when service requested.
- typically, this daemon will lock into memory,
- to restart, simply kill the instance.
- EX: bootp.
- fork, exec, join of inetd.
- Daemon itself has control over further forking
(forking consumes system resources)
- nowait: run as many instances as demands require.
- typically, daemon responds and exits.
- inetd then schedules another.
- no restart needed.
- fork and exec.
- inetd fails to control forking.
Inetd configuration
- /etc/inetd.conf: configuration file for inetd.
- inetd listens on ALL PORTS LISTED IN inetd.conf.
- selectively runs daemons as needed.
EX: BOOTP has a line:
#name socktyp proto wait user command arguments
bootps dgram udp wait root /usr/sbin/bootpd bootpd
^ SERVICE NAME (from /etc/services)
^ SOCKET TYPE: dgram, stream, raw, rdm, seqpacket.
^ PROTOCOL: udp, tcp, or any other protocol in /etc/protocols.
^ wait or nowait.
^ user to run this as
^ COMMAND to execute
Sample inetd file
# Syntax for socket-based Internet services:
# <service_name> <socket_type> <proto> <flags> <user> <server_pathname> <args>
#
# Syntax for TLI-based Internet services:
# <service_name> tli <proto> <flags> <user> <server_pathname> <args>
#
# Ftp and telnet are standard Internet services.
#
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
#
# Tnamed serves the obsolete IEN-116 name server protocol.
#
name dgram udp wait root /usr/sbin/tcpd in.tnamed
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
shell stream tcp nowait root /usr/sbin/tcpd in.rshd
login stream tcp nowait root /usr/sbin/tcpd in.rlogind
exec stream tcp nowait root /usr/sbin/tcpd in.rexecd
comsat dgram udp wait root /usr/sbin/tcpd in.comsat
talk dgram udp wait root /usr/sbin/tcpd in.talkd
#
# Must run as root (to read /etc/shadow); "-n" turns off logging in utmp/wtmp.
#
uucp stream tcp nowait root /usr/sbin/tcpd in.uucpd
#
# Tftp service is provided primarily for booting. Most sites run this
# only on machines acting as "boot servers."
#
#tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
#
# Finger, systat and netstat give out user information which may be
# valuable to potential "system crackers." Many sites choose to disable
# some or all of these services to improve security.
#
finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
#systat stream tcp nowait root /usr/bin/ps ps -ef
#netstat stream tcp nowait root /usr/bin/netstat netstat -f inet
#
# Time service is used for clock synchronization.
#
time stream tcp nowait root internal
time dgram udp wait root internal
#
# Echo, discard, daytime, and chargen are used primarily for testing.
#
echo stream tcp nowait root internal
echo dgram udp wait root internal
discard stream tcp nowait root internal
discard dgram udp wait root internal
daytime stream tcp nowait root internal
daytime dgram udp wait root internal
chargen stream tcp nowait root internal
chargen dgram udp wait root internal
...
Recall /etc/services: what are network services?
tcpmux 1/tcp
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp users
daytime 13/tcp
daytime 13/udp
netstat 15/tcp
chargen 19/tcp ttytst source
chargen 19/udp ttytst source
ftp-data 20/tcp
ftp 21/tcp
telnet 23/tcp
smtp 25/tcp mail
time 37/tcp timserver
time 37/udp timserver
name 42/udp nameserver
whois 43/tcp nicname # usually to sri-nic
domain 53/udp
domain 53/tcp
bootps 67/udp # BOOTP/DHCP server
bootpc 68/udp # BOOTP/DHCP client
hostnames 101/tcp hostname # usually to sri-nic
pop2 109/tcp pop-2 # Post Office Protocol - V2
pop3 110/tcp # Post Office Protocol - Version 3
sunrpc 111/udp rpcbind
sunrpc 111/tcp rpcbind
imap 143/tcp imap2 # Internet Mail Access Protocol v2
ldap 389/tcp # Lightweight Directory Access Protocol
ldap 389/udp # Lightweight Directory Access Protocol
ldaps 636/tcp # LDAP protocol over TLS/SSL (was sldap)
ldaps 636/udp # LDAP protocol over TLS/SSL (was sldap)
#
# Host specific functions
#
tftp 69/udp
rje 77/tcp
finger 79/tcp
link 87/tcp ttylink
supdup 95/tcp
iso-tsap 102/tcp
x400 103/tcp # ISO Mail
x400-snd 104/tcp
csnet-ns 105/tcp
pop-2 109/tcp # Post Office
uucp-path 117/tcp
nntp 119/tcp usenet # Network News Transfer
ntp 123/tcp # Network Time Protocol
ntp 123/udp # Network Time Protocol
NeWS 144/tcp news # Window System
cvc_hostd 442/tcp # Network Console
#
# UNIX specific services
#
# these are NOT officially assigned
#
exec 512/tcp
login 513/tcp
shell 514/tcp cmd # no passwords used
printer 515/tcp spooler # line printer spooler
courier 530/tcp rpc # experimental
uucp 540/tcp uucpd # uucp daemon
biff 512/udp comsat
who 513/udp whod
syslog 514/udp
talk 517/udp
route 520/udp router routed
klogin 543/tcp # Kerberos authenticated rlogin
new-rwho 550/udp new-who # experimental
rmonitor 560/udp rmonitord # experimental
monitor 561/udp # experimental
pcserver 600/tcp # ECD Integrated PC board srvr
kerberos-adm 749/tcp # Kerberos V5 Administration
kerberos-adm 749/udp # Kerberos V5 Administration
kerberos 750/udp kdc # Kerberos key server
kerberos 750/tcp kdc # Kerberos key server
krb5_prop 754/tcp # Kerberos V5 KDC propogation
ufsd 1008/tcp ufsd # UFS-aware server
ufsd 1008/udp ufsd
cvc 1495/tcp # Network Console
ingreslock 1524/tcp
www-ldap-gw 1760/tcp # HTTP to LDAP gateway
www-ldap-gw 1760/udp # HTTP to LDAP gateway
listen 2766/tcp # System V listener port
nfsd 2049/udp nfs # NFS server daemon (clts)
nfsd 2049/tcp nfs # NFS server daemon (cots)
eklogin 2105/tcp # Kerberos encrypted rlogin
lockd 4045/udp # NFS lock daemon/manager
lockd 4045/tcp
dtspc 6112/tcp # CDE subprocess control
fs 7100/tcp # Font server
...
/etc/protocols: what are names of protocols?
ip 0 IP # internet protocol, pseudo protocol number
icmp 1 ICMP # internet control message protocol
ggp 3 GGP # gateway-gateway protocol
tcp 6 TCP # transmission control protocol
egp 8 EGP # exterior gateway protocol
pup 12 PUP # PARC universal packet protocol
udp 17 UDP # user datagram protocol
hmp 20 HMP # host monitoring protocol
xns-idp 22 XNS-IDP # Xerox NS IDP
rdp 27 RDP # "reliable datagram" protocol
#
# Internet (IPv6) extension headers
#
ipv6 41 IPv6 # IPv6 in IP encapsulation
ipv6-route 43 IPv6-Route # Routing header for IPv6
ipv6-frag 44 IPv6-Frag # Fragment header for IPv6
esp 50 ESP # Encap Security Payload for IPv6
ah 51 AH # Authentication Header for IPv6
ipv6-icmp 58 IPv6-ICMP # IPv6 internet control message protocol
ipv6-nonxt 59 IPv6-NoNxt # No next header extension header for IPv6
ipv6-opts 60 IPv6-Opts # Destination Options for IPv6
Inetd function:
- pretend to be all services listed in /etc/inetd.conf.
- if someone contacts you, fork and exec the CORRECT daemon
and let it respond.
- this works because:
- forked programs have the same open files as the original
- so this one inherits a connection to the requestor
- so it can pretend it was running all along.
How to read inetd.conf
- actually need to understand several files
- inetd.conf: what inetd services are.
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
^^^proto^^^^^^execution control
^^^^^^ service^^^^^^kind ^^^^ user ^^^^^^^^^^ progname
^^^^^^^^^^^^^^file
- services: explains field 1 of inetd.conf
telnet 23/tcp
^^^^^^ service name ^^number
^^^ protocol (/etc/protocols)
- protocols: explains field 3 of inetd.conf
tcp 6 TCP # transmission control protocol
^^^ name ^ number
The awful truth: names are fake
- none of these names are known to the Internet
- They're provided for HUMANS
- Actual packets contain the NUMBERS
- to read raw packets, must translate between names and numbers!
Two kinds of inetd daemons
- wait: daemon terminates at completion of each request.
- called this because inetd must call the wait(2) system call.
- you don't have to kill these
- nowait: daemon stays active until requests cease.
- you may have to kill these if they don't die.
Time/space tradeoff
- daemons that run all the time
- take memory all the time
- respond to requests quickly.
- ex httpd (web service)
- daemons that are started by inetd
- don't run all the time
- take no memory when idle
- ex: telnetd
lecture
in color
/comp/150NET/notes/service-old.php
downloaded on Nov-23-2009 03:54:25 PM,
was last modified on Feb-17-2004 10:49:51 PM.
All lecture note content is copyright 2004 by
Alva L. Couch,
Computer Science,
Tufts University