
Principles of Network

and System Administration

Second Edition

Mark Burgess

Oslo University College, Norway


Second edition copyright © 2004 John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ, England

Telephone (+44) 1243 779777

Email (for orders and customer service enquiries): cs-books@wiley.co.uk

Visit our Home Page on www.wileyeurope.com or www.wiley.com

First edition copyright © 2000 John Wiley & Sons Ltd

Cover painting: Man + Air + Space, 1915 (oil on canvas) by Lyubov’ Sergeevna Popova (1889–1924), State Russian Museum, St Petersburg, Russia/Bridgeman Art Gallery

All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except under the terms of the Copyright, Designs and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency Ltd, 90 Tottenham Court Road, London W1T 4LP, UK, without the permission in writing of the Publisher, with the exception of any material supplied specifically for the purpose of being entered and executed on a computer system for exclusive use by the purchaser of the publication. Requests to the Publisher should be addressed to the Permissions Department, John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ, England, or emailed to permreq@wiley.co.uk, or faxed to (+44) 1243 770620.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the Publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought.

Other Wiley Editorial Offices

John Wiley & Sons Inc., 111 River Street, Hoboken, NJ 07030, USA

Jossey-Bass, 989 Market Street, San Francisco, CA 94103-1741, USA

Wiley-VCH Verlag GmbH, Boschstr. 12, D-69469 Weinheim, Germany

John Wiley & Sons Australia Ltd, 33 Park Road, Milton, Queensland 4064, Australia

John Wiley & Sons (Asia) Pte Ltd, 2 Clementi Loop #02-01, Jin Xing Distripark, Singapore 129809

John Wiley & Sons Canada Ltd, 22 Worcester Road, Etobicoke, Ontario, Canada M9W 1L1

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Cataloging-in-Publication Data

Burgess, Mark, 1966–

Principles of network and system administration / Mark Burgess. – 2nd ed. p. cm.

ISBN 0-470-86807-4 (Paper : alk. paper)

1. Computer networks – Management. 2. Computer systems. I. Title. TK5105.5.B863 2003

005.4'3 – dc22

2003019766

British Library Cataloguing in Publication Data

A catalogue record for this book is available from the British Library

ISBN 0-470-86807-4

Typeset in 10/12pt Bookman by Laserwords Private Limited, Chennai, India

Printed and bound in Great Britain by Biddles Ltd, Guildford and King’s Lynn

This book is printed on acid-free paper responsibly manufactured from sustainable forestry in which at least two trees are planted for each one used for paper production.

Contents

Preface to second edition . . . xi

1 Introduction . . . 1
1.1 What is network and system administration? . . . 1
1.2 Applying technology in an environment . . . 2
1.3 The human role in systems . . . 2
1.4 Ethical issues . . . 3
1.5 Is system administration a discipline? . . . 3
1.6 The challenges of system administration . . . 4
1.7 Common practice and good practice . . . 5
1.8 Bugs and emergent phenomena . . . 6
1.9 The meta principles of system administration . . . 6
1.10 Knowledge is a jigsaw puzzle . . . 7
1.11 To the student . . . 8
1.12 Some road-maps . . . 9

2 System components . . . 11
2.1 What is ‘the system’? . . . 11
2.2 Handling hardware . . . 13
2.3 Operating systems . . . 16
2.4 Filesystems . . . 25
2.5 Processes and job control . . . 43
2.6 Networks . . . 46
2.7 IPv4 networks . . . 55
2.8 Address space in IPv4 . . . 63
2.9 IPv6 networks . . . 68

3 Networked communities . . . 75
3.1 Communities and enterprises . . . 75
3.2 Policy blueprints . . . 76
3.3 System uniformity . . . 77
3.4 User behavior: socio-anthropology . . . 78
3.5 Clients, servers and delegation . . . 78
3.6 Host identities and name services . . . 80
3.7 Common network sharing models . . . 82
3.8 Local network orientation and analysis . . . 86

4 Host management . . . 109
4.1 Global view, local action . . . 109
4.2 Physical considerations of server room . . . 109
4.3 Computer startup and shutdown . . . 111
4.4 Configuring and personalizing workstations . . . 114
4.5 Installing a Unix disk . . . 121
4.6 Installation of the operating system . . . 124
4.7 Software installation . . . 131
4.8 Kernel customization . . . 140

5 User management . . . 147
5.1 Issues . . . 147
5.2 User registration . . . 147
5.3 Account policy . . . 153
5.4 Login environment . . . 154
5.5 User support services . . . 161
5.6 Controlling user resources . . . 163
5.7 Online user services . . . 168
5.8 User well-being . . . 171
5.9 Ethical conduct of administrators and users . . . 173
5.10 Computer usage policy . . . 186

6 Models of network and system administration . . . 195
6.1 Information models and directory services . . . 196
6.2 System infrastructure organization . . . 201
6.3 Network administration models . . . 207
6.4 Network management technologies . . . 213
6.5 Creating infrastructure . . . 219
6.6 System maintenance models . . . 223
6.7 Competition, immunity and convergence . . . 225
6.8 Policy and configuration automation . . . 227
6.9 Integrating multiple OSs . . . 228
6.10 A model checklist . . . 231

7 Configuration and maintenance . . . 235
7.1 System configuration policy . . . 236
7.2 Methods: controlling causes and symptoms . . . 237
7.3 Change management . . . 239
7.4 Declarative languages . . . 240
7.5 Policy configuration and its ethical usage . . . 240
7.6 Common assumptions: clock synchronization . . . 241
7.7 Human–computer job scheduling . . . 242
7.8 Automation of host configuration . . . 248
7.9 Preventative host maintenance . . . 252
7.10 SNMP tools . . . 255
7.11 Cfengine . . . 258
7.12 Database configuration management . . . 268

8 Diagnostics, fault and change management . . . 281
8.1 Fault tolerance and propagation . . . 281
8.2 Networks and small worlds . . . 283
8.3 Causality and dependency . . . 285
8.4 Defining the system . . . 287
8.5 Faults . . . 288
8.6 Cause trees . . . 297
8.7 Probabilistic fault trees . . . 299
8.8 Change management revisited . . . 303
8.9 Game-theoretical strategy selection . . . 304
8.10 Monitoring . . . 313
8.11 System performance tuning . . . 314
8.12 Principles of quality assurance . . . 324

9 Application-level services . . . 331
9.1 Application-level services . . . 331
9.2 Proxies and agents . . . 332
9.3 Installing a new service . . . 333
9.4 Summoning daemons . . . 333
9.5 Setting up the DNS nameservice . . . 337
9.6 Setting up a WWW server . . . 353
9.7 E-mail configuration . . . 365
9.8 OpenLDAP directory service . . . 373
9.9 Mounting NFS disks . . . 374
9.10 Samba . . . 378
9.11 The printer service . . . 379
9.12 Java web and enterprise services . . . 382

10 Network-level services . . . 391
10.1 The Internet . . . 391
10.2 A recap of networking concepts . . . 392
10.3 Getting traffic to its destination . . . 393
10.4 Alternative network transport technologies . . . 397
10.5 Alternative network connection technologies . . . 400
10.6 IP routing and forwarding . . . 401
10.7 Multi-Protocol Label Switching (MPLS) . . . 407
10.8 Quality of Service . . . 408
10.9 Competition or cooperation for service? . . . 413
10.10 Service Level Agreements . . . 415

11 Principles of security . . . 423
11.1 Four independent issues . . . 424
11.2 Physical security . . . 426
11.3 Trust relationships . . . 427
11.4 Security policy and definition of security . . . 427
11.5 RFC 2196 and BS/ISO 17799 . . . 430
11.6 System failure modes . . . 432
11.7 Preventing and minimizing failure modes . . . 440
11.8 Some well-known attacks . . . 445

12 Security implementation . . . 453
12.1 System design and normalization . . . 453
12.2 The recovery plan . . . 454
12.3 Data integrity and protection . . . 454
12.4 Authentication methods . . . 463
12.5 Analyzing network security . . . 469
12.6 VPNs: secure shell and FreeS/WAN . . . 477
12.7 Role-based security and capabilities . . . 478
12.8 WWW security . . . 478
12.9 IPSec – secure IP . . . 480
12.10 Ordered access control and policy conflicts . . . 483
12.11 IP filtering for firewalls . . . 485
12.12 Firewalls . . . 486
12.13 Intrusion detection and forensics . . . 493
12.14 Compromised machines . . . 494

13 Analytical system administration . . . 499
13.1 Science vs technology . . . 499
13.2 Studying complex systems . . . 500
13.3 The purpose of observation . . . 502
13.4 Evaluation methods and problems . . . 502
13.5 Evaluating a hierarchical system . . . 504
13.6 Deterministic and stochastic behavior . . . 518
13.7 Observational errors . . . 528
13.8 Strategic analyses . . . 536
13.9 Summary . . . 536

14 Summary and outlook . . . 539
14.1 Information management in the future . . . 540
14.2 Collaboration with software engineering . . . 540
14.3 Pervasive computing . . . 541
14.4 The future of system administration . . . 541

A Some useful Unix commands . . . 543

B Programming and compiling . . . 549
B.1 Make . . . 549
B.2 Perl . . . 553
B.3 WWW and CGI programming . . . 574

C Example telnet session . . . 581

D Glossary . . . 591

E Recommended reading . . . 597

Bibliography . . . 599

Index . . . 623