"export KEY_EMAIL=\"steve@example.com\"\n"

#: serverguide/C/vpn.xml:76(para)
msgid "Enter the following to create the server certificates:"

#: serverguide/C/vpn.xml:92(para)
"Enter the following to generate the master Certificate Authority (CA) "
"certificate and key:"

#: serverguide/C/vpn.xml:81(command) serverguide/C/vpn.xml:102(command)
#: serverguide/C/vpn.xml:97(command) serverguide/C/vpn.xml:145(command)
msgid "cd /etc/openvpn/easy-rsa/"

#: serverguide/C/vpn.xml:82(command) serverguide/C/vpn.xml:103(command)
#: serverguide/C/vpn.xml:98(command) serverguide/C/vpn.xml:146(command)
msgid "source vars"

#: serverguide/C/vpn.xml:83(command)
#: serverguide/C/vpn.xml:99(command)
msgid "./clean-all"
#: serverguide/C/vpn.xml:84(command)
#: serverguide/C/vpn.xml:100(command)

#: serverguide/C/vpn.xml:105(title)
msgid "Server Certificates"

#: serverguide/C/vpn.xml:107(para)
msgid "Next, we will generate a certificate and private key for the server:"

#: serverguide/C/vpn.xml:112(command)
msgid "./build-key-server myservername"

#: serverguide/C/vpn.xml:115(para)
"As in the previous step, most parameters can be defaulted. Two other queries "
"require positive responses, \"Sign the certificate? [y/n]\" and \"1 out of 1 "
"certificate requests certified, commit? [y/n]\"."

#: serverguide/C/vpn.xml:119(para)
msgid "Diffie-Hellman parameters must be generated for the OpenVPN server:"

#: serverguide/C/vpn.xml:124(command)
msgid "./build-dh"

#: serverguide/C/vpn.xml:85(command)
msgid "./pkitool --initca"

#: serverguide/C/vpn.xml:86(command)
msgid "./pkitool --server server"

#: serverguide/C/vpn.xml:87(command)

#: serverguide/C/vpn.xml:88(command)
msgid "openvpn --genkey --secret ta.key"

#: serverguide/C/vpn.xml:89(command)
msgid "sudo cp server.crt server.key ca.crt dh1024.pem ta.key /etc/openvpn/"

#: serverguide/C/vpn.xml:94(title)

#: serverguide/C/vpn.xml:127(para)
"All certificates and keys have been generated in the subdirectory keys/. "
"Common practice is to copy them to /etc/openvpn/:"

#: serverguide/C/vpn.xml:131(command)

#: serverguide/C/vpn.xml:132(command)
msgid "cp myservername.crt myservername.key ca.crt dh1024.pem /etc/openvpn/"
#: serverguide/C/vpn.xml:137(title)
msgid "Client Certificates"

#: serverguide/C/vpn.xml:96(para)
#: serverguide/C/vpn.xml:139(para)
"The VPN client will also need a certificate to authenticate itself to the "
"server. To create the certificate, enter the following in a terminal:"

#: serverguide/C/vpn.xml:104(command)
msgid "./pkitool hostname"

#: serverguide/C/vpn.xml:108(para)
"Replace <emphasis>hostname</emphasis> with the actual hostname of the "
"machine connecting to the VPN."

#: serverguide/C/vpn.xml:113(para)
msgid "Copy the following files to the client:"

#: serverguide/C/vpn.xml:118(para)
"server. Usually you create a different certificate for each client. To "
"create the certificate, enter the following in a terminal while being user "

#: serverguide/C/vpn.xml:147(command)
msgid "./build-key client1"

#: serverguide/C/vpn.xml:150(para)
msgid "Copy the following files to the client using a secure method:"

#: serverguide/C/vpn.xml:155(para)
msgid "/etc/openvpn/ca.crt"

#: serverguide/C/vpn.xml:119(para)
msgid "/etc/openvpn/easy-rsa/keys/hostname.crt"

#: serverguide/C/vpn.xml:120(para)
msgid "/etc/openvpn/easy-rsa/keys/hostname.key"

#: serverguide/C/vpn.xml:121(para)
msgid "/etc/openvpn/ta.key"

#: serverguide/C/vpn.xml:125(para)
"Remember to adjust the above file names for your client machine's "
"<emphasis>hostname</emphasis>."

#: serverguide/C/vpn.xml:130(para)
"It is best to use a secure method to copy the certificate and key files. The "
"<application>scp</application> utility is a good choice, but copying the "
"files to removable media and then to the client also works well."

#: serverguide/C/vpn.xml:141(title) serverguide/C/vcs.xml:107(title)
msgid "Server Configuration"

#: serverguide/C/vpn.xml:143(para)
"Now configure the <application>openvpn</application> server by creating "
"<filename>/etc/openvpn/server.conf</filename> from the example file. In a "

#: serverguide/C/vpn.xml:149(command)

#: serverguide/C/vpn.xml:156(para)
msgid "/etc/openvpn/easy-rsa/keys/client1.crt"

#: serverguide/C/vpn.xml:157(para)
msgid "/etc/openvpn/easy-rsa/keys/client1.key"

#: serverguide/C/vpn.xml:160(para)
"As the client certificates and keys are only required on the client machine, "
"you should remove them from the server."
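The copy, permission and clean-up steps above, collected into one script as an added example (this is not the guide's own code). It uses the guide's file names (myservername.*, dh1024.pem, ta.key, client1.*); the function names, the scratch directory and the placeholder files it creates are constructed for the example, so it can be run offline against a temporary tree instead of /etc/openvpn. The check at the end is the one a practitioner wants after the guide's "remove them from the server" step: every required server file present, every private key owner-only, and no client key left in the server directory.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu Server Guide: stage the files the
# guide generates with easy-rsa. Paths and file names are the guide's
# (myservername.*, dh1024.pem, ta.key); the directories are parameters so the
# functions can be exercised against a scratch tree instead of /etc/openvpn.
# Note: easy-rsa 2 sizes the DH parameters from KEY_SIZE in vars (1024 by
# default); with KEY_SIZE=2048 the file is dh2048.pem and DH_FILE must match.

DH_FILE=dh1024.pem
SERVER_NAME=myservername
# Everything the server needs; ta.key is the tls-auth secret shared with
# every client, and the client keys are deliberately not in this list.
SERVER_FILES="ca.crt $SERVER_NAME.crt $SERVER_NAME.key $DH_FILE ta.key"

# file_mode FILE: print the permission bits as ls shows them, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# stage_server_files KEYS_DIR DEST: copy the server's material out of the
# easy-rsa keys/ directory; private keys become owner-only, the rest 644
stage_server_files() {
    keys=$1; dest=$2
    mkdir -p "$dest"
    for f in $SERVER_FILES; do
        cp "$keys/$f" "$dest/$f"
        case $f in
            *.key) chmod 600 "$dest/$f" ;;
            *)     chmod 644 "$dest/$f" ;;
        esac
    done
}

# stage_client_bundle KEYS_DIR DEST NAME: collect what one client needs into
# its own directory, ready for "scp -r DEST client:/etc/openvpn/"
stage_client_bundle() {
    keys=$1; dest=$2; name=$3
    mkdir -p "$dest"
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        cp "$keys/$f" "$dest/$f"
    done
    chmod 600 "$dest/$name.key" "$dest/ta.key"
}

# check_server_dir DEST: 0 if every required file is present, every .key is
# owner-only, and no client key is lying around; 1 otherwise, with reasons
check_server_dir() {
    dest=$1; rc=0
    for f in $SERVER_FILES; do
        if [ ! -f "$dest/$f" ]; then
            echo "missing: $dest/$f"; rc=1
        fi
    done
    for k in "$dest"/*.key; do
        [ -e "$k" ] || continue
        mode=$(file_mode "$k")
        case $mode in
            ?rw-------) ;;
            *) echo "too permissive: $k ($mode)"; rc=1 ;;
        esac
        case $(basename "$k") in
            "$SERVER_NAME.key"|ta.key) ;;
            *) echo "client key left on server: $k"; rc=1 ;;
        esac
    done
    return $rc
}

# make_scratch_keys DIR: placeholder files standing in for easy-rsa output
# (constructed for this example; a real run uses /etc/openvpn/easy-rsa/keys)
make_scratch_keys() {
    mkdir -p "$1"
    for f in $SERVER_FILES client1.crt client1.key; do
        echo "placeholder for $f" > "$1/$f"
    done
}

SCRATCH=$(mktemp -d)
trap 'rm -rf "$SCRATCH"' EXIT
make_scratch_keys "$SCRATCH/keys"
stage_server_files "$SCRATCH/keys" "$SCRATCH/etc-openvpn"
stage_client_bundle "$SCRATCH/keys" "$SCRATCH/client1-bundle" client1
if check_server_dir "$SCRATCH/etc-openvpn"; then
    echo "server directory is complete and holds no client keys"
fi
```

On a real server the calls would be `stage_server_files /etc/openvpn/easy-rsa/keys /etc/openvpn` and `stage_client_bundle /etc/openvpn/easy-rsa/keys /root/client1 client1`, followed by `scp -r /root/client1 client1:/etc/openvpn/` and `rm -r /root/client1` once the transfer is confirmed.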
#: serverguide/C/vpn.xml:168(title)
msgid "Simple Server Configuration"

#: serverguide/C/vpn.xml:170(para)
"Along with your <application>OpenVPN</application> installation you got "
"these sample config files (and many more if you check):"

#: serverguide/C/vpn.xml:174(programlisting)
"root@server:/# ls -l /usr/share/doc/openvpn/examples/sample-config-files/\n"
"-rw-r--r-- 1 root root 3427 2011-07-04 15:09 client.conf\n"
"-rw-r--r-- 1 root root 4141 2011-07-04 15:09 server.conf.gz\n"

#: serverguide/C/vpn.xml:181(para)
"Start with copying and unpacking server.conf.gz to /etc/openvpn/server.conf."

#: serverguide/C/vpn.xml:185(command)
"sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz "
"/etc/openvpn/"

#: serverguide/C/vpn.xml:150(command)
#: serverguide/C/vpn.xml:186(command)
msgid "sudo gzip -d /etc/openvpn/server.conf.gz"

#: serverguide/C/vpn.xml:153(para)
#: serverguide/C/vpn.xml:189(para)
"Edit <filename>/etc/openvpn/server.conf</filename> to make sure the "
"following lines are pointing to the certificates and keys you created in the "

#: serverguide/C/vpn.xml:192(programlisting)
"cert myservername.crt\n"
"key myservername.key\n"

#: serverguide/C/vpn.xml:199(para)
"That is the minimum you have to configure to get a working OpenVPN server. "
"You can use all the default settings in the sample server.conf file. Now "
"start the server. You will find logging and error messages in your syslog."

#: serverguide/C/vpn.xml:204(programlisting)
"root@server:/etc/openvpn# /etc/init.d/openvpn start\n"
" * Starting virtual private network daemon(s)...\n"
" * Autostarting VPN 'server' [ OK ]\n"

#: serverguide/C/vpn.xml:210(para)
msgid "Now check if OpenVPN created a tun0 interface:"

#: serverguide/C/vpn.xml:214(programlisting)
"root@server:/etc/openvpn# ifconfig tun0\n"
"tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-"
" inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255\n"
" UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1\n"

#: serverguide/C/vpn.xml:224(title)
msgid "Simple Client Configuration"
#: serverguide/C/vpn.xml:226(para)
"There are various <application>OpenVPN</application> client "
"implementations with and without GUIs. You can read more about clients in a "
"later section. For now we use the <application>OpenVPN</application> client "
"for Ubuntu, which is the same executable as the server. So you have to "
"install the openvpn package again on the client machine:"

#: serverguide/C/vpn.xml:236(para)
msgid "This time copy the client.conf sample config file to /etc/openvpn/."

#: serverguide/C/vpn.xml:240(command)
"sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf "

#: serverguide/C/vpn.xml:243(para)
"Copy the client keys and the certificate of the CA you created in the "
"section above to e.g. /etc/openvpn/ and edit "
"<filename>/etc/openvpn/client.conf</filename> to make sure the following "
"lines are pointing to those files. If you have the files in /etc/openvpn/ "
"you can omit the path."

#: serverguide/C/vpn.xml:246(programlisting)
"cert client1.crt\n"

#: serverguide/C/vpn.xml:252(para)
"You also have to specify at least the OpenVPN server's name or address. Make "
"sure the keyword client is in the config. That's what enables client mode."

#: serverguide/C/vpn.xml:258(programlisting)
"remote vpnserver.example.com 1194\n"

#: serverguide/C/vpn.xml:263(para)
msgid "Now start the OpenVPN client:"

#: serverguide/C/vpn.xml:267(programlisting)
"root@client:/etc/openvpn# /etc/init.d/openvpn start\n"
" * Starting virtual private network daemon(s)...\n"
" * Autostarting VPN 'client' [ OK ]\n"

#: serverguide/C/vpn.xml:273(para)
msgid "Check if it created a tun0 interface:"

#: serverguide/C/vpn.xml:277(programlisting)
"root@client:/etc/openvpn# ifconfig tun0\n"
"tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-"
" inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255\n"
" UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1\n"

#: serverguide/C/vpn.xml:284(para)
msgid "Check if you can ping the OpenVPN server:"

#: serverguide/C/vpn.xml:287(programlisting)
"root@client:/etc/openvpn# ping 10.8.0.1\n"
"PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.\n"
"64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=0.920 ms\n"

#: serverguide/C/vpn.xml:294(para)
"The OpenVPN server always uses the first usable IP address in the client "
"network and only that IP is pingable. E.g. if you configured a /24 for the "
"client network mask, the .1 address will be used. The P-t-P address you see "
"in the ifconfig output above usually does not answer ping requests."

#: serverguide/C/vpn.xml:299(para)
msgid "Check out your routes:"

#: serverguide/C/vpn.xml:302(programlisting)
"root@client:/etc/openvpn# netstat -rn\n"
"Kernel IP routing table\n"
"Destination Gateway Genmask Flags MSS Window irtt "
"10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 "
"10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 "
"192.168.42.0 0.0.0.0 255.255.255.0 U 0 0 0 "
"0.0.0.0 192.168.42.1 0.0.0.0 UG 0 0 0 "

#: serverguide/C/vpn.xml:314(title)
msgid "First troubleshooting"

#: serverguide/C/vpn.xml:316(para)
msgid "If the above didn't work for you, check this:"

#: serverguide/C/vpn.xml:321(para)
msgid "Check your syslog, e.g. grep -i vpn /var/log/syslog"

#: serverguide/C/vpn.xml:324(para)
"Can the client connect to the server machine? Maybe a firewall is blocking "
"access? Check syslog on the server."

#: serverguide/C/vpn.xml:327(para)
"Client and server must use the same protocol and port, e.g. UDP port 1194, "
"see the port and proto config options"

#: serverguide/C/vpn.xml:330(para)
"Client and server must use the same config regarding compression, see comp-lzo "

#: serverguide/C/vpn.xml:333(para)
"Client and server must use the same config regarding bridged vs routed mode, "
"see the server vs server-bridge config option"
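The last four checks in the list are mechanical, so here they are as a script, an added example that is not part of the guide: it reads a client config and a server config and reports where proto, port, comp-lzo and routed-versus-bridged mode disagree, before either daemon is started. Only the directive names are OpenVPN's; the function names and the sample configs written by write_samples are constructed for the example (one matching pair modelled on the guide's, and one client file that gets all four settings wrong), so it runs without openvpn installed.

```shell
#!/bin/sh
# Added example, not part of the Ubuntu Server Guide: check the settings the
# troubleshooting list says must agree between client and server before
# starting the daemons. Plain sh plus awk, so it runs without openvpn.
# Function names and the sample configs below are constructed for this
# example; the directive names are OpenVPN's.

# conf_arg FILE DIRECTIVE N: field N of the first line whose first word is
# DIRECTIVE, or nothing if the directive or field is missing. Comment lines
# start with '#' or ';' and so never match on the first word.
conf_arg() {
    awk -v d="$2" -v n="$3" '$1 == d { print $n; exit }' "$1"
}

# conf_has FILE DIRECTIVE: succeed if the directive appears at all
conf_has() {
    [ -n "$(awk -v d="$2" '$1 == d { print "yes"; exit }' "$1")" ]
}

# check_pair CLIENT_CONF SERVER_CONF: 0 if protocol, port, compression and
# routed-versus-bridged mode agree; 1 otherwise, naming each mismatch
check_pair() {
    client=$1; server=$2; rc=0

    # proto and port default to udp/1194; the client may carry its port as
    # the third word of "remote host port"
    c_proto=$(conf_arg "$client" proto 2); c_proto=${c_proto:-udp}
    s_proto=$(conf_arg "$server" proto 2); s_proto=${s_proto:-udp}
    c_port=$(conf_arg "$client" port 2)
    [ -n "$c_port" ] || c_port=$(conf_arg "$client" remote 3)
    c_port=${c_port:-1194}
    s_port=$(conf_arg "$server" port 2); s_port=${s_port:-1194}

    # comp-lzo must be on both sides or on neither
    if conf_has "$client" comp-lzo; then c_lzo=on; else c_lzo=off; fi
    if conf_has "$server" comp-lzo; then s_lzo=on; else s_lzo=off; fi

    # "server" means routed (dev tun), "server-bridge" means bridged (dev tap)
    if conf_has "$server" server-bridge; then s_mode=bridged; want_dev=tap
    elif conf_has "$server" server;     then s_mode=routed;  want_dev=tun
    else                                     s_mode=unknown; want_dev=
    fi
    c_dev=$(conf_arg "$client" dev 2); c_dev=${c_dev%%[0-9]*}   # tun0 -> tun

    [ "$c_proto" = "$s_proto" ] || { echo "proto: client=$c_proto server=$s_proto"; rc=1; }
    [ "$c_port" = "$s_port" ]   || { echo "port: client=$c_port server=$s_port"; rc=1; }
    [ "$c_lzo" = "$s_lzo" ]     || { echo "comp-lzo: client=$c_lzo server=$s_lzo"; rc=1; }
    [ "$c_dev" = "$want_dev" ]  || { echo "dev: client=$c_dev but server mode is $s_mode"; rc=1; }
    return $rc
}

# write_samples DIR: constructed sample configs; server.conf and client.conf
# agree, client-bad.conf gets all four settings wrong
write_samples() {
    mkdir -p "$1"
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert myservername.crt
key myservername.key
dh dh1024.pem
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
server 10.8.0.0 255.255.255.0
comp-lzo
EOF
    cat > "$1/client.conf" <<'EOF'
client
dev tun
proto udp
remote vpnserver.example.com 1194
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
EOF
    cat > "$1/client-bad.conf" <<'EOF'
client
dev tap
proto tcp
remote vpnserver.example.com 443
ca ca.crt
cert client1.crt
key client1.key
EOF
}

SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
write_samples "$SAMPLES"
if check_pair "$SAMPLES/client.conf" "$SAMPLES/server.conf"; then
    echo "client.conf matches server.conf"
fi
check_pair "$SAMPLES/client-bad.conf" "$SAMPLES/server.conf" || echo "client-bad.conf needs fixing"
```

Against real files the call is `check_pair /etc/openvpn/client.conf server.conf` with the server's file copied over, or run on the server with the client's file copied there; the first two items in the list (syslog and the firewall) still need a look by hand.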
#: serverguide/C/vpn.xml:341(title)
msgid "Advanced configuration"

#: serverguide/C/vpn.xml:344(title)
msgid "Advanced routed VPN configuration on server"

#: serverguide/C/vpn.xml:346(para)
"The above is a very simple working VPN. The client can access services on "
"the VPN server machine through an encrypted tunnel. If you want to reach "
"more servers or anything in other networks, push some routes to the clients. "
"E.g. if your company's network can be summarized to the network "
"192.168.0.0/16, you could push this route to the clients. But you will also "
"have to change the routing for the way back - your servers need to know a "
"route to the VPN client network."

#: serverguide/C/vpn.xml:350(para)
"Or you might push a default gateway to all the clients to send all their "
"internet traffic to the VPN gateway first and from there via the company "
"firewall into the internet. This section shows you some possible options."

#: serverguide/C/vpn.xml:354(para)
"Push routes to the client to allow it to reach other private subnets behind "
"the server. Remember that these private subnets will also need to know to "
"route the OpenVPN client address pool (10.8.0.0/24) back to the OpenVPN "

#: serverguide/C/vpn.xml:363(programlisting)
"push \"route 10.0.0.0 255.0.0.0\"\n"

#: serverguide/C/vpn.xml:367(para)
"If enabled, this directive will configure all clients to redirect their "
"default network gateway through the VPN, causing all IP traffic such as web "
"browsing and DNS lookups to go through the VPN (the OpenVPN server "
"machine or your central firewall may need to NAT the TUN/TAP interface to "
"the internet in order for this to work properly)."

#: serverguide/C/vpn.xml:376(programlisting)
"push \"redirect-gateway def1 bypass-dhcp\"\n"

#: serverguide/C/vpn.xml:380(para)
"Configure server mode and supply a VPN subnet for OpenVPN to draw client "
"addresses from. The server will take 10.8.0.1 for itself, the rest will be "
"made available to clients. Each client will be able to reach the server on "
"10.8.0.1. Comment this line out if you are ethernet bridging."

#: serverguide/C/vpn.xml:389(programlisting)
"server 10.8.0.0 255.255.255.0\n"

#: serverguide/C/vpn.xml:393(para)
"Maintain a record of client to virtual IP address associations in this file. "
"If OpenVPN goes down or is restarted, reconnecting clients can be assigned "
"the same virtual IP address from the pool that was previously assigned."

#: serverguide/C/vpn.xml:400(programlisting)
"ifconfig-pool-persist ipp.txt\n"

#: serverguide/C/vpn.xml:404(para)
msgid "Push DNS servers to the client."

#: serverguide/C/vpn.xml:407(programlisting)
"push \"dhcp-option DNS 10.0.0.2\"\n"
"push \"dhcp-option DNS 10.1.0.2\"\n"

#: serverguide/C/vpn.xml:412(para)
msgid ""
"Allow client-to-client communication. Without it each client only sees the "
"server and the routes it pushes; with it every client can reach every other "
"client, and that traffic is switched inside OpenVPN without passing the "
"host's packet filter, so leave it off if you firewall tunnel traffic with "
"per-client rules."

#: serverguide/C/vpn.xml:415(programlisting)
"client-to-client\n"

#: serverguide/C/vpn.xml:419(para)
msgid "Enable compression on the VPN link."

#: serverguide/C/vpn.xml:422(programlisting)

#: serverguide/C/vpn.xml:426(para)
"The keepalive directive causes ping-like messages to be sent back and forth "
"over the link so that each side knows when the other side has gone down. "
"Ping every 1 second, assume that the remote peer is down if no ping is "
"received during a 3 second time period."

#: serverguide/C/vpn.xml:435(programlisting)

#: serverguide/C/vpn.xml:439(para)
"It's a good idea to reduce the OpenVPN daemon's privileges after "

#: serverguide/C/vpn.xml:442(programlisting)

#: serverguide/C/vpn.xml:447(para)
"OpenVPN 2.0 includes a feature that allows the OpenVPN server to securely "
"obtain a username and password from a connecting client, and to use that "
"information as a basis for authenticating the client. To use this "
"authentication method, first add the auth-user-pass directive to the client "
"configuration. It will direct the OpenVPN client to query the user for a "
"username/password, passing it on to the server over the secure TLS channel."

#: serverguide/C/vpn.xml:451(programlisting)
"# client config!\n"

#: serverguide/C/vpn.xml:456(para)
"This will tell the OpenVPN server to validate the username/password entered "
"by clients using the login PAM module. Useful if you have centralized "
"authentication with e.g. Kerberos."

#: serverguide/C/vpn.xml:461(programlisting)
"plugin /usr/lib/openvpn/openvpn-auth-pam.so login\n"

#: serverguide/C/vpn.xml:465(para)
"Please read the OpenVPN <ulink url=\"http://openvpn.net/index.php/open-"
"source/documentation/howto.html#security\">hardening security guide</ulink> "
"for further security advice."
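The directives this section introduces one at a time, assembled into a single routed-mode server.conf as an added example (this is not the guide's own file). Values are the section's illustrative ones; the tls-auth, persist-key, persist-tun, user and group lines are the usual Ubuntu sample-config choices and are an assumption here rather than something the section shows. The two commented-out lines are the ones that need a decision: redirect-gateway only works once the server forwards and NATs for the client pool (for example `sysctl -w net.ipv4.ip_forward=1` and `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`), and client-to-client makes clients reachable from one another inside OpenVPN. The pushed route still needs the matching return route on the LAN side, pointing 10.8.0.0/24 at the server's LAN address.

```conf
# /etc/openvpn/server.conf, routed mode (assembled example, not the guide's file)
port 1194
proto udp
dev tun
ca ca.crt
cert myservername.crt
key myservername.key
dh dh1024.pem
tls-auth ta.key 0                  # clients use: tls-auth ta.key 1
server 10.8.0.0 255.255.255.0      # server takes 10.8.0.1, clients get the rest
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.0.0.0"    # LAN must route 10.8.0.0/24 back to this host
push "dhcp-option DNS 10.0.0.2"
push "dhcp-option DNS 10.1.0.2"
;push "redirect-gateway def1 bypass-dhcp"   # needs IP forwarding plus NAT here
;client-to-client                           # clients see each other, bypassing iptables
comp-lzo                           # as in the guide; newer OpenVPN discourages compression
keepalive 1 3
persist-key                        # keep key and tun across restarts once privileges
persist-tun                        # are dropped below
user nobody
group nogroup
```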
#: serverguide/C/vpn.xml:471(title)
msgid "Advanced bridged VPN configuration on server"

#: serverguide/C/vpn.xml:473(para)
"<application>OpenVPN</application> can be set up for either a routed or a "
"bridged VPN mode. Sometimes this is also referred to as OSI layer-2 versus "
"layer-3 VPN. In a bridged VPN all layer-2 frames - e.g. all ethernet frames -"
" are sent to the VPN partners and in a routed VPN only layer-3 packets are "
"sent to VPN partners. In bridged mode all traffic including traffic which "
"was traditionally LAN-local like local network broadcasts, DHCP requests, "
"ARP requests etc. is sent to VPN partners whereas in routed mode this would "

#: serverguide/C/vpn.xml:479(title)
msgid "Prepare interface config for bridging on server"

#: serverguide/C/vpn.xml:481(para)
msgid "Make sure you have the bridge-utils package installed:"

#: serverguide/C/vpn.xml:485(command) serverguide/C/virtualization.xml:2179(command) serverguide/C/network-config.xml:540(command)
msgid "sudo apt-get install bridge-utils"

#: serverguide/C/vpn.xml:488(para)
"Before you set up OpenVPN in bridged mode you need to change your interface "
"configuration. Let's assume your server has an interface eth0 connected to "
"the internet and an interface eth1 connected to the LAN you want to bridge. "
"Your /etc/network/interfaces would look like this:"

#: serverguide/C/vpn.xml:492(programlisting)
"iface eth0 inet static\n"
" address 1.2.3.4\n"
" netmask 255.255.255.248\n"
" gateway 1.2.3.1\n"
"iface eth1 inet static\n"
" address 10.0.0.4\n"
" netmask 255.255.255.0\n"

#: serverguide/C/vpn.xml:505(para)
"This straightforward interface config needs to be changed into a bridged "
"setup where the config of interface eth1 moves to the new br0 interface, "
"and br0 is configured to bridge interface eth1. We also need to "
"make sure that interface eth1 is always in promiscuous mode - this tells the "
"interface to accept all ethernet frames, not only those addressed to it, so "
"the bridge can forward them."

#: serverguide/C/vpn.xml:509(programlisting)
"iface eth0 inet static\n"
" address 1.2.3.4\n"
" netmask 255.255.255.248\n"
" gateway 1.2.3.1\n"
"iface eth1 inet manual\n"
" up ip link set $IFACE up promisc on\n"
"iface br0 inet static\n"
" address 10.0.0.4\n"
" netmask 255.255.255.0\n"
" bridge_ports eth1\n"

#: serverguide/C/vpn.xml:527(para)
"At this point you need to restart networking. Be prepared that this might "
"not work as expected and that you will lose remote connectivity. Make sure "
"you can solve problems through local access."

#: serverguide/C/vpn.xml:531(command)
msgid "sudo /etc/init.d/networking restart"
#: serverguide/C/vpn.xml:536(title)
msgid "Prepare server config for bridging"

#: serverguide/C/vpn.xml:538(para)
"Edit <filename>/etc/openvpn/server.conf</filename> changing the following "

#: serverguide/C/vpn.xml:157(programlisting)
#: serverguide/C/vpn.xml:542(programlisting)
"local 172.18.100.101\n"
"up \"/etc/openvpn/up.sh br0\"\n"
"down \"/etc/openvpn/down.sh br0\"\n"
"up \"/etc/openvpn/up.sh br0 eth1\"\n"
";server 10.8.0.0 255.255.255.0\n"
"server-bridge 172.18.100.101 255.255.255.0 172.18.100.105 172.18.100.200\n"
"push \"route 172.18.100.0 255.255.255.0\"\n"
"push \"dhcp-option DNS 172.18.100.20\"\n"
"push \"dhcp-option DOMAIN example.com\"\n"
"tls-auth ta.key 0 # This file is secret\n"

#: serverguide/C/vpn.xml:174(para)
"<emphasis>local</emphasis>: is the IP address of the bridge interface."

#: serverguide/C/vpn.xml:179(para)
"<emphasis>server-bridge</emphasis>: needed when the configuration uses "
"bridging. The <emphasis>172.18.100.101 255.255.255.0</emphasis> portion is "
"the bridge interface and mask. The IP range <emphasis>172.18.100.105 "
"172.18.100.200</emphasis> is the range of IP addresses that will be assigned "

#: serverguide/C/vpn.xml:186(para)
"<emphasis>push</emphasis>: are directives to add networking options for "

#: serverguide/C/vpn.xml:191(para)
"<emphasis>user and group</emphasis>: configure which user and group the "
"<application>openvpn</application> daemon executes as."

#: serverguide/C/vpn.xml:198(para)
"Replace all IP addresses and domain names above with those of your network."

#: serverguide/C/vpn.xml:203(para)
"Next, create a couple of helper scripts to add the <emphasis>tap</emphasis> "
"interface to the bridge. OpenVPN appends the tap device name and the tunnel "
"MTU after the arguments given in the up and down directives, so the scripts "
"receive the bridge name, then the device, then the MTU. Create "
"<filename>/etc/openvpn/up.sh</filename>:"

#: serverguide/C/vpn.xml:207(programlisting)
"#!/bin/sh\n"
"\n"
"BR=$1\n"
"DEV=$2\n"
"MTU=$3\n"
"\n"
"/sbin/ifconfig $DEV mtu $MTU promisc up\n"
"/usr/sbin/brctl addif $BR $DEV\n"

#: serverguide/C/vpn.xml:217(para)
msgid "And <filename>/etc/openvpn/down.sh</filename>:"

#: serverguide/C/vpn.xml:221(programlisting)
"#!/bin/sh\n"
"\n"
"BR=$1\n"
"DEV=$2\n"
"\n"
"/usr/sbin/brctl delif $BR $DEV\n"
"/sbin/ifconfig $DEV down\n"

#: serverguide/C/vpn.xml:231(para)
msgid "Then make them executable:"

#: serverguide/C/vpn.xml:236(command)
msgid "sudo chmod 755 /etc/openvpn/down.sh"

#: serverguide/C/vpn.xml:237(command)
"server-bridge 10.0.0.4 255.255.255.0 10.0.0.128 10.0.0.254\n"
#: serverguide/C/vpn.xml:550(para)
"Next, create a helper script to add the <emphasis>tap</emphasis> interface "
"to the bridge and to ensure that eth1 is in promiscuous mode. With "
"<emphasis>up \"/etc/openvpn/up.sh br0 eth1\"</emphasis> the script receives "
"the bridge, the LAN interface and then the tap device OpenVPN appends. Create "
"<filename>/etc/openvpn/up.sh</filename>:"

#: serverguide/C/vpn.xml:554(programlisting)
"#!/bin/sh\n"
"\n"
"BR=$1\n"
"ETHDEV=$2\n"
"TAPDEV=$3\n"
"\n"
"/sbin/ip link set \"$TAPDEV\" up\n"
"/sbin/ip link set \"$ETHDEV\" promisc on\n"
"/sbin/brctl addif $BR $TAPDEV\n"

#: serverguide/C/vpn.xml:566(para)
msgid "Then make it executable:"

#: serverguide/C/vpn.xml:571(command)
msgid "sudo chmod 755 /etc/openvpn/up.sh"

#: serverguide/C/vpn.xml:240(para)
#: serverguide/C/vpn.xml:574(para)
"After configuring the server, restart <application>openvpn</application> by "

#: serverguide/C/vpn.xml:245(command) serverguide/C/vpn.xml:293(command)
#: serverguide/C/vpn.xml:579(command) serverguide/C/vpn.xml:617(command)
msgid "sudo /etc/init.d/openvpn restart"

#: serverguide/C/vpn.xml:250(title)
#: serverguide/C/vpn.xml:584(title)
msgid "Client Configuration"

#: serverguide/C/vpn.xml:252(para)
#: serverguide/C/vpn.xml:586(para)
msgid "First, install <application>openvpn</application> on the client:"

#: serverguide/C/vpn.xml:260(para)
#: serverguide/C/vpn.xml:594(para)
"Then with the server configured and the client certificates copied to the "
"<filename>/etc/openvpn/</filename> directory, create a client configuration "
"file by copying the example. In a terminal on the client machine enter:"

#: serverguide/C/vpn.xml:266(command)
#: serverguide/C/vpn.xml:600(command)
"sudo cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf "

#: serverguide/C/vpn.xml:269(para)
#: serverguide/C/vpn.xml:603(para)
"Now edit <filename>/etc/openvpn/client.conf</filename> changing the "
"following options (for the bridged setup the client also needs "
"<emphasis>dev tap</emphasis>, matching the server's server-bridge):"

#: serverguide/C/vpn.xml:273(programlisting)
#: serverguide/C/vpn.xml:607(programlisting)
"remote vpn.example.com 1194\n"
"cert hostname.crt\n"
"key hostname.key\n"
"tls-auth ta.key 1\n"

#: serverguide/C/vpn.xml:282(para)
"Replace <emphasis>vpn.example.com</emphasis> with the hostname of your VPN "
"server, and <emphasis>hostname.*</emphasis> with the actual certificate and "

#: serverguide/C/vpn.xml:288(para)
#: serverguide/C/vpn.xml:612(para)
msgid "Finally, restart <application>openvpn</application>:"

#: serverguide/C/vpn.xml:296(para)
#: serverguide/C/vpn.xml:620(para)
msgid "You should now be able to connect to the remote LAN through the VPN."
#: serverguide/C/vpn.xml:307(para)

#: serverguide/C/vpn.xml:629(title)
msgid "Client software implementations"

#: serverguide/C/vpn.xml:632(title)
msgid "Linux Network-Manager GUI for OpenVPN"

#: serverguide/C/vpn.xml:634(para)
"Many Linux distributions including Ubuntu desktop variants come with Network "
"Manager, a nice GUI to configure your network settings. It can also manage "
"your VPN connections. Make sure you have the package network-manager-openvpn "
"installed. Here you see that the installation installs all other required "

#: serverguide/C/vpn.xml:639(programlisting)
"root@client:~# apt-get install network-manager-openvpn\n"
"Reading package lists... Done\n"
"Building dependency tree\n"
"Reading state information... Done\n"
"The following extra packages will be installed:\n"
" liblzo2-2 libpkcs11-helper1 network-manager-openvpn-gnome openvpn\n"
"Suggested packages:\n"
"The following NEW packages will be installed:\n"
" liblzo2-2 libpkcs11-helper1 network-manager-openvpn\n"
" network-manager-openvpn-gnome openvpn\n"
"0 upgraded, 5 newly installed, 0 to remove and 631 not upgraded.\n"
"Need to get 700 kB of archives.\n"
"After this operation, 3,031 kB of additional disk space will be used.\n"
"Do you want to continue [Y/n]?\n"

#: serverguide/C/vpn.xml:657(para)
"To inform network-manager about the newly installed packages you will have to "

#: serverguide/C/vpn.xml:661(programlisting)
"root@client:~# restart network-manager\n"
"network-manager start/running, process 3078\n"

#: serverguide/C/vpn.xml:666(para)
"Open the Network Manager GUI, select the VPN tab and then the 'Add' button. "
"Select OpenVPN as the VPN type in the dialog that opens and press 'Create'. "
"In the next window add the OpenVPN server's name as the 'Gateway', set "
"'Type' to 'Certificates (TLS)', point 'User Certificate' to your user "
"certificate, 'CA Certificate' to your CA certificate and 'Private Key' to "
"your private key file. Use the advanced button to enable compression or "
"other special settings you set on the server. Now try to establish your VPN."

#: serverguide/C/vpn.xml:678(title)
msgid "OpenVPN with GUI for Mac OS X: Tunnelblick"

#: serverguide/C/vpn.xml:680(para)
"Tunnelblick is an excellent free, open source implementation of a GUI for "
"OpenVPN for OS X. The project's homepage is at <ulink "
"url=\"http://code.google.com/p/tunnelblick/\">http://code.google.com/p/tunnel"
"blick/</ulink>. Download the latest OS X installer from there and install "
"it. Then put your client.ovpn config file together with the certificates and "
"keys in /Users/username/Library/Application "
"Support/Tunnelblick/Configurations/ and launch Tunnelblick from your "
"Applications folder."

#: serverguide/C/vpn.xml:686(programlisting)
"# sample client.ovpn for Tunnelblick\n"
"remote blue.example.com\n"
"ns-cert-type server\n"
"auth-retry interact\n"

#: serverguide/C/vpn.xml:708(title)
msgid "OpenVPN with GUI for Win 7"
#: serverguide/C/vpn.xml:710(para)
"First download and install the latest <ulink "
"url=\"http://www.openvpn.net/index.php/open-source/downloads.html\">OpenVPN "
"Windows Installer</ulink>. OpenVPN 2.2.1 was the latest when this was "
"written. Additionally download an alternative OpenVPN Windows GUI. The "
"OpenVPN MI GUI from <ulink url=\"http://openvpn-mi-gui.inside-"
"security.de\">http://openvpn-mi-gui.inside-security.de</ulink> seems to be a "
"nice one for Windows 7. Download the latest version. 20110624 was the latest "
"version when this was written."

#: serverguide/C/vpn.xml:716(para)
"You need to start the OpenVPN service. Go to Start > Computer > Manage "
"> Services and Applications > Services. Find the OpenVPN service and "
"start it. Set its startup type to automatic. When you start the OpenVPN MI "
"GUI the first time you need to run it as an administrator. You have to right "
"click on it and you will see that option."

#: serverguide/C/vpn.xml:720(para)
"You will have to write your OpenVPN config in a text file and place it in C:\\"
"Program Files\\OpenVPN\\config\\client.ovpn along with the CA certificate. "
"You could put the user certificate in the user's home directory like in the "

#: serverguide/C/vpn.xml:724(programlisting)
"# C:\\Program Files\\OpenVPN\\config\\client.ovpn\n"
"remote server.example.com\n"
"ns-cert-type server\n"
"auth-retry interact\n"
"cert \"C:\\\\Users\\\\username\\\\My Documents\\\\openvpn\\\\client.crt\"\n"
"key \"C:\\\\Users\\\\username\\\\My Documents\\\\openvpn\\\\client.key\"\n"
"management 127.0.0.1 1194\n"
"management-query-passwords\n"
"auth-retry interact\n"
#: serverguide/C/vpn.xml:749(title)
4019
msgid "OpenVPN for OpenWRT"
4022
#: serverguide/C/vpn.xml:751(para)
4024
"OpenWRT is described as a Linux distribution for embedded devices like WLAN "
4025
"router. There are certain types of WLAN routers who can be flashed to run "
4026
"OpenWRT. Depending on the available memory on your OpenWRT router you can "
4027
"run software like OpenVPN and you could for example build a small "
4028
"inexpensive branch office router with VPN connectivity to the central "
4029
"office. More info on OpenVPN on OpenWRT is <ulink "
4030
"url=\"http://wiki.openwrt.org/doc/howto/vpn.overview\">here</ulink>. And "
4031
"here is the OpenWRT project's homepage: <ulink "
4032
"url=\"http://openwrt.org\">http://openwrt.org</ulink>"
4035
#: serverguide/C/vpn.xml:760(para)
4036
msgid "Log into your OpenWRT router and install OpenVPN:"
4039
#: serverguide/C/vpn.xml:765(command)
4043
#: serverguide/C/vpn.xml:766(command)
4044
msgid "opkg install openvpn"
4047
#: serverguide/C/vpn.xml:769(para)
4049
"Check out /etc/config/openvpn and put you client config in there. Copy "
4050
"certificated and keys to /etc/openvpn/"
4053
#: serverguide/C/vpn.xml:774(programlisting)
4057
"config openvpn client1\n"
4058
" option enable 1 \n"
4059
" option client 1 \n"
4060
"# option dev tap \n"
4061
" option dev tun \n"
4062
" option proto udp \n"
4063
" option ca /etc/openvpn/ca.crt \n"
4064
" option cert /etc/openvpn/client.crt\n"
4065
" option key /etc/openvpn/client.key\n"
4066
" option comp_lzo 1 \n"
4069
#: serverguide/C/vpn.xml:787(para)
4070
msgid "Restart OpenVPN:"
4073
#: serverguide/C/vpn.xml:792(command)
4074
msgid "/etc/init.d/openvpn restart"
4077
#: serverguide/C/vpn.xml:795(para)
4079
"You will have to see if you need to adjust your router's routing and "
4083
#: serverguide/C/vpn.xml:805(para)
3742
4085
"See the <ulink url=\"http://openvpn.net/\">OpenVPN</ulink> website for "
3743
4086
"additional information."
3746
#: serverguide/C/vpn.xml:312(para)
4089
#: serverguide/C/vpn.xml:811(ulink)
4090
msgid "OpenVPN hardening security guide"
4093
#: serverguide/C/vpn.xml:815(para)
3748
4095
"Also, Pakt's <ulink url=\"http://www.packtpub.com/openvpn/book\">OpenVPN: "
3749
4096
"Building and Integrating Virtual Private Networks</ulink> is a good resource."
3752
#: serverguide/C/vpn.xml:318(para)
3754
"Another source of further information is the <ulink "
3755
"url=\"https://help.ubuntu.com/community/OpenVPN\">Ubuntu Wiki "
3756
"OpenVPN</ulink> page."
3759
4099
#: serverguide/C/virtualization.xml:13(title)
3760
4100
msgid "Virtualization"
"RightScale</ulink>."

#: serverguide/C/virtualization.xml:2184(para)
#: serverguide/C/virtualization.xml:2102(para)
"You can also find help in the <emphasis>#ubuntu-virt</emphasis>, "
"<emphasis>#eucalyptus</emphasis>, and <emphasis>#ubuntu-server</emphasis> "
"IRC channels on <ulink url=\"http://freenode.net\">Freenode</ulink>."

#: serverguide/C/virtualization.xml:2193(title)
#: serverguide/C/virtualization.xml:2112(title)
msgid "Ubuntu Cloud"
#: serverguide/C/virtualization.xml:2113(para)
"<application>Cloud computing</application> is a computing model that allows "
"vast pools of resources to be allocated on demand. These resources, such as "
"storage, computing power, network and software, are abstracted and delivered "
"as a service over the Internet anywhere, anytime. These services are billed "
"per time consumed, similar to public utilities such as electricity, water "
"and telephony. <application>Ubuntu Cloud Infrastructure</application> uses "
"OpenStack open source software to help build highly scalable cloud computing "
"for both public and private clouds."

#: serverguide/C/virtualization.xml:2124(para)
"This tutorial covers the OpenStack installation from the Ubuntu 12.04 LTS "
"Server Edition CD, and assumes a basic network topology, with a single "
"system serving as the \"all-in-one cloud infrastructure\". Due to the "
"tutorial's simplicity, the instructions as-is are not intended to set up "
"production servers, although they allow you to have a POC (proof of "
"concept) of the Ubuntu Cloud using OpenStack."

#: serverguide/C/virtualization.xml:2133(para)
"To deploy a minimal Ubuntu Cloud infrastructure, you’ll need at least:"
#: serverguide/C/virtualization.xml:2139(para)
msgid "One dedicated system."

#: serverguide/C/virtualization.xml:2144(para)
msgid "Two network address ranges (private network and public network)."

#: serverguide/C/virtualization.xml:2149(para)
"Make sure the host in question supports VT (Virtualization Technology), "
"since we will be using KVM as the virtualization technology. Other "
"hypervisors are also supported, such as QEMU, UML, VMware ESX/ESXi and Xen. "
"LXC (Linux Containers) is also supported through libvirt."

#: serverguide/C/virtualization.xml:2154(para)
"Check if your system supports KVM by issuing <application><command>sudo kvm-"
"ok</command></application> in a Linux terminal."

#: serverguide/C/virtualization.xml:2158(para)
"The <command>\"Minimum Topology\"</command> recommended for production use "
"is three nodes: one master server running the nova services (except "
"compute) and two servers running nova-compute. This setup is not redundant "
"and the master server is a SPoF (Single Point of Failure)."

#: serverguide/C/virtualization.xml:2166(title)
msgid "Preconfiguring the network"

#: serverguide/C/virtualization.xml:2167(para)
"Before we start installing OpenStack we need to make sure we have bridging "
"support installed, a MySQL database, and a central time server (NTP). This "
"will ensure that instantiated machines and hosts are kept in sync."
#: serverguide/C/virtualization.xml:2171(para)
"In this example the “private network” will be in the 10.0.0.0/24 range on "
"eth1. All the internal communication between instances will happen there, "
"while the “public network” will be in the 10.153.107.0/29 range on eth0."

#: serverguide/C/virtualization.xml:2177(title)
msgid "Install bridging support"

#: serverguide/C/virtualization.xml:2184(title)
msgid "Install and configure NTP"

#: serverguide/C/virtualization.xml:2186(command) serverguide/C/network-config.xml:1097(command)
msgid "sudo apt-get install ntp"

#: serverguide/C/virtualization.xml:2188(para)
"Add these two lines at the end of the <filename>/etc/ntp.conf</filename> "

#: serverguide/C/virtualization.xml:2191(programlisting)
"server 127.127.1.0\n"
"fudge 127.127.1.0 stratum 10\n"

#: serverguide/C/virtualization.xml:2195(para)
msgid "Restart the ntp service"

#: serverguide/C/virtualization.xml:2199(command)
msgid "sudo service ntp restart"

#: serverguide/C/virtualization.xml:2204(title)
msgid "Install and configure MySQL"

#: serverguide/C/virtualization.xml:2206(command) serverguide/C/databases.xml:44(command)
msgid "sudo apt-get install mysql-server"

#: serverguide/C/virtualization.xml:2208(para)
msgid "Create a database and MySQL user for OpenStack"

#: serverguide/C/virtualization.xml:2212(command)
msgid "sudo mysql -uroot -ppassword -e \"CREATE DATABASE nova;\""

#: serverguide/C/virtualization.xml:2213(command)
"sudo mysql -uroot -ppassword -e \"GRANT ALL ON nova.* TO novauser@localhost \\"

#: serverguide/C/virtualization.xml:2214(command)
msgid "IDENTIFIED BY 'novapassword' \";"

#: serverguide/C/virtualization.xml:2216(para)
"The line continuation character <application>\"\\\"</application> implies "
"that you must include the subsequent line as part of the current command."
#: serverguide/C/virtualization.xml:2225(title)
msgid "Install OpenStack Compute (Nova)"

#: serverguide/C/virtualization.xml:2226(para)
"<command>OpenStack Compute (Nova)</command> is a cloud computing fabric "
"controller (the main part of an IaaS system). It is written in Python, using "
"the Eventlet and Twisted frameworks, and relies on the standard AMQP "
"messaging protocol, and SQLAlchemy for data store access."

#: serverguide/C/virtualization.xml:2231(para)
msgid "Install OpenStack Nova components"

#: serverguide/C/virtualization.xml:2235(command)
"sudo apt-get install nova-api nova-network nova-volume nova-objectstore nova-"

#: serverguide/C/virtualization.xml:2236(command)
msgid "nova-compute euca2ools unzip"

#: serverguide/C/virtualization.xml:2238(para)
msgid "Restart libvirt-bin just to make sure libvirtd is aware of ebtables."

#: serverguide/C/virtualization.xml:2241(command)
msgid "sudo service libvirt-bin restart"

#: serverguide/C/virtualization.xml:2243(para)
msgid "Install RabbitMQ – Advanced Message Queuing Protocol (AMQP)"

#: serverguide/C/virtualization.xml:2247(command)
msgid "sudo apt-get install rabbitmq-server"

#: serverguide/C/virtualization.xml:2250(para)
msgid "Edit <filename>/etc/nova/nova.conf</filename> and add the following:"

#: serverguide/C/virtualization.xml:2253(programlisting)
"# Nova config FlatDHCPManager\n"
"--sql_connection=mysql://novauser:novapassword@localhost/nova\n"
"--flat_injected=true\n"
"--network_manager=nova.network.manager.FlatDHCPManager\n"
"--fixed_range=10.0.0.0/24\n"
"--floating_range=10.153.107.72/29\n"
"--flat_network_dhcp_start=10.0.0.2\n"
"--flat_network_bridge=br100\n"
"--flat_interface=eth1\n"
"--public_interface=eth0\n"

#: serverguide/C/virtualization.xml:2266(para)
msgid "Restart OpenStack services"

#: serverguide/C/virtualization.xml:2270(command) serverguide/C/virtualization.xml:2274(command)
"for i in nova-api nova-network nova-objectstore nova-scheduler nova-volume "

#: serverguide/C/virtualization.xml:2271(command)
msgid "do sudo stop $i; sleep 2; done"

#: serverguide/C/virtualization.xml:2275(command)
msgid "do sudo start $i; sleep 2; done"

#: serverguide/C/virtualization.xml:2277(para)
"Migrate the Nova database from SQLite to MySQL. It may take a while."

#: serverguide/C/virtualization.xml:2281(command)
msgid "sudo nova-manage db sync"
#: serverguide/C/virtualization.xml:2283(para)
"Define a specific <application>private network</application> where all your "
"instances will run. This will be used as the network of fixed IPs set inside "
"<filename>nova.conf</filename>."

#: serverguide/C/virtualization.xml:2288(command)
"sudo nova-manage network create --fixed_range_v4 10.0.0.0/24 --label private "

#: serverguide/C/virtualization.xml:2289(command)
msgid "--bridge_interface br100"

#: serverguide/C/virtualization.xml:2291(para)
"Define a specific public network and allocate 6 (usable) Floating Public IP "
"addresses for use with the instances starting from 10.153.107.72."

#: serverguide/C/virtualization.xml:2295(command)
msgid "sudo nova-manage floating create --ip_range=10.153.107.72/29"

#: serverguide/C/virtualization.xml:2297(para)
"Create a user (user1), a project (project1), download credentials and source "
"its configuration file."

#: serverguide/C/virtualization.xml:2299(command)
msgid "cd ; mkdir nova ; cd nova"

#: serverguide/C/virtualization.xml:2300(command)
msgid "sudo nova-manage user admin user1"

#: serverguide/C/virtualization.xml:2301(command)
msgid "sudo nova-manage project create project1 user1"

#: serverguide/C/virtualization.xml:2302(command)
msgid "sudo nova-manage project zipfile project1 user1"

#: serverguide/C/virtualization.xml:2303(command)
msgid "unzip nova.zip"

#: serverguide/C/virtualization.xml:2304(command) serverguide/C/virtualization.xml:2379(command)
msgid "source novarc"

#: serverguide/C/virtualization.xml:2307(para)
msgid "Verify the OpenStack Compute installation by typing:"

#: serverguide/C/virtualization.xml:2309(command)
msgid "sudo nova-manage service list"

#: serverguide/C/virtualization.xml:2310(command)
msgid "sudo nova-manage version list"

#: serverguide/C/virtualization.xml:2312(para)
"If nova services don’t show up correctly, restart the OpenStack services as "
"described previously. For more information please refer to the "
"troubleshooting section of this guide."
#: serverguide/C/virtualization.xml:2318(title)
msgid "Install Imaging Service (Glance)"

#: serverguide/C/virtualization.xml:2319(para)
"Nova uses the Glance service to manage the operating system images it needs "
"for bringing up instances. Glance can use several types of storage backends, "
"such as filestore, S3, etc. Glance has two components - <emphasis>glance-api "
"and glance-registry</emphasis>. These can be controlled using the "
"corresponding upstart service jobs. For this specific case we will be using "
"mysql as a "

#: serverguide/C/virtualization.xml:2325(para)
msgid "Install Glance"

#: serverguide/C/virtualization.xml:2327(command)
msgid "sudo apt-get install glance"

#: serverguide/C/virtualization.xml:2329(para)
msgid "Create a database and user for glance"

#: serverguide/C/virtualization.xml:2333(command)
msgid "sudo mysql -uroot -ppassword -e \"CREATE DATABASE glance;\""

#: serverguide/C/virtualization.xml:2334(command)
"sudo mysql -uroot -ppassword -e \"GRANT ALL ON glance.* TO "
"glanceuser@localhost \\"

#: serverguide/C/virtualization.xml:2335(command)
msgid "IDENTIFIED BY 'glancepassword' \";"

#: serverguide/C/virtualization.xml:2337(para)
"Edit the file /etc/glance/glance-registry.conf and change the line which "
"contains the option \"sql_connection =\" to this:"

#: serverguide/C/virtualization.xml:2341(programlisting)
msgid "sql_connection = mysql://glanceuser:glancepassword@localhost/glance"

#: serverguide/C/virtualization.xml:2343(para)
msgid "Remove the sqlite database"

#: serverguide/C/virtualization.xml:2345(command)
msgid "rm -rf /var/lib/glance/glance.sqlite"

#: serverguide/C/virtualization.xml:2350(para)
"Restart glance-registry after making changes to /etc/glance/glance-"
"registry.conf. The MySQL database will be automatically populated."

#: serverguide/C/virtualization.xml:2353(command)
msgid "sudo restart glance-registry"

#: serverguide/C/virtualization.xml:2357(para)
"If you find issues, take a look at the log files /var/log/glance/api.log "
"and /var/log/glance/registry.log."
#: serverguide/C/virtualization.xml:2362(title)
msgid "Running Instances"

#: serverguide/C/virtualization.xml:2363(para)
"Before you can instantiate images, you first need to set up user credentials. "
"Once this first step is achieved you also need to upload images that you "
"want to run in the cloud. Once you have these images uploaded to the cloud "
"you will be able to run and connect to them. Here are the steps you should "
"follow to get OpenStack Nova running instances:"

#: serverguide/C/virtualization.xml:2370(para)
msgid "Download, register and publish an Ubuntu cloud image"

#: serverguide/C/virtualization.xml:2372(command)
msgid "distro=lucid"

#: serverguide/C/virtualization.xml:2373(command)
"wget http://cloud-images.ubuntu.com/$distro/current/$distro-server-cloudimg-"

#: serverguide/C/virtualization.xml:2374(command)
"cloud-publish-tarball \"$distro\"-server-cloudimg-amd64.tar.gz "

#: serverguide/C/virtualization.xml:2376(para)
msgid "Create a key pair and start an instance"

#: serverguide/C/virtualization.xml:2378(command)

#: serverguide/C/virtualization.xml:2380(command)
msgid "euca-add-keypair user1 > user1.priv"

#: serverguide/C/virtualization.xml:2381(command)
msgid "chmod 0600 user1.priv"

#: serverguide/C/virtualization.xml:2384(para)
msgid "Allow icmp (ping) and ssh access to instances"

#: serverguide/C/virtualization.xml:2387(command)
msgid "euca-authorize -P icmp -t -1:-1 default"

#: serverguide/C/virtualization.xml:2389(para)
msgid "Run an instance"

#: serverguide/C/virtualization.xml:2392(command)
msgid "ami=`euca-describe-images | awk '{print $2}' | grep -m1 ami`"

#: serverguide/C/virtualization.xml:2393(command)
msgid "euca-run-instances $ami -k user1 -t m1.tiny"

#: serverguide/C/virtualization.xml:2394(command) serverguide/C/virtualization.xml:2403(command)
msgid "euca-describe-instances"

#: serverguide/C/virtualization.xml:2397(para)
msgid "Assign a public address to the instance."

#: serverguide/C/virtualization.xml:2401(command)
msgid "euca-allocate-address"

#: serverguide/C/virtualization.xml:2402(command)
msgid "euca-associate-address -i instance_id public_ip_address"

#: serverguide/C/virtualization.xml:2406(para)
"Above, you must enter the <application>instance_id (ami)</application> and "
"<application>public_ip_address</application> shown by the euca-describe-"
"instances and euca-allocate-address commands."
#: serverguide/C/virtualization.xml:2410(para)
msgid "Now you should be able to SSH to the instance"

#: serverguide/C/virtualization.xml:2413(application)

#: serverguide/C/virtualization.xml:2413(command)
msgid "ssh -i user1.priv ubuntu@<placeholder-1/>"

#: serverguide/C/virtualization.xml:2416(para)
msgid "To terminate instances"

#: serverguide/C/virtualization.xml:2418(application)

#: serverguide/C/virtualization.xml:2418(command)
msgid "euca-terminate-instances <placeholder-1/>"

#: serverguide/C/virtualization.xml:2424(title)
msgid "Install the Storage Infrastructure (Swift)"

#: serverguide/C/virtualization.xml:2425(para)
"Swift is a highly available, distributed, eventually consistent object/blob "
"store. It is used by the OpenStack Infrastructure to provide S3-like cloud "
"storage services. It is also compatible with the Amazon S3 API."

#: serverguide/C/virtualization.xml:2428(para)
"Organizations use Swift to store lots of data efficiently, safely, and "
"cheaply, where applications use a special API to interface between the "
"applications and objects stored in Swift."

#: serverguide/C/virtualization.xml:2432(para)
"Although you can install Swift on a single server, a multiple-server "
"installation is required for production environments. If you want to install "
"OpenStack Object Storage (Swift) on a single node for development or testing "
"purposes, use the Swift All In One instructions on Ubuntu."

#: serverguide/C/virtualization.xml:2436(para)
"For more information see: <ulink "
"url=\"http://swift.openstack.org/development_saio.html\">http://swift.opensta"
"ck.org/development_saio.html</ulink>."
#: serverguide/C/virtualization.xml:2443(title)
msgid "Support and Troubleshooting"

#: serverguide/C/virtualization.xml:2444(para)
msgid "Community Support"

#: serverguide/C/virtualization.xml:2448(ulink)
msgid "OpenStack Mailing list"

#: serverguide/C/virtualization.xml:2453(ulink)
msgid "The OpenStack Wiki search"

#: serverguide/C/virtualization.xml:2459(ulink)
msgid "Launchpad bugs area"

#: serverguide/C/virtualization.xml:2463(para)
msgid "Join the IRC channel #openstack on freenode."

#: serverguide/C/virtualization.xml:2477(ulink)
msgid "Cloud Computing - Service models"

#: serverguide/C/virtualization.xml:2482(ulink)
msgid "OpenStack Compute"

#: serverguide/C/virtualization.xml:2487(ulink)
msgid "OpenStack Image Service"

#: serverguide/C/virtualization.xml:2492(ulink)
msgid "OpenStack Object Storage Administration Guide"

#: serverguide/C/virtualization.xml:2497(ulink)
msgid "Installing OpenStack Object Storage on Ubuntu"

#: serverguide/C/virtualization.xml:2502(ulink)
msgid "http://cloudglossary.com/"

#: serverguide/C/virtualization.xml:2512(title)
msgid "Glossary"
#: serverguide/C/virtualization.xml:2195(para)
#: serverguide/C/virtualization.xml:2514(para)
"The Ubuntu Enterprise Cloud documentation uses terminology that might be "
"unfamiliar to some readers. This page is intended to provide a glossary of "
"such terms and acronyms."

"The Ubuntu Cloud documentation uses terminology that might be unfamiliar to "
"some readers. This page is intended to provide a glossary of such terms and "

#: serverguide/C/virtualization.xml:2202(para)
#: serverguide/C/virtualization.xml:2521(para)
"<emphasis>Cloud</emphasis> - A federated set of physical machines that offer "
"computing resources through virtual machines, provisioned and recollected "

#: serverguide/C/virtualization.xml:2208(para)
"<emphasis>Cloud Controller (CLC)</emphasis> - Eucalyptus component that "
"provides the web UI (an https server on port 8443), and implements the "
"Amazon EC2 API. There should be only one Cloud Controller in an installation "
"of UEC. This service is provided by the Ubuntu <application>eucalyptus-"
"cloud</application> package."

#: serverguide/C/virtualization.xml:2215(para)
"<emphasis>Cluster</emphasis> - A collection of nodes, associated with a "
"Cluster Controller. There can be more than one Cluster in an installation of "
"UEC. Clusters are sometimes physically separate sets of nodes. (e.g. floor1, "

#: serverguide/C/virtualization.xml:2221(para)
"<emphasis>Cluster Controller (CC)</emphasis> - Eucalyptus component that "
"manages collections of node resources. This service is provided by the "
"Ubuntu <application>eucalyptus-cc</application> package."

#: serverguide/C/virtualization.xml:2227(para)
#: serverguide/C/virtualization.xml:2527(para)
"<emphasis>IaaS</emphasis> - Infrastructure as a Service — Cloud "
"infrastructure services, whereby a virtualized environment is delivered as a "
"service over the Internet by the provider. The infrastructure can include "
"servers, network equipment, and software."
#: serverguide/C/virtualization.xml:2534(para)
msgid "<emphasis>EBS</emphasis> - Elastic Block Storage."

#: serverguide/C/virtualization.xml:2232(para)
#: serverguide/C/virtualization.xml:2539(para)
"<emphasis>EC2</emphasis> - Elastic Compute Cloud. Amazon's pay-by-the-hour, "
"pay-by-the-gigabyte public cloud computing offering."

#: serverguide/C/virtualization.xml:2237(para)
msgid "<emphasis>EKI</emphasis> - Eucalyptus Kernel Image."

#: serverguide/C/virtualization.xml:2242(para)
msgid "<emphasis>EMI</emphasis> - Eucalyptus Machine Image."

#: serverguide/C/virtualization.xml:2247(para)
msgid "<emphasis>ERI</emphasis> - Eucalyptus Ramdisk Image."

#: serverguide/C/virtualization.xml:2252(para)
"<emphasis>Eucalyptus</emphasis> - Elastic Utility Computing Architecture for "
"Linking Your Programs To Useful Systems. An open source project originally "
"from the University of California at Santa Barbara, now supported by "
"Eucalyptus Systems, a Canonical Partner."

#: serverguide/C/virtualization.xml:2259(para)
"<emphasis>Front-end</emphasis> - Physical machine hosting one (or more) of "
"the high level Eucalyptus components (cloud, walrus, storage controller, "
"cluster controller)."

#: serverguide/C/virtualization.xml:2265(para)
#: serverguide/C/virtualization.xml:2544(para)
"<emphasis>Node</emphasis> - A node is a physical machine that's capable of "
"running virtual machines, running a node controller. Within Ubuntu, this "

#: serverguide/C/virtualization.xml:2271(para)
"<emphasis>Node Controller (NC)</emphasis> - Eucalyptus component that runs "
"on nodes which host the virtual machines that comprise the cloud. This "
"service is provided by the Ubuntu package <application>eucalyptus-"

#: serverguide/C/virtualization.xml:2277(para)
#: serverguide/C/virtualization.xml:2550(para)
"<emphasis>S3</emphasis> - Simple Storage Service. Amazon's pay-by-the-"
"gigabyte persistent storage solution for EC2."

#: serverguide/C/virtualization.xml:2282(para)
"<emphasis>Storage Controller (SC)</emphasis> - Eucalyptus component that "
"manages dynamic block storage services (EBS). Each 'cluster' in a Eucalyptus "
"installation can have its own Storage Controller. This component is provided "
"by the <application>eucalyptus-sc</application> package."

#: serverguide/C/virtualization.xml:2289(para)
"<emphasis>UEC</emphasis> - Ubuntu Enterprise Cloud. Ubuntu's cloud computing "
"solution, based on Eucalyptus."
#: serverguide/C/virtualization.xml:2294(para)
#: serverguide/C/virtualization.xml:2555(para)
"<emphasis>Ubuntu Cloud</emphasis> - Ubuntu Cloud. Ubuntu's cloud computing "
"solution, based on OpenStack."

#: serverguide/C/virtualization.xml:2560(para)
msgid "<emphasis>VM</emphasis> - Virtual Machine."

#: serverguide/C/virtualization.xml:2299(para)
#: serverguide/C/virtualization.xml:2565(para)
"<emphasis>VT</emphasis> - Virtualization Technology. An optional feature of "
"some modern CPUs, allowing for accelerated virtual machine hosting."

#: serverguide/C/virtualization.xml:2304(para)
"<emphasis>Walrus</emphasis> - Eucalyptus component that implements the "
"Amazon S3 API, used for storing VM images and user storage using S3 bucket "
"put/get abstractions."

#: serverguide/C/virtualization.xml:2577(title)

#: serverguide/C/virtualization.xml:2578(para)
"Containers are a lightweight virtualization technology. They are more akin "
"to an enhanced chroot than to full virtualization like Qemu or VMware, both "
"because they do not emulate hardware and because containers share the same "
"operating system as the host. Therefore containers are better compared to "
"Solaris zones or BSD jails. Linux-vserver and OpenVZ are two pre-existing, "
"independently developed implementations of container-like functionality for "
"Linux. In fact, containers came about as a result of the work to upstream "
"the vserver and OpenVZ functionality. Some vserver and OpenVZ functionality "
"is still missing in containers; however, containers can "
"<emphasis>boot</emphasis> many Linux distributions and have the advantage "
"that they can be used with an unmodified upstream kernel."
#: serverguide/C/virtualization.xml:2593(para)
"There are two user-space implementations of containers, each exploiting the "
"same kernel features. Libvirt allows the use of containers through the LXC "
"driver by connecting to 'lxc:///'. This can be very convenient as it "
"supports the same usage as its other drivers. The other implementation, "
"called simply 'LXC', is not compatible with libvirt, but is more flexible "
"with more userspace tools. It is possible to switch between the two, though "
"there are peculiarities which can cause confusion."

#: serverguide/C/virtualization.xml:2604(para)
"In this document we will mainly describe the <application>lxc</application> "
"package. Toward the end, we will describe how to use the libvirt LXC driver."

#: serverguide/C/virtualization.xml:2609(para)
msgid "In this document, a container name will be shown as CN, C1, or C2."

#: serverguide/C/virtualization.xml:2615(para)
msgid "The <application>lxc</application> package can be installed using"

#: serverguide/C/virtualization.xml:2620(command)
msgid "sudo apt-get install lxc"

#: serverguide/C/virtualization.xml:2625(para)
"This will pull in the required and recommended dependencies, including "
"cgroup-lite, lvm2, and debootstrap. To use libvirt-lxc, install libvirt-bin. "
"LXC and libvirt-lxc can be installed and used at the same time."
#: serverguide/C/virtualization.xml:2633(title)

#: serverguide/C/virtualization.xml:2635(title)
msgid "Basic layout of LXC files"

#: serverguide/C/virtualization.xml:2636(para)
"Following is a description of the files and directories which are installed "

#: serverguide/C/virtualization.xml:2643(para)
msgid "There are two upstart jobs:"

#: serverguide/C/virtualization.xml:2647(para)
"<filename>/etc/init/lxc-net.conf:</filename> is an optional job which only "
"runs if <filename>/etc/default/lxc</filename> specifies USE_LXC_BRIDGE "
"(true by default). It sets up a NATed bridge for containers to use."

#: serverguide/C/virtualization.xml:2656(para)
"<filename>/etc/init/lxc.conf:</filename> runs if LXC_AUTO (true by default) "
"is set to true in <filename>/etc/default/lxc</filename>. It looks for "
"entries under <filename>/etc/lxc/auto/</filename> which are symbolic links "
"to configuration files for the containers which should be started at boot."

#: serverguide/C/virtualization.xml:2668(para)
"<filename>/etc/lxc/lxc.conf:</filename> There is a default container "
"creation configuration file, <filename>/etc/lxc/lxc.conf</filename>, which "
"directs containers to use the LXC bridge created by the lxc-net upstart job. "
"If no configuration file is specified when creating a container, then this "

#: serverguide/C/virtualization.xml:2678(para)
"Examples of other container creation configuration files are found under "
"<filename>/usr/share/doc/lxc/examples</filename>. These show how to create "
"containers without a private network, or using macvlan, vlan, or other "

#: serverguide/C/virtualization.xml:2687(para)
"The various container administration tools are found under "
"<filename>/usr/bin</filename>."

#: serverguide/C/virtualization.xml:2694(para)
"<filename>/usr/lib/lxc/lxc-init</filename> is a very minimal and lightweight "
"init binary which is used by lxc-execute. Rather than 'booting' a full "
"container, it manually mounts a few filesystems, especially "
"<filename>/proc</filename>, and executes its arguments. You are not likely "
"to need to manually refer to this file."
#: serverguide/C/virtualization.xml:2704(para)
"<filename>/usr/lib/lxc/templates/</filename> contains the 'templates' which "
"can be used to create new containers of various distributions and flavors. "
"Not all templates are currently supported."

#: serverguide/C/virtualization.xml:2712(para)
"<filename>/etc/apparmor.d/lxc/lxc-default</filename> contains the default "
"Apparmor MAC policy which works to protect the host from containers. Please "
"see the <xref linkend=\"lxc-apparmor\"/> for more information."

#: serverguide/C/virtualization.xml:2720(para)
"<filename>/etc/apparmor.d/usr.bin.lxc-start</filename> contains a profile to "
"protect the host from <command>lxc-start</command> while it is setting up "

#: serverguide/C/virtualization.xml:2728(para)
"<filename>/etc/apparmor.d/lxc-containers</filename> causes all the profiles "
"defined under <filename>/etc/apparmor.d/lxc</filename> to be loaded at boot."

#: serverguide/C/virtualization.xml:2736(para)
"There are various man pages for the LXC administration tools as well as the "
"<filename>lxc.conf</filename> container configuration file."

#: serverguide/C/virtualization.xml:2743(para)
"<filename>/var/lib/lxc</filename> is where containers and their "
"configuration information are stored."

#: serverguide/C/virtualization.xml:2750(para)
"<filename>/var/cache/lxc</filename> is where caches of distribution data are "
"stored to speed up multiple container creations."
#: serverguide/C/virtualization.xml:2759(title)

#: serverguide/C/virtualization.xml:2760(para)
"When USE_LXC_BRIDGE is set to true in /etc/default/lxc (as it is by "
"default), a bridge called lxcbr0 is created at startup. This bridge is given "
"the private address 10.0.3.1, and containers using this bridge will have a "
"10.0.3.0/24 address. A dnsmasq instance is run listening on that bridge, so "
"if another dnsmasq has bound all interfaces before the lxc-net upstart job "
"runs, lxc-net will fail to start and lxcbr0 will not exist."

#: serverguide/C/virtualization.xml:2769(para)
"If you have another bridge - libvirt's default virbr0, or a br0 bridge for "
"your default NIC - you can use that bridge in place of lxcbr0 for your "

#: serverguide/C/virtualization.xml:2777(title)
msgid "Using a separate filesystem for the container store"

#: serverguide/C/virtualization.xml:2778(para)
"LXC stores container information and (with the default backing store) root "
"filesystems under <filename>/var/lib/lxc</filename>. Container creation "
"templates also tend to store cached distribution information under "
"<filename>/var/cache/lxc</filename>."

#: serverguide/C/virtualization.xml:2785(para)
"If you wish to use another filesystem than <filename>/var</filename>, you "
"can mount a filesystem which has more space into those locations. If you "
"have a disk dedicated for this, you can simply mount it at "
"<filename>/var/lib/lxc</filename>. If you'd like to use another location, "
"like <filename>/srv</filename>, you can bind mount it or use a symbolic "
"link. For instance, if <filename>/srv</filename> is a large mounted "
"filesystem, create and symlink two directories:"
7491
#: serverguide/C/virtualization.xml:2795(command)
7493
"sudo mkdir /srv/lxclib /srv/lxccache sudo rm -rf /var/lib/lxc /var/cache/lxc "
7494
"sudo ln -s /srv/lxclib /var/lib/lxc sudo ln -s /srv/lxccache /var/cache/lxc"
7497
#: serverguide/C/virtualization.xml:2803(para)
7498
msgid "or, using bind mounts:"
7501
#: serverguide/C/virtualization.xml:2808(command)
7503
"sudo mkdir /srv/lxclib /srv/lxccache sudo sed -i '$a \\ /srv/lxclib "
7504
"/var/lib/lxc none defaults,bind 0 0 \\ /srv/lxccache /var/cache/lxc none "
7505
"defaults,bind 0 0' /etc/fstab sudo mount -a"
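The bind-mount variant above appends to /etc/fstab unconditionally, and the symlink variant starts with rm -rf of the old store, which discards any container already under /var/lib/lxc. The script below is an added example, not code from the Ubuntu Server Guide or the lxc package: it performs the same relocation, but only appends an fstab entry when the mount point has none, and moves existing contents of the old directories into place rather than deleting them. The function names, and the optional fstab and /var-root parameters (which exist only so the logic can be exercised against a scratch tree), are this example's own.

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide or the lxc package):
# relocate the LXC container store onto another filesystem with bind mounts.
# On a real host, as root:   relocate_lxc_store /srv
# The second and third parameters default to /etc/fstab and /var; they are
# only overridden when testing the functions against a scratch directory.

# Print the fstab line that bind-mounts $1 onto $2.
bind_entry() {
    printf '%s %s none defaults,bind 0 0\n' "$1" "$2"
}

# Number of non-comment entries in fstab $2 whose mount point is $1.
mount_count() {
    awk -v d="$1" '$1 !~ /^#/ && $2 == d { n++ } END { print n + 0 }' "$2"
}

# Append a bind mount of $1 onto $2 to fstab $3 unless $2 already has an
# entry; this is what makes re-running the relocation safe.
add_bind_mount() {
    if [ "$(mount_count "$2" "$3")" -eq 0 ]; then
        bind_entry "$1" "$2" >> "$3"
    fi
}

# Move whatever already lives at $2 (e.g. containers built before the
# relocation) into $1, recreate $2 as the mount point, register the bind
# mount in fstab $3.
relocate_dir() {
    mkdir -p "$1"
    if [ -d "$2" ]; then
        find "$2" -mindepth 1 -maxdepth 1 -exec mv {} "$1"/ \;
    fi
    mkdir -p "$2"
    add_bind_mount "$1" "$2" "$3"
}

# $1 = base directory on the large filesystem (for instance /srv),
# $2 = fstab to edit (default /etc/fstab), $3 = root of the var tree
# (default /var). Mounts are only activated when editing the real fstab.
relocate_lxc_store() {
    base=$1; fstab=${2:-/etc/fstab}; var=${3:-/var}
    relocate_dir "$base/lxclib"   "$var/lib/lxc"   "$fstab" &&
    relocate_dir "$base/lxccache" "$var/cache/lxc" "$fstab" || return 1
    if [ "$fstab" = /etc/fstab ]; then mount -a; fi
}
```

Run it with the containers stopped: a container whose rootfs is being moved while it runs will not survive the move.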
7508
#: serverguide/C/virtualization.xml:2820(title)
msgid "Containers backed by lvm"
#: serverguide/C/virtualization.xml:2822(para)
"It is possible to use LVM partitions as the backing stores for containers. "
"Advantages of this include flexibility in storage management and fast "
"container cloning. The tools default to using a VG (volume group) named "
"<emphasis>lxc</emphasis>, but another VG can be used through command line "
"options. When an LV is used as a container backing store, the container's "
"configuration file is still <filename>/var/lib/lxc/CN/config</filename>, but "
"the root fs entry in that file (<emphasis>lxc.rootfs</emphasis>) will point "
"to the LV block device name, i.e. <filename>/dev/lxc/CN</filename>."
#: serverguide/C/virtualization.xml:2834(para)
msgid "Containers with directory tree and LVM backing stores can co-exist."
#: serverguide/C/virtualization.xml:2841(title)
#: serverguide/C/virtualization.xml:2842(para)
"If your host has a btrfs <filename>/var</filename>, the LXC administration "
"tools will detect this and automatically exploit it by cloning containers "
"using btrfs snapshots."
#: serverguide/C/virtualization.xml:2850(title)
#: serverguide/C/virtualization.xml:2851(para)
"LXC ships with an AppArmor profile intended to protect the host from "
"accidental misuses of privilege inside the container. For instance, the "
"container will not be able to write to <filename>/proc/sysrq-"
"trigger</filename> or to most <filename>/sys</filename> files."
#: serverguide/C/virtualization.xml:2858(para)
"The <filename>usr.bin.lxc-start</filename> profile is entered by running "
"<command>lxc-start</command>. This profile mainly prevents <command>lxc-"
"start</command> from mounting new filesystems outside of the container's "
"root filesystem. Before executing the container's <command>init</command>, "
"<command>LXC</command> requests a switch to the container's profile. By "
"default, this profile is the <filename>lxc-container-default</filename> "
"policy which is defined in <filename>/etc/apparmor.d/lxc/lxc-"
"default</filename>. This profile prevents the container from accessing many "
"dangerous paths, and from mounting most filesystems."
#: serverguide/C/virtualization.xml:2870(para)
"If you find that <command>lxc-start</command> is failing due to a legitimate "
"access which is being denied by its AppArmor policy, you can disable the lxc-"
"start profile by doing:"
#: serverguide/C/virtualization.xml:2876(screen)
"sudo apparmor_parser -R /etc/apparmor.d/usr.bin.lxc-start\n"
"sudo ln -s /etc/apparmor.d/usr.bin.lxc-start /etc/apparmor.d/disabled/\n"
#: serverguide/C/virtualization.xml:2881(para)
"This will make <command>lxc-start</command> run unconfined, but continue to "
"confine the container itself. If you also wish to disable confinement of the "
"container, then in addition to disabling the <filename>usr.bin.lxc-"
"start</filename> profile, you must add:"
#: serverguide/C/virtualization.xml:2888(screen)
"lxc.aa_profile = unconfined\n"
#: serverguide/C/virtualization.xml:2892(para)
"to the container's configuration file. If you wish to run a container in a "
"custom profile, you can create a new profile under "
"<filename>/etc/apparmor.d/lxc/</filename>. Its name must start with "
"<filename>lxc-</filename> in order for <command>lxc-start</command> to be "
"allowed to transition to that profile. After creating the policy, load it "
#: serverguide/C/virtualization.xml:2901(screen)
"sudo apparmor_parser -r /etc/apparmor.d/lxc-containers\n"
#: serverguide/C/virtualization.xml:2905(para)
"The profile will automatically be loaded after a reboot, because it is "
"sourced by the file <filename>/etc/apparmor.d/lxc-containers</filename>. "
"Finally, to make container <filename>CN</filename> use this new "
"<filename>lxc-CN-profile</filename>, add the following line to its "
"configuration file:"
#: serverguide/C/virtualization.xml:2913(screen)
"lxc.aa_profile = lxc-CN-profile\n"
#: serverguide/C/virtualization.xml:2917(para)
"<command>lxc-execute</command> does not enter an AppArmor profile, but the "
"container it spawns will be confined."
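The rules in the text give three possible states for a container's confinement: no lxc.aa_profile line (the lxc-container-default policy applies), unconfined (which should be a deliberate choice, since it removes the only barrier between container root and paths like /proc/sysrq-trigger), or a custom name that must start with lxc- and must actually be declared under /etc/apparmor.d/lxc/, otherwise lxc-start refuses or fails the transition. The script below is an added example, not code from the Ubuntu Server Guide or the lxc package: it audits a container config against those rules and writes a custom profile skeleton. The function names are this example's own, the profile directory is a parameter only so the check can run against a scratch directory, and the rule set in write_profile is constructed here as a starting point; compare it against the lxc-default file shipped on your host before relying on it.

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide or the lxc package):
# audit a container's lxc.aa_profile setting and write a custom profile.

# Print the effective profile name from config file $1. The last assignment
# wins, as in lxc's config parser; absent means lxc-container-default.
aa_profile_of() {
    p=$(sed -n 's/^[[:space:]]*lxc\.aa_profile[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    printf '%s\n' "${p:-lxc-container-default}"
}

# Classify the confinement of the container whose config is $1, looking for
# custom profiles under $2 (default /etc/apparmor.d/lxc). Prints
# default|unconfined|custom and returns 0, or prints an error and returns 1
# when the name lacks the lxc- prefix or no profile with that name is
# declared (both of which make lxc-start fail).
audit_aa_profile() {
    cfg=$1; dir=${2:-/etc/apparmor.d/lxc}
    prof=$(aa_profile_of "$cfg")
    case $prof in
        lxc-container-default) echo default; return 0 ;;
        unconfined)            echo unconfined; return 0 ;;
        lxc-*) ;;
        *) echo "bad profile name '$prof': must start with lxc-" >&2; return 1 ;;
    esac
    # The policy file may have any name; look for the profile declaration.
    if grep -qs "^profile $prof " "$dir"/*; then
        echo custom; return 0
    fi
    echo "profile '$prof' is not declared under $dir" >&2
    return 1
}

# Write a custom profile lxc-$1-profile into directory $2. Constructed for
# this example: anything not allowed is denied, so only the mount types a
# container init needs are listed, and the broad "file," rule is narrowed
# with explicit denies for the host interfaces the text mentions.
write_profile() {
    name=$1; dir=$2
    cat > "$dir/lxc-$name-profile" <<EOF
profile lxc-$name-profile flags=(attach_disconnected,mediate_deleted) {
  network,
  capability,
  file,
  umount,

  # no mounts of host block devices or other filesystem types
  mount fstype=tmpfs,
  mount fstype=devpts,
  mount fstype=mqueue,

  deny /proc/sysrq-trigger rwklx,
  deny /proc/mem rwklx,
  deny /proc/kmem rwklx,
  deny /proc/sys/** wklx,
  deny /sys/** wklx,
}
EOF
}
```

After write_profile CN /etc/apparmor.d/lxc, load it with the apparmor_parser -r command from the text and set lxc.aa_profile = lxc-CN-profile; audit_aa_profile then reports custom. A report of unconfined is worth treating as a finding in any host review, since lxc-start with that setting runs container root with no AppArmor mediation at all.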
7633
#: serverguide/C/virtualization.xml:2925(title)
msgid "Control Groups"
#: serverguide/C/virtualization.xml:2926(para)
"Control groups (cgroups) are a kernel feature providing hierarchical task "
"grouping and per-cgroup resource accounting and limits. They are used in "
"containers to limit block and character device access and to freeze "
"(suspend) containers. They can be further used to limit memory use and block "
"i/o, guarantee minimum cpu shares, and to lock containers to specific cpus. "
"By default, LXC depends on the cgroup-lite package to be installed, which "
"provides the proper cgroup initialization at boot. The cgroup-lite package "
"mounts each cgroup subsystem separately under "
"<filename>/sys/fs/cgroup/SS</filename>, where SS is the subsystem name. For "
"instance the freezer subsystem is mounted under "
"<filename>/sys/fs/cgroup/freezer</filename>. LXC cgroups are kept under "
"<filename>/sys/fs/cgroup/SS/INIT/lxc</filename>, where INIT is the init "
"task's cgroup. This is <filename>/</filename> by default, so in the end the "
"freezer cgroup for container CN would be "
"<filename>/sys/fs/cgroup/freezer/lxc/CN</filename>."
#: serverguide/C/virtualization.xml:2945(title)
#: serverguide/C/virtualization.xml:2946(para)
"The container administration tools must be run with root user privilege. A "
"utility called <filename>lxc-setup</filename> was written with the intention "
"of providing the tools with the needed file capabilities to allow non-root "
"users to run the tools with sufficient privilege. However, as root in a "
"container cannot yet be reliably contained, this is not worthwhile. It is "
"therefore recommended to not use <filename>lxc-setup</filename>, and to "
"provide the LXC administrators the needed sudo privilege."
#: serverguide/C/virtualization.xml:2957(para)
"The user namespace, which is expected to be available in the next Long Term "
"Support (LTS) release, will allow containment of the container root user, as "
"well as reduce the amount of privilege required for creating and "
"administering containers."
#: serverguide/C/virtualization.xml:2966(title)
msgid "LXC Upstart Jobs"
#: serverguide/C/virtualization.xml:2967(para)
"As listed above, the <application>lxc</application> package includes two "
"upstart jobs. The first, <filename>lxc-net</filename>, is always started "
"when the other, <filename>lxc</filename>, is about to begin, and stops when "
"it stops. If the USE_LXC_BRIDGE variable is set to false in "
"<filename>/etc/default/lxc</filename>, then it will immediately exit. If it "
"is true, and an error occurs bringing up the LXC bridge, then the "
"<filename>lxc</filename> job will not start. <filename>lxc-net</filename> "
"will bring down the LXC bridge when stopped, unless a container is running "
"which is using that bridge."
#: serverguide/C/virtualization.xml:2978(para)
"The <filename>lxc</filename> job starts on runlevel 2-5. If the LXC_AUTO "
"variable is set to true, then it will look under "
"<filename>/etc/lxc/auto</filename> for containers which should be started "
"automatically. When the <filename>lxc</filename> job is stopped, either "
"manually or by entering runlevel 0, 1, or 6, it will stop those containers."
#: serverguide/C/virtualization.xml:2986(para)
"To register a container to start automatically, create a symbolic link "
"<filename>/etc/lxc/auto/name.conf</filename> pointing to the container's "
"config file. For instance, the configuration file for a container "
"<filename>CN</filename> is <filename>/var/lib/lxc/CN/config</filename>. To "
"make that container auto-start, use the command:"
#: serverguide/C/virtualization.xml:2995(command)
msgid "sudo ln -s /var/lib/lxc/CN/config /etc/lxc/auto/CN.conf"
7718
#: serverguide/C/virtualization.xml:3004(title)
msgid "Container Administration"
#: serverguide/C/virtualization.xml:3006(title)
msgid "Creating Containers"
#: serverguide/C/virtualization.xml:3008(para)
"The easiest way to create containers is using <command>lxc-create</command>. "
"This script uses distribution-specific templates under "
"<filename>/usr/lib/lxc/templates/</filename> to set up container-friendly "
"chroots under <filename>/var/lib/lxc/CN/rootfs</filename>, and initialize "
"the configuration in <filename>/var/lib/lxc/CN/fstab</filename> and "
"<filename>/var/lib/lxc/CN/config</filename>, where CN is the container name."
#: serverguide/C/virtualization.xml:3017(para)
msgid "The simplest container creation command would look like:"
#: serverguide/C/virtualization.xml:3022(command)
msgid "sudo lxc-create -t ubuntu -n CN"
#: serverguide/C/virtualization.xml:3027(para)
"This tells lxc-create to use the ubuntu template (-t ubuntu) and to call the "
"container CN (-n CN). Since no configuration file was specified (which would "
"have been done with `-f file'), it will use the default configuration file "
"under <filename>/etc/lxc/lxc.conf</filename>. This gives the container a "
"single veth network interface attached to the lxcbr0 bridge."
#: serverguide/C/virtualization.xml:3035(para)
"The container creation templates can also accept arguments. These can be "
"listed after --. For instance"
#: serverguide/C/virtualization.xml:3041(command)
msgid "sudo lxc-create -t ubuntu -n oneiric1 -- -r oneiric"
#: serverguide/C/virtualization.xml:3046(para)
msgid "passes the arguments '-r oneiric' to the ubuntu template."
#: serverguide/C/virtualization.xml:3051(title)
#: serverguide/C/virtualization.xml:3052(para)
"Help on the lxc-create command can be seen by using <command>lxc-create -"
"h</command>. However, the templates also take their own options. If you do"
#: serverguide/C/virtualization.xml:3058(command)
msgid "sudo lxc-create -t ubuntu -h"
#: serverguide/C/virtualization.xml:3063(para)
"then the general <command>lxc-create</command> help will be followed by help "
"output specific to the ubuntu template. If no template is specified, then "
"only help for <command>lxc-create</command> itself will be shown."
#: serverguide/C/virtualization.xml:3071(title)
msgid "Ubuntu template"
#: serverguide/C/virtualization.xml:3073(para)
"The ubuntu template can be used to create Ubuntu system containers with any "
"release at least as new as 10.04 LTS. It uses debootstrap to create a cached "
"container filesystem which gets copied into place each time a container is "
"created. The cached image is saved and only re-generated when you create a "
"container using the <emphasis>-F</emphasis> (flush) option to the template, "
#: serverguide/C/virtualization.xml:3083(command)
msgid "sudo lxc-create -t ubuntu -n CN -- -F"
#: serverguide/C/virtualization.xml:3088(para)
"The Ubuntu release installed by the template will be the same as that on the "
"host, unless otherwise specified with the <emphasis>-r</emphasis> option, "
#: serverguide/C/virtualization.xml:3094(command)
msgid "sudo lxc-create -t ubuntu -n CN -- -r lucid"
#: serverguide/C/virtualization.xml:3099(para)
"If you want to create a 32-bit container on a 64-bit host, pass <emphasis>-a "
"i386</emphasis> to the template. If you have the qemu-user-static package "
"installed, then you can create a container using any architecture supported "
"by qemu-user-static."
#: serverguide/C/virtualization.xml:3105(para)
"The container will have a user named <emphasis>ubuntu</emphasis> whose "
"password is <emphasis>ubuntu</emphasis> and who is a member of the "
"<emphasis>sudo</emphasis> group. If you wish to inject a public ssh key for "
"the <emphasis>ubuntu</emphasis> user, you can do so with <emphasis>-S "
"sshkey.pub</emphasis>."
#: serverguide/C/virtualization.xml:3111(para)
"You can also <emphasis>bind</emphasis> user jdoe from the host into the "
"container using the <emphasis>-b jdoe</emphasis> option. This will copy "
"jdoe's password and shadow entries into the container, make sure his default "
"group and shell are available, add him to the sudo group, and bind-mount his "
"home directory into the container when the container is started."
#: serverguide/C/virtualization.xml:3119(para)
"When a container is created, the <filename>release-updates</filename> "
"archive is added to the container's <filename>sources.list</filename>, and "
"its package archive will be updated. If the container release is older than "
"12.04 LTS, then the lxcguest package will be automatically installed. "
"Alternatively, if the <emphasis>--trim</emphasis> option is specified, then "
"the lxcguest package will not be installed, and many services will be "
"removed from the container. This will result in a faster-booting, but less "
"upgrade-able container."
#: serverguide/C/virtualization.xml:3131(title)
msgid "Ubuntu-cloud template"
#: serverguide/C/virtualization.xml:3133(para)
"The ubuntu-cloud template creates Ubuntu containers by downloading and "
"extracting the published Ubuntu cloud images. It accepts some of the same "
"options as the ubuntu template, namely <emphasis>-r release</emphasis>, "
"<emphasis>-S sshkey.pub</emphasis>, <emphasis>-a arch</emphasis>, and "
"<emphasis>-F</emphasis> to flush the cached image. It also accepts a few "
"extra options. The <emphasis>-C</emphasis> option will create a "
"<emphasis>cloud</emphasis> container, configured for use with a metadata "
"service. The <emphasis>-u</emphasis> option accepts a cloud-init user-data "
"file to configure the container on start. If <emphasis>-L</emphasis> is "
"passed, then no locales will be installed. The <emphasis>-T</emphasis> "
"option can be used to choose a tarball location to extract in place of the "
"published cloud image tarball. Finally the <emphasis>-i</emphasis> option "
"sets a host id for cloud-init, which by default is set to a random string."
#: serverguide/C/virtualization.xml:3149(title)
msgid "Other templates"
#: serverguide/C/virtualization.xml:3151(para)
"The ubuntu and ubuntu-cloud templates are well supported. Other templates "
"are available however. The debian template creates a Debian based container, "
"using debootstrap much as the ubuntu template does. By default it installs a "
"<emphasis>debian squeeze</emphasis> image. An alternate release can be "
"chosen by setting the SUITE environment variable, i.e.:"
#: serverguide/C/virtualization.xml:3161(command)
msgid "sudo SUITE=sid lxc-create -t debian -n d1"
#: serverguide/C/virtualization.xml:3166(para)
"Since debian cannot be safely booted inside a container, debian containers "
"will be trimmed as with the <emphasis>--trim</emphasis> option to the ubuntu "
#: serverguide/C/virtualization.xml:3172(para)
"To purge the container image cache, call the template directly and pass it "
"the <emphasis>--clean</emphasis> option."
#: serverguide/C/virtualization.xml:3178(command)
msgid "sudo SUITE=sid /usr/lib/lxc/templates/lxc-debian --clean"
#: serverguide/C/virtualization.xml:3183(para)
"A fedora template exists, which creates containers based on fedora releases "
"<= 14. Fedora release 15 and higher are based on systemd, which the "
"template is not yet able to convert into a container-bootable setup. Before "
"the fedora template is able to run, you'll need to make sure that "
"<command>yum</command> and <command>curl</command> are installed. A fedora "
"12 container can be created with"
#: serverguide/C/virtualization.xml:3193(command)
msgid "sudo lxc-create -t fedora -n fedora12 -- -R 12"
#: serverguide/C/virtualization.xml:3198(para)
"An OpenSuSE template exists, but it requires the <command>zypper</command> "
"program, which is not yet packaged. The OpenSuSE template is therefore not "
#: serverguide/C/virtualization.xml:3204(para)
"Two more templates exist mainly for experimental purposes. The busybox "
"template creates a very small system container based entirely on busybox. "
"The sshd template creates an application container running sshd in a private "
"network namespace. The host's library and binary directories are bind-"
"mounted into the container, though not its <filename>/home</filename> or "
"<filename>/root</filename>. To create, start, and ssh into an ssh container, "
#: serverguide/C/virtualization.xml:3216(command)
"sudo lxc-create -t sshd -n ssh1\n"
"ssh-keygen -f id\n"
"sudo mkdir /var/lib/lxc/ssh1/rootfs/root/.ssh\n"
"sudo cp id.pub /var/lib/lxc/ssh1/rootfs/root/.ssh/authorized_keys\n"
"sudo lxc-start -n ssh1 -d\n"
"ssh -i id root@ssh1"
7950
#: serverguide/C/virtualization.xml:3229(title)
msgid "Backing Stores"
#: serverguide/C/virtualization.xml:3231(para)
"By default, <command>lxc-create</command> places the container's root "
"filesystem as a directory tree at "
"<filename>/var/lib/lxc/CN/rootfs</filename>. Another option is to use LVM "
"logical volumes. If a volume group named <emphasis>lxc</emphasis> exists, "
"you can create an lvm-backed container called CN using:"
#: serverguide/C/virtualization.xml:3239(command)
msgid "sudo lxc-create -t ubuntu -n CN -B lvm"
#: serverguide/C/virtualization.xml:3244(para)
"If you want to use a volume group named schroots, with a 5G xfs filesystem, "
"then you would use"
#: serverguide/C/virtualization.xml:3250(command)
"sudo lxc-create -t ubuntu -n CN -B lvm --vgname schroots --fssize 5G --"
#: serverguide/C/virtualization.xml:3259(title)
#: serverguide/C/virtualization.xml:3261(para)
"For rapid provisioning, you may wish to customize a canonical container "
"according to your needs and then make multiple copies of it. This can be "
"done with the <command>lxc-clone</command> program. Given an existing "
"container called C1, a new container called C2 can be created using"
#: serverguide/C/virtualization.xml:3271(command)
msgid "sudo lxc-clone -o C1 -n C2"
#: serverguide/C/virtualization.xml:3276(para)
"If <filename>/var/lib/lxc</filename> is a btrfs filesystem, then "
"<command>lxc-clone</command> will create C2's filesystem as a snapshot of "
"C1's. If the container's root filesystem is lvm backed, then you can specify "
"the <emphasis>-s</emphasis> option to create the new rootfs as an lvm "
"snapshot of the original as follows:"
#: serverguide/C/virtualization.xml:3285(command)
msgid "sudo lxc-clone -s -o C1 -n C2"
#: serverguide/C/virtualization.xml:3290(para)
"Both lvm and btrfs snapshots will provide fast cloning with very small "
"initial disk usage."
8014
#: serverguide/C/virtualization.xml:3297(title)
msgid "Starting and stopping"
#: serverguide/C/virtualization.xml:3299(para)
"To start a container, use <command>lxc-start -n CN</command>. By default "
"<command>lxc-start</command> will execute <filename>/sbin/init</filename> in "
"the container. You can provide a different program to execute, plus "
"arguments, as further arguments to <command>lxc-start</command>:"
#: serverguide/C/virtualization.xml:3307(command)
msgid "sudo lxc-start -n container /sbin/init loglevel=debug"
#: serverguide/C/virtualization.xml:3312(para)
"If you do not specify the <emphasis>-d</emphasis> (daemon) option, then you "
"will see a console (on the container's <filename>/dev/console</filename>, "
"see <xref linkend=\"lxc-consoles\"/> for more information) on the terminal. "
"If you specify the <emphasis>-d</emphasis> option, you will not see that "
"console, and lxc-start will immediately exit successfully - even if a later "
"part of container startup has failed. You can use <command>lxc-wait</command> "
"or <command>lxc-monitor</command> (see <xref linkend=\"lxc-monitoring\"/>) to "
"check on the success or failure of the container startup."
#: serverguide/C/virtualization.xml:3324(para)
"To obtain LXC debugging information, use <emphasis>-o filename -l "
"debuglevel</emphasis>, for instance:"
#: serverguide/C/virtualization.xml:3330(command)
msgid "sudo lxc-start -o lxc.debug -l DEBUG -n container"
#: serverguide/C/virtualization.xml:3335(para)
"Finally, you can specify configuration parameters inline using <emphasis>-"
"s</emphasis>. However, it is generally recommended to place them in the "
"container's configuration file instead. Likewise, an entirely alternate "
"config file can be specified with the <emphasis>-f</emphasis> option, but "
"this is not generally recommended."
#: serverguide/C/virtualization.xml:3343(para)
"While <command>lxc-start</command> runs the container's "
"<filename>/sbin/init</filename>, <command>lxc-execute</command> uses a "
"minimal init program called <command>lxc-init</command>, which attempts to "
"mount <filename>/proc</filename>, <filename>/dev/mqueue</filename>, and "
"<filename>/dev/shm</filename>, executes the programs specified on the "
"command line, and waits for those to finish executing. <command>lxc-"
"start</command> is intended to be used for <emphasis>system "
"containers</emphasis>, while <command>lxc-execute</command> is intended for "
"<emphasis>application containers</emphasis> (see <ulink "
"url=\"https://www.ibm.com/developerworks/linux/library/l-lxc-containers/\"> "
"this article</ulink> for more)."
#: serverguide/C/virtualization.xml:3356(para)
"You can stop a container several ways. You can use "
"<command>shutdown</command>, <command>poweroff</command> and "
"<command>reboot</command> while logged into the container. To cleanly shut "
"down a container externally (i.e. from the host), you can issue the "
"<command>sudo lxc-shutdown -n CN</command> command. This takes an optional "
"timeout value. If not specified, the command issues a SIGPWR signal to the "
"container and immediately returns. If the option is used, as in "
"<command>sudo lxc-shutdown -n CN -t 10</command>, then the command will wait "
"the specified number of seconds for the container to cleanly shut down. "
"Then, if the container is still running, it will kill it (and any running "
"applications). You can also immediately kill the container (without any "
"chance for applications to cleanly shut down) using <command>sudo lxc-stop -"
"n CN</command>. Finally, <command>lxc-kill</command> can be used more "
"generally to send any signal number to the container's init."
#: serverguide/C/virtualization.xml:3373(para)
"While the container is shutting down, you can expect to see some (harmless) "
"error messages, as follows:"
#: serverguide/C/virtualization.xml:3378(screen)
"[sudo] password for ubuntu: =\n"
"Broadcast message from ubuntu@cn1\n"
" (/dev/lxc/console) at 18:17 ...\n"
"The system is going down for power off NOW!\n"
" * Asking all remaining processes to terminate...\n"
" * All processes ended within 1 seconds....\n"
" * Deconfiguring network interfaces...\n"
" * Deactivating swap...\n"
"umount: /run/lock: not mounted\n"
"umount: /dev/shm: not mounted\n"
"mount: / is busy\n"
" * Will now halt\n"
#: serverguide/C/virtualization.xml:3402(para)
"A container can be frozen with <command>sudo lxc-freeze -n CN</command>. "
"This will block all its processes until the container is later unfrozen "
"using <command>sudo lxc-unfreeze -n CN</command>."
8134
#: serverguide/C/virtualization.xml:3411(title)
msgid "Monitoring container status"
#: serverguide/C/virtualization.xml:3413(para)
"Two commands are available to monitor container state changes. <command>lxc-"
"monitor</command> monitors one or more containers for any state changes. It "
"takes a container name as usual with the <emphasis>-n</emphasis> option, but "
"in this case the container name can be a posix regular expression to allow "
"monitoring desirable sets of containers. <command>lxc-monitor</command> "
"continues running as it prints container changes. <command>lxc-"
"wait</command> waits for a specific state change and then exits. For "
#: serverguide/C/virtualization.xml:3426(command)
msgid "sudo lxc-monitor -n 'cont[0-5]*'"
#: serverguide/C/virtualization.xml:3431(para)
"would print all state changes to any containers matching the listed regular "
"expression (quoted so that the shell does not expand it as a glob), whereas"
#: serverguide/C/virtualization.xml:3437(command)
msgid "sudo lxc-wait -n cont1 -s 'STOPPED|FROZEN'"
#: serverguide/C/virtualization.xml:3442(para)
"will wait until container cont1 enters state STOPPED or state FROZEN and "
8170
#: serverguide/C/virtualization.xml:3449(title)
#: serverguide/C/virtualization.xml:3451(para)
"Containers have a configurable number of consoles. One always exists on the "
"container's <filename>/dev/console</filename>. This is shown on the terminal "
"from which you ran <command>lxc-start</command>, unless the <emphasis>-"
"d</emphasis> option is specified. The output on "
"<filename>/dev/console</filename> can be redirected to a file using the "
"<emphasis>-c console-file</emphasis> option to <command>lxc-start</command>. "
"The number of extra consoles is specified by the <command>lxc.tty</command> "
"variable, and is usually set to 4. Those consoles are shown on "
"<filename>/dev/ttyN</filename> (for 1 <= N <= 4). To log into console "
"3 from the host, use"
#: serverguide/C/virtualization.xml:3464(command)
msgid "sudo lxc-console -n container -t 3"
#: serverguide/C/virtualization.xml:3469(para)
"or if the <emphasis>-t N</emphasis> option is not specified, an unused "
"console will be automatically chosen. To exit the console, use the escape "
"sequence Ctrl-a q. Note that the escape sequence does not work in the "
"console resulting from <command>lxc-start</command> without the <emphasis>-"
"d</emphasis> option."
#: serverguide/C/virtualization.xml:3477(para)
"Each container console is actually a Unix98 pty in the host's (not the "
"guest's) pty mount, bind-mounted over the guest's "
"<filename>/dev/ttyN</filename> and <filename>/dev/console</filename>. "
"Therefore, if the guest unmounts those or otherwise tries to access the "
"actual character device <command>4:N</command>, it will not be serving getty "
"to the LXC consoles. (With the default settings, the container will not be "
"able to access that character device and getty will therefore fail.) This "
"can easily happen when a boot script blindly mounts a new "
"<filename>/dev</filename>."
8214
#: serverguide/C/virtualization.xml:3491(title)
msgid "Container Inspection"
#: serverguide/C/virtualization.xml:3493(para)
"Several commands are available to gather information on existing containers. "
"<command>lxc-ls</command> will report all existing containers in its first "
"line of output, and all running containers in the second line. <command>lxc-"
"list</command> provides the same information in a more verbose format, "
"listing running containers first and stopped containers next. <command>lxc-"
"ps</command> will provide lists of processes in containers. To provide "
"<command>ps</command> arguments to <command>lxc-ps</command>, prepend them "
"with <command>--</command>. For instance, for listing of all processes in "
#: serverguide/C/virtualization.xml:3506(command)
msgid "sudo lxc-ps -n plain -- -ef"
#: serverguide/C/virtualization.xml:3511(para)
"<command>lxc-info</command> provides the state of a container and the pid of "
"its init process. <command>lxc-cgroup</command> can be used to query or set "
"the values of a container's control group limits and information. This can "
"be more convenient than interacting with the <command>cgroup</command> "
"filesystem. For instance, to query the list of devices which a running "
"container is allowed to access, you could use"
#: serverguide/C/virtualization.xml:3521(command)
msgid "sudo lxc-cgroup -n CN devices.list"
#: serverguide/C/virtualization.xml:3526(para)
"or to add mknod, read, and write access to every block device with major "
"number 8, that is <filename>/dev/sda</filename> and its partitions but also "
"<filename>/dev/sdb</filename> and any other SCSI disk on the host (use "
"<command>b 8:0 rwm</command> to allow <filename>/dev/sda</filename> alone),"
#: serverguide/C/virtualization.xml:3531(command)
msgid "sudo lxc-cgroup -n CN devices.allow \"b 8:* rwm\""
#: serverguide/C/virtualization.xml:3536(para)
msgid "and, to limit it to 300M of RAM,"
#: serverguide/C/virtualization.xml:3541(command)
msgid "sudo lxc-cgroup -n CN memory.limit_in_bytes 300000000"
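A devices.allow rule is the one cgroup setting on this page that hands a container direct access to host hardware, and a wildcard minor number grants far more than the one node the administrator usually has in mind: b 8:* covers every SCSI disk and partition, not just /dev/sda. The script below is an added example, not code from the Ubuntu Server Guide or the lxc package: device_rule derives an exact major:minor rule from a device node (stat reports them in hex, so they are converted to the decimal form the devices cgroup expects), and broad_device_rules scans devices.list output for entries that cover more than one device. The function names are this example's own; the devices.list lines in the usage below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Ubuntu Server Guide or the lxc package):
# precise devices-cgroup rules and an audit of over-broad ones.
# On a real host:
#   sudo lxc-cgroup -n CN devices.allow "$(device_rule /dev/sda rwm)"
#   sudo lxc-cgroup -n CN devices.list | broad_device_rules

# Print a devices cgroup rule for node $1 with access $2 (any of r, w, m;
# default rwm), e.g. "b 8:0 rwm" for /dev/sda. Returns 1 for a non-device.
device_rule() {
    node=$1; access=${2:-rwm}
    case $(stat -c %F "$node") in
        "block special file")     kind=b ;;
        "character special file") kind=c ;;
        *) echo "$node is not a device node" >&2; return 1 ;;
    esac
    # %t/%T are the major/minor numbers in hex without a 0x prefix.
    set -- $(stat -c '%t %T' "$node")
    printf '%s %d:%d %s\n' "$kind" "$((0x$1))" "$((0x$2))" "$access"
}

# Read devices.list lines on stdin and print those that cover more than a
# single device: the catch-all type "a", or a wildcard in major or minor.
# Returns 1 when any such line was found, 0 when every entry is exact.
broad_device_rules() {
    awk '$1 == "a" || $2 ~ /\*/ { print; broad = 1 }
         END { exit broad ? 1 : 0 }'
}
```

The default container config denies all devices and then allows a short list of exact character devices, so broad_device_rules printing anything for a running container means someone widened that list; the usual culprit is exactly the wildcard rule quoted in the text.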
8266
#: serverguide/C/virtualization.xml:3546(para)
8268
"<command>lxc-netstat</command> executes <command>netstat</command> in the "
8269
"running container, giving you a glimpse of its network state."
8272
#: serverguide/C/virtualization.xml:3551(para)
8274
"<command>lxc-backup</command> will create backups of the root filesystems of "
8275
"all existing containers (except lvm-based ones), using "
8276
"<command>rsync</command> to back the contents up under "
8277
"<filename>/var/lib/lxc/CN/rootfs.backup.1</filename>. These backups can be "
8278
"restored using <command>lxc-restore.</command> However, <command>lxc-"
8279
"backup</command> and <command>lxc-restore</command> are fragile with respect "
8280
"to customizations and therefore their use is not recommended."
8283
#: serverguide/C/virtualization.xml:3565(title)
8284
msgid "Destroying containers"
8287
#: serverguide/C/virtualization.xml:3567(para)
8288
msgid "Use <command>lxc-destroy</command> to destroy an existing container."
8291
#: serverguide/C/virtualization.xml:3572(command)
8292
msgid "sudo lxc-destroy -n CN"
8295
#: serverguide/C/virtualization.xml:3577(para)
8297
"If the container is running, <command>lxc-destroy</command> will exit with a "
8298
"message informing you that you can force stopping and destroying the "
8302
#: serverguide/C/virtualization.xml:3584(command)
8303
msgid "sudo lxc-destroy -n CN -f"
8306
#: serverguide/C/virtualization.xml:3592(title)
8307
msgid "Advanced namespace usage"
8310
#: serverguide/C/virtualization.xml:3594(para)
"One of the Linux kernel features used by LXC to create containers is private "
"namespaces. Namespaces allow a set of tasks to have private mappings of "
"names to resources for things like pathnames and process IDs. (See <xref "
"linkend=\"lxc-resources\"/> for a link to more information). Unlike control "
"groups and other mount features which are also used to create containers, "
"namespaces cannot be manipulated using a filesystem interface. Therefore, "
"LXC ships with the <command>lxc-unshare</command> program, which is mainly "
"for testing. It provides the ability to create new tasks in private "
"namespaces. For instance,"
#: serverguide/C/virtualization.xml:3607(command)
msgid "sudo lxc-unshare -s 'MOUNT|PID' /bin/bash"
#: serverguide/C/virtualization.xml:3612(para)
"creates a bash shell with private pid and mount namespaces. In this shell, "
#: serverguide/C/virtualization.xml:3617(screen)
"root@ubuntu:~# mount -t proc proc /proc\n"
"root@ubuntu:~# ps -ef\n"
"UID PID PPID C STIME TTY TIME CMD\n"
"root 1 0 6 10:20 pts/9 00:00:00 /bin/bash\n"
"root 110 1 0 10:20 pts/9 00:00:00 ps -ef\n"
#: serverguide/C/virtualization.xml:3625(para)
"so that <command>ps</command> shows only the tasks in your new namespace."
#: serverguide/C/virtualization.xml:3631(title)
msgid "Ephemeral containers"
#: serverguide/C/virtualization.xml:3633(para)
"Ephemeral containers are one-time containers. Given an existing container "
"CN, you can run a command in an ephemeral container created based on CN, "
"with the host's jdoe user bound into the container, using:"
#: serverguide/C/virtualization.xml:3641(command)
msgid "lxc-start-ephemeral -b jdoe -o CN -- /home/jdoe/run_my_job"
#: serverguide/C/virtualization.xml:3646(para)
msgid "When the job is finished, the container will be discarded."
#: serverguide/C/virtualization.xml:3652(title)
msgid "Container Commands"
#: serverguide/C/virtualization.xml:3653(para)
msgid "Following is a table of all container commands:"
#: serverguide/C/virtualization.xml:3657(title)
msgid "Container commands"
#: serverguide/C/virtualization.xml:3663(para)
#: serverguide/C/virtualization.xml:3664(para)
#: serverguide/C/virtualization.xml:3669(para)
#: serverguide/C/virtualization.xml:3670(para)
msgid "(NOT SUPPORTED) Run a command in a running container"
#: serverguide/C/virtualization.xml:3673(para)
#: serverguide/C/virtualization.xml:3674(para)
msgid "Back up the root filesystems for all lvm-backed containers"
#: serverguide/C/virtualization.xml:3677(para)
#: serverguide/C/virtualization.xml:3678(para)
msgid "View and set container control group settings"
#: serverguide/C/virtualization.xml:3681(para)
msgid "lxc-checkconfig"
#: serverguide/C/virtualization.xml:3682(para)
msgid "Verify host support for containers"
#: serverguide/C/virtualization.xml:3685(para)
msgid "lxc-checkpoint"
#: serverguide/C/virtualization.xml:3686(para)
msgid "(NOT SUPPORTED) Checkpoint a running container"
#: serverguide/C/virtualization.xml:3689(para)
#: serverguide/C/virtualization.xml:3690(para)
msgid "Clone a new container from an existing one"
#: serverguide/C/virtualization.xml:3693(para)
#: serverguide/C/virtualization.xml:3694(para)
msgid "Open a console in a running container"
#: serverguide/C/virtualization.xml:3697(para)
#: serverguide/C/virtualization.xml:3698(para)
msgid "Create a new container"
#: serverguide/C/virtualization.xml:3701(para)
#: serverguide/C/virtualization.xml:3702(para)
msgid "Destroy an existing container"
#: serverguide/C/virtualization.xml:3705(para)
#: serverguide/C/virtualization.xml:3706(para)
msgid "Run a command in a (not running) application container"
#: serverguide/C/virtualization.xml:3709(para)
#: serverguide/C/virtualization.xml:3710(para)
msgid "Freeze a running container"
#: serverguide/C/virtualization.xml:3713(para)
#: serverguide/C/virtualization.xml:3714(para)
msgid "Print information on the state of a container"
#: serverguide/C/virtualization.xml:3717(para)
#: serverguide/C/virtualization.xml:3718(para)
msgid "Send a signal to a container's init"
#: serverguide/C/virtualization.xml:3721(para)
#: serverguide/C/virtualization.xml:3722(para)
msgid "List all containers"
#: serverguide/C/virtualization.xml:3725(para)
#: serverguide/C/virtualization.xml:3726(para)
msgid "List all containers with shorter output than lxc-list"
#: serverguide/C/virtualization.xml:3729(para)
#: serverguide/C/virtualization.xml:3730(para)
msgid "Monitor state changes of one or more containers"
#: serverguide/C/virtualization.xml:3733(para)
#: serverguide/C/virtualization.xml:3734(para)
msgid "Execute netstat in a running container"
#: serverguide/C/virtualization.xml:3737(para)
#: serverguide/C/virtualization.xml:3738(para)
msgid "View process info in a running container"
#: serverguide/C/virtualization.xml:3741(para)
#: serverguide/C/virtualization.xml:3742(para)
msgid "(NOT SUPPORTED) Restart a checkpointed container"
#: serverguide/C/virtualization.xml:3745(para)
#: serverguide/C/virtualization.xml:3746(para)
msgid "Restore containers from backups made by lxc-backup"
#: serverguide/C/virtualization.xml:3749(para)
#: serverguide/C/virtualization.xml:3750(para)
msgid "(NOT RECOMMENDED) Set file capabilities on LXC tools"
#: serverguide/C/virtualization.xml:3753(para)
#: serverguide/C/virtualization.xml:3754(para)
msgid "(NOT RECOMMENDED) Set or remove setuid bits on LXC tools"
#: serverguide/C/virtualization.xml:3757(para)
msgid "lxc-shutdown"
#: serverguide/C/virtualization.xml:3758(para)
msgid "Safely shut down a container"
#: serverguide/C/virtualization.xml:3761(para)
#: serverguide/C/virtualization.xml:3762(para)
msgid "Start a stopped container"
#: serverguide/C/virtualization.xml:3765(para)
msgid "lxc-start-ephemeral"
#: serverguide/C/virtualization.xml:3766(para)
msgid "Start an ephemeral (one-time) container"
#: serverguide/C/virtualization.xml:3769(para)
#: serverguide/C/virtualization.xml:3770(para)
msgid "Immediately stop a running container"
#: serverguide/C/virtualization.xml:3773(para)
msgid "lxc-unfreeze"
#: serverguide/C/virtualization.xml:3774(para)
msgid "Unfreeze a frozen container"
#: serverguide/C/virtualization.xml:3777(para)
#: serverguide/C/virtualization.xml:3778(para)
msgid "Testing tool to manually unshare namespaces"
#: serverguide/C/virtualization.xml:3781(para)
#: serverguide/C/virtualization.xml:3782(para)
msgid "Print the version of the LXC tools"
#: serverguide/C/virtualization.xml:3785(para)
#: serverguide/C/virtualization.xml:3786(para)
msgid "Wait for a container to reach a particular state"
#: serverguide/C/virtualization.xml:3796(title)
msgid "Configuration File"
#: serverguide/C/virtualization.xml:3798(para)
"LXC containers are very flexible. The Ubuntu <application>lxc</application> "
"package sets defaults to make creation of Ubuntu system containers as simple "
"as possible. If you need more flexibility, this chapter will show how to "
"fine-tune your containers as you need."
#: serverguide/C/virtualization.xml:3805(para)
"Detailed information is available in the <command>lxc.conf(5)</command> man "
"page. Note that the default configurations created by the ubuntu templates "
"are reasonable for a system container and usually do not need customization."
#: serverguide/C/virtualization.xml:3813(title)
msgid "Choosing configuration files and options"
#: serverguide/C/virtualization.xml:3815(para)
"The container setup is controlled by the LXC configuration options. Options "
"can be specified at several points:"
#: serverguide/C/virtualization.xml:3821(para)
"During container creation, a configuration file can be specified. However, "
"creation templates often insert their own configuration options, so we "
"usually specify only network configuration options at this point. For other "
"configuration, it is usually better to edit the configuration file after "
"container creation."
#: serverguide/C/virtualization.xml:3829(para)
"The file <filename>/var/lib/lxc/CN/config</filename> is used at container "
"startup by default."
#: serverguide/C/virtualization.xml:3834(para)
"<command>lxc-start</command> accepts an alternate configuration file with "
"the <emphasis>-f filename</emphasis> option."
#: serverguide/C/virtualization.xml:3839(para)
"Specific configuration variables can be overridden at <command>lxc-"
"start</command> using <emphasis>-s key=value</emphasis>. It is generally "
"better to edit the container configuration file."
#: serverguide/C/virtualization.xml:3850(title) serverguide/C/network-config.xml:27(title)
msgid "Network Configuration"
#: serverguide/C/virtualization.xml:3852(para)
"Container networking in LXC is very flexible. It is triggered by the "
"<command>lxc.network.type</command> configuration file entries. If no such "
"entries exist, then the container will share the host's networking stack. "
"Services and connections started in the container will be using the host's "
"IP address. If at least one <command>lxc.network.type</command> entry is "
"present, then the container will have a private (layer 2) network stack. It "
"will have its own network interfaces and firewall rules. There are several "
"options for <command>lxc.network.type</command>:"
#: serverguide/C/virtualization.xml:3865(para)
"<command>lxc.network.type=empty</command>: The container will have no "
"network interfaces other than loopback."
#: serverguide/C/virtualization.xml:3870(para)
"<command>lxc.network.type=veth</command>: This is the default when using the "
"ubuntu or ubuntu-cloud templates, and creates a veth network tunnel. One end "
"of this tunnel becomes the network interface inside the container. The other "
"end is attached to a bridge on the host. Any number of such tunnels can be "
"created by adding more <command>lxc.network.type=veth</command> entries in "
"the container configuration file. The bridge to which the host end of the "
"tunnel will be attached is specified with <command>lxc.network.link = "
#: serverguide/C/virtualization.xml:3882(para)
"<command>lxc.network.type=phys</command>: A physical network interface (e.g. "
"eth2) is passed into the container."
#: serverguide/C/virtualization.xml:3888(para)
"Two other options are to use vlan or macvlan; however, their use is more "
"complicated and is not described here. A few other networking options exist:"
#: serverguide/C/virtualization.xml:3895(para)
"<command>lxc.network.flags</command> can only be set to "
"<emphasis>up</emphasis> and ensures that the network interface is up."
#: serverguide/C/virtualization.xml:3899(para)
"<command>lxc.network.hwaddr</command> specifies a MAC address to assign to "
"the NIC inside the container."
#: serverguide/C/virtualization.xml:3904(para)
"<command>lxc.network.ipv4</command> and <command>lxc.network.ipv6</command> "
"set the respective IP addresses, if those should be static."
#: serverguide/C/virtualization.xml:3909(para)
"<command>lxc.network.name</command> specifies a name to assign inside the "
"container. If this is not specified, a good default (e.g. eth0 for the first "
#: serverguide/C/virtualization.xml:3915(para)
"<command>lxc.network.lxcscript.up</command> specifies a script to be called "
"after the host side of the networking has been set up. See the "
"<command>lxc.conf(5)</command> manual page for details."
#: serverguide/C/virtualization.xml:3925(title)
msgid "Control group configuration"
#: serverguide/C/virtualization.xml:3927(para)
"Cgroup options can be specified using <command>lxc.cgroup</command> entries. "
"<command>lxc.cgroup.subsystem.item = value</command> instructs LXC to set "
"cgroup <command>subsystem</command>'s <command>item</command> to "
"<command>value</command>. It is perhaps simpler to realize that this will "
"simply write <command>value</command> to the file <command>item</command> "
"for the container's control group for subsystem "
"<command>subsystem</command>. For instance, to set the memory limit to 320M, "
#: serverguide/C/virtualization.xml:3939(command)
msgid "lxc.cgroup.memory.limit_in_bytes = 320000000"
#: serverguide/C/virtualization.xml:3944(para)
"which will cause 320000000 to be written to the file "
"<filename>/sys/fs/cgroup/memory/lxc/CN/limit_in_bytes</filename>."
#: serverguide/C/virtualization.xml:3951(title)
msgid "Rootfs, mounts and fstab"
#: serverguide/C/virtualization.xml:3953(para)
"An important part of container setup is the mounting of various filesystems "
"into place. The following is an example configuration file excerpt "
"demonstrating the commonly used configuration options:"
#: serverguide/C/virtualization.xml:3960(command)
"lxc.rootfs = /var/lib/lxc/CN/rootfs\n"
"lxc.mount.entry=proc /var/lib/lxc/CN/rootfs/proc proc nodev,noexec,nosuid 0 0\n"
"lxc.mount = /var/lib/lxc/CN/fstab"
#: serverguide/C/virtualization.xml:3967(para)
"The first line says that the container's root filesystem is already mounted "
"at <filename>/var/lib/lxc/CN/rootfs</filename>. If the filesystem is a block "
"device (such as an LVM logical volume), then the path to the block device "
"must be given instead."
#: serverguide/C/virtualization.xml:3974(para)
"Each <command>lxc.mount.entry</command> line should contain an item to mount "
"in valid fstab format. The target directory should be prefixed by "
"<filename>/var/lib/lxc/CN/rootfs</filename>, even if "
"<command>lxc.rootfs</command> points to a block device."
#: serverguide/C/virtualization.xml:3981(para)
"Finally, <command>lxc.mount</command> points to a file, in fstab format, "
"containing further items to mount. Note that all of these entries will be "
"mounted by the host before the container init is started. In this way it is "
"possible to bind mount various directories from the host into the container."
#: serverguide/C/virtualization.xml:3991(title)
msgid "Other configuration options"
#: serverguide/C/virtualization.xml:3996(para)
"<command>lxc.cap.drop</command> can be used to prevent the container from "
"having or ever obtaining the listed capabilities. For instance, including"
#: serverguide/C/virtualization.xml:4002(command)
msgid "lxc.cap.drop = sys_admin"
#: serverguide/C/virtualization.xml:4007(para)
"will prevent the container from mounting filesystems, as well as all other "
"actions which require cap_sys_admin. See the "
"<command>capabilities(7)</command> manual page for a list of capabilities "
"and their meanings."
#: serverguide/C/virtualization.xml:4014(para)
"<command>lxc.aa_profile = lxc-CN-profile</command> specifies a custom "
"Apparmor profile in which to start the container. See <xref linkend=\"lxc-"
"apparmor\"/> for more information."
#: serverguide/C/virtualization.xml:4020(para)
"<command>lxc.console=/path/to/consolefile</command> will cause console "
"messages to be written to the specified file."
#: serverguide/C/virtualization.xml:4025(para)
"<command>lxc.arch</command> specifies the architecture for the container, "
"for instance x86, or x86_64."
#: serverguide/C/virtualization.xml:4030(para)
"<command>lxc.tty=5</command> specifies that 5 consoles (in addition to "
"<filename>/dev/console</filename>) should be created. That is, consoles will "
"be available on <filename>/dev/tty1</filename> through "
"<filename>/dev/tty5</filename>. The ubuntu templates set this value to 4."
#: serverguide/C/virtualization.xml:4038(para)
"<command>lxc.pts=1024</command> specifies that the container should have a "
"private (Unix98) devpts filesystem mount. If this is not specified, then the "
"container will share <filename>/dev/pts</filename> with the host, which is "
"rarely desired. The number 1024 means that 1024 ptys should be allowed in "
"the container, however this number is currently ignored. Before starting the "
"container init, LXC will do (essentially) a"
#: serverguide/C/virtualization.xml:4048(command)
msgid "sudo mount -t devpts -o newinstance devpts /dev/pts"
#: serverguide/C/virtualization.xml:4053(para)
"inside the container. It is important to realize that the container should "
"not mount devpts filesystems of its own. It may safely do bind or move "
"mounts of its mounted <filename>/dev/pts</filename>. But if it does"
#: serverguide/C/virtualization.xml:4060(command)
msgid "sudo mount -t devpts devpts /dev/pts"
#: serverguide/C/virtualization.xml:4065(para)
"it will remount the host's devpts instance. If it adds the newinstance mount "
"option, then it will mount a new private (empty) instance. In neither case "
"will it remount the instance which was set up by LXC. For this reason, and "
"to prevent the container from using the host's ptys, the default Apparmor "
"policy will not allow containers to mount devpts filesystems after the "
"container's init has been started."
#: serverguide/C/virtualization.xml:4076(para)
"<command>lxc.devttydir</command> specifies a directory under "
"<filename>/dev</filename> in which LXC will create its console devices. If "
"this option is not specified, then the ptys will be bind-mounted over "
"<filename>/dev/console</filename> and <filename>/dev/ttyN</filename>. "
"However, rare package updates may try to blindly <emphasis>rm -f</emphasis> "
"and then <emphasis>mknod</emphasis> those devices. They will fail (because "
"the file has been bind-mounted), causing the package update to fail. When "
"<command>lxc.devttydir</command> is set to LXC, for instance, then LXC will "
"bind-mount the console ptys onto <filename>/dev/lxc/console</filename> and "
"<filename>/dev/lxc/ttyN</filename>, and subsequently symbolically link them "
"to <filename>/dev/console</filename> and <filename>/dev/ttyN</filename>. "
"This allows the package updates to succeed, at the risk of making future "
"gettys on those consoles fail until the next reboot. This problem will be "
"ideally solved with device namespaces."
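The settings covered in the Network Configuration, Control group configuration, Rootfs and Other configuration options sections above, checked by an added auditing script that is not part of the Ubuntu Server Guide or the lxc package. The two sample configs are constructed, the finding texts are this example's own, and lxcbr0 as the bridge name is an assumption.

```python
"""Audit an LXC container config (the /var/lib/lxc/CN/config format).

Added example for this chapter, not code from the Ubuntu Server Guide or the
lxc package; finding texts and sample configs are this example's own."""
import re
from typing import Dict, List, Tuple

# The guide's convention for mount targets: /var/lib/lxc/CN/rootfs/..., which
# must be used even when lxc.rootfs names a block device.
ROOTFS_RE = re.compile(r"^/var/lib/lxc/[^/]+/rootfs(/|$)")


def parse_lxc_config(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs in file order; repeated keys (for example
    several lxc.network.type or lxc.mount.entry lines) are all kept."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries.append((key.strip(), value.strip()))
    return entries


def target_inside_rootfs(target: str, rootfs: str) -> bool:
    """True if an lxc.mount.entry target lies under the container's rootfs."""
    if rootfs and not rootfs.startswith("/dev/"):
        if target == rootfs or target.startswith(rootfs.rstrip("/") + "/"):
            return True
    return ROOTFS_RE.match(target) is not None


def audit_lxc_config(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    values: Dict[str, List[str]] = {}
    for key, value in parse_lxc_config(text):
        values.setdefault(key, []).append(value)
    findings: List[str] = []

    # No lxc.network.type entry: the container shares the host's network stack.
    if "lxc.network.type" not in values:
        findings.append("no lxc.network.type: container shares the host network stack")

    # No lxc.pts entry: the container shares /dev/pts with the host.
    if "lxc.pts" not in values:
        findings.append("no lxc.pts: container shares /dev/pts with the host")

    # lxc.cap.drop takes a space-separated list; sys_admin is the capability
    # the chapter singles out (mounting filesystems and much more).
    dropped = {cap for line in values.get("lxc.cap.drop", []) for cap in line.split()}
    if "sys_admin" not in dropped:
        findings.append("lxc.cap.drop does not include sys_admin")

    # devices cgroup rules: "a" allows every device, "b 8:* rwm" a whole major.
    for rule in values.get("lxc.cgroup.devices.allow", []):
        if rule == "a" or "*" in rule:
            findings.append(f"broad lxc.cgroup.devices.allow rule: {rule}")

    # Each lxc.mount.entry is an fstab line: source target fstype options ...
    rootfs = values.get("lxc.rootfs", [""])[-1]
    for entry in values.get("lxc.mount.entry", []):
        fields = entry.split()
        if len(fields) < 4:
            findings.append(f"malformed lxc.mount.entry: {entry}")
        elif not target_inside_rootfs(fields[1], rootfs):
            findings.append(f"lxc.mount.entry target outside rootfs: {fields[1]}")

    # The default Apparmor policy is what limits accidental harm to the host.
    if "unconfined" in values.get("lxc.aa_profile", []):
        findings.append("lxc.aa_profile = unconfined: Apparmor confinement disabled")
    return findings


# Constructed sample config (no real container), following the chapter's excerpt.
WEAK_CONFIG = """\
lxc.rootfs = /var/lib/lxc/CN/rootfs
lxc.mount.entry = proc /var/lib/lxc/CN/rootfs/proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = /home /home none bind 0 0
lxc.mount = /var/lib/lxc/CN/fstab
lxc.cgroup.memory.limit_in_bytes = 320000000
lxc.cgroup.devices.allow = b 8:* rwm
lxc.tty = 4
lxc.arch = x86_64
"""

# The same container with the chapter's recommended settings applied; lxcbr0
# as the bridge name is an assumption of this example.
HARDENED_CONFIG = (
    WEAK_CONFIG.replace("lxc.cgroup.devices.allow = b 8:* rwm\n",
                        "lxc.cgroup.devices.allow = b 8:0 rwm\n")
    .replace("/home /home none bind 0 0\n",
             "/home /var/lib/lxc/CN/rootfs/home none bind 0 0\n")
    + "lxc.network.type = veth\n"
    + "lxc.network.link = lxcbr0\n"
    + "lxc.network.flags = up\n"
    + "lxc.pts = 1024\n"
    + "lxc.cap.drop = sys_admin\n"
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_lxc_config(cfg))
```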
#: serverguide/C/virtualization.xml:4100(title)
msgid "Updates in Ubuntu containers"
#: serverguide/C/virtualization.xml:4102(para)
"Because of some limitations which are placed on containers, package upgrades "
"at times can fail. For instance, a package install or upgrade might fail if "
"it is not allowed to create or open a block device. This often blocks all "
"future upgrades until the issue is resolved. In some cases, you can work "
"around this by chrooting into the container, to avoid the container "
"restrictions, and completing the upgrade in the chroot."
#: serverguide/C/virtualization.xml:4111(para)
"Some of the specific things known to occasionally impede package upgrades "
#: serverguide/C/virtualization.xml:4117(para)
"The container modifications performed when creating containers with the --"
#: serverguide/C/virtualization.xml:4121(para)
"Actions performed by lxcguest. For instance, because "
"<filename>/lib/init/fstab</filename> is bind-mounted from another file, "
"mountall upgrades which insist on replacing that file can fail."
#: serverguide/C/virtualization.xml:4126(para)
"The over-mounting of console devices with ptys from the host can cause "
"trouble with udev upgrades."
#: serverguide/C/virtualization.xml:4130(para)
"Apparmor policy and devices cgroup restrictions can prevent package upgrades "
"from performing certain actions."
#: serverguide/C/virtualization.xml:4134(para)
"Capabilities dropped by use of <command>lxc.cap.drop</command> can likewise "
"stop package upgrades from performing certain actions."
#: serverguide/C/virtualization.xml:4142(title)
#: serverguide/C/virtualization.xml:4144(para)
"Libvirt is a powerful hypervisor management solution with which you can "
"administer Qemu, Xen and LXC virtual machines, both locally and remotely. The "
"libvirt LXC driver is a separate implementation from what we normally call "
"<emphasis>LXC</emphasis>. A few differences include:"
#: serverguide/C/virtualization.xml:4152(para)
msgid "Configuration is stored in xml format"
#: serverguide/C/virtualization.xml:4155(para)
msgid "There are no tools to facilitate container creation"
#: serverguide/C/virtualization.xml:4158(para)
msgid "By default there is no console on <filename>/dev/console</filename>"
#: serverguide/C/virtualization.xml:4161(para)
msgid "There is no support (yet) for container reboot or full shutdown"
#: serverguide/C/virtualization.xml:4179(title)
msgid "Converting an LXC container to libvirt-lxc"
#: serverguide/C/virtualization.xml:4181(para)
"<xref linkend=\"lxc-creation\"/> showed how to create LXC containers. If "
"you've created a valid LXC container in this way, you can manage it with "
"libvirt. Fetch a sample xml file from"
#: serverguide/C/virtualization.xml:4189(command) serverguide/C/virtualization.xml:4242(command)
msgid "wget http://people.canonical.com/~serge/o1.xml"
#: serverguide/C/virtualization.xml:4194(para)
"Edit this file to replace the container name and root filesystem locations. "
"Then you can define the container with:"
#: serverguide/C/virtualization.xml:4200(command)
msgid "virsh -c lxc:/// define o1.xml"
#: serverguide/C/virtualization.xml:4207(title)
msgid "Creating a container from cloud image"
#: serverguide/C/virtualization.xml:4209(para)
"If you prefer to create a pristine new container just for LXC, you can "
"download an ubuntu cloud image, extract it, and point a libvirt LXC xml file "
"to it. For instance, find the url for a root tarball for the latest daily "
"Ubuntu 12.04 LTS cloud image using"
#: serverguide/C/virtualization.xml:4217(command)
"url1=`ubuntu-cloudimg-query precise daily $arch --format \"%{url}\\n\"`\n"
"url=`echo $url1 | sed -e 's/.tar.gz/-root\\0/'`\n"
"wget $url\n"
"filename=`basename "
#: serverguide/C/virtualization.xml:4225(para)
msgid "Extract the downloaded tarball, for instance"
#: serverguide/C/virtualization.xml:4230(command)
msgid "mkdir $HOME/c1\ncd $HOME/c1\nsudo tar zxf $filename"
#: serverguide/C/virtualization.xml:4237(para)
msgid "Download the xml template"
#: serverguide/C/virtualization.xml:4247(para)
"In the xml template, replace the name o1 with c1 and the source directory "
"<filename>/var/lib/lxc/o1/rootfs</filename> with "
"<filename>$HOME/c1</filename>. Then define the container using"
#: serverguide/C/virtualization.xml:4254(command)
msgid "virsh define o1.xml"
#: serverguide/C/virtualization.xml:4262(title)
msgid "Interacting with libvirt containers"
#: serverguide/C/virtualization.xml:4264(para)
msgid "As we've seen, you can create a libvirt-lxc container using"
#: serverguide/C/virtualization.xml:4269(command)
msgid "virsh -c lxc:/// define container.xml"
#: serverguide/C/virtualization.xml:4274(para)
msgid "To start a container called <emphasis>container</emphasis>, use"
#: serverguide/C/virtualization.xml:4279(command)
msgid "virsh -c lxc:/// start container"
#: serverguide/C/virtualization.xml:4284(para)
msgid "To stop a running container, use"
#: serverguide/C/virtualization.xml:4289(command)
msgid "virsh -c lxc:/// destroy container"
#: serverguide/C/virtualization.xml:4294(para)
"Note that whereas the <command>lxc-destroy</command> command deletes the "
"container, the <command>virsh destroy</command> command stops a running "
"container. To delete the container definition, use"
#: serverguide/C/virtualization.xml:4301(command)
msgid "virsh -c lxc:/// undefine container"
#: serverguide/C/virtualization.xml:4306(para)
msgid "To get a console to a running container, use"
#: serverguide/C/virtualization.xml:4311(command)
msgid "virsh -c lxc:/// console container"
#: serverguide/C/virtualization.xml:4316(para)
msgid "Exit the console by simultaneously pressing control and ]."
#: serverguide/C/virtualization.xml:4325(title)
msgid "The lxcguest package"
#: serverguide/C/virtualization.xml:4327(para)
"In the 11.04 (Natty) and 11.10 (Oneiric) releases of Ubuntu, a package was "
"introduced called <emphasis role=\"italic\">lxcguest</emphasis>. An "
"unmodified root image could not be safely booted inside a container, but an "
"image with the lxcguest package installed could be booted as a container, on "
"bare hardware, or in a Xen, kvm, or VMware virtual machine."
#: serverguide/C/virtualization.xml:4335(para)
"As of the 12.04 LTS release, the work previously done by the lxcguest "
"package was pushed into the core packages, and the lxcguest package was "
"removed. As a result, an unmodified 12.04 LTS image can be booted as a "
"container, on bare hardware, or in a Xen, kvm, or VMware virtual machine. To "
"use an older release, the lxcguest package should still be used."
#: serverguide/C/virtualization.xml:4346(title) serverguide/C/security.xml:13(title)
#: serverguide/C/virtualization.xml:4348(para)
"A namespace maps ids to resources. By not providing a container any id with "
"which to reference a resource, the resource can be protected. This is the "
"basis of some of the security afforded to container users. For instance, IPC "
"namespaces are completely isolated. Other namespaces, however, have various "
"<emphasis role=\"italic\">leaks</emphasis> which allow privilege to be "
"inappropriately exerted from a container into another container or to the "
#: serverguide/C/virtualization.xml:4358(para)
"By default, LXC containers are started under an Apparmor policy to restrict "
"some actions. However, while stronger security is a goal for future "
"releases, in 12.04 LTS the goal of the Apparmor policy is not to stop "
"malicious actions but rather to stop accidental harm of the host by the "
#: serverguide/C/virtualization.xml:4366(para)
"See the <ulink url=\"http://wiki.ubuntu.com/LxcSecurity\">LXC "
"security</ulink> wiki page for more, up-to-date information."
#: serverguide/C/virtualization.xml:4372(title)
msgid "Exploitable system calls"
#: serverguide/C/virtualization.xml:4374(para)
"It is a core container feature that containers share a kernel with the host. "
"Therefore, if the kernel contains any exploitable system calls, the "
"container can exploit these as well. Once the container controls the kernel "
"it can fully control any resource known to the host."
9194
#: serverguide/C/virtualization.xml:4389(para)
9196
"The DeveloperWorks article <ulink "
9197
"url=\"https://www.ibm.com/developerworks/linux/library/l-lxc-"
9198
"containers/\">LXC: Linux container tools</ulink> was an early introduction "
9199
"to the use of containers."
9202
#: serverguide/C/virtualization.xml:4395(para)
9204
"The <ulink url=\"http://www.ibm.com/developerworks/linux/library/l-lxc-"
9205
"security/index.html\"> Secure Containers Cookbook</ulink> demonstrated the "
9206
"use of security modules to make containers more secure."
9209
#: serverguide/C/virtualization.xml:4404(ulink)
9210
msgid "capabilities"
9213
#: serverguide/C/virtualization.xml:4405(ulink)
9217
#: serverguide/C/virtualization.xml:4401(para)
9218
msgid "Manual pages referenced above can be found at: <placeholder-1/>"
9221
#: serverguide/C/virtualization.xml:4411(para)
9223
"The upstream LXC project is hosted at <ulink "
9224
"url=\"http://lxc.sf.net\">Sourceforge</ulink>."
9227
#: serverguide/C/virtualization.xml:4417(para)
9229
"LXC security issues are listed and discussed at <ulink "
9230
"url=\"http://wiki.ubuntu.com/LxcSecurity\">the LXC Security wiki page</ulink>"
9233
#: serverguide/C/virtualization.xml:4423(para)
9235
"For more on namespaces in Linux, see: S. Bhattiprolu, E. W. Biederman, S. E. "
9236
"Hallyn, and D. Lezcano. Virtual Servers and Check- point/Restart in "
9237
"Mainstream Linux. SIGOPS Op- erating Systems Review, 42(5), 2008."
6564
9240
#: serverguide/C/vcs.xml:13(title)
10254
12963
"change them by:"
10257
#: serverguide/C/remote-administration.xml:195(command)
12966
#: serverguide/C/remote-administration.xml:191(command)
10258
12967
msgid "chmod 600 .ssh/authorized_keys"
10261
#: serverguide/C/remote-administration.xml:197(para)
12970
#: serverguide/C/remote-administration.xml:193(para)
10263
12972
"You should now be able to SSH to the host without being prompted for a "
10267
#: serverguide/C/remote-administration.xml:206(para)
12976
#: serverguide/C/remote-administration.xml:202(para)
10269
12978
"<ulink url=\"https://help.ubuntu.com/community/SSH\">Ubuntu Wiki SSH</ulink> "
10273
#: serverguide/C/remote-administration.xml:212(ulink)
12982
#: serverguide/C/remote-administration.xml:208(ulink)
10274
12983
msgid "OpenSSH Website"
10277
#: serverguide/C/remote-administration.xml:217(ulink)
12986
#: serverguide/C/remote-administration.xml:213(ulink)
10278
12987
msgid "Advanced OpenSSH Wiki Page"
12990
#: serverguide/C/remote-administration.xml:221(title)
12994
#: serverguide/C/remote-administration.xml:223(para)
12996
"<application>Puppet</application> is a cross platform framework enabling "
12997
"system administrators to perform common tasks using code. The code can do a "
12998
"variety of tasks from installing new software, to checking file permissions, "
12999
"or updating user accounts. Puppet is great not only during the initial "
13000
"installation of a system, but also throughout the system's entire life "
13001
"cycle. In most circumstances <application>puppet</application> will be used "
13002
"in a client/server configuration."
13005
#: serverguide/C/remote-administration.xml:230(para)
msgid ""
"This section covers installing and configuring "
"<application>Puppet</application> in a client/server configuration. This "
"simple example demonstrates how to install "
"<application>Apache</application> using <application>Puppet</application>."

#: serverguide/C/remote-administration.xml:238(para)
msgid ""
"To install <application>Puppet</application>, in a terminal on the "
"<emphasis>server</emphasis> enter:"

#: serverguide/C/remote-administration.xml:243(command)
msgid "sudo apt-get install puppetmaster"

#: serverguide/C/remote-administration.xml:246(para)
msgid "On the <emphasis>client</emphasis> machine, or machines, enter:"

#: serverguide/C/remote-administration.xml:251(command)
msgid "sudo apt-get install puppet"
#: serverguide/C/remote-administration.xml:258(para)
msgid ""
"Prior to configuring <application>puppet</application> you may want to add a "
"DNS <emphasis>CNAME</emphasis> record for "
"<emphasis>puppet.example.com</emphasis>, where "
"<emphasis>example.com</emphasis> is your domain. By default "
"<application>Puppet</application> clients check DNS for puppet.example.com "
"as the puppet server name, or <emphasis>Puppet Master</emphasis>. See <xref "
"linkend=\"dns\"/> for more DNS details."

#: serverguide/C/remote-administration.xml:265(para)
msgid ""
"If you do not wish to use DNS, you can add entries to the server and client "
"<filename>/etc/hosts</filename> file. Whichever method you use, make sure the "
"name resolves to the real master: the agent fetches the master's CA "
"certificate on its first connection and trusts it from then on. For example, "
"in the <application>Puppet</application> server's "
"<filename>/etc/hosts</filename> "

#: serverguide/C/remote-administration.xml:270(programlisting)
msgid ""
"127.0.0.1 localhost.localdomain localhost puppet\n"
"192.168.1.17 meercat02.example.com meercat02\n"

#: serverguide/C/remote-administration.xml:275(para)
msgid ""
"On each <application>Puppet</application> client, add an entry for the "

#: serverguide/C/remote-administration.xml:279(programlisting)
msgid ""
"192.168.1.16 meercat.example.com meercat puppet\n"

#: serverguide/C/remote-administration.xml:284(para)
msgid ""
"Replace the example IP addresses and domain names above with your actual "
"server and client addresses and domain names."
#: serverguide/C/remote-administration.xml:289(para)
msgid ""
"Now set up some resources for <application>apache2</application>. Create a "
"file <filename>/etc/puppet/manifests/site.pp</filename> containing the "

#: serverguide/C/remote-administration.xml:294(programlisting)
msgid ""
"# The resources are wrapped in a class so that nodes.pp can 'include apache2'.\n"
"class apache2 {\n"
"  package {\n"
"    'apache2':\n"
"      ensure => installed\n"
"  }\n"
"\n"
"  service {\n"
"    'apache2':\n"
"      ensure => true,\n"
"      enable => true,\n"
"      require => Package['apache2']\n"
"  }\n"
"}\n"
#: serverguide/C/remote-administration.xml:309(para)
msgid ""
"Next, create a node file <filename>/etc/puppet/manifests/nodes.pp</filename> "

#: serverguide/C/remote-administration.xml:313(programlisting)
msgid ""
"node 'meercat02.example.com' {\n"
"  include apache2\n"
"}\n"

#: serverguide/C/remote-administration.xml:320(para)
msgid ""
"Replace <emphasis>meercat02.example.com</emphasis> with your actual "
"<application>Puppet</application> client's host name."
#: serverguide/C/remote-administration.xml:325(para)
msgid ""
"The final step for this simple <application>Puppet</application> server is "
"to restart the daemon:"

#: serverguide/C/remote-administration.xml:330(command)
msgid "sudo /etc/init.d/puppetmaster restart"

#: serverguide/C/remote-administration.xml:333(para)
msgid ""
"Now that everything is configured on the <application>Puppet</application> "
"server, it is time to configure the client."

#: serverguide/C/remote-administration.xml:337(para)
msgid ""
"First, configure the <application>Puppet</application> agent daemon to start. "
"Edit <filename>/etc/default/puppet</filename>, changing "
"<emphasis>START</emphasis> to yes:"

#: serverguide/C/remote-administration.xml:342(programlisting) serverguide/C/mail.xml:629(programlisting)
msgid "START=yes\n"

#: serverguide/C/remote-administration.xml:346(para)
msgid "Then start the service:"

#: serverguide/C/remote-administration.xml:351(command)
msgid "sudo /etc/init.d/puppet start"
#: serverguide/C/remote-administration.xml:354(para)
msgid ""
"Back on the <application>Puppet</application> server, the client's "
"certificate request has to be signed. Any host that can reach the master can "
"submit such a request, so list the pending ones with <command>sudo puppetca "
"--list</command> and sign only the host names you expect:"

#: serverguide/C/remote-administration.xml:359(command)
msgid "sudo puppetca --sign meercat02.example.com"

#: serverguide/C/remote-administration.xml:362(para)
msgid ""
"Check <filename>/var/log/syslog</filename> for any errors with the "
"configuration. If all goes well the <application>apache2</application> "
"package and its dependencies will be installed on the "
"<application>Puppet</application> client."

#: serverguide/C/remote-administration.xml:368(para)
msgid ""
"This example is <emphasis>very</emphasis> simple, and does not highlight "
"many of <application>Puppet</application>'s features and benefits. For more "
"information see <xref linkend=\"puppet-resources\"/>."
#: serverguide/C/remote-administration.xml:380(para)
msgid ""
"See the <ulink url=\"http://docs.puppetlabs.com/\">Official Puppet "
"Documentation</ulink> web site."

#: serverguide/C/remote-administration.xml:385(para)
msgid ""
"Also see <ulink url=\"http://www.apress.com/9781430230571\">Pro "
"Puppet</ulink>."

#: serverguide/C/remote-administration.xml:390(para)
msgid ""
"Another source of additional information is the <ulink "
"url=\"https://help.ubuntu.com/community/Puppet\">Ubuntu Wiki Puppet "
"Page</ulink>."
#: serverguide/C/remote-administration.xml:399(title)
msgid "Zentyal"

#: serverguide/C/remote-administration.xml:401(para)
msgid ""
"<application>Zentyal</application> is a Linux small business server that "
"can be configured as a Gateway, Infrastructure Manager, Unified Threat "
"Manager, Office Server, Unified Communication Server or a combination of "
"them. All network services managed by Zentyal are tightly integrated, "
"automating most tasks. This helps to avoid errors in the network "
"configuration and administration and saves time. "
"<application>Zentyal</application> is open source, released under the GNU "
"General Public License (GPL), and runs on top of Ubuntu GNU/Linux."

#: serverguide/C/remote-administration.xml:412(para)
msgid ""
"<application>Zentyal</application> consists of a series of packages (usually "
"one for each module) that provide a web interface to configure the different "
"servers or services. The configuration is stored in a key-value "
"<application>Redis</application> database, but the configuration related to "
"users, groups and domains is stored in <application>OpenLDAP</application>. "
"When you configure any of the available parameters through the web "
"interface, the final configuration files are overwritten using the "
"configuration templates provided by the modules, so hand edits to those "
"files do not survive. The main advantages of using "
"<application>Zentyal</application> are: a unified, graphical user interface "
"to configure all network services and high, out-of-the-box integration between "

#: serverguide/C/remote-administration.xml:429(para)
msgid ""
"Zentyal 2.3 is available on Ubuntu 12.04 Universe repository. The modules "
#: serverguide/C/remote-administration.xml:436(para)
msgid ""
"zentyal-core & zentyal-common: the core of the "
"<application>Zentyal</application> interface and the common libraries of the "
"framework. They also include the logs and events modules, which give the "
"administrator an interface to view the logs and generate events from them."

#: serverguide/C/remote-administration.xml:445(para)
msgid ""
"zentyal-network: manages the configuration of the network, from the "
"interfaces (supporting static IP, DHCP, VLAN, bridges or PPPoE) to multiple "
"gateways when there is more than one Internet connection, load balancing and "
"advanced routing, static routes or dynamic DNS."

#: serverguide/C/remote-administration.xml:453(para)
msgid ""
"zentyal-objects & zentyal-services: provide an abstraction level for "
"network addresses (e.g. LAN instead of 192.168.1.0/24) and for ports named "
"as services (e.g. HTTP instead of 80/TCP)."

#: serverguide/C/remote-administration.xml:460(para)
msgid ""
"zentyal-firewall: configures the <application>iptables</application> rules "
"to block forbidden connections, NAT and port redirections."

#: serverguide/C/remote-administration.xml:466(para)
msgid ""
"zentyal-ntp: installs the NTP daemon to keep the server's clock accurate and "
"to allow network clients to synchronize their clocks against the server."

#: serverguide/C/remote-administration.xml:472(para)
msgid ""
"zentyal-dhcp: configures the <application>ISC DHCP</application> server, "
"supporting network ranges, static leases and other advanced options like "
"NTP, WINS, dynamic DNS updates and network boot with PXE."

#: serverguide/C/remote-administration.xml:479(para)
msgid ""
"zentyal-dns: brings the <application>ISC Bind9</application> DNS server into "
"your server, for caching local queries as a forwarder or as an authoritative "
"server for the configured domains. Allows you to configure A, CNAME, MX, NS, TXT "

#: serverguide/C/remote-administration.xml:487(para)
msgid ""
"zentyal-ca: integrates the management of a Certification Authority within "
"Zentyal so users can use certificates to authenticate against the services, "
"for example with <application>OpenVPN</application>."

#: serverguide/C/remote-administration.xml:494(para)
msgid ""
"zentyal-openvpn: allows you to configure multiple VPN servers and clients "
"using <application>OpenVPN</application>, with dynamic routing configuration "
"using <application>Quagga</application>."

#: serverguide/C/remote-administration.xml:501(para)
msgid ""
"zentyal-users: provides an interface to configure and manage users and "
"groups in <application>OpenLDAP</application>. Other services on Zentyal "
"authenticate against LDAP, giving centralized management of users and "
"groups. It is also possible to synchronize users, passwords and groups from "
"a <application>Microsoft Active Directory</application> domain."

#: serverguide/C/remote-administration.xml:511(para)
msgid ""
"zentyal-squid: configures <application>Squid</application> and "
"<application>Dansguardian</application> to speed up browsing through "
"caching and to filter content."

#: serverguide/C/remote-administration.xml:518(para)
msgid ""
"zentyal-samba: allows <application>Samba</application> configuration and "
"integration with the existing LDAP. From the same interface you can define "
"password policies, create shared resources and assign permissions."

#: serverguide/C/remote-administration.xml:526(para)
msgid ""
"zentyal-printers: integrates <application>CUPS</application> with "
"<application>Samba</application> and allows you not only to configure the "
"printers but also to grant permissions on them based on LDAP users and groups."
#: serverguide/C/remote-administration.xml:535(para)
msgid ""
"To install <application>Zentyal</application>, in a terminal on the "
"<emphasis>server</emphasis> enter (where <zentyal-module> is any of "
"the modules from the previous list):"

#: serverguide/C/remote-administration.xml:542(command)
msgid "sudo apt-get install <zentyal-module>"

#: serverguide/C/remote-administration.xml:546(para)
msgid ""
"<application>Zentyal</application> publishes one major stable release once a "
"year (in September) based on the latest Ubuntu LTS release. Stable releases "
"always have even minor numbers (e.g. 2.2, 3.0) and beta releases have odd "
"minor numbers (e.g. 2.1, 2.3). Ubuntu 12.04 comes with "
"<application>Zentyal</application> 2.3 packages. If you want to upgrade to a "
"new stable release published after the release of Ubuntu 12.04 you can use "
"the <ulink url=\"https://launchpad.net/~zentyal/\">Zentyal Team PPA</ulink>. "
"Upgrading to newer stable releases can provide minor bugfixes not "
"backported to 2.3 in Precise, as well as newer features. Bear in mind that "
"adding a PPA means trusting its signing key for every package it publishes."

#: serverguide/C/remote-administration.xml:560(para)
msgid ""
"If you need more information on how to add packages from a PPA see <ulink "
"url=\"https://help.ubuntu.com/12.04/ubuntu-help/addremove-ppa.html\"> Add a "
"Personal Package Archive (PPA)</ulink>."

#: serverguide/C/remote-administration.xml:568(para)
msgid ""
"Not present in the Ubuntu Universe repositories, but in the <ulink "
"url=\"https://launchpad.net/~zentyal/\">Zentyal Team PPA</ulink>, you will "
"find these other modules:"
#: serverguide/C/remote-administration.xml:575(para)
msgid ""
"zentyal-antivirus: integrates the <application>ClamAV</application> "
"antivirus with other modules like the proxy, file sharing or mailfilter."

#: serverguide/C/remote-administration.xml:582(para)
msgid ""
"zentyal-asterisk: configures <application>Asterisk</application> to provide "
"a simple PBX with LDAP based authentication."

#: serverguide/C/remote-administration.xml:588(para)
msgid ""
"zentyal-bwmonitor: allows you to monitor the bandwidth usage of your LAN "
"clients."

#: serverguide/C/remote-administration.xml:594(para)
msgid ""
"zentyal-captiveportal: integrates a captive portal with the firewall and "
"LDAP users and groups."

#: serverguide/C/remote-administration.xml:600(para)
msgid ""
"zentyal-ebackup: allows you to make scheduled backups of your server using "
"the popular <application>duplicity</application> backup tool."

#: serverguide/C/remote-administration.xml:606(para)
msgid "zentyal-ftp: configures an FTP server with LDAP based authentication."

#: serverguide/C/remote-administration.xml:611(para)
msgid "zentyal-ids: integrates a network intrusion detection system."

#: serverguide/C/remote-administration.xml:616(para)
msgid ""
"zentyal-ipsec: allows you to configure IPsec tunnels using "
"<application>OpenSwan</application>."

#: serverguide/C/remote-administration.xml:622(para)
msgid ""
"zentyal-jabber: integrates the <application>ejabberd</application> XMPP "
"server with LDAP users and groups."

#: serverguide/C/remote-administration.xml:628(para)
msgid ""
"zentyal-thinclients: an <application>LTSP</application> based thin clients "

#: serverguide/C/remote-administration.xml:634(para)
msgid ""
"zentyal-mail: a full mail stack including <application>Postfix"
"</application> and <application>Dovecot</application> with an LDAP backend."

#: serverguide/C/remote-administration.xml:641(para)
msgid ""
"zentyal-mailfilter: configures <application>amavisd</application> with the "
"mail stack to filter spam and attached viruses."

#: serverguide/C/remote-administration.xml:647(para)
msgid ""
"zentyal-monitor: integrates <application>collectd</application> to monitor "
"server performance and running services."

#: serverguide/C/remote-administration.xml:653(para)
msgid ""
"zentyal-pptp: configures a <application>PPTP</application> VPN server. PPTP "
"is widely regarded as insecure; prefer the OpenVPN or IPsec modules for "
"anything sensitive."

#: serverguide/C/remote-administration.xml:658(para)
msgid ""
"zentyal-radius: integrates <application>FreeRADIUS</application> with LDAP "
"users and groups."

#: serverguide/C/remote-administration.xml:664(para)
msgid ""
"zentyal-software: a simple interface to manage installed "
"<application>Zentyal</application> modules and system updates."

#: serverguide/C/remote-administration.xml:670(para)
msgid ""
"zentyal-trafficshaping: configures traffic limiting rules to do bandwidth "
"throttling and improve latency."

#: serverguide/C/remote-administration.xml:676(para)
msgid ""
"zentyal-usercorner: allows users to edit their own LDAP attributes using a "

#: serverguide/C/remote-administration.xml:682(para)
msgid ""
"zentyal-virt: a simple interface to create and manage virtual machines based "
"on <application>libvirt</application>."

#: serverguide/C/remote-administration.xml:688(para)
msgid ""
"zentyal-webmail: allows you to access your mail using the popular "
"<application>Roundcube</application> webmail."

#: serverguide/C/remote-administration.xml:694(para)
msgid ""
"zentyal-webserver: configures the <application>Apache</application> "
"webserver to host different sites on your machine."

#: serverguide/C/remote-administration.xml:700(para)
msgid ""
"zentyal-zarafa: integrates the <application>Zarafa</application> groupware "
"suite with the <application>Zentyal</application> mail stack and LDAP."
#: serverguide/C/remote-administration.xml:712(title)
msgid "First steps"

#: serverguide/C/remote-administration.xml:714(para)
msgid ""
"Any system account belonging to the sudo group is allowed to log into the "
"<application>Zentyal</application> web interface. If you are using the user "
"created during the installation, it should be in the sudo group by default."

#: serverguide/C/remote-administration.xml:722(para)
msgid "If you need to add another user to the sudo group, just execute:"

#: serverguide/C/remote-administration.xml:727(command)
msgid "sudo adduser username sudo"

#: serverguide/C/remote-administration.xml:731(para)
msgid ""
"To access the <application>Zentyal</application> web interface, browse to "
"https://localhost/ (or the IP of your remote server). As Zentyal creates its "
"own self-signed SSL certificate, you will have to accept a security "
"exception in your browser. Before accepting it, check that the certificate "
"fingerprint your browser shows matches the one on the server, so that you "
"are not accepting a certificate presented by someone in the middle of the "
"connection."

#: serverguide/C/remote-administration.xml:738(para)
msgid ""
"Once logged in you will see the dashboard with an overview of your server. "
"To configure any of the features of your installed modules, go to the "
"different sections on the left menu. When you make any changes, a red "
"<emphasis>Save changes</emphasis> button appears in the upper right corner, "
"which you must click to save all configuration changes. To apply these "
"configuration changes on your server, the module needs to be enabled first; "
"you can do so from the <emphasis>Module Status</emphasis> entry on the left "
"menu. Every time you enable a module, a pop-up will appear asking for "
"confirmation to perform the necessary actions and changes on your server and "
"configuration "

#: serverguide/C/remote-administration.xml:752(para)
msgid ""
"If you need to customize any configuration file or run certain actions "
"(scripts or commands) to configure features not available in "
"<application>Zentyal</application>, place the custom configuration file "
"templates in /etc/zentyal/stubs/<module>/ and the hooks in "
"/etc/zentyal/hooks/<module>.<action>."

#: serverguide/C/remote-administration.xml:765(para)
msgid ""
"<ulink url=\"http://doc.zentyal.org/\">Zentyal Official Documentation"
"</ulink> "

#: serverguide/C/remote-administration.xml:769(para)
msgid ""
"See also the <ulink url=\"http://trac.zentyal.org/wiki/Documentation\">Zentyal "
"Community Documentation</ulink> page."

#: serverguide/C/remote-administration.xml:773(para)
msgid ""
"And don't forget to visit the <ulink url=\"http://forum.zentyal.org/\">forum"
"</ulink> for community support, feedback, feature requests, etc."
#: serverguide/C/package-management.xml:13(title)
msgid "Package Management"

#: serverguide/C/package-management.xml:14(para)
msgid ""
"Ubuntu features a comprehensive package management system for the "
"installation, upgrade, configuration, and removal of software. In addition "
"to providing access to an organized base of over 24,000 software packages "
"for your Ubuntu computer, the package management facilities also feature "
"dependency resolution capabilities and software update checking."

#: serverguide/C/package-management.xml:14(para)
msgid ""
"Ubuntu features a comprehensive package management system for installing, "
"upgrading, configuring, and removing software. In addition to providing "
"access to an organized base of over 35,000 software packages for your Ubuntu "
"computer, the package management facilities also feature dependency "
"resolution capabilities and software update checking."

#: serverguide/C/package-management.xml:16(para)
"also reduced."
#: serverguide/C/network-config.xml:899(para)
msgid "A DHCP server can provide configuration settings using two methods:"

#: serverguide/C/network-config.xml:904(term)
msgid "MAC Address"

#: serverguide/C/network-config.xml:921(para)
msgid ""
"A DHCP server can provide configuration settings using the following methods:"

#: serverguide/C/network-config.xml:926(term)
msgid "Manual allocation (MAC address)"

#: serverguide/C/network-config.xml:906(para)
#: serverguide/C/network-config.xml:928(para)
msgid ""
"This method entails using DHCP to identify the unique hardware address of "
"each network card connected to the network and then continually supplying a "
"constant configuration each time the DHCP client makes a request to the DHCP "
"server using that network device. This ensures that a particular address is "
"assigned automatically to that network card, based on its MAC address. Note "
"that this is not a form of authentication: a MAC address is trivially "
"changed on the client, so a fixed lease must not be relied on to identify or "
"restrict a host."

#: serverguide/C/network-config.xml:915(term)
msgid "Address Pool"

#: serverguide/C/network-config.xml:917(para)
msgid ""
"This method entails defining a pool (sometimes also called a range or scope) "
"of IP addresses from which DHCP clients are supplied their configuration "
"properties dynamically and on a \"first come, first served\" basis. When a "
"DHCP client is no longer on the network for a specified period, the "
"configuration is expired and released back to the address pool for use by "
"other DHCP clients."

#: serverguide/C/network-config.xml:928(para)
msgid ""
"Ubuntu is shipped with both a DHCP server and a client. The server is "
"<application>dhcpd</application> (dynamic host configuration protocol "
"daemon). The client provided with Ubuntu is "
"<application>dhclient</application> and should be installed on all computers "
"that are to be automatically configured. Both programs are easy to install "
"and configure and will be automatically started at system boot."

#: serverguide/C/network-config.xml:939(term)
msgid "Dynamic allocation (address pool)"

#: serverguide/C/network-config.xml:941(para)
msgid ""
"In this method, the DHCP server assigns an IP address from a pool of "
"addresses (sometimes also called a range or scope) for a period of time, or "
"lease, that is configured on the server, or until the client informs the "
"server that it no longer needs the address. This way, clients receive their "
"configuration properties dynamically and on a \"first come, first served\" "
"basis. When a DHCP client is no longer on the network for a specified "
"period, the configuration is expired and released back to the address pool "
"for use by other DHCP clients. In other words, an address can be leased or "
"used for a period of time; after this period, the client has to renegotiate "
"the lease with the server to keep using the address."

#: serverguide/C/network-config.xml:954(term)
msgid "Automatic allocation"

#: serverguide/C/network-config.xml:956(para)
msgid ""
"Using this method, the DHCP server automatically assigns an IP address "
"permanently to a device, selecting it from a pool of available addresses. "
"Usually DHCP is used to assign a temporary address to a client, but a DHCP "
"server can allow an infinite lease time."

#: serverguide/C/network-config.xml:963(para)
msgid ""
"The last two methods can be considered “automatic” because in each case the "
"DHCP server assigns an address with no extra intervention needed. The only "
"difference between them is in how long the IP address is leased, in other "
"words whether a client's address varies over time. Ubuntu is shipped with "
"both a DHCP server and a client. The server is "
"<application>dhcpd</application> (dynamic host configuration protocol "
"daemon). The client provided with Ubuntu is "
"<application>dhclient</application> and should be installed on all computers "
"that are to be automatically configured. Both programs are easy to install "
"and configure and will be automatically started at system boot."

#: serverguide/C/network-config.xml:938(para)
#: serverguide/C/network-config.xml:978(para)
msgid ""
"At a terminal prompt, enter the following command to install "
"<application>dhcpd</application>:"

#: serverguide/C/network-config.xml:943(command)
msgid "sudo apt-get install dhcp3-server"

#: serverguide/C/network-config.xml:983(command)
msgid "sudo apt-get install isc-dhcp-server"

#: serverguide/C/network-config.xml:945(para)
msgid ""
"You will probably need to change the default configuration by editing "
"/etc/dhcp3/dhcpd.conf to suit your needs and particular configuration."

#: serverguide/C/network-config.xml:985(para)
msgid ""
"You will probably need to change the default configuration by editing "
"/etc/dhcp/dhcpd.conf to suit your needs and particular configuration."

#: serverguide/C/network-config.xml:949(para)
msgid ""
"You also need to edit /etc/default/dhcp3-server to specify the interfaces "
"dhcpd should listen to. By default it listens to eth0."

#: serverguide/C/network-config.xml:989(para)
msgid ""
"You also may need to edit /etc/default/isc-dhcp-server to specify the "
"interfaces dhcpd should listen to."

#: serverguide/C/network-config.xml:953(para)
#: serverguide/C/network-config.xml:993(para)
msgid ""
"NOTE: dhcpd's messages are being sent to syslog. Look there for diagnostics "

#: serverguide/C/network-config.xml:960(para)
#: serverguide/C/network-config.xml:1000(para)
msgid ""
"The error message the installation ends with might be a little confusing, "
"but the following steps will help you configure the service:"

#: serverguide/C/network-config.xml:964(para)
#: serverguide/C/network-config.xml:1004(para)
msgid ""
"Most commonly, what you want to do is assign IP addresses dynamically from a "
"pool. This can be done with settings as follows:"
#: serverguide/C/network-config.xml:968(programlisting)
msgid ""
"# Sample /etc/dhcpd.conf\n"
"# (add your comments here)\n"
"default-lease-time 600;\n"
"max-lease-time 7200;\n"
"option subnet-mask 255.255.255.0;\n"
"option broadcast-address 192.168.1.255;\n"
"option routers 192.168.1.254;\n"
"option domain-name-servers 192.168.1.1, 192.168.1.2;\n"
"option domain-name \"mydomain.example\";\n"
"\n"
"subnet 192.168.1.0 netmask 255.255.255.0 {\n"
"  range 192.168.1.10 192.168.1.100;\n"
"  range 192.168.1.150 192.168.1.200;\n"
"}\n"

#: serverguide/C/network-config.xml:1008(programlisting)
msgid ""
"# minimal sample /etc/dhcp/dhcpd.conf\n"
"default-lease-time 600;\n"
"max-lease-time 7200;\n"
"\n"
"subnet 192.168.1.0 netmask 255.255.255.0 {\n"
"  range 192.168.1.150 192.168.1.200;\n"
"  option routers 192.168.1.254;\n"
"  option domain-name-servers 192.168.1.1, 192.168.1.2;\n"
"  option domain-name \"mydomain.example\";\n"
"}\n"
#: serverguide/C/network-config.xml:984(para)
msgid ""
"This will result in the DHCP server giving a client an IP address from the "
"range 192.168.1.10-192.168.1.100 or 192.168.1.150-192.168.1.200. It will "
"lease an IP address for 600 seconds if the client doesn't ask for a specific "
"time frame. Otherwise the maximum (allowed) lease will be 7200 seconds. The "
"server will also \"advise\" the client that it should use 255.255.255.0 as "
"its subnet mask, 192.168.1.255 as its broadcast address, 192.168.1.254 as "
"the router/gateway and 192.168.1.1 and 192.168.1.2 as its DNS servers."

#: serverguide/C/network-config.xml:993(para)
msgid ""
"If you need to specify a WINS server for your Windows clients, you will need "
"to include the netbios-name-servers option, e.g."

#: serverguide/C/network-config.xml:997(programlisting)
msgid "option netbios-name-servers 192.168.1.1;\n"

#: serverguide/C/network-config.xml:1000(para)
msgid ""
"Dhcpd configuration settings are taken from the DHCP mini-HOWTO, which can "
"be found <ulink "
"url=\"http://www.tldp.org/HOWTO/DHCP/index.html\">here</ulink>."
#: serverguide/C/network-config.xml:1010(para)
#: serverguide/C/network-config.xml:1020(para)
msgid ""
"This will result in the DHCP server giving clients an IP address from the "
"range 192.168.1.150-192.168.1.200. It will lease an IP address for 600 "
"seconds if the client doesn't ask for a specific time frame. Otherwise the "
"maximum (allowed) lease will be 7200 seconds. The server will also "
"\"advise\" the client to use 192.168.1.254 as the default gateway and "
"192.168.1.1 and 192.168.1.2 as its DNS servers."

#: serverguide/C/network-config.xml:1028(para)
msgid ""
"After changing the config file you have to restart "
"<application>dhcpd</application>:"

#: serverguide/C/network-config.xml:1033(command)
msgid "sudo /etc/init.d/isc-dhcp-server restart"
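The configuration above defines a pool and a handful of infrastructure addresses. Two things worth checking before and after putting it in service are that the pool cannot hand out the router or DNS addresses (or the network and broadcast address), and, once the server is running, how much of the pool is taken and by whom, since a single client cycling through spoofed MAC addresses can drain a pool of this size in seconds. The following Python script is an added example written for this guide, not part of the Ubuntu Server Guide or of ISC dhcpd: it parses the minimal dhcpd.conf shown above and reports both. The configuration text and the lease records it checks are constructed inline so that it runs offline, and the 90% and half-the-pool thresholds are arbitrary choices.

```python
"""Check a dhcpd.conf pool against the addresses it hands out and against
the current leases.

Added example for this guide, not part of the Ubuntu Server Guide or of ISC
dhcpd: the configuration text and the lease records are constructed here so
the script runs offline.
"""
import ipaddress
import re
from collections import Counter

# Constructed: the minimal /etc/dhcp/dhcpd.conf shown above.
SAMPLE_CONF = """
default-lease-time 600;
max-lease-time 7200;

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.150 192.168.1.200;
  option routers 192.168.1.254;
  option domain-name-servers 192.168.1.1, 192.168.1.2;
  option domain-name "mydomain.example";
}
"""

# Constructed: the same file with the router moved inside the pool (a mistake).
BAD_CONF = SAMPLE_CONF.replace("192.168.1.254", "192.168.1.160")

# Constructed active leases as (address, MAC), in the spirit of dhcpd.leases:
# 45 sequential MACs from one OUI (what a DHCP starvation tool produces),
# two ordinary clients, and one address that is not in the pool at all.
SAMPLE_LEASES = [(f"192.168.1.{150 + i}", f"de:ad:be:00:00:{i:02x}") for i in range(45)]
SAMPLE_LEASES += [
    ("192.168.1.195", "00:11:22:33:44:55"),
    ("192.168.1.196", "00:11:22:aa:bb:cc"),
    ("192.168.1.20", "00:11:22:01:02:03"),
]

SUBNET_RE = re.compile(r"^\s*subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{", re.M)
RANGE_RE = re.compile(r"^\s*range\s+(\S+)\s+(\S+)\s*;", re.M)
OPTION_RE = re.compile(r"^\s*option\s+(routers|domain-name-servers)\s+([^;]+);", re.M)


def parse_conf(text):
    """Return (subnet, pool addresses, router/DNS addresses) from dhcpd.conf text."""
    m = SUBNET_RE.search(text)
    if m is None:
        raise ValueError("no subnet declaration found")
    subnet = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    pool = set()
    for lo, hi in RANGE_RE.findall(text):
        first, last = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
        pool.update(ipaddress.ip_address(n) for n in range(first, last + 1))
    infra = set()
    for _, value in OPTION_RE.findall(text):
        infra.update(ipaddress.ip_address(v.strip()) for v in value.split(","))
    return subnet, pool, infra


def pool_problems(subnet, pool, infra):
    """Addresses the pool would hand out that it must not."""
    problems = []
    for addr in sorted(pool):
        if addr not in subnet:
            problems.append(f"{addr} is in a range but outside {subnet}")
        elif addr in (subnet.network_address, subnet.broadcast_address):
            problems.append(f"{addr} is the network or broadcast address")
        elif addr in infra:
            problems.append(f"{addr} is a router/DNS address and also in the pool")
    return problems


def lease_report(pool, leases, exhausted_at=0.9):
    """Pool utilisation plus two things worth alerting on: addresses leased that
    are not in the pool, and one OUI holding most of the pool (starvation)."""
    in_pool = [(a, m) for a, m in leases if ipaddress.ip_address(a) in pool]
    outside = sorted(a for a, _ in leases if ipaddress.ip_address(a) not in pool)
    ouis = Counter(m.lower()[:8] for _, m in in_pool)
    top_oui, top_count = ouis.most_common(1)[0] if ouis else (None, 0)
    utilisation = len(in_pool) / len(pool)
    return {
        "pool_size": len(pool),
        "leased": len(in_pool),
        "utilisation": round(utilisation, 3),
        "exhausted": utilisation >= exhausted_at,
        "outside_pool": outside,
        "top_oui": (top_oui, top_count),
        "starvation_suspect": top_count >= len(pool) / 2,
    }


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("bad", BAD_CONF)):
        subnet, pool, infra = parse_conf(conf)
        print(name, subnet, len(pool), "addresses,", pool_problems(subnet, pool, infra))
    print(lease_report(parse_conf(SAMPLE_CONF)[1], SAMPLE_LEASES))
```

Feed it the real file and the (address, MAC) pairs of the active entries in /var/lib/dhcp/dhcpd.leases to use it on a live server; an address leased outside the pool points at a second DHCP server or a hand-edited lease file, and a pool that is both nearly full and dominated by one OUI is the signature of starvation rather than of organic growth.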
#: serverguide/C/network-config.xml:1041(para)
msgid ""
"The <ulink url=\"https://help.ubuntu.com/community/dhcp3-server\">dhcp3-"
"server Ubuntu Wiki</ulink> page has more information."

#: serverguide/C/network-config.xml:1015(para)
msgid ""
"For more <filename>/etc/dhcp3/dhcpd.conf</filename> options see the <ulink "
"url=\"http://manpages.ubuntu.com/manpages/maverick/en/man5/dhcpd.conf.5.html"
"\">dhcpd.conf man page</ulink>."

#: serverguide/C/network-config.xml:1021(para)
msgid ""
"Also see the <ulink url=\"http://www.dhcp-handbook.com/dhcp_faq.html\">DHCP "
"FAQ</ulink>."

#: serverguide/C/network-config.xml:1046(para)
msgid ""
"For more <filename>/etc/dhcp/dhcpd.conf</filename> options see the <ulink "
"url=\"http://manpages.ubuntu.com/manpages/precise/en/man5/dhcpd.conf.5.html\""
">dhcpd.conf man page</ulink>."

#: serverguide/C/network-config.xml:1053(ulink)
msgid "ISC dhcp-server"

#: serverguide/C/network-config.xml:1031(title)
#: serverguide/C/network-config.xml:1062(title)
msgid "Time Synchronisation with NTP"
12799
#: serverguide/C/network-config.xml:1032(para)
12801
"This page describes methods for keeping your computer's time accurate. This "
12802
"is useful for servers, but is not necessary (or desirable) for desktop "
12806
#: serverguide/C/network-config.xml:1035(para)
16118
#: serverguide/C/network-config.xml:1063(para)
12808
16120
"NTP is a TCP/IP protocol for synchronising time over a network. Basically a "
12809
16121
"client requests the current time from a server, and uses it to set its own "
12813
#: serverguide/C/network-config.xml:1038(para)
16125
#: serverguide/C/network-config.xml:1066(para)
12815
16127
"Behind this simple description, there is a lot of complexity - there are "
12816
16128
"tiers of NTP servers, with the tier one NTP servers connected to atomic "
12817
"clocks (often via GPS), and tier two and three servers spreading the load of "
12818
"actually handling requests across the Internet. Also the client software is "
12819
"a lot more complex than you might think - it has to factor out communication "
16129
"clocks, and tier two and three servers spreading the load of actually "
16130
"handling requests across the Internet. Also the client software is a lot "
16131
"more complex than you might think - it has to factor out communication "
12820
16132
"delays, and adjust the time in a way that does not upset all the other "
12821
16133
"processes that run on the server. But luckily all that complexity is hidden "
12825
#: serverguide/C/network-config.xml:1041(para)
12827
"Ubuntu has two ways of automatically setting your time: ntpdate and ntpd."
16137
#: serverguide/C/network-config.xml:1069(para)
16138
msgid "Ubuntu uses ntpdate and ntpd."
12830
#: serverguide/C/network-config.xml:1046(title)
16141
#: serverguide/C/network-config.xml:1074(title)
12831
16142
msgid "ntpdate"
12834
#: serverguide/C/network-config.xml:1047(para)
16145
#: serverguide/C/network-config.xml:1075(para)
12836
16147
"Ubuntu comes with ntpdate as standard, and will run it once at boot time to "
12837
"set up your time according to Ubuntu's NTP server. However, a server's clock "
12838
"is likely to drift considerably between reboots, so it makes sense to "
12839
"correct the time occasionally. The easiest way to do this is to get cron to "
12840
"run ntpdate every day. With your favorite editor, as root, create a file "
12841
"<code>/etc/cron.daily/ntpdate</code> containing:"
12844
#: serverguide/C/network-config.xml:1052(screen)
16151
#: serverguide/C/network-config.xml:1078(programlisting)
12846
msgid "ntpdate ntp.ubuntu.com\n"
12849
#: serverguide/C/network-config.xml:1054(para)
12851
"The file <code>/etc/cron.daily/ntpdate</code> must also be executable."
12854
#: serverguide/C/network-config.xml:1057(screen)
12856
msgid "sudo chmod 755 /etc/cron.daily/ntpdate\n"
12859
#: serverguide/C/network-config.xml:1061(title)
16155
"ntpdate -s ntp.ubuntu.com\n"
16158
#: serverguide/C/network-config.xml:1084(title)
12863
#: serverguide/C/network-config.xml:1062(para)
12865
"ntpdate is a bit of a blunt instrument - it can only adjust the time once a "
12866
"day, in one big correction. The ntp daemon ntpd is far more subtle. It "
12867
"calculates the drift of your system clock and continuously adjusts it, so "
12868
"there are no large corrections that could lead to inconsistent logs for "
12869
"instance. The cost is a little processing power and memory, but for a modern "
12870
"server this is negligible."
12873
#: serverguide/C/network-config.xml:1065(para)
12874
msgid "To set up ntpd:"
12877
#: serverguide/C/network-config.xml:1066(screen)
12879
msgid "sudo apt-get install ntp\n"
12882
#: serverguide/C/network-config.xml:1071(title)
12883
msgid "Changing Time Servers"
12886
#: serverguide/C/network-config.xml:1072(para)
12888
"In both cases above, your system will use Ubuntu's NTP server at "
12889
"<code>ntp.ubuntu.com</code> by default. This is OK, but you might want to "
12890
"use several servers to increase accuracy and resilience, and you may want to "
12891
"use time servers that are geographically closer to you. To do this for "
12892
"ntpdate, change the contents of <code>/etc/cron.daily/ntpdate</code> to:"
12895
#: serverguide/C/network-config.xml:1079(screen)
12897
msgid "ntpdate ntp.ubuntu.com pool.ntp.org \n"
12900
#: serverguide/C/network-config.xml:1081(para)
12902
"And for ntpd edit <code>/etc/ntp.conf</code> to include additional server "
12906
#: serverguide/C/network-config.xml:1086(screen)
12909
"server ntp.ubuntu.com\n"
12910
"server pool.ntp.org\n"
12913
#: serverguide/C/network-config.xml:1089(para)
12915
"You may notice <code>pool.ntp.org</code> in the examples above. This is a "
12916
"really good idea which uses round-robin DNS to return an NTP server from a "
12917
"pool, spreading the load between several different servers. Even better, "
12918
"they have pools for different regions - for instance, if you are in New "
12919
"Zealand, you could use <code>nz.pool.ntp.org</code> instead of "
12920
"<code>pool.ntp.org</code>. Look at <ulink "
12921
"url=\"http://www.pool.ntp.org/\">http://www.pool.ntp.org/</ulink> for more "
12925
#: serverguide/C/network-config.xml:1100(para)
12927
"You can also Google for NTP servers in your region, and add these to your "
12928
"configuration. To test that a server works, just type <code>sudo ntpdate "
12929
"ntp.server.name</code> and see what happens."
12932
#: serverguide/C/network-config.xml:1111(para)
16162
#: serverguide/C/network-config.xml:1085(para)
16164
"The ntp daemon ntpd calculates the drift of your system clock and "
16165
"continuously adjusts it, so there are no large corrections that could lead "
16166
"to inconsistent logs for instance. The cost is a little processing power and "
16167
"memory, but for a modern server this is negligible."
16170
#: serverguide/C/network-config.xml:1092(para)
16171
msgid "To install ntpd, from a terminal prompt enter:"
16174
#: serverguide/C/network-config.xml:1104(para)
16176
"Edit <filename>/etc/ntp.conf</filename> to add/remove server lines. By "
16177
"default these servers are configured:"
16180
#: serverguide/C/network-config.xml:1109(programlisting)
16184
"# Use servers from the NTP Pool Project. Approved by Ubuntu Technical Board\n"
16185
"# on 2011-02-08 (LP: #104525). See http://www.pool.ntp.org/join.html for\n"
16186
"# more information.\n"
16187
"server 0.ubuntu.pool.ntp.org\n"
16188
"server 1.ubuntu.pool.ntp.org\n"
16189
"server 2.ubuntu.pool.ntp.org\n"
16190
"server 3.ubuntu.pool.ntp.org\n"
16193
#: serverguide/C/network-config.xml:1119(para)
16195
"After changing the config file you have to reload the "
16196
"<application>ntpd</application>:"
16199
#: serverguide/C/network-config.xml:1124(command)
16200
msgid "sudo /etc/init.d/ntp reload"
16203
#: serverguide/C/network-config.xml:1128(title)
16204
msgid "View status"
16207
#: serverguide/C/network-config.xml:1129(para)
16208
msgid "Use ntpq to see more info:"
16211
#: serverguide/C/network-config.xml:1133(userinput)
16213
msgid "# sudo ntpq -p"
16216
#: serverguide/C/network-config.xml:1132(screen)
16220
"<placeholder-1/>\n"
16221
" remote refid st t when poll reach delay offset "
16223
"============================================================================="
16225
"+stratum2-2.NTP. 129.70.130.70 2 u 5 64 377 68.461 -44.274 "
16227
"+ntp2.m-online.n 212.18.1.106 2 u 5 64 377 54.629 -27.318 "
16229
"*145.253.66.170 .DCFa. 1 u 10 64 377 83.607 -30.159 "
16231
"+stratum2-3.NTP. 129.70.130.70 2 u 5 64 357 68.795 -68.168 "
16233
"+europium.canoni 193.79.237.14 2 u 63 64 337 81.534 -67.968 "
16237
#: serverguide/C/network-config.xml:1149(para)
12934
16239
"See the <ulink url=\"https://help.ubuntu.com/community/UbuntuTime\">Ubuntu "
12935
16240
"Time</ulink> wiki page for more information."
12938
#: serverguide/C/network-config.xml:1117(ulink)
12939
msgid "NTP Support"
12942
#: serverguide/C/network-config.xml:1122(ulink)
12943
msgid "The NTP FAQ and HOWTO"
12946
#: serverguide/C/network-auth.xml:13(title)
16243
#: serverguide/C/network-config.xml:1155(ulink)
16244
msgid "ntp.org, home of the Network Time Protocol project"
16247
#: serverguide/C/network-auth.xml:14(title)
12947
16248
msgid "Network Authentication"
12950
#: serverguide/C/network-auth.xml:15(para)
12951
msgid "This section explains various Network Authentication protocols."
16251
#: serverguide/C/network-auth.xml:16(para)
16253
"This section applies LDAP to network authentication and authorization."
12954
#: serverguide/C/network-auth.xml:19(title)
16256
#: serverguide/C/network-auth.xml:21(title)
12955
16257
msgid "OpenLDAP Server"
12958
#: serverguide/C/network-auth.xml:20(para)
12960
"LDAP is an acronym for Lightweight Directory Access Protocol; it is a "
12961
"simplified version of the X.500 protocol. The directory setup in this "
12962
"section will be used for authentication. Nevertheless, LDAP can be used in "
12963
"numerous ways: authentication, shared directory (for mail clients), address "
12967
#: serverguide/C/network-auth.xml:28(para)
12969
"To describe LDAP quickly, all information is stored in a tree structure. "
12970
"With <application>OpenLDAP</application> you have freedom to determine the "
12971
"directory arborescence (the Directory Information Tree: the DIT) yourself. "
12972
"We will begin with a basic tree containing two nodes below the root:"
12975
#: serverguide/C/network-auth.xml:37(para)
12976
msgid "\"People\" node where your users will be stored"
12979
#: serverguide/C/network-auth.xml:40(para)
12980
msgid "\"Groups\" node where your groups will be stored"
12983
#: serverguide/C/network-auth.xml:44(para)
12985
"Before beginning, you should determine what the root of your LDAP directory "
12986
"will be. By default, your tree will be determined by your Fully Qualified "
12987
"Domain Name (FQDN). If your domain is example.com (which we will use in this "
12988
"example), your root node will be dc=example,dc=com."
12991
#: serverguide/C/network-auth.xml:54(para)
12993
"First, install the <application>OpenLDAP</application> server daemon "
12994
"<application>slapd</application> and <application>ldap-utils</application>, "
12995
"a package containing LDAP management utilities:"
12998
#: serverguide/C/network-auth.xml:60(command)
12999
msgid "sudo apt-get install slapd ldap-utils"
13002
#: serverguide/C/network-auth.xml:63(para)
13004
"By default <application>slapd</application> is configured with minimal "
13005
"options needed to run the <application>slapd</application> daemon."
16260
#: serverguide/C/network-auth.xml:23(para)
16262
"The Lightweight Directory Access Protocol, or LDAP, is a protocol for "
16263
"querying and modifying an X.500-based directory service running over TCP/IP. "
16264
"The current LDAP version is LDAPv3, as defined in <ulink "
16265
"url=\"http://tools.ietf.org/html/rfc4510\">RFC4510</ulink>, and the LDAP "
16266
"implementation used in Ubuntu is OpenLDAP, currently at version 2.4.25 "
16270
#: serverguide/C/network-auth.xml:29(para)
16272
"So this protocol accesses LDAP directories. Here are some key concepts and "
16276
#: serverguide/C/network-auth.xml:36(para)
16278
"An LDAP directory is a tree of data <emphasis>entries</emphasis> that is "
16279
"hierarchical in nature and is called the Directory Information Tree (DIT)."
16282
#: serverguide/C/network-auth.xml:43(para)
16283
msgid "An entry consists of a set of <emphasis>attributes</emphasis>."
16286
#: serverguide/C/network-auth.xml:49(para)
16288
"An attribute has a <emphasis>type</emphasis> (a name/description) and one or "
16289
"more <emphasis>values</emphasis>."
16292
#: serverguide/C/network-auth.xml:55(para)
16294
"Every attribute must be defined in at least one "
16295
"<emphasis>objectClass</emphasis>."
16298
#: serverguide/C/network-auth.xml:61(para)
16300
"Attributes and objectclasses are defined in <emphasis>schemas</emphasis> (an "
16301
"objectclass is actually considered as a special kind of attribute)."
13008
16304
#: serverguide/C/network-auth.xml:68(para)
13010
"The configuration example in the following sections will match the domain "
13011
"name of the server. For example, if the machine's Fully Qualified Domain "
13012
"Name (FQDN) is ldap.example.com, the default suffix will be "
16306
"Each entry has a unique identifier: its <emphasis>Distinguished "
16307
"Name</emphasis> (DN or dn). This consists of its <emphasis>Relative "
16308
"Distinguished Name</emphasis> (RDN) followed by the parent entry's DN."
16311
#: serverguide/C/network-auth.xml:75(para)
16313
"The entry's DN is not an attribute. It is not considered part of the entry "
16317
#: serverguide/C/network-auth.xml:83(para)
16319
"The terms <emphasis>object</emphasis>, <emphasis>container</emphasis>, and "
16320
"<emphasis>node</emphasis> have certain connotations but they all essentially "
16321
"mean the same thing as <emphasis>entry</emphasis>, the technically correct "
16325
#: serverguide/C/network-auth.xml:89(para)
16327
"For example, below we have a single entry consisting of 11 attributes. Its "
16328
"DN is \"cn=John Doe,dc=example,dc=com\"; its RDN is \"cn=John Doe\"; and "
16329
"its parent DN is \"dc=example,dc=com\"."
16332
#: serverguide/C/network-auth.xml:94(programlisting)
16336
" dn: cn=John Doe,dc=example,dc=com\n"
16338
" givenName: John\n"
16340
" telephoneNumber: +1 888 555 6789\n"
16341
" telephoneNumber: +1 888 555 1232\n"
16342
" mail: john@example.com\n"
16343
" manager: cn=Larry Smith,dc=example,dc=com\n"
16344
" objectClass: inetOrgPerson\n"
16345
" objectClass: organizationalPerson\n"
16346
" objectClass: person\n"
16347
" objectClass: top\n"
16350
#: serverguide/C/network-auth.xml:109(para)
16352
"The above entry is in <emphasis>LDIF</emphasis> format (LDAP Data "
16353
"Interchange Format). Any information that you feed into your DIT must also "
16354
"be in such a format. It is defined in <ulink "
16355
"url=\"http://tools.ietf.org/html/rfc2849\">RFC2849</ulink>."
16358
#: serverguide/C/network-auth.xml:114(para)
16360
"Although this guide will describe how to use it for central authentication, "
16361
"LDAP is good for anything that involves a large number of access requests to "
16362
"a mostly-read, attribute-based (name:value) backend. Examples include an "
16363
"address book, a list of email addresses, and a mail server's configuration."
16366
#: serverguide/C/network-auth.xml:123(para)
16368
"Install the OpenLDAP server daemon and the traditional LDAP management "
16369
"utilities. These are found in packages <application>slapd</application> and "
16370
"<application>ldap-utils</application> respectively."
16373
#: serverguide/C/network-auth.xml:128(para)
16375
"The installation of slapd will create a working configuration. In "
16376
"particular, it will create a database instance that you can use to store "
16377
"your data. However, the suffix (or base DN) of this instance will be "
16378
"determined from the domain name of the localhost. If you want something "
16379
"different, edit <filename>/etc/hosts</filename> and replace the domain name "
16380
"with one that will give you the suffix you desire. For instance, if you want "
16381
"a suffix of <emphasis>dc=example,dc=com</emphasis> then your file would have "
16382
"a line similar to this:"
16385
#: serverguide/C/network-auth.xml:136(programlisting)
16389
"127.0.1.1 hostname.example.com\thostname\n"
16392
#: serverguide/C/network-auth.xml:140(para)
16393
msgid "You can revert the change after package installation."
16396
#: serverguide/C/network-auth.xml:145(para)
16398
"This guide will use a database suffix of "
13013
16399
"<emphasis>dc=example,dc=com</emphasis>."
13016
#: serverguide/C/network-auth.xml:76(title)
13017
msgid "Populating LDAP"
13020
#: serverguide/C/network-auth.xml:78(para)
13022
"<application>OpenLDAP</application> uses a separate directory which contains "
13023
"the <emphasis>cn=config</emphasis> Directory Information Tree (DIT). The "
13024
"<emphasis>cn=config</emphasis> DIT is used to dynamically configure the "
13025
"<application>slapd</application> daemon, allowing the modification of schema "
13026
"definitions, indexes, ACLs, etc without stopping the service."
13029
#: serverguide/C/network-auth.xml:86(para)
13031
"The backend <emphasis>cn=config</emphasis> directory has only a minimal "
13032
"configuration and will need additional configuration options in order to "
13033
"populate the frontend directory. The frontend will be populated with a "
13034
"\"classical\" scheme that will be compatible with address book applications "
13035
"and with Unix POSIX accounts. POSIX accounts will allow authentication to "
13036
"various applications, such as web applications, email Mail Transfer Agent "
13037
"(MTA) applications, etc."
13040
#: serverguide/C/network-auth.xml:95(para)
13042
"For external applications to authenticate using LDAP they will each need to "
13043
"be specifically configured to do so. Refer to the individual application "
13044
"documentation for details."
13047
#: serverguide/C/network-auth.xml:103(para)
13049
"Remember to change <emphasis>dc=example,dc=com</emphasis> in the following "
13050
"examples to match your LDAP configuration."
13053
#: serverguide/C/network-auth.xml:108(para)
13055
"First, some additional schema files need to be loaded. In a terminal enter:"
13058
#: serverguide/C/network-auth.xml:113(command) serverguide/C/network-auth.xml:702(command)
13059
msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif"
13062
#: serverguide/C/network-auth.xml:114(command) serverguide/C/network-auth.xml:703(command)
13063
msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif"
13066
#: serverguide/C/network-auth.xml:115(command) serverguide/C/network-auth.xml:704(command)
13068
"sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif"
13071
#: serverguide/C/network-auth.xml:118(para)
13073
"Next, copy the following example LDIF file, naming it "
13074
"<filename>backend.example.com.ldif</filename>, somewhere on your system:"
13077
#: serverguide/C/network-auth.xml:123(programlisting)
13081
"# Load dynamic backend modules\n"
13082
"dn: cn=module,cn=config\n"
13083
"objectClass: olcModuleList\n"
13085
"olcModulepath: /usr/lib/ldap\n"
13086
"olcModuleload: back_hdb\n"
13088
"# Database settings\n"
13089
"dn: olcDatabase=hdb,cn=config\n"
13090
"objectClass: olcDatabaseConfig\n"
13091
"objectClass: olcHdbConfig\n"
13092
"olcDatabase: {1}hdb\n"
13093
"olcSuffix: dc=example,dc=com\n"
13094
"olcDbDirectory: /var/lib/ldap\n"
13095
"olcRootDN: cn=admin,dc=example,dc=com\n"
13096
"olcRootPW: secret\n"
13097
"olcDbConfig: set_cachesize 0 2097152 0\n"
13098
"olcDbConfig: set_lk_max_objects 1500\n"
13099
"olcDbConfig: set_lk_max_locks 1500\n"
13100
"olcDbConfig: set_lk_max_lockers 1500\n"
13101
"olcDbIndex: objectClass eq\n"
13102
"olcLastMod: TRUE\n"
13103
"olcDbCheckpoint: 512 30\n"
13104
"olcAccess: to attrs=userPassword by dn=\"cn=admin,dc=example,dc=com\" write "
13105
"by anonymous auth by self write by * none\n"
13106
"olcAccess: to attrs=shadowLastChange by self write by * read\n"
13107
"olcAccess: to dn.base=\"\" by * read\n"
13108
"olcAccess: to * by dn=\"cn=admin,dc=example,dc=com\" write by * read\n"
13112
#: serverguide/C/network-auth.xml:155(para)
13114
"Change <emphasis>olcRootPW: secret</emphasis> to a password of your choosing."
13117
#: serverguide/C/network-auth.xml:160(para)
13118
msgid "Now add the LDIF to the directory:"
13121
#: serverguide/C/network-auth.xml:165(command) serverguide/C/network-auth.xml:746(command)
13122
msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.example.com.ldif"
13125
#: serverguide/C/network-auth.xml:168(para)
13127
"The frontend directory is now ready to be populated. Create a "
13128
"<filename>frontend.example.com.ldif</filename> with the following contents:"
13131
#: serverguide/C/network-auth.xml:173(programlisting)
13135
"# Create top-level object in domain\n"
16402
#: serverguide/C/network-auth.xml:150(para)
16403
msgid "Proceed with the install:"
16406
#: serverguide/C/network-auth.xml:155(command)
16407
msgid "sudo apt-get install slapd ldap-utils"
16410
#: serverguide/C/network-auth.xml:158(para)
16412
"Since Ubuntu 8.10 slapd is designed to be configured within slapd itself by "
16413
"dedicating a separate DIT for that purpose. This allows one to dynamically "
16414
"configure slapd without the need to restart the service. This configuration "
16415
"database consists of a collection of text-based LDIF files located under "
16416
"<filename>/etc/ldap/slapd.d</filename>. This way of working is known by "
16417
"several names: the slapd-config method, the RTC method (Real Time "
16418
"Configuration), or the cn=config method. You can still use the traditional "
16419
"flat-file method (slapd.conf) but it's not recommended; the functionality "
16420
"will be eventually phased out."
16423
#: serverguide/C/network-auth.xml:167(para)
16425
"Ubuntu now uses the <emphasis>slapd-config</emphasis> method for slapd "
16426
"configuration and this guide reflects that."
16429
#: serverguide/C/network-auth.xml:173(para)
16431
"During the install you were prompted to define administrative credentials. "
16432
"These are LDAP-based credentials for the <emphasis>rootDN</emphasis> of your "
16433
"database instance. By default, this user's DN is "
16434
"<emphasis>cn=admin,dc=example,dc=com</emphasis>. Also by default, there is "
16435
"no administrative account created for the slapd-config database and you will "
16436
"therefore need to authenticate externally to LDAP in order to access it. We "
16437
"will see how to do this later on."
16440
#: serverguide/C/network-auth.xml:180(para)
16442
"Some classical schemas (cosine, nis, inetorgperson) come built-in with slapd "
16443
"nowadays. There is also an included \"core\" schema, a prerequisite for any "
16447
#: serverguide/C/network-auth.xml:188(title)
16448
msgid "Post-install Inspection"
16451
#: serverguide/C/network-auth.xml:190(para)
16453
"The installation process set up 2 DITs. One for slapd-config and one for "
16454
"your own data (dc=example,dc=com). Let's take a look."
16457
#: serverguide/C/network-auth.xml:197(para)
16459
"This is what the slapd-config database/DIT looks like. Recall that this "
16460
"database is LDIF-based and lives under "
16461
"<filename>/etc/ldap/slapd.d</filename>:"
16464
#: serverguide/C/network-auth.xml:203(computeroutput)
16468
" /etc/ldap/slapd.d/\n"
16470
"\t├── cn=config\n"
16471
"\t│ ├── cn=module{0}.ldif\n"
16472
"\t│ ├── cn=schema\n"
16473
"\t│ │ ├── cn={0}core.ldif\n"
16474
"\t│ │ ├── cn={1}cosine.ldif\n"
16475
"\t│ │ ├── cn={2}nis.ldif\n"
16476
"\t│ │ └── cn={3}inetorgperson.ldif\n"
16477
"\t│ ├── cn=schema.ldif\n"
16478
"\t│ ├── olcBackend={0}hdb.ldif\n"
16479
"\t│ ├── olcDatabase={0}config.ldif\n"
16480
"\t│ ├── olcDatabase={-1}frontend.ldif\n"
16481
"\t│ └── olcDatabase={1}hdb.ldif\n"
16482
"\t└── cn=config.ldif\n"
16485
#: serverguide/C/network-auth.xml:223(para)
16487
"Do not edit the slapd-config database directly. Make changes via the LDAP "
16488
"protocol (utilities)."
16491
#: serverguide/C/network-auth.xml:231(para)
16492
msgid "This is what the slapd-config DIT looks like via the LDAP protocol:"
16495
#: serverguide/C/network-auth.xml:236(command)
16496
msgid "sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn"
16499
#: serverguide/C/network-auth.xml:237(computeroutput)
16505
"dn: cn=module{0},cn=config\n"
16507
"dn: cn=schema,cn=config\n"
16509
"dn: cn={0}core,cn=schema,cn=config\n"
16511
"dn: cn={1}cosine,cn=schema,cn=config\n"
16513
"dn: cn={2}nis,cn=schema,cn=config\n"
16515
"dn: cn={3}inetorgperson,cn=schema,cn=config\n"
16517
"dn: olcBackend={0}hdb,cn=config\n"
16519
"dn: olcDatabase={-1}frontend,cn=config\n"
16521
"dn: olcDatabase={0}config,cn=config\n"
16523
"dn: olcDatabase={1}hdb,cn=config\n"
16526
#: serverguide/C/network-auth.xml:262(para) serverguide/C/network-auth.xml:353(para)
16527
msgid "Explanation of entries:"
16530
#: serverguide/C/network-auth.xml:269(para)
16531
msgid "<emphasis>cn=config</emphasis>: global settings"
16534
#: serverguide/C/network-auth.xml:275(para)
16536
"<emphasis>cn=module{0},cn=config</emphasis>: a dynamically loaded module"
16539
#: serverguide/C/network-auth.xml:281(para)
16541
"<emphasis>cn=schema,cn=config</emphasis>: contains hard-coded system-level "
16545
#: serverguide/C/network-auth.xml:287(para)
16547
"<emphasis>cn={0}core,cn=schema,cn=config</emphasis>: the hard-coded core "
16551
#: serverguide/C/network-auth.xml:293(para)
16553
"<emphasis>cn={1}cosine,cn=schema,cn=config</emphasis>: the cosine schema"
16556
#: serverguide/C/network-auth.xml:299(para)
16557
msgid "<emphasis>cn={2}nis,cn=schema,cn=config</emphasis>: the nis schema"
16560
#: serverguide/C/network-auth.xml:305(para)
16562
"<emphasis>cn={3}inetorgperson,cn=schema,cn=config</emphasis>: the "
16563
"inetorgperson schema"
16566
#: serverguide/C/network-auth.xml:311(para)
16568
"<emphasis>olcBackend={0}hdb,cn=config</emphasis>: the 'hdb' backend storage "
16572
#: serverguide/C/network-auth.xml:317(para)
16574
"<emphasis>olcDatabase={-1}frontend,cn=config</emphasis>: frontend database, "
16575
"default settings for other databases"
16578
#: serverguide/C/network-auth.xml:323(para)
16580
"<emphasis>olcDatabase={0}config,cn=config</emphasis>: slapd configuration "
16581
"database (cn=config)"
16584
#: serverguide/C/network-auth.xml:329(para)
16586
"<emphasis>olcDatabase={1}hdb,cn=config</emphasis>: your database instance "
16587
"(dc=example,dc=com)"
16590
#: serverguide/C/network-auth.xml:340(para)
16591
msgid "This is what the dc=example,dc=com DIT looks like:"
16594
#: serverguide/C/network-auth.xml:345(command)
16595
msgid "ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dn"
16598
#: serverguide/C/network-auth.xml:346(computeroutput)
13136
16602
"dn: dc=example,dc=com\n"
13137
"objectClass: top\n"
13138
"objectClass: dcObject\n"
13139
"objectclass: organization\n"
13140
"o: Example Organization\n"
13142
"description: LDAP Example \n"
13145
16604
"dn: cn=admin,dc=example,dc=com\n"
13146
"objectClass: simpleSecurityObject\n"
13147
"objectClass: organizationalRole\n"
13149
"description: LDAP administrator\n"
13150
"userPassword: secret\n"
13152
"dn: ou=people,dc=example,dc=com\n"
13153
"objectClass: organizationalUnit\n"
13156
"dn: ou=groups,dc=example,dc=com\n"
13157
"objectClass: organizationalUnit\n"
13160
"dn: uid=john,ou=people,dc=example,dc=com\n"
16607
#: serverguide/C/network-auth.xml:360(para)
16608
msgid "<emphasis>dc=example,dc=com</emphasis>: base of the DIT"
16611
#: serverguide/C/network-auth.xml:366(para)
16613
"<emphasis>cn=admin,dc=example,dc=com</emphasis>: administrator (rootDN) for "
16614
"this DIT (set up during package install)"
16617
#: serverguide/C/network-auth.xml:380(title)
16618
msgid "Modifying/Populating your Database"
16621
#: serverguide/C/network-auth.xml:382(para)
16623
"Let's introduce some content to our database. We will add the following:"
16626
#: serverguide/C/network-auth.xml:389(para)
16627
msgid "a node called <emphasis>People</emphasis> (to store users)"
16630
#: serverguide/C/network-auth.xml:395(para)
16631
msgid "a node called <emphasis>Groups</emphasis> (to store groups)"
16634
#: serverguide/C/network-auth.xml:401(para)
16635
msgid "a group called <emphasis>miners</emphasis>"
16638
#: serverguide/C/network-auth.xml:407(para)
16639
msgid "a user called <emphasis>john</emphasis>"
16642
#: serverguide/C/network-auth.xml:414(para)
16644
"Create the following LDIF file and call it "
16645
"<filename>add_content.ldif</filename>:"
16648
#: serverguide/C/network-auth.xml:418(programlisting)
16652
"dn: ou=People,dc=example,dc=com\n"
16653
"objectClass: organizationalUnit\n"
16656
"dn: ou=Groups,dc=example,dc=com\n"
16657
"objectClass: organizationalUnit\n"
16660
"dn: cn=miners,ou=Groups,dc=example,dc=com\n"
16661
"objectClass: posixGroup\n"
16663
"gidNumber: 5000\n"
16665
"dn: uid=john,ou=People,dc=example,dc=com\n"
13161
16666
"objectClass: inetOrgPerson\n"
13162
16667
"objectClass: posixAccount\n"
13163
16668
"objectClass: shadowAccount\n"
13166
16671
"givenName: John\n"
13167
16672
"cn: John Doe\n"
13168
16673
"displayName: John Doe\n"
13169
"uidNumber: 1000\n"
13170
"gidNumber: 10000\n"
13171
"userPassword: password\n"
16674
"uidNumber: 10000\n"
16675
"gidNumber: 5000\n"
16676
"userPassword: johnldap\n"
13172
16677
"gecos: John Doe\n"
13173
16678
"loginShell: /bin/bash\n"
13174
16679
"homeDirectory: /home/john\n"
13175
"shadowExpire: -1\n"
13177
"shadowWarning: 7\n"
13179
"shadowMax: 999999\n"
13180
"shadowLastChange: 10877\n"
13181
"mail: john.doe@example.com\n"
13182
"postalCode: 31000\n"
13185
"mobile: +33 (0)6 xx xx xx xx\n"
13186
"homePhone: +33 (0)5 xx xx xx xx\n"
13187
"title: System Administrator\n"
13188
"postalAddress: \n"
13191
"dn: cn=example,ou=groups,dc=example,dc=com\n"
13192
"objectClass: posixGroup\n"
13194
"gidNumber: 10000\n"
13197
#: serverguide/C/network-auth.xml:236(para)
13199
"In this example the directory structure, a user, and a group have been "
13200
"setup. In other examples you might see the <emphasis>objectClass: "
13201
"top</emphasis> added in every entry, but that is the default behaviour so "
13202
"you do not have to add it explicitly."
13205
#: serverguide/C/network-auth.xml:243(para)
13206
msgid "Add the entries to the LDAP directory:"
13209
#: serverguide/C/network-auth.xml:249(command) serverguide/C/network-auth.xml:757(command)
13211
"sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.example.com.ldif"
13214
#: serverguide/C/network-auth.xml:252(para)
13216
"We can check that the content has been correctly added with the "
13217
"<application>ldapsearch</application> utility. Execute a search of the LDAP "
13221
#: serverguide/C/network-auth.xml:258(command)
13222
msgid "ldapsearch -xLLL -b \"dc=example,dc=com\" uid=john sn givenName cn"
13225
#: serverguide/C/network-auth.xml:259(computeroutput)
13229
"dn: uid=john,ou=people,dc=example,dc=com\n"
13232
"givenName: John\n"
13235
#: serverguide/C/network-auth.xml:267(para)
13236
msgid "Just a quick explanation:"
13239
#: serverguide/C/network-auth.xml:273(para)
13241
"<emphasis>-x:</emphasis> will not use SASL authentication method, which is "
13245
#: serverguide/C/network-auth.xml:279(para)
13246
msgid "<emphasis>-LLL:</emphasis> disable printing LDIF schema information."
13249
#: serverguide/C/network-auth.xml:287(title)
13250
msgid "Further Configuration"
13253
#: serverguide/C/network-auth.xml:290(para)
13255
"The <emphasis>cn=config</emphasis> tree can be manipulated using the "
13256
"utilities in the <application>ldap-utils</application> package. For example:"
13259
#: serverguide/C/network-auth.xml:298(para)
13261
"Use <application>ldapsearch</application> to view the tree, entering the "
13262
"admin password set during installation or reconfiguration:"
13265
#: serverguide/C/network-auth.xml:304(command)
13266
msgid "sudo ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn"
13269
#: serverguide/C/network-auth.xml:308(computeroutput)
13273
"SASL/EXTERNAL authentication started\n"
13274
"SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\n"
13278
"dn: cn=module{0},cn=config\n"
13280
"dn: cn=schema,cn=config\n"
13282
"dn: cn={0}core,cn=schema,cn=config\n"
13284
"dn: cn={1}cosine,cn=schema,cn=config\n"
13286
"dn: cn={2}nis,cn=schema,cn=config\n"
13288
"dn: cn={3}inetorgperson,cn=schema,cn=config\n"
13290
"dn: olcDatabase={-1}frontend,cn=config\n"
13292
"dn: olcDatabase={0}config,cn=config\n"
13294
"dn: olcDatabase={1}hdb,cn=config\n"
13297
#: serverguide/C/network-auth.xml:334(para)
13299
"The output above is the current configuration options for the "
13300
"<emphasis>cn=config</emphasis> backend database. Your output may vary."
13303
#: serverguide/C/network-auth.xml:342(para)
13305
"As an example of modifying the <emphasis>cn=config</emphasis> tree, add "
13306
"another attribute to the index list using "
13307
"<application>ldapmodify</application>:"
13310
#: serverguide/C/network-auth.xml:348(command) serverguide/C/network-auth.xml:993(command) serverguide/C/network-auth.xml:1164(command) serverguide/C/network-auth.xml:1200(command)
13311
msgid "sudo ldapmodify -Y EXTERNAL -H ldapi:///"
13314
#: serverguide/C/network-auth.xml:356(userinput)
13317
"dn: olcDatabase={1}hdb,cn=config\n"
13318
"add: olcDbIndex\n"
13319
"olcDbIndex: uidNumber eq"
13322
#: serverguide/C/network-auth.xml:352(computeroutput)
13326
"SASL/EXTERNAL authentication started\n"
13327
"SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\n"
13329
"<placeholder-1/>\n"
13331
"modifying entry \"olcDatabase={1}hdb,cn=config\"\n"
13334
#: serverguide/C/network-auth.xml:364(para)
13336
"Once the modification has completed, press <emphasis>Ctrl+D</emphasis> to "
13337
"exit the utility."
13340
#: serverguide/C/network-auth.xml:371(para)
13342
"<application>ldapmodify</application> can also read the changes from a file. "
13343
"Copy and paste the following into a file named "
13344
"<filename>uid_index.ldif</filename>:"
13347
#: serverguide/C/network-auth.xml:376(programlisting)
13351
"dn: olcDatabase={1}hdb,cn=config\n"
13352
"add: olcDbIndex\n"
13353
"olcDbIndex: uid eq,pres,sub\n"
13356
#: serverguide/C/network-auth.xml:382(para)
13357
msgid "Then execute <application>ldapmodify</application>:"
13360
#: serverguide/C/network-auth.xml:387(command)
13361
msgid "sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f uid_index.ldif"
13364
#: serverguide/C/network-auth.xml:391(computeroutput)
13368
"SASL/EXTERNAL authentication started\n"
13369
"SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\n"
13371
"modifying entry \"olcDatabase={1}hdb,cn=config\"\n"
13374
#: serverguide/C/network-auth.xml:399(para)
13375
msgid "The file method is very useful for large changes."
#: serverguide/C/network-auth.xml:406(para)
"Adding additional <emphasis>schemas</emphasis> to "
"<application>slapd</application> requires the schema to be converted to LDIF "
"format. The <filename role=\"directory\">/etc/ldap/schema</filename> "
"directory contains some schema files already converted to LDIF format as "
"demonstrated in the previous section. Fortunately, the "
"<application>slapd</application> program can be used to automate the "
"conversion. The following example will add the "
"<emphasis>dyngroup.schema</emphasis>:"

#: serverguide/C/network-auth.xml:416(para)
"First, create a conversion <filename>schema_convert.conf</filename> file "
"containing the following lines:"

#: serverguide/C/network-auth.xml:421(programlisting)
"include /etc/ldap/schema/core.schema\n"
"include /etc/ldap/schema/collective.schema\n"
"include /etc/ldap/schema/corba.schema\n"
"include /etc/ldap/schema/cosine.schema\n"
"include /etc/ldap/schema/duaconf.schema\n"
"include /etc/ldap/schema/dyngroup.schema\n"
"include /etc/ldap/schema/inetorgperson.schema\n"
"include /etc/ldap/schema/java.schema\n"
"include /etc/ldap/schema/misc.schema\n"
"include /etc/ldap/schema/nis.schema\n"
"include /etc/ldap/schema/openldap.schema\n"
"include /etc/ldap/schema/ppolicy.schema\n"

#: serverguide/C/network-auth.xml:439(para) serverguide/C/network-auth.xml:1664(para)
msgid "Next, create a temporary directory to hold the output:"

#: serverguide/C/network-auth.xml:444(command) serverguide/C/network-auth.xml:1669(command) serverguide/C/network-auth.xml:2705(command)
msgid "mkdir /tmp/ldif_output"
#: serverguide/C/network-auth.xml:450(para)
"Now using <application>slapcat</application> convert the schema files to "

#: serverguide/C/network-auth.xml:455(command)
"slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "
"\"cn={5}dyngroup,cn=schema,cn=config\" > /tmp/cn=dyngroup.ldif"

"It's important that uid and gid values in your directory do not collide with "
"local values. Use high number ranges, such as starting at 5000. By setting "
"the uid and gid values in ldap high, you also allow for easier control of "
"what can be done with a local user vs. an LDAP one. More on that later."
#: serverguide/C/network-auth.xml:458(para)
"Adjust the configuration file name and temporary directory names if yours "
"are different. Also, it may be worthwhile to keep the "
"<filename>ldif_output</filename> directory around in case you want to add "
"additional schemas in the future."

#: serverguide/C/network-auth.xml:467(para)
"Edit the <filename>/tmp/cn\\=dyngroup.ldif</filename> file, changing the "
"following attributes:"

#: serverguide/C/network-auth.xml:471(programlisting)
"dn: cn=dyngroup,cn=schema,cn=config\n"
msgid "Add the content:"

#: serverguide/C/network-auth.xml:463(command)
msgid "ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_content.ldif"

#: serverguide/C/network-auth.xml:465(application)

#: serverguide/C/network-auth.xml:464(computeroutput)
"Enter LDAP Password: <placeholder-1/>\n"
"adding new entry \"ou=People,dc=example,dc=com\"\n"
"adding new entry \"ou=Groups,dc=example,dc=com\"\n"
"adding new entry \"cn=miners,ou=Groups,dc=example,dc=com\"\n"
"adding new entry \"uid=john,ou=People,dc=example,dc=com\"\n"

#: serverguide/C/network-auth.xml:476(para)
"We can check that the information has been correctly added with the "
"<application>ldapsearch</application> utility:"

#: serverguide/C/network-auth.xml:481(command)
msgid "ldapsearch -x -LLL -b dc=example,dc=com 'uid=john' cn gidNumber"

#: serverguide/C/network-auth.xml:482(computeroutput)
"dn: uid=john,ou=People,dc=example,dc=com\n"
"gidNumber: 5000\n"

#: serverguide/C/network-auth.xml:489(para)
msgid "Explanation of switches:"

#: serverguide/C/network-auth.xml:496(para)
"<emphasis>-x:</emphasis> \"simple\" binding; will not use the default SASL "

#: serverguide/C/network-auth.xml:502(para)
msgid "<emphasis>-LLL:</emphasis> disable printing extraneous information"

#: serverguide/C/network-auth.xml:508(para)
msgid "<emphasis>uid=john:</emphasis> a \"filter\" to find the john user"

#: serverguide/C/network-auth.xml:514(para)
"<emphasis>cn gidNumber:</emphasis> requests certain attributes to be "
"displayed (the default is to show all attributes)"
#: serverguide/C/network-auth.xml:524(title)
msgid "Modifying the slapd Configuration Database"

#: serverguide/C/network-auth.xml:526(para)
"The slapd-config DIT can also be queried and modified. Here are a few "

#: serverguide/C/network-auth.xml:533(para)
"Use <application>ldapmodify</application> to add an \"Index\" (DbIndex "
"attribute) to your <application>{1}hdb,cn=config</application> database "
"(dc=example,dc=com). Create a file, call it "
"<filename>uid_index.ldif</filename>, with the following contents:"

#: serverguide/C/network-auth.xml:538(programlisting)
"dn: olcDatabase={1}hdb,cn=config\n"
"add: olcDbIndex\n"
"olcDbIndex: uid eq,pres,sub\n"

#: serverguide/C/network-auth.xml:544(para)
msgid "Then issue the command:"

#: serverguide/C/network-auth.xml:549(command)
msgid "sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f uid_index.ldif"

#: serverguide/C/network-auth.xml:550(computeroutput)
"modifying entry \"olcDatabase={1}hdb,cn=config\"\n"

#: serverguide/C/network-auth.xml:555(para)
msgid "You can confirm the change in this way:"

#: serverguide/C/network-auth.xml:560(command)
"sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \\ cn=config "
"'(olcDatabase={1}hdb)' olcDbIndex"

#: serverguide/C/network-auth.xml:562(computeroutput)
"dn: olcDatabase={1}hdb,cn=config\n"
"olcDbIndex: objectClass eq\n"
"olcDbIndex: uid eq,pres,sub\n"
#: serverguide/C/network-auth.xml:572(para)
"Let's add a schema. It will first need to be converted to LDIF format. You "
"can find unconverted schemas in addition to converted ones in the <filename "
"role=\"directory\">/etc/ldap/schema</filename> directory."

#: serverguide/C/network-auth.xml:580(para)
"It is not trivial to remove a schema from the slapd-config database. "
"Practice adding schemas on a test system."

#: serverguide/C/network-auth.xml:586(para)
"Before adding any schema, you should check which schemas are already "
"installed (shown is a default, out-of-the-box output):"

#: serverguide/C/network-auth.xml:592(command)
"sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \\ cn=schema,cn=config dn"

#: serverguide/C/network-auth.xml:594(computeroutput)
"dn: cn=schema,cn=config\n"
"dn: cn={0}core,cn=schema,cn=config\n"
"dn: cn={1}cosine,cn=schema,cn=config\n"
"dn: cn={2}nis,cn=schema,cn=config\n"
"dn: cn={3}inetorgperson,cn=schema,cn=config\n"

#: serverguide/C/network-auth.xml:611(para)
msgid "In the following example we'll add the CORBA schema."

#: serverguide/C/network-auth.xml:618(para)
"Create the conversion configuration file "
"<filename>schema_convert.conf</filename> containing the following lines:"

#: serverguide/C/network-auth.xml:623(programlisting)
"include /etc/ldap/schema/core.schema\n"
"include /etc/ldap/schema/collective.schema\n"
"include /etc/ldap/schema/corba.schema\n"
"include /etc/ldap/schema/cosine.schema\n"
"include /etc/ldap/schema/duaconf.schema\n"
"include /etc/ldap/schema/dyngroup.schema\n"
"include /etc/ldap/schema/inetorgperson.schema\n"
"include /etc/ldap/schema/java.schema\n"
"include /etc/ldap/schema/misc.schema\n"
"include /etc/ldap/schema/nis.schema\n"
"include /etc/ldap/schema/openldap.schema\n"
"include /etc/ldap/schema/ppolicy.schema\n"
"include /etc/ldap/schema/ldapns.schema\n"
"include /etc/ldap/schema/pmi.schema\n"

#: serverguide/C/network-auth.xml:643(para)
msgid "Create the output directory <filename>ldif_output</filename>."

#: serverguide/C/network-auth.xml:649(para) serverguide/C/network-auth.xml:2299(para)
msgid "Determine the index of the schema:"

#: serverguide/C/network-auth.xml:654(command)
"slapcat -f schema_convert.conf -F ldif_output -n 0 | grep corba,cn=schema"

#: serverguide/C/network-auth.xml:655(computeroutput)
"cn={1}corba,cn=schema,cn=config\n"

#: serverguide/C/network-auth.xml:661(para)
"When slapd ingests objects with the same parent DN it will create an "
"<emphasis>index</emphasis> for that object. An index is contained within "
"braces: <application>{X}</application>."

#: serverguide/C/network-auth.xml:670(para)
msgid "Use <application>slapcat</application> to perform the conversion:"

#: serverguide/C/network-auth.xml:675(command)
"slapcat -f schema_convert.conf -F ldif_output -n0 -H \\ "
"ldap:///cn={1}corba,cn=schema,cn=config -l cn=corba.ldif"

#: serverguide/C/network-auth.xml:679(para)
msgid "The converted schema is now in <filename>cn=corba.ldif</filename>"

#: serverguide/C/network-auth.xml:685(para)
"Edit <filename>cn=corba.ldif</filename> to arrive at the following "

#: serverguide/C/network-auth.xml:689(programlisting)
"dn: cn=corba,cn=schema,cn=config\n"
#: serverguide/C/network-auth.xml:477(para) serverguide/C/network-auth.xml:1700(para)
msgid "And remove the following lines from the bottom of the file:"

#: serverguide/C/network-auth.xml:481(programlisting)
"structuralObjectClass: olcSchemaConfig\n"
"entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757\n"
"creatorsName: cn=config\n"
"createTimestamp: 20080826021140Z\n"
"entryCSN: 20080826021140.791425Z#000000#000#000000\n"
"modifiersName: cn=config\n"
"modifyTimestamp: 20080826021140Z\n"

#: serverguide/C/network-auth.xml:492(para) serverguide/C/network-auth.xml:1715(para) serverguide/C/network-auth.xml:2751(para)
"The attribute values will vary; just be sure the attributes are removed."

#: serverguide/C/network-auth.xml:500(para) serverguide/C/network-auth.xml:1723(para)
"Finally, using the <application>ldapadd</application> utility, add the new "
"schema to the directory:"

#: serverguide/C/network-auth.xml:506(command)
msgid "sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/cn\\=dyngroup.ldif"

#: serverguide/C/network-auth.xml:512(para)
"There should now be a <emphasis>dn: "
"cn={4}dyngroup,cn=schema,cn=config</emphasis> entry in the cn=config tree."

#: serverguide/C/network-auth.xml:522(title)
msgid "LDAP Replication"

#: serverguide/C/network-auth.xml:524(para)
"LDAP often quickly becomes a highly critical service to the network. "
"Multiple systems will come to depend on LDAP for authentication, "
"authorization, configuration, etc. It is a good idea to set up a redundant "
"system through replication."

#: serverguide/C/network-auth.xml:530(para)
"Replication is achieved using the <emphasis>Syncrepl</emphasis> engine. "
"Syncrepl allows the changes to be synced using a "
"<emphasis>consumer</emphasis>, <emphasis>provider</emphasis> model. A "
"provider sends directory changes to consumers."

#: serverguide/C/network-auth.xml:537(title)

#: serverguide/C/network-auth.xml:695(para)
msgid "Also remove the following lines from the bottom:"

#: serverguide/C/network-auth.xml:699(programlisting)
"structuralObjectClass: olcSchemaConfig\n"
"entryUUID: 52109a02-66ab-1030-8be2-bbf166230478\n"
"creatorsName: cn=config\n"
"createTimestamp: 20110829165435Z\n"
"entryCSN: 20110829165435.935248Z#000000#000#000000\n"
"modifiersName: cn=config\n"
"modifyTimestamp: 20110829165435Z\n"

#: serverguide/C/network-auth.xml:709(para) serverguide/C/network-auth.xml:2349(para)
msgid "Your attribute values will vary."
#: serverguide/C/network-auth.xml:715(para)
"Finally, use <application>ldapadd</application> to add the new schema to the "
"slapd-config DIT:"

#: serverguide/C/network-auth.xml:720(command)
msgid "sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f cn\\=corba.ldif"

#: serverguide/C/network-auth.xml:721(computeroutput)
"adding new entry \"cn=corba,cn=schema,cn=config\"\n"

#: serverguide/C/network-auth.xml:729(para)
msgid "Confirm currently loaded schemas:"

#: serverguide/C/network-auth.xml:734(command)
"sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn"

#: serverguide/C/network-auth.xml:735(computeroutput)
"dn: cn=schema,cn=config\n"
"dn: cn={0}core,cn=schema,cn=config\n"
"dn: cn={1}cosine,cn=schema,cn=config\n"
"dn: cn={2}nis,cn=schema,cn=config\n"
"dn: cn={3}inetorgperson,cn=schema,cn=config\n"
"dn: cn={4}corba,cn=schema,cn=config\n"
#: serverguide/C/network-auth.xml:759(para)
17011
"For external applications and clients to authenticate using LDAP they will "
17012
"each need to be specifically configured to do so. Refer to the appropriate "
17013
"client-side documentation for details."
17016
#: serverguide/C/network-auth.xml:768(title) serverguide/C/dns.xml:510(title)
17020
#: serverguide/C/network-auth.xml:770(para)
17022
"Activity logging for slapd is indispensible when implementing an OpenLDAP-"
17023
"based solution yet it must be manually enabled after software installation. "
17024
"Otherwise, only rudimentary messages will appear in the logs. Logging, like "
17025
"any other slapd configuration, is enabled via the slapd-config database."
17028
#: serverguide/C/network-auth.xml:776(para)
17030
"OpenLDAP comes with multiple logging subsystems (levels) with each one "
17031
"containing the lower one (additive). A good level to try is "
17032
"<emphasis>stats</emphasis>. The <ulink "
17033
"url=\"http://manpages.ubuntu.com/manpages/en/man5/slapd-"
17034
"config.5.html\">slapd-config</ulink> man page has more to say on the "
17035
"different subsystems."
17038
#: serverguide/C/network-auth.xml:782(para)
"Create the file <filename>logging.ldif</filename> with the following "

#: serverguide/C/network-auth.xml:786(programlisting)
"changetype: modify\n"
"add: olcLogLevel\n"
"olcLogLevel: stats\n"

#: serverguide/C/network-auth.xml:793(para)
msgid "Implement the change:"

#: serverguide/C/network-auth.xml:798(command)
msgid "sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f logging.ldif"

#: serverguide/C/network-auth.xml:801(para)
"This will produce a significant amount of logging and you will want to "
"throttle back to a less verbose level once your system is in production. "
"While in this verbose mode your host's syslog engine (rsyslog) may have a "
"hard time keeping up and may drop messages:"

#: serverguide/C/network-auth.xml:807(programlisting)
"rsyslogd-2177: imuxsock lost 228 messages from pid 2547 due to rate-"

#: serverguide/C/network-auth.xml:811(para)
"You may consider a change to rsyslog's configuration. In "
"<filename>/etc/rsyslog.conf</filename>, put:"

#: serverguide/C/network-auth.xml:815(programlisting)
"# Disable rate limiting\n"
"# (default is 200 messages in 5 seconds; below we make the 5 become 0)\n"
"$SystemLogRateLimitInterval 0\n"

#: serverguide/C/network-auth.xml:821(para)
msgid "And then restart the rsyslog daemon:"

#: serverguide/C/network-auth.xml:826(command)
msgid "sudo service rsyslog restart"

#: serverguide/C/network-auth.xml:832(title)
msgid "Replication"
#: serverguide/C/network-auth.xml:834(para)
"The LDAP service becomes increasingly important as more networked systems "
"begin to depend on it. In such an environment, it is standard practice to "
"build redundancy (high availability) into LDAP to prevent havoc should the "
"LDAP server become unresponsive. This is done through <emphasis>LDAP "
"replication</emphasis>."

#: serverguide/C/network-auth.xml:840(para)
"Replication is achieved via the <emphasis>Syncrepl</emphasis> engine. This "
"allows changes to be synchronized using a <emphasis>Consumer</emphasis> - "
"<emphasis>Provider</emphasis> model. The specific kind of replication we "
"will implement in this guide is a combination of the following modes: "
"<emphasis>refreshAndPersist</emphasis> and <emphasis>delta-"
"syncrepl</emphasis>. This has the Provider push changed entries to the "
"Consumer as soon as they're made but, in addition, only actual changes will "
"be sent, not entire entries."

#: serverguide/C/network-auth.xml:849(title)
msgid "Provider Configuration"

#: serverguide/C/network-auth.xml:539(para)
"The following is an example of a <emphasis>Single-Master</emphasis> "
"configuration. In this configuration one OpenLDAP server is configured as a "
"<emphasis>provider</emphasis> and another as a <emphasis>consumer</emphasis>."

#: serverguide/C/network-auth.xml:851(para)
msgid "Begin by configuring the <emphasis>Provider</emphasis>."
#: serverguide/C/network-auth.xml:547(para)
"First, configure the provider server. Copy the following to a file named "
"<filename>provider_sync.ldif</filename>:"

#: serverguide/C/network-auth.xml:858(para)
"Create an LDIF file with the following contents and name it "
"<filename>provider_sync.ldif</filename>:"

#: serverguide/C/network-auth.xml:552(programlisting)

#: serverguide/C/network-auth.xml:862(programlisting)
"olcUpdateRef: ldap://ldap01.example.com\n"
#: serverguide/C/network-auth.xml:795(para)
msgid "You will probably want to change the following attributes:"

#: serverguide/C/network-auth.xml:800(para)
msgid "<emphasis>ldap01.example.com</emphasis> to your server's hostname."

#: serverguide/C/network-auth.xml:801(emphasis)

#: serverguide/C/network-auth.xml:802(emphasis)
msgid "credentials"

#: serverguide/C/network-auth.xml:803(emphasis)

#: serverguide/C/network-auth.xml:804(emphasis)
msgid "olcUpdateRef:"

#: serverguide/C/network-auth.xml:810(para)
msgid "Add the LDIF file to the configuration tree:"

#: serverguide/C/network-auth.xml:815(command)
msgid "sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif"

#: serverguide/C/network-auth.xml:821(para)
"The frontend database should now sync between servers. You can add "
"additional servers using the steps above as the need arises."

#: serverguide/C/network-auth.xml:831(programlisting)
msgid "127.0.0.1\tldap01.example.com ldap01"

#: serverguide/C/network-auth.xml:827(para)
"The <application>slapd</application> daemon will send log information to "
"<filename>/var/log/syslog</filename> by default. So if all does "
"<emphasis>not</emphasis> go well check there for errors and other "
"troubleshooting information. Also, be sure that each server knows its Fully "
"Qualified Domain Name (FQDN). This is configured in "
"<filename>/etc/hosts</filename> with a line similar to: <placeholder-1/>."

#: serverguide/C/network-auth.xml:839(title)
msgid "Setting up ACL"

#: serverguide/C/network-auth.xml:841(para)
"Authentication requires access to the password field, which should not be "
"accessible by default. Also, in order for users to change their own "
"password, using <command>passwd</command> or other utilities, "
"<emphasis>shadowLastChange</emphasis> needs to be accessible once a user has "

#: serverguide/C/network-auth.xml:848(para)
"To view the Access Control List (ACL) for the <emphasis>cn=config</emphasis> "
"tree, use the <application>ldapsearch</application> utility:"

#: serverguide/C/network-auth.xml:854(command)
"sudo ldapsearch -c -Y EXTERNAL -H ldapi:/// -LLL -b cn=config "
"olcDatabase=config olcAccess"

#: serverguide/C/network-auth.xml:858(computeroutput)
"SASL/EXTERNAL authentication started\n"
"SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\n"
#: serverguide/C/network-auth.xml:1013(para)
msgid "Ensure the following attributes have the correct values:"

#: serverguide/C/network-auth.xml:1018(para)
"<emphasis>provider</emphasis> (Provider server's hostname -- "
"ldap01.example.com in this example -- or IP address)"

#: serverguide/C/network-auth.xml:1019(para)
msgid "<emphasis>binddn</emphasis> (the admin DN you're using)"

#: serverguide/C/network-auth.xml:1020(para)
msgid "<emphasis>credentials</emphasis> (the admin DN password you're using)"

#: serverguide/C/network-auth.xml:1021(para)
msgid "<emphasis>searchbase</emphasis> (the database suffix you're using)"

#: serverguide/C/network-auth.xml:1022(para)
"<emphasis>olcUpdateRef</emphasis> (Provider server's hostname or IP address)"

#: serverguide/C/network-auth.xml:1023(para)
"<emphasis>rid</emphasis> (Replica ID, a unique 3-digit number that identifies "
"the replica. Each consumer should have at least one rid)"

#: serverguide/C/network-auth.xml:1032(para)
msgid "Add the new content:"

#: serverguide/C/network-auth.xml:1037(command)
msgid "sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f consumer_sync.ldif"

#: serverguide/C/network-auth.xml:1044(para)
"You're done. The two databases (suffix: dc=example,dc=com) should now be "

#: serverguide/C/network-auth.xml:1053(para)
msgid "Once replication starts, you can monitor it by running"

#: serverguide/C/network-auth.xml:1058(command)
msgid "ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -s base contextCSN"

#: serverguide/C/network-auth.xml:1059(computeroutput)
"dn: dc=example,dc=com\n"
"contextCSN: 20120201193408.178454Z#000000#000#000000\n"

#: serverguide/C/network-auth.xml:1065(para)
"on both the provider and the consumer. Once the output "
"(<computeroutput>20120201193408.178454Z#000000#000#000000</computeroutput> "
"in the above example) for both machines matches, you have replication. Every "
"time a change is done in the provider, this value will change and so should "
"the one in the consumer(s)."

#: serverguide/C/network-auth.xml:1074(para)
"If your connection is slow and/or your ldap database large, it might take a "
"while for the consumer's <emphasis>contextCSN</emphasis> to match the "
"provider's. But, you will know it is progressing since the consumer's "
"<emphasis>contextCSN</emphasis> will be steadily increasing."

#: serverguide/C/network-auth.xml:1082(para)
"If the consumer's <emphasis>contextCSN</emphasis> is missing or does not "
"match the provider's, you should stop and figure out the issue before "
"continuing. Try checking the slapd (syslog) and the auth log files in the "
"provider to see if the consumer's authentication requests were successful "
"and whether its requests to retrieve data (they look like a lot of ldapsearch "
"statements) return no errors."

#: serverguide/C/network-auth.xml:1091(para)
"To test if it worked simply query, on the Consumer, the DNs in the database:"

#: serverguide/C/network-auth.xml:1096(command)
"sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b dc=example,dc=com dn"

#: serverguide/C/network-auth.xml:1099(para)
"You should see the user 'john' and the group 'miners' as well as the nodes "
"'People' and 'Groups'."
#: serverguide/C/network-auth.xml:1108(title)
msgid "Access Control"

#: serverguide/C/network-auth.xml:1110(para)
"The management of what type of access (read, write, etc.) users should be "
"granted to resources is known as <emphasis>access control</emphasis>. The "
"configuration directives involved are called <emphasis>access control "
"lists</emphasis> or ACL."

#: serverguide/C/network-auth.xml:1115(para)
"When we installed the slapd package various ACL were set up automatically. "
"We will look at a few important consequences of those defaults and, in so "
"doing, we'll get an idea of how ACLs work and how they're configured."

#: serverguide/C/network-auth.xml:1120(para)
"To get the effective ACL for an LDAP query we need to look at the ACL "
"entries of the database being queried as well as those of the special "
"frontend database instance. The ACLs belonging to the latter act as defaults "
"in case those of the former do not match. The frontend database is the "
"second to be consulted and the ACL to be applied is the first to match "
"(\"first match wins\") among these 2 ACL sources. The following commands "
"will give, respectively, the ACLs of the hdb database "
"(\"dc=example,dc=com\") and those of the frontend database:"

#: serverguide/C/network-auth.xml:1129(command)
"sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \\ cn=config "
"'(olcDatabase={1}hdb)' olcAccess"

#: serverguide/C/network-auth.xml:1131(computeroutput)
"dn: olcDatabase={1}hdb,cn=config\n"
"olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by "
" auth by dn=\"cn=admin,dc=example,dc=com\" write by * none\n"
"olcAccess: {1}to dn.base=\"\" by * read\n"
"olcAccess: {2}to * by self write by dn=\"cn=admin,dc=example,dc=com\" write "

#: serverguide/C/network-auth.xml:1142(para)
"The rootDN always has full rights to its database. Including it in an ACL "
"does provide an explicit configuration but it also causes slapd to incur a "
"performance penalty."

#: serverguide/C/network-auth.xml:1149(command)
"sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \\ cn=config "
"'(olcDatabase={-1}frontend)' olcAccess"

#: serverguide/C/network-auth.xml:1151(computeroutput)
"dn: olcDatabase={-1}frontend,cn=config\n"
"olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,\n"
" cn=external,cn=auth manage by * break\n"
"olcAccess: {1}to dn.exact=\"\" by * read\n"
"olcAccess: {2}to dn.base=\"cn=Subschema\" by * read\n"
#: serverguide/C/network-auth.xml:1160(para)
msgid "The very first ACL is crucial:"

#: serverguide/C/network-auth.xml:1164(programlisting)
"olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by "
" auth by dn=\"cn=admin,dc=example,dc=com\" write by * none\n"

#: serverguide/C/network-auth.xml:1169(para)
msgid "This can be represented differently for easier digestion:"

#: serverguide/C/network-auth.xml:1173(programlisting)
"to attrs=userPassword\n"
"\tby self write\n"
"\tby anonymous auth\n"
"\tby dn=\"cn=admin,dc=example,dc=com\" write\n"
"to attrs=shadowLastChange\n"
"\tby self write\n"
"\tby anonymous auth\n"
"\tby dn=\"cn=admin,dc=example,dc=com\" write\n"

#: serverguide/C/network-auth.xml:1187(para)
msgid "This compound ACL (there are 2) enforces the following:"

#: serverguide/C/network-auth.xml:1194(para)
"Anonymous 'auth' access is provided to the <emphasis>userPassword</emphasis> "
"attribute for the initial connection to occur. Perhaps counter-intuitively, "
"'by anonymous auth' is needed even when anonymous access to the DIT is "
"unwanted. Once the remote end is connected, however, authentication can "
"occur (see next point)."

#: serverguide/C/network-auth.xml:1202(para)
"Authentication can happen because all users have 'read' (due to 'by self "
"write') access to the <emphasis>userPassword</emphasis> attribute."

#: serverguide/C/network-auth.xml:1208(para)
"The <emphasis>userPassword</emphasis> attribute is otherwise inaccessible by "
"all other users, with the exception of the rootDN, who has complete access "

#: serverguide/C/network-auth.xml:1215(para)
"In order for users to change their own password, using "
"<command>passwd</command> or other utilities, the "
"<emphasis>shadowLastChange</emphasis> attribute needs to be accessible once "
"a user has authenticated."

#: serverguide/C/network-auth.xml:1223(para)
"This DIT can be searched anonymously because of 'by * read' in this ACL:"

#: serverguide/C/network-auth.xml:1227(programlisting)
"\tby self write\n"
"\tby dn=\"cn=admin,dc=example,dc=com\" write\n"

#: serverguide/C/network-auth.xml:1234(para)
"If this is unwanted then you need to change the ACLs. To force "
"authentication during a bind request you can alternatively (or in "
"combination with the modified ACL) use the 'olcRequire: authc' directive."

#: serverguide/C/network-auth.xml:1239(para)
"As previously mentioned, there is no administrative account created for the "
"slapd-config database. There is, however, a SASL identity that is granted "
"full access to it. It represents the localhost's superuser (root/sudo). Here "

#: serverguide/C/network-auth.xml:1244(programlisting)
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth \n"

#: serverguide/C/network-auth.xml:1248(para)
"The following command will display the ACLs of the slapd-config database:"

#: serverguide/C/network-auth.xml:1253(command)
"sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \\ cn=config "
"'(olcDatabase={0}config)' olcAccess"
#: serverguide/C/network-auth.xml:1255(computeroutput)
"dn: olcDatabase={0}config,cn=config\n"
"olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,\n"
" cn=external,cn=auth manage by * break\n"
"olcAccess: {0}to * by "
"dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external\n"
" ,cn=auth manage by * break\n"

#: serverguide/C/network-auth.xml:867(para)
msgid "To see the ACL for the frontend tree enter:"

#: serverguide/C/network-auth.xml:872(command)
"sudo ldapsearch -c -Y EXTERNAL -H ldapi:/// -LLL -b cn=config "
"olcDatabase={1}hdb olcAccess"

#: serverguide/C/network-auth.xml:878(title)
msgid "TLS and SSL"

#: serverguide/C/network-auth.xml:880(para)
#: serverguide/C/network-auth.xml:1262(para)
"Since this is a SASL identity we need to use a SASL "
"<emphasis>mechanism</emphasis> when invoking the LDAP utility in question, "
"and we have seen it plenty of times in this guide. It is the EXTERNAL "
"mechanism. See the previous command for an example. Note that:"

#: serverguide/C/network-auth.xml:1270(para)
"You must use <emphasis>sudo</emphasis> to become the root identity in order "
"for the ACL to match."

#: serverguide/C/network-auth.xml:1276(para)
"The EXTERNAL mechanism works via <emphasis>IPC</emphasis> (UNIX domain "
"sockets). This means you must use the <emphasis>ldapi</emphasis> URI format."

#: serverguide/C/network-auth.xml:1284(para)
msgid "A succinct way to get all the ACLs is like this:"

#: serverguide/C/network-auth.xml:1289(command)
"sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \\ cn=config "
"'(olcAccess=*)' olcAccess olcSuffix"

#: serverguide/C/network-auth.xml:1293(para)
"There is much to say on the topic of access control. See the man page for "
"url=\"http://manpages.ubuntu.com/manpages/en/man5/slapd.access.5.html\">slapd"

#: serverguide/C/network-auth.xml:1301(title)

#: serverguide/C/network-auth.xml:1303(para)
"When authenticating to an OpenLDAP server it is best to do so using an "
"encrypted session. This can be accomplished using Transport Layer Security "
"(TLS) and/or Secure Sockets Layer (SSL)."
13883
#: serverguide/C/network-auth.xml:885(para)
13885
"The first step in the process is to obtain or create a "
13886
"<emphasis>certificate</emphasis>. Because <application>slapd</application> "
13887
"is compiled using the <application>gnutls</application> library, the "
13888
"<application>certtool</application> utility will be used to create "
13892
#: serverguide/C/network-auth.xml:894(para)
13894
"First, install <application>gnutls-bin</application> by entering the "
13895
"following in a terminal:"
13898
#: serverguide/C/network-auth.xml:899(command)
13899
msgid "sudo apt-get install gnutls-bin"
13902
#: serverguide/C/network-auth.xml:905(para)
13904
"Next, create a private key for the <emphasis>Certificate "
13905
"Authority</emphasis> (CA):"
13908
#: serverguide/C/network-auth.xml:910(command)
17663
#: serverguide/C/network-auth.xml:1308(para)
17665
"Here, we will be our own <emphasis>Certificate Authority</emphasis> and then "
17666
"create and sign our LDAP server certificate as that CA. Since "
17667
"<application>slapd</application> is compiled using the "
17668
"<application>gnutls</application> library, we will use the "
17669
"<application>certtool</application> utility to complete these tasks."
17672
#: serverguide/C/network-auth.xml:1317(para)
17674
"Install the <application>gnutls-bin</application> and <application>ssl-"
17675
"cert</application> packages:"
17678
#: serverguide/C/network-auth.xml:1322(command)
17679
msgid "sudo apt-get install gnutls-bin ssl-cert"
17682
#: serverguide/C/network-auth.xml:1328(para)
17683
msgid "Create a private key for the Certificate Authority:"
17686
#: serverguide/C/network-auth.xml:1333(command)
13910
17688
"sudo sh -c \"certtool --generate-privkey > /etc/ssl/private/cakey.pem\""
13913
#: serverguide/C/network-auth.xml:916(para)
17691
#: serverguide/C/network-auth.xml:1339(para)
13915
"Create a <filename>/etc/ssl/ca.info</filename> details file to self-sign the "
13916
"CA certificate containing:"
17693
"Create the template/file <filename>/etc/ssl/ca.info</filename> to define the "
13919
#: serverguide/C/network-auth.xml:920(programlisting)
17697
#: serverguide/C/network-auth.xml:1343(programlisting)
14605
18452
"title: Employee\n"
14608
#: serverguide/C/network-auth.xml:1526(para)
18455
#: serverguide/C/network-auth.xml:1998(para)
14610
18457
"Notice the <emphasis><ask></emphasis> option used for the "
14611
"<emphasis>ssn</emphasis> value. Using <ask> will configure "
14612
"<application>ldapadduser</application> to prompt you for the attribute value "
14613
"during user creation."
14616
#: serverguide/C/network-auth.xml:1534(para)
14618
"There are more useful scripts in the package; to see a full list enter: "
14619
"<command>dpkg -L ldapscripts | grep bin</command>"
14622
#: serverguide/C/network-auth.xml:1543(para)
14624
"The <ulink url=\"https://help.ubuntu.com/community/OpenLDAPServer\">OpenLDAP "
14625
"Ubuntu Wiki</ulink> page has more details."
14628
#: serverguide/C/network-auth.xml:1548(para)
14630
"For more information see <ulink url=\"http://www.openldap.org/\">OpenLDAP "
14631
"Home Page</ulink>"
14634
#: serverguide/C/network-auth.xml:1553(para)
14636
"Though starting to show its age, a great source for in-depth LDAP "
14637
"information is O'Reilly's <ulink "
14638
"url=\"http://www.oreilly.com/catalog/ldapsa/\">LDAP System "
14639
"Administration</ulink>"
14642
#: serverguide/C/network-auth.xml:1559(para)
18458
"<emphasis>sn</emphasis> attribute. This will make "
18459
"<application>ldapadduser</application> prompt you for its value."
18462
#: serverguide/C/network-auth.xml:2006(para)
18464
"There are utilities in the package that were not covered here. Here is a "
18468
#: serverguide/C/network-auth.xml:2011(ulink)
18469
msgid "ldaprenamemachine"
18472
#: serverguide/C/network-auth.xml:2012(ulink)
18473
msgid "ldapadduser"
18476
#: serverguide/C/network-auth.xml:2013(ulink)
18477
msgid "ldapdeleteuserfromgroup"
18480
#: serverguide/C/network-auth.xml:2014(ulink)
18484
#: serverguide/C/network-auth.xml:2015(ulink)
18488
#: serverguide/C/network-auth.xml:2016(ulink)
18492
#: serverguide/C/network-auth.xml:2017(ulink)
18493
msgid "ldapmodifyuser"
18496
#: serverguide/C/network-auth.xml:2018(ulink)
18497
msgid "ldaprenameuser"
18500
#: serverguide/C/network-auth.xml:2019(ulink)
18504
#: serverguide/C/network-auth.xml:2020(ulink)
18505
msgid "ldapaddusertogroup"
18508
#: serverguide/C/network-auth.xml:2021(ulink)
18509
msgid "ldapsetpasswd"
18512
#: serverguide/C/network-auth.xml:2022(ulink)
18516
#: serverguide/C/network-auth.xml:2023(ulink)
18517
msgid "ldapaddgroup"
18520
#: serverguide/C/network-auth.xml:2024(ulink)
18521
msgid "ldapdeletegroup"
18524
#: serverguide/C/network-auth.xml:2025(ulink)
18525
msgid "ldapmodifygroup"
18528
#: serverguide/C/network-auth.xml:2026(ulink)
18529
msgid "ldapdeletemachine"
18532
#: serverguide/C/network-auth.xml:2027(ulink)
18533
msgid "ldaprenamegroup"
18536
#: serverguide/C/network-auth.xml:2028(ulink)
18537
msgid "ldapaddmachine"
18540
#: serverguide/C/network-auth.xml:2029(ulink)
18541
msgid "ldapmodifymachine"
18544
#: serverguide/C/network-auth.xml:2030(ulink)
18545
msgid "ldapsetprimarygroup"
18548
#: serverguide/C/network-auth.xml:2031(ulink)
18549
msgid "ldapdeleteuser"
18552
#: serverguide/C/network-auth.xml:2037(title)
18553
msgid "Backup and Restore"
18556
#: serverguide/C/network-auth.xml:2039(para)
18558
"Now that we have LDAP running just the way we want, it is time to ensure we can "
18559
"save all of our work and restore it as needed."
18562
#: serverguide/C/network-auth.xml:2044(para)
18564
"What we need is a way to back up the LDAP database(s), specifically the "
18565
"backend (cn=config) and frontend (dc=example,dc=com). If we are going to "
18566
"back up those databases into, say, <filename>/export/backup</filename>, we "
18567
"could use <application>slapcat</application> as shown in the following "
18568
"script, called <filename>/usr/local/bin/ldapbackup</filename>:"
18571
#: serverguide/C/network-auth.xml:2054(programlisting)
18577
"BACKUP_PATH=/export/backup\n"
18578
"SLAPCAT=/usr/sbin/slapcat\n"
18580
"nice ${SLAPCAT} -n 0 > ${BACKUP_PATH}/config.ldif\n"
18581
"nice ${SLAPCAT} -n 1 > ${BACKUP_PATH}/example.com.ldif\n"
18582
"nice ${SLAPCAT} -n 2 > ${BACKUP_PATH}/access.ldif\n"
18583
"chmod 640 ${BACKUP_PATH}/*.ldif\n"
18586
#: serverguide/C/network-auth.xml:2067(para)
18588
"These files are uncompressed text files containing everything in your ldap "
18589
"databases including the tree layout, usernames, and every password. So, you "
18590
"might want to consider making <filename>/export/backup</filename> an "
18591
"encrypted partition and even having the script encrypt those files as it "
18592
"creates them. Ideally you should do both, but that depends on your security "
18596
#: serverguide/C/network-auth.xml:2078(para)
18598
"Then, it is just a matter of having a cron script to run this program as "
18599
"often as we feel comfortable with. For many, once a day suffices. For "
18600
"others, more often is required. Here is an example of a cron script called "
18601
"<filename>/etc/cron.d/ldapbackup</filename> that is run every night at "
18605
#: serverguide/C/network-auth.xml:2086(programlisting)
18609
"MAILTO=backup-emails@domain.com\n"
18610
"45 22 * * * root /usr/local/bin/ldapbackup\n"
18613
#: serverguide/C/network-auth.xml:2091(para)
18614
msgid "Now that the files are created, they should be copied to a backup server."
18617
#: serverguide/C/network-auth.xml:2096(para)
18619
"Assuming we did a fresh reinstall of ldap, the restore process could be "
18620
"something like this:"
18623
#: serverguide/C/network-auth.xml:2102(command)
18624
msgid "sudo service slapd stop"
18627
#: serverguide/C/network-auth.xml:2103(command)
18628
msgid "sudo mkdir /var/lib/ldap/accesslog"
18631
#: serverguide/C/network-auth.xml:2104(command)
18632
msgid "sudo slapadd -F /etc/ldap/slapd.d -n 0 -l /export/backup/config.ldif"
18635
#: serverguide/C/network-auth.xml:2105(command)
18637
"sudo slapadd -F /etc/ldap/slapd.d -n 1 -l /export/backup/domain.com.ldif"
18640
#: serverguide/C/network-auth.xml:2106(command)
18641
msgid "sudo slapadd -F /etc/ldap/slapd.d -n 2 -l /export/backup/access.ldif"
18644
#: serverguide/C/network-auth.xml:2107(command)
18645
msgid "sudo chown -R openldap:openldap /etc/ldap/slapd.d/"
18648
#: serverguide/C/network-auth.xml:2108(command)
18649
msgid "sudo chown -R openldap:openldap /var/lib/ldap/"
18652
#: serverguide/C/network-auth.xml:2109(command)
18653
msgid "sudo service slapd start"
18656
#: serverguide/C/network-auth.xml:2120(para)
18658
"The primary resource is the upstream documentation: <ulink "
18659
"url=\"http://www.openldap.org/\">www.openldap.org</ulink>"
18662
#: serverguide/C/network-auth.xml:2126(para)
18664
"There are many man pages that come with the slapd package. Here are some "
18665
"important ones, especially considering the material presented in this guide:"
18668
#: serverguide/C/network-auth.xml:2132(ulink)
18672
#: serverguide/C/network-auth.xml:2133(ulink)
18673
msgid "slapd-config"
18676
#: serverguide/C/network-auth.xml:2134(ulink)
18677
msgid "slapd.access"
18680
#: serverguide/C/network-auth.xml:2135(ulink)
18681
msgid "slapo-syncprov"
18684
#: serverguide/C/network-auth.xml:2141(para)
18685
msgid "Other man pages:"
18688
#: serverguide/C/network-auth.xml:2146(ulink)
18689
msgid "auth-client-config"
18692
#: serverguide/C/network-auth.xml:2147(ulink)
18693
msgid "pam-auth-update"
18696
#: serverguide/C/network-auth.xml:2153(para)
18698
"Zytrax's <ulink url=\"http://www.zytrax.com/books/ldap/\">LDAP for Rocket "
18699
"Scientists</ulink>; a less pedantic but comprehensive treatment of LDAP"
18702
#: serverguide/C/network-auth.xml:2159(para)
18704
"An Ubuntu community <ulink "
18705
"url=\"https://help.ubuntu.com/community/OpenLDAPServer\">OpenLDAP "
18706
"wiki</ulink> page has a collection of notes"
18709
#: serverguide/C/network-auth.xml:2165(para)
18711
"O'Reilly's <ulink url=\"http://www.oreilly.com/catalog/ldapsa/\">LDAP System "
18712
"Administration</ulink> (textbook; 2003)"
18715
#: serverguide/C/network-auth.xml:2171(para)
14644
18717
"Packt's <ulink url=\"http://www.packtpub.com/OpenLDAP-Developers-Server-Open-"
14645
"Source-Linux/book\">Mastering OpenLDAP</ulink> is a great reference covering "
14646
"newer versions of OpenLDAP."
14649
#: serverguide/C/network-auth.xml:1565(para)
14651
"For more information on <application>auth-client-config</application> see "
14652
"the man page: <command>man auth-client-config</command>."
14655
#: serverguide/C/network-auth.xml:1570(para)
14657
"For more details regarding the <application>ldapscripts</application> "
14658
"package see the man pages: <command>man ldapscripts</command>, <command>man "
14659
"ldapadduser</command>, <command>man ldapaddgroup</command>, etc."
14662
#: serverguide/C/network-auth.xml:1580(title)
18718
"Source-Linux/book\">Mastering OpenLDAP</ulink> (textbook; 2007)"
18721
#: serverguide/C/network-auth.xml:2182(title)
14663
18722
msgid "Samba and LDAP"
14666
#: serverguide/C/network-auth.xml:1582(para)
14668
"This section covers configuring Samba to use LDAP for user, group, and "
14669
"machine account information and authentication. The assumption is, you "
14670
"already have a working OpenLDAP directory installed and the server is "
14671
"configured to use it for authentication. See <xref linkend=\"openldap-"
14672
"server\"/> and <xref linkend=\"openldap-auth-config\"/> for details on "
14673
"setting up OpenLDAP. For more information on installing and configuring "
14674
"Samba see <xref linkend=\"windows-networking\"/>."
14677
#: serverguide/C/network-auth.xml:1592(para)
14679
"There are three packages needed when integrating Samba with LDAP. "
18725
#: serverguide/C/network-auth.xml:2184(para)
18727
"This section covers the integration of Samba with LDAP. The Samba server's "
18728
"role will be that of a \"standalone\" server and the LDAP directory will "
18729
"provide the authentication layer in addition to containing the user, group, "
18730
"and machine account information that Samba requires in order to function (in "
18731
"any of its 3 possible roles). The prerequisite is an OpenLDAP server "
18732
"configured with a directory that can accept authentication requests. See "
18733
"<xref linkend=\"openldap-server\"/> for details on fulfilling this "
18734
"requirement. Once this section is completed, you will need to decide what "
18735
"specifically you want Samba to do for you and then configure it accordingly."
18738
#: serverguide/C/network-auth.xml:2193(title)
18739
msgid "Software Installation"
18742
#: serverguide/C/network-auth.xml:2195(para)
18744
"There are three packages needed when integrating Samba with LDAP: "
14680
18745
"<application>samba</application>, <application>samba-doc</application>, and "
14681
"<application>smbldap-tools</application> packages. To install the packages, "
14682
"from a terminal enter:"
14685
#: serverguide/C/network-auth.xml:1598(command)
18746
"<application>smbldap-tools</application> packages."
18749
#: serverguide/C/network-auth.xml:2200(para)
18751
"Strictly speaking, the <application>smbldap-tools</application> package "
18752
"isn't needed, but unless you have some other way to manage the various "
18753
"Samba entities (users, groups, computers) in an LDAP context then you "
18754
"should install it."
18757
#: serverguide/C/network-auth.xml:2205(para)
18758
msgid "Install these packages now:"
18761
#: serverguide/C/network-auth.xml:2210(command)
14686
18762
msgid "sudo apt-get install samba samba-doc smbldap-tools"
14689
#: serverguide/C/network-auth.xml:1601(para)
14691
"Strictly speaking the <application>smbldap-tools</application> package isn't "
14692
"needed, but unless you have another package or custom scripts, a method of "
14693
"managing users, groups, and computer accounts is needed."
14696
#: serverguide/C/network-auth.xml:1608(title)
14697
msgid "OpenLDAP Configuration"
14700
#: serverguide/C/network-auth.xml:1610(para)
14702
"In order for Samba to use OpenLDAP as a <emphasis>passdb backend</emphasis>, "
14703
"the user objects in the directory will need additional attributes. This "
14704
"section assumes you want Samba to be configured as a Windows NT domain "
14705
"controller, and will add the necessary LDAP objects and attributes."
14708
#: serverguide/C/network-auth.xml:1618(para)
14710
"The Samba attributes are defined in the <filename>samba.schema</filename> "
14711
"file which is part of the <application>samba-doc</application> package. The "
14712
"schema file needs to be unzipped and copied to "
14713
"<filename>/etc/ldap/schema</filename>. From a terminal prompt enter:"
14716
#: serverguide/C/network-auth.xml:1625(command)
18765
#: serverguide/C/network-auth.xml:2216(title)
18766
msgid "LDAP Configuration"
18769
#: serverguide/C/network-auth.xml:2218(para)
18771
"We will now configure the LDAP server so that it can accommodate Samba data. "
18772
"We will perform three tasks in this section:"
18775
#: serverguide/C/network-auth.xml:2225(para)
18776
msgid "Import a schema"
18779
#: serverguide/C/network-auth.xml:2229(para)
18780
msgid "Index some entries"
18783
#: serverguide/C/network-auth.xml:2233(para)
18784
msgid "Add objects"
18787
#: serverguide/C/network-auth.xml:2239(title)
18788
msgid "Samba schema"
18791
#: serverguide/C/network-auth.xml:2241(para)
18793
"In order for OpenLDAP to be used as a backend for Samba, logically, the DIT "
18794
"will need to use attributes that can properly describe Samba data. Such "
18795
"attributes can be obtained by introducing a Samba LDAP schema. Let's do this "
18799
#: serverguide/C/network-auth.xml:2247(para)
18801
"For more information on schemas and their installation see <xref "
18802
"linkend=\"openldap-configuration\"/>."
18805
#: serverguide/C/network-auth.xml:2255(para)
18807
"The schema is found in the now-installed <application>samba-"
18808
"doc</application> package. It needs to be unzipped and copied to the "
18809
"<filename>/etc/ldap/schema</filename> directory:"
18812
#: serverguide/C/network-auth.xml:2261(command)
14718
18814
"sudo cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz "
14719
"/etc/ldap/schema/"
14722
#: serverguide/C/network-auth.xml:1626(command)
18818
#: serverguide/C/network-auth.xml:2262(command)
14723
18819
msgid "sudo gzip -d /etc/ldap/schema/samba.schema.gz"
14726
#: serverguide/C/network-auth.xml:1632(para)
14728
"The <emphasis>samba</emphasis> schema needs to be added to the "
14729
"<emphasis>cn=config</emphasis> tree. The procedure to add a new schema to "
14730
"<application>slapd</application> is also detailed in <xref "
14731
"linkend=\"openldap-configuration\"/>."
14734
#: serverguide/C/network-auth.xml:1640(para) serverguide/C/network-auth.xml:2676(para)
14736
"First, create a configuration file named "
14737
"<filename>schema_convert.conf</filename>, or a similar descriptive name, "
14738
"containing the following lines:"
14741
#: serverguide/C/network-auth.xml:1645(programlisting)
18822
#: serverguide/C/network-auth.xml:2268(para)
18824
"Have the configuration file <filename>schema_convert.conf</filename> that "
18825
"contains the following lines:"
18828
#: serverguide/C/network-auth.xml:2272(programlisting)
16253
#: serverguide/C/network-auth.xml:3065(command)
20560
#: serverguide/C/network-auth.xml:3875(command)
16254
20561
msgid "sudo scp /etc/krb5kdc/.k5.EXAMPLE.COM steve@kdc02.example.com:~"
16257
#: serverguide/C/network-auth.xml:3066(command)
20564
#: serverguide/C/network-auth.xml:3876(command)
16258
20565
msgid "sudo mv .k5.EXAMPLE.COM /etc/krb5kdc/"
16261
#: serverguide/C/network-auth.xml:3070(para)
20568
#: serverguide/C/network-auth.xml:3880(para)
16263
20570
"Again, replace <emphasis>EXAMPLE.COM</emphasis> with your actual realm."
16266
#: serverguide/C/network-auth.xml:3078(para)
20573
#: serverguide/C/network-auth.xml:3888(para)
20575
"Back on the <emphasis>Secondary KDC</emphasis>, (re)start the ldap server "
20579
#: serverguide/C/network-auth.xml:3900(para)
16267
20580
msgid "Finally, start the <application>krb5-kdc</application> daemon:"
16270
#: serverguide/C/network-auth.xml:3089(para)
20583
#: serverguide/C/network-auth.xml:3911(para)
20584
msgid "Verify the two ldap servers (and kerberos by extension) are in sync."
20587
#: serverguide/C/network-auth.xml:3918(para)
16272
20589
"You now have redundant KDCs on your network, and with redundant LDAP servers "
16273
20590
"you should be able to continue to authenticate users if one LDAP server, one "
16274
20591
"Kerberos server, or one LDAP and one Kerberos server become unavailable."
16277
#: serverguide/C/network-auth.xml:3101(para)
20594
#: serverguide/C/network-auth.xml:3930(para)
16279
20596
"The <ulink url=\"http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-"
16280
20597
"admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend\"> Kerberos Admin "
16281
20598
"Guide</ulink> has some additional details."
16284
#: serverguide/C/network-auth.xml:3107(para)
20601
#: serverguide/C/network-auth.xml:3936(para)
16286
20603
"For more information on <application>kdb5_ldap_util</application> see <ulink "
16287
20604
"url=\"http://web.mit.edu/Kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-"
16288
20605
"admin.html#Global-Operations-on-the-Kerberos-LDAP-Database\"> Section "
16289
20606
"5.6</ulink> and the <ulink "
16290
"url=\"http://manpages.ubuntu.com/manpages/maverick/en/man8/kdb5_ldap_util.8.h"
16291
"tml\">kdb5_ldap_util man page</ulink>."
20607
"url=\"http://manpages.ubuntu.com/manpages/precise/en/man8/kdb5_ldap_util.8.ht"
20608
"ml\">kdb5_ldap_util man page</ulink>."
16294
#: serverguide/C/network-auth.xml:3115(para)
20611
#: serverguide/C/network-auth.xml:3944(para)
16296
20613
"Another useful link is the <ulink "
16297
"url=\"http://manpages.ubuntu.com/manpages/maverick/en/man5/krb5.conf.5.html\""
16298
">krb5.conf man page</ulink>."
20614
"url=\"http://manpages.ubuntu.com/manpages/precise/en/man5/krb5.conf.5.html\">"
20615
"krb5.conf man page</ulink>."
16301
#: serverguide/C/network-auth.xml:3120(para)
20618
#: serverguide/C/network-auth.xml:3949(para)
16303
20620
"Also, see the <ulink "
16304
20621
"url=\"https://help.ubuntu.com/community/Kerberos#kerberos-ldap\">Kerberos "
16305
20622
"and LDAP</ulink> Ubuntu wiki page."
20625
#: serverguide/C/multipath-device-attributes-table.xml:2(title)
20626
msgid "Device Attributes"
20629
#: serverguide/C/multipath-device-attributes-table.xml:8(entry) serverguide/C/multipath-config-defaults-table.xml:12(entry) serverguide/C/multipath-attributes-table.xml:8(entry)
20633
#: serverguide/C/multipath-device-attributes-table.xml:9(entry) serverguide/C/multipath-config-defaults-table.xml:14(entry) serverguide/C/multipath-components-table.xml:12(entry) serverguide/C/multipath-attributes-table.xml:9(entry) serverguide/C/dm-multipath.xml:1624(entry)
20634
msgid "Description"
20637
#: serverguide/C/multipath-device-attributes-table.xml:15(emphasis)
20641
#: serverguide/C/multipath-device-attributes-table.xml:17(emphasis)
20645
#: serverguide/C/multipath-device-attributes-table.xml:17(entry)
20647
"Specifies the vendor name of the storage device to which the device "
20648
"attributes apply, for example <placeholder-1/>."
20651
#: serverguide/C/multipath-device-attributes-table.xml:21(emphasis)
20655
#: serverguide/C/multipath-device-attributes-table.xml:23(emphasis)
20656
msgid "HSV110 (C)COMPAQ"
20659
#: serverguide/C/multipath-device-attributes-table.xml:23(entry)
20661
"Specifies the product name of the storage device to which the device "
20662
"attributes apply, for example <placeholder-1/>."
20665
#: serverguide/C/multipath-device-attributes-table.xml:27(emphasis)
20669
#: serverguide/C/multipath-device-attributes-table.xml:29(entry)
20670
msgid "Specifies the product revision identifier of the storage device."
20673
#: serverguide/C/multipath-device-attributes-table.xml:33(emphasis)
20674
msgid "product_blacklist"
20677
#: serverguide/C/multipath-device-attributes-table.xml:35(entry)
20678
msgid "Specifies a regular expression used to blacklist devices by product."
20681
#: serverguide/C/multipath-device-attributes-table.xml:39(emphasis)
20682
msgid "hardware_handler"
20685
#: serverguide/C/multipath-device-attributes-table.xml:41(para)
20687
"Specifies a module that will be used to perform hardware specific actions "
20688
"when switching path groups or handling I/O errors. Possible values include:"
20691
#: serverguide/C/multipath-device-attributes-table.xml:44(para)
20693
"<emphasis role=\"bold\">1 emc</emphasis>: hardware handler for EMC storage "
20697
#: serverguide/C/multipath-device-attributes-table.xml:47(para)
20699
"<emphasis role=\"bold\">1 alua</emphasis>: hardware handler for SCSI-3 ALUA "
20703
#: serverguide/C/multipath-device-attributes-table.xml:49(para)
20705
"<emphasis role=\"bold\">1 hp_sw</emphasis>: hardware handler for Compaq/HP "
20709
#: serverguide/C/multipath-device-attributes-table.xml:53(para)
20711
"<emphasis role=\"bold\">1 rdac</emphasis>: hardware handler for the "
20712
"LSI/Engenio RDAC controllers."
20715
#: serverguide/C/multipath-config-defaults-table.xml:3(title)
20716
msgid "Multipath Configuration Defaults"
20719
#: serverguide/C/multipath-config-defaults-table.xml:21(emphasis) serverguide/C/multipath-config-defaults-table.xml:26(emphasis)
20720
msgid "polling_interval"
20723
#: serverguide/C/multipath-config-defaults-table.xml:27(emphasis)
20727
#: serverguide/C/multipath-config-defaults-table.xml:24(entry)
20729
"Specifies the interval between two path checks in seconds. For properly "
20730
"functioning paths, the interval between checks will gradually increase to (4 "
20731
"* <placeholder-1/>). The default value is <placeholder-2/>."
20734
#: serverguide/C/multipath-config-defaults-table.xml:32(emphasis)
20738
#: serverguide/C/multipath-config-defaults-table.xml:35(entry)
20740
"The directory where udev device nodes are created. The default value is /dev."
20743
#: serverguide/C/multipath-config-defaults-table.xml:41(emphasis)
20744
msgid "multipath_dir"
20747
#: serverguide/C/multipath-config-defaults-table.xml:46(filename)
20748
msgid "/lib/multipath"
20751
#: serverguide/C/multipath-config-defaults-table.xml:44(entry)
20753
"The directory where the dynamic shared objects are stored. The default value "
20754
"is system dependent, commonly <placeholder-1/>."
20757
#: serverguide/C/multipath-config-defaults-table.xml:51(emphasis)
20761
#: serverguide/C/multipath-config-defaults-table.xml:54(entry)
20763
"The default verbosity. Higher values increase the verbosity level. Valid "
20764
"levels are between 0 and 6. The default value is 2."
20767
#: serverguide/C/multipath-config-defaults-table.xml:61(emphasis) serverguide/C/multipath-config-defaults-table.xml:323(emphasis) serverguide/C/dm-multipath.xml:1049(parameter) serverguide/C/dm-multipath.xml:1204(parameter)
20768
msgid "path_selector"
20771
#: serverguide/C/multipath-config-defaults-table.xml:65(para)
20773
"Specifies the default algorithm to use in determining what path to use for "
20774
"the next I/O operation. Possible values include:"
20777
#: serverguide/C/multipath-config-defaults-table.xml:71(para)
20779
"<emphasis role=\"bold\">round-robin 0</emphasis>: Loop through every path in "
20780
"the path group, sending the same amount of I/O to each."
20783
#: serverguide/C/multipath-config-defaults-table.xml:77(para)
20785
"<emphasis role=\"bold\">queue-length 0</emphasis>: Send the next bunch of "
20786
"I/O down the path with the least number of outstanding I/O requests."
20789
#: serverguide/C/multipath-config-defaults-table.xml:83(para)
20791
"<emphasis role=\"bold\">service-time 0</emphasis>: Send the next bunch of "
20792
"I/O down the path with the shortest estimated service time, which is "
20793
"determined by dividing the total size of the outstanding I/O to each path by "
20794
"its relative throughput."
20797
#: serverguide/C/multipath-config-defaults-table.xml:91(para)
20799
"The default value is <emphasis role=\"bold\">round-robin 0</emphasis>."
20802
#: serverguide/C/multipath-config-defaults-table.xml:98(emphasis) serverguide/C/dm-multipath.xml:1044(parameter) serverguide/C/dm-multipath.xml:1194(parameter)
20803
msgid "path_grouping_policy"
20806
#: serverguide/C/multipath-config-defaults-table.xml:102(para)
20808
"Specifies the default path grouping policy to apply to unspecified "
20809
"multipaths. Possible values include:"
20812
#: serverguide/C/multipath-config-defaults-table.xml:107(para)
20814
"<emphasis role=\"bold\">failover</emphasis> = 1 path per priority group"
20817
#: serverguide/C/multipath-config-defaults-table.xml:112(para)
20819
"<emphasis role=\"bold\">multibus</emphasis> = all valid paths in 1 priority "
20823
#: serverguide/C/multipath-config-defaults-table.xml:117(para)
20825
"<emphasis role=\"bold\">group_by_serial</emphasis> = 1 priority group per "
20826
"detected serial number"
20829
#: serverguide/C/multipath-config-defaults-table.xml:122(para)
20831
"<emphasis role=\"bold\">group_by_prio</emphasis> = 1 priority group per path "
20835
#: serverguide/C/multipath-config-defaults-table.xml:127(para)
20837
"<emphasis role=\"bold\">group_by_node_name</emphasis> = 1 priority group per "
20838
"target node name."
20841
#: serverguide/C/multipath-config-defaults-table.xml:132(para)
20842
msgid "The default value is <emphasis role=\"bold\">failover.</emphasis>"
20845
#: serverguide/C/multipath-config-defaults-table.xml:139(emphasis) serverguide/C/dm-multipath.xml:1199(parameter)
20846
msgid "getuid_callout"
20849
#: serverguide/C/multipath-config-defaults-table.xml:144(para)
20851
"The default value is <emphasis role=\"bold\">/lib/udev/scsi_id --whitelisted "
20852
"--device=/dev/%n.</emphasis>"
20855
#: serverguide/C/multipath-config-defaults-table.xml:142(entry)
20857
"Specifies the default program and arguments to call out to obtain a unique "
20858
"path identifier. An absolute path is required. <placeholder-1/>"
20861
#: serverguide/C/multipath-config-defaults-table.xml:150(emphasis) serverguide/C/dm-multipath.xml:1058(parameter) serverguide/C/dm-multipath.xml:1223(parameter)
20865
#: serverguide/C/multipath-config-defaults-table.xml:154(para)
20867
"Specifies the default function to call to obtain a path priority value. For "
20868
"example, the ALUA bits in SPC-3 provide an exploitable prio value. Possible "
20872
#: serverguide/C/multipath-config-defaults-table.xml:160(para)
20874
"<emphasis role=\"bold\">const</emphasis>: Set a priority of 1 to all paths."
20877
#: serverguide/C/multipath-config-defaults-table.xml:165(para)
20879
"<emphasis role=\"bold\">emc</emphasis>: Generate the path priority for EMC "
20883
#: serverguide/C/multipath-config-defaults-table.xml:170(para)
20885
"<emphasis role=\"bold\">alua</emphasis>: Generate the path priority based on "
20886
"the SCSI-3 ALUA settings."
20889
#: serverguide/C/multipath-config-defaults-table.xml:175(para)
20891
"<emphasis role=\"bold\">netapp</emphasis>: Generate the path priority for "
20895
#: serverguide/C/multipath-config-defaults-table.xml:180(para)
20897
"<emphasis role=\"bold\">rdac</emphasis>: Generate the path priority for "
20898
"LSI/Engenio RDAC controller."
20901
#: serverguide/C/multipath-config-defaults-table.xml:185(para)
20903
"<emphasis role=\"bold\">hp_sw</emphasis>: Generate the path priority for "
20904
"Compaq/HP controller in active/standby mode."
20907
#: serverguide/C/multipath-config-defaults-table.xml:190(para)
20909
"<emphasis role=\"bold\">hds</emphasis>: Generate the path priority for "
20910
"Hitachi HDS Modular storage arrays."
20913
#: serverguide/C/multipath-config-defaults-table.xml:195(para)
20914
msgid "The default value is <emphasis role=\"bold\">const</emphasis>."
20917
#: serverguide/C/multipath-config-defaults-table.xml:202(emphasis) serverguide/C/dm-multipath.xml:1063(parameter) serverguide/C/dm-multipath.xml:1228(parameter)
20921
#: serverguide/C/multipath-config-defaults-table.xml:206(para)
20923
"The arguments string passed to the prio function. Most prio functions do not "
20924
"need arguments. The datacore prioritizer needs one. Example, <emphasis "
20925
"role=\"bold\">\"timeout=1000 preferredsds=foo\"</emphasis>. The default "
20926
"value is (null) <emphasis role=\"bold\">\"\"</emphasis>."

#: serverguide/C/multipath-config-defaults-table.xml:216(emphasis) serverguide/C/dm-multipath.xml:1214(parameter)

#: serverguide/C/multipath-config-defaults-table.xml:220(emphasis)
msgid "queue_if_no_path"

#: serverguide/C/multipath-config-defaults-table.xml:221(emphasis) serverguide/C/multipath-config-defaults-table.xml:334(emphasis) serverguide/C/dm-multipath.xml:1068(parameter) serverguide/C/dm-multipath.xml:1233(parameter)
msgid "no_path_retry"

#: serverguide/C/multipath-config-defaults-table.xml:222(emphasis) serverguide/C/multipath-config-defaults-table.xml:341(emphasis)

#: serverguide/C/multipath-config-defaults-table.xml:223(link)
msgid "\"Issues with queue_if_no_path feature\""

#: serverguide/C/multipath-config-defaults-table.xml:219(entry)
msgid ""
"The extra features of multipath devices. The only existing feature is "
"<placeholder-1/>, which is the same as setting <placeholder-2/> to "
"<placeholder-3/>. For information on issues that may arise when using this "
"feature, see Section, <placeholder-4/>."

#: serverguide/C/multipath-config-defaults-table.xml:228(emphasis) serverguide/C/dm-multipath.xml:1209(parameter)
msgid "path_checker"

#: serverguide/C/multipath-config-defaults-table.xml:232(para)
msgid ""
"Specifies the default method used to determine the state of the paths. "
"Possible values include:"

#: serverguide/C/multipath-config-defaults-table.xml:237(para)
msgid ""
"<emphasis role=\"bold\">readsector0</emphasis>: Read the first sector of the "

#: serverguide/C/multipath-config-defaults-table.xml:242(para)
msgid ""
"<emphasis role=\"bold\">tur</emphasis>: Issue a TEST UNIT READY to the "

#: serverguide/C/multipath-config-defaults-table.xml:247(para)
msgid ""
"<emphasis role=\"bold\">emc_clariion</emphasis>: Query the EMC Clariion "
"specific EVPD page 0xC0 to determine the path."

#: serverguide/C/multipath-config-defaults-table.xml:253(para)
msgid ""
"<emphasis role=\"bold\">hp_sw</emphasis>: Check the path state for HP "
"storage arrays with Active/Standby firmware."

#: serverguide/C/multipath-config-defaults-table.xml:258(para)
msgid ""
"<emphasis role=\"bold\">rdac</emphasis>: Check the path state for LSI/Engenio "
"RDAC storage controller."

#: serverguide/C/multipath-config-defaults-table.xml:263(para)
msgid ""
"<emphasis role=\"bold\">directio</emphasis>: Read the first sector with "

#: serverguide/C/multipath-config-defaults-table.xml:268(para)
msgid "The default value is <emphasis role=\"bold\">directio</emphasis>."

#: serverguide/C/multipath-config-defaults-table.xml:275(emphasis) serverguide/C/dm-multipath.xml:1054(parameter) serverguide/C/dm-multipath.xml:1219(parameter)

#: serverguide/C/multipath-config-defaults-table.xml:279(para)
msgid "Manages path group failback."

#: serverguide/C/multipath-config-defaults-table.xml:283(para)
msgid ""
"A value of <emphasis role=\"bold\">immediate</emphasis> specifies immediate "
"failback to the highest priority path group that contains active paths."

#: serverguide/C/multipath-config-defaults-table.xml:289(para)
msgid ""
"A value of <emphasis role=\"bold\">manual</emphasis> specifies that there "
"should not be immediate failback but that failback can happen only with "
"operator intervention."

#: serverguide/C/multipath-config-defaults-table.xml:295(para)
msgid ""
"A numeric value greater than zero specifies deferred failback, expressed in "

#: serverguide/C/multipath-config-defaults-table.xml:300(para)
msgid "The default value is <emphasis role=\"bold\">manual</emphasis>."

#: serverguide/C/multipath-config-defaults-table.xml:307(emphasis) serverguide/C/multipath-config-defaults-table.xml:321(emphasis) serverguide/C/multipath-config-defaults-table.xml:325(emphasis) serverguide/C/dm-multipath.xml:1073(parameter) serverguide/C/dm-multipath.xml:1238(parameter)

#: serverguide/C/multipath-config-defaults-table.xml:311(para)
msgid "The default value is <literal>1000</literal>."

#: serverguide/C/multipath-config-defaults-table.xml:310(entry)
msgid ""
"Specifies the number of I/O requests to route to a path before switching to "
"the next path in the current path group.<placeholder-1/>"

#: serverguide/C/multipath-config-defaults-table.xml:317(emphasis) serverguide/C/dm-multipath.xml:1078(parameter) serverguide/C/dm-multipath.xml:1243(parameter)

#: serverguide/C/multipath-config-defaults-table.xml:320(emphasis)

#: serverguide/C/multipath-config-defaults-table.xml:327(emphasis)

#: serverguide/C/multipath-config-defaults-table.xml:327(para)
msgid "The default value is <emphasis role=\"bold\">uniform</emphasis>."

#: serverguide/C/multipath-config-defaults-table.xml:320(entry)
msgid ""
"If set to <placeholder-1/>, then instead of sending <placeholder-2/> "
"requests to a path before calling <placeholder-3/> to choose the next path, "
"the number of requests to send is determined by <placeholder-4/> times the "
"path's priority, as determined by the prio function. If set to <placeholder-"
"5/>, all path weights are equal. <placeholder-6/>"

#: serverguide/C/multipath-config-defaults-table.xml:340(emphasis)

#: serverguide/C/multipath-config-defaults-table.xml:342(para)
msgid "The default value is <literal>0</literal>."

#: serverguide/C/multipath-config-defaults-table.xml:337(entry)
msgid ""
"A numeric value for this attribute specifies the number of times the system "
"should attempt to use a failed path before disabling queueing. A value of "
"fail indicates <placeholder-1/> failure, without queueing. A value of "
"<placeholder-2/> indicates that queueing should not stop until the path is "
"fixed. <placeholder-3/>"

#: serverguide/C/multipath-config-defaults-table.xml:348(emphasis) serverguide/C/multipath-attributes-table.xml:30(emphasis)
msgid "user_friendly_names"

#: serverguide/C/multipath-config-defaults-table.xml:352(filename)
msgid "/etc/multipath/bindings"

#: serverguide/C/multipath-config-defaults-table.xml:353(emphasis) serverguide/C/multipath-config-defaults-table.xml:356(emphasis) serverguide/C/multipath-attributes-table.xml:25(emphasis)

#: serverguide/C/multipath-config-defaults-table.xml:354(emphasis) serverguide/C/multipath-config-defaults-table.xml:357(emphasis) serverguide/C/multipath-config-defaults-table.xml:379(emphasis) serverguide/C/multipath-config-defaults-table.xml:391(emphasis) serverguide/C/multipath-components-table.xml:31(emphasis) serverguide/C/multipath-components-table.xml:44(emphasis) serverguide/C/multipath-attributes-table.xml:18(emphasis) serverguide/C/multipath-attributes-table.xml:19(emphasis) serverguide/C/multipath-attributes-table.xml:28(emphasis) serverguide/C/multipath-attributes-table.xml:29(emphasis) serverguide/C/dm-multipath.xml:764(emphasis)

#: serverguide/C/multipath-config-defaults-table.xml:359(para) serverguide/C/multipath-config-defaults-table.xml:381(para)
msgid "The default value is <emphasis role=\"bold\">no</emphasis>."

#: serverguide/C/multipath-config-defaults-table.xml:351(entry)
msgid ""
"If set to yes, specifies that the system should use the <placeholder-1/> "
"file to assign a persistent and unique <placeholder-2/> to the <placeholder-"
"3/>, in the form of mpathn. If set to no, specifies that the system should "
"use the WWID as the <placeholder-4/> for the <placeholder-5/>. In either "
"case, what is specified here will be overridden by any device-specific "
"aliases you specify in the multipaths section of the configuration file. "

#: serverguide/C/multipath-config-defaults-table.xml:365(emphasis)
msgid "queue_without_daemon"

#: serverguide/C/multipath-config-defaults-table.xml:368(emphasis) serverguide/C/multipath-config-defaults-table.xml:392(emphasis)

#: serverguide/C/multipath-config-defaults-table.xml:370(para)
msgid "The default value is <emphasis role=\"bold\">yes</emphasis>."

#: serverguide/C/multipath-config-defaults-table.xml:368(entry)
msgid ""
"If set to no, the <placeholder-1/> daemon will disable queueing for all "
"devices when it is shut down. <placeholder-2/>"

#: serverguide/C/multipath-config-defaults-table.xml:376(emphasis) serverguide/C/dm-multipath.xml:1083(parameter) serverguide/C/dm-multipath.xml:1258(parameter)
msgid "flush_on_last_del"

#: serverguide/C/multipath-config-defaults-table.xml:379(entry)
msgid ""
"If set to yes, then <placeholder-1/> will disable queueing when the last "
"path to a device has been deleted. <placeholder-2/>"

#: serverguide/C/multipath-config-defaults-table.xml:387(emphasis)

#: serverguide/C/multipath-config-defaults-table.xml:394(filename)
msgid "/proc/sys/fs/nr_open"

#: serverguide/C/multipath-config-defaults-table.xml:390(entry)
msgid ""
"Sets the maximum number of open file descriptors that can be opened by "
"<placeholder-1/> and the <placeholder-2/> daemon. This is equivalent to the "
"ulimit -n command. A value of max will set this to the system limit from "
"<placeholder-3/>. If this is not set, the maximum number of open file "
"descriptors is taken from the calling process; it is usually 1024. To be "
"safe, this should be set to the maximum number of paths plus 32, if that "
"number is greater than 1024."

#: serverguide/C/multipath-config-defaults-table.xml:402(emphasis)
msgid "checker_timer"

#: serverguide/C/multipath-config-defaults-table.xml:406(para)
msgid ""
"The default value is taken from "
"<filename>/sys/block/sdx/device/timeout</filename>, which is "
"<literal>30</literal> seconds as of 12.04 LTS"

#: serverguide/C/multipath-config-defaults-table.xml:405(entry)
msgid ""
"The timeout to use for path checkers that issue SCSI commands with an "
"explicit timeout, in seconds. <placeholder-1/>"

#: serverguide/C/multipath-config-defaults-table.xml:413(emphasis) serverguide/C/dm-multipath.xml:1248(parameter)
msgid "fast_io_fail_tmo"

#: serverguide/C/multipath-config-defaults-table.xml:419(para)
msgid "The default value is determined by the OS."

#: serverguide/C/multipath-config-defaults-table.xml:416(entry)
msgid ""
"The number of seconds the SCSI layer will wait after a problem has been "
"detected on an FC remote port before failing I/O to devices on that remote "
"port. This value should be smaller than the value of dev_loss_tmo. Setting "
"this to off will disable the timeout. <placeholder-1/>"

#: serverguide/C/multipath-config-defaults-table.xml:425(emphasis) serverguide/C/dm-multipath.xml:1253(parameter)
msgid "dev_loss_tmo"

#: serverguide/C/multipath-config-defaults-table.xml:428(entry)
msgid ""
"The number of seconds the SCSI layer will wait after a problem has been "
"detected on an FC remote port before removing it from the system. Setting "
"this to infinity will set this to 2147483647 seconds, or 68 years. The "
"default value is determined by the OS."

#: serverguide/C/multipath-components-table.xml:3(title)
msgid "DM-Multipath Components"

#: serverguide/C/multipath-components-table.xml:11(entry)

#: serverguide/C/multipath-components-table.xml:19(emphasis)
msgid "dm_multipath kernel module"

#: serverguide/C/multipath-components-table.xml:23(emphasis)

#: serverguide/C/multipath-components-table.xml:22(entry)
msgid "Reroutes I/O and supports <placeholder-1/> for paths and path groups."

#: serverguide/C/multipath-components-table.xml:28(emphasis)
msgid "multipath command"

#: serverguide/C/multipath-components-table.xml:32(filename)
msgid "/etc/rc.sysinit"

#: serverguide/C/multipath-components-table.xml:31(entry)
msgid ""
"Lists and configures <placeholder-1/> devices. Normally started up with "
"<placeholder-2/>, it can also be started up by a udev program whenever a "
"block device is added or it can be run by the initramfs file system."

#: serverguide/C/multipath-components-table.xml:39(emphasis)
msgid "multipathd daemon"

#: serverguide/C/multipath-components-table.xml:45(filename)
msgid "/etc/multipath.conf"

#: serverguide/C/multipath-components-table.xml:42(entry)
msgid ""
"Monitors paths; as paths fail and come back, it may initiate path group "
"switches. Provides for interactive changes to <placeholder-1/> devices. This "
"daemon must be restarted for any changes to the <placeholder-2/> file to "

#: serverguide/C/multipath-components-table.xml:50(emphasis)
msgid "kpartx command"

#: serverguide/C/multipath-components-table.xml:56(emphasis)
msgid "multipath-tools"

#: serverguide/C/multipath-components-table.xml:53(entry)
msgid ""
"Creates device mapper devices for the partitions on a device. It is necessary "
"to use this command for DOS-based partitions with DM-Multipath. The kpartx "
"command is provided in its own package, but the <placeholder-1/> package depends on "

#: serverguide/C/multipath-attributes-table.xml:2(title)
msgid "Multipath Attributes"

#: serverguide/C/multipath-attributes-table.xml:15(emphasis)

#: serverguide/C/multipath-attributes-table.xml:21(filename)
msgid "multipath.conf"

#: serverguide/C/multipath-attributes-table.xml:17(entry)
msgid ""
"Specifies the WWID of the <placeholder-1/> device to which the <placeholder-"
"2/> attributes apply. This parameter is mandatory for this section of the "
"<placeholder-3/> file."

#: serverguide/C/multipath-attributes-table.xml:27(entry)
msgid ""
"Specifies the symbolic name for the <placeholder-1/> device to which the "
"<placeholder-2/> attributes apply. If you are using <placeholder-3/>, do not "
"set this value to mpathn; this may conflict with an automatically assigned "
"user friendly name and give you incorrect device node names."

#: serverguide/C/monitoring.xml:13(title)
msgid "Monitoring"

"url=\"http://freenode.net\">freenode</ulink>."

#: serverguide/C/dns.xml:643(para)
#: serverguide/C/dns.xml:678(para)
msgid ""
"Also, see the <ulink "
"url=\"https://help.ubuntu.com/community/BIND9ServerHowto\">BIND9 Server "
"HOWTO</ulink> in the Ubuntu Wiki."

#: serverguide/C/dm-multipath.xml:24(title)
msgid "DM-Multipath"

#: serverguide/C/dm-multipath.xml:27(title)
msgid "Device Mapper Multipathing"

#: serverguide/C/dm-multipath.xml:29(para)
msgid ""
"Device mapper multipathing (DM-Multipath) allows you to configure multiple "
"I/O paths between server nodes and storage arrays into a single device. "
"These I/O paths are physical SAN connections that can include separate "
"cables, switches, and controllers. Multipathing aggregates the I/O paths, "
"creating a new device that consists of the aggregated paths. This chapter "
"provides a summary of the features of DM-Multipath that are new for the "
"initial release of Ubuntu Server 12.04. Following that, this chapter "
"provides a high-level overview of DM Multipath and its components, as well "
"as an overview of DM-Multipath setup."

#: serverguide/C/dm-multipath.xml:40(title)
msgid "New and Changed Features for Ubuntu Server 12.04"

#: serverguide/C/dm-multipath.xml:42(para)
msgid "Migrated from multipath-0.4.8 to multipath-0.4.9"

#: serverguide/C/dm-multipath.xml:45(title)
msgid "Migration from 0.4.8"

#: serverguide/C/dm-multipath.xml:47(para)
msgid ""
"The priority checkers are no longer run as standalone binaries, but as "
"shared libraries. The key value name for this feature has also slightly "
"changed. Copy the attribute named <emphasis "
"role=\"bold\">prio_callout</emphasis> to <emphasis "
"role=\"bold\">prio</emphasis>, and change its argument to the name of the "
"priority checker; a system path is no longer necessary. Example "
"conversion:<screen>device {\n"
" vendor \"NEC\"\n"
" product \"DISK ARRAY\"\n"
" prio_callout mpath_prio_alua /dev/%n\n"

#: serverguide/C/dm-multipath.xml:60(para)
msgid ""
"See Table <link linkend=\"priority-checker-conversion-table\">\"Priority "
"Checker Conversion\"</link> for a complete listing."

#: serverguide/C/dm-multipath.xml:65(title)
msgid "Priority Checker Conversion"

#: serverguide/C/dm-multipath.xml:71(entry)

#: serverguide/C/dm-multipath.xml:73(entry)

#: serverguide/C/dm-multipath.xml:79(emphasis)
msgid "prio_callout mpath_prio_emc /dev/%n"

#: serverguide/C/dm-multipath.xml:82(emphasis)

#: serverguide/C/dm-multipath.xml:86(emphasis)
msgid "prio_callout mpath_prio_alua /dev/%n"

#: serverguide/C/dm-multipath.xml:89(emphasis)

#: serverguide/C/dm-multipath.xml:93(emphasis)
msgid "prio_callout mpath_prio_netapp /dev/%n"

#: serverguide/C/dm-multipath.xml:96(emphasis)
msgid "prio netapp"

#: serverguide/C/dm-multipath.xml:100(emphasis)
msgid "prio_callout mpath_prio_rdac /dev/%n"

#: serverguide/C/dm-multipath.xml:103(emphasis)

#: serverguide/C/dm-multipath.xml:107(emphasis)
msgid "prio_callout mpath_prio_hp_sw /dev/%n"

#: serverguide/C/dm-multipath.xml:110(emphasis)

#: serverguide/C/dm-multipath.xml:114(emphasis)
msgid "prio_callout mpath_prio_hds_modular %b"

#: serverguide/C/dm-multipath.xml:117(emphasis)

#: serverguide/C/dm-multipath.xml:123(para)
msgid ""
"Since the multipath config file parser essentially parses all key/value "
"pairs it finds and then makes use of them, it is safe for both <emphasis "
"role=\"bold\">prio_callout</emphasis> and <emphasis "
"role=\"bold\">prio</emphasis> to coexist, and it is recommended that the "
"<emphasis role=\"bold\">prio</emphasis> attribute be inserted before "
"beginning migration. Afterwards you can safely delete the legacy <emphasis "
"role=\"bold\">prio_callout</emphasis> attribute without interrupting "

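The prio_callout to prio migration described above, automated, as an added example that is not part of the Ubuntu Server Guide or of multipath-tools: a small Python helper that adds the matching prio attribute beside each legacy prio_callout line of a multipath.conf fragment and keeps the legacy line until you choose to drop it, which is the order the text recommends. The mapping follows the Priority Checker Conversion table (the callout binary mpath_prio_X becomes prio X, and mpath_prio_hds_modular becomes hds, the prioritizer name the defaults table uses for Hitachi HDS Modular arrays). The sample device stanzas are constructed, and the function and constant names are mine.

```python
"""Add a ``prio`` attribute beside each legacy ``prio_callout`` line.

Added example, not code from the Ubuntu Server Guide or multipath-tools. The
mapping follows the page's Priority Checker Conversion table: the callout
binary mpath_prio_X becomes the prio name X, with mpath_prio_hds_modular
becoming hds. The sample stanzas are constructed.
"""
import re

# Legacy 0.4.8 callout binary -> 0.4.9 prio name (from the conversion table).
PRIO_CALLOUT_TO_PRIO = {
    "mpath_prio_emc": "emc",
    "mpath_prio_alua": "alua",
    "mpath_prio_netapp": "netapp",
    "mpath_prio_rdac": "rdac",
    "mpath_prio_hp_sw": "hp_sw",
    "mpath_prio_hds_modular": "hds",
}

# A prio_callout line: optional indent, the keyword, the binary, its arguments.
_CALLOUT_RE = re.compile(
    r'^(?P<indent>\s*)prio_callout\s+"?(?P<binary>mpath_prio_\w+)\b[^"\n]*"?\s*$'
)


def convert(text, drop_legacy=False):
    """Return (converted_text, unknown_callouts).

    Every prio_callout line whose binary is in the table gets a ``prio`` line
    with the same indentation right after it; the legacy line is kept (the
    page recommends adding prio first) unless drop_legacy is True. A prio line
    that already follows is not duplicated, so the function is safe to re-run.
    Callout binaries not in the table are left untouched and reported.
    """
    lines = text.splitlines()
    out, unknown = [], []
    for i, line in enumerate(lines):
        m = _CALLOUT_RE.match(line)
        if not m:
            out.append(line)
            continue
        prio = PRIO_CALLOUT_TO_PRIO.get(m.group("binary"))
        if prio is None:
            unknown.append(m.group("binary"))
            out.append(line)
            continue
        if not drop_legacy:
            out.append(line)
        next_line = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if not re.match(r"prio\s", next_line):
            out.append("%sprio %s" % (m.group("indent"), prio))
    converted = "\n".join(out)
    if text.endswith("\n"):
        converted += "\n"
    return converted, unknown


# Constructed multipath.conf fragment in the 0.4.8 style shown in the text.
SAMPLE_CONF = """\
device {
    vendor "NEC"
    product "DISK ARRAY"
    prio_callout mpath_prio_alua /dev/%n
}
device {
    vendor "EXAMPLE"
    product "UNKNOWN ARRAY"
    prio_callout mpath_prio_custom /dev/%n
}
"""

if __name__ == "__main__":
    step1, unknown = convert(SAMPLE_CONF)          # prio added, callout kept
    step2, _ = convert(step1, drop_legacy=True)    # callout removed afterwards
    print(step2)
    if unknown:
        print("# no prio mapping for: %s" % ", ".join(unknown))
```

Run it once to add the prio lines, verify multipathd with both attributes present, and only then run it with drop_legacy=True; a callout the table does not know is reported rather than guessed, so nothing is rewritten blindly.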
#: serverguide/C/dm-multipath.xml:137(para)
msgid "DM-Multipath can be used to provide:"

#: serverguide/C/dm-multipath.xml:141(para)
msgid ""
"<emphasis> Redundancy </emphasis> DM-Multipath can provide failover in an "
"active/passive configuration. In an active/passive configuration, only half "
"the paths are used at any time for I/O. If any element of an I/O path (the "
"cable, switch, or controller) fails, DM-Multipath switches to an alternate "

#: serverguide/C/dm-multipath.xml:149(para)
msgid ""
"<emphasis> Improved Performance </emphasis> DM-Multipath can be "
"configured in active/active mode, where I/O is spread over the paths in a "
"round-robin fashion. In some configurations, DM-Multipath can detect loading "
"on the I/O paths and dynamically re-balance the load."

#: serverguide/C/dm-multipath.xml:159(title)
msgid "Storage Array Overview"

#: serverguide/C/dm-multipath.xml:161(para)
msgid ""
"By default, DM-Multipath includes support for the most common storage arrays "
"that support DM-Multipath. The supported devices can be found in the "
"multipath.conf.defaults file. If your storage array supports DM-Multipath "
"and is not configured by default in this file, you may need to add it to "
"the DM-Multipath configuration file, multipath.conf. For information on the "
"DM-Multipath configuration file, see Section, <link linkend=\"multipath-dm-"
"multipath-config-file\">The DM-Multipath Configuration File</link>. Some "
"storage arrays require special handling of I/O errors and path switching. "
"These require separate hardware handler kernel modules."

#: serverguide/C/dm-multipath.xml:174(title)
msgid "DM-Multipath components"

#: serverguide/C/dm-multipath.xml:176(para)
msgid ""
"Table <link linkend=\"multipath-components-table\">“DM-Multipath "
"Components”</link> describes the components of the DM-Multipath package. "
"<include href=\"multipath-components-table.xml\"/>"

#: serverguide/C/dm-multipath.xml:183(title)
msgid "DM-Multipath Setup Overview"

#: serverguide/C/dm-multipath.xml:190(para)
msgid ""
"Install the <emphasis role=\"bold\">multipath-tools</emphasis> and <emphasis "
"role=\"bold\">multipath-tools-boot</emphasis> packages"

#: serverguide/C/dm-multipath.xml:196(para)
msgid ""
"Create an empty config file, <filename>/etc/multipath.conf</filename>, that "
"re-defines the <link linkend=\"multipath-skel-config\">following</link>"

#: serverguide/C/dm-multipath.xml:202(para)
msgid ""
"If necessary, edit the <emphasis role=\"bold\">multipath.conf</emphasis> "
"configuration file to modify default values and save the updated file."

#: serverguide/C/dm-multipath.xml:208(para)
msgid "Start the multipath daemon"

#: serverguide/C/dm-multipath.xml:212(para)
msgid "Update initial ramdisk"

#: serverguide/C/dm-multipath.xml:185(para)
msgid ""
"DM-Multipath includes compiled-in default settings that are suitable for "
"common multipath configurations. Setting up DM-multipath is often a simple "
"procedure. The basic procedure for configuring your system with DM-Multipath "
"is as follows: <placeholder-1/> For detailed setup instructions for "
"multipath configuration see Section, <link linkend=\"multipath-setup-"
"overview\">Setting Up DM-Multipath</link>."

#: serverguide/C/dm-multipath.xml:222(title)
msgid "Multipath Devices"

#: serverguide/C/dm-multipath.xml:224(para)
msgid ""
"Without DM-Multipath, each path from a server node to a storage controller "
"is treated by the system as a separate device, even when the I/O path "
"connects the same server node to the same storage controller. DM-Multipath "
"provides a way of organizing the I/O paths logically, by creating a single "
"multipath device on top of the underlying devices."

#: serverguide/C/dm-multipath.xml:232(title)
msgid "Multipath Device Identifiers"

#: serverguide/C/dm-multipath.xml:260(para)
msgid ""
"The devices in <emphasis role=\"bold\">/dev/mapper</emphasis> are created "
"early in the boot process. Use these devices to access the multipathed "
"devices, for example when creating logical volumes."

#: serverguide/C/dm-multipath.xml:267(para)
msgid ""
"Any devices of the form <emphasis role=\"bold\">/dev/dm-n</emphasis> are for "
"internal use only and should never be used."

#: serverguide/C/dm-multipath.xml:234(para)
msgid ""
"Each multipath device has a World Wide Identifier (WWID), which is "
"guaranteed to be globally unique and unchanging. By default, the name of a "
"multipath device is set to its WWID. Alternately, you can set the <emphasis "
"role=\"bold\"><link linkend=\"attribute-"
"user_friendly_names\">user_friendly_names</link></emphasis> option in the "
"multipath configuration file, which causes DM-Multipath to use a node-unique "
"alias of the form <emphasis role=\"bold\">mpathn</emphasis> as the name. For "
"example, a node with two HBAs attached to a storage controller with two "
"ports via a single unzoned FC switch sees four devices: <emphasis "
"role=\"bold\">/dev/sda</emphasis>, <emphasis "
"role=\"bold\">/dev/sdb</emphasis>, <emphasis "
"role=\"bold\">/dev/sdc</emphasis>, and <emphasis "
"role=\"bold\">/dev/sdd</emphasis>. DM-Multipath creates a single device with "
"a unique WWID that reroutes I/O to those four underlying devices according "
"to the multipath configuration. When the <emphasis role=\"bold\"><link "
"linkend=\"attribute-"
"user_friendly_names\">user_friendly_names</link></emphasis> configuration "
"option is set to <emphasis role=\"bold\">yes</emphasis>, the name of the "
"multipath device is set to <emphasis role=\"bold\">mpathn</emphasis>. When "
"new devices are brought under the control of DM-Multipath, the new devices "
"may be seen in two different places under the <emphasis "
"role=\"bold\">/dev</emphasis> directory: <emphasis "
"role=\"bold\">/dev/mapper/mpathn</emphasis> and <emphasis "
"role=\"bold\">/dev/dm-n</emphasis>. <placeholder-1/>For information on the "
"multipath configuration defaults, including the <emphasis "
"role=\"bold\"><link linkend=\"attribute-"
"user_friendly_names\">user_friendly_names</link></emphasis> configuration "
"option, see Section, <link linkend=\"multipath-config-"
"defaults\">“Configuration File Defaults”</link>. You can also set the name "
"of a multipath device to a name of your choosing by using the <emphasis "
"role=\"bold\"><link linkend=\"attribute-alias\">alias</link></emphasis> "
"option in the <emphasis role=\"bold\">multipaths</emphasis> section of the "
"multipath configuration file. For information on the <emphasis "
"role=\"bold\">multipaths</emphasis> section of the multipath configuration "
"file, see Section, <link linkend=\"multipath-config-multipath\">“Multipaths "
"Device Configuration Attributes”</link>."

#: serverguide/C/dm-multipath.xml:288(title)
msgid "Consistent Multipath Device Names in a Cluster"

#: serverguide/C/dm-multipath.xml:290(para)
msgid ""
"When the <emphasis role=\"bold\">user_friendly_names</emphasis> "
"configuration option is set to yes, the name of the multipath device is "
"unique to a node, but it is not guaranteed to be the same on all nodes using "
"the multipath device. Similarly, if you set the <emphasis "
"role=\"bold\">alias</emphasis> option for a device in the <emphasis "
"role=\"bold\">multipaths</emphasis> section of the "
"<filename>multipath.conf</filename> configuration file, the name is not "
"automatically consistent across all nodes in the cluster. This should not "
"cause any difficulties if you use LVM to create logical devices from the "
"multipath device, but if you require that your multipath device names be "
"consistent in every node it is recommended that you leave the <emphasis "
"role=\"bold\">user_friendly_names</emphasis> option set to <emphasis "
"role=\"bold\">no</emphasis> and that you not configure aliases for the "
"devices. By default, if you do not set <emphasis "
"role=\"bold\">user_friendly_names</emphasis> to yes or configure an alias "
"for a device, a device name will be the WWID for the device, which is always "
"the same. If you want the system-defined user-friendly names to be "
"consistent across all nodes in the cluster, however, you can follow this "

#: serverguide/C/dm-multipath.xml:312(para)
msgid "Set up all of the multipath devices on one machine."

#: serverguide/C/dm-multipath.xml:316(para) serverguide/C/dm-multipath.xml:353(para)
msgid ""
"Disable all of your multipath devices on your other machines by running the "
"following commands:"

#: serverguide/C/dm-multipath.xml:319(screen) serverguide/C/dm-multipath.xml:356(screen)
msgid ""
"# service multipath-tools stop\n"

#: serverguide/C/dm-multipath.xml:325(para)
msgid ""
"Copy the <filename>/etc/multipath/bindings</filename> file from the first "
"machine to all the other machines in the cluster."

#: serverguide/C/dm-multipath.xml:331(para) serverguide/C/dm-multipath.xml:367(para)
msgid ""
"Re-enable the multipathd daemon on all the other machines in the cluster by "
"running the following command:"

#: serverguide/C/dm-multipath.xml:334(screen) serverguide/C/dm-multipath.xml:370(screen)
msgid "# service multipath-tools start"

#: serverguide/C/dm-multipath.xml:338(para)
msgid "If you add a new device, you will need to repeat this process."

#: serverguide/C/dm-multipath.xml:341(para)
msgid ""
"Similarly, if you configure an alias for a device that you would like to be "
"consistent across the nodes in the cluster, you should ensure that the "
"<filename>/etc/multipath.conf</filename> file is the same for each node in "
"the cluster by following the same procedure:"

#: serverguide/C/dm-multipath.xml:348(para)
msgid ""
"Configure the aliases for the multipath devices in the "
"<filename>multipath.conf</filename> file on one machine."

#: serverguide/C/dm-multipath.xml:362(para)
msgid ""
"Copy the <filename>multipath.conf</filename> file from the first machine to "
"all the other machines in the cluster."

#: serverguide/C/dm-multipath.xml:374(para)
msgid "When you add a new device you will need to repeat this process."

#: serverguide/C/dm-multipath.xml:379(title)
msgid "Multipath Device attributes"

#: serverguide/C/dm-multipath.xml:381(para)
msgid ""
"In addition to the <emphasis role=\"bold\">user_friendly_names</emphasis> "
"and <emphasis role=\"bold\">alias</emphasis> options, a multipath device has "
"numerous attributes. You can modify these attributes for a specific "
"multipath device by creating an entry for that device in the <emphasis "
"role=\"bold\">multipaths</emphasis> section of the <emphasis "
"role=\"bold\">multipath</emphasis> configuration file. For information on "
"the <emphasis role=\"bold\">multipaths</emphasis> section of the multipath "
"configuration file, see Section, \"<link endterm=\"config-multipath-title\" "
"linkend=\"multipath-config-multipath\"/>\"."

#: serverguide/C/dm-multipath.xml:394(title)
msgid "Multipath Devices in Logical Volumes"

#: serverguide/C/dm-multipath.xml:396(para)
msgid ""
"After creating multipath devices, you can use the multipath device names "
"just as you would use a physical device name when creating an LVM physical "
"volume. For example, if /dev/mapper/mpatha is the name of a multipath "
"device, the following command will mark /dev/mapper/mpatha as a physical "
"volume. <screen># pvcreate /dev/mapper/mpatha</screen> You can use the "
"resulting LVM physical device when you create an LVM volume group just as "
"you would use any other LVM physical device."

#: serverguide/C/dm-multipath.xml:405(para)
msgid ""
"If you attempt to create an LVM physical volume on a whole device on which "
"you have configured partitions, the pvcreate command will fail."

#: serverguide/C/dm-multipath.xml:425(para)
msgid ""
"Every time either <filename>/etc/lvm.conf</filename> or "
"<filename>/etc/multipath.conf</filename> is updated, the initrd should be "
"rebuilt to reflect these changes. This is imperative when blacklists and "
"filters are necessary to maintain a stable storage configuration."

#: serverguide/C/dm-multipath.xml:410(para)
msgid ""
"When you create an LVM logical volume that uses active/passive multipath "
"arrays as the underlying physical devices, you should include filters in the "
"<emphasis role=\"bold\">lvm.conf</emphasis> to exclude the disks that "
"underlie the multipath devices. This is because if the array automatically "
"changes the active path to the passive path when it receives I/O, multipath "
"will failover and failback whenever LVM scans the passive path if these "
"devices are not filtered. For active/passive arrays that require a command "
"to make the passive path active, LVM prints a warning message when this "
"occurs. To filter all SCSI devices in the LVM configuration file (lvm.conf), "
"include the following filter in the devices section of the file. "
"<screen>filter = [ \"r/block/\", \"r/disk/\", \"r/sd.*/\", \"a/.*/\" "
"]</screen>After updating <filename>/etc/lvm.conf</filename>, it's necessary "
"to update the <emphasis role=\"bold\">initrd</emphasis> so that this file "
"will be copied there, where the filter matters the most, during boot. "
"Perform:<screen>update-initramfs -u -k all</screen><placeholder-1/>"

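To check what the lvm.conf filter above actually lets through before rebuilding the initrd, here is an added example (not from the Ubuntu Server Guide or from LVM itself) that models the rule LVM applies to a device name: the filter elements are tried in order, the first one that matches decides (a accepts, r rejects), and a name that matches no element is accepted. The device names are constructed and the function names are mine. It also shows that, because the patterns are unanchored, "r/sd.*/" rejects any name that merely contains "sd", not only the /dev/sd* disks the filter is aimed at, which is worth knowing before copying it onto a host whose mapper or LV names happen to contain those letters.

```python
"""Model LVM's lvm.conf ``filter`` evaluation for device names.

Added example, not LVM code: each filter element is an action letter ("a"
accept or "r" reject), a delimiter character, a regular expression and the
same delimiter again. LVM tries the elements in order against a device name,
the first one that matches decides, and a name that matches no element is
accepted. The sample names below are constructed.
"""
import re


def parse_filter(patterns):
    """Turn ["r/sd.*/", "a/.*/"] into [("r", <regex>), ("a", <regex>)]."""
    compiled = []
    for pat in patterns:
        if len(pat) < 3 or pat[0] not in "ar":
            raise ValueError("bad filter element: %r" % pat)
        action, delim = pat[0], pat[1]
        if pat[-1] != delim:
            raise ValueError("regex in %r is not closed with %r" % (pat, delim))
        compiled.append((action, re.compile(pat[2:-1])))
    return compiled


def decide(name, compiled):
    """Return ("accept" or "reject", index of the deciding element or None)."""
    for idx, (action, regex) in enumerate(compiled):
        # LVM regexes are not anchored: a match anywhere in the name counts.
        if regex.search(name):
            return ("accept" if action == "a" else "reject", idx)
    return ("accept", None)   # nothing matched: LVM accepts the name


# The filter from the text.
PAGE_FILTER = ["r/block/", "r/disk/", "r/sd.*/", "a/.*/"]

# Constructed device names; the WWID-style symlink is a placeholder.
SAMPLE_NAMES = [
    "/dev/sda",                           # raw SAN path, to be excluded
    "/dev/disk/by-id/scsi-PLACEHOLDER",   # symlink to such a path
    "/dev/mapper/mpatha",                 # the multipath device, to be used
    "/dev/mapper/vg_sdata-lv",            # contains "sd": rejected as well
]


def evaluate(names=SAMPLE_NAMES, patterns=PAGE_FILTER):
    """Map each name to its decision under the given filter."""
    compiled = parse_filter(patterns)
    return {name: decide(name, compiled) for name in names}


if __name__ == "__main__":
    for name, (verdict, idx) in evaluate().items():
        rule = PAGE_FILTER[idx] if idx is not None else "(no match)"
        print("%-36s %-7s by %s" % (name, verdict, rule))
```

Feed it the names from a host's own /dev tree (for example the output of lvmdiskscan or a listing of /dev/mapper) to confirm that every path device is rejected and every multipath device is accepted before the filter goes into the initrd; a filter that quietly rejects the multipath device itself leaves LVM with no physical volumes at boot.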
#: serverguide/C/dm-multipath.xml:435(title)
msgid "Setting up DM-Multipath Overview"

#: serverguide/C/dm-multipath.xml:437(para)
msgid ""
"This section provides step-by-step example procedures for configuring DM-"
"Multipath. It includes the following procedures:"

#: serverguide/C/dm-multipath.xml:442(para)
msgid "Basic DM-Multipath setup"

#: serverguide/C/dm-multipath.xml:446(para)
msgid "Ignoring local disks"

#: serverguide/C/dm-multipath.xml:450(para)
msgid "Adding more devices to the configuration file"

#: serverguide/C/dm-multipath.xml:455(title)
msgid "Setting Up DM-Multipath"

#: serverguide/C/dm-multipath.xml:457(para)
msgid ""
"Before setting up DM-Multipath on your system, ensure that your system has "
"been updated and includes the <emphasis role=\"bold\"><application>multipath-"
"tools</application></emphasis> package. If boot from SAN is desired, then "
"the <emphasis role=\"bold\"><application>multipath-tools-"
"boot</application></emphasis> package is also required."

#: serverguide/C/dm-multipath.xml:475(para)
msgid ""
"Because of a quirk in multipathd, when an "
"<filename>/etc/multipath.conf</filename> doesn't exist the previous command "
"will return nothing, as it is the result of a <emphasis>merge</emphasis> "
"between the <filename>/etc/multipath.conf</filename> and the database in "
"memory. To work around this, either define an empty "
"<filename>/etc/multipath.conf</filename>, by using <emphasis "
"role=\"bold\">touch</emphasis>, or create one that redefines a default value "
"like:<screen>defaults {\n"
" user_friendly_names no\n"
"</screen>and restart multipathd:<screen># service multipath-tools "
"restart</screen>Now the \"show config\" command will return the live "

#: serverguide/C/dm-multipath.xml:464(para)
msgid ""
"A basic <emphasis role=\"bold\">/etc/multipath.conf</emphasis> need not "
"even exist. When <emphasis role=\"bold\">multipath</emphasis> is run without "
"an accompanying <filename>/etc/multipath.conf</filename>, it draws from its "
"internal database to find a suitable configuration, and it also draws from its "
"internal blacklist. If, after running <emphasis role=\"bold\">multipath -"
"ll</emphasis> without a config file, no multipaths are discovered, one must "
28517
"proceed to increase the verbosity to discover why a multipath was not "
28518
"created. Consider referencing the SAN vendor's documentation, the multipath "
28519
"example config files found in <filename>/usr/share/doc/multipath-"
28520
"tools/examples</filename>, and the live multipathd database:<screen "
28521
"id=\"multipath-skel-config\"># echo 'show config' | multipathd -k > "
28522
"multipath.conf-live</screen><placeholder-1/>"
#: serverguide/C/dm-multipath.xml:492(title)
msgid "Installing with Multipath Support"

#: serverguide/C/dm-multipath.xml:494(para)
"To enable <ulink "
"url=\"http://wiki.debian.org/DebianInstaller/MultipathSupport\">multipath "
"support during installation</ulink> use<screen>install disk-"
"detect/multipath/enable=true</screen>at the installer prompt. If multipath "
"devices are found, these will show up as <emphasis "
"role=\"bold\">/dev/mapper/mpath<X></emphasis> during installation."

#: serverguide/C/dm-multipath.xml:503(title)
msgid "Ignoring Local Disks When Generating Multipath Devices"

#: serverguide/C/dm-multipath.xml:505(para)
"Some machines have local SCSI cards for their internal disks. DM-Multipath "
"is not recommended for these devices. The following procedure shows how to "
"modify the multipath configuration file to ignore the local disks when "
"configuring multipath."

#: serverguide/C/dm-multipath.xml:512(para)
"Determine which disks are the internal disks and mark them as the ones to "
"blacklist. In this example, <emphasis "
"role=\"bold\"><filename>/dev/sda</filename></emphasis> is the internal disk. "
"Note that as originally configured in the default multipath configuration "
"file, executing the <emphasis role=\"bold\">multipath -v2</emphasis> command "
"shows the local disk, <emphasis role=\"bold\">/dev/sda</emphasis>, in the "
"multipath map. For further information on the <emphasis "
"role=\"bold\">multipath</emphasis> command output, see Section <link "
"linkend=\"multipath-command-output\">“Multipath Command Output”</link>."

#: serverguide/C/dm-multipath.xml:524(screen)
"# multipath -v2\n"
"create: SIBM-ESXSST336732LC____F3ET0EP0Q000072428BX1 undef WINSYS,SF2372\n"
"size=33 GB features=\"0\" hwhandler=\"0\" wp=undef\n"
"`-+- policy='round-robin 0' prio=1 status=undef\n"
" |- 0:0:0:0 sda 8:0 [--------- \n"
"device-mapper ioctl cmd 9 failed: Invalid argument\n"
"device-mapper ioctl cmd 14 failed: No such device or address\n"
"create: 3600a0b80001327d80000006d43621677 undef WINSYS,SF2372\n"
"size=12G features='0' hwhandler='0' wp=undef\n"
"`-+- policy='round-robin 0' prio=1 status=undef\n"
" |- 2:0:0:0 sdb 8:16 undef ready running\n"
" `- 3:0:0:0 sdf 8:80 undef ready running\n"
"create: 3600a0b80001327510000009a436215ec undef WINSYS,SF2372\n"
"size=12G features='0' hwhandler='0' wp=undef\n"
"`-+- policy='round-robin 0' prio=1 status=undef\n"
" |- 2:0:0:1 sdc 8:32 undef ready running\n"
" `- 3:0:0:1 sdg 8:96 undef ready running\n"
"create: 3600a0b80001327d800000070436216b3 undef WINSYS,SF2372\n"
"size=12G features='0' hwhandler='0' wp=undef\n"
"`-+- policy='round-robin 0' prio=1 status=undef\n"
" |- 2:0:0:2 sdd 8:48 undef ready running\n"
" `- 3:0:0:2 sdg 8:112 undef ready running\n"
"create: 3600a0b80001327510000009b4362163e undef WINSYS,SF2372\n"
"size=12G features='0' hwhandler='0' wp=undef\n"
"`-+- policy='round-robin 0' prio=1 status=undef\n"
" |- 2:0:0:3 sdd 8:64 undef ready running\n"
" `- 3:0:0:3 sdg 8:128 undef ready running\n"

#: serverguide/C/dm-multipath.xml:560(para)
"In order to prevent the device mapper from mapping <emphasis "
"role=\"bold\">/dev/sda</emphasis> in its multipath maps, edit the blacklist "
"section of the <filename>/etc/multipath.conf</filename> file to include this "
"device. Although you could blacklist the <emphasis "
"role=\"bold\">sda</emphasis> device using a <emphasis "
"role=\"bold\">devnode</emphasis> type, that would not be a safe procedure "
"since <emphasis role=\"bold\">/dev/sda</emphasis> is not guaranteed to be "
"the same on reboot. To blacklist individual devices, you can blacklist using "
"the WWID of that device. Note that in the output to the <emphasis "
"role=\"bold\">multipath -v2</emphasis> command, the WWID of the "
"<filename>/dev/sda</filename> device is SIBM-"
"ESXSST336732LC____F3ET0EP0Q000072428BX1. To blacklist this device, include "
"the following in the <filename>/etc/multipath.conf</filename> file."

#: serverguide/C/dm-multipath.xml:575(screen)
" wwid SIBM-ESXSST336732LC____F3ET0EP0Q000072428BX1\n"

#: serverguide/C/dm-multipath.xml:583(para)
"After you have updated the <filename>/etc/multipath.conf</filename> file, "
"you must manually tell the <emphasis role=\"bold\">multipathd</emphasis> "
"daemon to reload the file. The following command reloads the updated "
"<filename>/etc/multipath.conf</filename> file."

#: serverguide/C/dm-multipath.xml:588(screen)
msgid "# service multipath-tools reload"

#: serverguide/C/dm-multipath.xml:592(para)
msgid "Run the following command to remove the multipath device:"

#: serverguide/C/dm-multipath.xml:595(screen)
"# multipath -f SIBM-ESXSST336732LC____F3ET0EP0Q000072428BX1\n"

#: serverguide/C/dm-multipath.xml:601(para)
"To check whether the device removal worked, you can run the "
"<command>multipath -ll</command> command to display the current multipath "
"configuration. For information on the <command>multipath -ll</command> "
"command, see Section <link linkend=\"multipath-queries-and-"
"commands\">“Multipath Queries with multipath Command”</link>. To check that "
"the blacklisted device was not added back, you can run the multipath "
"command, as in the following example. The multipath command defaults to a "
"verbosity level of <emphasis role=\"bold\">v2</emphasis> if you do not "
"specify a <emphasis role=\"bold\">-v</emphasis> option."

#: serverguide/C/dm-multipath.xml:612(screen)
"create: 3600a0b80001327d80000006d43621677 undef WINSYS,SF2372\n"
"size=12G features='0' hwhandler='0' wp=undef\n"
"`-+- policy='round-robin 0' prio=1 status=undef\n"
" |- 2:0:0:0 sdb 8:16 undef ready running\n"
" `- 3:0:0:0 sdf 8:80 undef ready running\n"
"create: 3600a0b80001327510000009a436215ec undef WINSYS,SF2372\n"
"size=12G features='0' hwhandler='0' wp=undef\n"
"`-+- policy='round-robin 0' prio=1 status=undef\n"
" |- 2:0:0:1 sdc 8:32 undef ready running\n"
" `- 3:0:0:1 sdg 8:96 undef ready running\n"
"create: 3600a0b80001327d800000070436216b3 undef WINSYS,SF2372\n"
"size=12G features='0' hwhandler='0' wp=undef\n"
"`-+- policy='round-robin 0' prio=1 status=undef\n"
" |- 2:0:0:2 sdd 8:48 undef ready running\n"
" `- 3:0:0:2 sdg 8:112 undef ready running\n"
"create: 3600a0b80001327510000009b4362163e undef WINSYS,SF2372\n"
"size=12G features='0' hwhandler='0' wp=undef\n"
"`-+- policy='round-robin 0' prio=1 status=undef\n"
" |- 2:0:0:3 sdd 8:64 undef ready running\n"
" `- 3:0:0:3 sdg 8:128 undef ready running\n"
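The procedure above has three mechanical steps: read the WWID of the local disk out of the multipath -v2 output, write a blacklist stanza keyed on that WWID rather than on the unstable /dev/sdX name, and confirm after the reload that the WWID no longer appears. The Python below is an added editor's example, not code from the Server Guide or from multipath-tools. It parses the guide's own sample output (embedded here as constructed input, trimmed to three maps), derives the stanza, and checks the post-reload output; the regular expressions for the "create:" and path lines are assumptions based on the output format shown above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the "multipath -v2" output quoted in the guide above,
# trimmed to three maps.  /dev/sda is the internal disk that must not be
# managed by multipath.
SAMPLE_BEFORE = """\
create: SIBM-ESXSST336732LC____F3ET0EP0Q000072428BX1 undef WINSYS,SF2372
size=33 GB features="0" hwhandler="0" wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
 |- 0:0:0:0 sda 8:0 [---------
device-mapper ioctl cmd 9 failed: Invalid argument
device-mapper ioctl cmd 14 failed: No such device or address
create: 3600a0b80001327d80000006d43621677 undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
 |- 2:0:0:0 sdb 8:16 undef ready running
 `- 3:0:0:0 sdf 8:80 undef ready running
create: 3600a0b80001327510000009a436215ec undef WINSYS,SF2372
size=12G features='0' hwhandler='0' wp=undef
`-+- policy='round-robin 0' prio=1 status=undef
 |- 2:0:0:1 sdc 8:32 undef ready running
 `- 3:0:0:1 sdg 8:96 undef ready running
"""
# Constructed output after the blacklist was reloaded: the first map is gone.
SAMPLE_AFTER = "\n".join(SAMPLE_BEFORE.splitlines()[6:]) + "\n"

# Assumed line formats, derived from the sample output above.
CREATE_RE = re.compile(r"^create:\s+(\S+)\s+\S+\s+(.*)$")
PATH_RE = re.compile(r"^\s*[|`]-\s+(\d+:\d+:\d+:\d+)\s+(\S+)\s+(\d+:\d+)")

@dataclass
class MultipathMap:
    wwid: str
    array: str                                  # vendor,product as printed
    paths: list = field(default_factory=list)   # (H:C:T:L, devnode, major:minor)

def parse_multipath_v2(output):
    """Group the 'create:' blocks of multipath -v2 output into maps with their paths."""
    maps, current = [], None
    for line in output.splitlines():
        m = CREATE_RE.match(line)
        if m:
            current = MultipathMap(wwid=m.group(1), array=m.group(2))
            maps.append(current)
            continue
        m = PATH_RE.match(line)
        if m and current is not None:
            current.paths.append((m.group(1), m.group(2), m.group(3)))
    return maps

def wwid_for_devnode(maps, devnode):
    """WWID of the map a device node (e.g. 'sda') belongs to, or None."""
    for mp in maps:
        if any(dev == devnode for _, dev, _ in mp.paths):
            return mp.wwid
    return None

def blacklist_stanza(wwids):
    """Render the blacklist section the guide shows, keyed on stable WWIDs."""
    body = "".join(f"    wwid {w}\n" for w in wwids)
    return "blacklist {\n" + body + "}\n"

def still_mapped(output, wwid):
    """After 'service multipath-tools reload', check whether the WWID persists."""
    return wwid in {mp.wwid for mp in parse_multipath_v2(output)}

if __name__ == "__main__":
    local = wwid_for_devnode(parse_multipath_v2(SAMPLE_BEFORE), "sda")
    print(blacklist_stanza([local]))
    print("local disk still mapped after reload:", still_mapped(SAMPLE_AFTER, local))
```

Keying the stanza on the WWID returned by the parser, rather than on "sda", is the point the guide makes about reboot safety: the WWID is a property of the disk, the node name is a property of enumeration order.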
#: serverguide/C/dm-multipath.xml:644(title)
msgid "Configuring Storage Devices"

#: serverguide/C/dm-multipath.xml:646(para)
"By default, DM-Multipath includes support for the most common storage arrays "
"that support DM-Multipath. The default configuration values, including "
"supported devices, can be found in the "
"<filename>multipath.conf.defaults</filename> file."

#: serverguide/C/dm-multipath.xml:651(para)
"If you need to add a storage device that is not supported by default as a "
"known multipath device, edit the <filename>/etc/multipath.conf</filename> "
"file and insert the appropriate device information."

#: serverguide/C/dm-multipath.xml:655(para)
"For example, to add information about the HP Open-V series, the entry looks "
"like this, where <emphasis role=\"bold\">%n</emphasis> is the device name:"

#: serverguide/C/dm-multipath.xml:659(screen)
" product \"OPEN-V.\"\n"
" getuid_callout \"/lib/udev/scsi_id --whitelisted --"
"device=/dev/%n\"\n"

#: serverguide/C/dm-multipath.xml:668(para)
"For more information on the devices section of the configuration file, see "
"Section <xref endterm=\"config-device-title\" linkend=\"multipath-config-"

#: serverguide/C/dm-multipath.xml:675(title)
msgid "The DM-Multipath Configuration File"

#: serverguide/C/dm-multipath.xml:677(para)
"By default, DM-Multipath provides configuration values for the most common "
"uses of multipathing. In addition, DM-Multipath includes support for the "
"most common storage arrays that support DM-Multipath. The default "
"configuration values and the supported devices can be found in the "
"<filename>multipath.conf.defaults</filename> file."

#: serverguide/C/dm-multipath.xml:683(para)
"You can override the default configuration values for DM-Multipath by "
"editing the <filename>/etc/multipath.conf</filename> configuration file. If "
"necessary, you can also add a storage array that is not supported by default "
"to the configuration file. This chapter provides information on parsing and "
"modifying the <filename>multipath.conf</filename> file. It contains sections "
"on the following topics: <placeholder-1/>"

#: serverguide/C/dm-multipath.xml:715(para)
"In the multipath configuration file, you need to specify only the sections "
"that you need for your configuration, or that you wish to change from the "
"default values specified in the <filename>multipath.conf.defaults</filename> "
"file. If there are sections of the file that are not relevant to your "
"environment or for which you do not need to override the default values, you "
"can leave them commented out, as they are in the initial file."

#: serverguide/C/dm-multipath.xml:723(para)
msgid "The configuration file accepts regular expression syntax in its entries."

#: serverguide/C/dm-multipath.xml:726(para)
"An annotated version of the configuration file can be found in "
"<filename>/usr/share/doc/multipath-"
"tools/examples/multipath.conf.annotated.gz</filename>."

#: serverguide/C/dm-multipath.xml:730(title)
msgid "Configuration File Overview"

#: serverguide/C/dm-multipath.xml:732(para)
"The multipath configuration file is divided into the following sections:"

#: serverguide/C/dm-multipath.xml:737(emphasis)

#: serverguide/C/dm-multipath.xml:740(para)
"Listing of specific devices that will not be considered for multipath."

#: serverguide/C/dm-multipath.xml:746(emphasis)
msgid "blacklist_exceptions"

#: serverguide/C/dm-multipath.xml:749(para)
"Listing of multipath candidates that would otherwise be blacklisted "
"according to the parameters of the blacklist section."

#: serverguide/C/dm-multipath.xml:756(emphasis)

#: serverguide/C/dm-multipath.xml:759(para)
msgid "General default settings for DM-Multipath."

#: serverguide/C/dm-multipath.xml:767(para)
"Settings for the characteristics of individual multipath devices. These "
"values overwrite what is specified in the <emphasis "
"role=\"bold\">defaults</emphasis> and <emphasis "
"role=\"bold\">devices</emphasis> sections of the configuration file."

#: serverguide/C/dm-multipath.xml:776(emphasis)

#: serverguide/C/dm-multipath.xml:779(para)
"Settings for the individual storage controllers. These values overwrite what "
"is specified in the <emphasis role=\"bold\">defaults</emphasis> section of "
"the configuration file. If you are using a storage array that is not "
"supported by default, you may need to create a devices subsection for your "

#: serverguide/C/dm-multipath.xml:788(para)
"When the system determines the attributes of a multipath device, first it "
"checks the multipath settings, then the per-device settings, then the "
"multipath system defaults."

#: serverguide/C/dm-multipath.xml:794(title)
msgid "Configuration File Blacklist"

#: serverguide/C/dm-multipath.xml:796(para)
"The blacklist section of the multipath configuration file specifies the "
"devices that will not be used when the system configures multipath devices. "
"Devices that are blacklisted will not be grouped into a multipath device."

#: serverguide/C/dm-multipath.xml:803(para)
"If you do need to blacklist devices, you can do so according to the "
"following criteria:"

#: serverguide/C/dm-multipath.xml:808(para)
"By WWID, as described in <xref endterm=\"config-blacklist-by-wwid-title\" "
"linkend=\"multipath-config-blacklist-by-wwid\"/>"

#: serverguide/C/dm-multipath.xml:814(para)
"By device name, as described in <xref endterm=\"config-blacklist-by-device-"
"name-title\" linkend=\"multipath-config-blacklist-by-device-name\"/>"

#: serverguide/C/dm-multipath.xml:820(para)
"By device type, as described in <xref endterm=\"config-blacklist-by-device-"
"type-title\" linkend=\"multipath-config-blacklist-by-device-type\"/>"

#: serverguide/C/dm-multipath.xml:826(para)
"By default, a variety of device types are blacklisted, even after you "
"comment out the initial blacklist section of the configuration file. For "
"information, see <xref endterm=\"config-blacklist-by-device-name-title\" "
"linkend=\"multipath-config-blacklist-by-device-name\"/>."

#: serverguide/C/dm-multipath.xml:835(title)
msgid "Blacklisting By WWID"

#: serverguide/C/dm-multipath.xml:838(para)
"You can specify individual devices to blacklist by their World-Wide "
"IDentification with a <emphasis role=\"bold\">wwid</emphasis> entry in the "
"<emphasis role=\"bold\">blacklist</emphasis> section of the configuration "

#: serverguide/C/dm-multipath.xml:843(para)
"The following example shows the lines in the configuration file that would "
"blacklist a device with a WWID of 26353900f02796769."

#: serverguide/C/dm-multipath.xml:846(screen)
" wwid 26353900f02796769\n"

#: serverguide/C/dm-multipath.xml:854(title)
msgid "Blacklisting By Device Name"

#: serverguide/C/dm-multipath.xml:857(para)
"You can blacklist device types by device name so that they will not be "
"grouped into a multipath device by specifying a <emphasis "
"role=\"bold\">devnode</emphasis> entry in the <emphasis "
"role=\"bold\">blacklist</emphasis> section of the configuration file."

#: serverguide/C/dm-multipath.xml:863(para)
"The following example shows the lines in the configuration file that would "
"blacklist all SCSI devices, since it blacklists all sd* devices. <screen>\n"
" devnode \"^sd[a-z]\"\n"

#: serverguide/C/dm-multipath.xml:870(para)
"You can use a <emphasis role=\"bold\">devnode</emphasis> entry in the "
"<emphasis role=\"bold\">blacklist</emphasis> section of the configuration "
"file to specify individual devices to blacklist rather than all devices of a "
"specific type. This is not recommended, however, since unless it is "
"statically mapped by udev rules, there is no guarantee that a specific "
"device will have the same name on reboot. For example, a device name could "
"change from <filename>/dev/sda</filename> to <filename>/dev/sdb</filename> "

#: serverguide/C/dm-multipath.xml:880(para)
"By default, the following <emphasis role=\"bold\">devnode</emphasis> entries "
"are compiled in the default blacklist; the devices that these entries "
"blacklist do not generally support DM-Multipath. To enable multipathing on "
"any of these devices, you would need to specify them in the <emphasis "
"role=\"bold\">blacklist_exceptions</emphasis> section of the configuration "
"file, as described in <xref endterm=\"config-blacklist-exceptions-title\" "
"linkend=\"multipath-config-blacklist-exceptions\"/><screen>\n"
" devnode \"^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*\"\n"
" devnode \"^hd[a-z]\"\n"

#: serverguide/C/dm-multipath.xml:897(title)
msgid "Blacklisting By Device Type"

#: serverguide/C/dm-multipath.xml:900(para)
"You can specify specific device types in the <emphasis "
"role=\"bold\">blacklist</emphasis> section of the configuration file with a "
"device section. The following example blacklists all IBM DS4200 and HP "
"devices. <screen>\n"
" vendor \"IBM\"\n"
" product \"3S42\" #DS4200 Product 10\n"

#: serverguide/C/dm-multipath.xml:918(title)
msgid "Blacklist Exceptions"

#: serverguide/C/dm-multipath.xml:921(para)
"You can use the <emphasis role=\"bold\">blacklist_exceptions</emphasis> "
"section of the configuration file to enable multipathing on devices that "
"have been blacklisted by default."

#: serverguide/C/dm-multipath.xml:926(para)
"For example, if you have a large number of devices and want to multipath "
"only one of them (with the WWID of 3600d0230000000000e13955cc3757803), "
"instead of individually blacklisting each of the devices except the one you "
"want, you could instead blacklist all of them, and then allow only the one "
"you want by adding the following lines to the "
"<filename>/etc/multipath.conf</filename> file. <screen>\n"
"blacklist_exceptions {\n"
" wwid \"3600d0230000000000e13955cc3757803\"\n"

#: serverguide/C/dm-multipath.xml:941(para)
"When specifying devices in the <emphasis "
"role=\"bold\">blacklist_exceptions</emphasis> section of the configuration "
"file, you must specify the exceptions in the same way they were specified in "
"the <emphasis role=\"bold\">blacklist</emphasis>. For example, a WWID "
"exception will not apply to devices specified by a <emphasis "
"role=\"bold\">devnode</emphasis> blacklist entry, even if the blacklisted "
"device is associated with that WWID. Similarly, devnode exceptions apply "
"only to devnode entries, and device exceptions apply only to device entries."
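The rule in the paragraph above is the one most often got wrong in practice: an exception cancels only a blacklist entry of the same kind. The Python below is an added editor's model of that evaluation, not multipath-tools' code; it assumes each blacklist pattern is applied as an unanchored regular expression (so the ^ anchors in the guide's examples matter) and uses constructed devices whose WWIDs and array names are borrowed from the examples on this page. It shows the guide's "blacklist everything, allow one WWID" configuration working, and the mismatched variant (devnode blacklist, WWID exception) silently excluding the wanted device.

```python
import re

# Constructed model of how multipath evaluates the blacklist and
# blacklist_exceptions sections (assumption: built from the rules stated in the
# guide above, not taken from multipath-tools source).  Patterns are applied
# as unanchored regular expressions, so anchor with ^ as the guide's examples do.

# The devnode patterns the guide lists as compiled into the default blacklist.
DEFAULT_BLACKLIST = {
    "devnode": [r"^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*", r"^hd[a-z]"],
}

def _listed(section, kind, *values):
    """True if one entry of the given kind (devnode/wwid/device) matches the values.
    A device entry is a (vendor, product) tuple; the others are single patterns."""
    for entry in section.get(kind, []):
        pats = entry if isinstance(entry, tuple) else (entry,)
        if all(re.search(p, v) for p, v in zip(pats, values)):
            return True
    return False

def blacklist_reason(conf, dev):
    """Return the kind of entry that excludes dev ('devnode', 'wwid' or 'device'),
    or None if the device is eligible for multipathing.

    An exception only cancels an entry of the same kind: a wwid exception cannot
    rescue a device that a devnode entry caught."""
    bl = conf.get("blacklist", {})
    ex = conf.get("blacklist_exceptions", {})
    checks = {
        "devnode": (dev["devnode"],),
        "wwid": (dev["wwid"],),
        "device": (dev["vendor"], dev["product"]),
    }
    for kind, values in checks.items():
        if _listed(bl, kind, *values) and not _listed(ex, kind, *values):
            return kind
    return None

def is_blacklisted(conf, dev):
    return blacklist_reason(conf, dev) is not None

# The guide's example: blacklist everything, then allow one WWID back.
CONF_ALLOW_ONE = {
    "blacklist": {"wwid": [".*"]},
    "blacklist_exceptions": {"wwid": ["3600d0230000000000e13955cc3757803"]},
}
# Mismatched kinds: sd* is blacklisted by devnode but the exception is a WWID,
# so the exception never applies and the wanted device stays excluded.
CONF_MISMATCHED = {
    "blacklist": {"devnode": [r"^sd[a-z]"]},
    "blacklist_exceptions": {"wwid": ["3600d0230000000000e13955cc3757803"]},
}
# Device-type entry from the guide, with the exception given the same way.
CONF_DEVICE_TYPE = {
    "blacklist": {"device": [("IBM", "3S42")]},
    "blacklist_exceptions": {"device": [("IBM", "3S42")]},
}

# Constructed devices (WWIDs and array names borrowed from the guide's examples).
WANTED = {"devnode": "sdb", "wwid": "3600d0230000000000e13955cc3757803",
          "vendor": "WINSYS", "product": "SF2372"}
OTHER = {"devnode": "sdc", "wwid": "3600d0230000000000e13955cc3757804",
         "vendor": "WINSYS", "product": "SF2372"}
DS4200 = {"devnode": "sdd", "wwid": "3600a0b80001327d800000070436216b3",
          "vendor": "IBM", "product": "3S42"}
LOOP0 = {"devnode": "loop0", "wwid": "", "vendor": "", "product": ""}

if __name__ == "__main__":
    for name, conf in [("allow-one", CONF_ALLOW_ONE), ("mismatched", CONF_MISMATCHED)]:
        print(name, "wanted ->", blacklist_reason(conf, WANTED),
              "| other ->", blacklist_reason(conf, OTHER))
```

When a device that should be multipathed is missing, asking which kind of entry excluded it (as blacklist_reason does) is a quicker diagnosis than re-reading the whole file; the guide's own advice, raising the verbosity of multipath, answers the same question from the daemon's side.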
29031
#: serverguide/C/dm-multipath.xml:954(title)
29032
msgid "Configuration File Defaults"
29035
#: serverguide/C/dm-multipath.xml:956(para)
29037
"The <filename>/etc/multipath.conf</filename> configuration file includes a "
29038
"<emphasis role=\"bold\">defaults</emphasis> section that sets the <emphasis "
29039
"role=\"bold\">user_friendly_names</emphasis> parameter to <emphasis "
29040
"role=\"bold\">yes</emphasis>, as follows."
29043
#: serverguide/C/dm-multipath.xml:961(screen)
29048
" user_friendly_names yes\n"
29052
#: serverguide/C/dm-multipath.xml:967(para)
29054
"This overwrites the default value of the <emphasis "
29055
"role=\"bold\">user_friendly_names</emphasis> parameter."
29058
#: serverguide/C/dm-multipath.xml:970(para)
29060
"The configuration file includes a template of configuration defaults. This "
29061
"section is commented out, as follows."
29064
#: serverguide/C/dm-multipath.xml:973(screen)
29069
"# udev_dir /dev\n"
29070
"# polling_interval 5\n"
29071
"# selector \"round-robin 0\"\n"
29072
"# path_grouping_policy failover\n"
29073
"# getuid_callout \"/lib/dev/scsi_id --whitelisted --"
29074
"device=/dev/%n\"\n"
29075
"#\tprio\t\t\tconst\n"
29076
"#\tpath_checker\t\tdirectio\n"
29077
"#\trr_min_io\t\t1000\n"
29078
"#\trr_weight\t\tuniform\n"
29079
"#\tfailback\t\tmanual\n"
29080
"#\tno_path_retry\t\tfail\n"
29081
"#\tuser_friendly_names\tno\n"
29085
#: serverguide/C/dm-multipath.xml:990(para)
29087
"To overwrite the default value for any of the configuration parameters, you "
29088
"can copy the relevant line from this template into the <emphasis "
29089
"role=\"bold\">defaults</emphasis> section and uncomment it. For example, to "
29090
"overwrite the <emphasis role=\"bold\">path_grouping_policy</emphasis> "
29091
"parameter so that it is <emphasis role=\"bold\">multibus</emphasis> rather "
29092
"than the default value of <emphasis role=\"bold\">failover</emphasis>, copy "
29093
"the appropriate line from the template to the initial <emphasis "
29094
"role=\"bold\">defaults</emphasis> section of the configuration file, and "
29095
"uncomment it, as follows."
29098
#: serverguide/C/dm-multipath.xml:1001(screen)
29103
" user_friendly_names yes\n"
29104
" path_grouping_policy multibus\n"
29108
#: serverguide/C/dm-multipath.xml:1008(para)
29110
"Table <xref endterm=\"config-defaults-table-title\" linkend=\"multipath-"
29111
"config-defaults-table\"/> describes the attributes that are set in the "
29112
"<emphasis role=\"bold\">defaults</emphasis> section of the "
29113
"<filename>multipath.conf</filename> configuration file. These values are "
29114
"used by DM-Multipath unless they are overwritten by the attributes specified "
29115
"in the <emphasis role=\"bold\">devices</emphasis> and <emphasis "
29116
"role=\"bold\">multipaths</emphasis> sections of the "
29117
"<filename>multipath.conf</filename> file."
29120
#: serverguide/C/dm-multipath.xml:1022(title)
29121
msgid "Configuration File Multipath Attributes"
29124
#: serverguide/C/dm-multipath.xml:1025(para)
29126
"Table <xref endterm=\"attributes-table-title\" linkend=\"multipath-"
29127
"attributes-table\"/> shows the attributes that you can set in the <emphasis "
29128
"role=\"bold\">multipaths</emphasis> section of the "
29129
"<filename>multipath.conf</filename> configuration file for each specific "
29130
"multipath device. These attributes apply only to the one specified "
29131
"multipath. These defaults are used by DM-Multipath and override attributes "
29132
"set in the <emphasis role=\"bold\">defaults</emphasis> and <emphasis "
29133
"role=\"bold\">devices</emphasis> sections of the multipath.conf file."
29136
#: serverguide/C/dm-multipath.xml:1038(para)
29138
"In addition, the following parameters may be overridden in this <emphasis "
29139
"role=\"bold\">multipath</emphasis> section"
29142
#: serverguide/C/dm-multipath.xml:1087(para)
29144
"The following example shows multipath attributes specified in the "
29145
"configuration file for two specific multipath devices. The first device has "
29146
"a WWID of 3600508b4000156d70001200000b0000 and a symbolic name of yellow."
29149
#: serverguide/C/dm-multipath.xml:1092(para)
29151
"The second multipath device in the example has a WWID of "
29152
"1DEC_____321816758474 and a symbolic name of red. In this example, the <link "
29153
"linkend=\"attribute-rr_weight\" role=\"bold\">rr_weight</link> attributes is "
29154
"set to priorities."
29157
#: serverguide/C/dm-multipath.xml:1097(screen)
29163
" wwid 3600508b4000156d70001200000b0000\n"
29165
" path_grouping_policy multibus\n"
29166
" path_selector \"round-robin 0\"\n"
29167
" failback manual\n"
29168
" rr_weight priorities\n"
29169
" no_path_retry 5\n"
29172
" wwid 1DEC_____321816758474\n"
29174
" rr_weight priorities\n"
29179
#: serverguide/C/dm-multipath.xml:1118(title)
29180
msgid "Configuration File Devices"
29183
#: serverguide/C/dm-multipath.xml:1120(para)
29185
"Table <xref endterm=\"device-attributes-table-title\" linkend=\"multipath-"
29186
"device-attributes-table\"/> shows the attributes that you can set for each "
29187
"individual storage device in the devices section of the multipath.conf "
29188
"configuration file. These attributes are used by DM-Multipath unless they "
29189
"are overwritten by the attributes specified in the <emphasis "
29190
"role=\"bold\">multipaths</emphasis> section of the "
29191
"<filename>multipath.conf</filename> file for paths that contain the device. "
29192
"These attributes override the attributes set in the <emphasis "
29193
"role=\"bold\">defaults</emphasis> section of the "
29194
"<filename>multipath.conf</filename> file."
29197
#: serverguide/C/dm-multipath.xml:1131(para)
29199
"Many devices that support multipathing are included by default in a "
29200
"multipath configuration. The values for the devices that are supported by "
29201
"default are listed in the <filename>multipath.conf.defaults</filename> file. "
29202
"You probably will not need to modify the values for these devices, but if "
29203
"you do you can overwrite the default values by including an entry in the "
29204
"configuration file for the device that overwrites those values. You can copy "
29205
"the device configuration defaults from the "
29206
"<filename>multipath.conf.annotated.gz</filename> or if you wish to have a "
29207
"brief config file, <filename>multipath.conf.synthetic</filename> file for "
29208
"the device and override the values that you want to change."
29211
#: serverguide/C/dm-multipath.xml:1143(para)
29213
"To add a device to this section of the configuration file that is not "
29214
"configured automatically by default, you must set the <emphasis "
29215
"role=\"bold\">vendor</emphasis> and <emphasis "
29216
"role=\"bold\">product</emphasis> parameters. You can find these values by "
29217
"looking at <emphasis "
29218
"role=\"bold\">/sys/block/device_name/device/vendor</emphasis> and <emphasis "
29219
"role=\"bold\">/sys/block/device_name/device/model</emphasis> where "
29220
"device_name is the device to be multipathed, as in the following example:"
29223
#: serverguide/C/dm-multipath.xml:1153(screen)
29227
"# cat /sys/block/sda/device/vendor\n"
29229
"# cat /sys/block/sda/device/model\n"
29233
#: serverguide/C/dm-multipath.xml:1160(para)
29235
"The additional parameters to specify depend on your specific device. If the "
29236
"device is active/active, you will usually not need to set additional "
29237
"parameters. You may want to set <link linkend=\"attribute-"
29238
"path_grouping_policy\">path_grouping_policy</link> to <emphasis "
29239
"role=\"bold\">multibus</emphasis>. Other parameters you may need to set are "
29240
"<link linkend=\"attribute-no_path_retry\">no_path_retry</link> and <link "
29241
"linkend=\"attribute-rr_min_io\">rr_min_io</link>, as described in Table "
29242
"<xref endterm=\"attributes-table-title\" linkend=\"multipath-attributes-"
29246
#: serverguide/C/dm-multipath.xml:1170(para)
29248
"If the device is active/passive, but it automatically switches paths with "
29249
"I/O to the passive path, you need to change the checker function to one that "
29250
"does not send I/O to the path to test if it is working (otherwise, your "
29251
"device will keep failing over). This almost always means that you set the "
29252
"<link linkend=\"attribute-path_checker\">path_checker</link> to <emphasis "
29253
"role=\"bold\">tur</emphasis>; this works for all SCSI devices that support "
29254
"the Test Unit Ready command, which most do."
29257
#: serverguide/C/dm-multipath.xml:1179(para)
29259
"If the device needs a special command to switch paths, then configuring this "
29260
"device for multipath requires a hardware handler kernel module. The current "
29261
"available hardware handler is emc. If this is not sufficient for your "
29262
"device, you may not be able to configure the device for multipath."
29265
#: serverguide/C/dm-multipath.xml:1188(para)
29267
"In addition, the following parameters may be overridden in this <emphasis "
29268
"role=\"bold\">device</emphasis> section"
29271
#: serverguide/C/dm-multipath.xml:1263(para)
29273
"Whenever a hardware_handler is specified, it is your responsibility to "
29274
"ensure that the appropriate kernel module is loaded to support the specified "
29275
"interface. These modules can be found in <emphasis "
29276
"role=\"bold\"><filename>/lib/modules/`uname -"
29277
"r`/kernel/drivers/scsi/device_handler/ </filename></emphasis>. The requisite "
29278
"module should be integrated into the initrd to ensure the necessary "
29279
"discovery and failover-failback capacity is available during boot time. "
29280
"Example,<screen># cat scsi_dh_alua >> /etc/initramfs-tools/modules ## "
29281
"append module to file\n"
29282
"# update-initramfs -u -k all</screen>"
29285
#: serverguide/C/dm-multipath.xml:1274(para)
29287
"The following example shows a device entry in the multipath configuration "
29291
#: serverguide/C/dm-multipath.xml:1277(screen)
29298
"#\t\tvendor\t\t\t\"COMPAQ \"\n"
29299
"#\t\tproduct\t\t\t\"MSA1000 \"\n"
29300
"#\t\tpath_grouping_policy\tmultibus\n"
29301
"#\t\tpath_checker\t\ttur\n"
29302
"#\t\trr_weight\t\tpriorities\n"
#: serverguide/C/dm-multipath.xml:1290(para)
msgid ""
"The spacing reserved in the <emphasis role=\"bold\">vendor</emphasis>, "
"<emphasis role=\"bold\">product</emphasis>, and <emphasis "
"role=\"bold\">revision</emphasis> fields is significant, as multipath "
"performs a direct match against these attributes, whose format is defined "
"by the SCSI specification, specifically the <ulink "
"url=\"http://en.wikipedia.org/wiki/SCSI_Inquiry_Command\">Standard "
"INQUIRY</ulink> command. When quotes are used, the vendor, product, and "
"revision fields will be interpreted strictly according to the spec. Regular "
"expressions may be integrated into the quoted strings. Should a field be "
"defined without the requisite spacing, multipath will copy the string into "
"the properly sized buffer and pad with the appropriate number of spaces. The "
"specification expects the entire field to be populated by printable "
"characters or spaces, as seen in the example above:"
#: serverguide/C/dm-multipath.xml:1307(para)
msgid "vendor: 8 characters"

#: serverguide/C/dm-multipath.xml:1311(para)
msgid "product: 16 characters"

#: serverguide/C/dm-multipath.xml:1315(para)
msgid "revision: 4 characters"
#: serverguide/C/dm-multipath.xml:1319(para)
msgid ""
"To create a more robust configuration file, regular expressions can also be "
"used. Operators include <emphasis role=\"bold\">^ $ [ ] . * ? +</emphasis>. "
"Examples of functional regular expressions can be found by examining the "
"live multipath database and the <filename>multipath.conf</filename> example "
"files found in <filename>/usr/share/doc/multipath-tools/examples</filename>:"

#: serverguide/C/dm-multipath.xml:1326(screen)
msgid "# echo 'show config' | multipathd -k"
#: serverguide/C/dm-multipath.xml:1331(title)
msgid "DM-Multipath Administration and Troubleshooting"

#: serverguide/C/dm-multipath.xml:1334(title)
msgid "Resizing an Online Multipath Device"

#: serverguide/C/dm-multipath.xml:1336(para)
msgid ""
"If you need to resize an online multipath device, use the following procedure:"

#: serverguide/C/dm-multipath.xml:1341(para)
msgid "Resize your physical device. This is storage platform specific."

#: serverguide/C/dm-multipath.xml:1346(para)
msgid "Use the following command to find the paths to the LUN:"

#: serverguide/C/dm-multipath.xml:1348(screen)
msgid "# multipath -l"

#: serverguide/C/dm-multipath.xml:1352(para)
msgid ""
"Resize your paths. For SCSI devices, writing 1 to the "
"<filename>rescan</filename> file for the device causes the SCSI driver to "
"rescan, as in the following command:"

#: serverguide/C/dm-multipath.xml:1356(screen)
msgid "# echo 1 > /sys/block/device_name/device/rescan"

#: serverguide/C/dm-multipath.xml:1360(para)
msgid ""
"Resize your multipath device by running the multipathd resize command:"

#: serverguide/C/dm-multipath.xml:1363(screen)
msgid "# multipathd -k 'resize map mpatha'"

#: serverguide/C/dm-multipath.xml:1367(para)
msgid "Resize the file system (assuming no LVM or DOS partitions are used):"

#: serverguide/C/dm-multipath.xml:1370(screen)
msgid "# resize2fs /dev/mapper/mpatha"
#: serverguide/C/dm-multipath.xml:1376(title)
msgid ""
"Moving root File Systems from a Single Path Device to a Multipath Device"

#: serverguide/C/dm-multipath.xml:1379(para)
msgid ""
"This is dramatically simplified by the use of UUIDs to identify devices as "
"an intrinsic label. Simply install <emphasis role=\"bold\">multipath-tools-"
"boot</emphasis> and reboot. This will rebuild the initial ramdisk and afford "
"multipath the opportunity to build its paths before the root file system is "

#: serverguide/C/dm-multipath.xml:1386(para)
msgid ""
"Whenever <filename>multipath.conf</filename> is updated, so should the "
"initrd be, by executing <command>update-initramfs -u -k all</command>. The "
"reason is that <filename>multipath.conf</filename> is copied to the ramdisk "
"and is integral to determining the available devices for grouping via its "
"blacklist and device sections."
#: serverguide/C/dm-multipath.xml:1395(title)
msgid ""
"Moving swap File Systems from a Single Path Device to a Multipath Device"

#: serverguide/C/dm-multipath.xml:1398(para)
msgid ""
"The procedure is exactly the same as illustrated in the previous section "
"called <link linkend=\"multipath-moving-rootfs-from-single-path-to-multipath-"
"device\">Moving root File Systems from a Single Path to a Multipath "

#: serverguide/C/dm-multipath.xml:1406(title)
msgid "The Multipath Daemon"

#: serverguide/C/dm-multipath.xml:1408(para)
msgid ""
"If you find you have trouble implementing a multipath configuration, you "
"should ensure the multipath daemon is running as described in <link "
"linkend=\"multipath-setting-up-dm-multipath\">\"Setting up DM-"
"Multipath\"</link>. The <command>multipathd</command> daemon must be running "
"in order to use multipathed devices. Also see section <link "
"linkend=\"multipath-interacting-with-multipathd\">Troubleshooting with the "
"multipathd interactive console</link> concerning interacting with "
"<command>multipathd</command> as a debugging aid."
#: serverguide/C/dm-multipath.xml:1448(title)
msgid "Issues with queue_if_no_path"

#: serverguide/C/dm-multipath.xml:1450(para)
msgid ""
"If <emphasis role=\"bold\">features \"1 queue_if_no_path\"</emphasis> is "
"specified in the <filename>/etc/multipath.conf</filename> file, then any "
"process that uses I/O will hang until one or more paths are restored. To "
"avoid this, set the <emphasis role=\"bold\"><link linkend=\"attribute-"
"no_path_retry\">no_path_retry</link> N</emphasis> parameter in "
"<filename>/etc/multipath.conf</filename>."

#: serverguide/C/dm-multipath.xml:1457(para)
msgid ""
"When you set the <emphasis role=\"bold\">no_path_retry</emphasis> parameter, "
"remove the <emphasis role=\"bold\">features \"1 "
"queue_if_no_path\"</emphasis> option from the "
"<filename>/etc/multipath.conf</filename> file as well. If, however, you are "
"using a multipathed device for which the <option>features \"1 "
"queue_if_no_path\"</option> option is set as a compiled-in default, as it is "
"for many SAN devices, you must add <option>features \"0\"</option> to "
"override this default. You can do this by copying the existing <emphasis "
"role=\"bold\">devices</emphasis> section, and just that section (not the "
"entire file), from <filename>/usr/share/doc/multipath-"
"tools/examples/multipath.conf.annotated.gz</filename> into "
"<filename>/etc/multipath.conf</filename> and editing it to suit your needs."

#: serverguide/C/dm-multipath.xml:1471(para)
msgid ""
"If you need to use the <option>features \"1 queue_if_no_path\"</option> "
"option and you experience the issue noted here, use the "
"<command>dmsetup</command> command to edit the policy at runtime for a "
"particular LUN (that is, one for which all the paths are unavailable). For "
"example, if you want to change the policy on the multipath device "
"<filename>mpathc</filename> from <option>\"queue_if_no_path\"</option> to "
"<option>\"fail_if_no_path\"</option>, execute the following command:"

#: serverguide/C/dm-multipath.xml:1480(screen)
msgid "# dmsetup message mpathc 0 \"fail_if_no_path\""

#: serverguide/C/dm-multipath.xml:1483(para)
msgid ""
"You must specify the <filename>mpathN</filename> alias rather than the path"
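The two points made above, the exact-width vendor/product/revision matching in a device section and the choice between no_path_retry and features "1 queue_if_no_path", as one added example that is not code from the Server Guide or from multipath-tools: a small Python parser for the brace syntax of multipath.conf, a padding and match check for the INQUIRY fields, and a lint that flags sections still relying on queue_if_no_path. The configuration sample is constructed, and the check assumes each quoted field is a regular expression searched within the space-padded INQUIRY value.

```python
import re
from dataclasses import dataclass, field

INQUIRY_WIDTHS = {"vendor": 8, "product": 16, "revision": 4}   # SCSI Standard INQUIRY field widths

# Constructed multipath.conf fragment (not from a real host): the first device section still
# relies on features "1 queue_if_no_path", the second uses no_path_retry as the text advises.
SAMPLE_CONF = """\
devices {
    device {
        vendor   "COMPAQ  "
        product  "MSA1000         "
        path_grouping_policy multibus
        path_checker tur
        features "1 queue_if_no_path"
    }
    device {
        vendor   "WINSYS"
        product  "SF2372"
        no_path_retry 12
    }
}
"""

@dataclass
class Section:
    name: str
    attrs: dict = field(default_factory=dict)
    children: list = field(default_factory=list)

TOKEN_RE = re.compile(r'"([^"]*)"|([{}])|(\S+)')

def tokenize(text: str):
    """Yield (kind, value) tokens; quoted values keep their spacing, '#' comments are dropped."""
    for line in text.splitlines():
        for m in TOKEN_RE.finditer(re.sub(r"(^|\s)#.*$", "", line)):
            quoted, brace, word = m.groups()
            yield ("str", quoted) if quoted is not None else ("brace", brace) if brace else ("word", word)

def parse_multipath_conf(text: str) -> Section:
    """Build a Section tree from the brace-delimited multipath.conf syntax."""
    stack = [Section("root")]
    tokens = list(tokenize(text))
    i = 0
    while i < len(tokens):
        kind, val = tokens[i]
        if kind == "brace":                                  # only a closing brace is valid here
            if val == "{" or len(stack) == 1:
                raise ValueError("unbalanced brace")
            stack.pop()
            i += 1
        elif i + 1 < len(tokens) and tokens[i + 1] == ("brace", "{"):
            sec = Section(val)                               # "name {" opens a nested section
            stack[-1].children.append(sec)
            stack.append(sec)
            i += 2
        elif i + 1 < len(tokens) and tokens[i + 1][0] != "brace":
            stack[-1].attrs[val] = tokens[i + 1][1]          # "keyword value"
            i += 2
        else:
            raise ValueError(f"keyword {val!r} has no value")
    if len(stack) != 1:
        raise ValueError("unterminated section")
    return stack[0]

def sections(root: Section, name: str) -> list:
    found = []
    for child in root.children:
        found += [child] if child.name == name else []
        found += sections(child, name)
    return found

def pad_inquiry_field(name: str, value: str) -> str:
    """Pad a vendor/product/revision string to its INQUIRY width, as multipath does."""
    width = INQUIRY_WIDTHS[name]
    if len(value) > width:
        raise ValueError(f"{name} {value!r} exceeds the {width}-character INQUIRY field")
    return value.ljust(width)

def device_matches(device: Section, vendor: str, product: str, revision: str = "") -> bool:
    """True when the section's patterns match a device's padded INQUIRY identity.
    Assumption: each quoted field is a regular expression searched within the padded value."""
    for fld, raw in (("vendor", vendor), ("product", product), ("revision", revision)):
        pattern = device.attrs.get(fld)
        if pattern is not None and not re.search(pattern, pad_inquiry_field(fld, raw)):
            return False
    return True

def lint_queue_if_no_path(root: Section) -> list:
    """Flag defaults/device sections whose features line would queue I/O for ever."""
    findings = []
    for sec in sections(root, "defaults") + sections(root, "device"):
        if "queue_if_no_path" not in sec.attrs.get("features", ""):
            continue
        where = f"{sec.name} {sec.attrs.get('vendor', '*')!r}/{sec.attrs.get('product', '*')!r}"
        fix = ("drop the features line" if "no_path_retry" in sec.attrs else
               'replace it with no_path_retry N (or features "0" to override a compiled-in default)')
        findings.append(f"{where}: queue_if_no_path hangs I/O until a path returns; {fix}")
    return findings
```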
#: serverguide/C/dm-multipath.xml:1489(title)
msgid "Multipath Command Output"

#: serverguide/C/dm-multipath.xml:1491(para)
msgid ""
"When you create, modify, or list a multipath device, you get a printout of "
"the current device setup. The format is as follows. For each multipath "

#: serverguide/C/dm-multipath.xml:1495(screen)
msgid ""
" action_if_any: alias (wwid_if_different_from_alias) "
"dm_device_name_if_known vendor,product\n"
" size=size features='features' hwhandler='hardware_handler' "
"wp=write_permission_if_known"

#: serverguide/C/dm-multipath.xml:1498(para)
msgid "For each path group:"

#: serverguide/C/dm-multipath.xml:1500(screen)
msgid ""
" -+- policy='scheduling_policy' prio=prio_if_known\n"
" status=path_group_status_if_known"

#: serverguide/C/dm-multipath.xml:1503(para)
msgid "For each path:"

#: serverguide/C/dm-multipath.xml:1505(screen)
msgid ""
" `- host:channel:id:lun devnode major:minor dm_status_if_known "

#: serverguide/C/dm-multipath.xml:1508(para)
msgid ""
"For example, the output of a multipath command might appear as follows:"

#: serverguide/C/dm-multipath.xml:1511(screen)
msgid ""
" 3600d0230000000000e13955cc3757800 dm-1 WINSYS,SF2372\n"
" size=269G features='0' hwhandler='0' wp=rw\n"
" |-+- policy='round-robin 0' prio=1 status=active\n"
" | `- 6:0:0:0 sdb 8:16 active ready running\n"
" `-+- policy='round-robin 0' prio=1 status=enabled\n"
" `- 7:0:0:0 sdf 8:80 active ready running"

#: serverguide/C/dm-multipath.xml:1518(para)
msgid ""
"If the path is up and ready for I/O, the status of the path is <emphasis "
"role=\"bold\">ready</emphasis> or <emphasis "
"role=\"bold\">ghost</emphasis>. If the path is down, the status is "
"<emphasis role=\"bold\">faulty</emphasis> or <emphasis "
"role=\"bold\">shaky</emphasis>. The path status is updated periodically by "
"the <command>multipathd</command> daemon based on the polling interval "
"defined in the <filename>/etc/multipath.conf</filename> file."

#: serverguide/C/dm-multipath.xml:1526(para)
msgid ""
"The dm status is similar to the path status, but from the kernel's point of "
"view. The dm status has two states: <emphasis "
"role=\"bold\">failed</emphasis>, which is analogous to <emphasis "
"role=\"bold\">faulty</emphasis>, and <emphasis "
"role=\"bold\">active</emphasis>, which covers all other path states. "
"Occasionally, the path state and the dm state of a device will temporarily "

#: serverguide/C/dm-multipath.xml:1534(para)
msgid ""
"The possible values for <emphasis role=\"bold\">online_status</emphasis> are "
"<emphasis role=\"bold\">running</emphasis> and <emphasis "
"role=\"bold\">offline</emphasis>. A status of <emphasis "
"role=\"bold\">offline</emphasis> means that the SCSI device has been "

#: serverguide/C/dm-multipath.xml:1542(para)
msgid ""
"When a multipath device is being created or modified, the path group "
"status, the dm device name, the write permissions, and the dm status are not "
"known. Also, the features are not always correct."
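As an added example (not code from the Server Guide or from multipath-tools), a Python parser for the output layout just described, run over constructed `multipath -ll` text in which one path is shown failed; the checks that follow pull out every path whose checker, dm or online status is not healthy, and any map left with no usable path at all, which is the situation in which queue_if_no_path stalls I/O.

```python
import re
from dataclasses import dataclass, field

# Constructed `multipath -ll` output in the layout documented above (not captured from a real
# host): the second path of dm-1 is marked failed so that the checks below have something to find.
SAMPLE_LL = """\
3600d0230000000000e13955cc3757800 dm-1 WINSYS,SF2372
size=269G features='0' hwhandler='0' wp=rw
|-+- policy='round-robin 0' prio=1 status=active
| `- 6:0:0:0 sdb 8:16 active ready running
`-+- policy='round-robin 0' prio=1 status=enabled
  `- 7:0:0:0 sdf 8:80 failed faulty offline
mpathb (3600d0230000000000e13955cc3757803) dm-2 WINSYS,SF2372
size=125G features='0' hwhandler='0' wp=rw
`-+- policy='round-robin 0' prio=1 status=active
  |- 19:0:0:3 sde 8:64 active ready running
  `- 18:0:0:3 sdj 8:144 active ready running
"""

@dataclass
class Path:
    hcil: str            # host:channel:id:lun
    devnode: str
    majmin: str
    dm_status: str       # kernel's view: active or failed
    path_status: str     # checker's view: ready, ghost, faulty or shaky
    online: str          # SCSI device state: running or offline

@dataclass
class PathGroup:
    policy: str
    prio: str
    status: str
    paths: list = field(default_factory=list)

@dataclass
class MultipathMap:
    name: str
    wwid: str
    dm: str
    vendor: str
    product: str
    size: str = ""
    features: str = ""
    hwhandler: str = ""
    wp: str = ""
    groups: list = field(default_factory=list)

# One pattern per line shape of the output format described in this section.
MAP_RE = re.compile(r"^(?:(?P<action>[a-z]+):\s+)?(?P<name>\S+)(?:\s+\((?P<wwid>\S+)\))?"
                    r"\s+(?P<dm>\S+)\s+(?P<vendor>[^,]+),(?P<product>\S.*)$")
SIZE_RE = re.compile(r"^size=(?P<size>\S+) features='(?P<features>[^']*)' "
                     r"hwhandler='(?P<hwhandler>[^']*)' wp=(?P<wp>\S+)$")
GROUP_RE = re.compile(r"-\+- policy='(?P<policy>[^']*)' prio=(?P<prio>\S+) status=(?P<status>\S+)$")
PATH_RE = re.compile(r"[`|]- (?P<hcil>\d+:\d+:\d+:\d+) (?P<dev>\S+) (?P<majmin>\d+:\d+) "
                     r"(?P<dm_status>\S+) (?P<path_status>\S+) (?P<online>\S+)$")

def parse_multipath_ll(text: str) -> list:
    """Turn `multipath -l` / `-ll` output into MultipathMap objects with their groups and paths."""
    maps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := GROUP_RE.search(line)) and maps:
            maps[-1].groups.append(PathGroup(m["policy"], m["prio"], m["status"]))
        elif (m := PATH_RE.search(line)) and maps and maps[-1].groups:
            maps[-1].groups[-1].paths.append(Path(m["hcil"], m["dev"], m["majmin"],
                                                  m["dm_status"], m["path_status"], m["online"]))
        elif (m := SIZE_RE.match(line)) and maps:
            mp = maps[-1]
            mp.size, mp.features, mp.hwhandler, mp.wp = m["size"], m["features"], m["hwhandler"], m["wp"]
        elif m := MAP_RE.match(line):
            maps.append(MultipathMap(m["name"], m["wwid"] or m["name"], m["dm"], m["vendor"], m["product"]))
        else:
            raise ValueError(f"unrecognised multipath output line: {line!r}")
    return maps

OK_PATH_STATES = {"ready", "ghost"}

def is_usable(p: Path) -> bool:
    """A path carries I/O only when the checker, the kernel and the SCSI layer all report it up."""
    return p.dm_status == "active" and p.path_status in OK_PATH_STATES and p.online == "running"

def usable_paths(mp: MultipathMap) -> int:
    return sum(is_usable(p) for g in mp.groups for p in g.paths)

def degraded_paths(maps: list) -> list:
    """(map name, devnode, 'dm_status path_status online') for every path that is not usable."""
    return [(mp.name, p.devnode, f"{p.dm_status} {p.path_status} {p.online}")
            for mp in maps for g in mp.groups for p in g.paths if not is_usable(p)]

def maps_without_paths(maps: list) -> list:
    """Maps with no usable path left: with features "1 queue_if_no_path" their I/O now hangs."""
    return [mp.name for mp in maps if usable_paths(mp) == 0]
```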
#: serverguide/C/dm-multipath.xml:1549(title)
msgid "Multipath Queries with multipath Command"

#: serverguide/C/dm-multipath.xml:1551(para)
msgid ""
"You can use the <emphasis role=\"bold\">-l</emphasis> and <emphasis "
"role=\"bold\">-ll</emphasis> options of the <emphasis "
"role=\"bold\">multipath</emphasis> command to display the current multipath "
"configuration. The <emphasis role=\"bold\">-l</emphasis> option displays "
"multipath topology gathered from information in sysfs and the device mapper. "
"The <emphasis role=\"bold\">-ll</emphasis> option displays the information "
"<emphasis role=\"bold\">-l</emphasis> displays, in addition to all other "
"available components of the system."

#: serverguide/C/dm-multipath.xml:1560(para)
msgid ""
"When displaying the multipath configuration, there are three verbosity "
"levels you can specify with the <emphasis role=\"bold\">-v</emphasis> option "
"of the multipath command. Specifying <emphasis role=\"bold\">-v0</emphasis> "
"yields no output. Specifying <emphasis role=\"bold\">-v1</emphasis> outputs "
"the created or updated multipath names only, which you can then feed to "
"other tools such as kpartx. Specifying <emphasis role=\"bold\">-"
"v2</emphasis> prints all detected paths, multipaths, and device maps."

#: serverguide/C/dm-multipath.xml:1570(para)
msgid ""
"The default <emphasis role=\"bold\">verbosity</emphasis> level of multipath "
"is <emphasis role=\"bold\">2</emphasis> and can be globally modified by "
"defining the <link linkend=\"attribute-verbosity\">verbosity "
"attribute</link> in the <emphasis role=\"bold\">defaults</emphasis> section "
"of <filename>multipath.conf</filename>."

#: serverguide/C/dm-multipath.xml:1577(para)
msgid ""
"The following example shows the output of a <emphasis "
"role=\"bold\">multipath -l</emphasis> command."

#: serverguide/C/dm-multipath.xml:1580(screen)
msgid ""
" 3600d0230000000000e13955cc3757800 dm-1 WINSYS,SF2372\n"
" size=269G features='0' hwhandler='0' wp=rw\n"
" |-+- policy='round-robin 0' prio=1 status=active\n"
" | `- 6:0:0:0 sdb 8:16 active ready running\n"
" `-+- policy='round-robin 0' prio=1 status=enabled\n"
" `- 7:0:0:0 sdf 8:80 active ready running"

#: serverguide/C/dm-multipath.xml:1588(para)
msgid ""
"The following example shows the output of a <emphasis "
"role=\"bold\">multipath -ll</emphasis> command."

#: serverguide/C/dm-multipath.xml:1591(screen)
msgid ""
"# multipath -ll\n"
" 3600d0230000000000e13955cc3757801 dm-10 WINSYS,SF2372\n"
" size=269G features='0' hwhandler='0' wp=rw\n"
" |-+- policy='round-robin 0' prio=1 status=enabled\n"
" | `- 19:0:0:1 sdc 8:32 active ready running\n"
" `-+- policy='round-robin 0' prio=1 status=enabled\n"
" `- 18:0:0:1 sdh 8:112 active ready running\n"
" 3600d0230000000000e13955cc3757803 dm-2 WINSYS,SF2372\n"
" size=125G features='0' hwhandler='0' wp=rw\n"
" `-+- policy='round-robin 0' prio=1 status=active\n"
" |- 19:0:0:3 sde 8:64 active ready running\n"
" `- 18:0:0:3 sdj 8:144 active ready running"

#: serverguide/C/dm-multipath.xml:1606(title)
msgid "Multipath Command Options"

#: serverguide/C/dm-multipath.xml:1608(para)
msgid ""
"Table <link linkend=\"useful-multipath-command-options\">\"Useful multipath "
"Command Options\"</link> describes some options of the <emphasis "
"role=\"bold\">multipath</emphasis> command that you may find useful."
#: serverguide/C/dm-multipath.xml:1614(title)
msgid "Useful multipath Command Options"

#: serverguide/C/dm-multipath.xml:1623(entry)

#: serverguide/C/dm-multipath.xml:1630(emphasis)

#: serverguide/C/dm-multipath.xml:1632(emphasis) serverguide/C/dm-multipath.xml:1639(emphasis)

#: serverguide/C/dm-multipath.xml:1631(entry)
msgid ""
"Display the current multipath configuration gathered from <placeholder-1/> "
"and the device mapper."

#: serverguide/C/dm-multipath.xml:1637(emphasis)

#: serverguide/C/dm-multipath.xml:1638(entry)
msgid ""
"Display the current multipath configuration gathered from <placeholder-1/>, "
"the device mapper, and all other available components on the system."

#: serverguide/C/dm-multipath.xml:1644(emphasis)

#: serverguide/C/dm-multipath.xml:1645(entry)
msgid "Remove the named multipath device."

#: serverguide/C/dm-multipath.xml:1649(emphasis)

#: serverguide/C/dm-multipath.xml:1650(entry)
msgid "Remove all unused multipath devices."
#: serverguide/C/dm-multipath.xml:1658(title)
msgid "Determining Device Mapper Entries with dmsetup Command"

#: serverguide/C/dm-multipath.xml:1660(para)
msgid ""
"You can use the <emphasis role=\"bold\">dmsetup</emphasis> command to find "
"out which device mapper entries match the <emphasis "
"role=\"bold\">multipathed</emphasis> devices."

#: serverguide/C/dm-multipath.xml:1664(para)
msgid ""
"The following command displays all the device mapper devices and their major "
"and minor numbers. The minor numbers determine the name of the dm device. "
"For example, a minor number of <emphasis role=\"bold\">3</emphasis> "
"corresponds to the multipathed device <emphasis "
"role=\"bold\"><filename>/dev/dm-3</filename></emphasis>."

#: serverguide/C/dm-multipath.xml:1670(screen)
msgid ""
"mpathd (253, 4)\n"
"mpathep1 (253, 12)\n"
"mpathfp1 (253, 11)\n"
"mpathb (253, 3)\n"
"mpathgp1 (253, 14)\n"
"mpathhp1 (253, 13)\n"
"mpatha (253, 2)\n"
"mpathh (253, 9)\n"
"mpathg (253, 8)\n"
"VolGroup00-LogVol01 (253, 1)\n"
"mpathf (253, 7)\n"
"VolGroup00-LogVol00 (253, 0)\n"
"mpathe (253, 6)\n"
"mpathbp1 (253, 10)\n"
"mpathd (253, 5)\n"
#: serverguide/C/dm-multipath.xml:1691(title)
msgid "Troubleshooting with the multipathd interactive console"

#: serverguide/C/dm-multipath.xml:1693(para)
msgid ""
"The <emphasis role=\"bold\">multipathd -k</emphasis> command is an "
"interactive interface to the <emphasis role=\"bold\">multipathd</emphasis> "
"daemon. Entering this command brings up an interactive multipath console. "
"After entering this command, you can enter help to get a list of available "
"commands, you can enter an interactive command, or you can enter <emphasis "
"role=\"bold\">CTRL-D</emphasis> to quit."

#: serverguide/C/dm-multipath.xml:1700(para)
msgid ""
"The multipathd interactive console can be used to troubleshoot problems you "
"may be having with your system. For example, the following command sequence "
"displays the multipath configuration, including the defaults, before exiting "
"the console. See the IBM article <ulink url=\"http://www-"
"01.ibm.com/support/docview.wss?uid=isg3T1011985\">\"Tricks with "
"Multipathd\"</ulink> for more examples."

#: serverguide/C/dm-multipath.xml:1707(screen)
msgid ""
"# multipathd -k\n"
" > > show config\n"
" > > CTRL-D"

#: serverguide/C/dm-multipath.xml:1711(para)
msgid ""
"The following command sequence ensures that multipath has picked up any "
"changes to the multipath.conf:"

#: serverguide/C/dm-multipath.xml:1714(screen)
msgid ""
"# multipathd -k\n"
"> > reconfigure\n"
"> > CTRL-D\n"

#: serverguide/C/dm-multipath.xml:1720(para)
msgid ""
"Use the following command sequence to ensure that the path checker is "
"working properly."

#: serverguide/C/dm-multipath.xml:1723(screen)
msgid ""
"# multipathd -k\n"
"> > show paths\n"
"> > CTRL-D\n"

#: serverguide/C/dm-multipath.xml:1729(para)
msgid ""
"Commands can also be streamed into multipathd using stdin like so:<screen># "
"echo 'show config' | multipathd -k</screen>"
#: serverguide/C/databases.xml:13(title)
msgid "Databases"

"to start it:"
#: serverguide/C/databases.xml:79(command) serverguide/C/databases.xml:104(command)
msgid "sudo /etc/init.d/mysql restart"

#: serverguide/C/databases.xml:78(command) serverguide/C/databases.xml:102(command)
msgid "sudo service mysql restart"
#: serverguide/C/databases.xml:85(para)
msgid ""
"You can edit the <filename>/etc/mysql/my.cnf</filename> file to configure "
"the basic settings -- log file, port number, etc. For example, to configure "
"<application>MySQL</application> to listen for connections from network "
"hosts, change the <emphasis>bind-address</emphasis> directive to the "
"server's IP address:"

#: serverguide/C/databases.xml:83(para)
msgid ""
"You can edit the <filename>/etc/mysql/my.cnf</filename> file to configure "
"the basic settings -- log file, port number, etc. For example, to configure "
"MySQL to listen for connections from network hosts, change the "
"<emphasis>bind-address</emphasis> directive to the server's IP address:"

#: serverguide/C/databases.xml:91(programlisting)
#: serverguide/C/databases.xml:89(programlisting)
msgid ""
"bind-address = 192.168.0.5\n"

#: serverguide/C/databases.xml:95(para)
#: serverguide/C/databases.xml:93(para)
msgid "Replace 192.168.0.5 with the appropriate address."
#: serverguide/C/databases.xml:99(para)
msgid ""
"After making a change to <filename>/etc/mysql/my.cnf</filename> the "
"<application>mysql</application> daemon will need to be restarted:"

#: serverguide/C/databases.xml:107(para)
msgid ""
"If you would like to change the "
"<application>MySQL</application><emphasis>root</emphasis> password, in a "

#: serverguide/C/databases.xml:113(command)
msgid "sudo dpkg-reconfigure mysql-server-5.1"

#: serverguide/C/databases.xml:116(para)
msgid ""
"The <application>mysql</application> daemon will be stopped, and you will be "
"prompted to enter a new password."

#: serverguide/C/databases.xml:125(para)

#: serverguide/C/databases.xml:97(para)
msgid ""
"After making a change to <filename>/etc/mysql/my.cnf</filename> the MySQL "
"daemon will need to be restarted:"

#: serverguide/C/databases.xml:104(para)
msgid ""
"If you would like to change the MySQL <emphasis>root</emphasis> password, in "
"a terminal enter:"

#: serverguide/C/databases.xml:109(command)
msgid "sudo dpkg-reconfigure mysql-server-5.5"

#: serverguide/C/databases.xml:111(para)
msgid ""
"The MySQL daemon will be stopped, and you will be prompted to enter a new "
#: serverguide/C/databases.xml:116(title)
29968
msgid "Database Engines"
29971
#: serverguide/C/databases.xml:117(para)
29973
"Whilst the default configuration of MySQL provided by the Ubuntu packages is "
29974
"perfectly functional and performs well there are things you may wish to "
29975
"consider before you proceed."
29978
#: serverguide/C/databases.xml:121(para)
29980
"MySQL is designed to allow data to be stored in different ways. These "
29981
"methods are referred to as either database or storage engines. There are two "
29982
"main engines that you'll be interested in: InnoDB and MyISAM. Storage "
29983
"engines are transparent to the end user. MySQL will handle things "
29984
"differently under the surface, but regardless of which storage engine is in "
29985
"use, you will interact with the database in the same way."
29988
#: serverguide/C/databases.xml:128(para)
29989
msgid "Each engine has its own advantages and disadvantages."
29992
#: serverguide/C/databases.xml:131(para)
29994
"While it is possible, and may be advantageous to mix and match database "
29995
"engines on a table level, doing so reduces the effectiveness of the "
29996
"performance tuning you can do as you'll be splitting the resources between "
29997
"two engines instead of dedicating them to one."
30000
#: serverguide/C/databases.xml:138(para)
30002
"MyISAM is the older of the two. It can be faster than InnoDB under certain "
30003
"circumstances and favours a read only workload. Some web applications have "
30004
"been tuned around MyISAM (though that's not to imply that they will slow "
30005
"under InnoDB). MyISAM also supports the FULLTEXT data type, which allows "
30006
"very fast searches of large quantities of text data. However MyISAM is only "
30007
"capable of locking an entire table for writing. This means only one process "
30008
"can update a table at a time. As any application that uses the table scales "
30009
"this may prove to be a hindrance. It also lacks journaling, which makes it "
30010
"harder for data to be recovered after a crash. The following link provides "
30011
"some points for consideration about using <ulink "
30012
"url=\"http://www.mysqlperformanceblog.com/2006/06/17/using-myisam-in-"
30013
"production/\">MyISAM on a production database</ulink>."
30016
#: serverguide/C/databases.xml:152(para)
30018
"InnoDB is a more modern database engine, designed to be <ulink "
30019
"url=\"http://en.wikipedia.org/wiki/ACID\">ACID compliant</ulink> which "
30020
"guarantees database transactions are processed reliably. Write locking can "
30021
"occur on a row level basis within a table. That means multiple updates can "
30022
"occur on a single table simultaneously. Data caching is also handled in "
30023
"memory within the database engine, allowing caching on a more efficient row "
30024
"level basis rather than file block. To meet ACID compliance all transactions "
30025
"are journaled independently of the main tables. This allows for much more "
30026
"reliable data recovery as data consistency can be checked."
30029
#: serverguide/C/databases.xml:165(para)
30031
"As of MySQL 5.5 InnoDB is the default engine, and is highly recommended over "
30032
"MyISAM unless you have specific need for features unique to the engine."
30035
#: serverguide/C/databases.xml:170(title)
30036
msgid "Advanced configuration"
30039
#: serverguide/C/databases.xml:172(title)
30040
msgid "Creating a tuned my.cnf file"
30043
#: serverguide/C/databases.xml:173(para)
30045
"There are a number of parameters that can be adjusted within MySQL's "
30046
"configuration file that will allow you to improve the performance of the "
30047
"server over time. For initial set-up you may find <ulink "
30048
"url=\"http://tools.percona.com/members/wizard\">Percona's my.cnf generating "
30049
"tool</ulink> useful. This tool will help generate a my.cnf file that will be "
30050
"much more optimised for your specific server capabilities and your "
30054
#: serverguide/C/databases.xml:178(para)
30056
"<emphasis>Do not</emphasis> replace your existing my.cnf file with Percona's "
30057
"one if you have already loaded data into the database. Some of the changes "
30058
"that will be in the file will be incompatible as they alter how data is "
30059
"stored on the hard disk and you'll be unable to start MySQL. If you do wish "
30060
"to use it and you have existing data, you will need to carry out a mysqldump "
30061
"and reload: <screen>\n"
30062
"mysqldump --all-databases --all-routines -u root -p > ~/fulldump.sql\n"
30063
"</screen> This will then prompt you for the root password before creating a "
30064
"copy of the data. It is advisable to make sure there are no other users or "
30065
"processes using the database whilst this takes place. Depending on how much "
30066
"data you've got in your database, this may take a while. You won't see "
30067
"anything on the screen during this process."
30070
#: serverguide/C/databases.xml:189(para)
30072
"Once the dump has been completed, shut down MySQL: <screen>\n"
30073
"<command>sudo service mysql stop</command>\n"
30074
"</screen> Now backup the original my.cnf file and replace with the new one: "
30076
"<command>sudo cp /etc/my.cnf /etc/my.cnf.backup</command>\n"
30077
"<command>sudo cp /path/to/new/my.cnf /etc/my.cnf</command>\n"
30078
"</screen> Then delete and re-initialise the database space and make sure "
30079
"ownership is correct before restarting MySQL: <screen>\n"
30080
"<command>sudo rm -rf /var/lib/mysql/*</command>\n"
30081
"<command>sudo mysql_install_db</command>\n"
30082
"<command>sudo chown -R mysql: /var/lib/mysql</command>\n"
30083
"<command>sudo service start mysql</command>\n"
30084
"</screen> Finally all that's left is to re-import your data. To give us an "
30085
"idea of how far the import process has got you may find the 'Pipe Viewer' "
30086
"utility, pv, useful. The following shows how to install and use pv for this "
30087
"case, but if you'd rather not use it just replace pv with cat in the "
30088
"following command. Ignore any ETA times produced by pv, they're based on the "
30089
"average time taken to handle each row of the file, but the speed of "
30090
"inserting can vary wildly from row to row with mysqldumps: <screen>\n"
30091
"<command>sudo apt-get install pv</command>\n"
30092
"<command>pv ~/fulldump.sql | mysql</command>\n"
30093
"</screen> Once that is complete all is good to go!"
30096
#: serverguide/C/databases.xml:215(para)
30098
"This is not necessary for all my.cnf changes. Most of the variables you may "
30099
"wish to change to improve performance are adjustable even whilst the server "
30100
"is running. As with anything, make sure to have a good backup copy of config "
30101
"files and data before making changes."
#: serverguide/C/databases.xml:224(title)
msgid "MySQL Tuner"

#: serverguide/C/databases.xml:225(para)
msgid ""
"<application>MySQL Tuner</application> is a useful tool that will connect to "
"a running MySQL instance and offer suggestions for how it can be best "
"configured for your workload. The longer the server has been running for, "
"the better the advice mysqltuner can provide. In a production environment, "
"consider waiting for at least 24 hours before running the tool. You can "
"install mysqltuner from the Ubuntu repositories: <screen>\n"
"<command>sudo apt-get install mysqltuner</command>\n"
"</screen> Then once it's been installed, run it: <screen>\n"
"<command>mysqltuner</command>\n"
"</screen> and wait for its final report. The top section provides general "
"information about the database server, and the bottom section provides "
"tuning suggestions to alter in your my.cnf. Most of these can be altered "
"live on the server without restarting; look through the official MySQL "
"documentation (link in Resources section) for the relevant variables to "
"change in production. The following is part of an example report from a "
"production database which shows there may be some benefit from increasing "
"the amount of query cache: <screen>\n"
"-------- Recommendations ----------------------------------------------------"
"General recommendations:\n"
" Run OPTIMIZE TABLE to defragment tables for better performance\n"
" Increase table_cache gradually to avoid file descriptor limits\n"
"Variables to adjust:\n"
" key_buffer_size (> 1.4G)\n"
" query_cache_size (> 32M)\n"
" table_cache (> 64)\n"
" innodb_buffer_pool_size (>= 22G)\n"

#: serverguide/C/databases.xml:259(para)
msgid ""
"One final comment on tuning databases: whilst we can broadly say that "
"certain settings are the best, performance can vary from application to "
"application. For example, what works best for Wordpress might not be the "
"best for Drupal, Joomla or proprietary applications. Performance is "
"dependent on the types of queries, use of indexes, how efficient the "
"database design is and so on. You may find it useful to spend some time "
"searching for database tuning tips based on what applications you're using "
"it for. Once you get past a certain point any adjustments you make will only "
"result in minor improvements, and you'll be better off either improving the "
"application, or looking at scaling up your database environment through "
"either using more powerful hardware or by adding slave servers."
#: serverguide/C/databases.xml:276(para)
msgid ""
"See the <ulink url=\"http://www.mysql.com/\">MySQL Home Page</ulink> for "
"more information."

#: serverguide/C/databases.xml:130(para)
msgid ""
"The <emphasis>MySQL Handbook</emphasis> is also available in the "
"<application>mysql-doc-5.0</application> package. To install the package "
"enter the following in a terminal:"

#: serverguide/C/databases.xml:135(command)
msgid "sudo apt-get install mysql-doc-5.0"

#: serverguide/C/databases.xml:137(para)
msgid ""
"The documentation is in HTML format; to view it, enter "
"<command>file:///usr/share/doc/mysql-doc-5.0/refman-5.0-en.html-"
"chapter/index.html</command> in your browser's address bar."

#: serverguide/C/databases.xml:281(para)
msgid ""
"Full documentation is available in both online and offline formats from the "
"<ulink url=\"http://dev.mysql.com/doc/\">MySQL Developers portal</ulink>."

#: serverguide/C/databases.xml:143(para) serverguide/C/databases.xml:290(para)
#: serverguide/C/databases.xml:287(para)
msgid ""
"For general SQL information see <ulink "
"url=\"http://www.informit.com/store/product.aspx?isbn=0768664128\">Using SQL "
"Special Edition</ulink> by Rafe Colburn."

#: serverguide/C/databases.xml:149(para)
#: serverguide/C/databases.xml:293(para)
msgid ""
"The <ulink url=\"https://help.ubuntu.com/community/ApacheMySQLPHP\">Apache "
"MySQL PHP Ubuntu Wiki</ulink> page also has useful information."
22597
#: serverguide/C/databases.xml:158(para)
#: serverguide/C/databases.xml:303(para)
"PostgreSQL is an object-relational database system that has the features of "
"traditional commercial database systems with enhancements to be found in "
"next-generation DBMS systems."
#: serverguide/C/databases.xml:165(para)
#: serverguide/C/databases.xml:310(para)
"To install PostgreSQL, run the following command in the command prompt:"
#: serverguide/C/databases.xml:172(command)
#: serverguide/C/databases.xml:316(command)
msgid "sudo apt-get install postgresql"
#: serverguide/C/databases.xml:176(para)
#: serverguide/C/databases.xml:319(para)
"Once the installation is complete, you should configure the PostgreSQL "
"server based on your needs, although the default configuration is viable."
#: serverguide/C/databases.xml:184(para)
#: serverguide/C/databases.xml:326(para)
"By default, connection via TCP/IP is disabled. PostgreSQL supports multiple "
"client authentication methods. The IDENT authentication method is used for "
"<application>postgres</application> and local users, unless otherwise "
"configured. Please refer to <ulink "
"url=\"http://www.postgresql.org/docs/8.4/static/admin.html\">the PostgreSQL "
"Administrator's Guide</ulink> if you would like to configure alternatives "
"like Kerberos."
#: serverguide/C/databases.xml:191(para)
#: serverguide/C/databases.xml:332(para)
"The following discussion assumes that you wish to enable TCP/IP connections "
"and use the MD5 method for client authentication. PostgreSQL configuration "