Annotation of wikisrc/the_netbsd_system_manager__39__s_manual.mdwn, revision 1.4

This is the NetBSD System Manager's Manual, derived from the [bsdwiki book](http://bsdwiki.reedmedia.net/).

**Contents**

[[!toc levels=3]]

# Installing and Upgrading NetBSD

## Recognize the installation program used by NetBSD

## Recognize which commands are available for upgrading

## Understand the difference between a pre-compiled binary and compiling from source

## Understand when it is preferable to install a pre-compiled binary and how to do so

Installing a pre-compiled binary is preferable when CPU power is low and/or disk space is limited.

## Recognize the available methods for compiling a customized binary

## Determine what software is installed on a system

To obtain a list of all third-party software installed on a NetBSD system using the [pkgsrc](http://www.pkgsrc.org) package management system, execute the [pkg_info(1)](http://netbsd.gw.com/cgi-bin/man-cgi?pkg_info++NetBSD-current) command with no arguments:

    $ pkg_info

                     28: ##  Determine which software requires upgrading 
                     29: 
                     30: To determine which software requires upgrading, you have to install pkg_chk first, which is available in [pkgtools/pkg_chk](http://pkgsrc.se/pkgtools/pkg_chk) from pkgsrc. When done, asure that your pkgsrc tree is up to date and enter: 
                     31: 
                     32:     # pkg_chk -q -u
                     33:     
                     34: 
                     35: to see which packages needs to be upgraded. 
                     36: 
                     37: ##  Upgrade installed software 
                     38: 
                     39: There are many ways to upgrade installed software use one of the following 
                     40: 
                     41:   * pkgtools/[pkg_rolling-replace](http://pkgsrc.se/pkgtools/pkg_rolling-replace)
                     42:   * pkgtools/[pkg_chk](http://pkgsrc.se/pkgtools/pkg_chk)
                     43: 
                     44: or use `make update` in the pkgsrc directory of the package that needs to be updated. 
                     45: 
                     46: ##  Determine which software have outstanding security advisories 
                     47: 
                     48: You can use pkgsrc's auditing feature to (periodicaly) check for package vulnerabilites. 
                     49: 
                     50: Install [security/audit-packages](http://pkgsrc.se/security/audit-packages) first. 
                     51: 
                     52: _If you dont know how to install a package, read the section about installing packages, or the [pkgsrc user guide](http://www.netbsd.org/docs/pkgsrc/).
                     53: 
                     54: To audit the packages, you have to download the vulnerability list: 
                     55:     
                     56:     # download-vulenability-list
                     57:     
                     58: 
                     59: You can put the following to your crontab to automate this: 
                     60:     
                     61:     0 3 * * * /usr/pkg/sbin/download-vulnerability-list >/dev/null 2>&1
                     62:     
                     63: 
                     64: This will update the vulnerability list every day at 3AM. You may wish to do this more often than once a day. 
                     65: 
                     66: You can also ask NetBSD to include the vulnerability check in the security report: 
                     67: 
                     68: Put this into `/etc/security.local`: 
                     69:     
                     70:     if [ -x /usr/pkg/sbin/audit-packages ]; then
                     71:             /usr/pkg/sbin/audit-packages
                     72:     fi
                     73:     
                     74: 
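
To make visible what the audit step in the security report actually does, here is an added example (not part of this page and not the code of audit-packages itself): a simplified re-implementation of the matching of installed package names against a pkg-vulnerabilities list. It handles the common pattern forms `pkg<ver`, `pkg<=ver`, `pkg>=ver<ver` and `pkg-[0-9]*`, and versions made of dotted numbers with an optional `nbN` suffix; the vulnerability entries, package names and URLs in it are constructed sample data, not real advisories.

```python
"""Match installed pkgsrc packages against a pkg-vulnerabilities list.

Added example (not part of the wiki page or of audit-packages): a
simplified re-implementation of the check audit-packages performs, so the
logic behind the security-report entry above is visible.  Supported
pattern forms: 'pkg<ver', 'pkg<=ver', 'pkg>=ver<ver' and 'pkg-[0-9]*'.
Versions are limited to dotted numbers with an optional 'nbN' suffix.
The vulnerability entries and package names below are constructed.
"""
import re

# Constructed sample in the pkg-vulnerabilities layout: comments start with
# '#', each entry has three whitespace-separated fields (package pattern,
# kind of vulnerability, reference URL).  The URLs are placeholders.
SAMPLE_VULN_LIST = """\
#FORMAT 1.0.0
# constructed entries, not real advisories
examplepkg<1.2.3 remote-code-execution http://advisories.example/EXAMPLE-0001
examplepkg>=2.0<2.0.5 denial-of-service http://advisories.example/EXAMPLE-0002
otherpkg-[0-9]* information-disclosure http://advisories.example/EXAMPLE-0003
"""

_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0,
        ">": lambda c: c > 0, ">=": lambda c: c >= 0}


def parse_version(version):
    """'1.2.3nb2' -> ((1, 2, 3), 2); the nb part is pkgsrc's own revision."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)*)(?:nb([0-9]+))?", version)
    if not m:
        raise ValueError("unsupported version syntax: %r" % version)
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts, int(m.group(2) or 0)


def compare_versions(a, b):
    """Dewey-style compare returning -1, 0 or 1.  Missing trailing
    components count as 0 (so 1.2 == 1.2.0); nbN only breaks ties."""
    (pa, na), (pb, nb) = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return int((pa, na) > (pb, nb)) - int((pa, na) < (pb, nb))


def split_installed(pkgname):
    """'examplepkg-1.2.3nb2' -> ('examplepkg', '1.2.3nb2')."""
    name, _, version = pkgname.rpartition("-")
    return name, version


def pattern_matches(pattern, pkgname):
    """Does one pkg-vulnerabilities pattern cover the installed package?"""
    name, version = split_installed(pkgname)
    if pattern.endswith("-[0-9]*"):          # every version of the package
        return pattern[:-len("-[0-9]*")] == name
    m = re.fullmatch(r"([^<>=]+)((?:[<>]=?[^<>=]+)+)", pattern)
    if m is None or m.group(1) != name:
        return False
    # Every relational clause (one or two of them) must hold.
    return all(_OPS[op](compare_versions(version, bound))
               for op, bound in re.findall(r"([<>]=?)([^<>=]+)", m.group(2)))


def parse_vuln_list(text):
    """Yield (pattern, kind, url) for each well-formed entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            yield tuple(fields)


def audit(installed, vuln_text):
    """Return (package, kind, url) for every installed package that an
    entry covers, in the order the entries appear."""
    return [(pkg, kind, url)
            for pattern, kind, url in parse_vuln_list(vuln_text)
            for pkg in installed if pattern_matches(pattern, pkg)]


if __name__ == "__main__":
    # Constructed stand-in for the package names pkg_info prints.
    installed = ["examplepkg-1.2.0nb1", "otherpkg-3.1", "safepkg-4.0"]
    for pkg, kind, url in audit(installed, SAMPLE_VULN_LIST):
        print("Package %s has a %s vulnerability, see %s" % (pkg, kind, url))
```

Two details matter for correctness here and in the real tool: `1.2` and `1.2.0` must compare equal, and a `nbN` pkgsrc revision must only break ties between otherwise equal versions, otherwise packages are wrongly reported as fixed or as vulnerable.
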
                     75: ##  Follow the instructions in a security advisory to apply a security patch 
                     76: 
                     77: #  Securing the NetBSD Operating System 
                     78: 
                     79: ##  Determine the system's security level 
                     80: 
                     81: See the value of `kern.securelevel` (cf. [sysctl(8)](http://netbsd.gw.com/cgi-bin/man-cgi?sysctl+8+NetBSD-current)) : 
                     82: 
                     83: $ sysctl kern.securelevel
                     84:     kern.securelevel = 1
                     85:     
                     86: 
                     87: ##  Recognize basic recommended access methods 
                     88: 
                     89: ##  Configure an SSH server according to a set of requirements 
                     90: 
                     91: Edit `/etc/ssh/sshd_config`. When all seems fine, relaunch [sshd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?sshd++NetBSD-current) daemon with : 
                     92: 
                     93:     # /etc/rc.d/sshd restart
                     94:     
                     95: 
                     96: If you are working remotely via an SSH connexion, don't worry: with privileges separation (as default), your working connexion won't be claused. 
                     97: 
                     98: ##  Configure an SSH server to use a key pair for authentication 
                     99: 
                    100: In `/etc/ssh/sshd_config`, uncomment lines: 
                    101:     
                    102:     PasswordAuthentication no
                    103:     PermitEmptyPasswords no
                    104:     
                    105: 
                    106: If you want to connect as root (don't do this), at least use keys with: 
                    107:     
                    108:     PermitRootLogin without-password
                    109:     
                    110: 
                    111: Don't forget to relaunch daemon. 
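
A common mistake when applying the settings above is to append them at the end of `sshd_config` while an earlier, uncommented line still sets the opposite value: sshd uses the first obtained value of each keyword. The following added example (not part of this page and not OpenSSH code) reads a configuration the way sshd_config(5) describes (case-insensitive keywords, `#` comment lines, first value wins, everything after a `Match` line conditional) and reports which of the three settings from this section are not in effect. The `DEFAULTS` table is an assumption about the compiled-in defaults of current OpenSSH (PermitRootLogin defaulted to `yes` before OpenSSH 7.0), and both configuration texts are constructed samples.

```python
"""Check an sshd_config against the key-pair authentication settings above.

Added example, not part of the wiki page and not OpenSSH code: it reads a
configuration the way sshd_config(5) describes (keywords are case-
insensitive, '#' lines are comments, the first obtained value of a keyword
wins, and everything after a 'Match' line is conditional), then reports
which of the three settings from this section are not in effect.  The
DEFAULTS table is an assumption about the compiled-in defaults; note that
PermitRootLogin defaulted to 'yes' before OpenSSH 7.0.  The configuration
texts are constructed samples.
"""
import re

# Constructed: an admin appended 'PasswordAuthentication no' at the end, but
# an earlier uncommented 'yes' still wins, and root login is wide open.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config
Port 22
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin yes
PasswordAuthentication no
Match User backup
    PermitRootLogin no
"""

# Constructed: the configuration this section asks for.
FIXED_SSHD_CONFIG = """\
Port 22
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin without-password
"""

# Assumed compiled-in defaults used when a keyword does not appear at all.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
}

# keyword -> values that satisfy this section (lower-cased).
REQUIREMENTS = {
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    # 'without-password' is the older spelling of 'prohibit-password'.
    "permitrootlogin": {"no", "without-password", "prohibit-password"},
}


def effective_settings(config_text):
    """Return {keyword: value} for the global section of an sshd_config."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # 'Keyword value' or 'Keyword=value' (sshd_config(5) allows both).
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break                       # conditional block: not global
        value = parts[1] if len(parts) > 1 else ""
        settings.setdefault(keyword, value)   # first occurrence wins
    return settings


def check_sshd_config(config_text, defaults=DEFAULTS):
    """Return [(keyword, effective_value)] for settings violating
    REQUIREMENTS; an empty list means the section's requirements hold."""
    settings = effective_settings(config_text)
    violations = []
    for keyword, allowed in REQUIREMENTS.items():
        value = settings.get(keyword, defaults[keyword]).lower()
        if value not in allowed:
            violations.append((keyword, value))
    return violations


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SSHD_CONFIG), ("fixed", FIXED_SSHD_CONFIG)):
        print(name, check_sshd_config(text) or "ok")
```

On a live system the reliable check remains the daemon's own view of its configuration, but the first-match rule is what makes the appended `PasswordAuthentication no` in the sample ineffective, and the checker reports exactly that.
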
                    112: 
                    113: ##  Preserve existing SSH host keys during a system upgrade 
                    114: 
                    115: The SSH keys live under `/etc/ssh`. Just [tar(1)](http://netbsd.gw.com/cgi-bin/man-cgi?atr++NetBSD-current) up all key files and extract the archive on the new system. 
                    116: 
                    117: ##  Recognize alternate authentication mechanisms 
                    118: 
                    119: ##  Recognize alternate authorization schemes 
                    120: 
                    121: ##  Recognize firewalls and rulesets 
                    122: 
                    123: To see input rules: 
                    124:     
                    125:     # ipfstat -hin
                    126:     
                    127: 
                    128: `-o` (instead of `-i`) option gives output rules. `-6` option manipulates IPv6 rules. `-n` display groups and rules numbers, useful when searching from logs. 
                    129: 
                    130: IPNAT rules can be listed with: 
                    131:     
                    132:     # ipnat -l
                    133:     
                    134: 
                    135: ##  Recognize utilities that shape traffic or control bandwidth 
                    136: 
                    137: ##  Recognize mechanisms for encrypting devices 
                    138:     
                    139:     $ man cgd
                    140:     
                    141: 
                    142: ##  Recognize methods for verifying the validity of binaries 
                    143: 
                    144: By default, `/etc/daily` launch `/etc/security` which uses [mtree(8)](http://netbsd.gw.com/cgi-bin/man-cgi?mtree++NetBSD-current). 
                    145: 
                    146: 
                    147: To check if [veriexec(4)](http://netbsd.gw.com/cgi-bin/man-cgi?veriexec++NetBSD-current) is up: 
                    148:     
                    149: 
                    150: $ sysctl kern.veriexec.strict
                    151:     kern.veriexec.strict=1
                    152:     
                    153: 
                    154: Read [veriexec chapter](http://www.netbsd.org/docs/guide/en/chap-veriexec.html) from [NetBSD Guide](http://www.netbsd.org/docs/guide/en/) for more information. 
                    155: 
                    156: ##  Enable exploit mitigation 
                    157: 
1.4     ! sevan     158: Follow advices in [security(7)](http://netbsd.gw.com/cgi-bin/man-cgi?security++NetBSD-current) man page. 
1.2       schmonz   159: 
                    160: 
                    161: ##  Recognize methods for restraining a service 
                    162: 
                    163:   * [chroot(8)](http://netbsd.gw.com/cgi-bin/man-cgi?chroot+8+NetBSD-current)
                    164:   * [systrace(1)](http://netbsd.gw.com/cgi-bin/man-cgi?systrace+1+NetBSD-current)
                    165:   * [Xen](http://www.netbsd.org/ports/xen)
                    166: 
                    167: ##  Modify the system banner 
                    168: 
                    169: Edit `/etc/motd`. 
                    170: 
                    171: You can also add a banner before SSH connexion; to do that, add: 
                    172:     
                    173:     Banner /etc/ssh/issue
                    174:     
                    175: 
                    176: in `/etc/ssh/sshd_config` and put what you want to be displayed before SSH auth in file `/etc/ssh/issue`. 
                    177: 
# Files, Filesystems and Disks

## Mount or unmount local filesystems

To mount a file system, use the [mount(8)](http://netbsd.gw.com/cgi-bin/man-cgi?mount++NetBSD-current) command. The general syntax is:

    # mount [options] device_node mount_point

The available options may be found in the man page. Typically, it will be necessary to at least use the `-t` option to specify the type of filesystem to be mounted. For example, to mount a CD-ROM device, specify the ISO 9660 format with a command like the following:

    # mount -t cd9660 /dev/cd0d /mnt/cdrom

To unmount a mounted filesystem, use the [umount(8)](http://netbsd.gw.com/cgi-bin/man-cgi?umount++NetBSD-current) command. To unmount the mounted filesystem `/mnt/cdrom`, simply execute:

    # umount /mnt/cdrom

Note that unmounting a filesystem will fail if any running process has a directory in that filesystem as its present working directory. For example:

    # mount -t cd9660 /dev/cd0d /mnt/cdrom
    # cd /mnt/cdrom
    # umount /mnt/cdrom
    umount: /mnt/cdrom: Device busy
    # cd
    # umount /mnt/cdrom
    #

## Configure data to be available through NFS

Let's share `/export/data`. Create the file `/etc/exports` as:

    $ cat /etc/exports
    /export/data -maproot=nobody -ro -network 192.168.1.0 -mask 255.255.255.0

Here, the file system will be read only (option `-ro`), available only to clients from `192.168.1.0/24`, and root access from clients will be mapped to `nobody` access on the server (we don't trust our clients). The syntax and options are documented in [exports(5)](http://netbsd.gw.com/cgi-bin/man-cgi?exports+5+NetBSD-current).

We have to start [rpcbind(8)](http://netbsd.gw.com/cgi-bin/man-cgi?rpcbind+8+NetBSD-current), [mountd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?mountd+8+NetBSD-current), [rpc.lockd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?rpc.lockd+8+NetBSD-current), [nfsd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?nfsd+8+NetBSD-current) and [rpc.statd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?rpc.statd+8+NetBSD-current). In order to do that, edit `/etc/rc.conf` and set:

    rpcbind=YES
    rpcbind_flags="-l"
    mountd=YES
    nfs_server=YES
    statd=YES
    lockd=YES

The flag `-l` tells [rpcbind(8)](http://netbsd.gw.com/cgi-bin/man-cgi?rpcbind+8+NetBSD-current) to use _libwrap_ ([hosts_options(5)](http://netbsd.gw.com/cgi-bin/man-cgi?hosts_options+5+NetBSD-current)). Edit `/etc/hosts.allow` and set:

    rpcbind: 192.168.1.0/255.255.255.0 ALLOW

to allow clients to connect to the server.

On the clients, we have to start [rpcbind(8)](http://netbsd.gw.com/cgi-bin/man-cgi?rpcbind+8+NetBSD-current), [rpc.statd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?rpc.statd+8+NetBSD-current) and [rpc.lockd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?rpc.lockd+8+NetBSD-current); edit `/etc/rc.conf` and set:

    rpcbind=YES
    rpcbind_flags="-l"
    nfs_client=YES
    statd=YES
    lockd=YES

Now, let's mount the file system on the client:

    # mount -o ro server:/export/data /data
    $ mount | grep data
    server:/export/data on /data type nfs (read-only)

Don't forget to add a line in `/etc/fstab` ([fstab(5)](http://netbsd.gw.com/cgi-bin/man-cgi?fstab+5+NetBSD-current)):

    server:/export/data /data nfs ro 0 0

to mount the file system at boot time. That's all.

See the NetBSD Guide [[1]](http://www.netbsd.org/docs/guide/en/chap-net-misc.html#chap-net-misc-nfs) for more details.
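
The export above is protected by two independent layers: the libwrap rule in front of rpcbind and the `-network`/`-mask` restriction that mountd enforces. The following added example (not part of this page, nor code from mountd or rpcbind) parses the two configuration lines shown in this section and reports, for a client address, what the rpcbind rule decides, whether the export's network restriction admits the client, and how root is mapped. It understands only the export options used here (`-ro`, `-maproot`, `-network`, `-mask`) and the client patterns `ALL` and address/mask; because the page's hosts_options(5) line separates the action with a space, the parser accepts either whitespace or `:` between fields. The second rule list, with a catch-all `DENY`, is a constructed addition, and all addresses are constructed test values.

```python
"""Work out what a client gets from the NFS configuration in this section.

Added example, not part of the wiki page, of mountd or of rpcbind: it
parses the exports(5) line and the libwrap rule shown above and reports,
for a client address, what the rpcbind rule decides, whether mountd's
-network/-mask restriction admits the client, and how root is mapped.
Only the export options used on this page (-ro, -maproot, -network, -mask)
and the client patterns ALL and address/mask are understood.  Because the
page's hosts_options(5) line writes the action after a space, the parser
accepts either whitespace or ':' between fields.  All addresses below are
constructed test values.
"""
import ipaddress
import re

EXPORTS_LINE = "/export/data -maproot=nobody -ro -network 192.168.1.0 -mask 255.255.255.0"

# The rule from this section alone, and with an explicit catch-all deny
# (a constructed addition: without it, unmatched clients fall through to
# /etc/hosts.deny and, failing that, to libwrap's default of granting access).
HOSTS_ALLOW_PAGE = ["rpcbind: 192.168.1.0/255.255.255.0 ALLOW"]
HOSTS_ALLOW_STRICT = HOSTS_ALLOW_PAGE + ["rpcbind: ALL: DENY"]


def parse_export(line):
    """Return a dict with path, ro flag, maproot user and allowed network."""
    tokens = line.split()
    export = {"path": tokens[0], "ro": False, "maproot": None,
              "network": None, "mask": None}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-ro":
            export["ro"] = True
        elif tok.startswith("-maproot="):
            export["maproot"] = tok.split("=", 1)[1]
        elif tok in ("-network", "-mask"):
            export[tok[1:]] = tokens[i + 1]
            i += 1
        i += 1
    if export["network"] is None:
        export["allowed"] = None          # no -network: no address restriction
    else:
        export["allowed"] = ipaddress.ip_network(
            "%s/%s" % (export["network"], export["mask"] or "255.255.255.255"),
            strict=False)
    return export


def wrap_decision(client, rules, daemon="rpcbind"):
    """First matching libwrap rule decides; 'NO-MATCH' means none of the
    given rules applies, so hosts.deny and the default-allow logic decide."""
    for rule in rules:
        fields = [f for f in re.split(r"[:\s]+", rule.strip()) if f]
        if len(fields) != 3 or fields[0] != daemon:
            continue
        pattern, action = fields[1], fields[2].upper()
        if pattern == "ALL" or client in ipaddress.ip_network(pattern, strict=False):
            return action
    return "NO-MATCH"


def client_access(client_ip, rules=HOSTS_ALLOW_PAGE, exports_line=EXPORTS_LINE):
    """Summarise what a client address can do with the export."""
    client = ipaddress.ip_address(client_ip)
    export = parse_export(exports_line)
    decision = wrap_decision(client, rules)
    in_network = export["allowed"] is None or client in export["allowed"]
    return {
        "rpcbind": decision,
        # A client rpcbind turns away cannot look up mountd's port; one that
        # gets through must still be inside the export's network.
        "mount": decision != "DENY" and in_network,
        "read_only": export["ro"],
        "root_maps_to": export["maproot"],
    }


if __name__ == "__main__":
    for ip in ("192.168.1.20", "10.0.0.7"):
        print(ip, client_access(ip), client_access(ip, HOSTS_ALLOW_STRICT))
```

The point the second rule list makes is that a lone `ALLOW` entry only grants; hosts_access(5) grants access to anything that matches neither `hosts.allow` nor `hosts.deny`, so restricting rpcbind to the LAN needs an explicit deny for everyone else. The export line itself still keeps outsiders from mounting, which is why the two layers are worth keeping in step.
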

## Determine which filesystems are currently mounted and which will be mounted at system boot

A list of currently mounted filesystems can be obtained by running the [mount(8)](http://netbsd.gw.com/cgi-bin/man-cgi?mount++NetBSD-current) command without any arguments.

The file [fstab(5)](http://netbsd.gw.com/cgi-bin/man-cgi?fstab++NetBSD-current) in `/etc` contains information about which filesystems are mounted at system boot and what options they are mounted with, whether they should be [fsck(8)](http://netbsd.gw.com/cgi-bin/man-cgi?fsck++NetBSD-current)ed and if so in what order, etc.

## Determine disk capacity and which files are consuming the most disk space

Disk capacity:

    $ df -h

Total size (in kilobytes) of the current directory:

    $ du -sk

Report by file size:

    $ du -k | sort -n

## Create and view symbolic or hard links

Symbolic link:

    $ ln -s sourcefile targetfile

Hard link:

    $ ln sourcefile targetfile

## View file permissions and modify them using either symbolic or octal mode

View file permissions:

    $ ls -l filename

Change file permissions:

    $ chmod 644 filename

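
The section above shows only the octal form; the following added example (not part of this page, and not chmod's own code) shows how the mode column of `ls -l` maps to an octal mode and what a symbolic mode such as `u+x,go-w` or `o=r` does to it, so the resulting permissions can be checked before running `chmod`. Only the `rwx` bits are handled (no setuid, setgid or sticky), and the umask's effect on a clause with no subject letters is ignored, which is why every clause in the examples names its subject.

```python
"""See what a chmod(1) mode does to a file's permission bits before running it.

Added example, not part of the wiki page: it converts the mode column of
'ls -l' to an octal mode and applies chmod-style symbolic modes such as
'u+x,go-w' or 'o=r'.  Only the rwx bits are handled (no setuid/setgid/
sticky) and the umask's effect on a clause with no 'who' letters is
ignored, which is why every clause in the examples names its subject.
"""
import re
import stat

WHO_MASK = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}


def ls_mode_to_octal(mode_string):
    """'-rw-r--r--' -> 0o644.  The type character is ignored; 's' and 't'
    count as the x bit being set, 'S' and 'T' as it being clear."""
    if len(mode_string) != 10:
        raise ValueError("expected a 10-character ls -l mode: %r" % mode_string)
    value = 0
    for ch in mode_string[1:]:
        value = (value << 1) | (1 if ch in "rwxst" else 0)
    return value


def octal_to_ls_mode(mode):
    """0o644 -> '-rw-r--r--' for a regular file."""
    return stat.filemode(stat.S_IFREG | (mode & 0o777))


def apply_symbolic(mode, spec):
    """Apply a symbolic mode ('u+x,go-w', 'o=r', 'a-x') to an octal mode."""
    for clause in spec.split(","):
        i, who = 0, 0
        while i < len(clause) and clause[i] in WHO_MASK:
            who |= WHO_MASK[clause[i]]
            i += 1
        if i == 0:
            who = 0o777                 # no who letters: treat as 'a'
        rest = clause[i:]
        if not re.fullmatch(r"(?:[+=-][rwx]*)+", rest):
            raise ValueError("bad symbolic clause: %r" % clause)
        for op, perms in re.findall(r"([+=-])([rwx]*)", rest):
            bits = 0
            for p in perms:
                bits |= PERM_BITS[p]
            bits &= who                 # only the subjects named in the clause
            if op == "+":
                mode |= bits
            elif op == "-":
                mode &= ~bits
            else:                       # '=' clears the subjects, then sets
                mode = (mode & ~who) | bits
    return mode & 0o777


if __name__ == "__main__":
    current = ls_mode_to_octal("-rw-r--r--")          # from 'ls -l filename'
    for spec in ("u+x", "go-r", "a=r", "u=rwx,go=rx"):
        new = apply_symbolic(current, spec)
        print("chmod %-12s -> %o (%s)" % (spec, new, octal_to_ls_mode(new)))
```

The difference between `+`/`-` and `=` is the one that bites in practice: `go=r` replaces whatever group and others had, while `go-w` only takes the write bit away and leaves an unexpected execute bit in place.
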
## Modify a file's owner or group

The [chown(8)](http://netbsd.gw.com/cgi-bin/man-cgi?chown++NetBSD-current) command can be used to modify a file's owner or group.

To change the owner of the file `somefile` to the user `someuser`, execute:

    chown someuser somefile

Similarly, to change the group of the file `somefile` to the group `somegroup`, execute:

    chown :somegroup somefile

If you like, you can change both the group and owner of a file with a single command. To implement both of the modifications made by the two commands above, execute:

    chown someuser:somegroup somefile

Note that there is also a [chgrp(1)](http://netbsd.gw.com/cgi-bin/man-cgi?chgrp++NetBSD-current) command to change the group of a file.

To change the group of the file `somefile` to the group `somegroup`, execute:

    chgrp somegroup somefile

## Backup and restore a specified set of files and directories to local disk or tape

Create your (compressed) archive with:

    $ tar cvfz backup.tgz somedirectory/

  * `c` option: create the archive,
  * `z` option: compress the archive with [gzip(1)](http://netbsd.gw.com/cgi-bin/man-cgi?gzip++NetBSD-current),
  * `f` option: output to a file; if you omit this option, [tar(1)](http://netbsd.gw.com/cgi-bin/man-cgi?tar++NetBSD-current) will write the archive to `/dev/st0` (the default tape),
  * `v` option: verbose output, i.e. files added to the archive will be displayed.

To restore, use:

    $ tar xzpf backup.tgz

  * `x` option: extract the archive,
  * `p` option: preserve ownership.

See also [pax(1)](http://netbsd.gw.com/cgi-bin/man-cgi?pax++NetBSD-current) and [cpio(1)](http://netbsd.gw.com/cgi-bin/man-cgi?cpio++NetBSD-current).

## Backup and restore a file system

    # dump 0f - filesystem | (cd /altroot; restore rf -)

where `filesystem` is the mount point or raw device of the file system to dump. See [dump(8)](http://netbsd.gw.com/cgi-bin/man-cgi?dump++NetBSD-current) and [restore(8)](http://netbsd.gw.com/cgi-bin/man-cgi?restore++NetBSD-current).

## Backup using ffs snapshots

Snapshots let you work with an atomic copy of a file system, taken at the time of the snapshot. This is very useful, for instance, to back up a file system on which database applications such as PostgreSQL may be running, without the need to stop and restart the database application.

See [fssconfig(8)](http://netbsd.gw.com/cgi-bin/man-cgi?fssconfig++NetBSD-current) and [fss(4)](http://netbsd.gw.com/cgi-bin/man-cgi?fss++NetBSD-current) for more details. Here, for the sake of an example, we will suppose that we want to back up a live `/` file system using `rsync` to a `/backup` file system.

Let's first create the "atomic" snapshot of the `/` file system:

    # fssconfig -cx fss0 / /tmp/back

We have now configured the device `/dev/fss0` to be a snapshot mirror of the `/` file system, using the temporary log `/tmp/back`, to which new writes will be added for as long as the snapshot device is configured. This file will be automatically deleted at device unconfiguration because of the optional `-x` switch. You may now use that device with the `dump` command, or mount it and use other backup commands such as `pax`, `tar` or `rsync` as you wish.

    # mount -o ro /dev/fss0 /mnt

We have now mounted the atomic copy of the file system at `/mnt`. Let's update our `/backup` file system from it:

    # rsync -vaHx --delete /mnt/ /backup/

Our "atomic" live backup is done and we no longer need our snapshot:

    # umount /mnt
    # fssconfig -u fss0

## Determine the directory structure of a system

## Manually run the file system checker and repair tool

For FFS filesystems (in this example, the first partition of your first IDE hard disk):

    # fsck /dev/rwd0a

Add the `-y` option with caution: [fsck(8)](http://netbsd.gw.com/cgi-bin/man-cgi?fsck+8+NetBSD-current) then assumes yes as the default answer to all its questions. Use it at your own risk.

## View and modify file flags

Use chflags(1) to modify file flags and `ls -lo` to view them, for example:

    $ chflags uchange pkgsrc.tar.gz
    $ ls -lo pkgsrc.tar.gz
    -rw-r--r--  1 zafer  users  uchg 32072480 May 19 09:12 pkgsrc.tar.gz

## Monitor the virtual memory system

# Users and Accounts Management

## Protect authentication data

## Create, modify and remove user accounts

Create:

    # useradd -m johndoe

Delete:

    # userdel johndoe

Modify:

    # usermod -m -d /home/foo johndoe

## Create a system account

## Control which files are copied to a new user's home directory during account creation

The _-k_ option of the [useradd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?useradd++NetBSD-current) command can be used to specify a "skeleton directory". The contents of the specified skeleton directory will be copied to the new user's home directory. If no skeleton directory is specified with _-k_, the default of `/usr/skel/` is used.

## Change a password

The [passwd(1)](http://netbsd.gw.com/cgi-bin/man-cgi?passwd++NetBSD-current) command can be used to change a password.

Executing passwd with no arguments will change the password of the executing user. The existing password must be supplied before changes can be made. The new password must be entered identically twice, to ensure the password is not set to a misspelling of the intended password. The process looks something like this (note that passwords do not echo):

    $ passwd
    Changing local password for user.
    Old password:
    New password:
    Retype new password:

The superuser may change the password of an arbitrary user by supplying that user's name as the only argument to passwd. Root does not need to supply the user's existing password, and may simply supply a new one. The process looks something like this:

    # passwd user
    Changing local password for user.
    New password:
    Retype new password:

## Force the user to change their password upon next login

    # usermod -F johndoe

## Change the encryption algorithm used to encrypt the password database

The encryption algorithm or algorithms used to encrypt the password database are specified in the [passwd.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?passwd.conf++NetBSD-current) file in `/etc`.

The syntax of the file is straightforward and is made clear by the following example, taken from the man page:

_Use MD5 as the local cipher and old-style DES as the YP cipher. Use blowfish with 2^5 rounds for root:_

    default:
        localcipher = md5
        ypcipher = old

    root:
        localcipher = blowfish,5

The algorithm choices are: `old`, `newsalt,<rounds>`, `md5`, `sha1,<rounds>`, and `blowfish,<rounds>`. Consult the man page for details on allowable round parameters.

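
Changing `passwd.conf` only affects passwords set from then on; every existing entry keeps its old hash until that user's password is changed. The following added example (not part of this page and not NetBSD code) walks a `master.passwd`-style file and classifies each hash by its prefix, so the accounts still on the old DES-based ciphers (or with no password at all) can be found after the switch. The cipher names follow the `passwd.conf` choices above; the password file and every hash string in it are constructed and not real.

```python
"""Report which cipher each entry in a master.passwd(5)-style file uses.

Added example, not part of the wiki page and not NetBSD code: passwd.conf
changes only affect passwords set afterwards, so this walks the password
file and classifies hashes by prefix to find accounts still on the old
ciphers.  The entries below are constructed; the hash strings are not real.
"""

# Constructed master.passwd excerpt (fields: name:password:uid:gid:class:
# change:expire:gecos:home:shell).  None of the hashes is a real password.
SAMPLE_MASTER_PASSWD = """\
# constructed sample, not a real password file
root:$2a$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234:0:0::0:0:Charlie &:/root:/bin/sh
daemon:*:1:1::0:0:The devil himself:/:/sbin/nologin
alice:$1$saltsalt$ABCDEFGHIJKLMNOPQRSTUV:1000:100::0:0:Alice:/home/alice:/bin/ksh
bob:ab3xYz9LpQ2rs:1001:100::0:0:Bob:/home/bob:/bin/sh
carol:$sha1$24000$saltstring$ABCDEFGHIJKLMNOPQRSTUVWXYZ0:1002:100::0:0:Carol:/home/carol:/bin/sh
dave::1003:100::0:0:Dave:/home/dave:/bin/sh
erin:_J9..saltABCDEFGHIJK:1004:100::0:0:Erin:/home/erin:/bin/sh
"""


def classify_hash(h):
    """Return (cipher, rounds_or_None) for a master.passwd hash field, using
    the passwd.conf(5) cipher names: old, newsalt, md5, sha1, blowfish."""
    if h == "":
        return ("none", None)                 # empty field: no password
    if h.startswith("*"):
        return ("disabled", None)             # cannot match any password
    if h.startswith("$2a$") or h.startswith("$2b$"):
        # blowfish,N in passwd.conf shows up as the cost field: 2^N rounds
        return ("blowfish", int(h.split("$")[2]))
    if h.startswith("$1$"):
        return ("md5", None)
    if h.startswith("$sha1$"):
        return ("sha1", int(h.split("$")[2]))
    if h.startswith("_") and len(h) == 20:
        return ("newsalt", None)              # extended DES: '_' + 19 chars
    if len(h) == 13:
        return ("old", None)                  # traditional DES crypt
    return ("unknown", None)


def audit_passwd(text, weak=("old", "newsalt", "none")):
    """Return {user: (cipher, rounds)} for entries whose cipher is in
    'weak', i.e. accounts that need a fresh password after the change."""
    findings = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        cipher, rounds = classify_hash(fields[1])
        if cipher in weak:
            findings[fields[0]] = (cipher, rounds)
    return findings


if __name__ == "__main__":
    for user, (cipher, rounds) in sorted(audit_passwd(SAMPLE_MASTER_PASSWD).items()):
        print("%-8s %s%s" % (user, cipher, "" if rounds is None else ",%d" % rounds))
```

The `weak` tuple is a policy choice: it flags the two DES-based ciphers and empty password fields by default, and passing `weak=("old", "newsalt", "none", "md5")` extends the report to accounts still on MD5 when the local cipher is later moved to `sha1` or `blowfish`.
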
                    491: ##  Change a user's default shell 
                    492: 
                    493: Make your market in `/etc/shells` file and pick up one. For example, we want to change the shell of _johndoe_ to `/bin/ksh`: 
                    494:     
                    495:     # chsh -s /bin/ksh johndoe
                    496:     
                    497: 
                    498: or 
                    499:     
                    500:     # chpass -s /bin/ksh johndoe
                    501:     
                    502: 
                    503: See [chsh(1)](http://netbsd.gw.com/cgi-bin/man-cgi?chsh+1+NetBSD-current) for mor details. 
                    504: 
                    505: 
                    506: ##  Lock a user account or reset a locked user account 
                    507: 
                    508: Lock 
                    509:     
                    510:     # usermod -C yes johndoe
                    511:     
                    512: 
                    513: Unlock 
                    514:     
                    515:     # usermod -C no johndoe
                    516:     
                    517: 
                    518: ##  Determine identity and group membership 
                    519:     
                    520:     $ id
                    521:     
                    522: 
                    523: ##  Determine who is currently on the system or the last time a user was on the system 
                    524: 
                    525: Enter 
                    526:     
                    527:     $ w
                    528:     
                    529: 
                    530: to determine who is currently on the system. 
                    531: 
                    532: Enter 
                    533:     
                    534:     $ last
                    535:     
                    536: 
                    537: to determine the last time a user was on the system. 
                    538: 
                    539: ##  Enable accounting and view system usage statistics 
                    540: 
                    541: #  Basic System Administration 
                    542: 
                    543: ##  Determine which process are consuming the most CPU 
                    544: 
                    545: The [top(1)](http://netbsd.gw.com/cgi-bin/man-cgi?top++NetBSD-current) command displays and regularly updates a list of top CPU consuming processes. The list includes details such as the command used to create the process, the user who ran that command, the process' PID, what state the process is currently in and how much memory and CPU time the process is consuming. 
                    546: 
                    547: 
                    548: ##  View and send signals to active processes 
                    549: 
                     550: The [ps(1)](http://netbsd.gw.com/cgi-bin/man-cgi?ps++NetBSD-current) command can be used to view a list of the currently active processes with details such as their PIDs. Exactly which processes and which details are displayed can be customised using the options described in the man page. To get the default details of _all_ processes, execute: 
                    551: 
                    552: 
                    553:     $ ps ax
                    554:     
                    555: 
                    556: Sending signals to processes is done using the [kill(1)](http://netbsd.gw.com/cgi-bin/man-cgi?kill++NetBSD-current) command. The signal to be sent may be specified either by name (e.g. HUP, INT, QUIT, ABRT, KILL, ALRM, TERM; see also `kill -l` output) or by an integer code, as specified in the man page. 
                    557: 
                    558: 
                     559: The simplest syntax for [kill(1)](http://netbsd.gw.com/cgi-bin/man-cgi?kill++NetBSD-current) is: 
                     560: 
                     561: 
                     562:     $ kill -{signal name or code} pid
                     563:     
                     564: 
                     565: where `pid` is the PID of the process to be signalled, e.g. `kill -HUP 383` or `kill -1 383`. If no signal is specified (just `kill pid`), TERM is sent by default. TERM asks the process to terminate and can be caught or ignored, which lets a daemon shut down cleanly; KILL cannot be caught or ignored, so it is the last resort, to be used only after the process has been given time to exit on its own. 
                    566: 
                     567: Note that one does not usually know the PID of the process to be signalled in advance. Either find it with the [ps(1)](http://netbsd.gw.com/cgi-bin/man-cgi?ps++NetBSD-current) command as described above (perhaps with the help of [grep(1)](http://netbsd.gw.com/cgi-bin/man-cgi?grep++NetBSD-current)), or use [pkill(1)](http://netbsd.gw.com/cgi-bin/man-cgi?pkill++NetBSD-current), which works like [kill(1)](http://netbsd.gw.com/cgi-bin/man-cgi?kill++NetBSD-current) but selects processes by name. Its argument is a regular expression matched against process names (against the full command line with `-f`), so `pkill sh` would also hit `ssh` and `sshd`; use `-x` to require an exact match, and preview the selection with pgrep(1), which takes the same options and only prints the PIDs it would signal. 
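
Because TERM can be ignored and KILL cannot be caught, the usual practice is to send TERM, wait, and only then escalate. The script below does that with POSIX kill(1) and ps(1) options only. It is an added example for this page, not NetBSD code, and it also handles the zombie case, where `kill -0` still succeeds on a process that has exited but has not yet been reaped by its parent.

```sh
#!/bin/sh
# stop_pid: terminate a process gracefully (SIGTERM), escalating to SIGKILL
# only after a grace period.  Added example for this page; not NetBSD code.

# Is PID a live process?  kill -0 only checks that the PID exists and that we
# may signal it; a zombie (exited, not yet reaped by its parent) still
# "exists", so the ps(1) state column is checked as well.
alive() {
    kill -0 "$1" 2>/dev/null || return 1
    case $(ps -o stat= -p "$1" 2>/dev/null | tr -d ' ') in
        Z*) return 1 ;;      # zombie: effectively gone
        *)  return 0 ;;
    esac
}

# stop_pid PID [GRACE_SECONDS]
# Returns 0 once the process is gone, 1 if it survived even SIGKILL
# (typically a process stuck in uninterruptible disk or NFS I/O).
stop_pid() {
    pid=$1
    grace=${2:-10}
    alive "$pid" || return 0
    # kill -0 above already proved we have permission, so a failure here
    # means the process exited in the meantime (ESRCH).
    kill -TERM "$pid" 2>/dev/null || return 0
    waited=0
    while [ "$waited" -lt "$grace" ]; do
        alive "$pid" || return 0
        sleep 1
        waited=$((waited + 1))
    done
    echo "pid $pid ignored SIGTERM for ${grace}s, sending SIGKILL" >&2
    kill -KILL "$pid" 2>/dev/null
    sleep 1
    if alive "$pid"; then
        echo "pid $pid survived SIGKILL" >&2
        return 1
    fi
    return 0
}

# Usage from the command line, e.g. for the sshd started in the next section:
#   stop_pid 383 5
```

The grace period is the only tunable: a database or mail queue runner may legitimately need tens of seconds to flush state, and KILLing it early is exactly what causes the corruption that TERM was meant to avoid.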
                    568: 
                    569: ##  Use an rc(8) script to determine if a service is running and start, restart or stop it as required 
                    570: 
                     571: To see if a service is running, execute that service's [rc(8)](http://netbsd.gw.com/cgi-bin/man-cgi?rc++NetBSD-current) script with an argument of `status`; the output indicates whether it is running. For example: 
                    572: 
                    573: 
                    574:     # /etc/rc.d/sshd status                                                      
                    575:     sshd is not running.
                    576:     # /etc/rc.d/sshd start
                    577:     # /etc/rc.d/sshd status                                                    
                    578:     sshd is running as pid 383.
                    579:     # /etc/rc.d/sshd stop
                    580:     
                    581: 
                    582:   
                     583: Note that while every script in `/etc/rc.d` is _supposed_ to accept the `status` argument, many do not: the generic implementation in rc.subr(8) can only report on daemons it can locate through a PID file or a process name. 
                    584: 
                    585: If a service is not running, it can be started by executing its [rc(8)](http://netbsd.gw.com/cgi-bin/man-cgi?rc++NetBSD-current) script with an argument of `start`. Once a service is running, it can be restarted or stopped in a similar manner, using the arguments `restart` and `stop`. 
                    586: 
                    587: 
                     588: Note that an rc script refuses to start (or stop) a service that is not enabled in `/etc/rc.conf` (a `service=YES` line). To run a disabled service once without enabling it, use the `onestart` argument, and `onestop` to stop it again; see rc(8) for the full list of prefixes. 
                    589: 
                    590: ##  Configure a service to start at boot time 
                    591: 
                     592: Install the rc script in `/etc/rc.d/` (packages from pkgsrc put theirs in `/usr/pkg/share/examples/rc.d/`, to be copied from there) and enable it with a `service=YES` line in `/etc/rc.conf`; rc(8) then starts it at boot, in the order rcorder(8) computes from the `REQUIRE` and `PROVIDE` keywords in the scripts. 
                    593: 
                    594: ##  View and configure system hardware 
                    595: 
                     596: List the devices on a PCI bus with pcictl(8); there is one node per bus (`/dev/pci0`, `/dev/pci1`, ...). The kernel's autoconfiguration messages, shown by dmesg(8), list every device found at boot regardless of bus: 
                    597:     
                    598:     $ pcictl /dev/pci0 list
                    599:     
                    600: 
                    601: ##  View, load, or unload a kernel module 
                    602: 
                    603: View 
                    604:     
                    605:     $ modstat
                    606:     
                    607: 
                    608: Load 
                    609:     
                    610:     # modload file
                    611:     
                    612: 
                    613: Unload 
                    614:     
                    615:     # modunload -i id
                    616:     
                    617: 
                     618: See the manual page for lkm.conf(5) for information on how to automatically load modules at boot time; for this to work, `lkm=YES` must be set in `/etc/rc.conf`. Also note the `critical_filesystems_local` setting in rc.conf(5), which may be required for boot-loaded modules located under `/usr` when `/usr` is on a separate partition from `/`. Two further points: module loading is refused once `kern.securelevel` has been raised above 0, so anything needed in normal operation must be loaded during boot; and NetBSD 5.0 and later replaced the lkm(4) mechanism with the module(7) framework, where modunload(8) takes a module name instead of an id and boot-time loading is configured with `modules=YES` in rc.conf plus the list in `/etc/modules.conf` (see modules.conf(5)). 
                    619: 
                    620: ##  Modify a kernel parameter on the fly 
                    621:     
                    622:     # sysctl -w <variable>=<value>
                    623:     
                     624: 
                          Settings changed this way do not survive a reboot. To apply them at boot, list them as `variable=value` lines in `/etc/sysctl.conf`, which `/etc/rc.d/sysctl` reads (see sysctl.conf(5)). `kern.securelevel` is the exception: on a running system it can only be raised, never lowered, and it is set at boot from the `securelevel` variable in rc.conf(5). 
                          
                    625: ##  View the status of a software RAID mirror or stripe 
                    626: 
                    627: Verify parity: 
                    628:     
                    629:     # raidctl -p raid0
                    630:     /dev/rraid0c: Parity status: clean
                    631:     
                    632: 
                    633: View configuration and state: 
                    634:     
                    635:     # raidctl -s raid0
                    636:     
                    637: 
                     638: The [raidctl(8)](http://netbsd.gw.com/cgi-bin/man-cgi?raidctl++NetBSD-current) man page is very useful; don't miss it. `-s` also prints the state of each component (e.g. optimal, failed, spare), which is what to check when a disk has died, and whether a reconstruction or parity rewrite is in progress. 
                    639: 
                    640: ##  Configure system logging 
                    641: 
                     642: Verify that [syslogd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?syslogd++NetBSD-current) is running (`/etc/rc.d/syslogd status`). If not, enable it in `/etc/rc.conf` with `syslogd=YES` and launch it: 
                    643:     
                    644: 
                    645:     # /etc/rc.d/syslogd start
                    646:     
                    647: 
                     648: The logging daemon is configured with `/etc/syslog.conf` (see [syslog.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?syslog.conf++NetBSD-current)). When you have modified this file, tell the daemon to reread it by sending it a `SIGHUP`: 
                     649:     
                     650: 
                     651:     # pkill -HUP syslogd 
                     652:     
                     653: 
                     654: Check the log afterwards: syslogd reports mistakes in the file, such as unknown facility or priority names, there. 
                    655: 
                     656: If you add log files in `/etc/syslog.conf`, create them first with a restrictive mode (syslogd does not create missing files) and don't forget to configure their rotation in `/etc/newsyslog.conf` ([newsyslog.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?newsyslog.conf++NetBSD-current)), whose mode column decides who can read the rotated copies. 
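
As an added illustration of the two files working together (this is not NetBSD's shipped configuration, and `loghost` is a placeholder name), here is a syslog.conf entry that keeps authentication messages in their own restricted file and mirrors them to a remote collector, so that an intruder who edits the local log still leaves a record elsewhere, together with the newsyslog.conf line that rotates it:

```conf
# /etc/syslog.conf (added fragment)
# "facility.level  action", one action per line: the same selector may be
# repeated to send the messages to several places.
auth,authpriv.*                         /var/log/authlog
auth,authpriv.*                         @loghost

# /etc/newsyslog.conf (added fragment) - rotation for the file above.
# Fields: logfile  owner:group  mode  count  size(KiB)  when  flags
# mode 600 keeps the rotated copies unreadable by ordinary users; Z gzips them.
/var/log/authlog        root:wheel      600  7     100  *     Z
```

After editing syslog.conf, reload syslogd with `pkill -HUP syslogd` as above; newsyslog(8) needs no reload, it is run periodically from `/etc/crontab`.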
                    657: 
                    658: 
                     659: If the filtering offered by the base syslogd is too limited for you, try the [sysutils/syslog-ng](http://pkgsrc.se/sysutils/syslog-ng) package. 
                    660: 
                     661: To have the kernel log every process that is terminated by a signal (with its PID, the signal number and whether a core was dumped), which makes crashing or SIGKILLed daemons visible in the log: 
                    662:     
                    663:     # sysctl -w kern.logsigexit=1
                    664:     
                    665: 
                    666: ##  Review log files to troubleshoot and monitor system behavior 
                    667:     
                    668:     $ tail -f /var/log/messages |grep daemon
                    669:     
                    670: 
                    671: Try also these packages: 
                    672: 
                    673:   * [misc/root-tail](http://pkgsrc.se/misc/root-tail) or [misc/xtail](http://pkgsrc.se/misc/xtail) if you use X11, 
                     674:   * [misc/colortail](http://pkgsrc.se/misc/colortail) or [misc/mtail](http://pkgsrc.se/misc/mtail) if you want colors, 
                     675:   * [sysutils/wtail](http://pkgsrc.se/sysutils/wtail) or [misc/multitail](http://pkgsrc.se/misc/multitail) to view multiple files. 
                    676: 
                    677: ##  Determine which MTA is being used on the system 
                    678:     
                    679:     $ less /etc/mailer.conf
                    680:     
                    681: 
                    682: ##  Create or modify email aliases for Sendmail or Postfix 
                     683: 
                          Both Postfix and Sendmail read `/etc/mail/aliases`; after editing it, run newaliases(1) to rebuild the database the MTA actually consults, then send a test message to the alias. Make sure `root` is aliased to a mailbox somebody reads, since the periodic maintenance and security reports are mailed there. 
                          
                    684: ##  View the Sendmail or Postfix mail queue 
                    685:     
                    686:     $ mailq
                    687:     
                    688: 
                    689: ##  Read mail on the local system 
                    690:     
                    691:     $ mail
                    692:     
                    693: 
                    694: ##  Understand basic printer troubleshooting 
                    695: 
                    696: ##  Halt, reboot, or bring the system to single-user mode 
                    697: 
                     698: To halt, enter: 
                    699:     
                    700:     # shutdown -h now
                    701:     
                    702: 
                     703: To reboot, enter either: 
                    704:     
                    705:     # reboot
                    706:     
                    707: 
                    708: or 
                    709:     
                    710:     # shutdown -r now
                    711:     
                    712: 
                     713: To boot directly into single-user mode, interrupt the boot loader's countdown by pressing a key and enter at its prompt: 
                    714:     
                    715:     boot -s
                    716:     
                    717: 
                     718: From multi-user mode, `shutdown now` (no `-h` or `-r`) brings the system down to single-user mode after the usual warnings to logged-in users; what it does underneath is send a TERM signal to init(8), which you can also do by hand: 
                     719:     
                     720:     # kill -TERM 1
                     721:     
                     722: 
                     723: Either way you end up in a root shell on the console with the multi-user daemons, including sshd, stopped, so do this from the console, not over the network. 
                    724: 
                    725: ##  Recognize the difference between hard and soft limits and modify existing resource limits 
                     726: 
                          A process has a soft and a hard value for each resource limit (open files, CPU time, memory, core size, ...). The soft limit is the one actually enforced; a process may raise it itself, but only up to the hard limit, which an unprivileged process can lower but never raise. Inspect them with the shell's `ulimit -a` (sh; `-S` and `-H` select the soft or hard value when changing one) or `limit` (csh); per-user defaults come from the login class in login.conf(5). 
                          
                    727: ##  Recognize common, possibly third-party, server configuration files 
                    728: 
                    729: ##  Configure the scripts that run periodically to perform various system maintenance tasks 
                     730: 
                          The daily, weekly and monthly maintenance runs are the scripts `/etc/daily`, `/etc/weekly` and `/etc/monthly`, started from `/etc/crontab`; what they do is controlled by the variables in `/etc/daily.conf`, `/etc/weekly.conf` and `/etc/monthly.conf` (see daily.conf(5) and friends; the defaults live in `/etc/defaults/`). The nightly security checks (`/etc/security`, configured in `/etc/security.conf`) run from `/etc/daily` when `run_security=YES`, and all of the reports are mailed to root. 
                          
                    731: ##  Determine the last system boot time and the workload on the system 
                    732:     
                    733:     $ uptime
                    734:     
                    735: 
                    736: or 
                    737:     
                    738:     $ w
                    739:     
                    740: 
                    741: ##  Monitor disk input/output 
                    742:     
                    743:     $ iostat -w 1
                    744:     
                    745: 
                    746: ##  Deal with busy devices 
                     747: 
                          A device or filesystem that cannot be unmounted or detached because it is "busy" is held open by some process. fstat(1) lists the open files of every process, and `fstat -f /mnt` restricts the list to files on the filesystem mounted at `/mnt`, so it shows whom to ask (or kill(1)) before retrying. The pkgsrc package sysutils/lsof gives the same information in lsof's more familiar format. 
                          
                    748: ##  Determine information regarding the operating system 
                    749:     
                    750:     $ uname -a
                    751:     
                    752: 
                    753: ##  Understand the advantages of using a BSD license 
                    754: 
                    755: #  Network Administration 
                    756: 
                    757: ##  Determine the current TCP/IP settings on a system 
                    758: 
                     759: First, list the interfaces that are up (`-l` lists interface names only, `-s` restricts it to interfaces marked up; `ifconfig -a` prints the full details of every interface): 
                    760:     
                    761:     $ ifconfig -ls
                    762:     wm0 wm1 wm2 wm3 wm4 lo0 pflog0 vlan0 vlan1 vlan2 vlan3
                    763:     
                    764: 
                     765: To see the IP address of an interface: 
                    766:     
                    767:     $ ifconfig vlan3
                    768:     vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
                    769:            vlan: 847 parent: wm4
                    770:            address: 00:04:23:af:f1:e4
                    771:            inet 172.17.13.254 netmask 0xfffffe00 broadcast 172.17.13.255
                    772:     
                    773: 
                     774: We have the MAC (hardware address, here `00:04:23:af:f1:e4`) and the IP address with its netmask, here `172.17.13.254` with `255.255.254.0`, which ifconfig prints in hexadecimal as `0xfffffe00` (a /23 prefix). 
                    775: 
                    776: Now, we want to know IPv4 routing settings: 
                    777:     
                    778:     $ netstat -rn -f inet | head -5
                    779:     Routing tables
                    780:     
                    781:     Internet:
                    782:     Destination        Gateway            Flags    Refs      Use    Mtu  Interface
                    783:     default            172.16.200.130     UG1         0  9607369      -  wm0
                    784:     
                    785: 
                    786: The default route is tagged `default`, here it is `172.16.200.130` on `wm0` interface. 
                    787: 
                    788: See [ifconfig(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ifconfig+8+NetBSD-current) and [netstat(8)](http://netbsd.gw.com/cgi-bin/man-cgi?netstat+8+NetBSD-current) for more details. 
                    789: 
                    790: ##  Set a system's TCP/IP settings 
                    791:     
                    792:     # ifconfig fxp0 192.168.0.1 netmask 255.255.255.0 up
                    793:     
                     794: 
                          Settings made with ifconfig(8) are lost at reboot. To make them permanent, put the arguments (everything after the interface name) into `/etc/ifconfig.fxp0`, one command per line (see ifconfig.if(5)), or set `ifconfig_fxp0` in `/etc/rc.conf`; `/etc/rc.d/network` applies them at boot. 
                          
                    795: ##  Determine which TCP or UDP ports are open on a system 
                    796:     
                    797:     $ sockstat -cl
                    798:     
                     799: 
                          `-l` selects listening sockets, i.e. the open ports, and `-c` adds established connections; `-n` skips name lookups, `-4`/`-6` restrict the output to one address family. The USER and COMMAND columns tell you which daemon owns each port, which is what you want when an unexpected listener turns up. netstat(1) (`netstat -an -f inet`) shows the same sockets without the owning process. 
                          
                    800: ##  Verify the availability of a TCP/IP service 
                    801:     
                    802:     $ sockstat -l
                    803:     
                     804: 
                          This shows that the service has a listening socket on the local machine. To verify that it is reachable from a client, connect to the port from there, e.g. `telnet host port` from the base system or `nc -z host port` with netcat (pkgsrc net/netcat); that also exercises any packet filter in between. 
                          
                    805: ##  Query a DNS server 
                    806: 
                     807: Find the authoritative nameservers for a domain: 
                    808:     
                    809:     $ dig ns netbsd.org
                    810:     
                    811: 
                     812: Query a specific DNS server directly, bypassing the resolvers listed in `/etc/resolv.conf`: 
                    813:     
                    814:     $ dig @adns1.berkeley.edu A www.netbsd.org
                    815:     
                    816: 
                    817: ##  Determine who is responsible for a DNS zone 
                    818: 
                     819: Use [dig(1)](http://netbsd.gw.com/cgi-bin/man-cgi?dig+1+NetBSD-current) to check the SOA section: 
                     820:     
                     821: 
                     822:     $ dig www.netbsd.org soa
                    823:     ; <<>> DiG 9.3.2 <<>> www.netbsd.org soa
                    824:     ;; global options:  printcmd
                    825:     ;; Got answer:
                    826:     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22618
                    827:     ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
                    828:     
                    829:     ;; QUESTION SECTION:
                    830:     ;www.netbsd.org.                        IN      SOA
                    831:     
                    832:     ;; AUTHORITY SECTION:
                    833:     netbsd.org.             10800   IN      SOA     ns.netbsd.org. hostmaster.netbsd.org.  2007032701 21600 10800 2419200 86400
                    834:     
                    835:     ;; Query time: 163 msec
                    836:     ;; SERVER: 191.168.1.1#53(191.168.1.1)
                    837:     ;; WHEN: Sun Jul  1 11:56:27 2007
                    838:     ;; MSG SIZE  rcvd: 92
                    839:     
                    840: 
                     841: The first field of the SOA record (MNAME) names the primary master server, `ns.netbsd.org`, and the second (RNAME) is the responsible mailbox written as a domain name, with the first dot standing for `@`: `hostmaster@netbsd.org`. The numbers that follow are the serial (here date-based, 2007032701), the refresh, retry and expire intervals, and the negative-caching TTL. Note that because `www.netbsd.org` itself has no SOA record, the reply has `ANSWER: 0` and carries the zone's SOA in the AUTHORITY section; querying `netbsd.org` would return it as an answer. 
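
The RNAME field encodes a mailbox as a domain name: the first label is the local part, and a dot inside the local part is escaped with a backslash. The sh function below, an added example that is not part of the dig(1) output above or of any NetBSD tool, turns an RNAME back into an address and handles the escaped-dot case, which the `hostmaster` example does not show:

```sh
#!/bin/sh
# rname_to_mailbox RNAME: convert the SOA RNAME form of a mailbox
# (local part as first label, dots in it escaped as "\.") to user@domain.
# Added example; not part of dig(1) or NetBSD.
rname_to_mailbox() {
    rest=${1%.}                   # drop the trailing dot of a fully qualified name
    local_part=
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}     # first character of $rest
        rest=${rest#?}            # and the remainder
        case $c in
            \\) # escaped character: keep the next one literally
                c=${rest%"${rest#?}"}
                rest=${rest#?}
                local_part="$local_part$c"
                ;;
            .)  break ;;          # first unescaped dot ends the local part
            *)  local_part="$local_part$c" ;;
        esac
    done
    printf '%s@%s\n' "$local_part" "$rest"
}

# rname_to_mailbox hostmaster.netbsd.org.      -> hostmaster@netbsd.org
# rname_to_mailbox 'john\.doe.example.org.'    -> john.doe@example.org
```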
                    842: 
                    843: ##  Change the order of name resolution 
                    844: 
                     845: You live in `home.org` but often work on hosts in `work.com`. To avoid typing FQDNs all the time, put this in `/etc/resolv.conf`: 
                     846:     
                     847:     nameserver 1.2.3.4
                     848:     nameserver 5.6.7.8
                     849:     search home.org work.com
                     850:     
                     851: 
                     852: The first two lines name the DNS servers to use, tried in order. The `search` line lists the domains appended, in order, to any name without a dot: `www` is tried as `www.home.org` first, then as `www.work.com`. (`domain home.org` would set a single search domain; `domain` and `search` are mutually exclusive, and if both appear the last one wins, so there is no point in having both.) Keep the list short: a mistyped short name is looked up in every listed domain in turn, and a name that does not exist in your own domain may silently resolve to a host in another one. After that, you should have: 
                    854:     
                    855:     $ host www
                    856:     www.work.com has address 192.168.1.2
                    857:     
                    858: 
                    859: ##  Convert a subnet mask between dotted decimal, hexadecimal or CIDR notation 
                    860: 
                     861: Use one of these pkgsrc packages: 
                    862: 
                    863:   * [net/ipcalc](http://pkgsrc.se/net/ipcalc)
                    864:   * [net/cidr](http://pkgsrc.se/net/cidr)
                    865:   * [net/sipcalc](http://pkgsrc.se/net/sipcalc)
                    866: 
                    867: 
                    868: ##  Gather information using an IP address and subnet mask 
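
The two sections above list packages for mask conversion and ask what can be derived from an address and mask; the arithmetic behind both is small enough to do in plain POSIX sh. The script below is an added example for this page, not one of the pkgsrc calculators, and it reproduces the figures from the ifconfig output earlier (`172.17.13.254`, netmask `0xfffffe00`, broadcast `172.17.13.255`):

```sh
#!/bin/sh
# Subnet arithmetic in POSIX sh: mask conversion between dotted decimal,
# hexadecimal and CIDR prefix length, plus network/broadcast for an
# address and mask.  Added example for this page; not a pkgsrc tool.

# Dotted decimal -> 32-bit integer, with validation.  Leading zeros are
# rejected because $(( )) would read "010" as octal.
dotted_to_int() {
    oldifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$oldifs
    [ $# -eq 4 ] || { echo "bad address: need 4 octets" >&2; return 1; }
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*|0[0-9]*) echo "bad octet: '$o'" >&2; return 1 ;;
        esac
        [ "$o" -le 255 ] || { echo "octet out of range: $o" >&2; return 1; }
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted decimal.
int_to_dotted() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Accept a mask as dotted decimal (255.255.254.0) or hex (0xfffffe00, as
# ifconfig prints it) and return it as an integer, refusing masks whose
# one-bits are not contiguous.
mask_to_int() {
    case $1 in
        0x*) case ${1#0x} in
                 ''|*[!0-9a-fA-F]*) echo "bad hex mask: $1" >&2; return 1 ;;
             esac
             m=$(( $1 & 0xffffffff )) ;;
        *.*.*.*) m=$(dotted_to_int "$1") || return 1 ;;
        *) echo "bad mask: $1" >&2; return 1 ;;
    esac
    inv=$(( ~m & 0xffffffff ))
    # A valid mask's complement has all its one-bits at the bottom,
    # which is exactly the condition  inv & (inv + 1) == 0.
    [ $(( inv & (inv + 1) )) -eq 0 ] || { echo "non-contiguous mask: $1" >&2; return 1; }
    echo "$m"
}

mask_to_cidr() {
    m=$(mask_to_int "$1") || return 1
    n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + 1 ))
        m=$(( (m << 1) & 0xffffffff ))
    done
    echo "$n"
}

mask_to_hex() {
    m=$(mask_to_int "$1") || return 1
    printf '0x%08x\n' "$m"
}

cidr_to_mask() {
    case $1 in ''|*[!0-9]*) echo "bad prefix length: $1" >&2; return 1 ;; esac
    [ "$1" -le 32 ] || { echo "prefix length > 32: $1" >&2; return 1; }
    if [ "$1" -eq 0 ]; then m=0; else m=$(( (0xffffffff << (32 - $1)) & 0xffffffff )); fi
    int_to_dotted "$m"
}

# subnet_info ADDRESS MASK: network, broadcast and size of the subnet.
subnet_info() {
    a=$(dotted_to_int "$1") || return 1
    m=$(mask_to_int "$2") || return 1
    bits=$(mask_to_cidr "$2") || return 1
    net=$(( a & m ))
    bcast=$(( net | (~m & 0xffffffff) ))
    echo "network $(int_to_dotted "$net")/$bits broadcast $(int_to_dotted "$bcast") addresses $(( 1 << (32 - bits) ))"
}

# subnet_info 172.17.13.254 0xfffffe00
#   -> network 172.17.12.0/23 broadcast 172.17.13.255 addresses 512
```

The validation is deliberate: a mask such as `255.0.255.0` or an octet such as `010` is accepted silently by some tools and then yields a wrong network, which is the kind of mistake that turns into an overly broad firewall rule.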
                    869: 
                    870: ##  Understand IPv6 address theory 
                    871: 
                    872: ##  Demonstrate basic tcpdump(1) skills 
                    873:     
                    874:     # tcpdump -i fxp0 not port 22
                    875:     
                     876: 
                          `not port 22` keeps your own SSH session out of the capture (otherwise every packet printed generates more SSH traffic to print); `-n` avoids a DNS lookup for every address, and `-w file` saves the raw packets for later analysis with `tcpdump -r file` or another tool. The filter is compiled into a BPF program that runs in the kernel before any packet is copied out, so a narrow filter also keeps the load down on a busy interface. 
                          
                    877: ##  Manipulate ARP and neighbor discovery caches 
                    878: 
                    879: View ARP cache 
                    880:     
                    881:     $ arp -a
                    882:     
                     883: 
                          The IPv6 neighbour cache is handled by ndp(8) in the same way (`ndp -a` lists it). `arp -d hostname` and `ndp -d` delete an entry, and `arp -s` adds a static one, which is one defence against ARP spoofing on a small network with fixed hosts. 
                          
                    884: ##  Configure a system to use NTP 
                    885: 
                     886:   * Edit `/etc/ntp.conf` and choose at least two servers from the list, or add two new ones. The time servers should be as close as possible (in network topology) to your server. 
                     887: 
                     888:   * Add `ntpd=YES` to `/etc/rc.conf`
                     889: 
                     890:   * Start the ntp daemon by entering: `/etc/rc.d/ntpd start`
                     891: 
                     892:   * Verify the service by entering `ntpq -p` (or `ntpq` and then `peers` at its prompt). A `*` in the first column marks the peer the daemon is currently synchronised to; it takes several minutes after startup before one appears. Accurate time matters for more than comfort: log timestamps, Kerberos and certificate validity checks all depend on it. 
                    893: 
                    894: ##  View and renew a DHCP lease 
                    895: 
                     896: Renew a DHCP lease by releasing the current one (`-k`) and starting dhcpcd(8) afresh: 
                    897:     
1.3       maya      898:     # dhcpcd -k
                    899:     # dhcpcd
1.2       schmonz   900:     
                     901: 
                          To rebind without dropping the address first, `dhcpcd -n` tells the running daemon to renew its leases. The current lease of an interface can be displayed with `dhcpcd -U interface`. 
                          
                    902: ##  Recognize when and how to set or remove an interface alias 
                    903: 
                    904: set alias 
                    905:     
                    906:     # ifconfig fxp0 inet 192.168.0.2 netmask 255.255.255.0 alias
                    907:     
                    908: 
                    909: remove alias 
                    910:     
                    911:     # ifconfig fxp0 inet 192.168.0.2 netmask 255.255.255.0 -alias
                    912:     
                    913: 
                    914: #  Basic Unix Skills 
                    915: 
                    916: ##  Demonstrate proficiency in using redirection, pipes and tees 
                    917: 
                    918: ###  Output redirection 
                    919:     
                    920:     $ ls > myfiles.txt
                    921:     
                    922: 
                     923: runs `ls` and redirects its standard output into the file myfiles.txt, creating or truncating it (`2>` redirects standard error in the same way) 
                    924:     
                    925:     $ ls >> myfiles.txt
                    926:     
                    927: 
                     928: runs `ls` and appends its output to the file myfiles.txt 
                    929: 
                    930: ###  Pipes 
                    931:     
                    932:     $ ls -l | wc -l
                    933:     
                    934: 
                     935: runs `ls -l` and uses its output as the input of the command `wc -l`. tee(1) placed between two commands in a pipeline copies what flows through it into a file while still passing it on to the next command. 
                    936: 
                     937: ##  Recognize, view and modify environment variables 
                    938: 
                     939: ###  Viewing environment variables 
                    940: 
                     941: On Bourne-style shells (sh, ksh, bash) the exported variables are listed with the `export` builtin; the external env(1) command works from any shell and shows what child processes will actually inherit: 
                    942:     
                    943:     $ export
                    944:     
                    945: 
                     946: On csh and tcsh, with `env` (or the `setenv` builtin without arguments): 
                    947:     
                    948:     $ env
                    949:     
                    950: 
                     951: ###  Modifying environment variables 
                    952: 
                     953: On sh-based shells, assign the value with `=` (no spaces around it) and `export` the name; without the export the variable stays private to the shell and is not passed to the programs it starts: 
                    954:     
                    955:     $ export MYVAR="hello kitty"
                    956:     
                    957: 
                     958: On csh and tcsh, `setenv` takes the name and the value as two separate arguments: 
                    959:     
                    960:     $ setenv MYVAR "hello kitty"
                    961:     
                    962: 
                    963: ##  Be familiar with the vi(1) editor 
                    964: 
                     965:   * `h` `j` `k` `l`: move left, down, up, right 
                     966: 
                     967:   * `i`: insert before the cursor 
                     968: 
                     969:   * `0`: beginning of line 
                     970: 
                     971:   * `$`: end of line 
                     972: 
                     973:   * `o`/`O`: open a new line below/above the cursor and insert 
                     974: 
                     975:   * `x`/`X`: delete the character under/before the cursor 
                     976: 
                     977:   * `w`/`W`: next word (`W` treats punctuation as part of the word) 
                     978: 
                     979:   * `e`/`E`: end of word 
                     980: 
                     981:   * `b`/`B`: beginning of word 
                     982: 
                     983:   * `dd`: delete a line 
                     984: 
                     985:   * `yy`: yank (copy) a line; `p` puts it back after the cursor 
                          
                          * `u`: undo; `:w` writes the file, `:q` quits, `:wq` does both and `:q!` quits discarding changes 
                    986: 
                    987: ##  Determine if a file is a binary, text, or data file 
                    988: 
                     989: The [file(1)](http://netbsd.gw.com/cgi-bin/man-cgi?file++NetBSD-current) command is capable of discerning between executable (binary) files, text files and data files. In many cases it is able to determine further information about data files, e.g. it can recognise image files as being GIFs or JPGs. It decides from magic numbers and patterns in the content, not from the file name or extension, which makes it a good first check on something downloaded; but it is a heuristic, and a file crafted to look like one type while being another will fool it, so never treat its verdict as proof that content is harmless. 
                     990:     
                     991: 
                     992:     $ file /bin/sh
                    993:     /bin/sh: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for NetBSD 4.99.72, dynamically linked (uses shared libs), not stripped
                    994:     
                    995:     
                    996:     $ file /etc/wscons.conf
                    997:     /etc/wscons.conf: ASCII English text
                    998:     
                    999:     
                   1000:     $  file AnsweringMachine.ogg
                   1001:     AnsweringMachine.ogg: Ogg data, Vorbis audio, stereo, 44100 Hz, ~256000 bps, created by: Xiph.Org libVorbis I (1.1.0 RC1)
                   1002:     
                   1003:     
                   1004:     $ file photo.jpg
                   1005:     photo.jpg: JPEG image data, JFIF standard 1.01
                   1006:     
                   1007: 
                   1008: ##  Locate files and binaries on a system 
                   1009: 
                    1010: Binaries: whereis(1) searches the standard binary and manual directories, whereas `which` and the shell's `type` builtin report what the shell would actually run for that name, and the two differ when a package, or an attacker, has placed another `netstat` earlier in `$PATH`: 
                   1011:     
                   1012:     $ whereis netstat
                   1013:     
                    1014: 
                          Files: locate(1) answers from the database built by `/usr/libexec/locate.updatedb` (run from `/etc/weekly` when `rebuild_locatedb=YES`), so it is fast but may be up to a week stale; find(1) searches the live filesystem. 
                          
                   1015: ##  Overcome command line length limitations 
                    1016: 
                          The kernel limits the total size of a command's arguments and environment (`sysctl kern.argmax` shows it), so `cmd *` in a huge directory fails with "Argument list too long". xargs(1) reads names from standard input and runs the command as many times as needed, and `find ... -exec cmd {} +` does the same for files found by find(1). File names may contain spaces and newlines, so pair `find -print0` with `xargs -0` rather than splitting on whitespace. 
                          
                   1017: ##  Find a file with a given set of attributes 
                    1018: 
                          find(1) combines tests on name (`-name`), type (`-type`), owner (`-user`), permission bits (`-perm`), size and modification time (`-newer`, `-mtime`) and applies an action to each match. The classic security audit is the search for set-user-id executables, `find / -type f -perm -4000`, which `/etc/security` performs nightly and compares against the previous run. 
                          
                   1019: ##  Create a simple Bourne shell script 
                   1020:     
                   1021:     vi myshellscript.sh
                   1022:     
                    1023: 
                          Start the file with a `#!/bin/sh` line so the kernel knows which interpreter to run, make it executable with `chmod +x`, and, if it touches anything important, begin with `set -eu` so that an unset variable or a failing command aborts the script instead of carrying on with half-done state. 
                          
                   1024: ##  Find appropriate documentation 
                   1025:     
                   1026:     $ apropos keyword
                   1027:     $ man command
                   1028:     
                   1029: 
                   1030: ##  Recognize the different sections of the manual 
                   1031: 
                    1032: The manual is divided into sections 1 to 9. The same name can appear in several of them (reboot(2) is a system call, reboot(8) the command), and `man n name` selects section n: 
                   1033: 
                   1034:   * 1 General commands manual 
                   1035:     
                   1036:     $ man 1 df
                   1037:     
                   1038: 
                   1039:   * 2 System calls manual 
                   1040:     
                   1041:     $ man 2 lseek
                   1042:     
                   1043: 
                   1044:   * 3 Library functions manual 
                   1045:     
                   1046:     $ man 3 sprintf
                   1047:     
                   1048: 
                   1049:   * 4 Kernel interfaces manual 
                   1050:     
                   1051:     $ man 4 null
                   1052:     
                   1053: 
                   1054:   * 5 File formats manual 
                   1055:     
                   1056:     $ man 5 exports
                   1057:     
                   1058: 
                   1059:   * 6 Games manual 
                   1060:     
                   1061:     $ man 6 tetris
                   1062:     
                   1063: 
                   1064:   * 7 Miscellanea 
                   1065:     
                   1066:     $ man 7 me
                   1067:     
                   1068: 
                   1069:   * 8 System manager's manual 
                   1070:     
                   1071:     $ man 8 reboot
                   1072:     
                   1073: 
                   1074:   * 9 Kernel developer's manual 
                   1075:     
                   1076:     $ man 9 kauth
                   1077:     
                   1078: 
                   1079: ##  Verify a file's message digest fingerprint (checksum) 
                   1080: 
                    1081: Run the digest program matching what the publisher provides: md5(1), sha1(1), sha256(1) or sha512(1) (or `cksum -a algorithm`). Enter either: 
                    1082:     
                    1083:     $ md5 filename
                    1084:     
                    1085: 
                    1086: or 
                    1087:     
                    1088:     $ sha1 filename
                    1089:     
                    1090: 
                    1091: and compare the output with the published value, character by character. Two caveats: the expected digest must come from a source you trust independently of the download (a release announcement, a signed file, a page fetched over a different channel), otherwise a tampered file simply ships with a matching digest; and MD5 and SHA-1 are no longer collision resistant, so prefer SHA-256 or SHA-512 when the publisher offers them, as NetBSD does for its own release sets (the `SHA512` files next to the sets). 
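
The comparison is easy to get wrong by eye (a digest that merely starts the same way, a truncated paste, mixed case), so it is worth scripting. The script below is an added example for this page and is not a NetBSD tool; it also serves as the worked "simple Bourne shell script" that the Basic Unix Skills section above only names. It assumes one of sha256sum(1) (GNU), sha256(1) (NetBSD) or openssl(1) is installed.

```sh
#!/bin/sh
# verify-digest.sh: check a downloaded file against a published SHA-256
# digest.  Added example for this page; not a NetBSD tool.  Assumes one of
# sha256sum(1) (GNU), sha256(1) (NetBSD) or openssl(1) is installed.
set -eu

# Print the hex SHA-256 of a file with whatever digest tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                        # NetBSD: -q prints only the digest
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    else
        echo "no SHA-256 tool found" >&2
        return 1
    fi
}

# verify_sha256 FILE EXPECTED: 0 on an exact match, 1 otherwise.
# The expected value is normalised to lower case and must be exactly 64 hex
# digits; a truncated or mistyped digest is an error, never a "match".
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $expected in
        *[!0-9a-f]*|'') echo "malformed digest: $2" >&2; return 1 ;;
    esac
    [ ${#expected} -eq 64 ] || { echo "digest must be 64 hex digits: $2" >&2; return 1; }
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

main() {
    if [ $# -ne 2 ]; then
        echo "usage: $0 file expected-sha256" >&2
        return 2
    fi
    verify_sha256 "$1" "$2" && echo "OK: $1"
}

# Run only when invoked with arguments, so the file can also be sourced
# (". ./verify-digest.sh") to reuse the functions.
[ $# -eq 0 ] || main "$@"
```

Invoke it as `sh verify-digest.sh netbsd.iso 5891b5...be03`; the exit status (0 match, 1 mismatch or error, 2 usage) is what a download script should branch on, rather than grepping the output.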
                   1092: 
                   1093: ##  Demonstrate familiarity with the default shell 
                   1094: 
                   1095: ##  Use job control 
                   1096: 
                   1097: List jobs 
                   1098:     
                   1099:     $ jobs -l
                   1100:     
                   1101: 
                    1102: Start a command in the background by appending `&`; the shell prints its job number and PID: 
                    1103:     
                    1104:     # /usr/libexec/locate.updatedb &
                    1105:     
                    1106: 
                    1107: Bring a job to the foreground, referring to it by job number (`%1`, `%2`, ... as shown by `jobs`; `%%` is the current job), not by PID: 
                    1108:     
                    1109:     # fg %1
                    1110:     
                    1111: 
                    1112: Resume a job that has been stopped with Ctrl-Z, letting it run in the background: 
                    1113:     
                    1114:     # bg %1
                   1115:     
                   1116: 
                   1117: ##  Demonstrate proficiency with regular expressions 
                   1118: 
                   1119: ##  Understand various "domain" contexts 
                   1120: 
                   1121: ##  Configure an action to be scheduled by cron(8) 
                   1122: 
                    1123: There are two ways to accomplish this task: put the job in the global crontab `/etc/crontab`, or edit your own crontab with `crontab -e`. The per-user crontabs live in `/var/cron/tabs/` and should only ever be edited through crontab(1), which also tells cron(8) to reload them. 
                   1124:     
                   1125:     $ crontab -e
                   1126:     
                   1127: 
                    1128: (this command invokes the text editor named by the `VISUAL` or `EDITOR` environment variable, by default `/usr/bin/vi`). 
                   1129: 
                   1130: Add a cronjob: 
                   1131:     
                   1132:     0 23 * * *     sh /my/home/shellskript
                   1133:     
                   1134: 
                   1135: Here, the script will be run all days at 23:00. The fields order is minute, hour, day of month, month and day of week; the last field is the command to run. See [crontab(5)](http://netbsd.gw.com/cgi-bin/man-cgi?crontab+5+NetBSD-current) for details. List your current crontab: 
                   1136:     
                   1137: 
                   1138: $ crontab -l
                   1139:     
                   1140: 
                    1141: As root you can see and edit any user's crontab by supplying `-u username`: 
                   1142:     
                   1143:     # crontab -l -u john
                   1144:     
                   1145: 
                   1146: or edit it 
                   1147:     
                   1148:     # crontab -e -u john
                   1149:     
                   1150: 
                    1151: When using the global `/etc/crontab` (edited directly, not with crontab(1)), a sixth field names the user the job runs as; keep root-owned jobs to a minimum and never let them execute files that other users can write: 
                   1152:     
                   1153:     # vi /etc/crontab
                   1154:     0 22 * * *    john    sh /johns/work/shellskript
                   1155:     
                   1156: 
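
A nightly job like the one above can still be running when the next run starts, if the machine is slow or the job hangs, and two copies racing on the same files is a common source of corrupted state. The wrapper below, an added example and not part of NetBSD's cron, serialises runs with a mkdir(2) lock, which is atomic on every Unix filesystem, and reclaims a lock left behind by a crashed run. The lock directory path in the usage comment is an assumption; NetBSD also ships shlock(1), which does the same PID-based check.

```sh
#!/bin/sh
# cron_once: run a command from cron without overlapping a still-running
# earlier instance.  Added example for this page; not part of NetBSD.
# The lock is a directory because mkdir(2) is atomic: of several concurrent
# callers exactly one succeeds in creating it.

# lock_acquire DIR -> 0 if the lock is now ours, 1 if a live holder has it.
lock_acquire() {
    lockdir=$1
    if mkdir "$lockdir" 2>/dev/null; then
        echo $$ > "$lockdir/pid"
        return 0
    fi
    holder=$(cat "$lockdir/pid" 2>/dev/null || true)
    if [ -n "$holder" ] && kill -0 "$holder" 2>/dev/null; then
        return 1                                  # genuinely busy
    fi
    # Holder is gone (crashed run or reboot): reclaim.  rename(2) is atomic,
    # so if two reclaimers race only one mv succeeds; the loser reports busy
    # rather than deleting a lock someone else has just re-created.
    stale="$lockdir.stale.$$"
    mv "$lockdir" "$stale" 2>/dev/null || return 1
    rm -rf "$stale"
    mkdir "$lockdir" 2>/dev/null || return 1
    echo $$ > "$lockdir/pid"
    return 0
}

lock_release() {
    rm -rf "$1"
}

# cron_once LOCKDIR COMMAND [ARGS...]: run COMMAND under the lock.
# Exit status is the command's own, or 75 (EX_TEMPFAIL from sysexits(3))
# when another run is still active.
cron_once() {
    lockdir=$1; shift
    if ! lock_acquire "$lockdir"; then
        echo "cron_once: previous run still active, skipping" >&2
        return 75
    fi
    "$@" && status=0 || status=$?
    lock_release "$lockdir"
    return "$status"
}

# In a crontab, e.g. nightly at 23:00 (paths are assumptions):
# 0 23 * * *  . /usr/local/lib/cron_once.sh && cron_once /var/run/backup.lock /usr/local/sbin/backup
```

The PID check is a heuristic: after a reboot a recycled PID can make a stale lock look live, so either remove the lock directory from an rc script at boot or keep it on a filesystem that is cleaned then. The non-zero exit on "busy" is deliberate, since cron mails it and a job that is silently skipped night after night is how backups quietly stop.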
