Linux Administrators' Resource Kit

 Neville Richter and Lynda Thater © CQU 2006

 Faculty of Business and Informatics,
Central Queensland University,
n.richter@cqu.edu.au, l.thater@bris.cqu.edu.au

 

Abstract: The Linux Administrators Resource Kit (LARK) started out as a simple web site to support the teaching of practical subjects taught as part of Information Technology studies at the University. The LARK has since developed to provide students with user-friendly online access to resources such as Linux manuals, Linux HOWTOs, IETF Requests for Comments (RFCs) [3], lecture notes and practical exercises for subjects in Network Administration, Network Management and Security.  The LARK site has since become useful to other Internet users as well; many remote users from around the world read documents hosted at http://os.cqu.edu.au/lark.  The site requires students to authenticate through the University Single-Sign-On system before they can access lecture notes and practical exercises.  This report describes the software loaded on the LARK web server and the modifications required to the Apache Web server configuration.  The whole site, excluding the public area /pub, which is used to download software, has been ported to CDROM for home use and can be downloaded from http://os.cqu.edu.au/pub/iso.

 1 Introduction

 The Linux Administrators Resource Kit (LARK) web site, now hosted at http://os.cqu.edu.au, started in 1996 on a desktop PC running RedHat Linux 5.2 and an early version of the Apache Web Server [1].  As newer versions of RedHat Linux, and now Fedora Core Linux [10], were released with newer versions of Apache, it became apparent that the best way to meet student requirements for online documentation was to build a web server for distributing lecture notes and practical exercises; this was before the University decided to create a centralised web content management system for lecture notes.  The release of the SSL extensions for Apache meant that a student's personal login name and password could be sent to the server over an encrypted connection rather than in clear text, so the material could be protected by individual accounts.  The alternative of a shared class username and password was rejected: shared passwords typically end up being reused on other web sites, and the only other way to limit access would have been to restrict the site to workstations on the University network.  At the same time as the web server was being developed, an automated download and installation procedure was developed to provide students in the laboratory with a fresh copy of the workstation operating system and associated web browsers.  This allowed students to copy new software directly from the web server and install it on the workstation, while reading documentation from the web server on the steps needed to configure the software. 

 In 2000 the web server was upgraded to a server-class machine, which improved the rate at which images could be served.  The operating system images hosted on the web server are typically 200 to 700 MB in compressed form and are downloaded onto client machines via a network of 100 Mbps Ethernet switches; once uncompressed, the installed filesystem is about 2 GB.  Client workstations only download a new copy of the operating system image when the local copy becomes corrupted, which reduces the load considerably, since a copy of the image is maintained on a separate partition on each workstation.  For more information on the ADIOS boot CD see http://os.cqu.edu.au/adios [19]. 

 2  Administration Resource Kit Information

 What is available on the LARK site? Firstly, the LARK site is a library of Linux documentation and downloadable copies of software and OS images to help Linux administrators.   The site also has local copies of lecture notes and practical exercises for students.  The reason the LARK web server is accessed by many users outside the University campus is that it categorises the information on Linux.  The LARK site is used to access local copies of:

 The web server uses CGI scripts to provide searching and formatting of documents. The use of SSL web pages allows students to be authenticated before browsing lecture notes and practical exercises, and the same authenticated area provides online quizzes and sample practical examinations. 

 The LARK web server is used to supply example configuration files for network services, example diagnostic tools and example web-based network management tools.  The URL http://os.cqu.edu.au/etc contains example configuration files to help students learn how to configure Linux services.   The real system directory /etc is considerably different and must never be exposed to web clients: the Apache Alias directive maps the URL path /etc onto a separate directory of example configuration files, so a request for /etc/passwd returns the example copy and not the server's own password file.  This mapping should be confirmed after every Apache upgrade by requesting a file that exists only in the real /etc and checking that the server returns an error rather than the file's contents.  The Linux documentation directory located at /usr/share/doc is accessible and searchable.  The RFC text index file is converted by a Perl [9] script into an HTML hypertext index, which allows users to search the RFCs for keywords.   The "rpm.cgi" script allows users to browse the RPMs [12] with a web browser, search for files and read package documentation.   Access to web-based network management tools, which are located on another web server, is enabled using Redirect directives. 

 Access to Linux man and info entries is provided by CGI tools that convert the man and info text documents to HTML on the fly.  The main advantage of having the man and info documents on the web is that users can reach every manual entry quickly and search the documents with a web browser.   Other manuals, such as those for Apache and Perl, can also be read through the browser in the same way.
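The CGI viewers described above take a document name from the request and turn a file on disk into HTML, and the /etc alias maps a URL onto a directory that is not the system /etc.  The following is an added example, not one of the LARK scripts: a Python routine that resolves a requested name under a fixed example root, rejects traversal and symlink escapes, and uses a constructed temporary tree to show the outcomes.  The directory names, the "hosts" file and the "leak" symlink are assumptions made for the demonstration.

```python
"""Added example, not the LARK CGI scripts: safe lookup of a requested
document name under a fixed root, as a man/info-to-HTML viewer or the
example-/etc alias handler should do it.  Paths and names are assumptions."""
import os
import re
import tempfile

# Allow-list for the name taken from the request: plain file names only,
# no path separators, no leading dot, bounded length.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


class DocNotFound(Exception):
    """Raised for any name that is rejected or does not resolve to a file."""


def resolve_doc(root, name):
    """Return the real path of `name` inside `root`, or raise DocNotFound.

    Two independent checks are applied: the allow-list on the name itself,
    and a realpath containment check so that a symlink planted inside the
    tree cannot lead outside it either.
    """
    if not _NAME_RE.match(name):
        raise DocNotFound(name)
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise DocNotFound(name)
    if not os.path.isfile(candidate):
        raise DocNotFound(name)
    return candidate


def lookup_status(root, name):
    """Wrapper returning 'ok' or 'rejected' so the outcome is a plain value."""
    try:
        resolve_doc(root, name)
        return "ok"
    except DocNotFound:
        return "rejected"


def build_demo_tree():
    """Constructed fixture standing in for the Alias target of /etc: an
    example-config directory holding a 'hosts' file, plus a symlink 'leak'
    that points at a file outside the tree."""
    base = tempfile.mkdtemp(prefix="lark-demo-")
    examples = os.path.join(base, "etc-examples")
    os.mkdir(examples)
    with open(os.path.join(examples, "hosts"), "w") as fh:
        fh.write("127.0.0.1 localhost\n")
    outside = os.path.join(base, "secret")
    with open(outside, "w") as fh:
        fh.write("not for the web\n")
    os.symlink(outside, os.path.join(examples, "leak"))
    return examples


if __name__ == "__main__":
    examples = build_demo_tree()
    for name in ("hosts", "../secret", "leak", "/etc/passwd", ".hidden"):
        print(f"{name!r:16} -> {lookup_status(examples, name)}")
```

The allow-list alone would already stop "../secret" and "/etc/passwd"; the realpath check is what catches "leak", a name that passes the allow-list but resolves outside the tree.  Keeping both means a mistake in one check does not expose the real system files.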

 The “htdig” [2] web search engine provides a quick way of finding files among the huge number stored on the LARK web server.  To build the configuration file, read the documentation at http://os.cqu.edu.au/cgi-bin/doc.cgi?htdig.  The ADIOS boot CD version of LARK cannot afford the large database used by “htdig” and so uses the “swish-e” [14] search engine instead; see an example at http://os.cqu.edu.au/cgi-bin/search.cgi.   The “robots.txt” file is used to limit how much of the site is crawled by search engines on the Internet.  Note that robots.txt is only a request honoured by well-behaved crawlers and is not an access control, so the lecture note and exercise areas must be protected by the server's own authentication rather than by being listed in robots.txt.

 Downloading operating systems in the laboratory requires a simple CGI install script and access to preconfigured operating system images.  These OS images are built in the laboratory and then uploaded onto the web server.  There are two types of OS image available to download, production and development versions. In the production versions the bulk of the filesystem, in particular /usr, is mounted read-only, and the users' configuration and home directories are placed on a separate read-write partition.  The development version of the OS also places the /usr part of the filesystem on the read-write partition.

 Although “yum” [18] servers have become popular in the last year, having web access to RPM [12] package files is still useful, especially if you can read the information inside the RPM before you download it.  Providing local copies of the RPMs and ISO images of Linux distributions is useful to students who want to burn their own copies of the CDs.

 The University requires that the Nessus [8] vulnerability scanner be run at regular intervals to validate the security of the web server's operating system.  Security is maintained by “iptables” firewall rules, by limiting the number of services run on the server, by applying patches to upgrade services when required, and by inspecting log files.  It has been argued that a trusted operating system such as SELinux [13] is not really required when the server provides only a single service.

 2.1 Linux Library

 Why distribute Linux documentation from a web server?  One problem encountered by new users of Linux is knowing where and how to find information about each of the services available.  Although most of the documentation is distributed with each package, it can usually only be read on the system it is installed on.  Providing access via a web server to all of the document files is the ideal way of sharing this information.  The Linux Library on the LARK site is an attempt to provide an overview of where to start.  The information is categorised into the following headings: 

2.2 Users of LARK

Who uses it?  The Administrators Resource Kit web site was primarily designed to help students access information about Linux network administration, that is, how to configure and manage services, for students studying subjects in Network Administration and Network Management.  The site also helps students with programming in many languages and has technical reference material about writing network client/server software, device drivers and kernel modules, for students studying Operating Systems and Unix Systems Programming.  A local copy of the RFCs [3] means that students have access to network protocol standards, which is useful for students studying Internetworking Protocols and Network Administration.  The site also has examples of security tools used in Computer Forensics, Network Security and Network Management.

Although the web server was designed primarily for access by local University students, there has been an increase in the number of users from other sites around the world.  In 2004 approximately 25% of web hits came from within the University network.  Statistics about who is using the web server change each month; see the Webalizer [16] usage statistics page at http://os.cqu.edu.au/usage.  The fact that so many people from around the world access the site is good public relations for the University.   To create a higher profile on the Internet a web server needs to attract the attention of other Internet users.  Creating software such as the ADIOS live CD and releasing it as open source does increase the visibility of the site.  This may help the University to be more visible and may attract more students.

Why is LARK different from the Online Learning and Teaching (OLT) web site?  The University created the OLT web site to give web access to the teaching resources used with subjects taught at the University.   LARK predates the OLT web site, and LARK could be integrated into such a facility, but there are several reasons why this is not an attractive proposition.  Although all lecture notes and tutorial exercises have now been moved to the OLT system, there are other reasons for maintaining a separate web server for a Linux distribution. 

 3  Laboratory Setup

 How are operating system images deployed in a laboratory?   The LARK site uses web servers to download operating system images onto PCs in the laboratory.  CGI scripts have been set up to allow download of operating system images in the laboratories.  The Linux laboratories are set up to teach Network Administration, Network Management and other classes which require the user to have administrator privileges.  Thus students can be the administrator and will be able to create user accounts on the network operating systems (OS) installed on the PCs.  The University Single-Sign-On authentication system has been implemented on the installed OS.  The setup may change from one year to the next due to new versions of operating systems and applications.

Upon Laboratory PC startup, the boot loader allows the user to select one of the following:

The Setup option requires either a boot CD or a setup partition on the hard disk. The Setup menu allows students to download Windows or Linux, or burn CDs. Some of the operating systems have multiple images.  Some images have been designed for "users" who require a friendly environment and provide access to their personal files on the student server and to printers.  Other images may be for "development" and allow students to try out new software and practice administration skills.

One objective of studying Network Administration is to prepare students for the workforce by providing them with an opportunity to practice Network Administration skills.  To achieve this objective, students are exposed to various operating systems during their studies. It is a requirement of the laboratories that students must be able to access network operating systems at administrator level.  The operating system must not have been tampered with by other users or corrupted in any way.

Several operating systems are accommodated in the laboratories, the two most used are: Microsoft Windows [6] and RedHat Fedora Core Linux workstation. Many methods of installing these systems have been investigated.  The main factor was speed of installation, as students in each practical session need a “clean” copy of the operating system before beginning their practical exercises.  The traditional method of installing Windows or Linux from scratch is too time consuming.  Therefore, downloading the operating system over the network from a server seemed to be more appropriate.  Instead of requiring support staff to download the operating system using such tools as Symantec Ghost [15] or Rembo [11], it was decided that students would have a more flexible environment if they could install the software when they arrive.  The most suitable protocol for downloading documents is of course HTTP.

It was decided that students would need to have two different levels of access to the operating system: User mode and Admin mode.  Naturally students require administrator access in order to complete network administration practical exercises.  However, in many cases students may only want to access the Internet or servers outside of the laboratory subnet and thus a pre-built system where the user is university authenticated is also available on each workstation.

The User mode image was built and then archived on the server, so that it can be downloaded when required.  Once downloaded, User mode can be used again and again by different users without being downloaded afresh, simply by selecting that operating system at boot instead of re-installing one.  Admin mode, by contrast, gives students full control of the workstation and must be re-installed for each student.  This has been simplified by keeping the image files on a backup partition and only downloading a file again when its checksum no longer matches the server's copy.
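The checksum comparison above decides whether the copy kept on the backup partition can be reused.  The following is an added example rather than the LARK install script: a Python routine that parses a server-side manifest of image digests, checks the cached file's size and SHA-256 against it, and reports why a download is needed.  The manifest format, image names and image contents are constructed for the demonstration.  A digest only proves that the cached file matches what the manifest says, so the manifest itself must be fetched from the trusted server (for instance over the SSL-protected site) for the check to mean anything.

```python
"""Added example, not the LARK install script: decide whether a cached OS
image on the backup partition must be re-downloaded by comparing it with a
server-side manifest of SHA-256 digests.  Manifest format, image names and
contents are constructed for the demonstration."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces; real images are hundreds of MB


def sha256_of(path):
    """Stream the file through SHA-256 rather than reading it whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse lines of '<sha256> <name> <size>' into {name: (digest, size)}.

    A malformed line is an error, not something to skip: the manifest is
    the only thing that tells the workstation what a good image looks like.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or len(parts[0]) != 64 or "/" in parts[1]:
            raise ValueError(f"manifest line {lineno} malformed: {line!r}")
        digest, name, size = parts
        entries[name] = (digest.lower(), int(size))
    return entries


def needs_download(manifest, name, cache_dir):
    """Return (decision, reason) for the cached copy of `name`.

    Size is compared before hashing so a truncated or oversized file is
    rejected without reading it in full.
    """
    if name not in manifest:
        raise KeyError(f"{name} is not listed in the manifest")
    digest, size = manifest[name]
    local = os.path.join(cache_dir, name)
    if not os.path.isfile(local):
        return True, "missing"
    if os.path.getsize(local) != size:
        return True, "size mismatch"
    if sha256_of(local) != digest:
        return True, "digest mismatch"
    return False, "cached copy verified"


def build_demo():
    """Constructed fixture: a cache holding one intact image and one with a
    single flipped byte, plus a manifest computed from the originals."""
    cache = tempfile.mkdtemp(prefix="lark-cache-")
    user_img = b"linux-user image payload " * 4096
    admin_img = b"linux-admin image payload " * 4096
    with open(os.path.join(cache, "linux-user.tgz"), "wb") as fh:
        fh.write(user_img)
    damaged = bytearray(admin_img)
    damaged[1000] ^= 0xFF  # simulate corruption on the backup partition
    with open(os.path.join(cache, "linux-admin.tgz"), "wb") as fh:
        fh.write(bytes(damaged))
    manifest_text = "\n".join([
        "# sha256  name  size",
        f"{hashlib.sha256(user_img).hexdigest()}  linux-user.tgz  {len(user_img)}",
        f"{hashlib.sha256(admin_img).hexdigest()}  linux-admin.tgz  {len(admin_img)}",
        f"{hashlib.sha256(b'winxp').hexdigest()}  winxp-admin.tgz  5",
    ])
    return parse_manifest(manifest_text), cache


if __name__ == "__main__":
    manifest, cache = build_demo()
    for image in ("linux-user.tgz", "linux-admin.tgz", "winxp-admin.tgz"):
        download, why = needs_download(manifest, image, cache)
        print(f"{image:18} download={download!s:5} ({why})")
```

The install script would call needs_download for each image the student selected and fetch only those reported as needing it; the reason string is worth logging so that a workstation whose backup partition repeatedly fails the digest check can be spotted.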

The server supplies the workstations either a partial or complete copy of the operating system depending on the option selected by the student when configuring the PC. Another server provides the authentication of users when they want to access their files on the workstation.  To minimise the number of downloads each of the two most popular operating systems is assigned a separate partition on the hard disk.  

The Windows and Linux options assume that the operating system already installed is acceptable for the user. The disk is partitioned differently depending on the total disk space available.  A typical partition table would have windows in partition 1, Linux admin in partition 2 and setup in partition 4, other operating systems would be located in partition 3.

The "Setup" partition is a copy of the initial ram disk and kernel used on the ADIOS boot CD. If the "Setup" partition has been destroyed then the system can be booted via Network card or boot CD.  The "Setup" software will automatically run the "install" script, which will present you with a menu of options  

  1. install (download) laboratory setup mode
  2. install (download) Linux Admin
  3. install (download) Windows Admin

3.1 RedHat Fedora Core Linux User mode

This downloads a cut-down but complete Linux system, which has been tailored to present a user-friendly interface. Users are authenticated via the University authentication system and have access to their own files stored on the student and staff servers. The user is not able to log in as the administrator, and the security of the operating system has been tightened.   The X Window System is configured to start XDM, which requires the user to enter a username and password that are checked against the University authentication server. This gives the end user access to their files and to utilities such as a web browser, email, IRC, and local compilers for C, C++, Java and Perl.

The Linux User mode was built and tested on one machine in the laboratory and then saved with the "tar" command with the compress option.  The file was then moved to the server so that the Apache web server could distribute it on request from a client workstation.  An installation CGI script on the web server serves documents and operating system images as requested by the client workstation, which runs a simple program to download the image and save it on the local disk.

3.2 RedHat Fedora Core Linux Admin mode

This downloads a small subset of RedHat Fedora Core Linux and allows the administrator to mount a full set of compilers and other applications from a local server.  The user has full control of the local workstation.  When installing software the student may need to modify the installation scripts or “Makefile” files to avoid attempting to write to read-only mounted filesystems. The first time you log on, you will be authenticated via the University authentication system and your account will be given administrator privileges. The Linux Admin mode was created in the same manner as the Linux User mode.  Students can back up their files with "ftp", "smb" or "scp", or write them to a USB device.

3.3 Windows XP Admin mode

This downloads a cut-down version of the operating system; all other applications are available via connections to servers. The student is added to the Administrators group after being authenticated via the University authentication system.   One of the exercises may require you to convert a FAT partition to NTFS with the "convert" command, which allows the administrator to set ownership of files and complete the practical exercises.

3.4 Windows XP Setup mode

This will allow you to set up Windows XP on the local workstation. To create the Setup mode, Windows XP was partially installed from CDROM onto one of the workstations in the laboratory.  When the first stage of the installation requires the machine to reboot to start the graphical stage of the installation, the workstation was instead started in Linux "Install" mode and the files on the "vfat" partition were saved with the "tar" command and transferred to the server.  Later, when the file is copied onto a workstation and the system is rebooted, the installation process continues.

3.5 Setup mode

The purpose of Setup mode is to allow students to install either Microsoft Windows or RedHat Fedora Core Linux onto a PC in the laboratories.  This is referred to as the download process, and has been devised to save students' time in the laboratories.  After rebooting the PC, at the LILO or GRUB prompt they select setup.  At the setup menu> command prompt a user can enter h for help to display the following list of options:

When it is finished, the setup menu> prompt will appear. At this point the user can enter q to quit, or press <CTRL><ALT><DEL> or the reset button on the front of the PC to restart.  The setup mode partition can be used to store read-only copies of the downloaded image.  Changes can then be written to another partition and erased after the user logs off.

4  Conclusion

The creation and maintenance of a secure web server is time consuming but also a rewarding experience.  The system is upgraded once a year with the software to be used for the following year; students want to use the latest software available, so it is important to upgrade at least yearly.  The old cliché "practice what you preach" is certainly true.  Simple tasks such as backups, the implementation of RAID, user and security policies, and the implementation of firewalls are all important tasks for network administrators.  Services other than the web server can be set up on laboratory machines to demonstrate how to customise them.

The Administrators Resource Kit provides a catalogue of the Linux documentation for applications and servers as well as access to packages and files for download both in the laboratory and at remote sites.  Tools have been installed and created to aid the searching and presentation of the online documentation.  In addition the web server provides operating system images for download onto workstations within laboratory environments.   The laboratory environment can be downloaded into any laboratory within the University network, bandwidth being the only limiting factor for remote sites.

4.1 Plans for future

Build more tools to automate the updating of documents when distribution releases change.  The number of broken web links created each time an upgrade is performed is large; even documents from The Linux Documentation Project [4] have to be edited to correct links before going online.  Whereas the RFCs are easily maintained, as the documents are plain text, the online indexes and search engines still have to be updated at regular intervals.  Filters to convert documents from text or from other formats to HTML need to be investigated and tested.  A content management system could be integrated into the web server to provide access to FAQs, forums and upload of files.  The ADIOS live CD/DVD project can be extended to incorporate the development of free OS images so that downloading of OS images can be performed in laboratories at any institution.   

5  References 

[1]        Apache Web Server 2005. http://www.apache.org last accessed 1 October 2005.

[2]        ht://Dig 2005. http://www.htdig.org/ last accessed 1 October 2005.

[3]        Internet Engineering Task Force Request for Comments 2005. http://www.ietf.org last accessed 1 October 2005.

[4]        The Linux Document Project 2005. http://www.tldp.org last accessed 1 October 2005.

[5]        Linux Intrusion Detection System 2005. http://www.lids.org/ last accessed 2 October 2005.

[6]        Microsoft Windows 2005. http://www.microsoft.com last accessed 1 October 2005.

[7]        National Institute of Standards and Technology Computer Security Resource Center 2005. http://csrc.nist.gov/publications/nistpubs/index.html last accessed 2 October 2005.

[8]        Nessus Vulnerability Scanner 2005. http://www.nessus.org/ last accessed 2 October 2005.

[9]        The Perl Directory at Perl.org 2005. http://www.perl.org/ last accessed 1 October 2005.

[10]      RedHat Fedora Core Linux 2005. http://fedora.redhat.com last accessed 1 October 2005.

[11]      Rembo Auto-Deploy 2005. http://www.rembo.com/roii_eduandgov.htm last accessed 1 October 2005.

[12]      RPM Package Manager 2005. http://www.rpm.org/ last accessed 1 October 2005.

[13]      Security Enhanced Linux 2005. http://www.nsa.gov/selinux/index.cfm last accessed 1 October 2005.

[14]      Swish-e 2005. http://swish-e.org/ last accessed 2 October 2005.

[15]      Symantec Ghost™ Solution Suite 2005. http://sea.symantec.com/content/product.cfm?productid=9 last accessed 2 October 2005.

[16]      The Webalizer 2005. http://www.mrunix.net/webalizer/ last accessed 1 October 2005.

[17]      The Xen virtual machine monitor 2005. http://www.cl.cam.ac.uk/Research/SRG/netos/xen/ last accessed 1 October 2005.

[18]      Yellow dog Updater, Modified 2005. http://linux.duke.edu/projects/yum/ last accessed 2 October 2005.

[19]      Richter, N., Huth, M., and Thater, L., ADIOS 2005. http://os.cqu.edu.au/adios last accessed 1 October 2005.