6. System Administration

System administration is a huge topic that incorporates tasks such as configuring services, maintaining the health of the operating system, and keeping the system secure. Whole volumes have been devoted to teaching individuals how to administer a Linux distribution. As a developer, you should consider leaving the heavy lifting aspects of system administration to full-time system administrators.

However, that doesn’t mean that you should never take on some of the responsibilities of system administration. Some tasks you will want to be able to accomplish without having to bother a system administrator. These tasks include installing software and maintaining user accounts. This chapter focuses on the essential system administration tasks that all software developers should have in their skill set.

Essential Tasks

In almost all cases, you should log in to the system using a regular user account and avoid logging in as the root user (the system administrator account). Routinely executing commands as the root user is just asking for trouble.

The root user has full control over the system, including the capability to delete all files and directories. The problem with working as the root user on a regular basis is that you can potentially damage your operating system, making it unusable. For example, consider the following command (but don’t run this command!):

[root@fedora ~]$ rm -rf /

If you ran the preceding command while you were logged in as the root user, every file and directory on the system would be removed. As a regular user, this could result in loss of files in your home directory, but even that could be avoided by pressing Ctrl+C after you noticed all the error messages that would appear as you try to delete files that you don’t have permission to delete.

So to summarize, the best practice is this: Log in as a regular user and only assume the identity of the root user if you need to perform a specific task as the root user.

Gaining Access to the Root Account

You can use three techniques to assume the identity of the root user:

Log in directly as the root user: As previously mentioned, this is not the ideal method. Even system administrators avoid logging in directly as the root user.

Use the su command: With the su command you can switch user to the root account if you know the root password. This command opens a new shell, and in that new shell you can run commands as the root user. To return to your regular user account, you close the shell by executing the exit command.

Use the sudo command: With the sudo command, you can execute commands as the root user without having to even know the root password. However, this feature does need to be set up by the system administrator to work properly.

Let’s look at the su and sudo commands in a little more depth.

Using the su Command

To use the su command, execute the command as shown:

[student@localhost ~]$ id
uid=1000(student) gid=1000(student) groups=1000(student),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[student@localhost ~]$ su - root
Password:
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Note that the id command displays your current user account. In this case the id command wasn’t necessary because you can see the current user name in the prompt.

You will often see the argument root omitted when using the su command. If you don’t specify a user account name, the root user is assumed by default:

[student@localhost ~]$ su -
Password:
[root@localhost ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

The - option is not only strange because it lacks a character after the -, but it is also very important.1 Without the - character, you will not fully switch to the root user account because the login scripts for the root user do not execute. The best way to demonstrate the difference between using the - and not using it is by looking at the code in Listing 6.1.


Listing 6.1 The - option of the su command

[student@localhost ~]$ su root
Password:
[root@localhost student]# pwd
/home/student
[root@localhost student]# echo $PATH
/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/student/.local/bin:/home/student/bin
[root@localhost student]# exit
exit
[student@localhost ~]$ su - root
Password:
[root@localhost ~]# pwd
/root
[root@localhost ~]# echo $PATH
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin


Note that in Listing 6.1 when the - was not used, the current directory did not change and the value of the $PATH variable didn’t change to the value for the root user. Using the - character fully switches you to the root account, the current directory switches to the root user’s home directory, and the $PATH variable is set to the proper value for the root user (look at the end: /root/bin).

In many cases, it won’t matter if you use the - character or not. However, sometimes not fully switching to the root user account can cause problems. The best practice is to use the - character when switching to the root account.
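One concrete problem with omitting the -, as an added example that is not from the book: the root shell in Listing 6.1 kept /home/student/.local/bin and /home/student/bin in $PATH, and the student account can write to both. The function names and the /home prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the book). Function names are hypothetical.

# risky_path_entries PATH_STRING [HOME_PREFIX]
# String-only check: prints "<reason>: <entry>" for each entry that is empty
# or "." (current directory), relative, or located under HOME_PREFIX.
risky_path_entries() {
    printf '%s\n' "$1" | awk -F: -v home="${2:-/home}" '
    {
        for (i = 1; i <= NF; i++) {
            e = $i
            if (e == "" || e == ".") {
                print "current-directory: " (e == "" ? "(empty)" : e)
            } else if (substr(e, 1, 1) != "/") {
                print "relative: " e
            } else if (e == home || index(e, home "/") == 1) {
                print "user-home: " e
            }
        }
    }'
}

# writable_path_dirs PATH_STRING
# Live check: prints existing PATH directories that a non-root account could
# modify (not owned by uid 0, or group- or world-writable).
writable_path_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
        [ -d "$d" ] || continue
        # -H follows a symlinked directory such as /bin -> usr/bin
        find -H "$d" -maxdepth 0 \( ! -user 0 -o -perm -020 -o -perm -002 \) \
            -print 2>/dev/null || :
    done
}

# The two $PATH values printed in Listing 6.1
PATH_SU_PLAIN='/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/student/.local/bin:/home/student/bin'
PATH_SU_LOGIN='/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin'

echo "after 'su root':"
risky_path_entries "$PATH_SU_PLAIN"
echo "after 'su - root':"
risky_path_entries "$PATH_SU_LOGIN"
echo "directories in the current PATH that a non-root account can modify:"
writable_path_dirs "$PATH"
```

Run from a root shell, the last call reports what that shell would actually search; any directory it prints should be removed from root's $PATH.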


Important Note

Always remember that when you finish executing commands that require root privileges, switch back to your regular user account by executing the exit command.


Using the sudo Command

The sudo command allows you to execute commands as the root user without even knowing the root password but only if this feature has already been configured. On some distributions, notably Ubuntu and Mint, the sudo command is set up for the first user account by default:

bo@mintos:~ > sudo id
[sudo] password for bo:
uid=0(root) gid=0(root) groups=0(root)

Note that the password that was requested was not the root password, but rather the password of the current user (the bo user in this case). The sudo command takes another command as its argument and will execute that other command as the root user provided the correct password is provided and the sudo command has been set up correctly.

To set up the sudo command, add a line like the following in the /etc/sudoers file2:

bo      ALL=(ALL:ALL) ALL

The previous line would allow the user bo to use the sudo command to execute commands as the root user. Note that you can also apply this feature to entire groups3 as shown in the following:

bo@mintos:~ > sudo grep %sudo /etc/sudoers
%sudo ALL=(ALL:ALL) ALL
bo@mintos:~ > id
uid=1000(bo) gid=1000(bo) groups=1000(bo),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),111(sambashare)

So, the reason why the bo user in the previous example can execute commands as the root user using the sudo command is because the bo user is a member of the sudo group.

If you need to give sudo access to a user or group, first switch to the root account and then execute the visudo command. This command automatically edits the /etc/sudoers file using the vi or vim editor. One advantage of using the visudo command rather than the regular vi or vim editor is that the visudo command performs some basic error checking when you save your changes.
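A %group rule turns group membership into root access, so it helps to list which accounts a sudoers file actually reaches. The following is an added example, not from the book: it reads constructed sample files in sudoers, /etc/group and /etc/passwd format, and also reports accounts whose primary group is the granted group, which the group file's member list does not show. The function names, the %wheel rule and the tester account are assumptions.

```shell
#!/bin/sh
# Added example (not from the book). Simplified sudoers reading: only
# "user ..." and "%group ..." rule lines are understood; aliases, Defaults,
# #uid / %#gid forms and included files are skipped.

# sudo_capable_users SUDOERS GROUP_FILE PASSWD_FILE
# Prints "user<TAB>how the rule reaches them", sorted and de-duplicated.
sudo_capable_users() {
    LC_ALL=C awk '
    FILENAME == ARGV[1] {                     # sudoers-format file
        if (NF == 0 || $1 ~ /^[#@]/ || $1 ~ /^Defaults/ || $1 ~ /_Alias$/) next
        if (substr($1, 1, 1) == "%") { want[substr($1, 2)] = 1 }
        else                         { print $1 "\tuser rule" }
        next
    }
    FILENAME == ARGV[2] {                     # name:passwd:gid:member,member
        split($0, f, ":")
        if (!(f[1] in want)) next
        gid_name[f[3]] = f[1]                 # remember the gid for the passwd pass
        n = split(f[4], m, ",")
        for (i = 1; i <= n; i++) {
            if (m[i] != "") print m[i] "\t%" f[1] " (supplementary)"
        }
        next
    }
    FILENAME == ARGV[3] {                     # name:x:uid:gid:...
        split($0, f, ":")
        if (f[4] in gid_name) print f[1] "\t%" gid_name[f[4]] " (primary)"
    }' "$1" "$2" "$3" | LC_ALL=C sort -u
}

# Constructed sample files, modelled on the lines quoted in the text.
write_sample_files() {
    cat > "$1/sudoers" <<'EOF'
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
bo      ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
EOF
    cat > "$1/group" <<'EOF'
wheel:x:10:student,sarah
sudo:x:27:bo
staff:x:1003:sarah
EOF
    # tester has sudo (gid 27) as its primary group, as "useradd -g sudo" would set
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bo:x:1000:1000::/home/bo:/bin/bash
sarah:x:1002:1002::/home/sarah:/bin/bash
tester:x:1004:27::/home/tester:/bin/bash
EOF
}

demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
sudo_capable_users "$demo_dir/sudoers" "$demo_dir/group" "$demo_dir/passwd"
rm -rf "$demo_dir"
```

On a live system, sudo -l -U followed by an account name, run as root, shows what sudo itself would allow that account, including rules this simplified reader skips.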

Displaying Disk Usage

As a developer, displaying disk usage can be an important task. The amount of free space available will have an impact regarding what software you can install on the system. In addition, the programs you create might be very large or create large files, so displaying disk usage can be critical to making sure enough room exists for your program data.

On a Linux system, the space on the hard drive is broken into chunks called partitions or volumes. This is also true on other operating systems, such as Microsoft Windows; however, typically the result is a bit different. Making a partition out of an entire hard disk is common practice on Windows OS, whereas in Linux creating several partitions (or volumes4) on one hard disk is common.

To display these partitions, including how much space is available, execute the df command as shown in the following:5

[student@localhost ~]$ df -h
Filesystem               Size  Used Avail Use% Mounted on
/dev/mapper/centos-root  6.7G  4.1G  2.6G  61% /
devtmpfs                 1.9G     0  1.9G   0% /dev
tmpfs                    1.9G   88K  1.9G   1% /dev/shm
tmpfs                    1.9G   17M  1.9G   1% /run
tmpfs                    1.9G     0  1.9G   0% /sys/fs/cgroup
/dev/sda1                497M  196M  302M  40% /boot
tmpfs                    389M  8.0K  389M   1% /run/user/0

The Filesystem column is used to indicate the partition (/dev/sda1) or volume (/dev/mapper/centos-root). Lines that don’t represent a path to a file, such as devtmpfs or tmpfs, are memory-based filesystems and are not important for this topic.

The Mounted on column indicates to which directory structure the partition or volume is attached. Recall that, unlike Microsoft Windows, devices are not assigned drive letters but rather are placed under directory structures, like the /boot directory.

Based on the output of the df command, you can see how much space is available. For example, in the previous output, the /boot directory structure could support up to 302MB more data. Developers should normally keep track of the available space in the following directory structures:

/usr—Location where new software will be installed

/home—Home directories for regular users, including your own account

/tmp—A location to store temporary files. As a developer you might need to create a file to hold data while your program is executing. Placing this file in the home directory of the user who is running the program is not ideal (they might delete it accidentally). The /tmp directory is the best place to store such a file.


Note

If you don’t see /usr, /home, or /tmp in the Mounted on column of the output of the df command, then these directories are not separate partitions or volumes, but rather are part of the / directory structure.


Determining how much space the files in a specific directory use on the hard disk is also useful. This can be important when you want to see how much space the removal of some large files within a directory can free up. To see how much space the files in a directory (and all subdirectories) are using, use the du command:

[student@localhost ~]$ du -sh /usr/sbin
54M   /usr/sbin

The -s option displays a summary of the entire base directory, rather than each separate subdirectory. The -h option shows human-readable sizes.

Managing Software

Most of what appears in this book works the same (or at least similarly) on different distributions. Software management is different, because three different sets of tools are available to enable you to add and remove software. Which set of tools you use depends on the distribution on which you are working:

yum and rpm—These tools enable you to manage software on Red Hat Enterprise Linux, CentOS, Fedora, and other Red Hat–based distributions.

apt-get and dpkg—These tools enable you to manage software on Debian, Ubuntu, Mint, and other Debian-based distributions.

zypper and rpm—These tools enable you to manage software on SUSE and SUSE-based distributions.

The rpm and dpkg commands perform very similar tasks. Historically, they were designed to install software packages that had been downloaded to the local system. This function is now normally handled by the yum, apt-get, and zypper commands, which are used to both download the package and install it. These commands download the package from a server called a repository.

The advantage of the yum, apt-get and zypper commands over the rpm and dpkg commands is that package dependencies are automatically taken care of. So, if a package needs three other packages to work successfully, the yum, apt-get, and zypper commands would also download and install these packages.

You can also use all of these commands to remove software packages. Again, the yum, apt-get, and zypper commands have an advantage over the rpm and dpkg commands because they check dependency issues before removing the package. So, if you try to remove a package that is required by another package, an error message appears.

So why would you ever use the rpm or dpkg commands? The yum, apt-get, and zypper commands are really front-end programs that eventually run rpm and dpkg commands. The rpm and dpkg commands have some more powerful options that can’t be accessed by the yum, apt-get, or zypper commands, particularly options regarding querying information regarding packages. This is much more critical for system administrators than it is for developers, so you will likely run the yum, apt-get, and zypper commands much more often than rpm or dpkg.

Developers often install new software packages to enhance what features (or programming languages) they can use on the system. Keep in mind that installing and removing software requires root privileges.

Listing and Finding Software

Sometimes one of the challenges to installing software is trying to find the correct name for the software package. On Red Hat–based systems, you can execute the yum search command to query the repository for packages that match a word or pattern:

[root@localhost ~]# yum search editor | head
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: centos.mia.host-engine.com
* epel: linux.mirrors.es.net
* extras: mirrors.sonic.net
* updates: mirror.steadfast.net
======================== N/S matched: editor =========================
ckeditor.noarch : WYSIWYG text editor to be used inside web pages
ckeditor-samples.noarch : Sample files for ckeditor
dconf-editor.x86_64 : Configuration editor for dconf

The yum search command can produce a lot of output, so consider using the grep command to perform a secondary filter:

[root@localhost ~]# yum search editor | grep GUI
nedit.x86_64 : A GUI text editor for systems with X
root-guibuilder.x86_64 : GUI editor library for ROOT
torrent-file-editor.x86_64 : Qt based GUI tool designed to create and edit

To search for a package on a Debian-based system, use the apt-cache search term command (replace term with your search term). To search for a package on a SUSE-based system, use the zypper search term command.

To list currently installed packages on Red Hat–based systems, use the yum list installed command:

[root@localhost ~]# yum list installed | tail
yelp-libs.x86_64                    1:3.14.2-1.el7               @base
yelp-xsl.noarch                     3.14.0-1.el7                 @base
yum.noarch                          3.4.3-132.el7.centos.0.1     @base
yum-langpacks.noarch                0.4.2-4.el7                  @base
yum-metadata-parser.x86_64          1.1.4-10.el7                 @anaconda
yum-plugin-fastestmirror.noarch     1.1.31-34.el7                @base
yum-utils.noarch                    1.1.31-34.el7                @base
zenity.x86_64                       3.8.0-5.el7                  @base
zip.x86_64                          3.0-10.el7                   @anaconda
zlib.x86_64                         1.2.7-15.el7                 @base

The yum list installed command also produces a lot of output. Consider piping the output to the more or grep command. Note that the first column of the output of this command displays the package name, the second column displays the version of the package, and the third column displays the repository name where the package was installed from.

To list all installed packages on a Debian-based system, use the dpkg -l command. To list all installed packages on a Red Hat–based system, use the rpm -qa command.

Installing Software

On Red Hat–based systems, install a package using the yum install command as shown in Listing 6.2.


Listing 6.2 The yum install command

[student@localhost Desktop]$ su -
Password:
[root@localhost ~]# yum install kernel-doc
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: centos.mia.host-engine.com
* epel: linux.mirrors.es.net
* extras: mirrors.sonic.net
* updates: mirror.steadfast.net
Resolving Dependencies
--> Running transaction check
---> Package kernel-doc.noarch 0:3.10.0-327.28.2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================
 Package          Arch         Version                Repository     Size
==========================================================================
Installing:
 kernel-doc       noarch       3.10.0-327.28.2.el7    updates        13 M
Transaction Summary
==========================================================================
Install  1 Package
Total download size: 13 M
Installed size: 48 M
Is this ok [y/d/N]: y
Downloading packages:
kernel-doc-3.10.0-327.28.2.el7.noarch.rpm                  |  13 MB   00:03
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : kernel-doc-3.10.0-327.28.2.el7.noarch                        1/1
  Verifying  : kernel-doc-3.10.0-327.28.2.el7.noarch                        1/1
Installed:
  kernel-doc.noarch 0:3.10.0-327.28.2.el7
Complete!


To install a package on a Debian-based system, use the apt-get install command. To install a package on a SUSE-based system, use the zypper install command.


Removing Packages

Although developers often want to install packages on their own systems, they less commonly need to remove packages or perform more advanced package manipulation. The rpm and dpkg commands were mentioned in the event you want to learn more about package management, but this is normally something that interests system administrators more.

In the event you do want to remove a software package, switch to the root account and run the proper command for your distribution:6

yum remove package_name

apt-get remove package_name or apt-get purge package_name

zypper remove package_name


User Accounts

Typically, maintaining user accounts is the responsibility of the system administrator. However, this can also be an important task for a software developer because you might want to be able to test your software using different user accounts. For example, you might want to have different accounts to test access for unprivileged users to a database.

This section focuses on the basics of creating, modifying, and deleting user accounts, and also explores the topic of group accounts.

Adding User Accounts

To add a user account, you need root privileges. GUI-based tools are available that you can use to create user accounts. However, they differ between distributions. The command-line tools are easy enough and you can use them to quickly create user accounts.

To create a user account, execute the useradd command as shown in the following:

[root@localhost ~]# useradd julia
[root@localhost ~]# tail -1 /etc/passwd
julia:x:1001:1001::/home/julia:/bin/bash
[root@localhost ~]# ls /home
julia student

Notice the new entry in the /etc/passwd file, one of the files that contains user account information. To see details about the format of this file, execute the man 5 passwd command.

The new user was provided with a home directory automatically (/home/julia). This does not happen on all distributions; on some distros you must specify the name of the home directory with the -d option and tell the useradd command to create this home directory with the -m option:

[root@localhost ~]# useradd -d /home/julia -m julia

Typically the default settings for the user account are fine for accounts that you are creating for testing purposes. A few settings that you might want to modify include the following:

-s Specify the login shell. For example: -s /bin/tcsh

-g Specify the primary group for the account. For example: -g sudo

-G Specify the secondary group(s) for the account. For example: -G sudo,payroll

After creating the user account, assign the new account with a password by executing the passwd command as shown in the following:

[root@localhost ~]# passwd julia
Changing password for user julia.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.


Bad Passwords

You might get a warning message like the following when assigning a password to a user account:

BAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word

If the system you are working on has access to the Internet, you should heed this warning and use a more complex password. However, if this is an internal-only system, making a more complex password can be more trouble than it is worth.

Ask yourself, “Will I ever connect this system to the Internet?” If the answer is “yes,” make a more complex password.


Modifying User Accounts

To change a user account, use the usermod command. The usermod command accepts the same options as the useradd command. So, to change the login shell for a user, use the -s option as shown in the following:

[root@localhost ~]# grep julia /etc/passwd
julia:x:1001:1001::/home/julia:/bin/bash
[root@localhost ~]# usermod -s /bin/tcsh julia
[root@localhost ~]# grep julia /etc/passwd
julia:x:1001:1001::/home/julia:/bin/tcsh

If you look at the last field of data in the “julia” line of the /etc/passwd file, you can see that the login shell has changed from /bin/bash to /bin/tcsh.

Deleting User Accounts

To delete a user account, use the userdel command. If you want to delete both the account and the user’s home directory, use the -r option. Not using the -r option removes the account from the /etc/passwd file (and other files that contain user account information), but does not remove the user’s home directory and its contents.

[root@localhost ~]# userdel -r julia

Understanding Groups

Chapter 4, “Essential Commands” mentioned group accounts during the discussion on permissions. To understand how important group membership is, consider the output of the following commands:

[root@localhost ~]# id sarah
uid=1002(sarah) gid=1002(sarah) groups=1002(sarah)
[root@localhost ~]# ls -l /tmp/sample.txt
-rw-r-----. 1 root wheel 158 Aug 16 21:11 /tmp/sample.txt

Based on the output of the previous id command, you can see that the user sarah is a member of one group (the group named sarah). If you look at the output of the previous ls -l command, you can see that the /tmp/sample.txt file is owned by the user root and the wheel group. So, in this situation, the permissions for the user sarah are ---, the “others” section of permissions.

What if the root user wanted the user sarah to be able to view this file? By adding the user sarah to the wheel group, she would have the permissions r--, allowing her to view the contents of the file:

[root@localhost ~]# usermod -aG wheel sarah
[root@localhost ~]# id sarah
uid=1002(sarah) gid=1002(sarah) groups=1002(sarah),10(wheel)
[root@localhost ~]# ls -l /tmp/sample.txt
-rw-r-----. 1 root wheel 158 Aug 16 21:11 /tmp/sample.txt

Managing Groups

To create a new group, use the groupadd command:

[root@localhost ~]# groupadd staff

To add a user to a group, use the -G option to the usermod command. Very important: Make sure you use the -a option with the -G option. Using -G alone removes the user from all of their secondary groups. See the following for the wrong way to do this:

[root@localhost ~]# id sarah
uid=1002(sarah) gid=1002(sarah) groups=1002(sarah),10(wheel)
[root@localhost ~]# usermod -G staff sarah
[root@localhost ~]# id sarah
uid=1002(sarah) gid=1002(sarah) groups=1002(sarah),1003(staff)

Notice the output of the previous id commands. You can see that the usermod command removed the user sarah from the wheel group. The following demonstrates the right way to add a user to a group:

[root@localhost ~]# id sarah
uid=1002(sarah) gid=1002(sarah) groups=1002(sarah),10(wheel)
[root@localhost ~]# usermod -a -G staff sarah
[root@localhost ~]# id sarah
uid=1002(sarah) gid=1002(sarah) groups=1002(sarah),10(wheel),1003(staff)

To remove a group, you might want to first use the find command to search the filesystem for all files owned by that group:

[root@localhost ~]# find / -group staff -ls 2> /dev/null
27304379 4 -rw-r----- 1 root staff 158 Aug 16 21:11 /tmp/sample.txt

This is an important step because you should change the group ownership of these files to another group before removing the group. After you change the group ownership, you can use the groupdel command to delete the group:

[root@localhost ~]# chgrp wheel /tmp/sample.txt
[root@localhost ~]# ls -l /tmp/sample.txt
-rw-r-----. 1 root wheel 158 Aug 16 21:11 /tmp/sample.txt
[root@localhost ~]# groupdel staff


Linux Humor

If you are like me (or 99% of folks who work in Linux), you will eventually end up typing the command sl instead of the ls command. Why not make the result a bit more interesting than bash: sl: command not found...?

First, install the package named sl (choose the right command for your distribution):

yum install sl

apt-get install sl

zypper install sl

Now, type sl and press the Enter key!


Summary

A system administrator performs many additional tasks that were not covered in this chapter. However, the chapter did cover the administrative tasks that you, as a software developer, might routinely perform. You should now know to switch to the root account to perform system administration tasks. You also learned how to display disk usage, add and remove software, and manage group and user accounts.

1 The - option is the same as the -l or --login options.

2 Note that this is a very simple example and perfectly fine for a standalone system. However, for a system in which security is a concern, you should learn more about the sudo command or have a system administrator set up this feature.

3 A group in Linux is a collection of user accounts. Managing groups is covered in detail later in this chapter.

4 The difference between a partition and a volume is not critical for developers to understand. If you choose to become a system administrator, the difference becomes very important because they are managed differently. Because this book is for developers, I have chosen not to describe these differences. Consider them both to be a container where files and directories can be stored.

5 Use the -h option to show the output in human-readable sizes rather than one kilobyte block sizes.

6 The purge argument to apt-get removes the package entirely. The remove argument removes everything except the configuration files (left behind in case you reinstall the software at a later date).
