Gentoo Linux Installation Log
A super-complete Gentoo Linux installation. After reading it, I believe you will admire this author as much as I do; his perseverance and stamina truly exceed ordinary people's.
From: lloyd.bbs@bbs.nsysu.edu.tw (HUANG YU HSIN), Board: linux
Subject: [Log] Gentoo Linux Installation Log
Posted from: 中山計中美麗之島 (Sat Aug 17 18:54:19 2002)
Relay path: KKCITY!news.kkcity.com.tw!news.ee.ntu!bbs.ee.ntu!news.ntu!spring!news.n
Origin: bbs.nsysu.edu.tw
I really should go to sleep, but I can't suppress the excitement inside me.
If I don't write it down right now, I'll get lazy and never write it.
Besides, in a few hours, after I've slept, I may no longer be able to record how I feel right now.
Although I haven't finished installing yet (but it's almost done) (14:30),
I'm really too moved; you can't imagine how damn moved I am..
to express my feelings at this moment.
It's truly a cosmically invincible, perverse level of greatness.
Because really no words of praise can express how happy I am.
I downloaded a 16M ISO file and thought, hmm, such a small system, it must be like Debian:
install a small system, then download the files over the network and install (network install).
CD contents:
du -a
2 ./isolinux/boot.catalog
9 ./isolinux/isolinux.bin
1 ./isolinux/isolinux.cfg
1117 ./isolinux/kernel
1 ./isolinux/message.txt
7317 ./isolinux/rescue.gz
8448 ./isolinux
7962 ./stage1-ix86-1.2.tbz2
16412 .
After booting.. hmm, hardware detection is done quite well; it found my network card automatically via a hardware scan. <-- definitely a network-install type
Oh, busybox. Oh, and it opened six consoles. Oh, it tells me to read install.txt..
Not bad.. it has telnet, ifconfig, route, less, fdisk; quite a few tools.
This little system is really not bad.
nano <-- what's this.. oh, a tiny full-screen editor..
Below I quote install.txt as the explanation.. because I also followed it step by step.
For the details see their website; I'll only explain what I think is important.
Code listing 1
# modprobe pcnet32
(replace pcnet32 with your NIC module)
Code listing 2: modprobe the aic7xxx SCSI driver
# modprobe aic7xxx
# modprobe sr_mod
# modprobe sd_mod
Code listing 3: Loading PCMCIA kernel modules
# insmod pcmcia_core
# insmod i82365
# insmod ds
# cardmgr -f
My network card was detected directly, and I use IDE, so I didn't need to do any of this.
5. Configure installation networking
Code listing 5
# /sbin/ifconfig $IFACE $IPNUM broadcast $BCAST netmask $NMASK
# /sbin/route add -net default gw $GTWAY netmask 0.0.0.0 metric 1
I configured the network with a static IP.
Code listing 6: /etc/resolv.conf template
domain mydomain.com
nameserver 10.0.0.1
nameserver 10.0.0.2
Set up DNS; this is where nano comes in handy.. write one yourself:
nameserver 168.95.1.1
Network testing
Code listing 7: /sbin/ifconfig for a working network card
eth0 Link encap:Ethernet HWaddr 00:50:BA:8F:61:7A
inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::50:ba8f:617a/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1498792 errors:0 dropped:0 overruns:0 frame:0
TX packets:1284980 errors:0 dropped:0 overruns:0 carrier:0
collisions:1984 txqueuelen:100
RX bytes:485691215 (463.1 Mb) TX bytes:123951388 (118.2 Mb)
Interrupt:11
Great, the network works!!!
6. Set up partitions
Partition the disk with fdisk. Oh, devfs is really nice: it creates the device nodes automatically. Great.
The kernel on the CD supports four filesystems: XFS, ext2, ext3 (journaling) and ReiserFS.
OK! Plan your disk partitioning yourself.
Code listing 8
# mkswap /dev/hda2
Format swap
You can use the mke2fs command to create ext2 filesystems:
Code listing 9
# mke2fs /dev/hda1
Format ext2
To create an XFS filesystem, use the mkfs.xfs command:
Code listing 10
# mkfs.xfs /dev/hda3
Format XFS
Code listing 11
# mke2fs -j /dev/hda3
Format ext3
Code listing 12
# mkreiserfs /dev/hda3
Format ReiserFS
7. Mount partitions
Now, we'll activate our new swap, since we may need the additional
virtual memory that provides later:
Code listing 13
# swapon /dev/hda2
Enable swap
Next, we'll create the /mnt/gentoo and /mnt/gentoo/boot mountpoints,
and we'll mount our filesystems to these mountpoints.
Code listing 14
# mkdir /mnt/gentoo
# mount /dev/hda3 /mnt/gentoo
# mkdir /mnt/gentoo/boot
# mount /dev/hda1 /mnt/gentoo/boot
Anyway, mount them however you partitioned them.
8. Mounting the CD-ROM
Even though we've booted from the CD-ROM, the CD-ROM itself is not
mounted under our minimal Linux boot CD environment. We'll need to
mount it so that we can access the compressed build image tarball
contained on the CD-ROM. To mount the CD-ROM, one typically types:
Code listing 15
# mount /dev/cdroms/cdrom0 /mnt/cdrom -o ro -t iso9660
Mount the CD-ROM drive. Look at /dev/cdroms/cdrom0 there: not bad, eh? devfs...
9. Unpack the stage you want to use
Code listing 16
# cd /mnt/gentoo
# tar -xvjpf /mnt/cdrom/stage?-*.tbz2
# mount -o bind /proc /mnt/gentoo/proc
# cp /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
Unpack stage1-ix86-1.2.tbz2. Oh oh!! Now the small system is being installed.
(No, no, honestly this still can't be called a small system.) Explained in a moment.
Mount proc.
Copy the DNS settings over.
4.0k ./tmp
4.0k ./var/tmp
4.0k ./var/cache/edb/dep
16k ./var/cache/edb
20k ./var/cache
72k ./var/db/pkg/sys-apps/baselayout-1.7.8-r1
76k ./var/db/pkg/sys-apps
116k ./var/db/pkg/sys-kernel/linux-headers-2.4.18
120k ./var/db/pkg/sys-kernel
92k ./var/db/pkg/sys-libs/glibc-2.2.5-r2
96k ./var/db/pkg/sys-libs
60k ./var/db/pkg/sys-devel/gcc-2.95.3-r5
60k ./var/db/pkg/sys-devel/binutils-2.11.92.0.12.3-r2
124k ./var/db/pkg/sys-devel
420k ./var/db/pkg
424k ./var/db
4.0k ./var/run
4.0k ./var/lock/subsys
8.0k ./var/lock
4.0k ./var/log/news
8.0k ./var/log
4.0k ./var/spool/locate
8.0k ./var/spool
4.0k ./var/lib/misc
8.0k ./var/lib
488k ./var
12k ./etc/env.d
4.0k ./etc/cron.hourly
4.0k ./etc/cron.daily
4.0k ./etc/cron.weekly
4.0k ./etc/cron.monthly
12k ./etc/modules.d
16k ./etc/conf.d
8.0k ./etc/ppp
96k ./etc/init.d
12k ./etc/skel
4.0k ./etc/runlevels/default
4.0k ./etc/runlevels/boot
4.0k ./etc/runlevels/nonetwork
4.0k ./etc/runlevels/single
20k ./etc/runlevels
304k ./etc
920k ./sbin
4.4M ./usr/bin
148k ./usr/lib/python2.2/site-packages
120k ./usr/lib/python2.2/lib-old
304k ./usr/lib/python2.2/lib-tk
344k ./usr/lib/python2.2/test/output
112k ./usr/lib/python2.2/test/data
2.4M ./usr/lib/python2.2/test
472k ./usr/lib/python2.2/encodings
88k ./usr/lib/python2.2/email
196k ./usr/lib/python2.2/compiler
20k ./usr/lib/python2.2/hotshot
232k ./usr/lib/python2.2/distutils/command
600k ./usr/lib/python2.2/distutils
56k ./usr/lib/python2.2/xml/dom
12k ./usr/lib/python2.2/xml/parsers
68k ./usr/lib/python2.2/xml/sax
144k ./usr/lib/python2.2/xml
36k ./usr/lib/python2.2/curses
40k ./usr/lib/python2.2/plat-linux2
120k ./usr/lib/python2.2/config
980k ./usr/lib/python2.2/lib-dynload
7.8M ./usr/lib/python2.2
332k ./usr/lib/portage/bin
8.0k ./usr/lib/portage/lib
344k ./usr/lib/portage
12k ./usr/lib/misc
28k ./usr/lib/find
12k ./usr/lib/awk
8.0k ./usr/lib/gcc-lib/i486-pc-linux-gnu/2.95.3/include/asm
8.0k ./usr/lib/gcc-lib/i486-pc-linux-gnu/2.95.3/include/gnu
180k ./usr/lib/gcc-lib/i486-pc-linux-gnu/2.95.3/include
2.9M ./usr/lib/gcc-lib/i486-pc-linux-gnu/2.95.3
2.9M ./usr/lib/gcc-lib/i486-pc-linux-gnu
2.9M ./usr/lib/gcc-lib
12M ./usr/lib
188k ./usr/sbin
36k ./usr/include/linux/byteorder
8.0k ./usr/include/linux/isdn
40k ./usr/include/linux/lockd
96k ./usr/include/linux/mtd
184k ./usr/include/linux/netfilter_ipv4
48k ./usr/include/linux/netfilter_ipv6
68k ./usr/include/linux/nfsd
68k ./usr/include/linux/raid
68k ./usr/include/linux/sunrpc
4.7M ./usr/include/linux
636k ./usr/include/asm
388k ./usr/include/sys
540k ./usr/include/bits
16k ./usr/include/gnu
28k ./usr/include/scsi
60k ./usr/include/net
64k ./usr/include/arpa
92k ./usr/include/netinet
24k ./usr/include/protocols
8.0k ./usr/include/netipx
8.0k ./usr/include/netash
12k ./usr/include/netax25
8.0k ./usr/include/netatalk
8.0k ./usr/include/netrom
8.0k ./usr/include/netpacket
8.0k ./usr/include/netrose
8.0k ./usr/include/neteconet
120k ./usr/include/rpc
272k ./usr/include/rpcsvc
8.0k ./usr/include/nfs
448k ./usr/include/python2.2
8.7M ./usr/include
4.0k ./usr/src
4.0k ./usr/portage
4.0k ./usr/X11R6/include/GL
8.0k ./usr/X11R6/include
4.0k ./usr/X11R6/share
4.0k ./usr/X11R6/lib
4.0k ./usr/X11R6/man
24k ./usr/X11R6
4.0k ./usr/share/man
4.0k ./usr/share/info
4.0k ./usr/share/doc
680k ./usr/share/misc
36k ./usr/share/bison
8.0k ./usr/share/terminfo/l
8.0k ./usr/share/terminfo/x
8.0k ./usr/share/terminfo/v
28k ./usr/share/terminfo
20k ./usr/share/tabset
780k ./usr/share
4.0k ./usr/local/games
4.0k ./usr/local/lib
4.0k ./usr/local/sbin
4.0k ./usr/local/share/doc
4.0k ./usr/local/share/man
12k ./usr/local/share
4.0k ./usr/local/bin
4.0k ./usr/local/src
36k ./usr/local
1.7M ./usr/i486-pc-linux-gnu/bin
88k ./usr/i486-pc-linux-gnu/lib/ldscripts
92k ./usr/i486-pc-linux-gnu/lib
4.0k ./usr/i486-pc-linux-gnu/include
1.8M ./usr/i486-pc-linux-gnu
28M ./usr
4.0k ./home
4.0k ./opt
4.0k ./root
4.0k ./proc
4.0k ./lib/dev-state
2.3M ./lib
4.0k ./mnt/floppy
4.0k ./mnt/cdrom
4.0k ./mnt/.init.d
16k ./mnt
4.0k ./dev/pts
4.0k ./dev/shm
28k ./dev
4.0k ./boot
1.9M ./bin
34M .
I wanted to list all the files, but it's really too long; just take a quick look!
Anyone with a sharp eye should see what I'm getting at.
It has no kernel, and not even the tools to make it boot. Crazy, right!
The few simple tools it has are all provided by busybox,
but here's the point: it does have a gcc compiler and python,
and most of the 34M is eaten up by those two.
Code listing 17
# chroot /mnt/gentoo /bin/bash
# env-update
Regenerating /etc/ld.so.cache...
# source /etc/profile
chroot onto the hard disk. OK! If you want to say that being able to chroot makes it a small system,
then fine, I'll accept that. :-) Whatever, let's count it.
Set up the environment: ldconfig, plus PATH and the other environment variables the shell uses.
10. Rsync
Code listing 18
# emerge rsync
Heh heh! Fetching files remotely; rsync pulled the data back. Fetching binaries??
It fetches the whole path of the portage source tree.
How about that, doesn't it look like ports! It really does. cvsup, heh heh.
11. Progressing from stage1 to stage2
Now you've finally finished the first stage; come on, there's a second stage too.
Code listing 19
# nano -w /etc/make.conf (Adjust these settings)
This file is the magic file behind Gentoo's performance; it's used to set your
CFLAGS and CXXFLAGS parameters.
The file is listed below:
GENTOO_MIRRORS="http://www.ibiblio.org/gentoo"
#SYNC="cvs://:pserver:anonymous@gentoo.org:/home/anoncvs"
# Uncomment to use Lukemftp for download
# you need to merge lukemftp first!
#FETCHCOMMAND='/usr/bin/lukemftp -s -a -o ${DISTDIR}/${FILE} ${URI}'
#RESUMECOMMAND='/usr/bin/lukemftp -s -a -R -o ${DISTDIR}/${FILE} ${URI}'
# Uncomment if you wanna use Prozilla for download
# you need to merge prozilla first!
#FETCHCOMMAND='/usr/bin/proz --no-getch -s ${URI} -P ${DISTDIR}'
# Pentium Pro/Pentium II/Pentium III+/Pentium 4/Athlon optimized (but binaries
# will run on any x86 system)
#CHOST="i686-pc-linux-gnu"
#CFLAGS="-mcpu=i686 -O3 -pipe"
#CXXFLAGS="-mcpu=i686 -O3 -pipe"
# Pentium Pro/Pentium II/Pentium III+/Pentium 4/Athlon exclusive (binaries
# will use the P6 instruction set and only run on P6+ systems)
CHOST="i686-pc-linux-gnu"
CFLAGS="-march=i686 -O3 -pipe"
CXXFLAGS="-march=i686 -O3 -pipe"
# Pentium/Pentium MMX+ exclusive (requires a Pentium Classic or K6 or beyond)
#CHOST="i586-pc-linux-gnu"
#CFLAGS="-march=i586 -O3 -pipe"
#CXXFLAGS="-march=i586 -O3 -pipe"
# PowerPC exclusive (requires a PPC)
#CHOST="powerpc-unknown-linux-gnu"
#CFLAGS="-O2 -pipe"
#CXXFLAGS="-O2 -pipe"
Afraid it's too long, I'll just show a few highlights: the mirror site location,
the cvs location, which tool is used to fetch files (wget by default if unset),
and the compile MAGIC parameters!!!!!!! Quite a lot of platforms.
Code listing 20
# cd /usr/portage
# scripts/bootstrap.sh
I just rsynced portage, so now there's data here.
This script is the gcc-compiles-gcc process I mentioned in my previous posts:
i486-gcc compiles static binutils
i486-gcc compiles static i686-gcc
static i686-gcc compiles glibc <-- when I got to here I should have been about halfway,
and six hours had already passed by then
static i686-gcc compiles shared i686-gcc
Actually it compiles some other things too, but I didn't look closely; I recall tools like gettext.
Those interested can look for themselves.
Code listing 22
# export CONFIG_PROTECT=""
# emerge --pretend system
[lists the packages to be installed]
# emerge system
Check which tools you still have to compile <-- note: compile, not install binaries.
emerge system; OK, the files are fetched, start making!!!!
..
.....
...... then the long wait!!!!!!! By the time this make finished, about 10 hours had passed.
Note!!! We still don't have a kernel!!!!!!
Not even lilo has been done yet.
Keep going!!
13. Final steps: timezone
Code listing 23
# ln -sf /usr/share/zoneinfo/path/to/timezonefile /etc/localtime
glibc is in place, so the timezone can be set <- maybe the ln tool only exists from this point, who knows :-)
Link Asia/Taipei.
14. Final steps: kernel and system logger
Code listing 24
# emerge sys-kernel/gentoo-sources
Fetch the kernel source. Cool, huh! The whole thing, top to bottom, is built with make.
Tell me that's not perverse!! It's the perfect kind of perverse.
Code listing 25
# cd /usr/src/linux
# make menuconfig
# make dep && make clean bzImage modules modules_install
# mv /boot/bzImage /boot/bzImage.orig [if bzImage already exists]
# cp /usr/src/linux/arch/i386/boot/bzImage /boot
Needless to say: make the kernel.
make menuconfig <-- I remember building the ncurses lib earlier was hard work.
Don't expect it to make the choices for you; choose carefully yourself.. if you're lazy and it won't boot later, go ahead and cry.
Luckily there's the rescue CD. But still choose carefully. Since you choose yourself, the CPU model must be right.
Network, disk, filesystems. Don't select devfs <-- absolutely not.
It only uses it during installation; in practice it probably doesn't. Fine, to be honest,
I'm just not confident about devfs, so I didn't select it. But my install succeeded anyway... heh heh heh heh
Code listing 26
# emerge sys-apps/sysklogd
# rc-update add sysklogd default
or
# emerge app-admin/syslog-ng
# rc-update add syslog-ng default
or
# emerge app-admin/metalog
# rc-update add metalog default
Install a syslog; pick one.. I chose sysklogd <-- because I know it.. heh heh
Code listing 27
# emerge sys-apps/dcron
# crontab /etc/crontab
or
# emerge sys-apps/fcron
# crontab /etc/crontab
or
# emerge sys-apps/vcron
Also pick a crontab.. this is the first time I've learned there are so many crons.
Whatever, I picked dcron.
If you're using XFS, you should emerge the xfsprogs ebuild:
Code listing 28
# emerge sys-apps/xfsprogs
If you're using LVM, you should emerge the lvm-user ebuild:
Code listing 29
# emerge --usepkg sys-apps/lvm-user
These two are no use to me.. I didn't do them.
16. Final steps: /etc/fstab
It seems everything since 13 has been "Final steps" <-- damn it
It's like being strung along by mom: almost there, almost there.
Code listing 30
# /etc/fstab: static file system information.
#
# noatime turns off atimes for increased performance (atimes normally aren't
# needed; notail increases performance of ReiserFS (at the expense of storage
# efficiency). It's safe to drop the noatime options if you want and to
# switch between notail and tail freely.
#
# NOTE: If your BOOT partition is ReiserFS, add the notail option to opts.
/dev/BOOT /boot ext2 noauto,noatime 1 2
/dev/ROOT / ext3 noatime 0 1
/dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro 0 0
proc /proc proc defaults 0 0
That's right!! Edit it yourself with nano! Cool, huh!!!
Final steps: set the root password
Mom, how much further until we get there??? Almost, almost......
Before you forget, set the root password by typing:
Code listing 31
# passwd
Don't forget to set a password for root... without one you can't get in.
Final steps: /etc/hostname
Mom, I'm so tired! Almost there, almost there, one sip of water and we're there!!
Edit this file so that it contains your fully-qualified domain name on
a single line, i.e. mymachine.mydomain.com.
Give your machine a name...
nano /etc/hostname, and write down your machine's name. Sweetie.
Actually I'm quite glad it's not VI; nano is a bit like emacs, a bonus.
Vi and vim people, switch to emacs.. stop being poisoned by Bill Joy.
Final steps: /etc/hosts
Mom, you lied, why aren't we there yet?? OK, OK, almost, almost
This file contains a list of ip addresses and their associated
hostnames. It's used by the system to resolve the IP addresses of any
hostnames that may not be in your nameservers. Here's a template for
this file:
Code listing 32
127.0.0.1 localhost
# the next line contains your IP for your local LAN, and your associated machine name
192.168.1.1 mymachine.mydomain.com mymachine
Add your own machine's entry...
Final network configuration
Mom, why aren't we there yet?? Finish this and you'll get to ride in the car!!
Add the names of any modules that are necessary for the proper
functioning of your system to /etc/modules.autoload file (you can also
add any options you need to the same line.) When Gentoo Linux boots,
these modules will be automatically loaded. Of particular importance
is your ethernet card module, if you happened to compile it as a
module:
Code listing 33: /etc/modules.autoload
3c59x
This file is for auto-loading modules; same approach as debian, just a different filename.
Damn! Of course, since I compiled it myself, it's built right into the kernel! And there I was standing around like an idiot! If you're going to be perverse, go all the way.
Edit the /etc/conf.d/net script to get your network configured for
your first boot:
Code listing 34
# nano -w /etc/conf.d/net
# rc-update add net.eth0 default
Folks, take a look: does this look more like FreeBSD or like Slackware?
I think it's more like BSD.
# Copyright 1999-2002 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License, v2 or later
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/conf.d/net,v 1.4 2002/05/12 21:48:18 azarah Exp $
# This is basically the ifconfig argument without the ifconfig $iface
#
iface_eth0="192.168.23.33 broadcast 192.168.23.255 netmask 255.255.252.0"
#iface_eth1="207.170.82.202 broadcast 207.0.255.255 netmask 255.255.0.0"
See, the same, right!!! Beautiful.
# For DHCP set iface_eth? to "dhcp"
# For passing options to dhcpcd use dhcpcd_eth?
#
#iface_eth0="dhcp"
#dhcpcd_eth0="..."
# For adding aliases to a interface
#
#alias_eth0="192.168.0.3 192.168.0.4"
# NB: The next is only used for aliases.
#
# To add a custom netmask/broadcast address to created aliases,
# uncomment and change accordingly.
#
#broadcast_eth0="192.168.0.255"
#netmask_eth0="255.255.255.0"
# For setting the default gateway
#
gateway="eth0/192.168.23.26"
Awesome!!
Code listing 35: Multiple network interfaces
# cd /etc/init.d
# cp net.eth0 net.ethx
# rc-update add net.ethx default
I didn't look closely, but rc-update appears to be for configuring runlevels.
That's right, it's a runlevel script..
If you have a PCMCIA card installed, have a quick look into
/etc/init.d/pcmcia to verify that things seem all right for your
setup, then add
Code listing 36
depend() {
need pcmcia
}
PCMCIA, step aside! Not my concern.
Code listing 37: basic configuration
# nano -w /etc/rc.conf
Cool, huh! Cool, huh! Cool, huh!
rc.conf!!!!!!!
I vaguely recall Slackware does the same thing, but it's been too long and I don't remember clearly!
FreeBSD, I can confirm, does it this way.
Right!! Slackware is half BSD, half SYSV. So is this Gentoo!!
# Copyright 1999-2001 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License, v2 or later
# Author: Daniel Robbins
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/rc.conf,v 1.10 2002/04/28 08:18:00 azarah Exp $
# /etc/rc.conf: Global startup script configuration settings
# Use KEYMAP to specify the default console keymap. There is a complete tree
# of keymaps in /usr/share/keymaps to choose from. This setting is used by the
# /etc/init.d/keymaps script.
KEYMAP="us"
# CONSOLEFONT specifies the default font that you'd like Linux to use on the
# console. You can find a good selection of fonts in /usr/share/consolefonts;
# you shouldn't specify the trailing ".psf.gz", just the font name below.
# To use the default console font, comment out the CONSOLEFONT setting below.
# This setting is used by the /etc/init.d/consolefont script (NOTE: if you do
# not want to use it, run "rc-update del consolefont" as root).
CONSOLEFONT="default8x16"
# CONSOLETRANSLATION is the charset map file to use. Leave commented to use
# the default one. Have a look in /usr/share/consoletrans for a selection of
# map files you can use.
#CONSOLETRANSLATION="8859-1_to_uni"
# Set CLOCK to "UTC" if your system clock is set to UTC (also known as
# Greenwich Mean Time). If your clock is set to the local time, then set CLOCK
# to "local". This setting is used by the /etc/init.d/clock script.
CLOCK="UTC"
# Set protocols to the protocols that you plan to use. Gentoo Linux will only
# enable module auto-loading for these protocols, eliminating annoying module
# not found errors.
# Num Protocol
# 1: Unix
# 2: IPv4
# 3: Amateur Radio AX.25
# 4: IPX
# 5: DDP / appletalk
# 6: Amateur Radio NET/ROM
# 9: X.25
# 10: IPv6
# 11: ROSE / Amateur Radio X.25 PLP
# 19: Acorn Econet
# Most users want this:
PROTOCOLS="1 2"
#For IPv6 support:
#PROTOCOLS="1 2 10"
# What display manager do you use ? [ xdm | gdm | kdm ]
#DISPLAYMANAGER=xdm
# XSESSION is a new variable to control what window manager to start
# default with X if run with xdm, startx or xinit. The default behavior
# is to look in /etc/X11/Sessions/ and run the script in matching the
# value that XSESSION is set to. The support scripts is smart enouth to
# look in all bin directories if it cant find a match in /etc/X11/Sessions/,
# so setting it to "enligtenment" can also work. This is basically used
# as a way for the system admin to configure a default system wide WM,
# allthough it will work if the user export XSESSION in his .bash_profile, etc.
#
# NOTE: this behaviour is overridden when a ~/.xinitrc or ~/.xsession exists
# for the particular program run ( ~/.xinitrc for startx, ... ).
#
# Defaults depending on what you install currently include:
#
# Gnome - will start gnome-session
# KDE - will start startkde
# Xsession - will start a terminal and a few other nice apps
#XSESSION=Gnome
Final steps: configure GRUB
Mom, are we there yet! My arms have no strength left!!! Come, look, look, isn't that grandma GRUB's house right over there?
Mom, why isn't it grandma LILO.. who is grandma GRUB??? Why are we going to grandma GRUB's house!! It's so far!
Grandma GRUB is prettier! Grandma LILO is cute too! Grandma GRUB's house is nicer; anyway, come over and have a look, OK?
Oh!!! What do I do, I've never used it. Oh well, there's still the rescue CD. Grandma GRUB, here I come.
Code listing 38
# grub
You'll be presented with the grub> grub command-line prompt. Now, you
need to type in the right commands to install the GRUB boot record
onto your hard drive. In my example configuration, I want to install
the GRUB boot record on my hard drive's MBR (master boot record), so
that the first thing I see when I turn on the computer is the GRUB
prompt. In my case, the commands I want to type are:
Code listing 39
grub> root (hd0,0)
grub> setup (hd0)
grub> quit
Code listing 40: /boot/grub/menu.lst (edit it with nano -w /boot/grub/menu.lst)
default 0
timeout 30
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
title=My example Gentoo Linux
root (hd0,0)
kernel /boot/bzImage root=/dev/hda3
# Below needed only for people who dual-boot
title=Windows NT Workstation
root (hd0,5)
chainloader +1
Don't ask me.. I just typed it in as shown. I don't understand it either; anyway, grandma LILO is pretty capable too. Whatever; if you don't like it, switch back.
17. Installation complete!
Damn! There's still more.
Code listing 41
# exit
// This exits the chrooted shell; you can also type ^D
# cd /
# umount /mnt/gentoo/boot
# umount /mnt/gentoo/proc
# umount /mnt/gentoo
# reboot
Exit the chroot, umount all the partitions, reboot!!!
== Done ==
No, not done!!
My GRUB seems to have been configured wrong, but luckily GRUB understands the filesystem,
so it can load the kernel directly by filename and boot.
Wow!! Even copying FreeBSD doesn't have to be this faithful...
After all this, you have a system you made yourself!! Brand new!! Golden!!!
In total, about: /usr <-- 571M, / <-- 53M
The time I finished was about (16:27)
OK! It's now (18:10)
I think I started around (01:00) or (0:10)-something this morning!!
I've gone 24-9+18=33 hours without sleep!!
The installation took about 15 hours. Time isn't important!!
What's important is that I saw a wonderful performance!! Really, it really was wonderful.
It's like when we build a tall building, there's always a tower crane on top of the structure, right?
It grows with the floors, climbing three storeys at a time, and when the building is finished the tower crane
has to dismantle itself, coming down piece by piece. There's an order and a process to it. Truly a gem of craftsmanship.
I take back what I said in my previous posts about finding time to install stage1.tbz2 using debian.
I'll leave that part for the other heroes on the net to try!
Please forgive me... thanks.. so tired
Because getting from the current environment to X <--- is still so far, far, far away....
And my machine is so slow, so slow...
Linux ADSL Multipath Routing Solution
Explains how to use Linux's Equal-Cost MultiPath Routing (ECMP)
feature to combine the bandwidth of two lines.
Linux ADSL Multipath Routing Solution
By Tommy Wu
Some time ago, the organization I work for decided to cancel the leased line we had been using and switch to ADSL for Internet access. To reduce the impact of an ADSL line dropping, we applied for one single-machine T1/384 ADSL line each from SeedNet and HiNet.
However, ISPs don't seem to offer a service that combines the bandwidth of two lines, let alone lines from two different ISPs, so I decided to use Linux's Equal-Cost MultiPath Routing (ECMP) feature to solve the problem myself.
For instructions on configuring ECMP, see
http://www.study-area.org/tips/m_routing.htm
Initially I handled it with the feature above, but found the efficiency wasn't very good. Because routing decisions are not made per packet, a given outbound session only ever uses one line, so it still frequently happened that one line had hardly any traffic while everyone was crowded onto the other.
The iproute2 documentation mentions an equalize parameter that spreads packets across different lines, but the kernel needs an extra patch for it to work. Searching online, I found this patch:
http://www.van-dijk.net/linuxkernel/200212/att-0980/01-equalize_2.4.18.patch
After testing, it really does send packets over different lines simultaneously. Here is how to do it:
1. You need the iproute2 package. Also, since the kernel has to be patched, the related tools are required.
2. Download linux-2.4.18.tar.bz2 from www.kernel.org together with the patch above.
I've applied this patch to every version after 2.4.18 and it worked fine; I haven't tried earlier kernels, so I don't know... In any case, 2.4.18 should be the most stable release of the 2.4 series, so if you're still on an old kernel, I recommend upgrading to it.
tommywu@fw:/usr/src$ tar jxvf linux-2.4.18.tar.bz2
..
..
tommywu@fw:/usr/src$ cd linux
tommywu@fw:/usr/src/linux$ patch -p1 < ../01-equalize_2.4.18.patch
patching file Documentation/networking/load-balancing.txt
patching file include/linux/in_route.h
patching file net/ipv4/fib_semantics.c
patching file net/ipv4/ip_output.c
patching file net/ipv4/route.c
patching file net/ipv4/udp.c
This patch doesn't add any configuration options, so you can configure your kernel using the options from the ECMP document above, then make a new kernel and use it. I usually select the following:
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_LARGE_TABLES=y
3. After rebooting with the kernel above, the equalize parameter should be usable. Most of the configuration is the same as in the ECMP document, with only the extra equalize parameter. For example:
# external interface
EXT_IF="eth0"
# HiNet IP
EXT_IP1="111.111.111.111"
EXT_MASK1="24"
GW1="111.111.111.1"
# SeedNet IP
EXT_IP2="222.222.222.222"
EXT_MASK2="24"
GW2="222.222.222.1"
# assign the IPs
ip addr add $EXT_IP1/$EXT_MASK1 dev $EXT_IF
ip addr add $EXT_IP2/$EXT_MASK2 dev $EXT_IF
# HiNet routing
ip rule add from $EXT_IP1 lookup 201
ip route add default via $GW1 dev $EXT_IF table 201
# SeedNet routing
ip rule add from $EXT_IP2 lookup 202
ip route add default via $GW2 dev $EXT_IF table 202
# default route
ip route replace default equalize \
    nexthop via $GW1 dev $EXT_IF \
    nexthop via $GW2 dev $EXT_IF
# flush the route cache
ip route flush cache
With the configuration above we can use the two lines combined. For a T1/384 ADSL line, upload bandwidth normally reaches about 40KB; now, with this patch, let's try uploading a file:
tommywu@hisstby:/usr/src$ ftp ftp.teatime.com.tw
Connected to www.teatime.com.tw.
220 ProFTPD 1.2.5rc1 Server (Debian) [211.23.144.122]
Name (ftp.teatime.com.tw:tommywu): tommy
331 Password required for tommy.
Password:
230 User tommy logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bin
200 Type set to I.
ftp> put patch-2.4.19-pre6.bz2
local: patch-2.4.19-pre6.bz2 remote: patch-2.4.19-pre6.bz2
200 PORT command successful.
150 Opening BINARY mode data connection for patch-2.4.19-pre6.bz2.
226 Transfer complete.
3858685 bytes sent in 49.92 secs (75.5 kB/s)
ftp> quit
221 Goodbye.
tommywu@hisstby:/usr/src$
It exceeds 40KB, which means both lines really are being used at the same time to transmit.
If you're interested, you can look at the traffic at:
http://fw1.tahsda.org.tw/stats/mrtg/
http://fw2.tahsda.org.tw/stats/mrtg/
Note that only outbound packets are under our control; inbound packets are not, so outbound traffic looks similar on the different lines, but inbound traffic won't necessarily. To control inbound traffic you would probably have to use DNS.
Next, consider changing the routing table when one line goes down. ADSL routers should all support SNMP, so we can use SNMP to tell whether a line is down. First make sure your Linux has the snmpd and snmp packages.
We have two ways to handle this; the first uses snmp traps.
For the Alcatel 340, the default password should be 12345.
After telnet 192.168.1.1, enter the password; at the > prompt type snmp to enter the snmp> configuration menu; typing snmp trap help shows:
snmp trap add
- add a trap destination
snmp trap delete
- delete a trap destination
snmp trap flush - delete all trap destinations
snmp trap list - list trap destinations
Assuming the IP that receives the traps is 192.168.1.254, type
snmp trap add public 192.168.1.254
and that's it. That machine should then receive the corresponding snmp traps.
For the HiNet/SeedNet lines above, if they are on the same subnet you first have to change the IP of one of the ATU-Rs; both default to 192.168.1.1, so we change one of them to 192.168.1.2.
Then install snmptrapd on the 192.168.1.254 machine and add the following two lines to /etc/snmp/snmptrapd.conf:
traphandle .1.3.6.1.6.3.1.1.5.2 /usr/local/bin/adsl_up
traphandle .1.3.6.1.6.3.1.1.5.3 /usr/local/bin/adsl_down
Then write two scripts, adsl_up and adsl_down, to change the route table.
Roughly:
#!/bin/bash
read DUMMY_HOST
read ROUTE_IP
case "$ROUTE_IP" in
    192.168.1.1)
        ip route replace default ....
        ;;
    *)
        echo "snmp traps from unknown ip?"
esac
This way you'll be notified by the ATU-R every time a line drops or comes back.
Alternatively, if you don't want to use snmp traps and prefer polling, actively querying the line status, you can use snmpwalk. With the example above, first run
snmpwalk 192.168.1.1 public interfaces.ifTable.ifEntry
This prints a pile of data; look for the index the adsl is at, which is 20:
interfaces.ifTable.ifEntry.ifDescr.20 = ADSL physical interface
interfaces.ifTable.ifEntry.ifType.20 = adsl(94)
The line status is at
interfaces.ifTable.ifEntry.ifOperStatus.20 = up(1)
up(1) means connected, so running
snmpwalk 192.168.1.1 public interfaces.ifTable.ifEntry.ifOperStatus.20
gives
interfaces.ifTable.ifEntry.ifOperStatus.20 = up(1)
When the line is down, the above will no longer show the up(1) state.
So you can write an adsl_test script:
snmpwalk 192.168.1.1 public interfaces.ifTable.ifEntry.ifOperStatus.20 |
grep "up(1)" | wc -l
If you get 0, the line is down.
That's how to query the line with snmpwalk. I use this on an Alcatel 340 and it correctly reports the line state. On the other hand, on the Cisco 677 at my home, in bridge mode, snmpwalk always reports up(1), so the line state can't be determined that way... but when something changes, the corresponding snmp traps are still received.
Each method has its pros and cons: the first can't tell the initial state, and the second can't detect a state change immediately, so usually both are used together. For the example above, we can use the following script:
#!/bin/bash
# chk_adsl: check the status of ADSL and change routing table
# SNMP tree
SNMP_KEY="interfaces.ifTable.ifEntry.ifOperStatus.20"
# external interface
EXT_IF="eth0"
# HiNet IP
EXT_ATUR1="192.168.1.1"
EXT_IP1="111.111.111.111"
EXT_MASK1="24"
GW1="111.111.111.1"
# SeedNet IP
EXT_ATUR2="192.168.1.2"
EXT_IP2="222.222.222.222"
EXT_MASK2="24"
GW2="222.222.222.1"
# 1 if the ATU-R reports ifOperStatus up(1), 0 otherwise (also 0 if unreachable)
STATUS1=`snmpwalk $EXT_ATUR1 public $SNMP_KEY | grep "up(1)" | wc -l`
STATUS2=`snmpwalk $EXT_ATUR2 public $SNMP_KEY | grep "up(1)" | wc -l`
if [ "$STATUS1" = "0" ]; then
    if [ "$STATUS2" = "0" ]; then
        # all lines down: nothing to route through, just notify
        echo -e "\n\
ALL ADSL DOWN!\n\
Date: $(date)\n\
Host: $(hostname)\n\
" | /bin/mail -s "$(date) ALL ADSL DOWN!" root
    else
        # ATUR1 down, ATUR2 up: send everything via GW2
        echo -e "\n\
ADSL $EXT_ATUR1 DOWN!\n\
Date: $(date)\n\
Host: $(hostname)\n\
" | /bin/mail -s "$(date) ADSL $EXT_ATUR1 DOWN!" root
        ip route replace default via $GW2 dev $EXT_IF
        ip route flush cache
    fi
else
    if [ "$STATUS2" = "0" ]; then
        # ATUR1 up, ATUR2 down: send everything via GW1
        echo -e "\n\
ADSL $EXT_ATUR2 DOWN!\n\
Date: $(date)\n\
Host: $(hostname)\n\
" | /bin/mail -s "$(date) ADSL $EXT_ATUR2 DOWN!" root
        ip route replace default via $GW1 dev $EXT_IF
        ip route flush cache
    else
        # all lines up: equalize across both gateways again
        echo -e "\n\
ALL ADSL UP!\n\
Date: $(date)\n\
Host: $(hostname)\n\
" | /bin/mail -s "$(date) ALL ADSL UP!" root
        ip route replace default equalize \
            nexthop via $GW1 dev $EXT_IF \
            nexthop via $GW2 dev $EXT_IF
        ip route flush cache
    fi
fi
With the script above, we just point the relevant traphandle entries in snmptrapd.conf at this script, and the appropriate action is taken according to the line status. Of course, if you have more than two lines, I think you can adapt the approach above and try it yourself.
The latest version of this document is available at:
http://www.teatime.com.tw/~tommy/doc/multipath.txt
MySQL Replication
- This document covers one-way replication between two MySQL servers.
-Starting in Version 3.23.15, MySQL supports one-way replication internally.
- References
1. http://www.mysql.com/doc/en/Replication.html
- Test environment
RedHat 7.3 + MySQL 3.23.49
MySQL data directory: /var/lib/mysql
MySQL config file: /etc/my.cnf
Master IP: 192.168.1.1
Slave IP: 192.168.1.2
- Setup steps: Master/Slave
- Configure the Master
1. Confirm that the MySQL versions installed on the Master and Slave machines can do replication. Use Version 3.23.29 or higher.
2. On the Master MySQL, grant an account for the Slave:
# mysql -u root -p
mysql> GRANT FILE ON *.* TO repl@192.168.1.2 IDENTIFIED BY 'abc123';
mysql> \q
#
The above grants, on the Master, an account repl with password abc123 to IP 192.168.1.2 with file-handling privileges.
3. Shut down MySQL on the Master
# mysqladmin -u root -p shutdown
4. Back up all databases on the Master.. usually with the tar command.
# tar -cvf /tmp/mysql-snapshot.tar /var/lib/mysql
Note: when tarring, MySQL must be stopped.
However, the FAQ on the mysql website has a method that doesn't require a shutdown.
5. On the master machine, edit /etc/my.cnf
and add these parameters in the [mysqld] section:
log-bin
server-id=1 (here we set server-id=1)
sql-bin-update-same
binlog-do-db=phpBB (only log the phpBB database)
6. Restart MySQL on the master
Because the log-bin parameter was added, an index is now generated: in the /var/lib/mysql directory there is a .index file recording the database change logs.
- Next, configure the Slave
7. On the slave, edit /etc/my.cnf
and add in the [mysqld] section:
master-host=
master-user=
master-password=
master-port=
server-id=
Here we set:
master-host=192.168.1.1
master-user=repl
master-password=abc123
master-port=3306
server-id=2
master-connect-retry=60 (default retry interval, 60 seconds)
replicate-do-db=phpBB (tells the slave to only update the phpBB database)
log-slave-updates
8. Copy mysql-snapshot.tar from the master to the slave
Transfer it by ftp to /tmp on the slave
9. Extract it
# cd /var/lib/
# tar xvf /tmp/mysql-snapshot.tar
# chown -R mysql:mysql mysql
# chmod -R 770 mysql (as needed)
10. Restart MySQL on the slave server
Now master.info appears in the /var/lib/mysql directory; this file records information about the Master MySQL server.
- Scenario tests
1. With the Master and Slave network and services both working normally, change data on the Master,
then browse the data on the Slave and check whether replication happened?!
2. Simulate the Slave going down; this applies when the slave really goes down, or when the slave doesn't need to stay connected to the master all the time.
Shut down the Slave MySQL server, change data on the Master, and browse on the slave:
the Slave should not have been updated by replication. Then start the Slave MySQL server again;
by default, after 60 seconds the Slave will try to request replication from the Master. Check on the Slave again whether the data was updated?!
3. Simulate the Master going down. Nothing can be done, because this is one-way replication. Once the Master is down,
the Slave has no Master source to download from, so nothing can be done.
4. Because of point 3, two-way replication was developed, where A and B each take both the Master and Slave roles.
- The following covers two-way replication between two MySQL servers
The concept is the same as one-way replication, except that the Master also takes the Slave role, and the Slave also takes the Master role.
First, on both A and B, grant an identity for replication:
[A] mysql> GRANT FILE ON *.* TO repl@192.168.1.2 IDENTIFIED BY 'abc123';
[B] mysql> GRANT FILE ON *.* TO repl@192.168.1.1 IDENTIFIED BY 'abc123';
After completing one-way replication, stop the MySQL service on A and B; at this point the data on A and B is identical.
Edit the /etc/my.cnf settings.
Example:
Server A
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
server-id=1
log-bin
sql-bin-update-same
binlog-do-db=phpBB
master-host=192.168.1.2
master-user=repl
master-password=abc123
log-slave-updates
master-connect-retry=60
replicate-do-db=phpBB
Server B
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
server-id=2
log-bin
sql-bin-update-same
binlog-do-db=phpBB
master-host=192.168.1.1
master-user=repl
master-password=abc123
log-slave-updates
master-connect-retry=60
replicate-do-db=phpBB
After starting MySQL on A and B, both sides now have the Master/Slave roles;
whenever data changes on one side, the other is notified to replicate.
- If replication fails, my approach is to delete master.info, .index and .00x on both A and B,
then restart the MySQL servers one by one, test, and check the result.
- Extending two-way replication gives a replication chain/(circular), i.e. A->B->C->...(->A)
Conceptually, a chain is an extension of one-way replication, and circular is a chain whose tail connects back to its head.
For example A-B-C-A:
A is B's master, B is C's master, and C is A's master.
Put the other way round,
B is A's slave, C is B's slave, and A is C's slave.
Just add the corresponding master/slave parameters to the [mysqld] section of each /etc/my.cnf.
Declaring as a master:
server-id=x where x is the host id = 1, 2, 3
log-bin
sql-bin-update-same
binlog-do-db=phpBB
Defining as a slave:
master-host=192.168.1.x where x is the host ip = 1, 2, 3
master-user=repl
master-password=abc123
log-slave-updates
master-connect-retry=60
replicate-do-db=phpBB
- Tests
1. With all servers (A/B/C) running normally, a data change on any one of them notifies its slave to replicate.
2. Simulate one of them going down, e.g. B. When A changes, because B is down the chain is broken, so C is not updated.
So the drawback of this chain approach is that when one link fails, everything after it stops being updated,
but you can manually change master: change the next node's master from the failed node to the previous working node.
The advantage is that many servers hold replicated backups.
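The A->B->C->A ring and the manual "change master" recovery described above, as an added example in Python (written for this page, not part of myz's document): it generates each node's [mysqld] settings following the page's pattern (server-id = position in the ring, master-host = predecessor, so the last host is the first host's master), checks that the master-host links really close into one ring with unique server-ids, and rewires the failed node's slave to the previous working node. Host addresses, database and account values are the page's sample values; the function names are my own.

```python
from typing import Dict, List


def ring_configs(hosts: List[str], db: str = "phpBB", user: str = "repl",
                 password: str = "abc123") -> Dict[str, str]:
    """[mysqld] section per host for a circular chain given in ring order.

    Host i gets server-id i+1 and replicates from host i-1; for i == 0 that is
    the last host, which is what makes C the master of A.
    """
    if len(hosts) < 2:
        raise ValueError("a replication ring needs at least two hosts")
    if len(set(hosts)) != len(hosts):
        raise ValueError("duplicate host address in ring")
    configs = {}
    for i, host in enumerate(hosts):
        master = hosts[i - 1]
        lines = [
            "[mysqld]",
            f"server-id={i + 1}",        # master role: unique id, binary log
            "log-bin",
            "sql-bin-update-same",
            f"binlog-do-db={db}",
            f"master-host={master}",     # slave role: pull from predecessor
            f"master-user={user}",
            f"master-password={password}",
            "log-slave-updates",         # re-log replicated rows so they travel on
            "master-connect-retry=60",
            f"replicate-do-db={db}",
        ]
        configs[host] = "\n".join(lines) + "\n"
    return configs


def parse_mysqld(cfg: str) -> Dict[str, str]:
    """Minimal key=value reader for the [mysqld] lines above (flags map to '')."""
    opts: Dict[str, str] = {}
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def check_ring(configs: Dict[str, str]) -> List[str]:
    """Problems that silently break the chain: duplicate server-id, master-host
    outside the ring, missing log-slave-updates, or links that do not visit
    every host exactly once and return to the start."""
    problems = []
    parsed = {h: parse_mysqld(c) for h, c in configs.items()}
    ids = [p.get("server-id") for p in parsed.values()]
    if len(set(ids)) != len(ids):
        problems.append("server-id values are not unique")
    for host, opts in parsed.items():
        if opts.get("master-host") not in parsed:
            problems.append(f"{host}: master-host {opts.get('master-host')!r} is not in the ring")
        if "log-slave-updates" not in opts:
            problems.append(f"{host}: log-slave-updates missing, updates stop here")
    start = next(iter(parsed))
    seen: List[str] = []
    cur = start
    while cur in parsed and cur not in seen:
        seen.append(cur)
        cur = parsed[cur].get("master-host", "")
    if cur != start or len(seen) != len(parsed):
        problems.append("master-host links do not form one closed ring")
    return problems


def bypass_failed(configs: Dict[str, str], failed: str) -> Dict[str, str]:
    """The manual 'change master' from the page: the node that replicated from
    the failed host is pointed at the failed host's own master, and the failed
    host is dropped from the ring."""
    if len(configs) < 3:
        raise ValueError("bypassing would leave fewer than two hosts in the ring")
    parsed = {h: parse_mysqld(c) for h, c in configs.items()}
    if failed not in parsed:
        raise KeyError(failed)
    upstream = parsed[failed]["master-host"]
    new = {}
    for host, cfg in configs.items():
        if host == failed:
            continue
        if parsed[host]["master-host"] == failed:
            cfg = cfg.replace(f"master-host={failed}\n", f"master-host={upstream}\n")
        new[host] = cfg
    return new


if __name__ == "__main__":
    ring = ring_configs(["192.168.1.1", "192.168.1.2", "192.168.1.3"])
    print(check_ring(ring))                        # [] when the ring is sound
    print(check_ring(bypass_failed(ring, "192.168.1.2")))
```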
-------------
Author: myz
Last updated:
2002/09/06
Secure MySQL Database Design
When it comes to installing software, secure design is often the last consideration.
The first goal is usually just to get it to work. This is particularly true of databases.
Databases are commonly referred to as the keys to the kingdom:
meaning that once they are compromised,
all the valuable data that is stored there could fall into the hands of the attacker.
With this in mind, this article will discuss various methods to secure databases,
specifically one of the most popular freeware databases in use today, MySQL.
Introduction to MySQL
MySQL can be found at http://www.mysql.com or at http://sourceforge.net/projects/mysql/.
MySQL is used in over 4 million installations all over the world. It is licensed under both the GNU GPL (General Public License) and commercial licenses, depending on the level of support you require; its large user community makes it easier to find help when running it under the GPL without a support contract. There are actually four versions of MySQL:
MySQL Standard includes the standard table types (MyISAM) as well as the InnoDB table type, which is touted as a "transaction-safe, ACID-compliant database" with some additional features over the standard version.
MySQL Pro is the commercial version.
MySQL Max includes the newer features that are still in early access programs.
MySQL Classic is the standard table types without InnoDB. This is another commercial version.
Most of the recommendations discussed in this article apply to all versions of MySQL unless otherwise noted.
Introducing Security Into MySQL Design
As with securing a network, securing a database by looking at the various layers that are involved is an effective approach. Security of databases can be defined as preventing unauthorized or accidental disclosure, alteration, or destruction of data [2]. In addition, the confidentiality of data that exists in the database must be considered, as should the availability of that data. The following section will discuss a secure database design; while not all-inclusive, it should provide a good, basic starting point.
Three-Tier Design
Also referred to as n-tier design, this design incorporates the three layers of a Web application running on different servers, usually set apart by firewalls that have specific rules to only let traffic through to the specific port on a specific server at whichever layer that the user is trying to access:
Internet -> Firewall -> Web -> Firewall -> Application -> Firewall -> Database
The diagram also shows that such a design is costly to implement: firewalls and servers are not cheap. Often a sysadmin will choose a compromise and combine the application and database servers. This isn't ideal from a security perspective, but it is a vast improvement over leaving a sensitive database facing the Internet directly. The point is that if one of the layers closest to the Internet is compromised, several more layers still have to be compromised before the vital information can be reached.
Access Control
Access to the information contained in the tables must be properly regulated. This can be done by controlling direct access to the tables, and also through views. Views, and the privileges assigned to them, can be created to limit users to only the portions of a table they need to see [2]. Using selection, projection and joins, a view can present a subset of a single table or a combination of several related tables. Read, insert, update and delete rights on those views must also be assigned appropriately.
Roles
Role-based access control should be considered when adding access to any database. Typical roles include administrator, user, programmer and operator. For the first three roles it is fairly obvious what access should be granted; it is the operator role that can be a sticking point. Operators are expected to play an essential part in the production operation of a system, yet they are often restricted in the type of access they are granted. Segregation of duties should be considered for the operator role, instead of granting one operator control over an entire process. Operators' roles need to be carefully defined and kept within the realm of production support as much as possible. Furthermore, all roles should have logging enabled to keep track of what occurs [3].
Integrity
Another key ingredient in database design is data integrity, or ensuring that the data stored in the database is in fact valid and accurate. It is best to determine very early in the design process who will be responsible for the integrity of the database. No matter the sensitivity of the data (credit card information vs. your record collection), if the data isn't right, then what good is the database? Once the owner is determined, they should keep this role and the access that goes with it, and not dole it out to others, lest it become diluted and the data possibly corrupt.
A good process for ensuring the integrity of the data includes understanding what is processed and then identifying what can be considered personal, critical, or proprietary. As with any security issue, risk must be assigned according to the likelihood that something could happen to that data and the potential effect of such an occurrence. Most of all, accountability must be assigned and designed into the environment where the database resides. Otherwise, the goals of privacy and security cannot be met [3].
Encryption
The sensitivity of the data will logically determine the need for the use of encryption. There are a few things to consider when thinking about implementing encryption:
Will the data stored in the database need to be encrypted or just the user passwords?
Will you need to encrypt the data only in the local instance of the database, or do you need to also encrypt the data in transit?
Change Control
It is important to remember that changes made to the database, whether structural or to the data itself, must be tracked and regulated by interested parties. Whether formal or informal, the process must be defined and followed by all roles defined in the database structure.
Specific MySQL Security Considerations
Now that we have covered some of the general principles of database security, we can examine some specific considerations for the MySQL database. Please note that many variables mentioned in the following discussion are set in the "my.cnf" file. Its location depends on how MySQL was installed. You can create the file yourself, or start from one of the sample files that come with the distribution (see the "support-files" directory). If you want the parameters to apply to all MySQL users, place "my.cnf" in /etc; if you want them to apply to specific users, put the file in their home directory as ".my.cnf". Make sure that the appropriate permissions are applied wherever the file resides: mysqld and the client programs read it, so an unauthorized user who can write to it can change how the server and every client behave, and if it holds passwords (as the replication configuration earlier on this page does), it must not be world-readable either.
A discussion of the basic post-installation configuration of MySQL is beyond the scope of this discussion. For that information, please refer to the MySQL documentation, Post-Installation Set-up and Testing, and Setting Up the Initial MySQL Privileges, as well as Ryan W. Maple's article MySQL Security.
The MySQL Permission Model
In order to fully implement a secure MySQL database, it is necessary to learn the MySQL access control system (your friends the GRANT and REVOKE commands). There are four privilege levels that apply:
Global: these privileges apply to all databases on a server.
Database: these privileges apply to all tables in a database.
Table: these apply to all columns within a table.
Column: these apply to individual columns in a table.
The syntax of the two commands (as of MySQL 4.0) is:
GRANT priv_type [(column_list)] [, priv_type [(column_list)] ...]
ON {tbl_name | * | *.* | db_name.*}
TO user_name [IDENTIFIED BY [PASSWORD] 'password']
[, user_name [IDENTIFIED BY 'password'] ...]
[REQUIRE
NONE |
[{SSL| X509}]
[CIPHER cipher [AND]]
[ISSUER issuer [AND]]
[SUBJECT subject]]
[WITH [GRANT OPTION | MAX_QUERIES_PER_HOUR # |
MAX_UPDATES_PER_HOUR # |
MAX_CONNECTIONS_PER_HOUR #]]
REVOKE priv_type [(column_list)] [, priv_type [(column_list)] ...]
ON {tbl_name | * | *.* | db_name.*}
FROM user_name [, user_name ...]
The privileges can get very granular, so it is important that they are used in a well planned fashion. The privilege types include the following (the list is not complete; INSERT, INDEX, REFERENCES and the administrative privileges FILE and PROCESS, discussed below, exist as well):
Alter
Delete
Create
Drop
Execute
Select
Update
Once a database is completely set up, these privileges should be reviewed before it goes into use, to ensure that they were set up appropriately.
For instance, to give only the user kristyw the ALTER privilege on a table called CreditCards (in the current database), you would run:
mysql> GRANT ALTER ON CreditCards TO kristyw
    -> IDENTIFIED BY 'password';
This could take some time if multiple privileges for the same user are to be added. In this case wildcards can be used, but use caution in doing so! You never want to add more privilege than is necessary or intended. Further, if a user account is compromised, blanket permissions to numerous hosts can open up unexpected trust relationships between systems. Additionally, leaving the host part of an account blank is itself a wildcard: kristyw above is the same as 'kristyw'@'%', i.e. the account may connect from any host [7].
For example, say the user kristyw should now have all privileges to everything in the database, and should also be required to connect over SSL:
mysql> GRANT ALL ON *.* TO kristyw
    -> IDENTIFIED BY 'password' REQUIRE SSL;
(ALL on *.* is the full superuser set, including the FILE and PROCESS privileges discussed below; it is shown here for the syntax, not as a recommendation.)
The wildcards that apply to GRANT and REVOKE are: "*", which as *.* indicates global privileges; "_" and "%", which are pattern characters in a database name given to GRANT, so a database name containing an underscore must be written with a backslash in front of it ("my\_db") or the grant also matches other databases; and "%", which is also the wildcard in host names.
Another privilege controlled via GRANT and REVOKE is the PROCESS privilege, which should be restricted to appropriate users. Through "mysqladmin processlist" (or SHOW PROCESSLIST) it shows the statements other users are executing, so disclosure of a password is possible whenever someone has run a query such as "UPDATE user SET password=PASSWORD('not_secure')". Furthermore, restrict the FILE privilege. It allows the assigned user to write a file (SELECT ... INTO OUTFILE) wherever the mysqld daemon has write access, and to read any file in the filesystem that the mysqld user can read (LOAD DATA INFILE, LOAD_FILE()) [7].
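A worked set of grants for the model described in this section, added here as an example and not taken from the article. It assumes MySQL 4.0.2 or later, a database phpBB (the one replicated earlier on this page) with a table CreditCards(id, holder, number); the account names, hosts and passwords are placeholders.

```sql
-- Added example, not from the article. Assumes MySQL 4.0.2+, a database
-- phpBB with a table CreditCards(id, holder, number); accounts, hosts and
-- passwords are placeholders.

-- 1. The article's ALTER example written out in full: without "@host"
--    the account would be kristyw@'%' (any host), so pin it to one.
GRANT ALTER ON phpBB.CreditCards TO 'kristyw'@'192.168.1.20'
    IDENTIFIED BY 'password';

-- 2. A web application account: column-level SELECT (it never needs the
--    card number), row INSERTs, no DELETE/DROP/ALTER, no FILE or PROCESS,
--    from the application host only, over SSL only, and rate-limited so a
--    stolen credential cannot dump the table quickly.
GRANT SELECT (id, holder), INSERT ON phpBB.CreditCards
    TO 'webapp'@'192.168.1.10' IDENTIFIED BY 'long-random-secret'
    REQUIRE SSL
    WITH MAX_QUERIES_PER_HOUR 5000
         MAX_UPDATES_PER_HOUR 500
         MAX_CONNECTIONS_PER_HOUR 100;

-- 3. Never hand the web tier ALL on *.*; if it has happened, take it back.
REVOKE ALL PRIVILEGES ON *.* FROM 'webapp'@'192.168.1.10';

-- 4. Review before go-live. What can each account do?
SHOW GRANTS FOR 'webapp'@'192.168.1.10';

-- Who holds the two dangerous global privileges?
SELECT user, host FROM mysql.user
 WHERE File_priv = 'Y' OR Process_priv = 'Y';

-- Which accounts can connect from any host, or are anonymous?
SELECT user, host FROM mysql.user
 WHERE host = '%' OR user = '';
```

The two SELECTs on mysql.user are the checks to repeat after every change to the grant tables; any row they return needs a justification.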
More Advanced Tips…
If a database only needs to be accessed locally, TCP networking can be disabled. You can achieve this by editing the safe_mysqld script (located in /mysql_install_dir/bin). Search for "skip-locking" and add the --skip-networking flag at the beginning of the line that includes "--skip-locking", so that the two mysqld invocations end with:
--skip-networking --skip-locking >> $err_log 2>&1
--skip-networking --skip-locking "$@" >> $err_log 2>&1
Now no one will be able to connect to the database over TCP; local clients keep working through the Unix socket [4]. The same effect, without editing a script that the next upgrade will overwrite, comes from a skip-networking line in the [mysqld] section of my.cnf. Either way this also stops replication and any remote administration tool, since both need TCP.
Start mysqld with --skip-symlink (called --skip-symbolic-links in later releases) so that table files in the data directory are never followed through symbolic links. Otherwise anyone who can place a symbolic link in the data directory can make mysqld, which runs with the privileges of whoever started it, overwrite or delete an arbitrary file, accidentally or deliberately, so it is best to just remove their usage.
To prevent a denial of service by one compromised or careless user account, restrict the number of simultaneous connections per account by setting the max_user_connections variable in mysqld. It can be viewed with SHOW VARIABLES LIKE 'max_user_connections' and changed with the SET command; the MAX_CONNECTIONS_PER_HOUR clause of GRANT shown above limits a single account instead of all of them [7].
There are a few ways to encrypt stored data in a MySQL database with built-in functions: ENCRYPT() and ENCODE(). The difference between the two is that ENCRYPT() uses the Unix crypt() call (one-way, so the value can only be compared, not recovered), whereas ENCODE() uses a password given in the call and can be reversed with DECODE(). The MD5() and SHA1() hash functions are also available, as are AES_ENCRYPT()/AES_DECRYPT() and DES_ENCRYPT()/DES_DECRYPT(). (Note: SHA1, DES and AES are only available in version 4.0.2 and later.) Keep the categories apart: MD5 and SHA1 are one-way digests for fingerprinting or lookups, not storage you can read back, and of the reversible functions AES is the one to prefer; ENCODE() is not a strong cipher.
By default, account passwords are stored in the mysql.user table as one-way hashes produced by PASSWORD(), never in clear. Also by default, passwords in MySQL are unrelated to operating system passwords. There is no length limit on passwords in MySQL; they can be as short or as long as you want (though the OS may limit what can be typed). User names can be up to sixteen characters. MySQL enforces no complexity rules, so any strict password parameters will have to be set by policy and enforced by auditing. Overall, just make sure that all accounts have passwords, as you should for operating system accounts.
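An added example (not from the article) of the difference between the reversible and the one-way functions just listed, assuming MySQL 4.0.2 or later for AES_ENCRYPT() and SHA1(); the table, the keys and the values are placeholders.

```sql
-- Added example, not from the article. Assumes MySQL 4.0.2+. The keys are
-- placeholders: in practice they come from the application, never from a
-- table or from my.cnf.

CREATE TABLE card (
    id      INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    holder  VARCHAR(64)  NOT NULL,
    pan_enc TINYBLOB     NOT NULL,   -- AES output is binary, padded to 16 bytes
    pan_key CHAR(40)     NOT NULL,   -- hex SHA1, equality lookups only
    KEY (pan_key)
);

-- Store: the number encrypted (recoverable with the key) plus a keyed
-- digest so the application can find a card without decrypting every row.
-- A plain SHA1 of a 16-digit number is brute-forceable, hence the secret
-- prefix; it is still only a lookup token, not a second copy of the data.
INSERT INTO card (holder, pan_enc, pan_key)
VALUES ('A Example',
        AES_ENCRYPT('4111111111111111', 'aes-key-placeholder'),
        SHA1(CONCAT('lookup-secret-placeholder', '4111111111111111')));

-- Read back: only a caller holding the AES key sees the number.
SELECT holder, AES_DECRYPT(pan_enc, 'aes-key-placeholder') AS pan
  FROM card
 WHERE pan_key = SHA1(CONCAT('lookup-secret-placeholder', '4111111111111111'));

-- Wrong key: AES_DECRYPT() usually returns NULL (padding check fails),
-- occasionally garbage, never an error; the application must check for it.
SELECT AES_DECRYPT(pan_enc, 'wrong-key') IS NULL AS bad_key FROM card;

-- Digests cannot be reversed by anyone, including you: SHA1('...') and
-- MD5('...') are for comparison only. Account passwords work the same way,
-- which is why mysql.user holds PASSWORD() output rather than ciphertext.
SELECT user, host, password FROM mysql.user WHERE user = 'kristyw';
```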
All the Other Goodies
Another thing to keep in mind when securing your database is all of the other possible tools that are installed on your server. If you are on a tight budget, and have placed your Web server with the database (which is still not recommended), then tools like Apache, PHP or Java may be loaded on the same server. If these tools are not kept up-to-date (just as with the OS), then possible exploits may apply, and the server may be vulnerable to intrusion.
The same principle applies to the other utility packages that may be loaded on your server, such as: SSH, zlib, or wu-ftp. Always remember to apply security checklists to your servers, know what is running on them, and keep up with the latest vulnerabilities.
We have considered many things here to design into the database itself, but one item that needs to be considered is how the traffic is transmitted between the client and the server. If the data is sensitive and/or going over the Internet, then SSL should be employed. Version 4.0 of MySQL will satisfy this requirement. To have your version of MySQL use SSL, configure it with the following flags: --with-vio --with-openssl.
There are also ways to lock down the usage of SSL once it is properly installed. If an account is created with REQUIRE SSL, no non-SSL connection can be made with it. Be cautious with REQUIRE X509, though: on its own it only requires that the client present a valid certificate signed by a CA the server trusts, not a particular one, so anyone holding such a certificate qualifies. Add the other REQUIRE options (ISSUER, SUBJECT) to pin the account to a specific certificate. Lastly, REQUIRE CIPHER requires that a particular cipher, and so key length, be used [6].
For older versions of MySQL, an encrypted SSH tunnel is a viable option.
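The REQUIRE variants above, as an added example that is not from the article. It assumes a server built with --with-vio --with-openssl and started with ssl-ca, ssl-cert and ssl-key set in my.cnf; the account, the distinguished names and the cipher name are placeholders, and the three GRANTs are alternatives, since each later GRANT replaces the REQUIRE clause of the earlier one for the same account.

```sql
-- Added example, not from the article. Assumes MySQL 4.0 built with
-- --with-vio --with-openssl and configured with ssl-ca/ssl-cert/ssl-key.
-- Account, DNs and cipher are placeholders.

-- 0. Is SSL compiled in and active? 'YES' is required; 'DISABLED' means
--    compiled in but no certificate configured, and REQUIRE SSL accounts
--    will then simply be unable to log in.
SHOW VARIABLES LIKE 'have_openssl';

-- 1. Encrypted transport, password authentication, any client certificate
--    or none: protects the password and the data on the wire, nothing more.
GRANT SELECT ON phpBB.* TO 'reporting'@'192.168.1.%'
    IDENTIFIED BY 'reporting-password'
    REQUIRE SSL;

-- 2. REQUIRE X509 alone: any certificate signed by a CA in the server's
--    ssl-ca file is accepted, so every holder of such a certificate plus
--    the password passes. It is not a binding to one client.
GRANT SELECT ON phpBB.* TO 'reporting'@'192.168.1.%'
    IDENTIFIED BY 'reporting-password'
    REQUIRE X509;

-- 3. Bind the account to one certificate (issuer and subject must match
--    exactly) and refuse weak ciphers. This is the form to use.
GRANT SELECT ON phpBB.* TO 'reporting'@'192.168.1.%'
    IDENTIFIED BY 'reporting-password'
    REQUIRE SUBJECT '/C=TW/O=Example/CN=reporting-client'
        AND ISSUER  '/C=TW/O=Example/CN=Example Internal CA'
        AND CIPHER  'DHE-RSA-AES256-SHA';

-- 4. From a client session, confirm the link is really encrypted:
--    an empty value means the connection is in plaintext.
SHOW STATUS LIKE 'Ssl_cipher';
```

The subject and issuer strings are compared as the one-line OpenSSL DN form; obtain them from the actual client certificate (openssl x509 -noout -subject -issuer) rather than typing them by hand.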
And All That Other Stuff…
Don't forget the other layers of your servers! The security of the operating system, of server authentication and of server access control must all be taken care of as well, because if these are weak, why bother securing your database?
Database Backups
Another area that often gets lost in the layers of security is the critical area of database backup and recovery. Whatever backup type is used, testing the recovery of data is mandatory. Further, since version 3.23.47, checkpointing (saving a consistent copy of the database at defined points while processing continues) has been improved to happen more frequently, which also eases recovery. With frequent checkpointing, transaction logging (now available with InnoDB) and regular backup copies, backup and recovery of databases becomes more straightforward.
Specifically, the InnoDB transactional model allows for commit, rollback and crash recovery. Its row-level locking makes concurrent access by many users faster and more stable. To ensure that InnoDB is available with your installation, configure your package with the --with-innodb flag. You will also want to specify InnoDB options in your my.cnf file. Details on these set-up options can be found in the MySQL documentation on InnoDB start-up options.
Add-Ons
As is the case with many popular freeware tools, MySQL has spawned many other tools that help with the management of MySQL databases, and thus with their security as well. If you are looking for a tool to scan your network for blank MySQL passwords, try the MySQL Network Scanner script. It was originally written for Linux to scan a class C network, but could be modified if needed.
There are several GUI consoles available to make the management of MySQL databases easier. For instance, MySQL Explorer allows several management tasks to be done through an interface that runs on several Windows platforms. The MySQL team also has a beta version called MySQLGUI, available as source code. Just keep in mind when using graphical tools and editors to manage a MySQL database that security applies to them as well: use ACLs (in the grant tables, and in the firewalls between the tiers) to make sure that only certain hosts can connect to your database on certain ports.
Conclusion
Many of the standard secure database design principles apply to MySQL. Of course, it has many of its own intricacies that need to be understood and audited carefully before any database is fully implemented. Lastly, it is important to keep in mind that other layers of security apply when hosting a database, such as network and operating system security. The good news is that the makers of MySQL have an excellent documentation area on their Web site that, although sometimes cumbersome to navigate, is well stocked with information for the MySQL developer and administrator.
References
[1] Gary W. Hansen and James V. Hansen, Database Management and Design, Prentice Hall, 1992
[2] Roy Ageloff, A Primer on SQL, Times Mirror/Mosby College Publishing, 1988
[3] Shaku Atre, Database: Structured Techniques for Design, Performance and Management, 2nd Edition, John Wiley and Sons, 1988
[4] Ryan W. Maple, MySQL Security, http://www.linuxsecurity.com/tips/tip-24.html
[5] General Security Guidelines, http://www.mysql.com/doc/en/General_security.html
[6] SSL Usage Requirements, http://www.mysql.com/doc/en/Secure_requirements.html
[7] How to Make MySQL Secure Against Crackers, http://www.mysql.com/doc/en/Security.html
