Here are some practical examples on usages of rpm or yum for RPM based package management. A package name should be used as parameter in most examples, and it was omitted. A '?????' indicates that I have no clue on how to complete the task using rpm/yum. All comments are welcome if you know proper solution.
1. Install an RPM Package
rpm -ivh
yum install
2. Remove an RPM Package
rpm -evh
yum remove
3. Upgrade an RPM Package
rpm -Uvh
yum upgrade
4. List all installed RPM Packages
rpm -qa
yum list installed
5. List all (installed + available) RPM Packages
?????
yum list
6. Check dependencies of an RPM Package
rpm -qR
yum deplist
7. Query the information of Installed RPM Package
rpm -qi
yum info # both installed + available
8. List all files of an installed RPM package
rpm -ql
repoquery -ql # need to install yum-utils
9. Query a file that belongs which RPM Package
rpm -qf /path/to/file
yum whatprovides /path/to/file
10. Query the Information of RPM Package Before Installing
rpm -qip foo.rpm # rpm package needs to be downloaded first
yum info
11. Search for a Package
?????
yum search
12. Find out which package provides some feature or file
rpm -qf /path/to/file # for file only
yum whatprovides
13. List the package specific scriptlet
rpm -q --scripts
?????
Monday, September 9, 2013
Saturday, September 7, 2013
Manage Autostart Applications in GNOME
After login in GNOME a lot of applications can be automatically started to make life easier. System-wide autostart applications can be found in /etc/xdg/autostart and in /usr/share/gnome/autostart. Users have choices to edit a autostart application by disabling it, editing its name, command or description; additionally, users may add their own autostart applications.
Gnome provides the tool gnome-session-properties, which allows us to add, modify and remove autostart applications. Once we are done with gnome-session-properties, new entries (files) are generated and saved in directory ~/.config/autostart/.
Here is an example file skype.desktop created and saved after adding skype as a new autostart application:
[Desktop Entry]
Type=Application
Exec=/usr/bin/skype
X-GNOME-Autostart-enabled=true
Name=Skype
A new file named gnome-keyring-ssh.desktop is created (and saved in directory ~/.config/autostart) after removing the default autostart application SSH key agent. The contents in it are the same as that in file /etc/xdg/autostart/gnome-keyring-ssh.desktop, except in one line:
X-GNOME-Autostart-enabled=false
which specifies that the autostart is disabled.
Gnome provides the tool gnome-session-properties, which allows us to add, modify and remove autostart applications. Once we are done with gnome-session-properties, new entries (files) are generated and saved in directory ~/.config/autostart/.
Here is an example file skype.desktop created and saved after adding skype as a new autostart application:
[Desktop Entry]
Type=Application
Exec=/usr/bin/skype
X-GNOME-Autostart-enabled=true
Name=Skype
A new file named gnome-keyring-ssh.desktop is created (and saved in directory ~/.config/autostart) after removing the default autostart application SSH key agent. The contents in it are the same as that in file /etc/xdg/autostart/gnome-keyring-ssh.desktop, except in one line:
X-GNOME-Autostart-enabled=false
which specifies that the autostart is disabled.
Sunday, August 25, 2013
Automated Remote Backups with Rdiff-backup
One subtle feature of rdiff-backup is that it allows users to make remote backups over Internet using SSH, which makes remote backups very secure since data transferred is encrypted.
One problem is that SSH requires a password for logging, which is not convenient if we want to run rdiff-backup as a cron job. Here we show how to initiate rdiff-backups from a central backup server, and pull data from a farm of hosts to be backed up. For security reasons, the central server uses a non-root user account (rdiffbk) to perform backups, whereas root account is used on each host being backed up. Though root accounts are used on hosts being backed up, they are protected by SSH public-key authentication mechanism with forced-command-only option.
For convenience, I'll call the central backup server canine and three hosts to be backed up beagle, shepherd and terrier. For short, only works on canine and beagle will be shown.
Here is the procedure for backup server canine:
To generate RSA type pair for host beagle, we issue
ssh-keygen -t rsa -f id_beagle-backup
where private key will be saved in file id_beagle-backup and public key id_beagle-backup.pub.
Step 2: move corresponding ssh key to each host
To move id_beagle-backup.pub to host beagle, we may choose to use any preferred method (for example, ftp, sftp, or ssh-copy-id), since public key is not sensitive. Other hosts can be done similarly.
Step 3: create SSH configuration file
To define how to connect to host beagle with backup key, we place the following lines into file ~rdiffbk/.ssh/config. Other hosts need to be configured similarly.
host beagle-backup
hostname beagle
user root
identifyfile ~rdiffbk/.ssh/id_beagle-backup
protocol 2
Step 4: create a cron job file
The following cron job file automates the remote backups daily at 200am, 210am, and 220am, respectively.
0 2 * * * rdiff-backup beagle-backup::/remote_dir beagle/remote_dir
10 2 * * * rdiff-backup shepherd-backup::/remote_dir shepherd/remote_dir
20 2 * * * rdiff-backup terrier-backup::/remote_dir terrier/remote_dir
By default setting, rdiff-backup uses SSH to pipe remote data. Therefore, both SSH server and rdiff-backup are required in hosts to be backed up.
What left on host beagle and others (shepherd, terrier) is simply to give permission to canine to access it (through SSH) and run rdiff-backup. This can be done in the following two steps:
Step I: create an authorized-keys file for root account
To enable SSH public key authentication for root account, we need to create the file /root/.ssh/authorized_keys, which consists public key for user rdiffbk@canine, forced command and other options. The public key (id_beagle-backup.pub) should be available for beagle once we have done Step 2. A sample authorized_keys file is as follows:
command="rdiff-backup --server --restrict-read-only /",from="canine",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3.... rdiffbk@canine
Here, for security reason, rdiff-backup server is restricted to real only, and
we disable port-forward, X11-forward and pty options. See here for more details.
Step II: configure SSH server for root access
As we saw here, this can be done by put the following line in the SSH server configuration file (sshd_config):
PermitRootLogin forced-commands-only
One problem is that SSH requires a password for logging, which is not convenient if we want to run rdiff-backup as a cron job. Here we show how to initiate rdiff-backups from a central backup server, and pull data from a farm of hosts to be backed up. For security reasons, the central server uses a non-root user account (rdiffbk) to perform backups, whereas root account is used on each host being backed up. Though root accounts are used on hosts being backed up, they are protected by SSH public-key authentication mechanism with forced-command-only option.
For convenience, I'll call the central backup server canine and three hosts to be backed up beagle, shepherd and terrier. For short, only works on canine and beagle will be shown.
Here is the procedure for backup server canine:
- generate one passphrase-free SSH key pair for each host being backed up,
- move corresponding ssh key to each host,
- create SSH configuration file, and
- create a cron job file
To generate RSA type pair for host beagle, we issue
ssh-keygen -t rsa -f id_beagle-backup
where private key will be saved in file id_beagle-backup and public key id_beagle-backup.pub.
Step 2: move corresponding ssh key to each host
To move id_beagle-backup.pub to host beagle, we may choose to use any preferred method (for example, ftp, sftp, or ssh-copy-id), since public key is not sensitive. Other hosts can be done similarly.
Step 3: create SSH configuration file
To define how to connect to host beagle with backup key, we place the following lines into file ~rdiffbk/.ssh/config. Other hosts need to be configured similarly.
host beagle-backup
hostname beagle
user root
identifyfile ~rdiffbk/.ssh/id_beagle-backup
protocol 2
Step 4: create a cron job file
The following cron job file automates the remote backups daily at 200am, 210am, and 220am, respectively.
0 2 * * * rdiff-backup beagle-backup::/remote_dir beagle/remote_dir
10 2 * * * rdiff-backup shepherd-backup::/remote_dir shepherd/remote_dir
20 2 * * * rdiff-backup terrier-backup::/remote_dir terrier/remote_dir
By default setting, rdiff-backup uses SSH to pipe remote data. Therefore, both SSH server and rdiff-backup are required in hosts to be backed up.
What left on host beagle and others (shepherd, terrier) is simply to give permission to canine to access it (through SSH) and run rdiff-backup. This can be done in the following two steps:
Step I: create an authorized-keys file for root account
To enable SSH public key authentication for root account, we need to create the file /root/.ssh/authorized_keys, which consists public key for user rdiffbk@canine, forced command and other options. The public key (id_beagle-backup.pub) should be available for beagle once we have done Step 2. A sample authorized_keys file is as follows:
command="rdiff-backup --server --restrict-read-only /",from="canine",no-port-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3.... rdiffbk@canine
Here, for security reason, rdiff-backup server is restricted to real only, and
we disable port-forward, X11-forward and pty options. See here for more details.
Step II: configure SSH server for root access
As we saw here, this can be done by put the following line in the SSH server configuration file (sshd_config):
PermitRootLogin forced-commands-only
Thursday, August 22, 2013
Tips on Forced Command for SSH
In general, an SSH connection invokes a remote command chosen by the client. There are times that server should decide which command the client will run. The forced command enables us to achieve this goal.
There are two ways to forced command. One is through public-key authentication configuration in the file authorized_keys as we saw here. The other is thought the usage of the keyword ForceCommand in sshd_config. To restrict users run nothing but the alpine command, we put the following line in sshd_config:
ForceCommand /usr/bin/alpine
The major difference between these two are: configuration though public-key authentication applies to one user, and each user may have her/his own option; configuration through ForceCommand keyword may be system-wide, keyword Match should be used combinedly if ForceCommand should apply to certain user(s).
What if we want the user to not only execute a single command, but few fixed commands at user's choice, such as:
With environment variable SSH_ORIGINAL_COMMAND,
the following script (wrapper.sh) wraps all permitted commands:
#!/bin/sh
# Script: /usr/local/bin/wrapper.sh
case "$SSH_ORIGINAL_COMMAND" in
"ps")
ps aux
;;
"uname")
uname -a
;;
"who")
who
;;
"rdiff")
rdiff-backup --server --restrict-read-only /
;;
*)
echo "Only the following commands are available to you:"
echo "ps, uname, who and rdiff"
exit 1
;;
esac
The configuration (sshd_config) of ForceCommand with Match (user backup) is as follows:
Match User backup
ForceCommand /usr/local/bin/wrapper.sh
To show process list on ssh server, one issues:
ssh backup@server ps
where original command "ps" was passed to the wrapper script by environment variable SSH_ORIGINAL_COMMAND.
To backup directory tree /path_to_src on server to local directory /path_to_dst, one issues:
rdiff-backup --remote-schema "ssh -C %s rdiff" backup@server::/path_to_src /path_to_dst
There are two ways to forced command. One is through public-key authentication configuration in the file authorized_keys as we saw here. The other is thought the usage of the keyword ForceCommand in sshd_config. To restrict users run nothing but the alpine command, we put the following line in sshd_config:
ForceCommand /usr/bin/alpine
The major difference between these two are: configuration though public-key authentication applies to one user, and each user may have her/his own option; configuration through ForceCommand keyword may be system-wide, keyword Match should be used combinedly if ForceCommand should apply to certain user(s).
What if we want the user to not only execute a single command, but few fixed commands at user's choice, such as:
- show process list (ps aux),
- print system information (uname -a),
- show who is logged on (who), or
- start rdiff-backup server (rdiff-backup --server --restrict-read-only /)
With environment variable SSH_ORIGINAL_COMMAND,
the following script (wrapper.sh) wraps all permitted commands:
#!/bin/sh
# Script: /usr/local/bin/wrapper.sh
case "$SSH_ORIGINAL_COMMAND" in
"ps")
ps aux
;;
"uname")
uname -a
;;
"who")
who
;;
"rdiff")
rdiff-backup --server --restrict-read-only /
;;
*)
echo "Only the following commands are available to you:"
echo "ps, uname, who and rdiff"
exit 1
;;
esac
The configuration (sshd_config) of ForceCommand with Match (user backup) is as follows:
Match User backup
ForceCommand /usr/local/bin/wrapper.sh
To show process list on ssh server, one issues:
ssh backup@server ps
where original command "ps" was passed to the wrapper script by environment variable SSH_ORIGINAL_COMMAND.
To backup directory tree /path_to_src on server to local directory /path_to_dst, one issues:
rdiff-backup --remote-schema "ssh -C %s rdiff" backup@server::/path_to_src /path_to_dst
Wednesday, August 21, 2013
Root Access Control for SSH
Sshd has a separate access control mechanism for the root (superuser). The keyword PermitRootLogin specifies its usage.
The argument (option) for PermitRootLogin must be "no", "yes'', "without-password'', or ``forced-commands-only''. If this option is set to "no'', root is not allowed to log in.
If this option is set to "without-password'', password authentication is disabled for root. However, root may login in with GSSAPIAuthentication, HostbasedAuthentication or PubkeyAuthentication, if they are set properly.
If this option is set to "forced-commands-only'', root login with public key authentication is allowed, but only if the command option is specified (which may be useful for remote backup as we saw in the example of public-key-based configuration). All other authentication methods are disabled in this setting.
The argument (option) for PermitRootLogin must be "no", "yes'', "without-password'', or ``forced-commands-only''. If this option is set to "no'', root is not allowed to log in.
If this option is set to "without-password'', password authentication is disabled for root. However, root may login in with GSSAPIAuthentication, HostbasedAuthentication or PubkeyAuthentication, if they are set properly.
If this option is set to "forced-commands-only'', root login with public key authentication is allowed, but only if the command option is specified (which may be useful for remote backup as we saw in the example of public-key-based configuration). All other authentication methods are disabled in this setting.
Public-key-based Configuration for SSH server
Public key is one of the frequently used authentication methods in SSH. To set up public-key authentication for one's account on an SSH server, one creates an authentication file named authorized_keys (for OpenSSH), and lists key and options that provide access to one's account.
Each line (SSH protocol 2) in authorized_keys may contain:
command="command": Specifies that the command to be executed
from="pattern-list": Specifies the permitted client name or IP address
no-port-forwarding: Forbids TCP forwarding
no-X11-forwarding: Forbids X11 forwarding
no-pty: Prevents tty allocation
The following example file specifies that:
the command "rdiff-backup --server --restrict-read-only /" to be executed if client is from the machine named "beagle" where no port, X11 forwarding is allowed. Notice that all settings are in one line.
command="rdiff-backup --server --restrict-read-only /",from="beagle",no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3.... root@beagle
Each line (SSH protocol 2) in authorized_keys may contain:
- An (optional) set of authorization options for the key.
- A (required) key type string: ssh-dss for a DSA key, or ssh-rsa for an RSA key.
- The (required) base64-encoded public key.
- An (optional) descriptive comment.
command="command": Specifies that the command to be executed
from="pattern-list": Specifies the permitted client name or IP address
no-port-forwarding: Forbids TCP forwarding
no-X11-forwarding: Forbids X11 forwarding
no-pty: Prevents tty allocation
The following example file specifies that:
the command "rdiff-backup --server --restrict-read-only /" to be executed if client is from the machine named "beagle" where no port, X11 forwarding is allowed. Notice that all settings are in one line.
command="rdiff-backup --server --restrict-read-only /",from="beagle",no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3.... root@beagle
Saturday, August 17, 2013
Tips on SSH Client Configuration
OpenSSH client ssh obtains configuration data from sources in the following order:
Here are some frequently used parameters:
Each configuration file contains sections separated by host specifications that applies to all matching hosts specified by the Host parameter. The host is the hostname argument given on the command line.
Hostname: Specifies the real host name to log into.
IdentityFile: Specifies a file from which the user's public key authentication identity is read.
Port: Specifies the port number to connect on the remote host (if it is not 22).
User: Specifies the user to log in as.
Here is an example configuration file (~/.ssh/config) for remote machine robert.some.net:
host bob
hostname robert.some.net
identityfile /somepath/.ssh/id_rsa_bob
port 2222
user root
With the above configuration file, once we issue:
ssh bob
which is equivalent to
ssh -i /somepath/.ssh/id_rsa_bob -p 2222 root@robert.some.net
- command-line options,
- user's configuration file (~/.ssh/config),
- system-wide configuration file (/etc/ssh/ssh_config)
For each parameter, the first obtained value will be used.
Here are some frequently used parameters:
Each configuration file contains sections separated by host specifications that applies to all matching hosts specified by the Host parameter. The host is the hostname argument given on the command line.
Hostname: Specifies the real host name to log into.
IdentityFile: Specifies a file from which the user's public key authentication identity is read.
Port: Specifies the port number to connect on the remote host (if it is not 22).
User: Specifies the user to log in as.
Here is an example configuration file (~/.ssh/config) for remote machine robert.some.net:
host bob
hostname robert.some.net
identityfile /somepath/.ssh/id_rsa_bob
port 2222
user root
With the above configuration file, once we issue:
ssh bob
which is equivalent to
ssh -i /somepath/.ssh/id_rsa_bob -p 2222 root@robert.some.net
Subscribe to:
Posts (Atom)