Questions and Answers
Bjorn Satdeva
The first book dedicated to firewall configuration is now available. It is Firewalls and Internet Security by William R. Cheswick and Steven M. Bellovin, and is published by Addison-Wesley in the Professional Computing Series. The book is generally well written and gives many good tips on setting up and maintaining a firewall, though practical examples are relatively sparse. If you are responsible for a firewall, this book will be a good investment.
USENIX is sponsoring a symposium on high-speed networking, August 1-3, 1994, at Berkeley. Judging from the preliminary program, the symposium appears to be aimed at the people developing the next generation of networks, but if your site is moving in that direction, it might be worth checking out. What looks most interesting to me are the two keynote talks, to be given by Craig Partridge and Van Jacobson.
I have received many requests for more information about SAGE. Unfortunately, there is not much good news to report, as many of the SAGE working groups have become inactive. While this may be in part because many system administrators are very busy, it has in my opinion largely been brought on by the SAGE board itself. There appears to have been very little real support from the board, and of the two working groups who did complete the tasks set forth in their charters, the SAGE-Locals working group's proposal has been completely ignored, while the result produced by the SAGE Job Description working group was barely passed by the board on a four-to-three vote. The unfortunate fact is that most of the successful activities SAGE is associated with have been undertaken by individual members, often in spite of the action of the board. If you think I am wrong, please get in touch with me, as I would be glad to learn that my interpretation is all wrong. Enough said -- let's get on to more useful matters.
I have received several requests for information about where to get the proceedings from the LISA and SANS conferences. All LISA proceedings, as well as the SANS III proceedings, are available from the USENIX conference office:

USENIX Conference Office
22672 Lambert Street, Suite 613
El Toro, CA 92630 USA
(714) 588-8649; FAX: (714) 588-9706
E-mail: conference@usenix.org
LISA is the USENIX System Administration Conference (formerly known as the Large Installation System Administration Conference), and SANS is the System Administration, Networking and Security Conference. If you have not checked out these proceedings, I suggest you do so at your first opportunity. They contain much information that can be applied to your daily work.
And now to the questions for this issue:
Excuse me if this is a stupid question: What is the difference between downsizing and rightsizing?
There are no stupid questions. If one person is asking about a topic, there will be plenty of others who have wondered about the same thing, but who have not dared to ask, because it could be a "stupid question." In this case, there is no difference at all. The "rightsizing" phrase was thought up by some UNIX vendor's marketing people, because they thought that the "down" in "downsizing" had a negative influence on their product. Go figure.
I have followed your advice from the January issue and have installed the Firewall Toolkit from tis.com on our gateway. However, many of our users want to be able to use xmosaic, and there is no proxy server included for this. What can be done?
The Firewall Toolkit does not support any proxies for xmosaic and lynx, or any of the similar clients, because the people at TIS do not think it can be done in a secure manner. However, in the real world, we are faced with users who demand tools such as Mosaic, and we will therefore often be forced to support them, even though it is not advisable from a security standpoint. One possible solution is to use the WWW server httpd from info.cern.ch configured as a proxy server.
I need to make changes to our e-mail configuration, and wondered if I should try to learn sendmail, or if it would be better to switch to smail3.
As your question did not include any site-specific information, it's difficult to give a specific answer. However, if you are mainly a UUCP site, smail3 might work very well for you, as smail integrates better with UUCP than does sendmail. At a larger site, or a site which has a direct Internet connection, you are probably much better off learning to work with sendmail. I recommend that you get Bryan Costales' book, sendmail, from O'Reilly and Associates, if you have not already done so. The book gives a very thorough introduction to sendmail, and if you are using the latest version (currently sendmail 8.6.9, available from ftp.cs.berkeley.edu in the ucb/sendmail directory), you can take advantage of the m4 configuration Eric Allman has put together for people who do not want to delve too deeply into the sendmail.cf file.
I need to establish some kind of inexpensive call-back facility for our modem lines. Do you know of any software which does this?
No freely distributable software exists, to my knowledge. If you are setting up a new facility, you can purchase modems with the call-back feature built in. Another alternative is the ct command, if your version of UNIX supports a working one (several vendors ship the ct command without testing it). The ct command is kind of a marriage between cu/tip and getty, allowing you to dial out to a remote modem, and then spawn a getty when you get the connection. If neither dial-back modems nor the ct command are available, then a last resort could be to get the sources for tip and getty from the BSD Net2 or 4.4-lite distributions, and use them to hack your own ct-like command.
I understand that it is important to monitor my system, but what should I be looking for?
Some of the most important things to look for include how busy the disks are (shown by the iostat command), whether or not the system is swapping (shown by the vmstat command), and, overall, what kind of processes are running on the machine (shown by the ps command, or top if you have it). In addition, if the System V accounting package is available, I encourage you to use it to get overall statistics on system usage. The goal here is to develop an understanding of how the system works and where the possible bottlenecks are. If you know how your system behaves normally, it is much easier to locate the source of trouble when the system does not perform as expected.

Other things to look out for include, of course, disks filling up (use df) and network congestion (use netstat). In addition, you should read the various log files generated by the system every day. While it can be very boring to sift through thousands of lines of logging information, of which much is useful only as input for statistical programs, you must do this to look for critical messages, such as a disk drive starting to fail, or a program running out of critical resources. Way too often, I come out to a new client, where a system has "suddenly" started to fail, only to find a long trail of warning messages from the system which have been ignored because nobody has read the logs. Doing all of this is part of pro-active system administration, which will help you avoid getting into situations where you have to fight fires.
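As an added example of the daily checking described in this answer (my own script, not code from the column), the Bourne shell functions below pull the critical lines out of a log excerpt and report filesystems that are filling up from df output. The log lines and df table are constructed sample data, and the message patterns are assumptions about what a failing disk or an exhausted resource logs on a particular system.

```shell
#!/bin/sh
# Added example: a small daily check in the spirit of pro-active
# administration. Scans a log excerpt for disk-failure and resource-
# exhaustion warnings and checks "df -k" style output for filesystems
# above a fill threshold. All input below is constructed sample data.

# Constructed sample log lines (what /var/adm/messages might contain).
SAMPLE_LOG='Jun  3 02:11:04 host unix: sd0: disk error: sense key 0x3 (media error)
Jun  3 02:11:05 host unix: sd0: retrying block 183562
Jun  3 03:00:01 host cron: (root) CMD (/usr/lib/sa/sa1)
Jun  3 04:17:22 host sendmail[233]: NOQUEUE: SYSERR: can not fork: No more processes
Jun  3 05:00:00 host named[101]: reloading nameserver'

# Constructed sample "df -k" output: filesystem, kbytes, used, avail,
# capacity, mount point.
SAMPLE_DF='Filesystem  kbytes   used   avail  capacity  Mounted on
/dev/sd0a    30000  21000    9000       70%  /
/dev/sd0g   400000 388000   12000       97%  /usr
/dev/sd0h   900000 100000  800000       11%  /home'

# Print the log lines that look like hardware or resource trouble.
# The patterns are assumed examples; extend them for your own system.
# Exit status is 0 if anything matched, 1 otherwise, so the function
# can drive a mail notification or a cron job's exit code.
critical_messages() {
    printf '%s\n' "$1" | grep -i -E \
        'disk error|media error|i/o error|retrying block|no more processes|file table full|out of (memory|swap)'
}

# Print the mount points whose capacity is at or above the threshold
# (second argument, default 90 percent). The header line is skipped.
full_filesystems() {
    threshold=${2:-90}
    printf '%s\n' "$1" | awk -v t="$threshold" \
        'NR > 1 { pct = $5; sub(/%/, "", pct); if (pct + 0 >= t) print $6 }'
}

# Number of critical lines, handy for a one-line daily summary.
critical_count() {
    critical_messages "$1" | wc -l | tr -d ' '
}

# On a real system the same functions would be fed live data, e.g.:
#   critical_messages "$(cat /var/adm/messages)"
#   full_filesystems "$(df -k)" 85
```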
I suppose (by your definition in the Nov/Dec 1993 issue of Sys Admin), I'm a Novice System Administrator. Well, I won't bore you with the details, except to tell you that I use an RS6000 running AIX 3.2.3 which has a 150Mb tape drive (IBM model 7207). My question is this: I want to make backup copies of tapes (I suppose it's the equivalent of DOS's diskcopy command) -- will the command

cpio -i < /dev/rst0 | cpio -o > /dev/rst0

work?

Also, in your column in the same issue, you use the acronym SAGE. What does this stand for? (I can figure out the "Systems Administrator" part.)
Your cpio pipe will not work for you, as the first part will restore the content of the tape to disk, and the second part will attempt to write an End-Of-Tape, effectively erasing the tape. You can do one of two things: if you have plenty of disk space, you can restore the tape in an otherwise empty partition, and then back it up again. This is the safest way of doing it, but also the most cumbersome. An alternative, which will require two tape drives, is to use dd something like this (you will need to specify the correct blocking factor):

dd if=/dev/rst0 of=/dev/rst1 bs=$BLOCKFACTOR

However, this method will only work if both tapes are perfect (and you will not necessarily learn about problems until you want to restore the tape). To be able to do something like the MS-DOS diskcopy command, you would have to switch the tapes between each read and write operation, which will not work well with a streaming tape device, and for 150 Mb, could take hours.
As for your question about the SAGE acronym, we did it backwards in the working group that developed the original proposal for the SAGE organization. Several members really liked the name SAGE, and we spent a lot of time trying to find something the acronym would fit. We finally came up with System Administrators Guild, but that left the "E" unaccounted for. My proposal was that the "E" in SAGE is the "E" that Dennis Ritchie left off in the creat system call so many years ago. In an interview some years back, he was asked if there were anything he would do differently if he were to implement UNIX all over again, and he replied that he would not leave the "e" off in the create system call. Well, we have not been able to fix the creat, but we have at least balanced it, by adding an "E" to SAGE (and who would like the organization to be called SAG?).
I want to keep better track of how I use my time in administrating our systems. Is there any software which can do this?
If you're looking for something more or less automatic, I think the answer is no. However, you might check out timecard, from ftp.cs.colorado.edu. It is a perl script which allows you to keep track of the time used on various projects.
About the Author

Bjorn Satdeva is the president of /sys/admin, inc., a consulting firm which specializes in large installation system administration. Bjorn is also co-founder and former president of Bay-LISA, a San Francisco Bay Area user's group for system administrators of large sites. Bjorn can be contacted at /sys/admin, inc., 2787 Moorpark Ave., San Jose, CA 95128; electronically at bjorn@sysadmin.com; or by phone at (408) 241-3111.