Selected info on administering an HP-UX system. This is taken from a document that described the administration of acad1 when it was running HP-UX version 10.10. Some of the items use home-grown scripts. ------------------------------------------------------------------------------ Items to do daily: Put in the backup tape for the next day's automated backup. tail -200 /var/mail/root | pg -- check root's mail bdf -i -- check on disk space who -T -- watch for users who failed to log out w -- check processes for anything unusual ------------------------------------------------------------------------------ Items to do weekly: If possible, shut down the mini and modems, then restart. It will run better. ------------------------------------------------------------------------------ Items to do monthly: Copy log files (especially /var/adm/syslog/mail.log) to /u2/sav and then zero the file. These log files cannot be left to grow indefinitely. One way to get a 0-byte file is: cp /dev/null mail.log ------------------------------------------------------------------------------ Items to do once per semester: Use the archive script to copy files for old accounts and then use userdel to remove the accounts. I would suggest leaving accounts in place for recent graduates for a month or two to allow them time to find their own ISP. Perhaps a message should be posted about this in the labs and/or in /etc/motd. Note that some Spring graduates return in the Fall to finish their education requirements or similar. ------------------------------------------------------------------------------ Finding info: man -- manual information on item (manual 1) man -- manual n info on item (where n > 1) man - > -- manual info redirected into text file f whereis -- find where program is located find -name -- find locations of files named f in dir (or subdirs) uname -a -- get system id number, OS version number, etc. ------------------------------------------------------------------------------ Accounts and passwords: passwd -- for a user to change his password password -- change a user's password (renamed passwd program) userdel -r -- delete a user account (including home directory) Before deleting an account, copy the user's files to /u2/sav/oldusers and copy the user's mail, if any, to /u2/sav/oldmail. That way you can easily put it back if need be. Eventually, the files in /u2/sav can be put on tape and the /u2/sav directory cleaned out. There is an archive script in /users/ic/hpmini/scripts to do this: ./archive To create accounts, do the following. Note that you must have in the directory named below a file called student-data containing data on validly registered students. su root cd /users/ic/hpmini/admin ./test-cid -- will assist in creating a file of new ids and fullnames ./acs -- account creation script ./print-id -- makes text file print.output of ids and passwords just ftp it to a PC and print onto cards rm print.output To adjust the passwd file: vipw -- edits the password file (with appropriate file locks) useful if you need to edit someone's fullname To put someone in a group: vi /etc/group When an account is created, the user is placed in the group users. Use the above to add a user to another group. To change to another group: For example, to change temporarily from the users group to the admin group: newgrp - admin To change back to the users group: newgrp - users Default profile: /etc/profile -- default profile for all users, executed at login time ------------------------------------------------------------------------------ Things to check: Check the following daily: who -HT Look for users who have been logged in for hours. Then check if they have been idle for hours: finger If so, kill off their csh to log them out. Read root's mail often, daily if possible. For example, to look at the most recent stuff use something like: tail -120 /var/mail/root | pg bdf -i -- check on disk space and inodes du -- another report on disk space (recursive) du -s * -- same, but only shows info on stuff in current dir Check especially on disk space in /tmp, /users, and /var (where mail is). Other things to check: top -- check what processes are using a lot of CPU time w -- check processes ps -aef | pg -- check processes ps -aef | grep -- check processes for user who -T -- info on who is logged on /etc/whodo -- check on who's doing what last -R -n -- list the last n users logged in (-R adds IP address) lastb -R -n -- list the last n bad login attempts pg /var/adm/sulog -- see who has tried to use su pg /var/adm/messages -- see system messages Also look for trouble in /var/adm/syslog/* For example, the mail.log file contains a record of sendmail transactions. The logging of system messages is handled by the syslogd daemon. It's configuration file is /etc/syslog.conf. Look for more info with: man syslogd If logging stops, use the following to force syslogd to re-read its config: kill -HUP `cat /var/run/syslog.pid` To find setuid files (a common security problem): find / -perm -4000 -user root > out Once in a while it is good to run fsck to check out the integrity of the file systems. The file systems have to be unmounted, usually by going to single-user mode using sam. Then run: fsck If a file system is dirty, fsck will be run on it when the machine is booted. ------------------------------------------------------------------------------ Accessing a user's account: su root You can then cd to any user's directory to work on files, etc. However, you have the privileges, path, and environment of root. To get closer to what the user sees, do the following as root: su You are then logged in as that user. However, you have root's environment. To get even closer to what the user actually sees, you can have the user's environment if you use: su - ------------------------------------------------------------------------------ Email and other types of messages: mesg n -- prohibit incoming write messages elm -- our usual mailer mail -- a primitive mailer man sendmail -- to find out about sendmail, the low-level mail program Common elm problems: The user fails to log out properly, so when the person tries to use elm again, it says that "another elm is already reading this mail". First find the pid (process id) for the user's csh: ps -aef | grep The pid is in the first numerical column. Be sure to get the line for the csh entry. If this user has more than once, then the person is logged in more than once. Pick the oldest one. You can tell which is oldest with: who | grep Kill the user's login with: kill -KILL or kill -s kill The message "another elm is already reading this mail" or other elm error messages may appear if the temporary copy of the mail queue did not get removed. Either the user or root can remove it as follows. First, make sure that /tmp contains this file. ls -l /tmp | grep The file should have the name mbox. rm mbox. Aliases in elm: The script /users/ic/hpmini/util/ElmCopy can be used to copy aliases to .elm directories of multiple users. Be forewarned that it will overwrite existing alias files. ElmCopy is useful if someone wants a group of users to be able to send email to everyone in the group. Just create a group alias by using elm, say in a guest account, and entering multiple userids to go with the alias. Then use ElmCopy to copy them to the appropriate user's accounts. Aliases can be regenerated as long as you have the aliases.text file in the user's .elm directory. The elmalias command should generate new aliases.data and aliases.hash files. Or, use the script /usr/local/bin/fixalias. If a user already has aliases and you need to add some group aliases for a class, you can append the new stuff to the users's existing aliases.text file found in the person's .elm directory. If the new text file is new.text use: cat new.text >> aliases.text Edit aliases.text if need be, to make any changes. Then, log in as the user: su - and use the elmalias command to regenerate the person's aliases (with the new ones added). Sendmail configuration: This is set up in /etc/mail/sendmail.cf and by the command-line for the sendmail daemon. Currently the latter is: sendmail -bd -q30m This is set up by /sbin/inet.d/sendmail and is not supposed to be changed. This indicates that the mail queue is retried every 30 minutes to see if these message can now be sent. Our sendmail.cf is set up to keep mail in the queue for up to 1 day. Cautious changes to sendmail.cf can be tried. To see what is in the queue, use: mailq mailstats -- shows statistics on email praliases -- shows system-wide email aliases ------------------------------------------------------------------------------ Shutting things down: Should you want to shut down SPSS, do the following 2 lines: cd /apps/SPSS6 ./shutdown-spss (to shut down SPSS) kill -KILL -- sure kill of process with given id (use ps -aef to get) To shut down the mini, log into the console as root. Enter sam to start HP's menu-driven system admin program. Under routine tasks you should find shutdown. It will tell you when it is safe to shut off the system. Note that shutting the system down (along with the modems) every few weeks is useful in that it allows things to be reset, clears out zombie processes, and so on. This has helped to clear up email problems in the past. Note that you can check what the current run level is by using: who -r You can check the time of the last reboot with: who -b ------------------------------------------------------------------------------ Starting things up: If the mini has been off, either because you shut it down or due to a power failure, simply turn the power back on. It should start itself. The only thing that currently must be manually restart is SPSS, which is done as follows: cd /apps/SPSS6 ./start-spss (to start SPSS) To check the status of the spss license manager do this: cd /apps/SPSS6 ./check-spss ------------------------------------------------------------------------------ Network-related: /etc/ping -- ping another machine to see if can get message back 199.234.125.253 gateway 199.234.124.1 Sun (DNS) 199.234.125.19 acad1 netstat -rs -- check network routing status netstat -s -- check network protocols /etc/ifconfig lan0 -- check network status /usr/sbin/lanadmin -- check status of (or reset) the LAN card ------------------------------------------------------------------------------ Permissions and access control lists: Permissions are r (read), w (write), and x (execute). For a directory, the x permission means searchable. Permissions are listed first for the owner, then the group, then for others. For example, -rwxr-x--- would mean that the owner has rwx permission, those in the group that this file is listed under would have r and x permission, others would have no permission. ls -l -- shows the permissions on this file To change the permissions on a file, use chmod. Since there are a lot of details to this, use the following for info: man chmod It is possible to recursively set permissions for a whole directory subtree. For example: chmod -R ug+r,o-r,a+X would go through the whole subtree starting at path and make all regular files to be readable by the user (owner) and group, but not readable by others. In addition, all executables and directories are given the x permission. lsacl -l -- shows access control list info for file or directory chacl -z -- remove added access control permissions from file chacl -r '' -- remove all permissions from file man 5 acl -- for more info on access control lists Access control lists are used, for example, in the scripts cs270hw and stats-hw. Both of these are found in /usr/local/bin, the typical home for scripts that you add for your users to use. ------------------------------------------------------------------------------ Printing: lpstat -t -- check status of printers cancel -u -a -- cancel user's print job(s) lpadmin enable -- enable a given printer disable ------------------------------------------------------------------------------ Finger: finger -- get info on user /users/ic/usr/bin/chfn change finger entry - beware of extra commas in passwd ------------------------------------------------------------------------------ Patches and HP support: Check the HP Web site http://us.external.hp.com for info on patches, many of which fix security flaws. These patches can be downloaded over the Internet. The swinstall program is typically used to install these. See the software installation section below for how to use swinstall. Look in /usr/adm/sw/patch for more info. Other HP Web addresses include: http://www.hp.com http://us-support.external.hp.com Also of interest: ftp://info.cert.org/pub/vendors/hp ------------------------------------------------------------------------------ Directory management: rm -R -- remove a directory cp -R -- copy directory to ------------------------------------------------------------------------------ Recover file(s) from tape: To recover a file from tape, su to root and use something like the following, which recovers to the current directory. Normally, then, you would first cd to the appropriate directory. frecover -x -F -i /var/mail/smithj This example recovers smithj's mail queue. If there is an existing mail queue, mv it elsewhere first, then append it to the recovered file. For example: cd /var/mail mv smithj smithj.save frecover -x -F -i /var/mail/smithj cat smithj.save >> smithj rm smithj.save To recover a directory of files, say /users/smith, to the SAME directory (and subdirectories) use: frecover -x -i /users/smith To recover the same directory of files to the current directory (with any files from subdirectories also going to the current directory) use: frecover -x -F -i /users/smith ------------------------------------------------------------------------------ Disk space management: Use bdf to watch disk space. Things will start to go wrong when a file system approaches 100% usage. (Note that the cdrom registers as 100% normally.) Note that /tmp is cleaned out at night (see crontab for root). You can use find to remove common junk files: To remove dead.letter files: find /users -name dead.letter -exec rm {} \; To remove core dumps (dangerous since someone may have named a file core): find /users -name core -exec rm {} \; To remove both: find /users \( -name dead.letter -o -name core \) -exec rm {} \; Watch user's mail queues in /var/mail as they can grow quickly. Currently there is a crontab process that checks for mail queues over 1 MB in size every weekend. A message is mailed to the offending user and the system administrators are notified. If need be, move a user's large mail queue to some place with more room, like /u2, and then ftp it to a floppy disk or two. Watch that the size of /users doesn't get too big. If need be, write a script to delete backup files from user's directories. Such backup files typically end in ~ or .bak or have # characters at the front and end. Also remove core dumps from user directories (filename core). Note that the following files grow a lot and must be cleared to 0 byte files once in a while: btmp (used by last) and wtmp in /var/adm, as well as mail.log in /var/admin/syslog. Do not just remove them, check the info for evidence of hackers and problems, then move them to tape, and put files of size 0 in their place. (If you remove the files, then the logging stops.) Make sure permissions are OK on wtmp as finger uses this file. Also, wtmp does NOT like a leading newline, so make sure to use something like the following to create a 0-byte file: echo '\c' > wtmp or cp /dev/null wtmp Another file that may need to be trimmed down to size is /var/adm/messages. Do not simply remove the file, the file must exist, even if it's a 0-byte file. Only root should be able to read it. ------------------------------------------------------------------------------ Crontab entries: The cron runs these entries automatically at the times you schedule. Only authorized users have access to this. crontab -l -- list your cron entries crontab -e -- edit your cron entries (using vi) ------------------------------------------------------------------------------ Automated backup and other crontab entries for root: Some of the current crontab entries for root: 5,15,25,35,45,55 0,1,2,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23 * * * /usr/sbin/dmesg - >> /var/adm/messages 15 4 * * 0,6 /users/ic/hpmini/scripts/deltmp 20 3 * * 1-5 /usr/sam/lbin/br_backup DAT FULL Y /dev/rmt/0m /etc/sam/br/graphVBAa25787 root Y 1 N > /var/tmp/SAM_br_msgs 2>&1 #sambackup The first entry puts any system messages in /var/adm/messages. The second entry cleans out /tmp on Sat and Sun. The third is the scheduled tape backup at 3:20 am, Mon - Fri. (set up by sam) Check /var/mail/root for a report on each night's backup and other system events. Backups: The nightly backup (shown above) handles /users, /etc, /usr, and /var. These are the file systems that change most often. Near the mini is a tape with a backup of everything NOT on this nightly backup. This backup was made using sam. Note that sam should be run from the console as root. Select an interactive backup for one that you want to run immediately. Select a scheduled backup for one that you want to have run periodically at a set time. Note that u1 and u2 are convenient places to put old users' directories when their accounts are going to be removed -- just in case you end up having to put the files back. This is also a good place for old mail for deleted users or current users whose mail queues have gotten too large. You can also put old log files here, such as those in /var/adm, when they get to be too large. ------------------------------------------------------------------------------ Software installation: HP software seems to be installed using the swinstall program. Since it has well-known security flaws that can allow users to gain root privileges, it has been disabled. To install software, you should have no users on the system. Pick a quiet time, then run the following as root. The first disables logins by anyone except root. The second re-enables swinstall. cd /users/ic/hpmini/scripts ./disablelogins ./swenable Then run swinstall with any arguments needed and as described in your installation instructions. When finished, disable swinstall and then re-enable logins as follows: cd /users/ic/hpmini/scripts ./swdisable ./enablelogins ------------------------------------------------------------------------------ SPSS: This is currently installed in /apps/SPSS6. For info on starting and shutting down SPSS, see the sections above on "starting things up" and "shutting things down". ------------------------------------------------------------------------------ CD-ROM: To unmount the cdrom, do the following as root: umount /cdrom To mount a cd, do the following as root: mount /dev/dsk/c1t2d0 /cdrom To install lrom, the cdrom-based HP documentation, do the following as root: Run the indicated SETUP script to extract from the tar file. In /users/ic/hpmini/scripts, run swenable: ./swenable Go to the lrom directory, and run swinstall (with no arguments it will run assuming you have an ordinary terminal, not X Windows). In /users/ic/hpmini/scripts, run swdisable: ./swdisable ------------------------------------------------------------------------------ Documentation under lrom: With the documentation CD mounted, give the lrom command to view the documentation. Some of the more useful items might be: Configuring HP-UX for Peripherals (includes modems, printers, etc) HP-UX 10.0 File System Layout HP-UX 10.0 Memory Management HP-UX 10.0 Process Management HP-UX System Administration Tasks Mail Systems: User's Guide (includes elm) Shells: User's Guide (we have a paper copy too) Using the X Window System ------------------------------------------------------------------------------ Quotas: To learn how to deal with quotas (for disk space and number of files) use: man 5 quota To check a user's quota use: quota -v To change a user's quota use: edquota ------------------------------------------------------------------------------ FORTRAN compiler and numerical library: f77 -- invokes the compiler via a script in /usr/local/bin includes nms library, provides output filename of the form filename.x em -- start the emacs editor on a FORTRAN source file press F4 to compile, just fill in source file name and press ENTER Numerical subroutine library, archived version, was created using: cd /users/ic/hpmini/fortran /opt/fortran/bin/f77 -c *.f -- compile all .f files to object code files buildlib -- a script to created libnms.a The libnms.a file was placed in /opt/fortran/lib. The manual command to create a library would be something like the following, but it doesn't get the .o files into the correct order. If a routine in file A called a routine in file B, then file A must precede file B. See fortran.readme for info on ordering. ar r libnms.a *.o -- put all .o files into nms library To try creating a shared library instead, use: /opt/fortran/bin/f77 -c +z *.f ld -b -o libnms.sl *.o -- put all .o files into the nms shared library The libnms.sl library would be placed into a location such as /usr/lib. There are some test programs for FORTRAN in /users/ic/hpmini/fortran/test. ------------------------------------------------------------------------------ Other utilities: Most of the following utility programs can be found in /users/ic/hpmini/util. That directory contains many more as well, including some that simply show how to write a loop in a script, etc. file -- to find out what type of files these are isacii -- is this file (or files) ascii or binary? dosnames -- convert between UNIX and DOS filenames (suggested usage: dosnames * for whole directory -- will rename your UNIX files) ids -- shows login ids starting with letter(s) ------------------------------------------------------------------------------ Running programs: Just enter the name of the program or shell script. Currently user's paths are set up to contain the current directory as well as typical locations like /usr/bin. To see your path use: echo $PATH (output may not all fit on the line) or showpath (a script that can be found in /users/ic/hpmini/util ) If logged in as root you can run any program in root's path by the above method. Note that root's path normally does not contain the current directory (as that is considered to be too dangerous for root), so to run a program in the current directory, say pgm, use: ./pgm Put an & at the end of the commandline to try to run something in the background. Items that need keyboard input or output to the screen probably cannot be run in the background. ------------------------------------------------------------------------------ Logical volume manager, disk drives: To see what hard drives you have, use: iostat -nfC disk The lvm software is used for managing logical volumes (virtual disks) on the hard drives. Be wary of making changes as it could mess up a lot of stuff fast. For info on it, use: man lvm To see info on a logical volume use something like this example: lvdisplay /dev/vg00/lvol1 To see what logical volumes there are use something like: ls /dev/vg00/lvol* To see info on a physical volume use something like this example: pvdisplay /dev/dsk/c1t0d0 To see what physical volumes there are use something like: ls /dev/dsk To see volume group info use: vgdisplay ------------------------------------------------------------------------------ Compressed and archived files: A file such as sample.tar.gzip is a tar achive of a program where the tar archive was then compressed with gzip. To uncompress and un-tar it use: gzip -d < sample.tar.gzip | tar -xvf - If compress was used to compress the tar archive, the file might be called sample.tar.Z and can be uncompressed and un-tared with: compress -d < sample.tar.Z | tar -xvf - All 3 programs (compress, gzip, and tar) are on acad1. Use whereis to find the location of the program . ------------------------------------------------------------------------------