Linux Admin
syslog
- Linux uses syslog standard for msg logging
- This allows programs & applications to generate msgs that can be captured, processed & stored by a system logger
- It eliminates the need for every app to implement a logging mechanism
- logging can be configured & controlled in a central location
- syslog standard uses facilities & severities to categorise msgs
- Each msg is labelled with a facility code & a severity level
- Facilities are used to indicate what type of program or what part of the system the msg originated from. Ex: a msg with the 'kern' facility originates from the kernel. You can use the 'local' facility for your own custom apps
- The severities are from 'Emergency(0)' to 'Debug(7)'
- A syslog server accepts syslog msgs & processes those msgs based on a set of config rules
- Traditionally 'syslogd' daemon filled this role
- Now alternatives are 'rsyslog' & 'syslog-ng'
- The main config file for rsyslog is /etc/rsyslog.conf
- Logging rules consist of 2 fields
- selector field: it lists the facilities & severities of msgs to include in the rule
- Action field: it determines what will happen to msgs matched by selector field. The common action is to write msgs to a log file
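How a selector field picks msgs by facility and severity, as an added example (not code from the original notes and not rsyslog's own implementation). It handles only a subset of selector syntax (`fac.sev`, comma lists, `*`, `none`, `;`-joined parts); the rules and log paths are constructed samples.

```python
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def decode_pri(pri):
    """Split the PRI value of a syslog msg into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)  # PRI = facility * 8 + severity


def selector_matches(selector, facility, severity):
    """True if the numeric (facility, severity) is selected by the selector."""
    # Simplification: the last ';' part that names the facility decides.
    matched = False
    for part in selector.split(";"):
        facs, _, level = part.strip().partition(".")
        names = [n.strip() for n in facs.split(",")]
        if "*" not in names and facility not in [FACILITIES[n] for n in names]:
            continue
        if level == "none":
            matched = False
        elif level == "*":
            matched = True
        else:
            # 'mail.info' selects info and everything more severe (lower code).
            matched = severity <= SEVERITIES[level]
    return matched


def route(rules, pri):
    """Return the action field of every rule whose selector matches the msg."""
    facility, severity = decode_pri(pri)
    return [action for selector, action in rules
            if selector_matches(selector, facility, severity)]


# Constructed sample rules: (selector field, action field). Paths are examples.
RULES = [
    ("*.info;mail.none;authpriv.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "/var/log/maillog"),
    ("local0.err", "/var/log/myapp-errors.log"),
]
```

A msg sent with `logger -p mail.info` carries PRI 22, so `route(RULES, 22)` returns only the mail log: the `mail.none` part keeps it out of the catch-all file.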
Caching vs non-caching
- In caching mode, rsyslog doesn't perform a sync operation for each log msg.
- So a msg might be lost if the system crashes immediately after a write attempt
- You see a performance improvement in caching mode
- The default config that ships with Linux distributions will have a mix of caching & non-caching rules, with less critical msgs using caching
- Use 'logger' to generate syslog msgs
- logger [options] message
- -p FACILITY.SEVERITY
- -t tag
- logger -p mail.info -t mailtest "Test."
- sudo tail -1 /var/log/mail.log
- Use 'logrotate' tool to rotate, compress, remove & mail log files
- The logrotate config file is at /etc/logrotate.conf
- 'weekly' keyword ensures that log files will be rotated every week
- 'rotate 4' tells to keep 4 weeks worth of logs and remove logs older than this.
- 'create' makes sure that a new empty log file is created after it is rotated
- if you make changes to logrotate config, use 'logrotate -fv /etc/logrotate.conf' to test it
Linux Boot Process
- The Linux kernel, initrd & other files needed to boot OS are stored in /boot.
- The kernel is typically named "vmlinux" or "vmlinuz"
- If the kernel is compressed, its name ends in 'z'
- Kernel Ring Buffer contains messages from the Linux Kernel
- A ring buffer is a data structure that is always the same size. Once the buffer is full, old msgs are discarded
- Use dmesg command to see the contents of ring buffer
- these msgs are also stored on disk in /var/log/dmesg file
- It determines what processes and services to start
- traditionally run levels were controlled by init program
- The init config stored in /etc/inittab & you could change default run level by editing this file
- init alternatives like systemd & upstart are taking the place of init
- instead of run levels, systemd has targets, which are similar to run levels
- systemctl set-default graphical.target (new way)
- telinit 5 (old init way to switch to GUI)
- systemctl isolate graphical.target (new way)
- telinit 6 or systemctl isolate reboot.target
- primary purpose of bootloader is to start OS
- If there are multiple OSes installed, you can tell the bootloader which OS to run
- GRUB (Grand Unified Bootloader)
- Typically GRUB bootloader will be used
- LILO(Linux Loader)
- Older Linux systems may still use LILO boot loader
- Partitioning a disk allows you to allocate different sections of the disk for different purposes
- Ex partitioning schemes: 4 partitions: 1) for OS data, 2) application data, 3) user data, 4) dedicated to swap space
- Ex: 2 partitions: 1) OS 2) user home dirs
MBR (Master Boot Record)
- It's a boot sector at the beginning of storage device
- The partition table that resides in MBR contains info on how the logical partitions are organised on the disk
- partition table in MBR can only address storage space up to 2 TB
- The MBR partitioning scheme allows up to 4 primary partitions
- To create more than 4 partitions, use an extended partition
- Extended partition is a special kind of primary partition that is used as a container for other partitions
- Extended partition allows you to create an unlimited number of logical partitions
- It's a simple dir used to access data on partition
- At least one partition will be mounted on the '/' mount point
- Any additional partitions will be mounted on mount points below / in the directory tree.
- Ex. user home partition mounted at /home. The files under /home reside in that partition
- You can mount partition over existing data.
- Ex. if files are created in /home before /home is mounted, those files will not be accessible until you unmount it
- mount /dev/sdb2 /home
- umount /home
- used to create & modify partitions on a disk
- alternatives are gdisk & parted
- latest version of fdisk supports GPT
- fdisk /path/to/device
- fdisk -l -> display list of devices
- Ex: a server may have 3 disks 1) /dev/sda 2) /dev/sdb 3) /dev/sdc
- 1st disk /dev/sda can be partitioned in to two 1) /dev/sda1 2) /dev/sda2
- To create MBR partition table "fdisk /dev/sdb"
- ex. create 3 partitions 1) 1GB swap 2) 20GB partition 3) remaining space
- the default partition type created by fdisk is 'Linux'
- Other partition types are 'Linux swap', 'Linux extended', 'NTFS', 'Linux LVM' and many others
- Before a partition can be used by a Linux system, it needs a file system
- The extended FS (ext) was created specifically for Linux
- it was soon replaced by ext2, ext3, ext4
- Other FS: ReiserFS, JFS, XFS, ZFS, Btrfs
- to create FS use
mkfs -t TYPE DEVICE
mkfs -t ext3 /dev/sdb2
- To mount partition:
mount DEVICE MOUNT_POINT
mount /dev/sdb2 /opt
- To list current mount points just use mount, which will show both physical & virtual FS
- These virtual FS are RAM based FS that provide ways to interact with other parts of the system. ex. proc, sysfs
- To just list storage device mount points use
- Manually mounting a FS with the mount cmd will not persist between reboots
- To make mount point permanent, make an entry in
- To unmount :
umount /opt or
- The primary function of swap space is to substitute disk space for RAM memory when real RAM fills up and more space is needed.
- The kernel uses a memory management program that detects blocks, aka pages, of memory in which the contents have not been used recently.
- The memory management program swaps enough of these infrequently used pages of memory out to a special partition on the hard drive designated for “paging,” or swapping.
- To prepare swap area for use:
- To enable the swap partition:
- To see swap devices in use:
/etc/fstab - The File System Table
- /etc/fstab file controls where devices are mounted on a Linux system & what options to use when mounting those devices
- Each line entry consists of 6 columns
- device mount-point filesystem-type mount-options dump fsck order
- ex: /dev/sda2 / xfs defaults 0 1
- /dev/sda1 swap swap defaults 0 1
- device column contains path to a device or label of device or UUID of a device
- mount-point column tells where the device will be mounted
- dump column is used by dump utility. If it's 0, dump will ignore this FS. If it's 1, dump will backup this file system
- dump is rarely used for backups
- fsck column is used by fsck (FS check) program at boot time to determine if a FS is to be checked & if so, in what order to check them
- If 0, fsck will skip checking this FS
- If 1, it will be checked 1st; a FS with 2 will be checked next
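A parser for the six-column fstab format described above, as an added example (not from the original notes). It validates each line and lists the devices fsck would check at boot, in order; the sample table is constructed and its UUID is a placeholder.

```python
from typing import NamedTuple


class FstabEntry(NamedTuple):
    device: str        # path, LABEL=... or UUID=...
    mount_point: str
    fs_type: str
    options: tuple
    dump: int          # 0 = ignored by dump, 1 = backed up
    fsck_order: int    # 0 = skip, 1 = checked first, 2 = checked next


def parse_fstab(text):
    """Parse fstab text into FstabEntry rows; ValueError on a malformed line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # fstab(5): the last two columns may be omitted and default to 0.
        if len(fields) in (4, 5):
            fields += ["0"] * (6 - len(fields))
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 columns")
        if not (fields[4].isdigit() and fields[5].isdigit()):
            raise ValueError(f"line {lineno}: dump/fsck order must be numbers")
        dev, mnt, fstype, opts, dump, order = fields
        entries.append(FstabEntry(dev, mnt, fstype, tuple(opts.split(",")),
                                  int(dump), int(order)))
    return entries


def fsck_plan(entries):
    """Devices fsck would check at boot, in order; fsck order 0 is skipped."""
    checked = [e for e in entries if e.fsck_order > 0]
    return [e.device for e in sorted(checked, key=lambda e: e.fsck_order)]


# Constructed sample; the UUID is a placeholder, not a real device.
SAMPLE = """\
# device            mount-point  type  options           dump fsck
/dev/sda2           /            xfs   defaults          0    1
/dev/sda1           swap         swap  defaults          0    0
UUID=EXAMPLE-0000   /home        ext4  defaults,noatime  0    2
/dev/sdb2           /opt         ext3  defaults
"""
```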