8.9 Game-theoretical strategy selection
Figure 8.14: The absolute values of payoff contributions as a function of time (in hours), for daily tidying $T_p = 24$. User numbers are set in the ratio $(n_g, n_b) = (99, 1)$, based on rough ratios from the author's College environment, i.e. one percent of users are considered mischievous. The filling rates are in the same ratio: $r_b/R_{tot} = 0.99$, $r_g/R_{tot} = 0.01$, $r_a/R_{tot} = 0.1$. The flat dot-slashed line is $|\pi_q|$, the quota payoff. The lower wavy line is the cumulative payoff resulting from good users, while the upper line represents the payoff from bad users. The upper line doubles as the magnitude of the payoff $|\pi_a| \ge |\pi_u|$, if we apply the restriction that an automatic system can never win back more than users have already taken. Without this restriction, $|\pi_a|$ would be steeper.
As drawn, the daily ripples of the automatic system are in phase with the users' activity. This is not realistic, since tidying would normally be done at night when user activity is low; however, such details need not concern us in this illustrative example.
The policy created in setting up the rules of play for the game penalizes the system administrator for employing strict quotas which restrict users' activities. Even so, users do not gain much from this, because quotas are constant for all time. A quota is a severe handicap to users in the game, except for very short times before users reach their quota limits. Quotas could be considered cheating by the system administrator, since they determine the final outcome even before play commences. There is no longer an adaptive allocation of resources. Users cannot create temporary files which exceed these hard and fast quotas. An immunity-type model which allows fluctuations is a more resource-efficient strategy in this respect, since it allows users to span all the available resources for short periods of time, without consuming them for ever.
According to the minimax theorem, proved by John von Neumann, any two-person zero-sum game has a solution, either in terms of a pair of optimal pure strategies or as a pair of optimal mixed strategies [225, 96]. The solution is found as the balance between one player's attempt to maximize his payoff and the other player's attempt to minimize the opponent's result. In general, one can say of the
payoff matrix that

$$\max_{\downarrow}\,\min_{\rightarrow}\,\pi_{rc} \;\le\; \min_{\rightarrow}\,\max_{\downarrow}\,\pi_{rc}$$

where the arrows refer to the directions of increasing rows ($\downarrow$) and columns ($\rightarrow$). The left-hand side is the least users can hope to win (or conversely the most that the system administrator can hope to keep) and the right is the most users can hope to win (or conversely the least the system administrator can hope to keep). If we have

$$\max_{\downarrow}\,\min_{\rightarrow}\,\pi_{rc} \;=\; \min_{\rightarrow}\,\max_{\downarrow}\,\pi_{rc}$$

it implies the existence of a pair of single, pure strategies $(r^*, c^*)$ which are optimal for both players, regardless of what the other does. If the equality is not satisfied, then the minimax theorem tells us that there exist optimal mixtures of strategies, where each player selects at random from a number of pure strategies with a certain probability weight.
The situation for our time-dependent example matrix is different for small t and for large t. The distinction depends on whether users have had time to exceed fixed quotas or not; thus 'small t' refers to times when users are not impeded by the imposition of quotas. For small t, one has:
is removed (perhaps through an improved technology), then the next best strategy
is for users to bluff by changing the date, assuming that the tidying looks at the
8.10 Monitoring
Having set policy and implemented it to some degree, it is important to verify the success of this programme by measuring the state of the system. Various monitoring tools exist for this purpose, depending upon the level at which we wish to evaluate the system:
• Machine performance level
• Abstract policy level
While these two levels are never unrelated, they pose somewhat different questions.
A very interesting idea which might be used both in fault diagnosis and security intrusion detection is the idea of anomaly detection. In anomaly detection we are looking for anything abnormal. That could come from abnormal traffic, patterns of kernel activity, or changes in the statistical profiles of usage. An anomaly can be responded to as a punishable offence, or as a correctable transgression that leads to regulation of behavior, depending on its nature and the policy of the system administrator (see figure 8.15).
Automated self-regulation in host management has been discussed in refs. [41, 42, 44, 48], as well as adaptive behavior [274] and network intrusion detection [102, 156]. In their insightful paper [159], Hoogenboom and Lepreau anticipated the need for monitoring time series data with feedback regulation in order to adjust policy automatically. Today much effort is aimed at detecting anomalies for security related intrusion detection rather than for general maintenance, or capacity planning. This has focused attention on mainly short-term changes; however, long-term changes can also be of interest in connection with maintenance of host state and its adaptability to changing demand.
SNMP tools such as MRTG, RRDtool and Cricket specialize in collecting data from SNMP devices like routers and switches. Cfengine's environment daemon adopts a less deterministic approach to anomaly detection over longer time scales, that can be used to trigger automated policy countermeasures [50]. For many, monitoring means feeding a graphical representation of the system to a human in order to provide an executive summary of its state.
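The "statistical profile of usage" idea above, as an added example that is not from the book and is not cfengine's own algorithm: a per-hour-of-week baseline is learned from past samples of one metric, and a new sample is classified by how far it sits from that slot's mean. The training data and the warn/alarm thresholds are constructed for illustration.

```python
"""Anomaly detection against a weekly activity profile.

Added illustration (not from the book, and not cfengine's algorithm): it
learns the mean and spread of a metric for each hour of the week from past
samples, then scores a new sample by its distance from that slot's mean.
The training data below are constructed."""
import math
from collections import defaultdict

HOURS_PER_WEEK = 7 * 24


def hour_of_week(t_hours):
    """Slot 0..167 for an absolute time in hours (assumes t=0 is Monday 00:00)."""
    return int(t_hours) % HOURS_PER_WEEK


def build_profile(samples):
    """samples: iterable of (t_hours, value). Returns {slot: (mean, stddev, n)}."""
    buckets = defaultdict(list)
    for t, v in samples:
        buckets[hour_of_week(t)].append(float(v))
    profile = {}
    for slot, values in buckets.items():
        n = len(values)
        mean = sum(values) / n
        var = sum((v - mean) ** 2 for v in values) / n
        profile[slot] = (mean, math.sqrt(var), n)
    return profile


def score(profile, t_hours, value, floor=1.0):
    """z-score of a sample against its hour-of-week slot, or None without history.
    `floor` keeps a near-constant slot from turning any small change into an alarm."""
    slot = hour_of_week(t_hours)
    if slot not in profile:
        return None
    mean, sd, _ = profile[slot]
    return (value - mean) / max(sd, floor)


def classify(profile, t_hours, value, warn=2.0, alarm=4.0):
    """Map a sample to 'normal', 'warn', 'alarm' or 'unknown' (no baseline yet).
    What to do about each class is policy; this only reports the deviation."""
    z = score(profile, t_hours, value)
    if z is None:
        return "unknown"
    if abs(z) >= alarm:
        return "alarm"
    if abs(z) >= warn:
        return "warn"
    return "normal"


def synthetic_history(weeks=4):
    """Constructed training data: process count ~40 in office hours, ~10 otherwise,
    with a small deterministic jitter so the example is reproducible."""
    samples = []
    for w in range(weeks):
        for h in range(HOURS_PER_WEEK):
            day, hour = divmod(h, 24)
            base = 40.0 if (day < 5 and 8 <= hour < 18) else 10.0
            jitter = ((w * 7 + h) % 5) - 2
            samples.append((w * HOURS_PER_WEEK + h, base + jitter))
    return samples


if __name__ == "__main__":
    prof = build_profile(synthetic_history())
    t_now = 5 * HOURS_PER_WEEK + 3          # Monday 03:00, a quiet slot
    for v in (11, 14, 25):
        print("t=%d value=%d -> %s" % (t_now, v, classify(prof, t_now, v)))
```

A value of 25 processes at 03:00 on a Monday is flagged because it is far from that slot's history, even though the same value would be unremarkable at 10:00 on a weekday.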
Figure 8.15: An average summary of system activity over the course of a week, as generated by cfengine's environment daemon.
8.11 System performance tuning
When is a fault not a fault? When it is an inefficiency. Sooner or later, user perception of system performance passes a threshold. Beyond that threshold we deem the performance of a computer to be unacceptably slow and we become irritated. Long before that happens, the system itself recognizes the symptoms of a lack of resources and takes action to try to counter the problem, but not always in the way we would like.
Efficiency and users' perception of efficiency are usually two separate things. The host operating system itself can be timesharing perfectly and performing real work at a break-neck pace, while one user sits and waits for minutes for something as simple as a window to refresh. For anyone who has been in this situation, it is painfully obvious that system performance is a highly subjective issue. If we aim to please one type of user, another will be disappointed. To extract maximal performance from a host, we must focus on specific issues and make particular compromises. Note that the system itself is already well adjusted to share resources: that is what a kernel is designed to do. The point of performance tuning is that what is good for one task is not necessarily good for another. Generic kernel configurations try to walk the line of being adequate for everyone, and in doing so they are not great at doing any of them in particular. The only way we can truly achieve maximal performance is to specialize. Ideally, we would have one host per task and optimize each host for that one task. Of course this is a huge waste of resources, which is why multitasking operating systems exist. The inevitable consequence of sharing resources between many tasks is compromise. This is the paradox of multitasking.
Whole books have been written on the subject of performance tuning, so we shall hardly be able to explore all of the avenues of the topic in a brief account. See for instance refs. [159, 97, 200, 307, 16, 318, 293, 266]. Our modest aim in this book is, as usual, to extract the essence of the topic, pointing fingers at the key performance bottlenecks. If we are to tune a system, we need to identify what it is we wish to optimize, i.e. what is most important to us. We cannot make everything optimal, so we must pick out a few things which are most important to us, and work on those.
System performance tuning is a complex subject, in which no part of the system is sacrosanct. Although it is quite easy to pin-point general performance problems, it is harder to make general recommendations to fix these. Most details are unique to each operating system. A few generic pointers can nonetheless offer the greatest and most obvious gains, while the tweaking of system-dependent parameters will put the icing on the cake.
In order to identify a problem, we must first measure the performance. Again there are the two issues: user perception of performance (interactive response time) and system throughput, and we have to choose the criterion we wish to meet. When the system is running slowly, it is natural to look at what resources are being tested, i.e.
• What processes are running
• How much available memory the system has
• Whether disks are being used excessively
• Whether the network is being used heavily
• What software dependencies the system has (e.g. DNS, NFS)
The last point is easy to overlook. If we make one host dependent on another then the dependent host will always be limited by the host on which it depends. This is particularly true of file-servers (e.g. NFS, DFS, Netware distributed filesystems) and of the DNS service.
Principle 48 (Symptoms and cause) Always try to fix problems at the root,
rather than patching symptoms.
8.11.1 Resources and dependencies
Since all resources are scheduled by processes, it is natural to check the process table first and then look at resource usage. On Windows, one has the process manager and performance monitor for this. On Unix-like systems, we check the process listing with ps aux, if a BSD compatible ps command exists, or ps -efl if the system is derived from System V. If the system has both, or a BSD compatible output mode, as in Solaris and Digital Unix (OSF1), for instance, then the BSD style output is recommended. This provides more useful information and orders the processes so that the heaviest process comes at the top. This saves time. Another useful Unix tool is top. A BSD process listing looks like this:
host% ps aux | more
USER PID %CPU %MEM SZ RSS TT S START TIME COMMAND
root 22112 0.1 0.5 1464 1112 pts/2 O 15:39:54 0:00 ps aux
mark 22113 0.1 0.3 1144 720 pts/2 O 15:39:54 0:00 more
root 340 0.1 0.4 1792 968 ? S Jun 15 3:13 /bin/fingerd
This one was taken on a quiet system, with no load. The columns show the user ID of the process, the process ID, an indication of the amount of CPU time used in executing the program (the percentage scale can be taken with a pinch of salt, since it means different things for different kernels), and an indication of the amount of memory allocated. The SZ column is the size of the process in total (code plus data plus stack), while RSS is the resident size, or how much of the program code is actually resident in RAM, as opposed to being paged out, or never even loaded. TIME shows the amount of CPU time accumulated by the process, while START indicates the amount of clock time which has elapsed since the process started. Problem processes are usually identified by:
• %CPU is large. A CPU-intensive process, or a process which has gone into an endless loop.
• TIME is large. A program which has been CPU intensive, or which has been stuck in a loop for a long period.
• %MEM is large.
• SZ is large. A large and steadily growing value can indicate a memory leak.
One thing we notice is that the ps command itself uses quite a lot of resources. If the system is low on resources, running constant process monitoring is an expensive intrusion.
Unix-like systems also tell us about memory performance through the virtual memory statistics, e.g. the vmstat command. This command gives a different output on each operating system, but summarizes the amount of free memory as well as paging performance etc. It can be used to get an idea of whether or not the system is paging a lot (a sign that memory is low). Another way of seeing this is to examine the amount of swap space which is in use:
Digital Unix/OSF1: swapon -s
Solaris 1 or SunOS 3/4: pstat -s
Solaris 2 or SunOS 5: swap -l
Excessive network traffic is also a cause of impaired performance. We should try to eliminate unnecessary network traffic whenever possible. Before any complex analysis of network resources is undertaken, we can make sure that we have covered the basics:
• Make sure that there is a DNS server on each large subnet to avoid sending unnecessary queries through a router. (On small subnets this would be overkill.)
• Make sure that the nameservers themselves use the loopback address 127.0.0.1 as the primary nameserver on Unix-like hosts, so that we do not cause collisions by having the nameserver talk to itself on the public network.
• Try to avoid distributed file accesses on a different subnet. This loads the router. If possible, file-servers and clients should be on the same subnet.
• If we are running X-windows, make sure that each workstation has its DISPLAY variable set to :0.0 rather than hostname:0.0, to avoid sending data out onto the network, only to come back to the same host.
Some operating systems have nice graphical tools for viewing network statistics, while others have only netstat, with its varying options. Collision statistics can be seen with netstat -i for Unix-like OSs or netstat /S on Windows. DNS efficiency is an important consideration, since all hosts are more or less completely reliant on this service.
Measuring performance reliably, in a scientifically stringent fashion, is a difficult problem (see chapter 13), but adequate measurements can be made, for the purpose of improving efficiency, using the process tables and virtual memory statistics. If we see frantic activity in the virtual memory system, it means that we are suffering from a lack of resources, or that some process has run amok. Once a problem is identified, we need a strategy for solving it. Performance tuning can involve everything from changing hardware to tweaking software:
• Optimizing choice of hardware
• Optimizing chosen hardware
• Optimizing kernel behavior
• Optimizing software configurations
• (Optimizing service availability)
Hardware has physical limitations. For instance, the heads of a hard-disk can only be in one place at a time. If we want to share a hard-disk between two processes, the heads have to be moved around between two regions of the disk, back and forth. Moving the read heads over the disk platter is the slowest operation in disk access and perhaps the computer as a whole, and unfortunately something we can do nothing about. It is a fundamental limitation. Moreover, to get the data from disk into RAM, it is necessary to interrupt processes and involve the kernel.
Time spent executing kernel code is time not spent on executing user code, and so it is a performance burden. Resource sharing is about balancing overheads. We must look for the sources of overheads and try to minimize them, or mitigate their effects by cunning.
8.11.2 Hardware
The fundamental principle of any performance analysis is:
Principle 49 (Weakest link) The performance of any system is limited by the
weakest link amongst its components System optimization should begin with the
source If performance is weak at the source, nothing which follows can make it
better.
Obviously, any effect which is introduced after the source will only reduce the performance in a chain of data handling. A later component cannot 'suck' the data out of the source faster than the source wants to deliver it. This tells us that the logical place to begin is with the system hardware. A corollary to this principle follows from a straightforward observation about hardware. As Scotty said, we cannot change the laws of physics:
Corollary to principle (Performance) A system is limited by its slowest moving parts. Resources with slowly moving parts, like disks, CD-ROMs and tapes, transfer data slowly and delay the system. Resources which work purely with electronics, like RAM memory and CPU calculation, are quick. However, electronic motion/communication over long distances takes much longer than communication over short distances (internally within a host) because of impedances and switching.
Already, these principles tell us that RAM is one of the best investments we can make. Why? In order to avoid mechanical devices like disks as much as possible, we store things in RAM; in order to avoid sending unnecessary traffic over networks, we cache data in RAM. Hence RAM is the primary workhorse of any computer system. After we have exhausted the possibilities of RAM usage, we can go on to look at disk and network infrastructure.
• Disks: When assigning partitions to new disks, it pays to use the fastest disks for the data which are accessed most often, e.g. for user home directories. To improve disk performance, we can do two things. One is to buy faster disks and the other is to use parallelism to overcome the time it takes for physical motions to be executed. The mechanical problem which is inherent in disk drives is that the heads which read and write data have to move as a unit. If we need to collect two files concurrently which lie spread all over the disk, this has to be done serially. Disk striping is a technique whereby filesystems are spread over several disks. By spreading files over several disks, we have several sets of disk heads which can seek independently of one another, and work in parallel. This does not necessarily increase the transfer rate, but it does lower seek times, and thus performance improvement can approach as much as N times with N disks. RAID technologies employ striping techniques and are widely available commercially. GNU/Linux also has RAID support. Spreading disks and files across multiple disk controllers will also increase parallelism.
• Network: To improve network performance, we need fast interfaces. All interfaces, whether they be Ethernet or some other technology, vary in quality and speed. This is particularly true in the PC world, where the number of competing products is huge. Network interfaces should not be trusted to give the performance they advertise. Some interfaces which are sold as 100Mbits/sec, Fast Ethernet, manage little more than 40Mbits/sec. Some network interfaces have intelligent behavior and try to detect the best available transmission rate. For instance, newer Sun machines use the hme fast Ethernet interface. This has the ability to detect the best transmission protocol for the line a host is connected to. The best transmission type is 100Mbits/sec, full duplex (simultaneous send and receive), but the interface will switch down to 10Mbits/sec, half duplex (send or receive, one direction at a time) if it detects a problem. This can have a huge performance effect. One problem with auto-detection is that, if both ends of the connection have auto-detection, it can become an unpredictable matter which speed we end up with. Sometimes it helps to try setting the rate explicitly, assuming that the network hardware supports that rate. There are other optimizations also, for TCP/IP tuning, which we shall return to below. Refs. [295, 312] are excellent references on this topic.
The sharing of resources between many users and processes is what networking is about. The competition for resources between several tasks leads to another performance issue.
Principle 50 (Contention/competition) When two processes compete for a resource, performance can be dramatically reduced as the processes fight over the right to use the resource. This is called contention. The benefits of sharing have to be weighed against the pitfalls.
Contention could almost be called a strategy, in some situations, since there exist technologies for avoiding contention altogether. For example, Ethernet technology allows contention to take place, whereas Token Ring technology avoids it. We shall not go into the arguments for and against contention. Suffice it to say that many widely used technologies experience this problem.
• Ethernet collisions: Ethernet communication is like a television panel of politicians: many parties shouting at random, without waiting for others to finish. The Ethernet cable is a shared bus. When a host wishes to communicate with another host, it simply tries. If another host happens to be using the bus at that time, there is a collision and the host must try again at random until it is heard. This method naturally leads to contention for bandwidth. The system works quite well when traffic is low, but as the number of hosts competing for bandwidth increases, the probability of a collision increases in step. Contention can only be reduced by reducing the amount of traffic on the network segment. The illusion of many collisions can also be caused by incorrect wiring, or incorrectly terminated cable, which leads to reflections. If collision rates are high, a wiring check might also be in order.
• Disk thrashing: Thrashing² is a problem which occurs because of the slowness of disk head movements, compared with the speed of kernel time-sharing algorithms. If two processes attempt to take control of a resource simultaneously, the kernel and its device drivers attempt to minimize the motion of the heads by queuing requested blocks in a special order. The algorithms really try to make the disks traverse the disk platter uniformly, but the requests do not always come in a predictable or congenial order. The result is that the disk heads can be forced back and forth across the disk, driven by different processes and slowing the system to a virtual standstill. The time for disk heads to move is an eternity to the kernel, some hundreds of times slower than context switching times.
An even worse situation can arise with the virtual memory system. If a host begins paging to disk because it is low on memory, then there can be simultaneous contention both for memory and for disk. Imagine, for instance, that there are many processes, each loading files into memory, when there is no free RAM. In order to use RAM, some has to be freed by paging to disk; but the disk is already busy seeking files. In order to load a file, memory has to be freed, but memory can't be freed until the disk is free to page; this drags the heads to another partition, then back again and so on. This nightmare brings the system to a virtual standstill as it fights both over free RAM and disk head placement. The system spends more time juggling its resources than it does performing real work, i.e. the overhead to work ratio blows up. The only cure for thrashing is to increase memory, or reduce the number of processes contending for resources.
A final point to mention in connection with disks is to do with standards. Disk transfer rates are limited by the protocols and hardware of the disk interfaces. This applies to the interfaces in the computer and to the interfaces in the disks. Most serious performance systems will use SCSI disks, for their speed (see section 2.2). However, there are many versions of the SCSI disk design. If we mix version numbers, the faster disks will be delayed by the slower disks while the bus is busy, i.e. the average transfer rate is limited by the weakest link or the slowest disk. If one needs to support legacy disks together with new disks, then it pays to collect like disks with a special host for each type, or alternatively buy a second disk controller rather than to mix disks on the same controller.
8.11.3 Software tuning and kernel configuration
It is true that software is constrained by the hardware on which it runs, but it is equally true that hardware can only follow the instructions it has received from software. If software asks hardware to be inefficient, hardware will be inefficient. Software introduces many inefficiencies of its own. Hardware and software tuning are inextricably intertwined.
² For non-native English speakers, note the difference between thrash and trash. Thrashing refers to a beating, or the futile fight for survival, e.g. when drowning.
Software performance tuning is a more complex problem than hardware performance tuning, simply because the options we have for tuning software depend on what the software is, how it is written and whether or not the designer made it easy for us to tune its performance. Some software is designed to be stable rather than efficient. Efficiency is not a fundamental requirement; there are other priorities, such as simplicity and robustness.
In software the potential number of variables is much greater than in hardware tuning. Some software systems can be tuned individually. For instance, high-availability server software such as WWW servers and SMTP (E-mail) servers can be tuned to handle traffic optimally for heavy loads. See, for instance, tips on tuning sendmail [62, 185], and other general tuning tips [307, 200, 303].
More often than not, performance tuning is related to the availability or sharing of system resources. This requires tuning the system kernel. The most configurable piece of software on the system is the kernel. All Unix-like systems' kernel parameters can be altered and tuned. The most elegant approach to this is taken by Unix SVR4, and Solaris. Here, many kernel parameters can be set at run time using the kernel module configuration command ndd. Others can be configured in a single file /etc/system. The parameters in this file can be set with a reboot of the kernel, using the reconfigure flag:
reboot -r
For instance, on a heavily loaded system which allows many users to run external logins, terminals, or X-terminal software, we need to increase many of the default system parameters. The maxusers parameter (actually in most Unix-like systems) is used as a guide to estimating the size of many tables and limits on resources. Its default value is based on the amount of available RAM, so one should be careful about changing its value in Solaris, though other OSs are less intelligent. Solaris also has a separate parameter pt_cnt for extending the number of virtual terminals (pty's). It is possible to run out if many users are logged in to the same host simultaneously. Many graphics-intensive programs use shared memory in large blocks. The default limit for shared memory segments is only a megabyte, so it can be increased to optimize for intensive graphics use, but should not be increased on heavily loaded file-servers, where memory for caching is more important. The file /etc/system, then, looks like this:
For busy servers which handle many TCP connections, the time it takes an operating system to open and close connections is important. There is a limit on the number of available connections and open sockets (see chapter 9); if finished socket connections are not purged quickly from the kernel tables, new connections cannot be opened in their place. On non-tuned hosts, used sockets can hang around for five minutes or longer on a Solaris host. On a heavily loaded server, this is unacceptable. The close time on sockets can be shortened to half a minute so as to allow newer sockets to be opened sooner (though note that this contravenes RFC 793). The parameters can be set when the system boots, or patched at any later time. The times are measured in milliseconds. See refs. [312, 295] for excellent discussions of these values.
/usr/sbin/ndd -set /dev/tcp tcp_keepalive_interval 900000
/usr/sbin/ndd -set /dev/tcp tcp_time_wait_interval 30000
Prior to Solaris 2.7 (SunOS 5.7) the latter line would have read:
/usr/sbin/ndd -set /dev/tcp tcp_close_wait_interval 30000
which illustrates the futility of documenting these fickle parameters in a static medium like a book. Note that setting these parameters to ultra-short values could cause file transmissions to be terminated incorrectly. This might lead to corruption of data. On a web server, this is a nuisance for the client, but it is not mission-critical data. For security, longer close times are desirable, to ensure correct closure of sockets. After setting these values, the network interface needs to be restarted, by taking it down and up with ifconfig. Alternatively, the values can be configured in a startup script which is executed before the interface is brought up at boot time.
Suggestion 11 Do not change operating system defaults unless you have good
cause, and really know what you are doing Deviations from expert defaults must
be on a case-by-case basis.
Most Unix-like operating systems do not permit run-time configuration. New kernels have to be compiled and the values hard-coded into the kernel. This requires not just a reboot, but a recompilation of the kernel in order to make a change. This is not an optimal way to experiment with parameters. Modularity in kernel design can save us memory, since it means that static code does not have to take up valuable memory space. However, the downside of this is that modules take time to load from disk, on demand. Thus a modular kernel can be slower than a statically compiled kernel. For frequently used hardware, static compilation is a must, since it eliminates the load-time for the module, at the expense of extra memory consumption.
The GNU/Linux system kernel is a modular kernel, which can load drivers for special hardware at run time, in order to remain small in the memory. When we build a kernel, we have the option to compile in modules statically. See section 4.8. Tips for Linux kernel configuration can readily be found by searching the Internet, so we shall not reproduce these tips here, where they would quickly become stale. See, for instance, ref. [97].
Windows performance tuning can be undertaken by perusing the multitudinous screens in the graphical performance monitor and editing the values. For once, this useful tool is a standard part of the Windows system.
8.11.4 Data efficiency
Efficiency of storage and transmission depends on the configuration parameters used to manage disks and networks, and also on the amount of traffic the devices see. We have already mentioned the problem of contention.
Some filesystem formatting programs on Unix-like systems allow us to reserve a certain percentage of disk space for privileged users. For instance, the default for BSD is to reserve ten percent of the size of a partition for use by privileged processes only. The idea here is to prevent the operating system from choking due to the activities of users. This practice goes back to the early times when disks were small and expensive and partition numbers were limited. Today, these limits are somewhat inappropriate. Ten percent of a gigabyte disk is a huge amount of space, which many users could live happily with for many weeks. If we have partitioned a host so as to separate users from the operating system, then there is no need to reserve space on user disks. Better to let users utilize the existing space until a real problem occurs. Preventative tidying helps to avoid full disks. Whether one regards this as maintenance or performance tuning is a moot point. The effect is to save us time and loss of resource availability. See section 4.4.3 about making filesystems.
Another issue with disk efficiency is the configuration of block sizes. This is a technical issue which one probably does not want to play with too liberally. Briefly, the standard unit of space allocated on a filesystem is a block. Blocks are fairly large: traditionally around 8 kilobytes on BSD filesystems, and 4 kilobytes on most Linux filesystems today. Even if we allocate a file which is one byte long, it is stored as a separate unit, in a block by itself or, on filesystems that support them, in a fragment. Fragments are usually around 1 kilobyte. If we have many small files, this can clearly lead to a large wastage of space, and it might be prudent to decrease the filesystem block size. If, conversely, we deal mostly with large files, the block size could be increased to improve transfer efficiency. The filesystem parameters can, in other words, be tuned to balance file size against transfer-rate efficiency. Normally the default settings are a good compromise; note that the block size is fixed when the filesystem is made and cannot be changed afterwards without reformatting.
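To make the space trade-off concrete, here is an added Python example (not from the book) that applies the allocation rule just described to a constructed set of file sizes under several block and fragment configurations, and also measures real slack on a directory from st_blocks. The allocation rule is a simplified model of BSD FFS (whole blocks plus a fragment-rounded tail); filesystems without fragments behave as if the fragment equals the block, and the file-size distribution is invented for illustration.

```python
#!/usr/bin/env python3
"""Estimate filesystem slack (allocated minus used bytes) for a set of file sizes.

Added example, not from the book.  Allocation model (an assumption): a file
occupies whole blocks plus a tail rounded up to the fragment size, as on BSD
FFS; a filesystem without fragments behaves as if frag == block.
"""
import os
import tempfile
from math import ceil

# Constructed file-size distribution: many tiny dotfiles, some medium files,
# a few large ones.  Real numbers come from walking a real directory.
SAMPLE_SIZES = [300] * 1000 + [6000] * 200 + [5 * 1024 * 1024] * 10

# (block, fragment) configurations to compare, in bytes.
CONFIGS = [(8192, 1024), (8192, 8192), (4096, 4096), (1024, 1024)]


def allocated(size, block, frag):
    """Bytes a file of `size` bytes occupies under the model."""
    if size == 0:
        return 0                                  # empty file: no data blocks
    full, tail = divmod(size, block)
    tail_alloc = ceil(tail / frag) * frag if tail else 0
    return full * block + tail_alloc


def slack_report(sizes, configs):
    """Map (block, frag) -> (allocated, wasted, wasted_percent) for the sizes."""
    used = sum(sizes)
    report = {}
    for block, frag in configs:
        alloc = sum(allocated(s, block, frag) for s in sizes)
        report[(block, frag)] = (alloc, alloc - used, round(100.0 * (alloc - used) / alloc, 1))
    return report


def measured_slack(path):
    """Real (used, allocated, slack) under `path`; st_blocks is always in 512-byte units."""
    used = alloc = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            st = os.lstat(os.path.join(root, name))
            used += st.st_size
            alloc += st.st_blocks * 512
    return used, alloc, alloc - used


def demo_measure(sizes=(1, 300, 6000)):
    """Create files of the given sizes in a temporary directory and measure them."""
    with tempfile.TemporaryDirectory() as tmp:
        for i, size in enumerate(sizes):
            with open(os.path.join(tmp, f"f{i}"), "wb") as fh:
                fh.write(b"x" * size)
        return measured_slack(tmp)


if __name__ == "__main__":
    for cfg, (alloc, wasted, pct) in slack_report(SAMPLE_SIZES, CONFIGS).items():
        print(f"block={cfg[0]:5d} frag={cfg[1]:5d}: allocated={alloc:10d} wasted={wasted:9d} ({pct}%)")
    print("measured on a temporary directory (used, allocated, slack):", demo_measure())
```

With the sample distribution, 8 KB blocks without fragments waste about eight times as much as 8 KB blocks with 1 KB fragments, and the 1 KB-block configuration wastes exactly as much as 8 KB/1 KB, because in this model only the tail of each file is ever rounded up.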
Tuning the network is a complex subject and few operating systems allow us to do it at all. Solaris' ndd command can be used to configure TCP/IP parameters (on Linux and the BSDs the equivalent is sysctl), which can lead to noticeable performance improvements. See the excellent discussion in refs. [312, 68]. As far as software tuning is concerned, we have few options. The time we wait for a service to reply to a query is called the latency. Latency clearly depends on many factors, so it is difficult to pin down, but it is a useful concept since it reflects users' perceptions of performance. Network performance can degrade for a variety of reasons. Latency can increase as a result of network collisions on shared media, making traffic congested, and it can be increased by server load, making the server slow to respond. Network latencies clearly increase with distance from the server: the more routers, switches and cables a signal has to travel through, the slower it will be. Our options are to reduce traffic congestion, increase server performance, and increase parallelism (if possible) with fail-over servers [139]. Some network services are multi-threaded (using either light- or heavyweight processes) and can be configured to spawn more server threads to handle a greater number of simultaneous connections (e.g. nfsd, httpd, cfservd). If traffic congestion is not the problem, then a larger number of servers might help in expediting multiple connections (many multi-threaded servers set limits on the number of threads allowed, so as not to run a machine into the ground in the event of a flood of requests). These measures help to reduce the need for retransmission of TCP segments and timeouts on connection. Assuming that the network interface is working as fast as it can (see previous section), a server will then respond as quickly as it can.
8.12 Principles of quality assurance

Quality assurance in service provision is a topic that is increasingly discussed in the world of network services (see section 10.8), but quality assurance is a process that has far wider implications than the commercially motivated issue of value for money. A system administrator also performs a service for the system and for users. Quality assurance takes up three related issues:

• Accuracy of service (result)
• Efficiency of service (time)
• Predictability (result/time)
8.12.1 ISO 9000 series

The ISO 9000 series of standards represents an international consensus on management practices that apply to any process or organization. The aim of the standards is to provide a schematic quality management system and a framework for continual assessment and improvement. ISO 9000 has become quite important in some sectors of industry, in the countries that have adopted it.

First published in 1987, the ISO 9000 standards are widely used, and a quick search of the net reveals that they are also money-making enterprises: courses in these methods are numerous and costly. The principles, however, are straightforward. The idea is that a standard approach to quality assurance leads to less uncertainty in the outcome; quality is associated with certainty. Here we shall not dwell on the issue of ISO 9000 certification, but rather on the guiding principles that the standard embodies.
8.12.2 Creating a quality control system

Quality is clearly a subjective criterion; it is a matter for policy to decide what quality means. Quality control is an iterative process with a number of key elements. It is a process, rather than a one-off task, because the environment in which we execute our work is never static. Even as we plan our quality handbooks and verification forms, the world is changing and has made them partially obsolete.

Principle 51 (Rapid maintenance). The speed of response to a problem can be crucial to its success or failure, because the environment is constantly changing the conditions for work. If one procrastinates, procedures will be out of date, or inappropriate.
ISO 9000 reiterates one of the central messages of system administration and security: namely that they are on-going, dynamical processes rather than achievable goals (see figure 8.16).

• Determine quality goals: One begins by determining policy: what is it that we wish to accomplish? Until we know this, we cannot set about devising a strategy to accomplish the goals.

• Assess the current situation: We need to know where we stand, in order to determine how to get where we are going. How much work will it take to carry out the plan?

• Devise a strategy: Strategy determination is a complex issue. Sometimes one needs to back-track in order to go forward. This is reminiscent of the story of the stranger who comes to a city and asks a local how to get to the post office. The local shakes his head and replies, 'If I were going to the Post Office, I certainly wouldn't start from here.' Clearly, this is not a helpful observation. We must always find a way to achieve our goals, even if it means first back-tracking to a more useful starting point.

• Project management: How we carry out a process is at least as important as the process itself. If the process is faulty, the result will be faulty. Above all, there must be progress: something has to happen in order for something good to happen. Often, several actors collaborate in the execution of a project. Projects cost resources to execute; how will this be budgeted? Are resources adequate for the goals specified?

• Documentation and verification: A key reason for system failure is that a system becomes so complex that its users can no longer understand it. Humans, moreover, are naturally lazy, and their performance with regard to a standard needs to be policed. Documentation can help prevent errors and misunderstandings, while verification procedures are essential for ensuring the conformance of the work to the quality guidelines.

• Fault-handling procedure: Quality implies a line between the acceptable and the unacceptable. When we discover something that falls short of the mark, we need a procedure for putting the problem right. That procedure should itself be quality assured; hence we see that quality assurance has a feedback structure. It requires self-assessment.
In principle 40, we found that standardization leads to predictability. It can also lead to limitations, but we shall assume that this problem can also be dealt with by a quality assurance programme.

The formulation of a quality assurance scheme is not something that can be done generically; one needs expert insight into specific issues, in order to know and evaluate the limitations and likely avenues for error recovery. Quality assurance involves:

1. A definition of quality
2. A fault tree or cause tree analysis for the system quality
Figure 8.16: Elements of a quality assurance system. The figure links policy goals, a quality definition, a strategic plan, procedures, methods, documentation and verification.
3. Formulating a strategic remedial policy
4. The formalization of remedies as a checklist
5. Acknowledging and accepting inherent system limitations
6. Checklists to document compliance with policy
7. Examination of results and feedback into policy

Measurements of tolerances, uncertainties and limitations need to be incorporated into this procedure in a continual feedback process. Quality is achieved through this continued process: it is not an achievable goal, but rather a never-ending journey.
Exercises

Self-test objectives

1. What is meant by the principle of predictable failure?
2. Explain the meaning of 'single point of failure'.
3. Explain how a meshed network can be both more robust and more susceptible to failure.
4. What is the 'small worlds' phenomenon and how does it apply to system administration?
5. Explain the principle of causality.
6. What is meant by an interaction?
7. How do interactions underline the importance of the principle of causality?
8. What is meant by the environment of a system?
9. How does one find the boundary between system and environment?
10. What kind of faults can occur in a human–computer system?
11. Describe some typical strategies for finding faults.
12. Describe some typical strategies for correcting faults.
13. Explain how a cause tree can be used to help locate problems in a system. What are the limitations of cause-tree analysis?
14. Explain how fault trees can provide predictive power for the occurrence of faults. What are the limitations of this predictive power?
15. Explain the relationship between change management and cause-tree analysis.
16. Explain the role of game theory in system management. Comment on its limitations.
17. Explain how game theory reveals the principle of communities by finding optimal equilibria.
18. What role does monitoring the system play in a rational decision-making process?
19. Explain the weakest link principle in performance analysis.
20. Explain how competition for resources can lead to wasted resources.
21. What is ISO 9000?
22. Describe some of the issues in quality control.
23. Explain how the rate of maintenance affects the likely state of a system.
Problems

1. Find out about process priorities. How are process priorities changed on the computer systems on your network? Formulate a policy for handling processes which load the system heavily. Should they be left alone, killed, rescheduled, etc.?
2. Describe the process you would use to troubleshoot a slowly running host. Formalize this process as an algorithm.
3. Suppose you are performance tuning, trying to find out why one host is slower than another. Write a program which tests the efficiency of CPU-intensive work only. Write programs which test the speed of memory-intensive work and disk-intensive work. Would comparing the time it takes to compile a program on the hosts be a good way of comparing them?
4. Determine the network transmission speed on the servers on your network. Are they as high as possible? Do they have auto-detection of the interface transmission rates on their network connections (e.g. 10 Mb/s or 100 Mb/s)? If not, how are they configured? Find out how you can choose the assumed transmission rate.
5. What is meant by an Ethernet collision? How might doubling the speed of all hosts on an Ethernet segment make the total system slower?
6. Consider the fault tree in figure 8.17.
Figure 8.17: Partial fault tree for data loss due to backup failure. The top event, 'Data loss', is an OR of four branches: a timing hole (a scheduling gap between backups), a read error, physical damage (magnet, heat, crinkle) and a software error; 'RAID?' is marked on the tree as a candidate countermeasure.
(a) Given that the probability that data will be lost in a backup hole (data changed between scheduled backups) is approximately the same as the probability of physical media damage, what strategy would you suggest for improving security against data loss? Explain your answer.
(b) What security principle does RAID employ to protect data? Explain how RAID might be used at several places in this tree in order to help prevent data loss.
(c) Describe a fault tree for loss of service in a high-availability web server placed in a server room. Describe how you would go about estimating the probabilities. Based on your analysis, concoct a number of long-term strategies for countering these failures; draw a provisional payoff matrix for these strategies versus the failure modes, and use this to estimate the most cost-effective long-term strategies.
(d) Design a change plan and schedule for upgrading 400 Windows hosts. Your plan should include a fault tree analysis for the upgrade and a contingency plan for loss of some of the hosts.
(e) By inspection, find the defensive strategies that minimize the payoff to the user.
(f) Use the minimax theorem to find the optimal strategy or strategies and compare your answer with the one you chose by inspection.
or two hosts, whose special function it is to perform the tasks on behalf of the network community.

Note also that although the details of this chapter will likely be out of date by the time the book comes to press, the principles should remain fairly constant. Readers are encouraged to verify the information using the latest documentation for the software concerned.
9.1 Application-level services

Internet networks use many high-level protocols to provide the distributed services which most users take for granted. Here are a few examples:

• FTP: The File Transfer Protocol. Passwords are normally sent in clear text.

• HTTP: The Hypertext Transfer Protocol, for the transmission of data on the World Wide Web. All data are sent in clear text.

• S-HTTP: A superset of HTTP which allows messages to be encapsulated for increased security. Encapsulations include encryption, signing and MAC-based authentication. An S-HTTP message can have several security transformations applied to it. S-HTTP also includes support for key transfer, certificate transfer and similar administrative functions. It was regarded by some as technically superior to HTTPS, but is now obsolete.

• HTTPS: The secure World Wide Web protocol for exchanging hypertext and multimedia data. All data are encrypted using the Secure Sockets Layer (SSL), originally from Netscape and now standardized by the IETF as Transport Layer Security (TLS).

• SSH: The secure shell, a replacement for the remote shell (rsh) Unix protocol. The secure shell provides full encryption and forwarding of X11 display data through a secure pipe.

• LDAP: The Lightweight Directory Access Protocol is a generalized protocol for looking up data in simple databases. It is a lightweight version of the Directory Access Protocol originally written for X.500 and is currently at version 3. LDAP can be used to register user information, passwords, telephone numbers etc., and interfaces through gateways to NDS (Novell Directory Service), Microsoft's Exchange server and NIS (Sun's Network Information Service). The advantage of LDAP is a uniform protocol for accessing table lookups. At the time of writing, the spread of LDAP was hindered by a shortage of up-to-date implementations of the protocol.

• NTP: The Network Time Protocol, used for synchronizing clocks throughout the network.

• IMAP: The Internet Message Access Protocol provides a number of network services for reading and transferring mail over the network. Other mail protocols include POP (the Post Office Protocol).

• SMTP: The Simple Mail Transfer Protocol is used to address and transfer e-mail over the network.

There is an almost endless list of services which are registered in the /etc/services file. These named services perform a wide range of functions.
9.2 Proxies and agents

A proxy is an agent which works on behalf of another. Proxies are used for two main reasons: for security and for caching (sometimes also for load-balancing). Some proxy agents collect information and cache it locally so that traffic over a slow network can be minimized. Web proxies can perform this kind of function. Rather than sending WWW requests out directly, they are sent to a proxy server which registers the requests and builds a list of popular requests. These requests are collected by the proxy and copied into local storage so that the next time the request is made, the data can be served from local storage. This improves both speed and traffic load, in principle. The proxy's agents make sure that its cached copies are up to date.

Another type of proxy is the firewall type. One of the advantages of asking another to do a job is that the original agent doesn't need to get its hands dirty. It is a little bit like the robots which bomb squads use to defuse bombs: better to send in a robot than get blown to bits yourself. Firewall proxies exist for most services, to avoid handling potentially dangerous network connections directly: the proxy parses the request and issues a fresh one on the inside, so only the proxy is ever exposed to malformed input from outside.

We shall return to the issue of proxy services in the discussion of firewalls in section 12.12.
9.3 Installing a new service

We need to configure the system to accept a new service by editing the file /etc/services. This file contains the names of services, their protocol types and port numbers.

The format of entries is like this:
an outside connection wishes to use it; this method is used for less frequently used services. In the second case, a master Internet daemon is used, which listens for connections for several services at once and starts the correct daemon only long enough to handle one connection. The aim is to save the overhead of running many daemons.

If we want to run a daemon all the time, then we just need to make sure that it is started in the appropriate rc startup files for the system. To add the service to the Internet daemon, on the other hand, we need to add a line of the following form to the configuration file /etc/inetd.conf:

service  type    proto  serial  user-id  server-program     command
pop3     stream  tcp    nowait  root     /local/etc/pop3d   pop3d

The software installation instructions for the new network service tell us what we should add to this file.

Once we have configured a new service, it must be started by running the appropriate daemon, or by reinitializing inetd. Note that xinetd also exists, adding checks and controls to network service requests.
9.4 Summoning daemons

Network services are run by daemons. Having done the deed of configuring a network service (see section 9.3) by editing text files and ritually sacrificing a few doughnuts, we reach the point where we have to actually start the daemon in order to see the fruits of those labors. There are two ways to start network daemons:

• When the system boots, by adding an appropriate shell command to one of the system's startup scripts. When we use this method, the daemon hangs around in the background all the time, waiting for connections.

• On demand: that is, only when a network request arrives. We use the inetd daemon to monitor requests for a new service. It starts the daemon to handle requests on a one-off basis. Not all services should be started in this way; one should normally follow the guidelines in the documentation for the service concerned.
a directory called /etc/rc?.d and executes the scripts in this directory. For instance, if we are entering run-level 2, init looks in the directory /etc/rc2.d and executes the scripts lying there, in order to start the necessary services for this run-level. All one has to do to add a new service is to make a new file here which conforms to init's simple rules. The files in these directories are usually labelled according to the following pattern:

S number- function
K number- function

Files beginning with S are for starting services, and files beginning with K are for killing them again when the system is halted or leaves the run-level. The number is used to determine the order in which the scripts are run. It does not matter if two scripts have the same number, as long as it does not matter in which order they are executed. Finally, the function tells us what the script does.

Each script is supposed to accept a single argument: the word 'start' or the word 'stop', or 'restart' etc. Let's consider an example of how we might start the httpd daemon using init. Here is a checklist:

1. Determine the correct run-level for the service. Let us suppose that it is run-level 2.
2. Choose an unused filename, say S99http.
3. Create a script accepting a single argument:
#!/bin/sh
# S99http: called by init with one argument, start or stop (restart added for convenience)
case "$1" in
    start)   /usr/local/bin/httpd -d /usr/local/lib/httpd ;;
    stop)    kill `cat /usr/local/lib/httpd/logs/httpd.pid` ;;
    restart) $0 stop; sleep 1; $0 start ;;
    *)       echo "Usage: $0 {start|stop|restart}" >&2; exit 1 ;;
esac
The advantage of this system is that software packages can be added and removed transparently, just by adding or removing a file. No special editing is required, as is the case for BSD Unix.

9.4.2 BSD init

The BSD style is rather simple. It starts by executing a shell script called /etc/rc, which then generally calls other child scripts. These scripts start important daemons and configure the system. To add our own local modifications, we have to edit the file /etc/rc.local. This is a Bourne shell script.

The BSD approach has a simpler structure than the System V inittab directories, but it is harder to manipulate package-wise.
9.4.3 inetd configuration

The Internet daemon is a service demultiplexer. In English, that means that it is a daemon which listens on the network for messages to several services simultaneously. When it receives a message intended for a specific port, it starts the relevant daemon to handle the request, just long enough to handle one request. inetd saves the system some resources by starting daemons only when they are required, rather than cluttering up the process table all the time.

The format of this file can differ slightly on older systems. The best way to glean its format is to look at the entries which are already there. Here is a common example of the format:

ftp      stream  tcp  nowait  root    /usr/sbin/in.ftpd       in.ftpd -a
telnet   stream  tcp  nowait  root    /usr/sbin/in.telnetd    in.telnetd
finger   stream  tcp  nowait  finger  /local/etc/in.fingerd   in.fingerd
cfinger  stream  tcp  nowait  finger  /local/etc/in.cfingerd  in.cfingerd

The first column is the name of the service, from /etc/services. The next column is the type of connection (stream, dgram or tli), then comes the protocol type (tcp, udp etc.). The wait column indicates whether the service is to be single- or multi-transaction, i.e. whether new requests should wait for an existing request to complete or whether a new daemon should be started in parallel. The next column is the user the daemon runs as. The last two columns contain the location of the program which should handle the request and the actual command line (including options) which should be executed. Notice that the finger daemon runs as a special user with no privileges; every daemon that does not need root should be run this way, so that a compromise of the daemon yields as little as possible.

To add a new service, we edit the file /etc/inetd.conf and then send the inetd process the HUP signal. To do this, we find the process id:

ps aux | grep inetd

Then we type:

kill -HUP process-id
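The two files described in sections 9.3 and 9.4.3 are easy to get out of step, and an inetd entry says a good deal about the risk a service carries. The following Python script is an added example (not from the book): it parses /etc/services and /etc/inetd.conf lines in the formats shown above, cross-checks that each inetd service is registered, and flags entries that run as root, carry passwords in clear text, or are not wrapped by tcpd. The file contents embedded in it are constructed samples, and the list of clear-text protocols is an assumption of the audit.

```python
#!/usr/bin/env python3
"""Cross-check /etc/inetd.conf against /etc/services and flag risky entries.

Added example, not from the book.  The file contents below are constructed
samples; pass the real files' text to audit() on a live host.
"""
import os

SERVICES_SAMPLE = """\
# name   port/proto  aliases
ftp      21/tcp
ssh      22/tcp
telnet   23/tcp
smtp     25/tcp      mail
finger   79/tcp
pop3     110/tcp     pop-3
ntp      123/udp
"""

INETD_SAMPLE = """\
# service type   proto wait   user   server-program          command
ftp       stream tcp   nowait root   /usr/sbin/in.ftpd       in.ftpd -a
telnet    stream tcp   nowait root   /usr/sbin/in.telnetd    in.telnetd
finger    stream tcp   nowait finger /local/etc/in.fingerd   in.fingerd
cfinger   stream tcp   nowait finger /local/etc/in.cfingerd  in.cfingerd
pop3      stream tcp   nowait root   /local/etc/pop3d        pop3d
"""

# Services whose standard form sends passwords in clear text (assumed list).
CLEARTEXT_AUTH = {"ftp", "telnet", "pop3", "imap", "rsh", "rlogin"}


def _lines(text):
    """Yield non-blank lines with comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_services(text):
    """Return {(name, proto): port}; aliases map to the same port."""
    table = {}
    for line in _lines(text):
        fields = line.split()
        port, proto = fields[1].split("/")
        for name in (fields[0], *fields[2:]):
            table[(name, proto)] = int(port)
    return table


def parse_inetd(text):
    """Return one dict per inetd.conf entry; 'nowait.N' carries a per-minute limit."""
    entries = []
    for line in _lines(text):
        f = line.split()
        if len(f) < 6:
            continue                      # malformed: inetd itself would log and skip it
        wait, _, limit = f[3].partition(".")
        entries.append({"service": f[0], "type": f[1], "proto": f[2], "wait": wait,
                        "max_per_min": int(limit) if limit else None,
                        "user": f[4], "program": f[5], "args": f[6:]})
    return entries


def audit(services_text, inetd_text):
    """Return (severity, service, message) findings for the inetd configuration."""
    services = parse_services(services_text)
    findings = []
    for e in parse_inetd(inetd_text):
        name, proto = e["service"], e["proto"]
        if (name, proto) not in services:
            findings.append(("error", name, f"no {proto} entry in /etc/services; inetd cannot bind it"))
        if e["user"] == "root":
            findings.append(("warn", name, f"{e['program']} runs as root; use an unprivileged user if it can"))
        if name in CLEARTEXT_AUTH:
            findings.append(("warn", name, "passwords cross the network in clear text"))
        if e["wait"] == "nowait" and e["max_per_min"] is None:
            findings.append(("info", name, "no nowait.N rate limit; inetd's default applies"))
        if os.path.basename(e["program"]) != "tcpd" and e["program"] != "internal":
            findings.append(("info", name, "not wrapped by tcpd; access control is left to the daemon"))
    return findings


if __name__ == "__main__":
    for severity, service, message in audit(SERVICES_SAMPLE, INETD_SAMPLE):
        print(f"{severity:5s} {service:8s} {message}")
```

On the samples the audit reports cfinger as unregistered (inetd would refuse to bind it), three daemons running as root, and three clear-text password services; substitute the contents of the live files to get the same report for a real host.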
9.4.4 Binding to sockets

When a daemon is started, it creates a listening socket, or port, with a specific port number, which then gets 'bound' to the host running the service concerned. The act of binding a socket to a host's IP address identifies a fixed port service with that host. This has a specific consequence: it is only possible to bind a socket port to an address once. If we try to start another daemon, we will often see the error message

host: Couldn't bind to socket
bind: Address already in use

This means that another daemon is already running. This error can occur if two copies of inetd are started, or if we try to start a daemon twice, or indeed if we try to place a service in inetd and start a daemon at the same time. The error can also occur within a finite time-window after a service has crashed, because the kernel keeps the service's recently closed connections in the TIME_WAIT state for a while, but the problem should right itself within a few minutes.1
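The following Python script (an added example, not from the book) reproduces both situations with real sockets on the loopback interface, using kernel-chosen ports so that it runs offline: two listeners on one port, and a restart after the server has closed a connection, which leaves a TIME_WAIT entry holding the port. The outcomes described in the comments are Linux behaviour, and the function names are my own.

```python
#!/usr/bin/env python3
"""Reproduce 'bind: Address already in use' on the loopback interface.

Added example, not from the book.  Real sockets are bound on 127.0.0.1 with
kernel-chosen ports, so the script runs offline; the comments describe Linux.
"""
import errno
import socket


def _try_bind(port, reuse):
    """Bind a fresh TCP socket to 127.0.0.1:port; return 'bound' or the errno name."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if reuse:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("127.0.0.1", port))
        return "bound"
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        s.close()


def bind_twice(reuse):
    """Two daemons on one port (e.g. inetd plus a stand-alone copy): the second bind fails.

    While a listening socket holds the port this fails on Linux even when both
    sockets set SO_REUSEADDR; the option does not let two servers share a port.
    """
    first = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if reuse:
        first.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    first.bind(("127.0.0.1", 0))            # port 0: the kernel picks a free port
    first.listen(1)
    port = first.getsockname()[1]
    try:
        return _try_bind(port, reuse)
    finally:
        first.close()


def restart_after_crash(new_reuse, old_reuse=True):
    """A server serves one connection, closes it first, then dies; then we restart it.

    The server-side close leaves the connection in TIME_WAIT, which keeps the
    port busy for roughly a minute.  Rebinding succeeds only if the new socket
    sets SO_REUSEADDR (the footnote's point); Linux also requires that the old
    server had set it, which is why old_reuse defaults to True.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if old_reuse:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    cli = socket.create_connection(("127.0.0.1", port))
    conn, _peer = srv.accept()
    conn.close()        # server closes first: its end of the connection goes to TIME_WAIT
    cli.close()
    srv.close()         # the "crash": listener gone, TIME_WAIT entry remains
    return _try_bind(port, new_reuse)


if __name__ == "__main__":
    print("second listener, no SO_REUSEADDR :", bind_twice(False))
    print("second listener, SO_REUSEADDR    :", bind_twice(True))
    print("restart without SO_REUSEADDR     :", restart_after_crash(False))
    print("restart with SO_REUSEADDR        :", restart_after_crash(True))
```

The first two lines print EADDRINUSE, the third prints EADDRINUSE and the last prints bound: SO_REUSEADDR lets a restarted daemon reclaim a port that its own dead connections still occupy, but it never lets a second live daemon take a port from the first.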
9.4.5 TCP wrapper security

One of the problems with inetd is that it accepts connections from any host and passes them to the services registered in its configuration file without question. In today's network climate this is a dangerous step, and it is usually desirable to limit the availability of certain services. For instance, services which are purely local (like RPC) should never be left open so that outside users could try to exploit them. In short, services should only be made available to those who need them. If they are left open to those who do not need them, we invite attacks on the system. TCP wrappers is a solution to this problem (the original package handles IPv4 only; most operating systems now ship an IPv6-capable version). In short, it gives us the possibility of adding Access Control Lists (ACLs) to network services. TCP wrappers exists in two forms: as the tcpd daemon, and as a library, libwrap.a, which stand-alone programs can link to. Services which are not
1 Most network services set the SO_REUSEADDR socket option so that they can restart immediately and do not have to wait for TIME_WAIT to time out.
explicitly compiled with the library can use the daemon as a wrapper, if the services can be started from inetd: the inetd entry names tcpd as the program to run, and tcpd expects to find the daemons it proxies for in a special directory. It requires two configuration files, one which grants access to services and one which denies access. If services are not listed explicitly, TCP wrappers does nothing to prevent connection. The file to allow access to a service overrides the file to deny access, thus one normally denies access to all services as a default measure and opens specific services one by one (see below). The hosts.allow file contains the names of daemons followed by a list of hosts or IP addresses, or domains or network prefixes. The word LOCAL matches any host which has an unqualified host name (no domain ending). A pattern beginning with a dot matches every host whose name ends in that domain; a bare domain.tld would match only a host called exactly that. If we are opening a service to our local domain, it is often necessary to have both the domain suffix and the word LOCAL, since different operating systems employ different name services in different ways.

# hosts.allow
in.fingerd:  .domain.tld LOCAL
in.cfingerd: .domain.tld LOCAL

The TCP wrapper service works mainly for plain TCP streams, but in some operating systems (notably GNU/Linux) RPC services can also be placed under its umbrella. The portmapper and NFS mount daemons are also subject to TCP wrapper access controls. Note that we have to use IP addresses for these: hostnames are not accepted, because the portmapper does not perform name lookups.

Apart from those explicitly mentioned above, all other services are denied access like this in /etc/hosts.deny:

ALL: ALL
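As an added illustration (not from the book, and not the tcpd source), the following Python function evaluates a request against hosts.allow and hosts.deny the way hosts_access(5) describes: hosts.allow is searched first, the first matching rule wins, then hosts.deny, and a request that matches neither file is allowed. The sample files, daemon names and client identities are constructed; prefix-length notation in net/mask patterns is handled as a convenience beyond the original dotted-mask form.

```python
#!/usr/bin/env python3
"""Evaluate TCP wrapper access control (hosts.allow / hosts.deny) for a request.

Added example, not from the book and not the tcpd implementation.  Rules per
hosts_access(5): hosts.allow first, first matching rule wins; then hosts.deny;
a request matching neither file is allowed.  Sample files are constructed.
"""
import ipaddress

HOSTS_ALLOW = """\
# daemon_list : client_list
in.fingerd  : .domain.tld LOCAL
in.cfingerd : .domain.tld LOCAL
sshd        : 192.0.2.0/255.255.255.0 EXCEPT 192.0.2.11
"""

HOSTS_DENY = """\
ALL : ALL
"""


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns)] from a hosts.allow/hosts.deny text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                          # malformed rule: tcpd logs it and moves on
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def _match_host(pattern, host, ip):
    """Client patterns: ALL, LOCAL, .suffix, prefix., net/mask, or a literal name/address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in host                # unqualified host name only
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host.endswith(pattern)         # hosts *in* the domain, not the domain itself
    if pattern.endswith("."):
        return ip.startswith(pattern)         # address prefix such as 192.0.2.
    if "/" in pattern:
        net, mask = pattern.split("/", 1)     # dotted mask (original) or prefix length (extension)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern == host or pattern == ip


def _match_list(patterns, host, ip):
    """Match a client list, honouring 'list EXCEPT list' (the right side may nest)."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return _match_list(patterns[:i], host, ip) and not _match_list(patterns[i + 1:], host, ip)
    return any(_match_host(p, host, ip) for p in patterns)


def _match_daemon(patterns, daemon):
    """Daemon list: ALL or process names, with the same EXCEPT operator."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return _match_daemon(patterns[:i], daemon) and not _match_daemon(patterns[i + 1:], daemon)
    return any(p == "ALL" or p == daemon for p in patterns)


def hosts_access(daemon, host, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return ('allow'|'deny', rule) as tcpd would decide for this request."""
    host = host.lower()
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients in parse_rules(text):
            if _match_daemon(daemons, daemon) and _match_list(clients, host, ip):
                return verdict, f"{' '.join(daemons)} : {' '.join(clients)}"
    return "allow", "no rule matched (tcpd default)"


if __name__ == "__main__":
    for req in (("in.fingerd", "pc1.domain.tld", "192.0.2.5"), ("in.fingerd", "pc1", "192.0.2.5"),
                ("in.fingerd", "evil.example.net", "198.51.100.7"), ("sshd", "pc11.domain.tld", "192.0.2.11"),
                ("sshd", "pc20.domain.tld", "192.0.2.20"), ("in.telnetd", "pc1.domain.tld", "192.0.2.5")):
        print(f"{req[0]:12s} {req[1]:18s} {req[2]:14s} -> {hosts_access(*req)}")
```

The last assertion below is the trap mentioned in the text: with a bare domain.tld in hosts.allow, a host inside the domain falls through to ALL: ALL and is refused, which is easy to misread as a name-service problem.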
9.5 Setting up the DNS nameservice

The Domain Name System (DNS) is that most important of Internet services which converts host names, such as host.domain.tld, into IP addresses, such as 192.0.2.10, and vice versa. If a host name includes its complete domain name, it is said to be a Fully Qualified Host Name (FQHN). In the Unix world, the most popular implementation of the DNS client and server is called the Berkeley Internet Name Domain (BIND). The DNS client is called the 'resolver', and the DNS server is called the 'name server'.

Establishing a name service is not difficult, but BIND is complex and we shall only skim the surface in this book. More detailed accounts of DNS configuration can be found in refs. [7, 223]. A tool for managing domain naming and electronic mail has been described in ref. [267].

9.5.1 Master and slave servers

Each domain which is responsible for its own host registration requires at least one master name server. A master name server is a name server whose data lie in authoritative source files on the server host, maintained by a local system administrator. A domain can also have a number of slave name servers which mirror the master data. A slave name server does not use source-file data, but downloads its data second-hand from a master server at regular intervals (a zone transfer); its answers for the zone are nevertheless authoritative. The purpose of a slave name server is to function as a backup to the master server, or to spread the load of serving all the hosts in the domain. The only difference in setting up master and slave servers is one word in a configuration file and the location of the name data.

In practice, master and slave servers are identical as seen from the outside. The only difference is in the source of the data: a master (primary) server knows that it should propagate changes to all slave servers, while a slave (secondary) server knows that it should accept updates.

The name server daemon is started once by root, since the DNS port is a privileged port; it should then drop to an unprivileged user, which is what named's -u option does. In order to function, the daemon needs to be told about its status within the DNS hierarchy and it needs to be told where to find the files of domain data. This requires us to set up a number of configuration files. The files can seem cryptic at first, but they are easy to maintain once we have a working configuration.

9.5.2 File structure on the master

Since the mapping of (even fully qualified) hostnames to IP addresses is not one-to-one (a host can have several aliases and a single hostname can point to multiple IP addresses), the DNS database needs information about conversion both from FQHN to IP address and the other way around. That requires two sets of data. To set up a master name server, we need to complete a checklist.

• We need to make a directory in our local or site-dependent files where the DNS domain data can be installed, called for instance dns or named, and change to this directory.

• We then make subdirectories master and slave for master and slave data. We might not need both on the same host, but some servers can be master servers for one zone and slave servers for another zone. We shall only refer to the master data in this book, but we might want to add slave servers later, for whatever reason. Slave data are cached files which can be placed in this directory.
• Assuming that our domain name is domain.tld, we create a file master/domain.tld. We shall worry about its contents shortly. This file will contain data for converting names into addresses.

• Now we need files which will perform the reverse translation. It is convenient, but not essential, to keep different subnet addresses separate, for clarity. This is easy if we have a netmask which gives the subnets in our domain easily separable addresses. The domain iu.hio.no, for instance, has the networks 128.39.89.0, 128.39.73.0 and 128.39.74.0, the last of which includes 128.39.75.*. So we would create files master/rev.128.39.89, master/rev.128.39.73 etc., one for each network. These files will contain data for converting addresses into 'canonical' names, or official hostnames (as opposed to aliases). We shall call these network files generically master/subnet. Of course, we can call any of the files anything we like, since the filenames must be declared in the configuration boot file.

• Dealing with the Unix loopback address requires some special attention. We handle this by creating a file for the loopback pseudo-network, master/rev.127.0.0.

• Create a cache file named.cache which will contain the names of the Internet's root name servers.

• Create a configuration file named.conf. We shall later link or synchronize this file to /etc/named.conf, where the daemon expects to find it. We place it here, however, so that it doesn't get lost or destroyed if we should choose to upgrade or reinstall the operating system.

At this stage one should have the following directory structure in site-dependent files:
9.5.3 Sample named.conf for BIND 9.x

Using current BIND software, the file looks something like this:

options
{
        directory "/local/site/dns";
        check-names master ignore;
        check-names response ignore;
        check-names slave warn;
        named-xfer "/local/site/bind/bin/named-xfer"; /* Location of daemon (BIND 8 only; BIND 9 warns that the option is obsolete and ignores it) */
        // ... further options omitted ...
};

acl trustedhosts
{
        ! 192.0.2.11;   // Not this host!
        192.0.2.0/24;   // Net with 24-bit netmask set, i.e. 255.255.255.0
};

// ... in the options or zone statement: ...
        allow-transfer  // Allows ls domain.tld in nslookup
        {
                trustedhosts;   // Access Control List defined above
        };
};

// dns.domain.tld server options
Note the allow-transfer statement, which controls who may obtain a dump of the whole zone (what a user of nslookup gets with the 'ls' command in the nslookup shell, or dig with the AXFR query type). A zone transfer hands the requester a complete inventory of the domain's hosts, so it should be granted only to the slave servers and other trusted hosts; set it explicitly rather than relying on the server's default. BIND allows ACLs to control access to these data. In the example we have created an ACL alias for all of the trusted hosts on our network. The ACLs use an increasingly popular, if somewhat obscure, notation for groups of IP addresses. The 'slash' notation represents all of the hosts on a subnet: the number after the slash is the count of leading bits that are fixed (the network part), so 192.0.2.0/24 is the same range as 192.0.2.0 with netmask 255.255.255.0. Entries are tried in order and the first match decides, which is why the negated host must come before the network that contains it. In order to fully
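As an added example (not from the book and not BIND's own code), the following Python snippet evaluates an address match list the way named does for allow-transfer: entries in order, first match decides, a leading '!' denies, and no match denies. The acl names and client addresses are constructed to mirror the fragment above, plus a deliberately mis-ordered copy of the same entries to show why the negated host has to precede the network that contains it.

```python
#!/usr/bin/env python3
"""Evaluate a BIND address match list as named does for allow-transfer.

Added example, not from the book and not BIND's code.  Semantics modelled:
entries are tried in order and the first one containing the client decides;
a leading '!' turns that decision into a denial; no match is a denial; an
entry may be a prefix, a plain address, the built-ins any/none, or the name
of another acl (whose negated matches count as "no match" at the outer level).
"""
import ipaddress

# Constructed acl definitions mirroring the fragment above, plus a
# deliberately mis-ordered copy of the same entries.
ACLS = {
    "trustedhosts": ["!192.0.2.11", "192.0.2.0/24"],   # exclusion before the net: correct
    "backwards":    ["192.0.2.0/24", "!192.0.2.11"],   # net first: the exclusion never fires
}


def match_aml(entries, client, acls=ACLS):
    """True = matched positively, False = matched a negated entry, None = no match."""
    addr = ipaddress.ip_address(client)
    for entry in entries:
        entry = entry.strip().rstrip(";").strip()
        negate = entry.startswith("!")
        target = entry.lstrip("!").strip()
        if target == "any":
            hit = True
        elif target == "none":
            hit = False
        elif target in acls:
            hit = match_aml(acls[target], client, acls) is True   # nested negation is "no match"
        else:
            hit = addr in ipaddress.ip_network(target, strict=False)
        if hit:
            return not negate                                      # first match decides
    return None


def allow_transfer(aml, requester, acls=ACLS):
    """named grants the AXFR only on a positive match; anything else is refused."""
    return match_aml(aml, requester, acls) is True


if __name__ == "__main__":
    weak = ["any"]                    # allow-transfer { any; };          whole zone to anyone
    fixed = ["trustedhosts"]          # allow-transfer { trustedhosts; }; as in the sample file
    for who in ("192.0.2.20", "192.0.2.11", "198.51.100.1"):
        print(f"{who:14s} weak={allow_transfer(weak, who)!s:5s} fixed={allow_transfer(fixed, who)!s:5s} "
              f"backwards={allow_transfer(['backwards'], who)}")
```

Run it and the 'backwards' column shows the mistake the ordering rule guards against: with the network listed first, 192.0.2.11 matches the network before its exclusion is ever reached, and the excluded host can pull the zone.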