Linux Networking Cookbook

dinotrac writes "Somebody special is coming over for dinner. You're not a chef, but you can cook well enough to get by, so you grab your best cookbook and get to work. That's the idea behind O'Reilly's Linux Networking Cookbook, by Carla Schroder. Carla has gathered a group of networking recipes that a reasonably Linux-savvy reader can use to address network needs like a seasoned sysadmin. If you want to find out how to hook your Linux workstation to a LAN, get another book. If you are reasonably comfortable with Linux, need to set up an LDAP server, configure single sign-on with Samba for a mixed Linux/Windows LAN, set up a VPN, or troubleshoot network problems without some uppity online geek telling you to RTFM, this book may be what you're looking for." Read below for the rest of Dean's review. Linux Networking Cookbook author Carla Schroder pages 638 publisher O'Reilly rating 9 reviewer Dean R. Pannell ISBN 0596102488 summary The perfect tool when you need to be a network sysadmin but aren't One of the great strengths and weaknesses of Linux is that everything you could possibly need to know is already on your computer in the form of man pages, or out on the internet in newsgroups, forums, or a massive autumn's leaf-pile of how-tos. Finding what you need in a form that you can use is sometimes a bigger problem than the problem you're trying to solve.

The Linux Networking Cookbook improves on that situation in a couple of ways. First is the author herself. Carla is an experienced System Administrator and a good technical writer. She was one of the early Linuxchix, and has spent years mentoring and otherwise helping new and experienced Linux folk through their assorted dilemmas. The result is a friendly and direct, information-packed and ego-free writing style. Unlike the typical how-to that provides a list of steps that have worked for the author, Carla's discussions fill in the blanks and tell you why she takes the steps that she does.

The Cookbook is organized into an introduction followed by 18 chapters that are complete stand-alone solutions to specific problems.

The obligatory introduction is short and is not required by any of the solutions in the book, but it's worth reading. Its' eleven pages read quickly, but contain, among other things, a good explanation of the difference between bandwidth and latency and a decent overview of the whys and whens of linux-based computers as routers versus mid-range and high-end commercial routers.

Each chapter begins with an introduction of the overall topic, Routing with Linux, for example, followed by a series of short recipes organized as problem-solution-discussion. This format is convenient for diving right into work and takes advantage Carla's mentoring talents.

One problem facing any writer of Linux books is the sheer number of Linux distributions, many of which have their own distinct ways of doing things. The Linux Networking Cookbook provides solutions for both Debian and Fedora Linux. It's an excellent choice when you consider that most Linuxes derive from one of those two bases, including all of the *buntus, Knoppix, Mandriva, PCLinuxOS, CentOS, and many more. The recipes employ generic tools, which makes them easier to transport across distributions, even the SuSEs, which are based on neither Debian nor Red Hat.

For example, before obtaining The Cookbook, I needed to create a self-signed SSL certificate for a PostgreSQL server on an Ubuntu server. I'd done it a few times, but not enough to remember, so I went off to the net. The Ubuntu-themed How-To I found relied on a script called apache2-ssl-certificate. An apache script didn't bother me because I could move the pieces when I was done, or just break open the script and make it do what I wanted done. Ubuntu Feisty, however, had managed to leave the script out of the distribution, so I had to go back to the net to find an alternative approach.

Had I used The Cookboock, my task would have been simpler, though not quite as easy as it should be. Inexplicably for a book that includes network security and SSL-based VPNs, there is no entry for SSL Certificate in the index. A browse through the table of contents turns up a couple of recipes for Creating SSL-Keys for a Syslog-ng Server: one for Debian and one for Fedora. Fortunately, the Table of Contents is short and can be browsed completely in seconds, because those recipes are in the Troubleshooting Networks chapter, which is not intuitively obvious. They appear in that chapter because it contains the recipes for network monitoring, which includes installation of Syslog-ng.

The recipe itself is suitably generic, using the CA.sh script, which is part of openssl, and openssl itself to generate keys and certificates. A quick check of my Ubuntu servers, my Fedora VPS server, and my OpenSuSE workstation found CA.sh on all of them.

My OpenSuSE machine did throw one small curve:

CA.sh on my openSUSE box was located in /usr/lib/ssl/misc, as on the other boxes. However, the book tells us that CA.sh, and a moderately competent Linux user is likely to know that rpm -ql openssl will list all of the files in the openssl package or that rpm-ql openssl | grep CA.sh will spit out the location of the script.

Given the variety of Linux distributions, it is hard to imagine a better approach to take.

The Glossary of Networking Terms in Appendix B deserves special mention. Each term is explained in plain but precise language that goes beyond the cursory definitions so common in glossaries. For example, the explanation for WEP notes that it is very weak protection and urges the reader to use WPA/WPA2 instead.

Sometimes, the extra information can soften a definition's focus, but, overall, the glossary is an outstanding tool for anyone who doesn't spend his or her time knee-deep in subnet definitions, routers, and tcp dumps. The same is true of the book.

As is usual for O'Reilly, updates, errata, and scripts from the book are available on the web.

You can purchase Linux Networking Cookbook from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

RPM knowledge

[morgan_greywolf]

CA.sh on my openSUSE box was located in /usr/lib/ssl/misc, as on the other boxes. However, the book tells us that CA.sh, and a moderately competent Linux user is likely to know that rpm -ql openssl will list all of the files in the openssl package or that rpm-ql openssl | grep CA.sh will spit out the location of the script.

Ignoring the fact that this has got to be one of the most awkwardly-written English sentences in the entire history of the language, *ahem*, I would say "Yes". If you use OpenSuSE (or any other RPM-based distro) and are moderately competent, then you should know how to query the RPM database to get such information. If you didn't, you don't qualify as 'moderately competent', and definitely don't fit the target audience for Linux Networking Cookbook.

Re:RPM knowledge

Of course its awkward, its Linux. That's still the problem with the adoption of linux (myself included) is the fact that they have shorthands/acronyms for EVERY command (why can't they have a long word list and a shorthand?!).

How annoying is it that every simple task/installation requires you to have to read an online documentation step by step. Other open source projects suffer this same problem. It shouldn't use obscure words to make the programmer sound smart. If it compiles, make a preserved word called compile, not make, not gen, not create (or allow all 4 of these words, as long as you have the first one). This is 2008, disk space is cheap, coding in an extra word list isn't going to expand your program too much. We have no need to save that extra 6 bytes in our compiled code.

Just what the heck is dash bash kash hash slash crash smash mean? If it doesn't sound like what it should be doing, don't use it.

Anonymous obviously cause I don't want to get lynched by the /. crowd for being "OMG You don't use Linux?", I'm no MS/MAC fanboy, I just hate having to read an hour for each application I want to install, then another hour of which commands I have to do to make the program work.

Re:RPM knowledge

[morgan_greywolf]

f course its awkward, its Linux. That's still the problem with the adoption of linux (myself included) is the fact that they have shorthands/acronyms for EVERY command (why can't they have a long word list and a shorthand?!).

Uh, they do.

Look, if it makes you feel any better, Mr. Anonymous Cobol Programmer, you can type 'rpmquery --list openssl'

Re:RPM knowledge

$>give me all files from openssl
That ought to be enough for anybody!

Re:RPM knowledge

[strabes]

I don't think there is one sentence in your entire post that is truthful.

Re:RPM knowledge

[morgan_greywolf]

*sigh*

Try reading manpages sometime.

Sheesh.

Re:RPM knowledge

[ATMD]

Anybody remember HyperTalk?

"go to the next card"
"select the brush tool"
"drag from 5,5 to 10,10"

Those were the days...

Re:RPM knowledge

[turbidostato]

" If you use OpenSuSE (or any other RPM-based distro) and are moderately competent, then you should know how to query the RPM database to get such information. If you didn't, you don't qualify as 'moderately competent'"

If you are moderately competent, and much more on the lines of the book itself (since it seems it tries to be distribution-agnostic) you wouldn't query the RPM database when `find / -type f -name CA.sh -print`, while certainly slowerly, will find the file 100 times out of 100, no matter what the distribution is (it won't even need to be Linux, any unix-like will fit).

On the other hand, I don't see why the heck using the CA.sh script, specially if you are going to use openssl directly for everything else. Being so, why just don't use openssl for everything and avoid the CA.sh script dependency?

Re:RPM knowledge

[styrotech]

$>give me all files from openssl
That ought to be enough for anybody!

The trouble is that computers have terrible telepathy and intuition - they have very black and white personalities. You have to tell them exactly what to do as they are too stupid to work it out for themselves.

What do you mean by "give"? List the filenames? List the filenames and paths? List the contents? Copy the files to you somehow?

What do you mean by "me"? The user account? The shell? The client computer you are on?

What do you mean by "all files"? Does that include hidden files? Should it include directories?

What do you mean by "from openssl"? Is that openssl the package or openssl the project or maybe the user on your system called "openssl"? Should it include files from just that package or from subpackages? Should it include only the files that came in the package, or any data files (eg certs) created with the package?

Re:RPM knowledge

[putaro]

I'm not sure about your comments about the target audience not fitting into the "moderately competent" range. I've been doing systems admin for over 20 years, starting with DEC RSTS/E and going through just about every flavor of Unix. Mostly I do software development, though, and if the boxes in my business are working I don't spend my days messing with them.

Linux is a moving target for competence. Different distributions do things differently and they are all constantly changing. A lot of times I know how to do something - I just don't always know the *right* way to do something. I can build and install packages from the source, fix bugs in the scripts, etc. But then, the next update of the distribution comes along and screws me. So, I wind up spending more time than I would like to trying to figure out what the *right* way to do things is. Or, I know *what* I want to do, but how to do it under Linux is not immediately obvious.

I will probably order a copy of the book because it will be helpful when I have to do a task that I only do once a year or so. I hope they will continue to update it, though, as it will be out of date quite soon.

Re:RPM knowledge

[aproposofwhat]

`find / -type f -name CA.sh -print`

OK, we'll get off your lawn :P

Re:RPM knowledge

[morgan_greywolf]

find / -type f -name CA.sh -print

Old fart who still uses -print, even though in every modern implementation it's implied now. :P

Yeah, it works, but on Linux using the package manager is always much quicker and, after all, that's what its there for. Your method is, however, portable to *BSD and other *nixes.

Being so, why just don't use openssl for everything and avoid the CA.sh script dependency?

Convenience. Remembering all of the steps and switches to create a certificate can be difficult for someone (like me) who doesn't do it very often. I usually have to look it up in the (very well-written) OpenSSL docs.

Re:RPM knowledge

[turbidostato]

"Old fart who still uses -print, even though in every modern implementation it's implied now. :P"

Yes. Firstly I wrote it without the "-print", but then, when I was previewing, I saw I said it would work on any unix-like system so I went for the safe side (I really don't know for sure if, say, HP-Ux or AIX will default to print or still do it the old way).

"Yeah, it works, but on Linux using the package manager is always much quicker"

Well, I explicitly said "find" would work surely but slowerly, so I fart a "-1 redundant" on your general direction. And then, do you really know the syntax to ask the package manager on Debian, Red Hat, Gentoo, Lunar, Arch and, oh my god, Slackware? If you don't, your answer is not a general one (and it is not anyway to find a file not under package management), and if you do, then you probably don't qualify just as "moderately competent".

"Convenience."

Using two tools when you can use just one with more or less the same level of complexity is neither convenient nor "the unix way".

"Remembering all of the steps and switches to create a certificate can be difficult for someone (like me) who doesn't do it very often. I usually have to look it up in the (very well-written) OpenSSL docs."

Me too. But then again, if you do like me and "copy/paste" the recipe from anywhere else, it's just the same copying "CA.sh something" than "openssl something" so depending on two tools (CA.sh and openssl) is still inconvenient and unnecesary.

To Serve Files

[Archangel+Michael]

Its a cookbook!!!!!!!

Re:To Serve Files

[AragornSonOfArathorn]

Goddammit, NO SPOILERS!!!!

asshat...

Re:To Serve Files

[analog_line]

Soylent Green is made from Linux!!!

Re:To Serve Files

[RegTooLate]

No, there is lots of space dust on the book, as you can see the real title is "To Serve Files Beowulf Clusters"

Re:To Serve Files

[jimrob]

Oh look, there's even more dust: "To Serve Files To Beowulf Clusters"

Re:To Serve Files

[harrypelles]

No, are you mad? It's made from people! (Wow... Soylent Green... blast from the past.)

"RTFM"

[bsDaemon]

But, this book *IS* the FM... so, you're just accomplishing the goal of the advice from the IRC line, without giving them the pleasure of being the one to tell you...

This whole article wreaks of preemptive RTFM snobbery.

Re:"RTFM"

[_Sprocket_]

BTFB - buy the f'n book?

Re:"RTFM"

[Talderas]

I have this book, and the summary barely reminded me of the topics contained in it. It starts out with topics that discuss using a Linux server to handle many of the functions that you would frequently have a piece of hardware. Gateway routers, wireless routers, firewall.

Then it goes into using a Linux server for some other services, remote administration, VPNs, Samba and LDAP, Network Monitoring.

Finally it ends with with a chaptor on IPv6, Serial Console management, Linux Dial-Up servers and a chapter on troubleshooting.

Re:"RTFM"

[Sancho]

Does the book touch on the limitations of commodity PC hardware as a router, firewall, etc? Most specifically, the inability to provide line-rate filtering at small packet sizes?

But aren't you doing just that?

[JavaBasedOS]

"... without some uppity online geek telling you to RTFM..."

In essence, you're doing just the 'uppity online geek' is telling you to do. TFM gives you the pieces and expects you to find out how to piece them together, while this just has the convenience of said commands and scripts already pieced together.

Re:But aren't you doing just that?

[KGBear]

Yes, with the "advantage" that you don't really learn anything in the process...

What CA.sh or a moderately competent Linux user kn

[Lengyel]

"However, the book tells us that CA.sh, and a moderately competent Linux user is likely to know that rpm -ql openssl will list all of the files in the openssl package..." What else is CA.sh likely to know?

smbmount

[Toreo+asesino]

Does anyone know if you can mount a Win2k3 partition yet with smbmount without turning off client signing on network?

I last tried this a few years back, but failed because you had to turn off signing for the DCs...kinda stops Linux being able to connect to valuable resources.

Linux as a data-store in a Windows network is pretty awesome though with samba + lvm once configured well.

Re:smbmount

Does anyone know if you can mount a Win2k3 partition yet with smbmount without turning off client signing on network?

I last tried this a few years back, but failed because you had to turn off signing for the DCs...kinda stops Linux being able to connect to valuable resources.

Linux as a data-store in a Windows network is pretty awesome though with samba + lvm once configured well. RTFM

Re:smbmount

[BobMcD]

Mount by ip, rather than by name. E.g. \\192.168.1.102\share, instead of \\server\share...

Re:smbmount

[Broken+Toys]

Good point and oddly enough, that's about the only way you can get MS Vista, XP, and W2K to share resources on a home network.

The only problem is that you have to boot up your computers so that they grab the correct IP addresses via DHCP. Or you use static IP addresses to get around that.

Scheeze, I just want to connect a couple computers. It shouldn't be this difficult.

Re:smbmount

[BobMcD]

DHCP reservations would do the trick, too.

Re:smbmount

[dosle]

I've also had to go this route for OS X systems accessing w2k3 servers/shares using smb://192.168.1.272

works like a charm now

Re:smbmount

[Rutulian]

I believe you are looking for the option,

client use spnego = yes

in your smb.conf file. That at least works for linux clients on our Win2k3 domain.

"some uppity online geek"

[Bryansix]

Is this month "some uppity online geek awareness month"? I've been running into a lot of these lately like they want to make their presence in this world apparent to me somehow.

Re:"some uppity online geek"

[neowolf]

Unfortunately- there are a lot of "uppity online geeks" out there right now. They seem to delight in telling people to RTFM, flagging bug reports as dupes, and sending people on wild goose chases through the Internet. All requiring more effort than simply answering the damn question or throwing out a command line entry.

It's really sad- because it is one of the things that is really holding Linux back. I've been using Linux as a server platform for over a decade, and have been using Desktop Linux for about two years now. I still come across problems I can't find answers to online. Admittedly I'm usually asking the wrong question, or I can't figure out exactly what package or program is causing the problem. If I can't find an answer- I'll post a question or report a bug. Inevitably some "uppity online geek" will post some smart-ass response, instead of actually providing a solution to the problem or pointing me in the right direction. I can't imagine how this looks to someone NEW to Linux who has no idea where to go or what to do.

Re:"some uppity online geek"

[debatem1]

They don't answer because they don't know.

Re:"some uppity online geek"

Is this month "some uppity online geek awareness month"? RTFM and find out yourself.

Re:"some uppity online geek"

[Sancho]

Unfortunately- there are a lot of "uppity online geeks" out there right now. They seem to delight in telling people to RTFM, flagging bug reports as dupes, and sending people on wild goose chases through the Internet. All requiring more effort than simply answering the damn question or throwing out a command line entry. Unfortunately, there are a lot of people out there who can't seem to search bug tracking software for duplicate bugs, can't seem to search Google for answers to their commonly asked questions, and refuse to read the manual for the software they're trying to use. While "uppity online geeks" certainly answer questions when appropriate, if the answer is in a FAQ or easily found elsewhere, repeatedly answering the same questions gets tiresome.

I think that the only thing more frustrating than people asking repeatedly-answered questions is people who ask for help on an uncommon issue, then post a little later with, "Nevermind, I fixed it." Maybe if they included how they fixed it, they would save someone else from having to ask the same damned question.

Re:"some uppity online geek"

You're making this shit up, or exaggerating your experiences into an overly broad generalization.

The only time I've gotten a "smart-ass response" was when I asked a stupid question. Eventually, if you're not too stupid, you learn how to ask smart questions. And that's how you learn even more.

Re:"some uppity online geek"

[Jherek+Carnelian]

if the answer is in a FAQ or easily found elsewhere, repeatedly answering the same questions gets tiresome. Favorite topical quote from over a decade ago:

"I am not your AI interface to the internet."

Re:"some uppity online geek"

[Sancho]

I like that :) I'll have to keep it in mind for the future.

this is ridiculous

[nova.alpha]

Is it just me, or /. frontpage just got abused by "no,really"'s ad? Hate ads :(

Re:this is ridiculous

Is it just me, or /. frontpage just got abused by "no,really"'s ad?
Hate ads :( It's probably just you since most people here us adblock.

Re:What CA.sh or a moderately competent Linux user

[pablomme]

Apparently what both CA.sh and the moderately competent Linux user don't know is that "find / -name CA.sh" is more likely to work on deb-based systems, and less likely to force one to read the rpm manpage to remember what options do what.

Re:What CA.sh or a moderately competent Linux user

[Lengyel]

Neither did the the moderately competent Linux networking book reviewer.

I am an uppity geek

[Weaselmancer]

...you insensitive clod.

Locating CA.sh

[keknehv]

"CA.sh on my openSUSE box was located in /usr/lib/ssl/misc, as on the other boxes. However, the book tells us that CA.sh, and a moderately competent Linux user is likely to know that rpm -ql openssl will list all of the files in the openssl package or that rpm-ql openssl | grep CA.sh will spit out the location of the script."
or, perhaps,
$ locate CA.sh
/etc/ssl/misc/CA.sh

Re:Locating CA.sh

[plus_M]

$ locate CA.sh bash: locate: command not found
Arch.

Re:Locating CA.sh

[plus_M]

Ugh... let's try that again
$ locate CA.sh
bash: locate: command not found

Re:Locating CA.sh

findutils is part of the base even in Arch: http://www.archlinux.org/packages/13285/

Re:Locating CA.sh

Try this

$ locate locate /usr/bin/locate

PS: See? Not all linux users are uppity geeks, some of us are ready to help new users like you.

Re:Locating CA.sh

[goarilla]

try slocate

Re:What CA.sh or a moderately competent Linux user

[mrbooze]

Or hell, just "locate CA.sh" is likely to work on a lot of systems.

Find or locate have the advantage that they'll work even if the package you're looking for wasn't installed via the package manager. (Assuming you are savvy enough with find to prevent it from scavenging off down unnecessary NFS mounts, massive spool directories, and the like.)

Of course my Solaris years left "grep FOO /var/sadm/install/contents" burned into my brain.

Hmm...

Does it tell you how to Shell Korn to get the Kernel?

I couldn't resist. I'm punny.

Re:What CA.sh or a moderately competent Linux user

[pablomme]

My QuickBASIC years left "locate 1,2: print a$" burned into my brain; I can't take UNIX's locate seriously. Wish I could..

Re:What CA.sh knows

[Lengyel]

Wait a minute: "..."find / -name CA.sh" is more likely to work on deb-based systems, and less likely to force one to read the rpm manpage to remember what options do what." Find isn't less likely to work on non-deb-based Linux systems, as far as I know. On the other hand, at least on my distros, I agree that "find / -name CA.sh [-print]" has never "forced" anyone to read the rpm manpage, nor has find ever forced itself upon anyone. Perhaps the license agreement covers this case.

Re:What CA.sh knows

[Sancho]

find is more likely to work than rpm on deb-based systems.

Re:What CA.sh knows

[Lengyel]

Yes, but that's not what the parent wrote.

Re:What CA.sh knows

[Sancho]

Yes, but I have a feeling that it's what the parent meant

Globbing

Surely, if you're globbing by using '*', you should refer to "all of the *buntu", rather than "all of the *buntus" ?

Notwithstanding that, I think that the ordinary English plural of "Ubuntu" is "Ubuntu" anyway, because it is a noun of indefinite quantity.

Another good one

[WindShadow]

I just got the cookbook and "Linux Firewalls" by Michael Rash. Different solutions and problems, but they complement each other.