gleblanc 2000-06-26 18:51:19 +00:00
parent 0b5e3a56c8
commit 2e5f44ace4
4 changed files with 1326 additions and 371 deletions

View File

@ -4,9 +4,9 @@
<article>
<title>Linux AI &amp; Alife HOWTO
<title>GNU/Linux AI &amp; Alife HOWTO
<author>by <htmlurl url="mailto:jae@NOSPAM-zhar.net" name="John Eikenberry">
<date>v1.3, 02 April 2000
<date>v1.4, 23 June 2000
<!-- hhmts start -->
<!-- hhmts end -->
@ -14,7 +14,7 @@
<abstract>
This howto mainly contains information about, and links to,
various AI related software libraries, applications, etc.
that work on the Linux platform. All of it is (at least)
that work on the GNU/Linux platform. All of it is (at least)
free for personal use.
The new master page for this document is
@ -29,22 +29,21 @@ The new master page for this document is
<sect1>Purpose
<p>
The Linux OS has evolved from its origins in hackerdom to a full blown
UNIX, capable of rivaling any commercial UNIX. It now provides an
inexpensive base to build a great workstation. It has shed its
hardware dependencies, having been ported to DEC Alphas, Sparcs,
PowerPCs, with others on the way. This potential speed
boost along with its networking support will make it great for
workstation clusters. As a workstation it allows for all sorts of
research and development, including artificial intelligence and
artificial life.
The GNU/Linux OS has evolved from its origins in hackerdom to a full
blown UNIX, capable of rivaling any commercial UNIX. It now provides
an inexpensive base to build a great workstation. It has shed its
hardware dependencies, having been ported to DEC Alphas, Sparcs,
PowerPCs, and many others. This potential speed boost along with its
networking support will make it great for workstation clusters. As a
workstation it allows for all sorts of research and development,
including artificial intelligence and artificial life.
The purpose of this Mini-Howto is to provide a source to find out
about various software packages, code libraries, and anything else
that will help someone get started working with (and find resources
for) artificial intelligence and artificial life. All done with Linux
specifically in mind.
for) artificial intelligence, artificial life, etc. All done with
GNU/Linux specifically in mind.
<sect1>Where to find this software
@ -79,7 +78,7 @@ a bit of work. So please be patient (I do have other projects). I hope you
will find this document helpful.
<sect1>Copyright/License
<p>
Copyright (c) 1996-2000 John A. Eikenberry
LICENSE
@ -151,6 +150,21 @@ LICENSE
<descrip>
<label id="ACL2">
<tag/ACL2/
<itemize>
<item>Web site: <htmlurl
url="http://ww.telent.net/cliki/ACL2"
name="www.telent.net/cliki/ACL2">
</itemize>
ACL2 (A Computational Logic for Applicative Common Lisp) is a theorem
prover for industrial applications. It is both a mathematical logic and
a system of tools for constructing proofs in the logic. ACL2 works
with GCL (GNU Common Lisp).
<label id="AI Search II">
<tag/AI Search II/
<itemize>
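Review bot: the `url` attribute of the new ACL2 entry reads `http://ww.telent.net/cliki/ACL2` (single `w`) while the `name` attribute says `www.telent.net/cliki/ACL2`; the host in `url` looks like a typo and should match the displayed name.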
@ -223,8 +237,6 @@ LICENSE
</itemize>
<label id="Nyquist">
<tag/Nyquist/
<itemize>
@ -597,8 +609,23 @@ LICENSE
calculator and has an embedded equational programming system.
<label id="NICOLE">
<tag/NICOLE/
<itemize>
<item>Web site: <htmlurl
url="http://nicole.sourceforge.net/"
name="nicole.sourceforge.net">
</itemize>
It is an attempt to simulate a conversation by learning how words are
related to other words. A Human communicates with NICOLE via the
keyboard and NICOLE responds back with its own sentences which are
automatically generated, based on what NICOLE has stored in it's
database. Each new sentence that has been typed in, and NICOLE doesn't
know about it, it is included into NICOLE's database, thus extending
the knowledge base of NICOLE.
<label id="PVS">
<tag/PVS/
<itemize>
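Review bot: in the NICOLE description, "stored in it's database" should be "stored in its database", and the last sentence ("Each new sentence that has been typed in, and NICOLE doesn't know about it, it is included into NICOLE's database") has a dangling clause; something like "Each new sentence typed in that NICOLE does not yet know is added to its database" would read cleanly.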
@ -788,6 +815,15 @@ LICENSE
has limited support for second order models (probability
distributions on parameters).
<label id="bpnn.py">
<tag/bpnn.py/
<itemize>
<item>Web site: <htmlurl
url="http://www.enme.ucalgary.ca/~nascheme/python/"
name="www.enme.ucalgary.ca/~nascheme/python/">
</itemize>
A simple back-propogation ANN in Python.
<label id="CONICAL">
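Review bot: "back-propogation" in the bpnn.py description should be "back-propagation".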
@ -2142,6 +2178,24 @@ LICENSE
</itemize>
<label id="Cyphesis">
<tag/Cyphesis/
<itemize>
<item>Web site: <htmlurl
url="http://www.worldforge.org/website/servers/cyphesis/"
name="www.worldforge.org/website/servers/cyphesis/">
</itemize>
Cyphesis will be the AI Engine, or more plainly, the intelligence
behind Worldforge (WF). Cyphesis will aims to achieve 'live'
virtual worlds. Animals will have young, prey on each other and
eventually die. Plants grow, flower, bear fruit and even die just
as they do in real life. When completed, NPCs in Cyphesis will do
all sorts of interesting things like attempt to acomplish
ever-changing goals that NPCs set for themselves, gossip to PCs and
other NPCs, live, die and raise children. Cyphesis aims to make
NPCs act just like you and me.
<label id="dblife-dblifelib">
<tag/dblife &amp; dblifelib/
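Review bot: two wording slips in the Cyphesis paragraph: "Cyphesis will aims to achieve" should be either "will aim to" or "aims to", and "acomplish" should be "accomplish".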
@ -2181,6 +2235,25 @@ LICENSE
framework, but Drone can be used with any simulation program that
reads parameters from the command line or from an input file.
<label id="EBISS">
<tag/EBISS/
<itemize>
<item>Web site: <htmlurl url="http://www.ebiss.org/english/"
name="www.ebiss.org/english/">
</itemize>
EBISS is a multi-disciplinary, open, collaborative project aimed
at investigating social problems by means of computational
modeling and social simulations. During the past four years we
have been developing SARA, a multi-agent gaming simulation
platform providing for easy construction of simulations and gamings.
We believe that in order to have a break-through in the difficult
task of understanding real-world complex social
problems, we need to gather researchers and experts with different
backgrounds not only in discussion forums, but in a
tighter cooperative task of building and sharing common
experimental platforms.
<label id="EcoLab">
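Review bot: the EBISS description is written in the first person ("During the past four years we have been developing SARA", "We believe that ..."), which reads oddly in a third-person catalogue where "we" otherwise means the HOWTO's author; either mark it as quoted from the project or rephrase it in the third person as the neighbouring entries are.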
@ -2526,6 +2599,25 @@ name="theory.org/software/ant/">
supports J-AAPI.
<label id="A.L.I.C.E.">
<tag/A.L.I.C.E./
<itemize>
<item>Web site: <htmlurl
url="http://www.alicebot.org/"
name="www.alicebot.org">
</itemize>
The ALICE software implements AIML (Artificial Intelligence Markup
Language), a non-standard evolving markup language for creating chat
robots. The primary design feature of AIML is minimalism. Compared with
other chat robot languages, AIML is perhaps the simplest. The pattern
matching language is very simple, for example permitting only one
wild-card ('*') match character per pattern. AIML is an XML language,
implying that it obeys certain grammatical meta-rules. The choice of
XML syntax permits integration with other tools such as XML editors.
Another motivation for XML is its familiar look and feel, especially to
people with HTML experience.
<label id="Ara">
<tag/Ara/
@ -2561,6 +2653,43 @@ name="theory.org/software/ant/">
developers to build flexible open distributed systems that make optimal
use of existing applications.
<label id="Bots">
<tag/Bots/
<itemize>
<item>Web site: <htmlurl
url="http://utenti.tripod.it/Claudio1977/bots.html"
name="utenti.tripod.it/Claudio1977/bots.html">
</itemize>
Another AI-robot battle simulation. Utilizing probablistic logic as a
machine learning technique. Written in C++ (with C++ bots).
<label id="Cadaver">
<tag/Cadaver/
<itemize>
<item>Web site: <htmlurl
url="http://www.erikyyy.de/cadaver/"
name="www.erikyyy.de/cadaver/">
</itemize>
Cadaver is a simulated world of cyborgs and nature in realtime. The
battlefield consists of forests, grain, water, grass, carcass (of
course) and lots of other things. The game server manages the game and
the rules. You start a server and connect some clients. The clients
communicate with the server using a very primitive protocol. They can
order cyborgs to harvest grain, attack enemies or cut forest. The game
is not intended to be played by humans! There is too much to control.
Only for die-hards: Just telnet to the server and you can enter
commands by hand. Instead the idea is that you write artificial
intelligence clients to beat the other artificial intelligences. You
can choose a language (and operating system) of your choice to do that
task. It is enough to write a program that communicates on standard
input and standard output channels. Then you can use programs like
"socket" to connect your clients to the server. It is NOT needed to
write TCP/IP code, although i did so :) The battle shall not be boring,
and so there is the so called spyboss client that displays the action
graphically on screen.
<label id="Dunce">
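Review bot: "probablistic logic" in the Bots entry should be "probabilistic logic", and the Bots text is two sentence fragments ("Another AI-robot battle simulation. Utilizing probablistic logic ...") that would read better joined. In the Cadaver paragraph the lowercase "although i did so :)" should be "I".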
@ -2843,6 +2972,18 @@ name="members.home.net/marcush/IRS/">
algorithm. It is mainly oriented toward to researchers studying autonomous
agents.
<label id="lyntin">
<tag/lyntin/
<itemize>
<item>Web site: <htmlurl
url="http://lyntin.sourceforge.net/"
name="lyntin.sourceforge.net/">
</itemize>
Lyntin is an extensible Mud client and framework for the creation of
autonomous agents, or bots, as well as mudding in general. Lyntin is
centered around Python, a dynamic, object-oriented, and fun programming
language and based on TinTin++ a lovely mud client.
<label id="Mole">
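Review bot: the lyntin entry's `name` attribute keeps a trailing slash (`lyntin.sourceforge.net/`) where the other new entries in this patch drop it (for example `nicole.sourceforge.net`); also "based on TinTin++ a lovely mud client" wants a comma after "TinTin++".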
@ -3214,6 +3355,25 @@ name="members.home.net/marcush/IRS/">
generally considered to be one of the better lisp platforms.
<label id="APRIL">
<tag/APRIL/
<itemize>
<item>Web site: <htmlurl
url="http://sourceforge.net/project/?group_id=3173"
name="sourceforge.net/project/?group_id=3173">
</itemize>
APRIL is a symbolic programming language that is designed for writing
mobile, distributed and agent-based systems especially in an Internet
environment. It has advanced features such as a macro sub-language,
asynchronous message sending and receiving, code mobility, pattern
matching, higher-order functions and strong typing. The language is
compiled to byte-code which is then interpreted by the APRIL
runtime-engine. APRIL now requires the InterAgent Communications Model
(ICM) to be installed before it can be installed. [Ed. ICM can be found
at the same web site]
<label id="B-Prolog">
<tag/B-Prolog/
<itemize>
@ -3359,12 +3519,19 @@ name="members.home.net/marcush/IRS/">
<label id="CLisp">
<tag/CLisp (Lisp)/
<itemize>
<item>FTP site: <htmlurl url="ftp://sunsite.unc.edu/pub/Linux/devel/lang/lisp/" name="sunsite.unc.edu/pub/Linux/devel/lang/lisp/">
<item>Web page: <htmlurl
url="http://clisp.sourceforge.net/"
name="clisp.sourceforge.net">
<item>FTP site: <htmlurl
url="ftp://clisp.cons.org/pub/lisp/clisp/source/"
name="clisp.cons.org/pub/lisp/clisp/source">
</itemize>
CLISP is a Common Lisp implementation by Bruno Haible and Michael
Stoll. It mostly supports the Lisp described by
<htmlurl url="http://www.cs.cmu.edu/afs/cs.cmu.edu/project/ai-repository/ai/html/cltl/clm/clm.html" name="Common LISP: The Language (2nd edition)">
<htmlurl
url="http://www.cs.cmu.edu/afs/cs.cmu.edu/project/ai-repository/ai/html/cltl/cltl2.html"
name="Common LISP: The Language (2nd edition)">
and the ANSI Common Lisp
standard. CLISP includes an interpreter, a byte-compiler, a large
subset of CLOS (Object-Oriented Lisp) , a foreign language interface
@ -3376,14 +3543,21 @@ name="members.home.net/marcush/IRS/">
CLISP needs only 2 MB of memory.
<label id="CMU CL">
<tag/CMU Common Lisp/
<itemize>
<item>Web page: <htmlurl url="http://www.mv.com/users/pw/lisp/index.html" name="www.mv.com/users/pw/lisp/index.html">
<item>FTP site: <htmlurl url="ftp://sunsite.unc.edu/pub/Linux/devel/lang/lisp/" name="sunsite.unc.edu/pub/Linux/devel/lang/lisp/">
<item>Linux Installation: <htmlurl url="http://www.telent.net/lisp/howto.html" name="www.telent.net/lisp/howto.html">
<item>Web page: <htmlurl
url="http://www.cons.org/cmucl/"
name="www.cons.org/cmucl/">
<item>Old Web page: <htmlurl
url="http://www.mv.com/users/pw/lisp/index.html"
name="www.mv.com/users/pw/lisp/index.html">
<item>FTP site: <htmlurl
url="ftp://ftp2.cons.org/pub/languages/lisp/cmucl/release/"
name="ftp2.cons.org/pub/languages/lisp/cmucl/release/">
<item>Linux Installation: <htmlurl
url="http://www.telent.net/lisp/howto.html"
name="www.telent.net/lisp/howto.html">
</itemize>
@ -3399,7 +3573,9 @@ name="members.home.net/marcush/IRS/">
<label id="Gnu-CL">
<tag/GCL (Lisp)/
<itemize>
<item>FTP site: <htmlurl url="ftp://sunsite.unc.edu/pub/Linux/devel/lang/lisp/" name="sunsite.unc.edu/pub/Linux/devel/lang/lisp/">
<item>FTP site: <htmlurl
url="ftp://ftp.ma.utexas.edu/pub/gcl/"
name="ftp.ma.utexas.edu/pub/gcl/">
</itemize>
@ -3545,8 +3721,12 @@ name="members.home.net/marcush/IRS/">
<label id="RScheme">
<tag/RScheme/
<itemize>
<item>Web site:<htmlurl url="http://www.rosette.com/&tilde;donovan/rs/rscheme.html" name="www.rosette.com/&tilde;donovan/rs/rscheme.html">
<item>FTP site: <htmlurl url="ftp://ftp.rosette.com/pub/rscheme/" name="ftp.rosette.com/pub/rscheme">
<item>Web site:<htmlurl
url="http://www.rscheme.org/"
name="www.rscheme.org">
<item>FTP site: <htmlurl
url="ftp://ftp.rscheme.org/pub/rscheme/"
name="ftp.rscheme.org/pub/rscheme/">
</itemize>
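Review bot: the RScheme "Web site:" item is still missing the space before `<htmlurl` (`<item>Web site:<htmlurl`), which was already wrong in the old line and is carried over unchanged; every other entry in this file uses `Web site: <htmlurl`.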

View File

@ -5,8 +5,8 @@
<!-- Title information -->
<title>Chroot-BIND HOWTO
<author>Scott Wunsch, <tt/scott at wunsch.org/
<date>v1.0, 13 March 2000
<author>Scott Wunsch, <tt>scott at wunsch.org</>
<date>v1.1, 24 June 2000
<abstract>
This document describes installing the BIND 8 nameserver to run in a chroot
jail and as a non-root user, to provide added security and minimise the
@ -21,28 +21,25 @@ potential effects of a security compromise.
<sect>Introduction
<p>
This is the Chroot-BIND HOWTO; see <ref id="where" Name="Where?">
for t he master site, which contains the latest copy. It is assumed
that you already know how to configure and use BIND (the Berkeley
Internet Name Domain). If not, I would recommend that you read the
DNS HOWTO first. It is also assumed that you have a basic
familiarity with compiling and installing software on your UNIX-like
This is the Chroot-BIND HOWTO; see <ref id="where" Name="Where?"> for the master
site, which contains the latest copy. It is assumed that you already know how
to configure and use BIND (the Berkeley Internet Name Domain). If not, I would
recommend that you read the DNS HOWTO first. It is also assumed that you have
a basic familiarity with compiling and installing software on your UNIX-like
system.
<sect1>What?
<p>
This document describes some extra security precautions that you can
take when you install BIND. It explains how to configure BIND so
that it resides in a ``chroot jail'', meaning that it cannot see or
access files outside its own little directory tree. We shall also
configure it to run as a non-root user.
This document describes some extra security precautions that you can take when
you install BIND. It explains how to configure BIND so that it resides in a
``chroot jail'', meaning that it cannot see or access files outside its own
little directory tree. We shall also configure it to run as a non-root user.
The idea behind chroot is fairly simple. When you run BIND (or any other
process) in a chroot jail, the process is simply unable to see any part of
the filesystem outside the jail. For example, in this document, we'll set BIND
up to run chrooted to the directory <tt>/chroot/named</>. Well, to BIND, the
process) in a chroot jail, the process is simply unable to see any part of the
filesystem outside the jail. For example, in this document, we'll set BIND up
to run chrooted to the directory <tt>/chroot/named</>. Well, to BIND, the
contents of this directory will appear to be <tt>/</>, the root directory.
Nothing outside this directory will be accessible to it. You've probably
encounted a chroot jail before, if you've ever ftped into a public system.
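Review bot: "encounted" in the trailing context line ("You've probably encounted a chroot jail before") should be "encountered"; since this paragraph is being reflowed anyway, it is the natural place to fix it.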
@ -51,68 +48,72 @@ encounted a chroot jail before, if you've ever ftped into a public system.
<p>
The idea behind running BIND in a chroot jail is to limit the amount of access
any malicious individual could gain by exploiting vulnerabilities in BIND.
It is for the same reason that we run BIND as a non-root user.
any malicious individual could gain by exploiting vulnerabilities in BIND. It
is for the same reason that we run BIND as a non-root user.
This should be considered as a supplement to the normal security precautions
(running the latest version, using access control, etc.), not a replacement
for them.
(running the latest version, using access control, etc.), not a replacement for
them.
If you're interested in DNS security, you might also be interested in a few
other products. Building BIND with <url
url="http://www.immunix.org/products.html#stackguard" name="StackGuard"> would
probably be a good idea for even more protection. Using it is easy; it's
just like using ordinary gcc. Also, <url
url="http://cr.yp.to/dnscache.html" name="DNScache"> is a secure replacement
for BIND, written by Dan Bernstein. Dan is the author of qmail, and DNScache
appears to follow a similar philosophy.
<sect1>Where?<label id="where">
<p>
The latest version of this document is always available from the web site of
the Linux/Open Source Users of Regina, Sask., at
<url url="http://www.losurs.org/docs/howto/Chroot-BIND.html">.
The latest version of this document is always available from the web site of the
Linux/Open Source Users of Regina, Sask., at <url
url="http://www.losurs.org/docs/howto/Chroot-BIND.html">.
BIND is available from <url url="http://www.isc.org/" name="the Internet
Software Consortium"> at <url url="http://www.isc.org/bind.html">. As of
this writing, the current version of BIND is 8.2.2_P5.
Software Consortium"> at <url url="http://www.isc.org/bind.html">. As of this
writing, the current version of BIND is 8.2.2_P5.
<sect1>How?
<p>
I wrote this document based on my experiences in setting BIND up in a chroot
environment. In my case, I already had an existing BIND installation in the
form of a package that came with my Linux distribution. I'll assume that
most of you are probably in the same situation, and will simply be transferring
over and modifying the configuration files from your existing BIND installation,
and
form of a package that came with my Linux distribution. I'll assume that most
of you are probably in the same situation, and will simply be transferring over
and modifying the configuration files from your existing BIND installation, and
then removing the package before installing the new one. Don't remove the
package yet, though; we may want some files from it first.
If this is not the case for you, you should still be able to follow this
document. The only difference is that, where I refer to copying an existing
file, you first have to create it yourself. The DNS HOWTO may be helpful
for this.
file, you first have to create it yourself. The DNS HOWTO may be helpful for
this.
<sect1>Disclaimer
<p>
These steps worked for me, on my system. Your mileage may vary. This is
but one way to approach this; there are other ways to set the same thing up
(although the general approach will be the same).
These steps worked for me, on my system. Your mileage may vary. This is but
one way to approach this; there are other ways to set the same thing up
(although the general approach will be the same). It just happens that this
was the first way that I tried that worked, so I wrote it down.
My BIND experience to date has been installing on Linux servers. However,
most of the instructions in this document should be easily applicable to other
flavours of UNIX as well, and I shall try to point out differences of which
I am aware.
</sect>
My BIND experience to date has been installing on Linux servers. However, most
of the instructions in this document should be easily applicable to other
flavours of UNIX as well, and I shall try to point out differences of which I am
aware.
<sect>Preparing the Jail
<sect1>Creating a User
<p>
As mentioned in the introduction, it's not a good idea to run BIND as
root. So, before we begin, let's create a separate user for BIND.
Note that you should never use an existing user like <tt/nobody/
for this purpose.
As mentioned in the introduction, it's not a good idea to run BIND as root. So,
before we begin, let's create a separate user for BIND. Note that you should
never use an existing user like <tt>nobody</> for this purpose.
This requires adding a line something like the following to <tt>/etc/passwd</>:
<tscreen><verb>
named:x:200:200:Nameserver:/chroot/named:/bin/false
</verb></tscreen>
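Review bot: the explicit `</sect>` that closed the Introduction in the old text (the line after "I am aware.") has no counterpart in the reflowed paragraph that now precedes `<sect>Preparing the Jail`. LinuxDoc lets a new `<sect>` close the previous one implicitly, so this still parses, but the same tag is also dropped later in this patch (after the Logging and Compiling sections); if removing all explicit `</sect>` tags is the intent, call it out in the change description rather than folding it into a reflow. One small addition to the user-creation text: the `x` in the password field of `named:x:200:200:Nameserver:/chroot/named:/bin/false` means the entry relies on `/etc/shadow`, so it would help readers on shadow-password systems to mention adding the matching locked shadow entry (or simply creating the account with `useradd`) so the account is not left half-created.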
@ -120,21 +121,18 @@ And one like this to <tt>/etc/group</>:
<tscreen><verb>
named:x:200:
</verb></tscreen>
This creates a user and group called <tt/named/ for BIND. Make sure
that the UID and GID (both 200 in this example) are unique on your
system. The shell is set to <tt>/bin/false</> because this user
will never need to log in.
This creates a user and group called <tt>named</> for BIND. Make sure that the
UID and GID (both 200 in this example) are unique on your system. The shell is
set to <tt>/bin/false</> because this user will never need to log in.
<sect1>Directory Structure
<p>
Now, we must set up the directory structure that we will use for the
chroot jail in which BIND will live. This can be anywhere on your
filesystem; the truly paranoid may even want to put it on a separate
volume. I shall assume that you will use <tt>/chroot/named</>.
Let's start by creating the following directory structure:
Now, we must set up the directory structure that we will use for the chroot jail
in which BIND will live. This can be anywhere on your filesystem; the truly
paranoid may even want to put it on a separate volume. I shall assume that you
will use <tt>/chroot/named</>. Let's start by creating the following directory
structure:
<tscreen><verb>
/chroot
@ -151,25 +149,22 @@ Let's start by creating the following directory structure:
<sect1>Placing the BIND Data
<p>
Assuming that you have already done a conventional installation of
BIND and are using it, you will already have an existing
<tt/named.conf/ and zone files. These files must now be moved (or
copied, to be safe) into the chroot jail, so that BIND can get at
them. <tt/named.conf/ goes in <tt>/chroot/named/etc</>, and the
zone files can go in <tt>/chroot/named/etc/namedb</>. For example:
Assuming that you have already done a conventional installation of BIND and are
using it, you will already have an existing <tt>named.conf</> and zone files.
These files must now be moved (or copied, to be safe) into the chroot jail, so
that BIND can get at them. <tt>named.conf</> goes in <tt>/chroot/named/etc</>,
and the zone files can go in <tt>/chroot/named/etc/namedb</>. For example:
<tscreen><verb>
# cp -p /etc/named.conf /chroot/named/etc/
# cp -a /var/named/* /chroot/named/etc/namedb/
</verb></tscreen>
BIND will likely need to write to the <tt/namedb/ directory, and
probably some of the files in it. For example, if your DNS serves
as a slave for a zone, it will have to update that zone file. Also,
BIND can dump statistical information, and does so in this
directory. For that reason, you should probably make the <tt/named/
user the owner of this directory and its contents:
BIND will likely need to write to the <tt>namedb</> directory, and probably some
of the files in it. For example, if your DNS serves as a slave for a zone, it
will have to update that zone file. Also, BIND can dump statistical
information, and does so in this directory. For that reason, you should
probably make the <tt>named</> user the owner of this directory and its contents:
<tscreen><verb>
# chown -R named:named /chroot/named/etc/namedb
</verb></tscreen>
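Review bot: `chown -R named:named /chroot/named/etc/namedb` makes every zone file writable by the `named` user, but the paragraph itself only justifies writes for slave zone transfers and statistics dumps. From a least-privilege standpoint it is worth adding a sentence that master (primary) zone files can stay root-owned and read-only for `named`, with only the slave zone files and the dump directory owned by `named`, so that a compromised nameserver cannot rewrite the authoritative data it serves.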
@ -182,12 +177,11 @@ pidfile and ndc socket there, so let's allow it to do so:
<sect1>System Support Files
<p>
Once BIND is running in the chroot jail, it will not be able to
access files outside the jail <bf/at all/. However, it needs to
access a few key files, such as the system's C library. Exactly
what libraries are required will depend on your flavour of UNIX.
For most modern Linux systems, the following commands will be
sufficient to put the necessary libraries in place:
Once BIND is running in the chroot jail, it will not be able to access files
outside the jail <bf>at all</>. However, it needs to access a few key files, such
as the system's C library. Exactly what libraries are required will depend on
your flavour of UNIX. For most modern Linux systems, the following commands
will be sufficient to put the necessary libraries in place:
<tscreen><verb>
# cd /chroot/named/lib
# cp -p /lib/libc-2.*.so .
@ -195,43 +189,47 @@ sufficient to put the necessary libraries in place:
# cp -p /lib/ld-2.*.so .
# ln -s ld-2.*.so ld-linux.so.2
</verb></tscreen>
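Review bot: the library-copying commands would benefit from one explicit sentence that everything placed in the jail apart from `etc/namedb` (and the `var/run` directory mentioned in the previous hunk) must remain owned by root and not writable by the `named` user; a copy of the C library that `named` can overwrite would undo the containment the jail is meant to provide, and `cp -p` preserves whatever ownership and mode the source files had.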
As an alternative, you could simply build statically-linked versions
of the BIND binaries to put in your chroot jail.
<P>
BIND needs one more system file in its jail: good ol' <tt>/dev/null</>.
Again, the exact command necessary to create this
device node may vary from system
to system; check your <tt>/dev/MAKEDEV</> script to be sure. For
most Linux systems, we can use the following command:
As an alternative, you could simply build statically-linked versions of the BIND
binaries to put in your chroot jail. You should also copy <tt>ldconfig</> into
the jail, and run it to create an <tt>etc/ld.so.conf</> for the jail environment.
The following commands could take care of this:
<tscreen><verb>
# cp /sbin/ldconfig /chroot/named/bin/
# chroot /chroot/named /bin/ldconfig -v
</verb></tscreen>
BIND needs one more system file in its jail: good ol' <tt>/dev/null</>. Again,
the exact command necessary to create this device node may vary from system to
system; check your <tt>/dev/MAKEDEV</> script to be sure. Some systems may also
require <tt>/dev/zero</>. For most Linux systems, we can use the following
command:
<tscreen><verb>
# mknod /chroot/named/dev/null c 1 3
</verb></tscreen>
Finally, you need a couple extra files in the <tt>/etc</> directory
inside the jail. In particular, you must copy
<tt>/etc/localtime</> in there so that BIND logs things with the
right time on them, and you must make a simple <tt/group/ file with
the <tt/named/ group in it. The following two commands will take
care of this:
Finally, you need a couple extra files in the <tt>/etc</> directory inside the
jail. In particular, you must copy <tt>/etc/localtime</> (this sometimes known
as <tt>/usr/lib/zoneinfo/localtime</> on some systems) in there so that BIND
logs things with the right time on them, and you must make a simple <tt/group/
file with the <tt/named/ group in it. The following two commands will take care
of this:
<tscreen><verb>
# cp /etc/localtime /chroot/named/etc/
# echo 'named:x:200:' > /chroot/named/etc/group
</verb></tscreen>
Keep in mind that the GID, 200 in this example, must match the one
you defined in the real <tt>/etc/group</> above.
Keep in mind that the GID, 200 in this example, must match the one you defined
in the real <tt>/etc/group</> above.
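Review bot: the new ldconfig paragraph says running `ldconfig` inside the jail will "create an `etc/ld.so.conf`", but `ldconfig` reads `ld.so.conf` as its input and writes the cache file `etc/ld.so.cache`; the sentence should name `ld.so.cache`. Since the copied `/sbin/ldconfig` is only needed once, the text should also say to remove `/chroot/named/bin/ldconfig` after the cache is built, so that a compromised `named` has as few executables inside the jail as possible. The added remark that "Some systems may also require `/dev/zero`" gives no command for it; on Linux the matching node is created with `mknod /chroot/named/dev/zero c 1 5`. Finally, "this sometimes known as" should read "this is sometimes known as".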
<sect1>Logging<label id="logging">
<p>
Unlike a conventional jailbird, BIND can't just scribble its log
entries on the walls :-). Normally, BIND logs through <tt/syslogd/,
the system logging daemon. However, this type of logging is
performed by sending the log entries to the special socket
<tt>/dev/log</>. Since this is outside the jail, BIND can't use it
any more. Fortuantely, there are a couple options to work around
this.
Unlike a conventional jailbird, BIND can't just scribble its log entries on the
walls :-). Normally, BIND logs through <tt/syslogd/, the system logging daemon.
However, this type of logging is performed by sending the log entries to the
special socket <tt>/dev/log</>. Since this is outside the jail, BIND can't use
it any more. Fortuantely, there are a couple options to work around this.
<sect2>The Ideal Solution
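Review bot: "Fortuantely" is carried over unchanged in the reflowed logging paragraph and should be "Fortunately".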
@ -240,12 +238,11 @@ The ideal solution to this dilemma requires a reasonably recent version of
<tt/syslogd/ which supports the <tt/-a/ switch introduced by OpenBSD. Check the
manpage for your <tt/syslogd(8)/ to see if you have such a version.
If you do, all you have to do is add the switch
``<tt>-a/chroot/named/dev/log</>'' to the command line when you
launch <tt/syslogd/. On
If you do, all you have to do is add the switch ``<tt>-a
/chroot/named/dev/log</>'' to the command line when you launch <tt/syslogd/. On
systems which use a full SysV-init (which includes most Linux distributions),
this is typically done in the file <tt>/etc/rc.d/init.d/syslog</>. For
example, on my Red Hat Linux system, I changed the line
this is typically done in the file <tt>/etc/rc.d/init.d/syslog</>. For example,
on my Red Hat Linux system, I changed the line
<tscreen><verb>
daemon syslogd -m 0
</verb></tscreen>
@ -253,8 +250,8 @@ to
<tscreen><verb>
daemon syslogd -m 0 -a /chroot/named/dev/log
</verb></tscreen>
The simply restart <tt/syslogd/, either by killing it and launching it again,
or by using the SysV-init script to do it for you:
The simply restart <tt/syslogd/, either by killing it and launching it again, or
by using the SysV-init script to do it for you:
<tscreen><verb>
# /etc/rc.d/init.d/syslog stop
# /etc/rc.d/init.d/syslog start
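Review bot: "The simply restart <tt/syslogd/" is present in both the old and the reflowed line and should be "Then simply restart <tt/syslogd/".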
@ -268,41 +265,37 @@ called <tt/log/, that looks something like this:
<sect2>The Other Solutions
<p>
If you have an older <tt/syslogd/, then you'll have to find another
way to do your logging. There are a couple programs out there,
such as <tt/holelogd/, which are designed to help by acting as a
``proxy'' and accepting log entries from the chrooted BIND and
passing them out to the regular <tt>/dev/log</> socket.
If you have an older <tt/syslogd/, then you'll have to find another way to do
your logging. There are a couple programs out there, such as <tt/holelogd/,
which are designed to help by acting as a ``proxy'' and accepting log entries
from the chrooted BIND and passing them out to the regular <tt>/dev/log</>
socket.
Alteratively, you can simply configure BIND to log to files instead
of going through syslog. See the BIND documentation for more details
if you choose to go this route.
</sect>
Alteratively, you can simply configure BIND to log to files instead of going
through syslog. See the BIND documentation for more details if you choose to go
this route.
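Review bot: "Alteratively" in the reflowed paragraph should be "Alternatively"; as with the Introduction, the explicit `</sect>` that ended this section in the old text is gone in the replacement, which is fine for LinuxDoc's implicit closing but should be mentioned as a deliberate cleanup.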
<sect>Compiling BIND
<p>
You should be able to find the BIND source by visiting
<url url="http://www.isc.org/bind.html">. You need the
<tt/bind-src.tar.gz/ package. Be sure to get the latest version!
You should be able to find the BIND source by visiting <url
url="http://www.isc.org/bind.html">. You need the <tt/bind-src.tar.gz/ package.
Be sure to get the latest version!
<sect1>Modifying Paths
<p>
Things can get a bit confusing at this point, because different parts of the
BIND package will be referring to the same directories by different names
(depending on whether or not they're running inside the jail). I'll try
not to confuse you <bf/too/ much :-).
(depending on whether or not they're running inside the jail). I'll try not to
confuse you <bf/too/ much :-).
The main directory that we have to worry about here is
<tt>/var/run</>, because its contents are required for both the
main <tt/named/ daemon (inside the jail), and the <tt/ndc/ utility
(on the outside). We'll start by setting everything up to find
this directory from the outside world. To do this, we need to modify
<tt>src/port/linux/Makefile.set</> (substitute your port's
directory if you're not running Linux), and change the line
The main directory that we have to worry about here is <tt>/var/run</>, because
its contents are required for both the main <tt/named/ daemon (inside the jail),
and the <tt/ndc/ utility (on the outside). We'll start by setting everything up
to find this directory from the outside world. To do this, we need to modify
<tt>src/port/linux/Makefile.set</> (substitute your port's directory if you're
not running Linux), and change the line
<tscreen><verb>
DESTRUN=/var/run
</verb></tscreen>
@ -310,13 +303,12 @@ to
<tscreen><verb>
DESTRUN=/chroot/named/var/run
</verb></tscreen>
While you're in there, you may want to change the other destination paths
from <tt>/usr</> to <tt>/usr/local</>.
While you're in there, you may want to change the other destination paths from
<tt>/usr</> to <tt>/usr/local</>.
Now everything should be able to find that directory... except the
<tt/named/ daemon itself, to which it's still just <tt>/var/run</>
inside the jail. We can get around this by making a small change
in the <tt/named/ source. In the file
Now everything should be able to find that directory... except the <tt/named/
daemon itself, to which it's still just <tt>/var/run</> inside the jail. We can
get around this by making a small change in the <tt/named/ source. In the file
<tt>src/bin/named/named.h</>, find the line
<tscreen><verb>
#include "pathnames.h"
@ -333,45 +325,39 @@ _PATH_NDCSOCK when you do the build; just ignore them.
<sect1>Doing the Build
<p>
You should now be able to compile BIND as normal, following the
instructions in the <tt/INSTALL/ file. At this stage, we only want
to compile BIND, not install it. Don't go too far when following
the <tt/INSTALL/ file. Essentially, it's just <tt/make clean/,
<tt/make depend/, and <tt/make/.
</sect>
You should now be able to compile BIND as normal, following the instructions in
the <tt/INSTALL/ file. At this stage, we only want to compile BIND, not install
it. Don't go too far when following the <tt/INSTALL/ file. Essentially, it's
just <tt/make clean/, <tt/make depend/, and <tt/make/.
<sect>Installing Your Shiny New BIND
<p>
I should mention that if you have an existing installation of BIND,
such as from an RPM, you should probably remove it before installing
the new one. On Red Hat systems, this probably means removing the
packages <tt/bind/ and <tt/bind-utils/, and possibly <tt/bind-devel/
and <tt/caching-nameserver/, if you have them.
I should mention that if you have an existing installation of BIND, such as from
an RPM, you should probably remove it before installing the new one. On Red Hat
systems, this probably means removing the packages <tt/bind/ and
<tt/bind-utils/, and possibly <tt/bind-devel/ and <tt/caching-nameserver/, if
you have them.
You may want to save a copy of the init script (e.g.,
<tt>/etc/rc.d/init.d/named</>), if any, before doing so; it'll be
useful later on.
<tt>/etc/rc.d/init.d/named</>), if any, before doing so; it'll be useful later
on.
<sect1>Installing the Tools Outside the Jail
<p>
This is the easy part :-). Just run <tt/make install/ and let it
take care of it for you. You may want to <tt>chmod 000
/usr/local/sbin/named</> afterwards, to make sure you don't
accidentally run the non-chrooted copy of BIND. (This is
<tt>/usr/sbin/named</> if you didn't tell it to go in
<tt>/usr/local/sbin</> like I suggested.)
This is the easy part :-). Just run <tt/make install/ and let it take care of
it for you. You may want to <tt>chmod 000 /usr/local/sbin/named</> afterwards,
to make sure you don't accidentally run the non-chrooted copy of BIND. (This
is <tt>/usr/sbin/named</> if you didn't tell it to go in <tt>/usr/local/sbin</>
like I suggested.)
<sect1>Installing the Binaries in the Jail
<p>
Only two parts of the package have to live inside the chroot jail: the main
<tt/named/ daemon itself, and <tt/named-xfer/, which it uses for zone
transfers. You can simply copy them in from the source tree:
<tt/named/ daemon itself, and <tt/named-xfer/, which it uses for zone transfers.
You can simply copy them in from the source tree:
<tscreen><verb>
# cp src/bin/named/named /chroot/named/bin
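Review bot: the copy step `# cp src/bin/named/named /chroot/named/bin` says nothing about the ownership and mode the binaries should have inside the jail. Because the daemon drops to user and group `named` (the -u/-g switches later in this file), the copied named and named-xfer should remain owned by root and not be writable by `named`, otherwise a compromised daemon could replace its own executable; a `chown root:root` and `chmod 755` line after the cp commands would close that gap. Separately, the explicit `</sect>` after `<tt/make clean/, <tt/make depend/, and <tt/make/` disappears in the reflow; that is fine in linuxdoc only if every other explicit `</sect>` in the file goes too, which the later hunks appear to do.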
@ -381,21 +367,23 @@ transfers. You can simply copy them in from the source tree:
<sect1>Setting up the Init Script
<p>
If you have an existing init script from your distribution, it would
probably be best simply to modify it to run
<tt>/chroot/named/bin/named</>, with the appropriate switches. The
switches are... <it/(drumroll please...)/
If you have an existing init script from your distribution, it would probably be
best simply to modify it to run <tt>/chroot/named/bin/named</>, with the
appropriate switches. The switches are... <it/(drumroll please...)/
<itemize>
<item><tt/-u named/, which tells BIND to run as the user <tt/named/, rather
than <tt/root/.
<item><tt/-u named/, which tells BIND to run as the user <tt/named/, rather than
<tt/root/.
<item><tt/-g named/, to run BIND under the group <tt/named/ too, rather than
<tt/root/ or <tt/wheel/.
<item><tt>-t /chroot/named</>, which tells BIND to chroot itself to the jail
that we've set up.
</itemize>
The following is the init script I use with my Red Hat 6.0 system. As you
can see, it is almost exactly the same as the way it shipped from Red Hat.
The following is the init script I use with my Red Hat 6.0 system. As you can
see, it is almost exactly the same as the way it shipped from Red Hat. I have
also modified the <tt>ndc restart</> command so that it restarts the server
properly, and keeps it chrooted. You should probably do the same in your init
script, even if you don't copy this one.
<tscreen><code>
#!/bin/sh
#
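Review bot: the added sentence "I have also modified the <tt>ndc restart</> command so that it restarts the server properly, and keeps it chrooted" should state what goes wrong without the change. Given the switch list just above (-u/-g so named does not run as root, -t so it chroots itself), a restart that omits them brings named back as root and outside the jail, silently undoing the setup; suggest adding "Without this change, `ndc restart` would relaunch named with none of these switches."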
@ -441,19 +429,20 @@ case "$1" in
exit $?
;;
restart)
/usr/local/sbin/ndc restart
/usr/local/sbin/ndc -n /chroot/named/bin/named "restart -u named -g named -t /chroot/named"
exit $?
;;
reload)
/usr/local/sbin/ndc reload
exit $?
;;
;;
probe)
# named knows how to reload intelligently; we don't want linuxconf
# to offer to restart every time
/usr/local/sbin/ndc reload >/dev/null 2>&1 || echo start
exit 0
;;
*)
echo "Usage: named {start|stop|status|restart}"
exit 1
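Review bot: the reload case ends with two consecutive `;;` lines, and a doubled `;;` is a syntax error in sh. The hunk counts (-19/+20, one line removed and two added) suggest one of them is the added line that finally terminates the reload case before `probe)`; please confirm that only one `;;` ends up in the file. While here, `echo "Usage: named {start|stop|status|restart}"` omits the reload and probe actions the script handles. The new line `/usr/local/sbin/ndc -n /chroot/named/bin/named "restart -u named -g named -t /chroot/named"` is the right fix for keeping restarts inside the jail and unprivileged.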
@ -465,10 +454,10 @@ exit 0
<sect1>Configuration Changes
<p>
You will also have to add or change a few options in your
<tt/named.conf/ to keep the various directories straight. In
particular, you should add (or change, if you already have them) the
following directives in the <tt/options/ section:
You will also have to add or change a few options in your <tt/named.conf/ to
keep the various directories straight. In particular, you should add (or
change, if you already have them) the following directives in the <tt/options/
section:
<tscreen><code>
directory "/etc/namedb";
pid-file "/var/run/named.pid";
@ -477,25 +466,23 @@ named-xfer "/bin/named-xfer";
Since this file is being read by the <tt/named/ daemon, all the paths are of
course relative to the chroot jail.
</sect>
<sect>The End
<sect1>Launching BIND
<p>
Everything should be set up, and you should be ready to put your new, more
secure BIND into action. Assuming you set up a SysV-style init script, you
can simply launch it as:
secure BIND into action. Assuming you set up a SysV-style init script, you can
simply launch it as:
<tscreen><verb>
# /etc/rc.d/init.d/named start
</verb></tscreen>
Make sure you kill any old versions of BIND still running before doing this.
If you take a look at your logs, you should find the initialisation messages
that BIND spits out when it loads. (If not, there's a problem with your
<ref id="logging" name="logging configuration"> that you need to fix.)
Amongst those messages, BIND should tell you that it chrooted successfully, and that it is
that BIND spits out when it loads. (If not, there's a problem with your <ref
id="logging" name="logging configuration"> that you need to fix.) Amongst those
messages, BIND should tell you that it chrooted successfully, and that it is
running as the user and group <tt/named/. If not, you have a problem.
<sect1>That's It!
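Review bot: "If not, you have a problem" at the end of the launch section leaves the reader without a next step. Suggest pointing back at the two things the log lines verify: that the init script really starts /chroot/named/bin/named (not the /usr/local/sbin/named copy the text earlier suggests setting to mode 000) and that it passes the -u named, -g named and -t /chroot/named switches, since a missing chroot or user/group message means one of those is absent.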
@ -507,15 +494,13 @@ You can go take a nap now ;-).
<p>
Copyright &copy; Scott Wunsch, 2000. This document may be distributed only
subject to the terms set forth in the LDP licence at
<url url="http://metalab.unc.edu/LDP/COPYRIGHT.html">.
subject to the terms set forth in the LDP licence at <url
url="http://metalab.unc.edu/LDP/COPYRIGHT.html">.
This HOWTO is free documentation; you can redistribute it and/or modify
it under the terms of the LDP licence. It is distributed in the hope that it will be
This HOWTO is free documentation; you can redistribute it and/or modify it under
the terms of the LDP licence. It is distributed in the hope that it will be
useful, but <bf/without any warranty/; without even the impled warranty of
merchantability or fitness for a particular purpose. See the LDP licence
for more details.
</sect>
merchantability or fitness for a particular purpose. See the LDP licence for
more details.
</article>
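Review bot: typo in the warranty sentence: "without even the impled warranty" should read "implied". It survives in both the old and the new wrapping, so the reflow is a good moment to fix it.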

View File

@ -4,7 +4,7 @@
<title>Oracle for Linux Installation HOWTO
<author>Stephen Darlington, <tt/&lt;stephen@zx81.org.uk&gt;/
<date>$Id$
<date>$Revision$, $Date$
<abstract>
With this HOWTO, and a little luck, you will be able to get "Oracle 8i
@ -39,44 +39,34 @@ hubris, but I document them for completeness.
<sect1>Who is this HOWTO for?
<p>
First, this document is for people who want to install Oracle 8i
version 8.1.5 on Linux. It does not cover any earlier versions. If you
want to install 8.0, I recommend you try <url name="Linux Journals
guide"
version 8.1.5 on Linux. It does not cover any earlier versions,
although it should work with similar later versions such as 8.1.6.
If you want to install 8.0, I recommend you try <url name="Linux
Journals guide"
url="http://www2.linuxjournal.com/lj-issues/issue67/3572.html">, and
if you want to install any of the previous versions you're going to
have to use the SCO version and follow Paul Haigh's <url name="Oracle
Database HOWTO"
url="http://www.linuxdoc.org/HOWTO/Oracle-HOWTO.html">.
If you're trying to install the 'right' version, here is a little of
my back-ground. Clearly if yours is similar we're going to be on the
same wave-length.
If you're trying to install the 'right' version, what level of
background knowledge will you need?
<itemize>
<item>I've used Unix before. In fact, it's probably my 'specialist'
area. At university I picked up the rudiments of SunOS/Solaris and,
since then, I've built on that and added HP-UX (about a year) and
Linux (five years, but in my own time rather than commercially).
Perhaps the easiest way is if I explain a little of my background,
clearly if yours is similar we're going to be on the same
wave-length. I've used a lot of Unix and Oracle over the last few
years. At home I've been running Linux since 1994 and I've been using
Solaris and HP-UX on-and-off since 1992. I first came across Oracle in
1996 and have worked with both versions 7 and 8. I'm mainly a
developer, but I have done DBA and sysadmin-type work.
I think if you're coming from a Windows or NT background, installing
Oracle on Linux could be quite difficult. There are lots of concepts
and terminology to pick up even before you get held up by the bugs.
<item>I've used Oracle before. I've installed and DBA'd versions 7.1
and 7.3, and have developed on 8.0 (all on Solaris). Fortunately, the
Oracle installation procedure is getting easier. Unfortunately it's
not very stable at the moment, at least not on Linux.
The bottom line is, if you've not used Oracle before, this might not
be a good product to start with unless you have a lot of time and patience.
</itemize>
I'm assuming that you have a certain amount of knowledge in this
area. Even installing Oracle isn't a trivial exercise, so I don't
intend writing a 'press this key now' type of guide. If you want this
kind of 'dummies guide,' neither this HOWTO nor Oracle are probably
the right thing for you.
In summary, I can find my way around a Unix box and I know much of the
Oracle terminology. You'll need both to brave the rest of this
document. But don't worry if you have a different background, follow
this guide closely and keep asking questions. The Linux community are
a helpful bunch, just don't expect an answer if you haven't at least
made an effort to solve the problem yourself.
<sect1>New versions of this document
<p>
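Review bot: the rewrite turns the two bulleted items ("I've used Unix before", "I've used Oracle before") into plain paragraphs, so the `<itemize>` and `</itemize>` tags around them must be removed as a pair; please check that neither survives on its own, since an unmatched `</itemize>` breaks the linuxdoc build. Also "Linux Journals guide" wants an apostrophe: "Linux Journal's guide".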
@ -100,7 +90,8 @@ that keep posting and sorry that I can't credit you all individually!
Thanks to the following people, in no particular order, for their
contributions to this document: Ton Haver, Guy Cole, Iain Frerichs,
Albert Braun, Steve Morando and Krill Kokoshka.
Albert Braun, Steve Morando, Krill Kokoshka, Brain Slesinsky, Galen G
Burk and Bill Gathen.
I welcome any constructive feedback on this HOWTO and any general
Linux or Oracle issues. Email me at <url
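Review bot: "Brain Slesinsky" in the new contributor list looks like a transposition of "Brian"; worth confirming against the original feedback before the name is published.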
@ -131,91 +122,60 @@ HOWTO.)
<sect1>Overview
<p>
In this section, we'll set up Linux so that you're in a position to
get Oracle 8i from the CD that they sent you into your
hard-disk.
get Oracle 8i from the CD that they sent you into your hard-disk.
The Oracle installation process begins when you've built your PC,
installed Linux, configured it and connected it to your network.
<sect1>Prerequisites
<sect2>Hardware
<p>
I think that the most important part of the prerequisites is not to
underestimate them and, as far as the software is concerned, not to
differ unless you have to.
underestimate them. Oracle is a very big and complex application and
you won't get the best out of it if you skimp too much on the
hardware.
My sad tale is as follows:
<itemize>
<item>My first and biggest mistake was to assume that Oracle were
joking when they said that you need 128Mb of RAM. I've installed
Oracle a couple of times on Sun servers with that much, why would I
need more on a CISC machine?
My biggest mistake was to assume that Oracle were joking when they
said that you need 128Mb of RAM. I've installed Oracle a couple of
times on Sun servers with that much, why would I need more on a CISC
machine?
Believe Oracle not my gut. My machine with 32Mb of Ram ground on for
less than half an hour before I realised that it was hopeless.
<item>When Oracle say that you need the Java Runtime Environment
version 1.1.6, that's what they mean. Don't think 'newer versions will
be less buggy' as the installer probably won't work.
I was trying to use the bare minimum of hardware, and that's generally
a bad idea. If you can't afford the hardware you certainly won't be
able to afford the licences!
Summary: download Blackdown's JRE 1.1.6v5 as the documentation tells
you. You'll end up doing that anyway.
Things to look for on a production server are many disks, possibly
RAIDed, and fast CPU's. Database access is relatively easy to break
down into smaller parallel phases so having a number of processors
really does help.
</itemize>
Oracle seem to have done most of their development on RedHat
Linux. For a fuss-free installation, do the same. I've heard horror
stories about trying to get it installed on other distributions.
I used a fairly vanilla RH6 setup and had very few problems. I
downloaded and installed the JRE version 1.1.6v5, added all the
patches up to August 1999 and upgraded the kernel to 2.2.13, but that
was in order to support my network card. I have no reason to suspect
that Oracle won't work with the RedHat supplied 2.2.5 kernel.
Note, the Oracle installer seems to be hard-coded to expect the JRE
executable to be at <tt>/usr/local/jre/bin/jre</tt>. While this
doesn't mean that you have to install it there (see below), it does
mean that you can't get away with using the JDK. This is an important
point so I'll repeat it: you must use the JRE, the Oracle installer
won't work with the JDK!
I performed the following steps to get a working copy of the JRE:
<enum>
<item>Download the Java Runtime Environment from the <url
name="Blackdown website" url="http://www.blackdown.org">
<item>Move to where you want to install the JRE:
<verb>cd /usr/local</verb>
<item>Uncompress the archive:
<verb>bzip2 -d -c jre-1.1.6-v5-glibc-x86.tar.bz2 | tar xvf -</verb>
<item>Create a symbolic link between where Oracle thinks it is and
where it actually is: <verb>ln -s jre116_v5 jre</verb>
</enum>
As for the hardware, once you get above a certain 'base' level Oracle
should work on almost any hardware you get get Linux running on. My
system, for reference, is an Intel Celeron 466Mhz with 128Mb memory,
an 8Gb hard-disk and a DM9102 network card. This is not a machine for
heavy database applications, but is perfectly sufficient for a small
test or development system.
On the other hand, any machine that can run Linux and that has enough
memory should be in with a chance. My other machine, the one I used
for the rest of this document, is fine as a development machine. It is
a Celeron 466Mhz with 128Mb of memory, an 8Gb hard disk, an Intel
graphics card and a DM9102 network card.
<sect1>Linux setup
<sect2>Choice of distribution
<p>
Oracle seem to have done most of their development on RedHat Linux
6.0. For a fuss-free installation, do the same. I've heard horror
stories about trying to get it installed on other distributions.
However, anything <it/like/ RedHat should also do the trick. A recent
version of Mandrake or SuSE should be fine (SuSE, in fact, are fairly
active in supporting Oracle), and newer versions of RH pose no
problems either.
<sect2>Distribution Setup
<p>
As mentioned in the previous section, Oracle do their development
using RedHat 6.0, so for a hassle-free installation this is what you
should probably use.
But what options do you make and which of the vast number of packages
need to be installed to make Oracle work?
Now that you've decided on which RedHat-like distribution you're going
to use, you'll need to work out which options to set and which of the
vast number of packages need to be installed to make Oracle work.
Firstly you need two to three times the amount of memory you have for
your swap space. (You'll need around 200Mb of memory, real or virtual,
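Review bot: same pairing check as for the earlier list: the "My sad tale" items become paragraphs, so `<itemize>` and the `</itemize>` after "really does help." must both go. Note also that "Summary: download Blackdown's JRE 1.1.6v5" and the enum of JRE steps are removed here and reappear under the new "Installing the right Java Virtual Machine" section in a later hunk; a forward reference from the hardware paragraph to that section would keep the "that's what they mean" warning discoverable.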
@ -224,8 +184,8 @@ Linux swap partitions can be larger than 128Mb.
The arrangements of your other partitions can also be important. Make
sure that the Oracle software is on a different partition to your
operating system, and make sure that the Oracle data-files are on yet
another partition. The idea here is to make sure that your data-files
operating system, and make sure that the Oracle datafiles are on yet
another partition. The idea here is to make sure that your datafiles
do not get fragmented. (In a live environment, you're likely to have a
number of disk with Oracle spread across them. There are a number of
good books that you consult for more information on this.)
@ -266,6 +226,39 @@ You can make any other user a DBA by putting them in the DBA group. If
you have several DBA's this is probably a good idea for auditing
purposes.
<sect2>Installing the right Java Virtual Machine
<p>
If you check the official documentation, you'll find that Oracle
recommend the Blackdown Java Runtime Environment version 1.1.6v5.
That's what they mean. Don't think 'newer versions will be less buggy'
as the installer probably won't work. And don't think, 'I'll be
developing software so I'll just get the JDK,' as that won't work
either.
There is one caveat to using this version of the JRE: the Oracle
installer seems to be hard-coded to expect the JRE executable to be at
<tt>/usr/local/jre/bin/jre</tt>. While this is inconvenient, it does
not mean that you have to install it there.
I performed the following steps to get a working copy of the JRE:
<enum>
<item>Download the Java Runtime Environment from the <url
name="Blackdown website" url="http://www.blackdown.org">
<item>Move to where you want to install the JRE:
<verb>cd /usr/local</verb>
<item>Uncompress the archive:
<verb>bzip2 -d -c jre-1.1.6-v5-glibc-x86.tar.bz2 | tar xvf -</verb>
<item>Create a symbolic link between where Oracle thinks it is and
where it actually is: <verb>ln -s jre116_v5 jre</verb>
</enum>
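Review bot: "While this is inconvenient, it does not mean that you have to install it there" is no longer backed by anything, because the old "(see below)" pointer was dropped and the steps that follow do `cd /usr/local` anyway. Either say explicitly that the final `ln -s jre116_v5 jre` is what allows another location (the link in /usr/local can point anywhere), or drop the claim. The link step also assumes the archive unpacks into a directory named jre116_v5; state that, since a reader who gets a different directory name ends up with a dangling symlink and an installer that cannot find the JRE.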
<sect1>Starting off questions and answers
<sect2>Do I really need 128Mb RAM?
@ -284,12 +277,13 @@ sense. I've heard reports of the installer using 150Mb of memory and
I've seen it well over 120Mb myself. If you have 64Mb or less of
memory, make sure you have lots of swap space and patience.
An alternative that <it/should/ work is as follows (although I've not
had chance to test it): install Oracle on another, bigger machine and
copy across the <tt/$ORACLE_HOME/ directory. If you have all the same
users and groups I can't see why if wouldn't work.
An alternative if you absolutely can't add more memory: install Oracle
on another, bigger machine and copy across the <tt/$ORACLE_HOME/
directory. You'll need to make sure that you have all the same users
and groups (preferably with the same numeric codes) and take special
care with SUID executables like <tt>$ORACLE_HOME/bin/oracle/</tt>.
<sect2>Does it work with RedHat 6.1?
<sect2>Does it work with RedHat 6.1 or above?
<p>
I'm still running 6.0 myself, so all I can say is that a number of
people have claimed success with this configuration.
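Review bot: "take special care with SUID executables like <tt>$ORACLE_HOME/bin/oracle/</tt>" should say what the care is, and the path should not end in a slash since it names a file. A plain cp, or a tar without permission-preserving options, drops the setuid bit and changes ownership, and restoring them by hand on the wrong file is how privilege ends up where it should not; suggest copying with an archive that preserves ownership and modes (tar run as root on both ends), with the same user and group names and numeric ids on both machines as the sentence already recommends, and then checking the result with ls -l.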
@ -317,6 +311,19 @@ the time didn't -- but unless there's a pressing need it's certainly
safest to stay well clear. I switched back to the stable series as
soon as the driver was included.
<sect2>Where do I get Oracle from?
<p>
Firstly, if you're brave, have a very fast Internet connection or
inexhaustible patience (and unmetered access) you can download it from
<url name="Oracle Technet" url="http://technet.oracle.com/">. Beware:
it's nearly 200Mb, and 8.1.6 is even bigger.
A better option is to get the CD. Oracle sometimes offer to send you a
free development CD when you join Technet. It's certainly worth
spending some time looking round their web site for
that. Alternatively, you can buy them from the Oracle Store for around
$40. It includes lots of other software too and comes on 15 discs.
<sect>The installer
<sect1>How?
<p>
@ -336,8 +343,11 @@ questions. Generally they're not too difficult but let's see what I
entered and why.
<enum>
<item>Run the installation program (<tt/runInstaller/) as user
'oracle'.
<item>Many people make the mistake of following Oracle's documentation
and, therefore, fail at the first hurdle. Don't execute
<tt/runInstaller/ as it almost always fails. Instead move to
<tt>install/linux</tt> on the CD and run <tt/runIns.sh/ while logged
in as 'oracle'.
<item>It should show a title screen. Click 'Next.'
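Review bot: "move to <tt>install/linux</tt> on the CD and run <tt/runIns.sh/" would be clearer as the two commands the reader types, in the same `<verb>` style the JRE and patch steps use (cd into that directory, then ./runIns.sh); as prose it is easy to misread as running runIns.sh from the CD root, which is exactly the runInstaller mistake the item warns about.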
@ -380,14 +390,11 @@ good reason to should you change it. Click 'Next' when you're done.
asked it to. This will probably take quite a while and will use far
more memory than is reasonable.
<item>It should ask you if you want to create a database. I recommend
you select 'No' here unless you have lots of memory or patience. The
reason for this is that it seems to fire up another Java Virtual
Machine and X Windows. Unfortunately two JVM's plus the Oracle
back-end don't really fit into 128Mb. If you want to persevere jump to
the next section and come back here when you're done. (People have
commented that it doesn't actually work if you try to build a database
at this point.)
<item>It should ask you if you want to create a database. Select
'no'. There are two reasons for this: it often doesn't work and, even
when it does, it's very slow (it seems to fire up another JVM, leaving
X, the Oracle back-end and <it/two/ virtual machines in memory; not
good with 128Mb of memory).
<item>The installer should now ask you about the network protocols
that you want Oracle to support. The boxes all came up blank for me. I
@ -409,7 +416,7 @@ described here is a cumulative patch, i.e., it includes all the files
required to move from version 8.1.5.0.0 to 8.1.5.0.2.
The file you need is on <url name="the Oracle web site"
url="http://technet.oracle.com/support/tech/linux/files/linux_815patches.gz">
url="http://technet.oracle.com/software/products/oracle8i/software_index.htm">
and is relatively easy to install.
<enum>
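Review bot: the patch link now points at a software index page instead of the file itself, but the text still says "The file you need is on ... and is relatively easy to install" without naming it. Since the steps below extract `linux815patches.tgz`, name that file here so the reader knows what to look for on the index page.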
@ -424,7 +431,7 @@ directory called "patches" somewhere convenient (mine is in
cd /tmp/orapatch</verb>
<item>Uncompress the file:
<verb>tar zvxf $ORACLE_HOME/patches/linux815patches.gz</verb>
<verb>tar zvxf $ORACLE_HOME/patches/linux815patches.tgz</verb>
<item>Run the shell script that's now in the current directory:
<verb>./linux_815patches.sh</verb>
@ -580,6 +587,11 @@ The solution is not pretty. Since you can't extract an individual file
from the CD you need to install the whole thing again, this time
adding Oracle Programmer before the patch.
<sect2>Oracle thinks I don't have enough disk space
<p>
There's something wrong with the installation program. Assuming you
<it/do/ have enough space it will install okay.
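Review bot: "There's something wrong with the installation program. Assuming you do have enough space it will install okay" gives the reader no way to tell whether they are in the "do have enough space" case. Say how much space the install actually needs (or where earlier in the HOWTO that figure is given) and what the installer reports, so the reader can distinguish the spurious warning from a genuinely full partition.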
<sect>Creating a database
<sect1>Overview
<p>
@ -691,6 +703,11 @@ system/&lt;password&gt;</tt>). Then type:
The question-mark is an alias for the <tt/$ORACLE_HOME/ directory.
<item>This is an optional step used to define the default editor for
SQL*Plus (it defaults to <tt/ed/ so you do!). Open
<tt>$ORACLE_HOME/sqlplus/admin/glogin.sql</tt> in your favourite
editor and add <tt>define_editor=&lt;editor name&gt;</tt> to the end.
</enum>
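Review bot: `define_editor=&lt;editor name&gt;` is not valid SQL*Plus: the command is DEFINE and the variable is _EDITOR, so the glogin.sql line should read `define _editor=&lt;editor name&gt;` (space after define, underscore kept). As written SQL*Plus will reject "define_editor" as an unknown command and the default editor stays ed.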
And that's it. You should now have an operational database that you
@ -747,6 +764,11 @@ easiest option is to unset it. If you really want to use it, make sure
that you have it exactly right. Make sure you don't transpose any '1's
(one's) for 'l's (the twelfth letter of the alphabet)!
<sect2>Can datafiles only be 1Gb in size?
<p>
'dbassist' won't let you create a datafile bigger than 1Gb. I believe
this to be a bug as Linux has no problem with files up to 2Gb.
<sect>Configuration
<sect1>Overview
<p>
@ -881,8 +903,9 @@ significantly more expensive than free but is not bad value.
name="Quest Software">. I've not really used it but it's been highly
recommended by all who have.
<item><url url="http://www.kkitts.com/orac-dba/" name="Orac">. A nice,
configurable DBA-tool.
<item><url url="http://www.kkitts.com/orac-dba/" name="Orac">. Another
that I've not used much, but has been described as a nice,
configurable DBA-tool by a number of people.
</itemize>
@ -912,14 +935,14 @@ Associates, ISBN 1-56592-268-9.
url="http://www.amazon.com/exec/obidos/ASIN/1565923359/zx81orguk00"
name="PL/SQL Programming,"></#if>
<#unless output=html>"PL/SQL Programming,"</#unless>
"PL/SQL Programming," Steven Feuerstein, O'Reilly and
Steven Feuerstein, O'Reilly and
Associates, ISBN 1-56592-335-9.
<item><#if output=html><url
url="http://www.amazon.com/exec/obidos/ASIN/1565923758/zx81orguk00"
name="PL/SQL Built-in Packages,"></#if>
<#unless output=html>"PL/SQL Built-in Packages,"</#unless>
"PL/SQL Built-in Packages," Steven Feuerstein, O'Reilly and
Steven Feuerstein, O'Reilly and
Associates, ISBN 1-56592-375-8.
</itemize>

View File

@ -40,7 +40,7 @@ Covers PostgreSQL Version 6.5.3
<author>Al Dev (Alavoor Vasudevan)
<htmlurl url="mailto:alavoor@yahoo.com"
name="alavoor@yahoo.com">
<date>v23.0, 02 Jun 2000
<date>v26.0, 24 June 2000
<abstract>
This document is a "practical guide" to very quickly setup a SQL Database
engine and
@ -248,23 +248,34 @@ millions of galaxies, each galaxy has millions of stars, some stars
system have many planets, each planet in turn is made up
billions of atoms.<it>(In the history of this world, <bf>only one universe was
created by a man</bf> in ancient India eons ago, but no other case had been
reported in the modern history. Creating a universe is a much more advanced
reported in the modern history. Nations around the world are trying to create
a universe).</it> Creating a universe is a much more advanced
technology and is more advanced than the atomic bomb which was dropped on
Hiroshima and Nagasaki causing
<bf>horrible destruction</bf>). Modern nuclear weapons are so tiny and powerful
that if such a single nuclear bomb is dropped then it can completely
vaporise the planet earth! But there are also weapons which will completely <bf>NULLIFY
and NEUTRALISE</bf> all the nuclear weapons in the world!! Total variety
of weapons are infinity!</it>. Software like MS Windows 95 is created simply by "C"
<bf>horrible destruction</bf>.
Modern nuclear weapons are so tiny and powerful
that if such a single nuclear bomb is dropped in pacific ocean then it
can completely vaporise the planet earth!
The total variety of weapons are infinity!! Nuclear weapons and other
more <bf>powerful divine weapons</bf> were used
in the battle field in ancient India! Nobody believed Albert
Eienstein (a scientist of 1900's) when he said nuclear weapons can
be made which can vaporise big cities. And today nobody believes
that man can create a universe.
Software like MS Windows 95 is created simply by "C"
and assembler language programs which simply uses 1 and 0 and <it><bf>universes like
ours are created simply by dashing TWO dissimilar but proper of combination of
tiny atomic particles of other dimensions.</bf></it>
<it>(Something interesting happened <bf>just before</bf> dashing of tiny particles)</it>
A human body is created by dashing two dissimilar but
proper combination of tiny cells!! Humans inherited the properties of this universe.
proper combination of tiny cells!!
<it>(Something interesting happened <bf>just before</bf> dashing of tiny cells)</it>
Humans inherited the properties of this universe.
The universe you are
currently living in was NOT there - all the atoms inside the universe was not there
and not even TIME was existing!! Baby universe was born during big bang and started
expanding and kept growing. Even today the universe is still expanding!!
expanding and kept growing. Even today our universe is still expanding!!
A person from another universe by name <bf>'Brahma'</bf> created
this universe you are currently living in.
It is indeed possible for man to create a new universe.
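Review bot: the new paragraph on nuclear weapons and "powerful divine weapons" in ancient India belongs in neither a PostgreSQL HOWTO nor this section; it adds nothing to setting up a database and will put off readers. If it stays, fix "Eienstein" to "Einstein", capitalise "Pacific Ocean", and check the `<it>`/`</it>` pairs: the old closing `</it>` after "of weapons are infinity!" is replaced by one after "a universe).", so make sure no `<it>` is left open.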
@ -273,7 +284,8 @@ is <bf>INFINITY</bf> and similarly total number of operating systems that
can be created is also <bf>infinity</bf>!! Infinite number
universes and infinite
variety of multi-dimensional atoms collapse down
into few <it>primary-dimensional-universe</it>.
into few <it>primary-dimensional-universe</it>. Very advanced mathematical
equations support this theory.
The laws of science and statistics favour the open-source
code system like PostgreSQL and Linux.
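Review bot: "Very advanced mathematical equations support this theory" is an unsupported assertion; either cite the work or drop the sentence. Unreferenced claims like this undermine the credibility of the practical material that follows.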
@ -345,7 +357,10 @@ where 'c' is the speed of light and 'm' is the mass.
where n = number of persons working on the project.
</code>
From the above equation it is clear that increasing the 'n' will greatly improve
the quality of product.
the quality of product. Greater the 'n' then greater will be the power (in KiloWatts).
You can wonder how much total
energy (in KiloJoules) and total power (in KiloWatts)
the global internet can focus on a system like Linux and PostgreSQL!
It is very clear that internet can network a vast number of people, which implies
internet has a lot of energy and time which can produce much higher quality
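Review bot: "Greater the 'n' then greater will be the power (in KiloWatts)" reads oddly, and the SI units are spelled kilowatts and kilojoules; suggest "The larger n is, the greater the power (in kilowatts)". The same n is defined as "number of persons working on the project" in the code block above, so be consistent about what the unit measures.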
@ -467,11 +482,30 @@ The white paper on PostgreSQL is at
MySQL is another open-source SQL server, but it does not support
transactions. It is suitable for very small databases and does not
support advanced SQL functionalities. Whereas PostgreSQL is a enterprise strength database
supporting transactions and almost all SQL constructs. In near future
development of MySQL will be dropped and all MySQL users will be
migrated to PostgreSQL since MySQL is duplicate product working towards ANSI SQL.
Also MySQL is a 'quasi-commercial' product unlike PostgreSQL which is open-source
and there is no license fee.
supporting transactions and almost all SQL constructs.
PostgreSQL is much more advanced than commercial databases like Oracle, Sybase
and Informix. PostgreSQL supports very advanced locking mechanisms and many more
advanced features which are not available in commercial database systems!!
In near future development of MySQL will be dropped,
since MySQL is duplicate product working towards ANSI SQL.
And all the MySQL users will be migrated to PostgreSQL.
Also MySQL is a 'quasi-commercial' product unlike
PostgreSQL which is open-source and there is no license fee.
There is no need for another SQL database system as PostgreSQL is already
here in this world!!
Duplicate products like MySQL confuse the user base and causes division of
resources. For a <bf>"NEAR PERFECT"</bf> system there must be <bf>only one</bf>
system and everybody in the world must work on it!!
Duplicate products cause more harm than good and hence division of
resources must be strongly discouraged. This already happened in case of
commercial database systems like Oracle, Sybase, Informix and MS SQL server
which caused splintering of user base and often they are incompatible.
<bf>WARNING: </bf> It is possible to create infinite number of database systems
for a given specification like ANSI SQL!!
MySQL is at <url url="http://www.tcx.se">
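Review bot: the new paragraphs make several claims that cannot be verified: "development of MySQL will be dropped", "all the MySQL users will be migrated to PostgreSQL", and "PostgreSQL is much more advanced than commercial databases like Oracle, Sybase and Informix". The one concrete, checkable point in this passage is the transaction comparison at the top ("it does not support transactions"); keep to statements of that kind, with a version and a source, and cut the predictions and the "only one system" argument, which read as advocacy rather than documentation.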
<!--
*******************************************
@ -558,7 +592,7 @@ PostgreSQL source code is also available at all the mirror sites of sunsite unc
<chapt>PostgreSQL Quick-Installation Instructions
-->
<sect>PostgreSQL Quick-Installation Instructions
<sect>PostgreSQL Quick-Installation Instructions <label id="Quick-Installation">
<p>
This chapter will help you to install and run the database very quickly in less than 5 minutes.
@ -918,6 +952,321 @@ The patch files are located in
<chapt> Quick Start Guide
-->
<sect> Quick Start Guide
<p>
Refer also to <ref id="Quick-Installation" name="Quick Installation"> chapter.
<!--
*******************************************
************ End of Section ***************
*******************************************
-->
<sect1> Creating, Dropping, Renaming Database
<p>
You can use the user friendly GUI called 'pgaccess' to create and drop databases,
or you can use the command line 'psql' utility.
<code>
If you are logged in as root, switch user to 'postgres' :
# xhost + (To give display access for pgaccess)
# su - postgres
bash$ man createdb
bash$ createdb mydatabase
bash$ man psql
bash$ psql mydatabase
..... in psql press up/down arrow keys for history line editing or \s
bash$ export DISPLAY=<hostname>:0.0
bash$ man pgaccess
bash$ pgaccess mydatabase
</code>
Now you can start <bf>rapidly BANGING away</bf> SQL commands at psql or pgaccess !!
To drop the database do :
<code>
bash$ man dropdb
bash$ dropdb <dbname>
</code>
It is also possible to destroy a database from within an SQL session by using:
<code>
> drop database <dbname>
</code>
To rename a database see <ref id="backup_restore" name="Backup and Restore">
<!--
*******************************************
************ End of Section ***************
*******************************************
-->
<sect1> Creating, Dropping users
<p>
To create new users, login as unix user 'postgres'.
You can use user friendly GUI tool called 'pgacess' to create, drop users.
<code>
bash$ man pgaccess
bash$ pgaccess <database_name>
</code>
and click on "Users" tab and then click Object|New or Object|Delete
You can also use command line scripts.
Use the shell script called 'createuser' which invokes psql
<code>
bash$ man createuser
bash$ createuser <username>
bash$ createuser -h host -p port -i userid <username>
</code>
To drop a postgres user, use shell script 'destroyuser' -
<code>
bash$ man destroyuser
bash$ destroyuser
</code>
<!--
*******************************************
************ End of Section ***************
*******************************************
-->
<sect1> Creating, Dropping Groups
<p>
Currently, there is no easy interface to set up user groups. You have
to explicitly insert/update the <bf>pg_group</bf> table. For example:
<code>
bash$ su - postgres
bash$ psql <database_name>
..... in psql press up/down arrow keys for history line editing or \s
psql=> insert into pg_group (groname, grosysid, grolist)
psql=> values ('posthackers', '1234', '{5443, 8261}' );
INSERT 58224
psql=> grant insert on foo to group posthackers;
CHANGE
psql=>
</code>
The fields in <bf>pg_group</bf> are:
<bf>groname</bf> The group name. This name should be purely alphanumeric; do not
include underscores or other punctuation.
<bf>grosysid</bf> The group id. This is an int4, and should be unique for each group.
<bf>grolist</bf> The list of <bf>pg_user</bf> IDs that belong in the group. This is
an int4[].
To drop the group:
<code>
bash$ su - postgres
bash$ psql <database_name>
..... in psql press up/down arrow keys for history line editing or \s
psql=> delete from pg_group where groname = 'posthackers';
</code>
<!--
*******************************************
************ End of Section ***************
*******************************************
-->
<sect1> Create, Edit, Drop a table
<p>
You can use user friendly GUI tool 'pgaccess' or command line tool 'psql'
to create, edit or drop a table in a database.
<code>
bash$ man pgaccess
bash$ pgaccess <database_name>
</code>
Click on Table | New | Design buttons.
<code>
bash$ man psql
bash$ psql <database_name>
..... in psql press up/down arrow keys for history line editing or \s
</code>
At psql prompt, give standard SQL statements like 'create table', 'alter table'
or 'drop table' to manipulate the tables.
<!--
*******************************************
************ End of Section ***************
*******************************************
-->
<sect1> Create, Edit, Drop records in a table
<p>
You can use user friendly GUI tool 'pgaccess' or command line tool 'psql'
to create, edit or drop records in a database table.
<code>
bash$ man pgaccess
bash$ pgaccess <database_name>
</code>
Click on Table | &lt pick a table &gt | Open buttons.
<code>
bash$ man psql
bash$ psql <database_name>
..... in psql press up/down arrow keys for history line editing or \s
</code>
At psql prompt, give standard SQL statements like 'insert into table_name', 'update table_name'
or 'delete from table_name' to manipulate the tables.
<!--
*******************************************
************ End of Section ***************
*******************************************
-->
<sect1> Switch active Database
<p>
You can use user friendly GUI tool 'pgaccess' or command line tool 'psql'
to switch active database.
<code>
bash$ man pgaccess
bash$ pgaccess <database_name>
</code>
Click on Database | Open buttons.
<code>
bash$ man psql
bash$ psql <database_name>
..... in psql press up/down arrow keys for history line editing or \s
psql=> connect <database_name> <user>
</code>
<!--
*******************************************
************ End of Section ***************
*******************************************
-->
<sect1> Backup and Restore database <label id="backup_restore">
<p>
PostgreSQL provides two utilities to back up your system: <bf>pg_dump</bf>
to backup individual databases, and <bf>pg_dumpall</bf> to back up all the
databases in just one step.
<code>
bash$ su - postgres
bash$ man pd_dump
bash$ pd_dump <database_name> > database_name.pgdump
</code>
and can be restored using:
<code>
bash$ cat database_name.pgdump | psql <database_name>
</code>
This technique can be used to move databases to new locations, and to rename
existing databases.
<bf>WARNING:</bf> Every database should be backed up on a regular basis. Since
PostgreSQL manages its own files in the file sysetem, it is not advisable to rely
on system backups of your file system for your database backups; there is
no guarantee that the files will be in a usable, consistent
state after restoration.
<bf>BACKUP LARGE DATABASES:</bf> Since Postgres allows tables larger than the
maximum file size on your system, it can be problematic to dump the table to
a file, because the resulting file likely will be larger than the maximum
size allowed by your system. As <bf>pg_dump</bf> writes to <bf>stdout</bf>,
you can just use standard unix tools to work around this possible problem:
Use compressed dumps:
<code>
bash$ pg_dump <database_name> | gzip > filename.dump.gz
</code>
reload with:
<code>
bash$ createdb <database_name>
bash$ gunzip -c filename.dump.gz | psql <database_name>
</code>
or
<code>
bash$ cat filename.dump.gz | gunzip | psql <database_name>
</code>
Use split:
<code>
bash$ pg_dump <database_name> | split -b 1m - filename.dump.
</code>
Note: There is a dot (.) after filename.dump in the above command!! You can
reload with:
<code>
bash$ man createdb
bash$ createdb <database_name>
bash$ cat filename.dump.* | pgsql <database_name>
</code>
Of course, the name of the file (filename) and the content of the <bf>pg_dump</bf>
output need not match the name of the database. Also, the restored database
can have an arbitrary new name, so this mechanism is also suitable for
renaming databases.
To dump all the databases in PostgreSQL use <bf>pg_dumpall</bf>
<code>
bash$ man pg_dumpall
bash$ pg_dumpall -o > db.out
To reload:
bash$ psql -e template1 < db.out
</code>
<!--
*******************************************
************ End of Section ***************
*******************************************
-->
<sect1> Security of database
<p>
See the chapter on <ref id="security" name="PostgreSQL Security">.
<!--
*******************************************
************ End of Section ***************
*******************************************
-->
<sect1> Online help
<p>
It is very important that you should know how to use online help facilities of PostgreSQL,
since it will save you lot of time and provides very quick access to information.
See the online man pages on various commands like createdb, createuser, etc..
<code>
bash$ man createdb
</code>
See also online help of psql, by typing \h at psql prompt
<code>
bash$ psql mydatabase
psql> \h
Tip: In psql press up/down arrow keys for history line editing or \s
</code>
<!--
*******************************************
************ End of Section ***************
*******************************************
-->
<sect1> PostgreSQL Documentation
<p>
More questions, read the fine manuals of PostgreSQL which are very
extensive.
PostgreSQL documentation is distributed with package. See the
'User's Guide', 'Programmer's Guide', 'Administrator's Guide' and
other manuals.
<!--
*******************************************
************ End of Section ***************
*******************************************
<chapt>PostgreSQL Supports Extremely Large Databases greater than 200 Gig
-->
<sect>PostgreSQL Supports Extremely Large Databases greater than 200 Gig
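Review bot: two command names in the new Quick Start sections are wrong and will fail as typed: "bash$ man pd_dump" and "bash$ pd_dump <database_name> > database_name.pgdump" should be pg_dump (the prose in the same section spells it correctly), and "bash$ cat filename.dump.* | pgsql <database_name>" should be psql. In "Switch active Database", "psql=> connect <database_name> <user>" needs the backslash form \connect, because connect is a psql meta-command, not an SQL statement. The "Creating, Dropping, Renaming Database" example runs "# xhost +" as root, which disables X access control for every host that can reach the display rather than only the one running pgaccess; suggest "xhost +localhost" (or ssh X forwarding) and an "xhost -" once the session is over. The user section uses "destroyuser" while the database section already uses the newer dropdb naming; check which script this PostgreSQL release actually ships (dropuser in the 7.x naming) and make the two consistent. Spelling: "pgacess" (pgaccess), "file sysetem" (file system).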
@ -984,6 +1333,312 @@ If a functionality, syntax or feature exists in the regression test package
then it is supported, and all others which are NOT listed in the
package MAY not be supported by PostgreSQL!! You may need to verify those and
add it to regression test package.
<!--
*******************************************
************ End of Section ***************
*******************************************
<chapt> Security of Database <label id="security">
-->
<sect> Security of Database <label id="security">
<p>
Database security is addressed at several levels:
<itemize>
<item> Database file protection. All files stored within the database are
protected from reading by any account other than the <it>postgres</it>
superuser account
<item> Connections from a client to the database server are, by default,
allowed only via a local UNIX socket, not via TCP/IP sockets. The back-end
must be started with the -i option to allow nonlocal clients to connect.
<item> Client connections can be restricted by IP address and/or username
via the <bf>pg_hba.conf</bf> file in <bf>$PG_DATA</bf>.
<item> Client connections may be authenticated via other external packages.
<item> Each user in Postgres is assigned a username and (optionally) a password.
By default, users do not have write access to databases they did not create.
<item> Users may be assigned to groups, and table access may be restricted based
on group priveleges.
</itemize>
<!--
*******************************************
************ End of Section ***************
*******************************************
-->
<sect1> User Authentication
<p>
Authentication is the process by which the backend server and postmaster
ensure that the user requesting access to data is in fact who he/she
claims to be. All users who invoke Postgres are checked against the contents
of the <bf>pg_user</bf> class to ensure that they are authorized to do so. However,
verification of the user's actual identity is performed in a variety
of ways:
<itemize>
<item> <bf>From the user shell:</bf> A backend server started from a user shell
notes the user's (effective) user-id before performing a
<bf>setuid</bf> to the user-id of user <bf>postgres</bf>. The effective user-id is used as
the basis for access control checks. No other authentication is conducted.
<item> <bf>From the network:</bf> If the Postgres system is built as distributed, access to the
Internet TCP port of the postmaster process is available to anyone. The DBA
configures the <bf>pg_hba.conf</bf> file in the <bf>$PGDATA</bf> directory to specify what
authentication system is to be used according to the host making the connection
and which database it is connecting to.
See <bf>pg_hba.conf(5)</bf> (man 5 pg_hba.conf)
for a description
of the authentication systems available. Of course, host-based authentication
is not fool-proof in Unix, either. It is possible for determined intruders
to also masquerade the origination host. Those security issues are beyond
the scope of Postgres.
</itemize>
<!--
*******************************************
************ End of Section ***************
*******************************************
-->
<sect1> Host-Based Access Control
<p>
Host-based access control is the name for the basic controls PostgreSQL
exercises on what clients are
allowed to access a database and how the users on those clients must
authenticate themselves.
Each database system contains a file named <bf>pg_hba.conf</bf>, in its
<bf>$PGDATA</bf> directory, which controls who
can connect to each database.
Every client accessing a database must be covered by one of the
entries in <bf>pg_hba.conf</bf>. Otherwise all
attempted connections from that client will be rejected with a
<bf>"User authentication failed"</bf> error message.
See online man page of <bf>pg_hba.conf(5)</bf> (man 5 pg_hba.conf).
The general format of the <bf>pg_hba.conf</bf> file is of a set of records, one
per line. Blank lines and lines
beginning with a hash character ("#") are ignored. A record is made up of
a number of fields which
are
separated by spaces and/or tabs.
Connections from clients can be made using Unix domain sockets or Internet
domain sockets (ie.
TCP/IP). Connections made using Unix domain sockets are controlled using
records of the following
format:
<code>
local database authentication method
</code>
where
<bf>database</bf> specifies the database that this record applies to. The value
<bf>all</bf> specifies that it applies to
all databases.
<bf>authentication method</bf> specifies the method a user must use to authenticate
themselves when
connecting to that database using Unix domain sockets. The different
methods are described
below.
Connections made using Internet domain sockets are controlled using
records of the following format.
<code>
host database TCP/IP-address TCP/IP-mask authentication method
</code>
The <bf>TCP/IP</bf> address is <it>logically and'ed</it> to both the specified TCP/IP mask
and the TCP/IP address of the
connecting client. If the two resulting values are equal then the record
is used for this connection. If a
connection matches more than one record then the earliest one in the
file is used. Both the TCP/IP
address and the TCP/IP mask are specified in dotted decimal notation.
If a connection fails to match any record then the reject authentication
method is applied (see <ref id="auth_method" name="Authentication Methods">).
<!--
*******************************************
************ End of Section ***************
*******************************************
-->
<sect1> Authentication Methods <label id="auth_method">
<p>
The following authentication methods are supported for both Unix and TCP/IP domain sockets:
<itemize>
<item> <bf>trust</bf>
The connection is allowed unconditionally.
<item> <bf>reject</bf>
The connection is rejected unconditionally.
<item> <bf>crypt</bf>
The client is asked for a password for the user. This is sent encrypted (using crypt(3)) and compared
against the password held in the pg_shadow table. If the passwords match, the connection is allowed.
<item> <bf>password</bf>
The client is asked for a password for the user. This is sent in clear and compared against the
password held in the <bf>pg_shadow</bf> table. If the passwords match, the connection is allowed. An
optional password file may be specified after the password keyword which is used to match the
supplied password rather than the <bf>pg_shadow</bf> table. See <bf>pg_passwd</bf>.
</itemize>
The following authentication methods are supported for TCP/IP domain sockets only:
<itemize>
<item> <bf>krb4</bf>
Kerberos V4 is used to authenticate the user.
<item> <bf>krb5</bf>
Kerberos V5 is used to authenticate the user.
<item> <bf>ident</bf>
The ident server on the client is used to authenticate the user (RFC 1413). An optional map name
may be specified after the <bf>ident</bf> keyword which allows ident user names to be mapped onto Postgres
user names. Maps are held in the file <bf>$PGDATA/pg_ident.conf</bf>.
</itemize>
Here are some examples:
<code>
# Trust any connection via Unix domain sockets.
local trust
# Trust any connection via TCP/IP from this machine.
host all 127.0.0.1 255.255.255.255 trust
# We don't like this machine.
host all 192.168.0.10 255.255.255.0 reject
# This machine can't encrypt so we ask for passwords in clear.
host all 192.168.0.3 255.255.255.0 password
# The rest of this group of machines should provide encrypted passwords.
host all 192.168.0.0 255.255.255.0 crypt
</code>
<!--
*******************************************
************ End of Section ***************
*******************************************
-->
<sect1> Access Control
<p>
Postgres provides mechanisms to allow users to limit the access to their data that is provided to other
users.
<itemize>
<item> <bf>Database superusers</bf>
Database super-users (i.e., users who have <bf>pg_user.usesuper</bf> set) silently bypass all of the access
controls described below with two exceptions: manual system catalog updates are not permitted if the
user does not have <bf>pg_user.usecatupd</bf> set, and destruction of system catalogs (or modification of their
schemas) is never allowed.
<item> <bf>Access Privilege</bf>
The use of access privilege to limit reading, writing and setting of rules on
classes is covered in SQL <bf>grant/revoke(l)</bf>.
<item> <bf>Class removal and schema modification</bf>
Commands that destroy or modify the structure of an existing class, such as alter, drop table, and
drop index, only operate for the owner of the class. As
mentioned above, these operations are never
permitted on system catalogs.
</itemize>
<!--
*******************************************
************ End of Section ***************
*******************************************
-->
<sect1> Secure TCP/IP Connection via SSH
<p>
You can use <bf>ssh</bf> to encrypt the network connection between clients and a Postgres server. Done properly,
this should lead to an adequately secure network connection.
The documentation for <bf>ssh</bf> provides most of the information to get started. Please refer to
<url url="http://www.heimhardt.de/htdocs/ssh.html"> for better insight.
A step-by-step explanation can be done in just two steps.
<bf>Running a secure tunnel via ssh: </bf>
A step-by-step explanation can be done in just two steps.
<itemize>
<item> Establish a tunnel to the back-end machine, like this:
<code>
ssh -L 3333:wit.mcs.anl.gov:5432 postgres@wit.mcs.anl.gov
</code>
<item> The first number in the <bf>-L</bf> argument, <bf>3333</bf>, is the port number of your end of the tunnel. The
second number, <bf>5432</bf>, is the remote end of the tunnel -- the port number your backend is using.
The name or the address in between the port numbers belongs to the server machine, as does the
last argument to <bf>ssh</bf> that also includes the optional user name. Without the user name, <bf>ssh</bf> will try
the name you are currently logged on as on the client machine. You can use any user name the
server machine will accept, not necessarily those related to postgres.
<item> Now that you have a running <bf>ssh</bf> session, you can connect a postgres client to your local host at the
port number you specified in the previous step. If it's <bf>psql</bf>, you will need another shell because the
shell session you used in step 1 is now occupied with <bf>ssh</bf>.
<code>
psql -h localhost -p 3333 -d mpw
</code>
<item> Note that you have to specify the <bf>-h</bf> argument to cause your client to use the TCP socket instead
of the Unix socket. You can omit the port argument if you chose <bf>5432</bf> as your end of the tunnel.
</itemize>
<!--
*******************************************
************ End of Section ***************
*******************************************
-->
<sect1> Kerberos Authentication
<p>
Kerberos is an industry-standard secure authentication system suitable for distributed computing over a
public network.
<bf>Availability: </bf>
The Kerberos authentication system is not distributed with Postgres. Versions of Kerberos are typically
available as optional software from operating system vendors. In addition, a source code distribution may
be obtained through MIT Project Athena.
<code>
Note: You may wish to obtain the MIT version even if your vendor provides a version, since
some vendor ports have been deliberately crippled or rendered non-interoperable with the MIT
version.
</code>
Inquiries regarding your Kerberos should be directed to your vendor or MIT Project Athena. Note that
FAQLs (Frequently-Asked Questions Lists) are periodically posted to the Kerberos mailing list (send mail
to subscribe), and USENET news group.
<bf>Installation: </bf>
Installation of Kerberos itself is covered in detail in the Kerberos Installation Notes . Make sure that the
server key file (the <bf>srvtab</bf> or <bf>keytab</bf>) is somehow readable by the Postgres account.
Postgres and its clients can be compiled to use either Version 4 or Version 5 of the MIT Kerberos
protocols by setting the KRBVERS variable in the file <bf>src/Makefile.global</bf> to the appropriate value. You
can also change the location where Postgres expects to find the associated libraries, header files
and its
own server key file.
After compilation is complete, Postgres must be registered as a Kerberos service. See the Kerberos
Operations Notes and related manual pages for more details on registering services.
<bf>Operation: </bf>
After initial installation, Postgres should operate in all ways as a normal Kerberos service. For details on
the use of authentication, see the <it>PostgreSQL User's Guide</it> reference sections for <bf>postmaster</bf> and <bf>psql</bf>.
In the Kerberos Version 5 hooks, the following assumptions are made about user and service naming(also, see Table below):
<itemize>
<item> User principal names (anames) are assumed to contain the actual Unix/Postgres user name in the
first component.
<item> The Postgres service is assumed to be have two components, the service name and a hostname,
canonicalized as in Version 4 (i.e., with all domain suffixes removed).
</itemize>
<code>
Table: Kerberos Parameter Examples
------------------------------------------------------
Parameter Example
------------------------------------------------------
user frew@S2K.ORG
user aoki/HOST=miyu.S2K.Berkeley.EDU@S2K.ORG
host postgres_dbms/ucbvax@S2K.ORG
------------------------------------------------------
</code>
<!--
*******************************************
************ End of Section ***************
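Review bot: the pg_hba.conf examples contradict the record format given earlier in the same hunk. "local trust" omits the database field that the format "local database authentication method" requires; it should read "local all trust". The netmasks on the host records are also wrong for what the comments describe: "host all 192.168.0.10 255.255.255.0 reject" matches the entire 192.168.0.0/24 network, not the single unwanted machine, and the same applies to "host all 192.168.0.3 255.255.255.0 password". Because the text states that the earliest matching record wins, the final "192.168.0.0 255.255.255.0 crypt" line is never reached and every host on that subnet is rejected; single-host records need 255.255.255.255. Smaller points: "$PG_DATA" in the overview should be "$PGDATA" as used everywhere else in the section, "priveleges" should be "privileges", and the sentence "A step-by-step explanation can be done in just two steps." appears twice in the SSH section.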
@ -997,16 +1652,22 @@ add it to regression test package.
<sect>GUI FrontEnd Tool for PostgreSQL (Graphical User Interface)
<p>
Web browser will be the most popular GUI front-end in the future.
A major portion of code should be written in Web server scripting (and compiling)
language <ref id="PHP" name="PHP+Zend compiler">, HTML, DHTML
and with little bit of JavaScript and Java-Applets on web-client side.
It is recommended that you migrate all of your "legacy" Windows 95/NT
applications to PHP + HTML + DHTML and Zend compiler. <bf>PHP</bf> is extremely
applications to Web-based application.
You should use Web-Application Servers like <ref id="Enhydra"> (Java based)
or <ref id="Zope"> (Python based).
Best web-scripting (and compiling) language
is <ref id="PHP" name="PHP+Zend compiler">
<bf>PHP</bf> is extremely
powerful as it combines the power of Perl, Java, C++, Javascript into one
single language and it runs on all OSes - unixes and Windows NT/95.
The best tools in the order of preference are -
<itemize>
<item> Enhydra at <ref id="Enhydra"> plus Borland Java JBuilder for Linux <url url="http://www.inprise.com">
<item> Zope at <ref id="Zope">
<item> PHP script and Zend compiler at <ref id="PHP" name="PHP+Zend compiler">
<item> X-Designer supports C++, Java and MFC <url url="http://www.ist.co.uk/xd">
<item> Qt for Windows95 and Unix at <url url="http://www.troll.no"> and <url url="ftp://ftp.troll.no">
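Review bot: the new line "applications to Web-based application." should read "Web-based applications", and "Best web-scripting (and compiling) language is <ref id="PHP" name="PHP+Zend compiler">" has no full stop before the next sentence; suggest "The best web-scripting (and compiling) language is PHP with the Zend compiler."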
@ -1019,6 +1680,9 @@ The best tools in the order of preference are -
Language choices in the order of preference are -
<enum>
<item> Java but its programs run very slow and has license
fees. C++ is <bf>5 times faster</bf> than Java!!
<item> Python (Powerful object oriented scripting language).
<item> PHP Web server scripting, HTML, DHTML with Javascrpt client scripting and Java-Applets.
<item> Perl scripting language using Perl-Qt or Perl-Tk <ref id="Perl Database Interface">
<item> Omnipresent and Omnipotent language C++ (GNU g++):
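Review bot: the Java item moved to the top of the list now says "C++ is 5 times faster than Java!!" while the line it replaces further down said "20 times faster"; neither figure is sourced and any such ratio depends on the workload and JVM, so either cite the benchmark the number comes from or drop it ("Java programs can run noticeably slower than C++"). Also "its programs run very slow and has license fees" should be "run very slowly and have license fees".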
@ -1027,8 +1691,6 @@ Language choices in the order of preference are -
<item> GNU C++ and QtEZ or QT
<item> GNU C++ with Lesstiff or Motif.
</itemize>
<item> Java but its programs run very slow and has license
fees. C++ is <bf>20 times faster</bf> than Java!!
</enum>
There are other tools available -
@ -1759,6 +2421,41 @@ it at
<htmlurl url="mailto:de@ucolick.org"
name="de@ucolick.org">
</itemize>
<!--
*******************************************
************ End of Section ***************
*******************************************
<chapt>CPUs for PostgreSQL
-->
<sect>CPUs for PostgreSQL
<p>
The following CPUs (both 64-bit and 32-bit) are available for PostgreSQL. All these
CPUs run Linux.
<itemize>
<item> GNU/GPL Freedom 64-bit F-CPU <url url="http://f-cpu.tux.org">
<item> Russian E2k 64-bit CPU (The world's fastest CPU as of June, 2000 ???!!!)
website : <url url="http://www.elbrus.ru/roadmap/e2k.html">
Elbrus is now partnered (alliance) with Sun Microsystems of USA
<item> Korean CPU from Samsung 64-bit CPU original from DEC Alpha
<url url="http://www.samsungsemi.com">
Alpha-64bit CPU is at <url url="http://www.alpha-processor.com">
Now there is collaboration between Samsumg, Compaq of USA on Alpha CPU
<item> Intel IA 64 <url url="http://developer.intel.com/design/ia-64">
<item> Transmeta crusoe CPU and in near future Transmeta's 64-bit CPU
<item> Sun Ultra-sparc 64-bit CPU
<item> Silicon Graphics MIPS Architecture CPUs <url url="http://www.sgi.com/processors">
<item> IBM Power PC (motorola) <url url="http://www.motorola.com/SPS/PowerPC/index.html">
<item> Seimens Pyramid CPU from Pyramid Technologies
<item> Intel X86 series 32-bit CPUs Pentiums, Celeron etc..
<item> AMDs X86 series 32-bit CPUs K-6, Athlon etc..
<item> National's Cyrix X86 series 32-bit CPUs Cyrix etc..
<item> European Space Agency's ESA-32bit and ESA-64bit CPUs
<item> Other CPUs from other countries ?? Let me know...
</itemize>
<!--
*******************************************
************ End of Section ***************
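Review bot: several names in the new CPU list are misspelled: "Seimens" (Siemens), "Samsumg" (Samsung); "Ultra-sparc" is normally written UltraSPARC. The parenthetical "The world's fastest CPU as of June, 2000 ???!!!" is an unverified claim whose punctuation signals the author's own doubt; either cite a figure from the linked E2k roadmap or remove it. The last item, "Other CPUs from other countries ?? Let me know...", is a request for contributions rather than list content and belongs in the prose above the list.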
@ -1813,6 +2510,15 @@ only intel box, 13" monochrome monitor (very low cost monitor). Local vendors
sell just the hardware <bf>without</bf> any Microsoft Windows/DOS.
You do not need a color monitor for the database server, as you can do
remote administration from color PC workstation.
You can buy bare-bone computer hardware from online stores. You can get good
rates in "Online Auctions"
<itemize>
<item>Online store and auction hall <url url="http://www.egghead.com">
<item>Online store <url url="http://www.buy.com">
<item>Bidding store <url url="http://www.ubid.com">
</itemize>
Get RedHat (or some other distribution of) Linux cdrom from below -
<itemize>
<item>Linux System Labs Web site: <url url="http://www.lsl.com/"> 7 (U.S. dollars)
@ -1851,14 +2557,20 @@ BEA Weblogic.
-->
<sect1> Enhydra
<sect1> Lutris Corp "Enhydra" <label id="Enhydra">
<p>
Enhydra is a immensely popular Web-Application-Server created by 'Lutris Corporation'.
Enhydra supports PostgreSQL database.
Enhydra is a immensely popular Java/XML Web-Application-Server created by 'Lutris Corporation'. It is the world's best Java/XML Web-Application server.
It supports EJB, Servlets, JSP, JNDI, JDBC, JTA, CORBA, XMLC/Rocks, DODS
and internationalization.
It is written in 100% pure Java and is available from
<url url="http://www.enhydra.org">. Enhydra is a open-sourcecode project but is
<url url="http://www.enhydra.org">. Enhydra is a open source code project but is
commercially sold and supported by Lutris Corp. Visit
<url url="http://www.lutris.com">
You would use Borland Corp's JBuilder along with Enhydra. JBuilder is at
<url url="http://www.inprise.com">
See also Enterprise Java HOWTO at
<url url="http://www.linuxdoc.org/HOWTO/Enterprise-Java-for-Linux-HOWTO.html">
<!--
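Review bot: "Enhydra is a immensely popular" should be "an immensely popular" (the typo is carried over from the removed line into the new one), and "It is the world's best Java/XML Web-Application server" is a marketing claim with nothing behind it; keep the feature list (EJB, Servlets, JSP, JNDI, JDBC, JTA, CORBA, XMLC/Rocks, DODS) and drop the superlative. "open source code project" reads better as "open-source project".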
@ -1870,7 +2582,7 @@ See also Enterprise Java HOWTO at
-->
<sect1> Zope
<sect1> Zope <label id="Zope">
<p>
Python is becoming immensely popular "pure" object-oriented scripting language.
Zope is a Web-Application server and provides interfaces to PostgreSQL.
@ -2426,9 +3138,9 @@ with full source code you will probably like PHP.
*******************************************
************ End of Section ***************
*******************************************
-->
<sect1>
Major Features
<sect1> Major Features
<p>
<itemize>
<item>Standard CGI, FastCGI and Apache module support -
@ -2742,6 +3454,25 @@ this option if you like.
************ End of Section ***************
*******************************************
-->
<sect1> PHPGem package
<p>
PHPGem is a PHP-script which accelerates the creation of PHP-scripts
for working with tables. It works with different SQL-servers such as
PostgreSQL, MySQL, mSQL, ODBC, and Adabas. You input a description of
and parameters for your tables' fields (field name, on/off searching
in the field, etc.), and PHPGem outputs another PHP-script which will
work with the tables (view/add/edit/delete/duplicate entries and
search). PHPGem works with multi-level nested tables. PHPGem allows
you to specify a level of access for each table and for each field for
each user. PHPGem also support images.
PHPGem is at <url url="http://sptl.org/phpgem">
<!--
*******************************************
************ End of Section ***************
*******************************************
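Review bot: "PHPGem also support images" should be "supports images". Since the paragraph says PHPGem "allows you to specify a level of access for each table and for each field for each user", it would help readers to say whether that access control lives only in the generated PHP scripts or is backed by database privileges, as the two give very different guarantees; if the source does not say, leave the sentence as a description of the tool's feature rather than a security property.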
@ -4932,7 +5663,29 @@ Compiling the source you will get the following commands like
<item>sgml2latex databasehowto.sgml (to generate latex file)
</itemize>
This document is located at -
LaTeX documents may be converted into PDF files simply by
producing a Postscript output using <bf>sgml2ps</bf> ( or dvips) and running the
output through the Acrobat <bf>distill</bf> (<url url="http://www.adobe.com">) command as follows:
<code>
bash$ man sgml2latex
bash$ sgml2latex filename.sgml
bash$ man dvips
bash$ dvips -o filename.ps filename.dvi
bash$ distill filename.ps
bash$ man ghostscript
bash$ man ps2pdf
bash$ ps2pdf input.ps output.pdf
bash$ acroread output.pdf &
</code>
Or you can use Ghostscript command <bf>ps2pdf</bf>.
ps2pdf is a work-alike for nearly all the functionality of
Adobe's Acrobat Distiller product: it
converts PostScript files to Portable Document Format (PDF) files.
<bf>ps2pdf</bf> is implemented as a very small command script (batch file) that invokes Ghostscript, selecting a special "output device"
called <bf>pdfwrite</bf>. In order to use ps2pdf, the pdfwrite device must be included in the makefile when Ghostscript was compiled;
see the documentation on building Ghostscript for details.
This howto document is located at -
<itemize>
<item> <url url="http://sunsite.unc.edu/LDP/HOWTO/PostgreSQL-HOWTO.html">
</itemize>
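Review bot: the prose says the PostScript is produced "using sgml2ps (or dvips)" but the command block runs sgml2latex followed by dvips, and the file names inside the block do not line up: dvips writes filename.ps and distill is run on filename.ps, yet ps2pdf is then run on input.ps / output.pdf and acroread on output.pdf. Use one name throughout ("bash$ ps2pdf filename.ps filename.pdf", "bash$ acroread filename.pdf &"). The block also chains the two alternatives (distill and ps2pdf) as if both were required, while the text below presents ps2pdf as the replacement for distill; split them into two blocks, or put an "or" between the distill and ps2pdf steps.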
@ -4997,11 +5750,13 @@ You can read the latex, LyX output using LyX a X-Windows front end to latex.
<chapt change> Copyright Notice
<chapt change> Copyright and License
-->
<sect> Copyright Notice
<sect> Copyright and License
<p>
Copyright policy is GNU/GPL as per LDP (Linux Documentation project).
Copyright Al Dev (Alavoor Vasudevan) 1997-2000.
License policy is GNU/GPL as per LDP (Linux Documentation project).
LDP is a GNU/GPL project.
Additional restrictions are - you must retain the author's name, email address
and this copyright notice on all the copies. If you make any changes
@ -7704,6 +8459,18 @@ The following are the sites suggested by John Hoffman:
*******************************************
************ End of Section ***************
*******************************************
-->
<sect1> On-line SQL tutorials
<p>
Visit the following sites for on-line SQL tutorials
<itemize>
<item> SQL beginner course <url url="http://sqlcourse.com">
<item> SQL advanced course <url url="http://sqlcourse2.com">
</itemize>
<!--
*******************************************
************ End of Section ***************
*******************************************