mirror of https://github.com/tLDP/LDP
updated
parent
0b5e3a56c8
commit
2e5f44ace4
|
@ -4,9 +4,9 @@
|
|||
|
||||
<article>
|
||||
|
||||
<title>Linux AI & Alife HOWTO
|
||||
<title>GNU/Linux AI & Alife HOWTO
|
||||
<author>by <htmlurl url="mailto:jae@NOSPAM-zhar.net" name="John Eikenberry">
|
||||
<date>v1.3, 02 April 2000
|
||||
<date>v1.4, 23 June 2000
|
||||
|
||||
<!-- hhmts start -->
|
||||
<!-- hhmts end -->
|
||||
|
@ -14,7 +14,7 @@
|
|||
<abstract>
|
||||
This howto mainly contains information about, and links to,
|
||||
various AI related software libraries, applications, etc.
|
||||
that work on the Linux platform. All of it is (at least)
|
||||
that work on the GNU/Linux platform. All of it is (at least)
|
||||
free for personal use.
|
||||
|
||||
The new master page for this document is
|
||||
|
@ -29,22 +29,21 @@ The new master page for this document is
|
|||
<sect1>Purpose
|
||||
<p>
|
||||
|
||||
The Linux OS has evolved from its origins in hackerdom to a full blown
|
||||
UNIX, capable of rivaling any commercial UNIX. It now provides an
|
||||
inexpensive base to build a great workstation. It has shed its
|
||||
hardware dependencies, having been ported to DEC Alphas, Sparcs,
|
||||
PowerPCs, with others on the way. This potential speed
|
||||
boost along with its networking support will make it great for
|
||||
workstation clusters. As a workstation it allows for all sorts of
|
||||
research and development, including artificial intelligence and
|
||||
artificial life.
|
||||
The GNU/Linux OS has evolved from its origins in hackerdom to a full
|
||||
blown UNIX, capable of rivaling any commercial UNIX. It now provides
|
||||
an inexpensive base to build a great workstation. It has shed its
|
||||
hardware dependencies, having been ported to DEC Alphas, Sparcs,
|
||||
PowerPCs, and many others. This potential speed boost along with its
|
||||
networking support will make it great for workstation clusters. As a
|
||||
workstation it allows for all sorts of research and development,
|
||||
including artificial intelligence and artificial life.
|
||||
|
||||
|
||||
The purpose of this Mini-Howto is to provide a source to find out
|
||||
about various software packages, code libraries, and anything else
|
||||
that will help someone get started working with (and find resources
|
||||
for) artificial intelligence and artificial life. All done with Linux
|
||||
specifically in mind.
|
||||
for) artificial intelligence, artificial life, etc. All done with
|
||||
GNU/Linux specifically in mind.
|
||||
|
||||
|
||||
<sect1>Where to find this software
|
||||
|
@ -79,7 +78,7 @@ a bit of work. So please be patient (I do have other projects). I hope you
|
|||
will find this document helpful.
|
||||
|
||||
<sect1>Copyright/License
|
||||
|
||||
<p>
|
||||
Copyright (c) 1996-2000 John A. Eikenberry
|
||||
|
||||
LICENSE
|
||||
|
@ -151,6 +150,21 @@ LICENSE
|
|||
|
||||
|
||||
<descrip>
|
||||
|
||||
<label id="ACL2">
|
||||
<tag/ACL2/
|
||||
<itemize>
|
||||
<item>Web site: <htmlurl
|
||||
url="http://ww.telent.net/cliki/ACL2"
|
||||
name="www.telent.net/cliki/ACL2">
|
||||
</itemize>
|
||||
|
||||
ACL2 (A Computational Logic for Applicative Common Lisp) is a theorem
|
||||
prover for industrial applications. It is both a mathematical logic and
|
||||
a system of tools for constructing proofs in the logic. ACL2 works
|
||||
with GCL (GNU Common Lisp).
|
||||
|
||||
|
||||
<label id="AI Search II">
|
||||
<tag/AI Search II/
|
||||
<itemize>
|
||||
|
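Review bot: The new ACL2 entry's link has a typo in the host: `url="http://ww.telent.net/cliki/ACL2"` is missing a `w`, while the visible text on the next line reads `name="www.telent.net/cliki/ACL2"`. The url attribute is what readers actually follow, so it should be `http://www.telent.net/cliki/ACL2` to match the displayed name.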
@ -223,8 +237,6 @@ LICENSE
|
|||
</itemize>
|
||||
|
||||
|
||||
|
||||
|
||||
<label id="Nyquist">
|
||||
<tag/Nyquist/
|
||||
<itemize>
|
||||
|
@ -597,8 +609,23 @@ LICENSE
|
|||
calculator and has an embedded equational programming system.
|
||||
|
||||
|
||||
<label id="NICOLE">
|
||||
<tag/NICOLE/
|
||||
<itemize>
|
||||
<item>Web site: <htmlurl
|
||||
url="http://nicole.sourceforge.net/"
|
||||
name="nicole.sourceforge.net">
|
||||
</itemize>
|
||||
|
||||
It is an attempt to simulate a conversation by learning how words are
|
||||
related to other words. A Human communicates with NICOLE via the
|
||||
keyboard and NICOLE responds back with its own sentences which are
|
||||
automatically generated, based on what NICOLE has stored in it's
|
||||
database. Each new sentence that has been typed in, and NICOLE doesn't
|
||||
know about it, it is included into NICOLE's database, thus extending
|
||||
the knowledge base of NICOLE.
|
||||
|
||||
|
||||
|
||||
<label id="PVS">
|
||||
<tag/PVS/
|
||||
<itemize>
|
||||
|
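Review bot: The NICOLE description opens with "It is an attempt to simulate a conversation" without ever naming its subject; starting with "NICOLE is an attempt ..." would read correctly on its own, as the other entries do. Two smaller points in the same paragraph: "it's database" should be the possessive "its database", and the sentence beginning "Each new sentence that has been typed in, and NICOLE doesn't know about it, it is included ..." is a run-on that would be clearer as "Each new sentence typed in that NICOLE does not already know is added to its database".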
@ -788,6 +815,15 @@ LICENSE
|
|||
has limited support for second order models (probability
|
||||
distributions on parameters).
|
||||
|
||||
<label id="bpnn.py">
|
||||
<tag/bpnn.py/
|
||||
<itemize>
|
||||
<item>Web site: <htmlurl
|
||||
url="http://www.enme.ucalgary.ca/~nascheme/python/"
|
||||
name="www.enme.ucalgary.ca/~nascheme/python/">
|
||||
</itemize>
|
||||
|
||||
A simple back-propogation ANN in Python.
|
||||
|
||||
|
||||
<label id="CONICAL">
|
||||
|
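Review bot: Spelling in the added bpnn.py entry: "back-propogation" should be "back-propagation".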
@ -2142,6 +2178,24 @@ LICENSE
|
|||
</itemize>
|
||||
|
||||
|
||||
<label id="Cyphesis">
|
||||
<tag/Cyphesis/
|
||||
<itemize>
|
||||
<item>Web site: <htmlurl
|
||||
url="http://www.worldforge.org/website/servers/cyphesis/"
|
||||
name="www.worldforge.org/website/servers/cyphesis/">
|
||||
</itemize>
|
||||
|
||||
Cyphesis will be the AI Engine, or more plainly, the intelligence
|
||||
behind Worldforge (WF). Cyphesis will aims to achieve 'live'
|
||||
virtual worlds. Animals will have young, prey on each other and
|
||||
eventually die. Plants grow, flower, bear fruit and even die just
|
||||
as they do in real life. When completed, NPCs in Cyphesis will do
|
||||
all sorts of interesting things like attempt to acomplish
|
||||
ever-changing goals that NPCs set for themselves, gossip to PCs and
|
||||
other NPCs, live, die and raise children. Cyphesis aims to make
|
||||
NPCs act just like you and me.
|
||||
|
||||
|
||||
<label id="dblife-dblifelib">
|
||||
<tag/dblife & dblifelib/
|
||||
|
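Review bot: Grammar in the added Cyphesis description: "Cyphesis will aims to achieve 'live' virtual worlds" needs either "will aim" or "aims", and "acomplish" should be "accomplish". The paragraph also switches between future tense ("will be the AI Engine") and present ("Plants grow, flower, bear fruit"); since the text itself says "When completed", keeping the whole description in the future tense would be consistent.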
@ -2181,6 +2235,25 @@ LICENSE
|
|||
framework, but Drone can be used with any simulation program that
|
||||
reads parameters from the command line or from an input file.
|
||||
|
||||
<label id="EBISS">
|
||||
<tag/EBISS/
|
||||
<itemize>
|
||||
<item>Web site: <htmlurl url="http://www.ebiss.org/english/"
|
||||
name="www.ebiss.org/english/">
|
||||
</itemize>
|
||||
|
||||
EBISS is a multi-disciplinary, open, collaborative project aimed
|
||||
at investigating social problems by means of computational
|
||||
modeling and social simulations. During the past four years we
|
||||
have been developing SARA, a multi-agent gaming simulation
|
||||
platform providing for easy construction of simulations and gamings.
|
||||
|
||||
We believe that in order to have a break-through in the difficult
|
||||
task of understanding real-world complex social
|
||||
problems, we need to gather researchers and experts with different
|
||||
backgrounds not only in discussion forums, but in a
|
||||
tighter cooperative task of building and sharing common
|
||||
experimental platforms.
|
||||
|
||||
|
||||
<label id="EcoLab">
|
||||
|
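Review bot: The EBISS description is lifted verbatim in the first person ("During the past four years we have been developing SARA", "We believe that ..."), so in the HOWTO it reads as the HOWTO author's own claim, and "the past four years" will silently go stale. Either mark it as a quotation from the project's site or rephrase it in the third person ("The project has developed SARA, a multi-agent gaming simulation platform ..."), as the surrounding entries do.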
@ -2526,6 +2599,25 @@ name="theory.org/software/ant/">
|
|||
supports J-AAPI.
|
||||
|
||||
|
||||
<label id="A.L.I.C.E.">
|
||||
<tag/A.L.I.C.E./
|
||||
<itemize>
|
||||
<item>Web site: <htmlurl
|
||||
url="http://www.alicebot.org/"
|
||||
name="www.alicebot.org">
|
||||
</itemize>
|
||||
|
||||
The ALICE software implements AIML (Artificial Intelligence Markup
|
||||
Language), a non-standard evolving markup language for creating chat
|
||||
robots. The primary design feature of AIML is minimalism. Compared with
|
||||
other chat robot languages, AIML is perhaps the simplest. The pattern
|
||||
matching language is very simple, for example permitting only one
|
||||
wild-card ('*') match character per pattern. AIML is an XML language,
|
||||
implying that it obeys certain grammatical meta-rules. The choice of
|
||||
XML syntax permits integration with other tools such as XML editors.
|
||||
Another motivation for XML is its familiar look and feel, especially to
|
||||
people with HTML experience.
|
||||
|
||||
|
||||
<label id="Ara">
|
||||
<tag/Ara/
|
||||
|
@ -2561,6 +2653,43 @@ name="theory.org/software/ant/">
|
|||
developers to build flexible open distributed systems that make optimal
|
||||
use of existing applications.
|
||||
|
||||
<label id="Bots">
|
||||
<tag/Bots/
|
||||
<itemize>
|
||||
<item>Web site: <htmlurl
|
||||
url="http://utenti.tripod.it/Claudio1977/bots.html"
|
||||
name="utenti.tripod.it/Claudio1977/bots.html">
|
||||
</itemize>
|
||||
|
||||
Another AI-robot battle simulation. Utilizing probablistic logic as a
|
||||
machine learning technique. Written in C++ (with C++ bots).
|
||||
|
||||
|
||||
<label id="Cadaver">
|
||||
<tag/Cadaver/
|
||||
<itemize>
|
||||
<item>Web site: <htmlurl
|
||||
url="http://www.erikyyy.de/cadaver/"
|
||||
name="www.erikyyy.de/cadaver/">
|
||||
</itemize>
|
||||
|
||||
Cadaver is a simulated world of cyborgs and nature in realtime. The
|
||||
battlefield consists of forests, grain, water, grass, carcass (of
|
||||
course) and lots of other things. The game server manages the game and
|
||||
the rules. You start a server and connect some clients. The clients
|
||||
communicate with the server using a very primitive protocol. They can
|
||||
order cyborgs to harvest grain, attack enemies or cut forest. The game
|
||||
is not intended to be played by humans! There is too much to control.
|
||||
Only for die-hards: Just telnet to the server and you can enter
|
||||
commands by hand. Instead the idea is that you write artificial
|
||||
intelligence clients to beat the other artificial intelligences. You
|
||||
can choose a language (and operating system) of your choice to do that
|
||||
task. It is enough to write a program that communicates on standard
|
||||
input and standard output channels. Then you can use programs like
|
||||
"socket" to connect your clients to the server. It is NOT needed to
|
||||
write TCP/IP code, although i did so :) The battle shall not be boring,
|
||||
and so there is the so called spyboss client that displays the action
|
||||
graphically on screen.
|
||||
|
||||
|
||||
<label id="Dunce">
|
||||
|
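Review bot: Spelling in the added Bots entry: "probablistic logic" should be "probabilistic logic". The Cadaver paragraph is again pasted in the first person ("although i did so :)"), with a lowercase "i"; if it is kept as the author's text rather than a quotation, at least the pronoun should be capitalised, and "Only for die-hards: Just telnet to the server" would read better with a lowercase "just".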
@ -2843,6 +2972,18 @@ name="members.home.net/marcush/IRS/">
|
|||
algorithm. It is mainly oriented toward to researchers studying autonomous
|
||||
agents.
|
||||
|
||||
<label id="lyntin">
|
||||
<tag/lyntin/
|
||||
<itemize>
|
||||
<item>Web site: <htmlurl
|
||||
url="http://lyntin.sourceforge.net/"
|
||||
name="lyntin.sourceforge.net/">
|
||||
</itemize>
|
||||
|
||||
Lyntin is an extensible Mud client and framework for the creation of
|
||||
autonomous agents, or bots, as well as mudding in general. Lyntin is
|
||||
centered around Python, a dynamic, object-oriented, and fun programming
|
||||
language and based on TinTin++ a lovely mud client.
|
||||
|
||||
|
||||
<label id="Mole">
|
||||
|
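Review bot: Minor consistency point in the lyntin entry: `name="lyntin.sourceforge.net/"` keeps a trailing slash, whereas the other SourceForge entries added in this change (for example `name="nicole.sourceforge.net"`) drop it. The description also wants a comma before the appositive: "based on TinTin++, a lovely mud client".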
@ -3214,6 +3355,25 @@ name="members.home.net/marcush/IRS/">
|
|||
generally considered to be one of the better lisp platforms.
|
||||
|
||||
|
||||
<label id="APRIL">
|
||||
<tag/APRIL/
|
||||
<itemize>
|
||||
<item>Web site: <htmlurl
|
||||
url="http://sourceforge.net/project/?group_id=3173"
|
||||
name="sourceforge.net/project/?group_id=3173">
|
||||
</itemize>
|
||||
|
||||
APRIL is a symbolic programming language that is designed for writing
|
||||
mobile, distributed and agent-based systems especially in an Internet
|
||||
environment. It has advanced features such as a macro sub-language,
|
||||
asynchronous message sending and receiving, code mobility, pattern
|
||||
matching, higher-order functions and strong typing. The language is
|
||||
compiled to byte-code which is then interpreted by the APRIL
|
||||
runtime-engine. APRIL now requires the InterAgent Communications Model
|
||||
(ICM) to be installed before it can be installed. [Ed. ICM can be found
|
||||
at the same web site]
|
||||
|
||||
|
||||
<label id="B-Prolog">
|
||||
<tag/B-Prolog/
|
||||
<itemize>
|
||||
|
@ -3359,12 +3519,19 @@ name="members.home.net/marcush/IRS/">
|
|||
<label id="CLisp">
|
||||
<tag/CLisp (Lisp)/
|
||||
<itemize>
|
||||
<item>FTP site: <htmlurl url="ftp://sunsite.unc.edu/pub/Linux/devel/lang/lisp/" name="sunsite.unc.edu/pub/Linux/devel/lang/lisp/">
|
||||
<item>Web page: <htmlurl
|
||||
url="http://clisp.sourceforge.net/"
|
||||
name="clisp.sourceforge.net">
|
||||
<item>FTP site: <htmlurl
|
||||
url="ftp://clisp.cons.org/pub/lisp/clisp/source/"
|
||||
name="clisp.cons.org/pub/lisp/clisp/source">
|
||||
</itemize>
|
||||
|
||||
CLISP is a Common Lisp implementation by Bruno Haible and Michael
|
||||
Stoll. It mostly supports the Lisp described by
|
||||
<htmlurl url="http://www.cs.cmu.edu/afs/cs.cmu.edu/project/ai-repository/ai/html/cltl/clm/clm.html" name="Common LISP: The Language (2nd edition)">
|
||||
<htmlurl
|
||||
url="http://www.cs.cmu.edu/afs/cs.cmu.edu/project/ai-repository/ai/html/cltl/cltl2.html"
|
||||
name="Common LISP: The Language (2nd edition)">
|
||||
and the ANSI Common Lisp
|
||||
standard. CLISP includes an interpreter, a byte-compiler, a large
|
||||
subset of CLOS (Object-Oriented Lisp) , a foreign language interface
|
||||
|
@ -3376,14 +3543,21 @@ name="members.home.net/marcush/IRS/">
|
|||
CLISP needs only 2 MB of memory.
|
||||
|
||||
|
||||
|
||||
|
||||
<label id="CMU CL">
|
||||
<tag/CMU Common Lisp/
|
||||
<itemize>
|
||||
<item>Web page: <htmlurl url="http://www.mv.com/users/pw/lisp/index.html" name="www.mv.com/users/pw/lisp/index.html">
|
||||
<item>FTP site: <htmlurl url="ftp://sunsite.unc.edu/pub/Linux/devel/lang/lisp/" name="sunsite.unc.edu/pub/Linux/devel/lang/lisp/">
|
||||
<item>Linux Installation: <htmlurl url="http://www.telent.net/lisp/howto.html" name="www.telent.net/lisp/howto.html">
|
||||
<item>Web page: <htmlurl
|
||||
url="http://www.cons.org/cmucl/"
|
||||
name="www.cons.org/cmucl/">
|
||||
<item>Old Web page: <htmlurl
|
||||
url="http://www.mv.com/users/pw/lisp/index.html"
|
||||
name="www.mv.com/users/pw/lisp/index.html">
|
||||
<item>FTP site: <htmlurl
|
||||
url="ftp://ftp2.cons.org/pub/languages/lisp/cmucl/release/"
|
||||
name="ftp2.cons.org/pub/languages/lisp/cmucl/release/">
|
||||
<item>Linux Installation: <htmlurl
|
||||
url="http://www.telent.net/lisp/howto.html"
|
||||
name="www.telent.net/lisp/howto.html">
|
||||
</itemize>
|
||||
|
||||
|
||||
|
@ -3399,7 +3573,9 @@ name="members.home.net/marcush/IRS/">
|
|||
<label id="Gnu-CL">
|
||||
<tag/GCL (Lisp)/
|
||||
<itemize>
|
||||
<item>FTP site: <htmlurl url="ftp://sunsite.unc.edu/pub/Linux/devel/lang/lisp/" name="sunsite.unc.edu/pub/Linux/devel/lang/lisp/">
|
||||
<item>FTP site: <htmlurl
|
||||
url="ftp://ftp.ma.utexas.edu/pub/gcl/"
|
||||
name="ftp.ma.utexas.edu/pub/gcl/">
|
||||
</itemize>
|
||||
|
||||
|
||||
|
@ -3545,8 +3721,12 @@ name="members.home.net/marcush/IRS/">
|
|||
<label id="RScheme">
|
||||
<tag/RScheme/
|
||||
<itemize>
|
||||
<item>Web site:<htmlurl url="http://www.rosette.com/˜donovan/rs/rscheme.html" name="www.rosette.com/˜donovan/rs/rscheme.html">
|
||||
<item>FTP site: <htmlurl url="ftp://ftp.rosette.com/pub/rscheme/" name="ftp.rosette.com/pub/rscheme">
|
||||
<item>Web site:<htmlurl
|
||||
url="http://www.rscheme.org/"
|
||||
name="www.rscheme.org">
|
||||
<item>FTP site: <htmlurl
|
||||
url="ftp://ftp.rscheme.org/pub/rscheme/"
|
||||
name="ftp.rscheme.org/pub/rscheme/">
|
||||
</itemize>
|
||||
|
||||
|
||||
|
|
|
@ -5,8 +5,8 @@
|
|||
<!-- Title information -->
|
||||
|
||||
<title>Chroot-BIND HOWTO
|
||||
<author>Scott Wunsch, <tt/scott at wunsch.org/
|
||||
<date>v1.0, 13 March 2000
|
||||
<author>Scott Wunsch, <tt>scott at wunsch.org</>
|
||||
<date>v1.1, 24 June 2000
|
||||
<abstract>
|
||||
This document describes installing the BIND 8 nameserver to run in a chroot
|
||||
jail and as a non-root user, to provide added security and minimise the
|
||||
|
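Review bot: The author line changes `<tt/scott at wunsch.org/` to `<tt>scott at wunsch.org</>`, but the rest of this change still uses the short form (`<tt/syslogd/`, `<tt/group/`, `<tt/named/`) alongside the long form. Both are valid linuxdoc, but settling on one form would make later reflows like the ones below less error-prone, since the short form breaks as soon as a reflow inserts a line break inside it.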
@ -21,28 +21,25 @@ potential effects of a security compromise.
|
|||
<sect>Introduction
|
||||
|
||||
<p>
|
||||
This is the Chroot-BIND HOWTO; see <ref id="where" Name="Where?">
|
||||
for t he master site, which contains the latest copy. It is assumed
|
||||
that you already know how to configure and use BIND (the Berkeley
|
||||
Internet Name Domain). If not, I would recommend that you read the
|
||||
DNS HOWTO first. It is also assumed that you have a basic
|
||||
familiarity with compiling and installing software on your UNIX-like
|
||||
This is the Chroot-BIND HOWTO; see <ref id="where" Name="Where?"> for the master
|
||||
site, which contains the latest copy. It is assumed that you already know how
|
||||
to configure and use BIND (the Berkeley Internet Name Domain). If not, I would
|
||||
recommend that you read the DNS HOWTO first. It is also assumed that you have
|
||||
a basic familiarity with compiling and installing software on your UNIX-like
|
||||
system.
|
||||
|
||||
<sect1>What?
|
||||
|
||||
<p>
|
||||
|
||||
This document describes some extra security precautions that you can
|
||||
take when you install BIND. It explains how to configure BIND so
|
||||
that it resides in a ``chroot jail'', meaning that it cannot see or
|
||||
access files outside its own little directory tree. We shall also
|
||||
configure it to run as a non-root user.
|
||||
This document describes some extra security precautions that you can take when
|
||||
you install BIND. It explains how to configure BIND so that it resides in a
|
||||
``chroot jail'', meaning that it cannot see or access files outside its own
|
||||
little directory tree. We shall also configure it to run as a non-root user.
|
||||
|
||||
The idea behind chroot is fairly simple. When you run BIND (or any other
|
||||
process) in a chroot jail, the process is simply unable to see any part of
|
||||
the filesystem outside the jail. For example, in this document, we'll set BIND
|
||||
up to run chrooted to the directory <tt>/chroot/named</>. Well, to BIND, the
|
||||
process) in a chroot jail, the process is simply unable to see any part of the
|
||||
filesystem outside the jail. For example, in this document, we'll set BIND up
|
||||
to run chrooted to the directory <tt>/chroot/named</>. Well, to BIND, the
|
||||
contents of this directory will appear to be <tt>/</>, the root directory.
|
||||
Nothing outside this directory will be accessible to it. You've probably
|
||||
encounted a chroot jail before, if you've ever ftped into a public system.
|
||||
|
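Review bot: The reflow fixes "t he master site" but leaves "encounted" in the trailing context line ("You've probably encounted a chroot jail before"); since this paragraph is being rewritten anyway, it should become "encountered" in the same change.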
@ -51,68 +48,72 @@ encounted a chroot jail before, if you've ever ftped into a public system.
|
|||
|
||||
<p>
|
||||
The idea behind running BIND in a chroot jail is to limit the amount of access
|
||||
any malicious individual could gain by exploiting vulnerabilities in BIND.
|
||||
It is for the same reason that we run BIND as a non-root user.
|
||||
any malicious individual could gain by exploiting vulnerabilities in BIND. It
|
||||
is for the same reason that we run BIND as a non-root user.
|
||||
|
||||
This should be considered as a supplement to the normal security precautions
|
||||
(running the latest version, using access control, etc.), not a replacement
|
||||
for them.
|
||||
(running the latest version, using access control, etc.), not a replacement for
|
||||
them.
|
||||
|
||||
If you're interested in DNS security, you might also be interested in a few
|
||||
other products. Building BIND with <url
|
||||
url="http://www.immunix.org/products.html#stackguard" name="StackGuard"> would
|
||||
probably be a good idea for even more protection. Using it is easy; it's
|
||||
just like using ordinary gcc. Also, <url
|
||||
url="http://cr.yp.to/dnscache.html" name="DNScache"> is a secure replacement
|
||||
for BIND, written by Dan Bernstein. Dan is the author of qmail, and DNScache
|
||||
appears to follow a similar philosophy.
|
||||
|
||||
<sect1>Where?<label id="where">
|
||||
|
||||
<p>
|
||||
|
||||
The latest version of this document is always available from the web site of
|
||||
the Linux/Open Source Users of Regina, Sask., at
|
||||
<url url="http://www.losurs.org/docs/howto/Chroot-BIND.html">.
|
||||
The latest version of this document is always available from the web site of the
|
||||
Linux/Open Source Users of Regina, Sask., at <url
|
||||
url="http://www.losurs.org/docs/howto/Chroot-BIND.html">.
|
||||
|
||||
BIND is available from <url url="http://www.isc.org/" name="the Internet
|
||||
Software Consortium"> at <url url="http://www.isc.org/bind.html">. As of
|
||||
this writing, the current version of BIND is 8.2.2_P5.
|
||||
Software Consortium"> at <url url="http://www.isc.org/bind.html">. As of this
|
||||
writing, the current version of BIND is 8.2.2_P5.
|
||||
|
||||
<sect1>How?
|
||||
|
||||
<p>
|
||||
I wrote this document based on my experiences in setting BIND up in a chroot
|
||||
environment. In my case, I already had an existing BIND installation in the
|
||||
form of a package that came with my Linux distribution. I'll assume that
|
||||
most of you are probably in the same situation, and will simply be transferring
|
||||
over and modifying the configuration files from your existing BIND installation,
|
||||
and
|
||||
form of a package that came with my Linux distribution. I'll assume that most
|
||||
of you are probably in the same situation, and will simply be transferring over
|
||||
and modifying the configuration files from your existing BIND installation, and
|
||||
then removing the package before installing the new one. Don't remove the
|
||||
package yet, though; we may want some files from it first.
|
||||
|
||||
If this is not the case for you, you should still be able to follow this
|
||||
document. The only difference is that, where I refer to copying an existing
|
||||
file, you first have to create it yourself. The DNS HOWTO may be helpful
|
||||
for this.
|
||||
file, you first have to create it yourself. The DNS HOWTO may be helpful for
|
||||
this.
|
||||
|
||||
<sect1>Disclaimer
|
||||
|
||||
<p>
|
||||
These steps worked for me, on my system. Your mileage may vary. This is
|
||||
but one way to approach this; there are other ways to set the same thing up
|
||||
(although the general approach will be the same).
|
||||
These steps worked for me, on my system. Your mileage may vary. This is but
|
||||
one way to approach this; there are other ways to set the same thing up
|
||||
(although the general approach will be the same). It just happens that this
|
||||
was the first way that I tried that worked, so I wrote it down.
|
||||
|
||||
My BIND experience to date has been installing on Linux servers. However,
|
||||
most of the instructions in this document should be easily applicable to other
|
||||
flavours of UNIX as well, and I shall try to point out differences of which
|
||||
I am aware.
|
||||
|
||||
</sect>
|
||||
My BIND experience to date has been installing on Linux servers. However, most
|
||||
of the instructions in this document should be easily applicable to other
|
||||
flavours of UNIX as well, and I shall try to point out differences of which I am
|
||||
aware.
|
||||
|
||||
<sect>Preparing the Jail
|
||||
|
||||
<sect1>Creating a User
|
||||
|
||||
<p>
|
||||
As mentioned in the introduction, it's not a good idea to run BIND as
|
||||
root. So, before we begin, let's create a separate user for BIND.
|
||||
Note that you should never use an existing user like <tt/nobody/
|
||||
for this purpose.
|
||||
As mentioned in the introduction, it's not a good idea to run BIND as root. So,
|
||||
before we begin, let's create a separate user for BIND. Note that you should
|
||||
never use an existing user like <tt>nobody</> for this purpose.
|
||||
|
||||
This requires adding a line something like the following to <tt>/etc/passwd</>:
|
||||
|
||||
<tscreen><verb>
|
||||
named:x:200:200:Nameserver:/chroot/named:/bin/false
|
||||
</verb></tscreen>
|
||||
|
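Review bot: The user-creation step at the end of the hunk tells the reader to add `named:x:200:200:Nameserver:/chroot/named:/bin/false` to `/etc/passwd` by hand, and then warns that the UID and GID must be unique. Hand-editing `/etc/passwd` skips the locking and uniqueness checks that `groupadd`/`useradd` (or at least `vipw`) provide, so suggesting those tools, with the hand-edited line shown only as the intended result, would make the instruction safer and keep `/etc/shadow` consistent on systems that use it. Separately, the `</sect>` closing tag is dropped before `<sect>Preparing the Jail`; linuxdoc closes sections implicitly, so that is fine, but it would be worth confirming the remaining `</sect>` tags in the document are removed the same way for consistency.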
@ -120,21 +121,18 @@ And one like this to <tt>/etc/group</>:
|
|||
<tscreen><verb>
|
||||
named:x:200:
|
||||
</verb></tscreen>
|
||||
|
||||
This creates a user and group called <tt/named/ for BIND. Make sure
|
||||
that the UID and GID (both 200 in this example) are unique on your
|
||||
system. The shell is set to <tt>/bin/false</> because this user
|
||||
will never need to log in.
|
||||
This creates a user and group called <tt>named</> for BIND. Make sure that the
|
||||
UID and GID (both 200 in this example) are unique on your system. The shell is
|
||||
set to <tt>/bin/false</> because this user will never need to log in.
|
||||
|
||||
<sect1>Directory Structure
|
||||
|
||||
<p>
|
||||
|
||||
Now, we must set up the directory structure that we will use for the
|
||||
chroot jail in which BIND will live. This can be anywhere on your
|
||||
filesystem; the truly paranoid may even want to put it on a separate
|
||||
volume. I shall assume that you will use <tt>/chroot/named</>.
|
||||
Let's start by creating the following directory structure:
|
||||
Now, we must set up the directory structure that we will use for the chroot jail
|
||||
in which BIND will live. This can be anywhere on your filesystem; the truly
|
||||
paranoid may even want to put it on a separate volume. I shall assume that you
|
||||
will use <tt>/chroot/named</>. Let's start by creating the following directory
|
||||
structure:
|
||||
|
||||
<tscreen><verb>
|
||||
/chroot
|
||||
|
@ -151,25 +149,22 @@ Let's start by creating the following directory structure:
|
|||
<sect1>Placing the BIND Data
|
||||
|
||||
<p>
|
||||
|
||||
Assuming that you have already done a conventional installation of
|
||||
BIND and are using it, you will already have an existing
|
||||
<tt/named.conf/ and zone files. These files must now be moved (or
|
||||
copied, to be safe) into the chroot jail, so that BIND can get at
|
||||
them. <tt/named.conf/ goes in <tt>/chroot/named/etc</>, and the
|
||||
zone files can go in <tt>/chroot/named/etc/namedb</>. For example:
|
||||
Assuming that you have already done a conventional installation of BIND and are
|
||||
using it, you will already have an existing <tt>named.conf</> and zone files.
|
||||
These files must now be moved (or copied, to be safe) into the chroot jail, so
|
||||
that BIND can get at them. <tt>named.conf</> goes in <tt>/chroot/named/etc</>,
|
||||
and the zone files can go in <tt>/chroot/named/etc/namedb</>. For example:
|
||||
<tscreen><verb>
|
||||
# cp -p /etc/named.conf /chroot/named/etc/
|
||||
|
||||
# cp -a /var/named/* /chroot/named/etc/namedb/
|
||||
</verb></tscreen>
|
||||
BIND will likely need to write to the <tt/namedb/ directory, and
|
||||
probably some of the files in it. For example, if your DNS serves
|
||||
as a slave for a zone, it will have to update that zone file. Also,
|
||||
BIND can dump statistical information, and does so in this
|
||||
directory. For that reason, you should probably make the <tt/named/
|
||||
user the owner of this directory and its contents:
|
||||
|
||||
BIND will likely need to write to the <tt>namedb</> directory, and probably some
|
||||
of the files in it. For example, if your DNS serves as a slave for a zone, it
|
||||
will have to update that zone file. Also, BIND can dump statistical
|
||||
information, and does so in this directory. For that reason, you should
|
||||
probably make the <tt>named</> user the owner of this directory and its contents:
|
||||
<tscreen><verb>
|
||||
# chown -R named:named /chroot/named/etc/namedb
|
||||
</verb></tscreen>
|
||||
|
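Review bot: `chown -R named:named /chroot/named/etc/namedb` hands the nameserver write access to every zone file in the tree, including master zones, which is broader than the justification given ("if your DNS serves as a slave for a zone, it will have to update that zone file", plus statistics dumps). A compromised `named` could then rewrite authoritative data. Suggest keeping master zone files root-owned and world-readable, and giving the `named` user ownership only of the slave zone files and of the directory it dumps statistics into (or a dedicated subdirectory for both), so the jail also limits what a hijacked process can change.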
@ -182,12 +177,11 @@ pidfile and ndc socket there, so let's allow it to do so:
|
|||
<sect1>System Support Files
|
||||
|
||||
<p>
|
||||
Once BIND is running in the chroot jail, it will not be able to
|
||||
access files outside the jail <bf/at all/. However, it needs to
|
||||
access a few key files, such as the system's C library. Exactly
|
||||
what libraries are required will depend on your flavour of UNIX.
|
||||
For most modern Linux systems, the following commands will be
|
||||
sufficient to put the necessary libraries in place:
|
||||
Once BIND is running in the chroot jail, it will not be able to access files
|
||||
outside the jail <bf>at all</>. However, it needs to access a few key files, such
|
||||
as the system's C library. Exactly what libraries are required will depend on
|
||||
your flavour of UNIX. For most modern Linux systems, the following commands
|
||||
will be sufficient to put the necessary libraries in place:
|
||||
<tscreen><verb>
|
||||
# cd /chroot/named/lib
|
||||
# cp -p /lib/libc-2.*.so .
|
||||
|
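Review bot: The library-copying commands guess at names with globs (`cp -p /lib/libc-2.*.so .` and, just below, `ln -s ld-2.*.so ld-linux.so.2`); the `ln` line in particular fails or links the wrong file if more than one `ld-2.*.so` is present. Since the text already concedes that "exactly what libraries are required will depend on your flavour of UNIX", suggest telling the reader to run `ldd` on the `named` binary (and any helper binaries BIND 8 spawns) and copy exactly the files it lists, which also avoids copying libraries the jail does not need.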
@ -195,43 +189,47 @@ sufficient to put the necessary libraries in place:
|
|||
# cp -p /lib/ld-2.*.so .
|
||||
# ln -s ld-2.*.so ld-linux.so.2
|
||||
</verb></tscreen>
|
||||
As an alternative, you could simply build statically-linked versions
|
||||
of the BIND binaries to put in your chroot jail.
|
||||
<P>
|
||||
BIND needs one more system file in its jail: good ol' <tt>/dev/null</>.
|
||||
Again, the exact command necessary to create this
|
||||
device node may vary from system
|
||||
to system; check your <tt>/dev/MAKEDEV</> script to be sure. For
|
||||
most Linux systems, we can use the following command:
|
||||
As an alternative, you could simply build statically-linked versions of the BIND
|
||||
binaries to put in your chroot jail. You should also copy <tt>ldconfig</> into
|
||||
the jail, and run it to create an <tt>etc/ld.so.conf</> for the jail environment.
|
||||
The following commands could take care of this:
|
||||
<tscreen><verb>
|
||||
# cp /sbin/ldconfig /chroot/named/bin/
|
||||
# chroot /chroot/named /bin/ldconfig -v
|
||||
</verb></tscreen>
|
||||
|
||||
BIND needs one more system file in its jail: good ol' <tt>/dev/null</>. Again,
|
||||
the exact command necessary to create this device node may vary from system to
|
||||
system; check your <tt>/dev/MAKEDEV</> script to be sure. Some systems may also
|
||||
require <tt>/dev/zero</>. For most Linux systems, we can use the following
|
||||
command:
|
||||
<tscreen><verb>
|
||||
# mknod /chroot/named/dev/null c 1 3
|
||||
</verb></tscreen>
|
||||
|
||||
Finally, you need a couple extra files in the <tt>/etc</> directory
|
||||
inside the jail. In particular, you must copy
|
||||
<tt>/etc/localtime</> in there so that BIND logs things with the
|
||||
right time on them, and you must make a simple <tt/group/ file with
|
||||
the <tt/named/ group in it. The following two commands will take
|
||||
care of this:
|
||||
Finally, you need a couple extra files in the <tt>/etc</> directory inside the
|
||||
jail. In particular, you must copy <tt>/etc/localtime</> (this sometimes known
|
||||
as <tt>/usr/lib/zoneinfo/localtime</> on some systems) in there so that BIND
|
||||
logs things with the right time on them, and you must make a simple <tt/group/
|
||||
file with the <tt/named/ group in it. The following two commands will take care
|
||||
of this:
|
||||
<tscreen><verb>
|
||||
# cp /etc/localtime /chroot/named/etc/
|
||||
|
||||
# echo 'named:x:200:' > /chroot/named/etc/group
|
||||
</verb></tscreen>
|
||||
|
||||
Keep in mind that the GID, 200 in this example, must match the one
|
||||
you defined in the real <tt>/etc/group</> above.
|
||||
Keep in mind that the GID, 200 in this example, must match the one you defined
|
||||
in the real <tt>/etc/group</> above.
|
||||
|
||||
<sect1>Logging<label id="logging">
|
||||
|
||||
<p>
|
||||
Unlike a conventional jailbird, BIND can't just scribble its log
|
||||
entries on the walls :-). Normally, BIND logs through <tt/syslogd/,
|
||||
the system logging daemon. However, this type of logging is
|
||||
performed by sending the log entries to the special socket
|
||||
<tt>/dev/log</>. Since this is outside the jail, BIND can't use it
|
||||
any more. Fortuantely, there are a couple options to work around
|
||||
this.
|
||||
Unlike a conventional jailbird, BIND can't just scribble its log entries on the
|
||||
walls :-). Normally, BIND logs through <tt/syslogd/, the system logging daemon.
|
||||
However, this type of logging is performed by sending the log entries to the
|
||||
special socket <tt>/dev/log</>. Since this is outside the jail, BIND can't use
|
||||
it any more. Fortuantely, there are a couple options to work around this.
|
||||
|
||||
<sect2>The Ideal Solution
|
||||
|
||||
|
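Review bot: the typo "Fortuantely" in the Logging paragraph survives the reflow in both the old and new wording; fix it to "Fortunately" while the paragraph is being rewrapped anyway, and the new localtime sentence reads "this sometimes known as", missing "is". On the group-file command, `echo 'named:x:200:' > /chroot/named/etc/group` hardcodes a GID that the next sentence says must match the real /etc/group; copying the line out of the real file instead, e.g. `grep '^named:' /etc/group > /chroot/named/etc/group`, removes the chance of a mismatch, which matters here because the jail's group file is what the daemon consults for `-g named` once it is inside the jail, as the paragraph itself points out.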
@ -240,12 +238,11 @@ The ideal solution to this dilemma requires a reasonably recent version of
|
|||
<tt/syslogd/ which supports the <tt/-a/ switch introduced by OpenBSD. Check the
|
||||
manpage for your <tt/syslogd(8)/ to see if you have such a version.
|
||||
|
||||
If you do, all you have to do is add the switch
|
||||
``<tt>-a/chroot/named/dev/log</>'' to the command line when you
|
||||
launch <tt/syslogd/. On
|
||||
If you do, all you have to do is add the switch ``<tt>-a
|
||||
/chroot/named/dev/log</>'' to the command line when you launch <tt/syslogd/. On
|
||||
systems which use a full SysV-init (which includes most Linux distributions),
|
||||
this is typically done in the file <tt>/etc/rc.d/init.d/syslog</>. For
|
||||
example, on my Red Hat Linux system, I changed the line
|
||||
this is typically done in the file <tt>/etc/rc.d/init.d/syslog</>. For example,
|
||||
on my Red Hat Linux system, I changed the line
|
||||
<tscreen><verb>
|
||||
daemon syslogd -m 0
|
||||
</verb></tscreen>
|
||||
|
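Review bot: in the rewrapped sentence the switch and its argument now sit on separate lines inside <tt> (`-a` on one line, `/chroot/named/dev/log` on the next), so it renders as `-a /chroot/named/dev/log` where the old text had `-a/chroot/named/dev/log`; both forms work, and the spaced one matches the init-script line further down, but avoid breaking the line inside the tag so the example can be copied as a single token. Consider also telling readers to confirm afterwards that syslogd actually created the socket, e.g. `ls -l /chroot/named/dev/log`, since a wrong path simply leaves the jail without a log socket and BIND will then log nothing.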
@ -253,8 +250,8 @@ to
|
|||
<tscreen><verb>
|
||||
daemon syslogd -m 0 -a /chroot/named/dev/log
|
||||
</verb></tscreen>
|
||||
The simply restart <tt/syslogd/, either by killing it and launching it again,
|
||||
or by using the SysV-init script to do it for you:
|
||||
The simply restart <tt/syslogd/, either by killing it and launching it again, or
|
||||
by using the SysV-init script to do it for you:
|
||||
<tscreen><verb>
|
||||
# /etc/rc.d/init.d/syslog stop
|
||||
# /etc/rc.d/init.d/syslog start
|
||||
|
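Review bot: "The simply restart syslogd" should read "Then simply restart syslogd"; the typo is carried over unchanged from the old wrapping into the new one.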
@ -268,41 +265,37 @@ called <tt/log/, that looks something like this:
|
|||
<sect2>The Other Solutions
|
||||
|
||||
<p>
|
||||
If you have an older <tt/syslogd/, then you'll have to find another
|
||||
way to do your logging. There are a couple programs out there,
|
||||
such as <tt/holelogd/, which are designed to help by acting as a
|
||||
``proxy'' and accepting log entries from the chrooted BIND and
|
||||
passing them out to the regular <tt>/dev/log</> socket.
|
||||
If you have an older <tt/syslogd/, then you'll have to find another way to do
|
||||
your logging. There are a couple programs out there, such as <tt/holelogd/,
|
||||
which are designed to help by acting as a ``proxy'' and accepting log entries
|
||||
from the chrooted BIND and passing them out to the regular <tt>/dev/log</>
|
||||
socket.
|
||||
|
||||
Alteratively, you can simply configure BIND to log to files instead
|
||||
of going through syslog. See the BIND documentation for more details
|
||||
if you choose to go this route.
|
||||
|
||||
</sect>
|
||||
Alteratively, you can simply configure BIND to log to files instead of going
|
||||
through syslog. See the BIND documentation for more details if you choose to go
|
||||
this route.
|
||||
|
||||
<sect>Compiling BIND
|
||||
|
||||
<p>
|
||||
|
||||
You should be able to find the BIND source by visiting
|
||||
<url url="http://www.isc.org/bind.html">. You need the
|
||||
<tt/bind-src.tar.gz/ package. Be sure to get the latest version!
|
||||
You should be able to find the BIND source by visiting <url
|
||||
url="http://www.isc.org/bind.html">. You need the <tt/bind-src.tar.gz/ package.
|
||||
Be sure to get the latest version!
|
||||
|
||||
<sect1>Modifying Paths
|
||||
|
||||
<p>
|
||||
Things can get a bit confusing at this point, because different parts of the
|
||||
BIND package will be referring to the same directories by different names
|
||||
(depending on whether or not they're running inside the jail). I'll try
|
||||
not to confuse you <bf/too/ much :-).
|
||||
(depending on whether or not they're running inside the jail). I'll try not to
|
||||
confuse you <bf/too/ much :-).
|
||||
|
||||
The main directory that we have to worry about here is
|
||||
<tt>/var/run</>, because its contents are required for both the
|
||||
main <tt/named/ daemon (inside the jail), and the <tt/ndc/ utility
|
||||
(on the outside). We'll start by setting everything up to find
|
||||
this directory from the outside world. To do this, we need to modify
|
||||
<tt>src/port/linux/Makefile.set</> (substitute your port's
|
||||
directory if you're not running Linux), and change the line
|
||||
The main directory that we have to worry about here is <tt>/var/run</>, because
|
||||
its contents are required for both the main <tt/named/ daemon (inside the jail),
|
||||
and the <tt/ndc/ utility (on the outside). We'll start by setting everything up
|
||||
to find this directory from the outside world. To do this, we need to modify
|
||||
<tt>src/port/linux/Makefile.set</> (substitute your port's directory if you're
|
||||
not running Linux), and change the line
|
||||
<tscreen><verb>
|
||||
DESTRUN=/var/run
|
||||
</verb></tscreen>
|
||||
|
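Review bot: "Alteratively" should be "Alternatively" in the file-logging paragraph; it appears in both the old and new wording. The removal of the explicit `</sect>` before `<sect>Compiling BIND` relies on LinuxDoc treating the sect end tag as omissible, which is legal as long as it is done consistently across the file, and the later hunks suggest it is. On the download paragraph: it tells readers to fetch `bind-src.tar.gz` and "Be sure to get the latest version!" but says nothing about verifying what they downloaded; a sentence on checking the tarball against the signature or checksum ISC publishes alongside it would fit a hardening guide.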
@ -310,13 +303,12 @@ to
|
|||
<tscreen><verb>
|
||||
DESTRUN=/chroot/named/var/run
|
||||
</verb></tscreen>
|
||||
While you're in there, you may want to change the other destination paths
|
||||
from <tt>/usr</> to <tt>/usr/local</>.
|
||||
While you're in there, you may want to change the other destination paths from
|
||||
<tt>/usr</> to <tt>/usr/local</>.
|
||||
|
||||
Now everything should be able to find that directory... except the
|
||||
<tt/named/ daemon itself, to which it's still just <tt>/var/run</>
|
||||
inside the jail. We can get around this by making a small change
|
||||
in the <tt/named/ source. In the file
|
||||
Now everything should be able to find that directory... except the <tt/named/
|
||||
daemon itself, to which it's still just <tt>/var/run</> inside the jail. We can
|
||||
get around this by making a small change in the <tt/named/ source. In the file
|
||||
<tt>src/bin/named/named.h</>, find the line
|
||||
<tscreen><verb>
|
||||
#include "pathnames.h"
|
||||
|
@ -333,45 +325,39 @@ _PATH_NDCSOCK when you do the build; just ignore them.
|
|||
<sect1>Doing the Build
|
||||
|
||||
<p>
|
||||
You should now be able to compile BIND as normal, following the
|
||||
instructions in the <tt/INSTALL/ file. At this stage, we only want
|
||||
to compile BIND, not install it. Don't go too far when following
|
||||
the <tt/INSTALL/ file. Essentially, it's just <tt/make clean/,
|
||||
<tt/make depend/, and <tt/make/.
|
||||
|
||||
</sect>
|
||||
|
||||
You should now be able to compile BIND as normal, following the instructions in
|
||||
the <tt/INSTALL/ file. At this stage, we only want to compile BIND, not install
|
||||
it. Don't go too far when following the <tt/INSTALL/ file. Essentially, it's
|
||||
just <tt/make clean/, <tt/make depend/, and <tt/make/.
|
||||
|
||||
<sect>Installing Your Shiny New BIND
|
||||
|
||||
<p>
|
||||
I should mention that if you have an existing installation of BIND,
|
||||
such as from an RPM, you should probably remove it before installing
|
||||
the new one. On Red Hat systems, this probably means removing the
|
||||
packages <tt/bind/ and <tt/bind-utils/, and possibly <tt/bind-devel/
|
||||
and <tt/caching-nameserver/, if you have them.
|
||||
I should mention that if you have an existing installation of BIND, such as from
|
||||
an RPM, you should probably remove it before installing the new one. On Red Hat
|
||||
systems, this probably means removing the packages <tt/bind/ and
|
||||
<tt/bind-utils/, and possibly <tt/bind-devel/ and <tt/caching-nameserver/, if
|
||||
you have them.
|
||||
|
||||
You may want to save a copy of the init script (e.g.,
|
||||
<tt>/etc/rc.d/init.d/named</>), if any, before doing so; it'll be
|
||||
useful later on.
|
||||
<tt>/etc/rc.d/init.d/named</>), if any, before doing so; it'll be useful later
|
||||
on.
|
||||
|
||||
<sect1>Installing the Tools Outside the Jail
|
||||
|
||||
<p>
|
||||
|
||||
This is the easy part :-). Just run <tt/make install/ and let it
|
||||
take care of it for you. You may want to <tt>chmod 000
|
||||
/usr/local/sbin/named</> afterwards, to make sure you don't
|
||||
accidentally run the non-chrooted copy of BIND. (This is
|
||||
<tt>/usr/sbin/named</> if you didn't tell it to go in
|
||||
<tt>/usr/local/sbin</> like I suggested.)
|
||||
This is the easy part :-). Just run <tt/make install/ and let it take care of
|
||||
it for you. You may want to <tt>chmod 000 /usr/local/sbin/named</> afterwards,
|
||||
to make sure you don't accidentally run the non-chrooted copy of BIND. (This
|
||||
is <tt>/usr/sbin/named</> if you didn't tell it to go in <tt>/usr/local/sbin</>
|
||||
like I suggested.)
|
||||
|
||||
<sect1>Installing the Binaries in the Jail
|
||||
|
||||
<p>
|
||||
Only two parts of the package have to live inside the chroot jail: the main
|
||||
<tt/named/ daemon itself, and <tt/named-xfer/, which it uses for zone
|
||||
transfers. You can simply copy them in from the source tree:
|
||||
<tt/named/ daemon itself, and <tt/named-xfer/, which it uses for zone transfers.
|
||||
You can simply copy them in from the source tree:
|
||||
<tscreen><verb>
|
||||
# cp src/bin/named/named /chroot/named/bin
|
||||
|
||||
|
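Review bot: "You can simply copy them in from the source tree" with `cp src/bin/named/named /chroot/named/bin` leaves the jailed binaries with whatever ownership and mode cp gives them, and the daemon runs as user named (the `-u named` switch in the next section); add a step making /chroot/named/bin/named and named-xfer root-owned and not writable by named (chown root, chmod 755), otherwise a compromised named could overwrite its own binary inside the jail and survive a restart. The `chmod 000 /usr/local/sbin/named` advice is sound as stated: with no execute bit set, even root cannot exec the file.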
@ -381,21 +367,23 @@ transfers. You can simply copy them in from the source tree:
|
|||
<sect1>Setting up the Init Script
|
||||
|
||||
<p>
|
||||
If you have an existing init script from your distribution, it would
|
||||
probably be best simply to modify it to run
|
||||
<tt>/chroot/named/bin/named</>, with the appropriate switches. The
|
||||
switches are... <it/(drumroll please...)/
|
||||
If you have an existing init script from your distribution, it would probably be
|
||||
best simply to modify it to run <tt>/chroot/named/bin/named</>, with the
|
||||
appropriate switches. The switches are... <it/(drumroll please...)/
|
||||
<itemize>
|
||||
<item><tt/-u named/, which tells BIND to run as the user <tt/named/, rather
|
||||
than <tt/root/.
|
||||
<item><tt/-u named/, which tells BIND to run as the user <tt/named/, rather than
|
||||
<tt/root/.
|
||||
<item><tt/-g named/, to run BIND under the group <tt/named/ too, rather than
|
||||
<tt/root/ or <tt/wheel/.
|
||||
<item><tt>-t /chroot/named</>, which tells BIND to chroot itself to the jail
|
||||
that we've set up.
|
||||
</itemize>
|
||||
|
||||
The following is the init script I use with my Red Hat 6.0 system. As you
|
||||
can see, it is almost exactly the same as the way it shipped from Red Hat.
|
||||
The following is the init script I use with my Red Hat 6.0 system. As you can
|
||||
see, it is almost exactly the same as the way it shipped from Red Hat. I have
|
||||
also modified the <tt>ndc restart</> command so that it restarts the server
|
||||
properly, and keeps it chrooted. You should probably do the same in your init
|
||||
script, even if you don't copy this one.
|
||||
<tscreen><code>
|
||||
#!/bin/sh
|
||||
#
|
||||
|
@ -441,19 +429,20 @@ case "$1" in
|
|||
exit $?
|
||||
;;
|
||||
restart)
|
||||
/usr/local/sbin/ndc restart
|
||||
/usr/local/sbin/ndc -n /chroot/named/bin/named "restart -u named -g named -t /chroot/named"
|
||||
exit $?
|
||||
;;
|
||||
reload)
|
||||
/usr/local/sbin/ndc reload
|
||||
exit $?
|
||||
;;
|
||||
;;
|
||||
probe)
|
||||
# named knows how to reload intelligently; we don't want linuxconf
|
||||
# to offer to restart every time
|
||||
/usr/local/sbin/ndc reload >/dev/null 2>&1 || echo start
|
||||
exit 0
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "Usage: named {start|stop|status|restart}"
|
||||
exit 1
|
||||
|
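Review bot: two consecutive `;;` now follow `exit $?` in the reload) case; if both lines are in the new file rather than one being the removed copy, the script will not parse, so confirm that pair is a whitespace-only change. The usage string `echo "Usage: named {start|stop|status|restart}"` omits reload and probe, both of which the case statement handles. The new restart line `/usr/local/sbin/ndc -n /chroot/named/bin/named "restart -u named -g named -t /chroot/named"` does pass the chroot and user/group switches to the relaunched daemon, which is what the surrounding text promises; a plain `ndc restart` would have brought named back unjailed.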
@ -465,10 +454,10 @@ exit 0
|
|||
<sect1>Configuration Changes
|
||||
|
||||
<p>
|
||||
You will also have to add or change a few options in your
|
||||
<tt/named.conf/ to keep the various directories straight. In
|
||||
particular, you should add (or change, if you already have them) the
|
||||
following directives in the <tt/options/ section:
|
||||
You will also have to add or change a few options in your <tt/named.conf/ to
|
||||
keep the various directories straight. In particular, you should add (or
|
||||
change, if you already have them) the following directives in the <tt/options/
|
||||
section:
|
||||
<tscreen><code>
|
||||
directory "/etc/namedb";
|
||||
pid-file "/var/run/named.pid";
|
||||
|
@ -477,25 +466,23 @@ named-xfer "/bin/named-xfer";
|
|||
Since this file is being read by the <tt/named/ daemon, all the paths are of
|
||||
course relative to the chroot jail.
|
||||
|
||||
</sect>
|
||||
|
||||
<sect>The End
|
||||
|
||||
<sect1>Launching BIND
|
||||
|
||||
<p>
|
||||
Everything should be set up, and you should be ready to put your new, more
|
||||
secure BIND into action. Assuming you set up a SysV-style init script, you
|
||||
can simply launch it as:
|
||||
secure BIND into action. Assuming you set up a SysV-style init script, you can
|
||||
simply launch it as:
|
||||
<tscreen><verb>
|
||||
# /etc/rc.d/init.d/named start
|
||||
</verb></tscreen>
|
||||
Make sure you kill any old versions of BIND still running before doing this.
|
||||
|
||||
If you take a look at your logs, you should find the initialisation messages
|
||||
that BIND spits out when it loads. (If not, there's a problem with your
|
||||
<ref id="logging" name="logging configuration"> that you need to fix.)
|
||||
Amongst those messages, BIND should tell you that it chrooted successfully, and that it is
|
||||
that BIND spits out when it loads. (If not, there's a problem with your <ref
|
||||
id="logging" name="logging configuration"> that you need to fix.) Amongst those
|
||||
messages, BIND should tell you that it chrooted successfully, and that it is
|
||||
running as the user and group <tt/named/. If not, you have a problem.
|
||||
|
||||
<sect1>That's It!
|
||||
|
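Review bot: "BIND should tell you that it chrooted successfully, and that it is running as the user and group named. If not, you have a problem" asks readers to trust the daemon's own log line. Suggest adding an external check: take the PID from /chroot/named/var/run/named.pid, confirm with `ps` that the process runs as user named, and confirm with `ls -l /proc/<pid>/root` that its root points at /chroot/named. That catches an init script that silently started the un-jailed copy, which is the failure the chmod 000 advice earlier is meant to prevent.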
@ -507,15 +494,13 @@ You can go take a nap now ;-).
|
|||
|
||||
<p>
|
||||
Copyright © Scott Wunsch, 2000. This document may be distributed only
|
||||
subject to the terms set forth in the LDP licence at
|
||||
<url url="http://metalab.unc.edu/LDP/COPYRIGHT.html">.
|
||||
subject to the terms set forth in the LDP licence at <url
|
||||
url="http://metalab.unc.edu/LDP/COPYRIGHT.html">.
|
||||
|
||||
This HOWTO is free documentation; you can redistribute it and/or modify
|
||||
it under the terms of the LDP licence. It is distributed in the hope that it will be
|
||||
This HOWTO is free documentation; you can redistribute it and/or modify it under
|
||||
the terms of the LDP licence. It is distributed in the hope that it will be
|
||||
useful, but <bf/without any warranty/; without even the impled warranty of
|
||||
merchantability or fitness for a particular purpose. See the LDP licence
|
||||
for more details.
|
||||
|
||||
</sect>
|
||||
merchantability or fitness for a particular purpose. See the LDP licence for
|
||||
more details.
|
||||
|
||||
</article>
|
||||
|
|
|
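Review bot: "impled warranty" should be "implied warranty" in the licence paragraph; it is an unchanged context line here, but this hunk is the place to fix it while the paragraph is being rewrapped.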
@ -4,7 +4,7 @@
|
|||
|
||||
<title>Oracle for Linux Installation HOWTO
|
||||
<author>Stephen Darlington, <tt/<stephen@zx81.org.uk>/
|
||||
<date>$Id$
|
||||
<date>$Revision$, $Date$
|
||||
|
||||
<abstract>
|
||||
With this HOWTO, and a little luck, you will be able to get "Oracle 8i
|
||||
|
@ -39,44 +39,34 @@ hubris, but I document them for completeness.
|
|||
<sect1>Who is this HOWTO for?
|
||||
<p>
|
||||
First, this document is for people who want to install Oracle 8i
|
||||
version 8.1.5 on Linux. It does not cover any earlier versions. If you
|
||||
want to install 8.0, I recommend you try <url name="Linux Journals
|
||||
guide"
|
||||
version 8.1.5 on Linux. It does not cover any earlier versions,
|
||||
although it should work with similar later versions such as 8.1.6.
|
||||
|
||||
If you want to install 8.0, I recommend you try <url name="Linux
|
||||
Journals guide"
|
||||
url="http://www2.linuxjournal.com/lj-issues/issue67/3572.html">, and
|
||||
if you want to install any of the previous versions you're going to
|
||||
have to use the SCO version and follow Paul Haigh's <url name="Oracle
|
||||
Database HOWTO"
|
||||
url="http://www.linuxdoc.org/HOWTO/Oracle-HOWTO.html">.
|
||||
|
||||
If you're trying to install the 'right' version, here is a little of
|
||||
my back-ground. Clearly if yours is similar we're going to be on the
|
||||
same wave-length.
|
||||
If you're trying to install the 'right' version, what level of
|
||||
background knowledge will you need?
|
||||
|
||||
<itemize>
|
||||
<item>I've used Unix before. In fact, it's probably my 'specialist'
|
||||
area. At university I picked up the rudiments of SunOS/Solaris and,
|
||||
since then, I've built on that and added HP-UX (about a year) and
|
||||
Linux (five years, but in my own time rather than commercially).
|
||||
Perhaps the easiest way is if I explain a little of my background,
|
||||
clearly if yours is similar we're going to be on the same
|
||||
wave-length. I've used a lot of Unix and Oracle over the last few
|
||||
years. At home I've been running Linux since 1994 and I've been using
|
||||
Solaris and HP-UX on-and-off since 1992. I first came across Oracle in
|
||||
1996 and have worked with both versions 7 and 8. I'm mainly a
|
||||
developer, but I have done DBA and sysadmin-type work.
|
||||
|
||||
I think if you're coming from a Windows or NT background, installing
|
||||
Oracle on Linux could be quite difficult. There are lots of concepts
|
||||
and terminology to pick up even before you get held up by the bugs.
|
||||
|
||||
<item>I've used Oracle before. I've installed and DBA'd versions 7.1
|
||||
and 7.3, and have developed on 8.0 (all on Solaris). Fortunately, the
|
||||
Oracle installation procedure is getting easier. Unfortunately it's
|
||||
not very stable at the moment, at least not on Linux.
|
||||
|
||||
The bottom line is, if you've not used Oracle before, this might not
|
||||
be a good product to start with unless you have a lot of time and patience.
|
||||
|
||||
</itemize>
|
||||
|
||||
I'm assuming that you have a certain amount of knowledge in this
|
||||
area. Even installing Oracle isn't a trivial exercise, so I don't
|
||||
intend writing a 'press this key now' type of guide. If you want this
|
||||
kind of 'dummies guide,' neither this HOWTO nor Oracle are probably
|
||||
the right thing for you.
|
||||
In summary, I can find my way around a Unix box and I know much of the
|
||||
Oracle terminology. You'll need both to brave the rest of this
|
||||
document. But don't worry if you have a different background, follow
|
||||
this guide closely and keep asking questions. The Linux community are
|
||||
a helpful bunch, just don't expect an answer if you haven't at least
|
||||
made an effort to solve the problem yourself.
|
||||
|
||||
<sect1>New versions of this document
|
||||
<p>
|
||||
|
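Review bot: the `<itemize>` and `</itemize>` tags are still visible around the rewritten paragraphs while every `<item>` has gone; if both tags survive in the new text the list is empty and the file will not validate, so make sure they were removed together with the items. Also "Linux Journals guide" wants an apostrophe ("Linux Journal's guide"), and "Perhaps the easiest way is if I explain a little of my background, clearly if yours is similar we're going to be on the same wave-length" is a comma splice; a full stop after "background" fixes it.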
@ -100,7 +90,8 @@ that keep posting and sorry that I can't credit you all individually!
|
|||
|
||||
Thanks to the following people, in no particular order, for their
|
||||
contributions to this document: Ton Haver, Guy Cole, Iain Frerichs,
|
||||
Albert Braun, Steve Morando and Krill Kokoshka.
|
||||
Albert Braun, Steve Morando, Krill Kokoshka, Brain Slesinsky, Galen G
|
||||
Burk and Bill Gathen.
|
||||
|
||||
I welcome any constructive feedback on this HOWTO and any general
|
||||
Linux or Oracle issues. Email me at <url
|
||||
|
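Review bot: check the spelling of "Brain Slesinsky" in the new contributor list (Brian?) before it ships in the credits.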
@ -131,91 +122,60 @@ HOWTO.)
|
|||
<sect1>Overview
|
||||
<p>
|
||||
In this section, we'll set up Linux so that you're in a position to
|
||||
get Oracle 8i from the CD that they sent you into your
|
||||
hard-disk.
|
||||
get Oracle 8i from the CD that they sent you into your hard-disk.
|
||||
|
||||
The Oracle installation process begins when you've built your PC,
|
||||
installed Linux, configured it and connected it to your network.
|
||||
|
||||
<sect1>Prerequisites
|
||||
<sect2>Hardware
|
||||
<p>
|
||||
I think that the most important part of the prerequisites is not to
|
||||
underestimate them and, as far as the software is concerned, not to
|
||||
differ unless you have to.
|
||||
underestimate them. Oracle is a very big and complex application and
|
||||
you won't get the best out of it if you skimp too much on the
|
||||
hardware.
|
||||
|
||||
My sad tale is as follows:
|
||||
<itemize>
|
||||
|
||||
<item>My first and biggest mistake was to assume that Oracle were
|
||||
joking when they said that you need 128Mb of RAM. I've installed
|
||||
Oracle a couple of times on Sun servers with that much, why would I
|
||||
need more on a CISC machine?
|
||||
My biggest mistake was to assume that Oracle were joking when they
|
||||
said that you need 128Mb of RAM. I've installed Oracle a couple of
|
||||
times on Sun servers with that much, why would I need more on a CISC
|
||||
machine?
|
||||
|
||||
Believe Oracle not my gut. My machine with 32Mb of Ram ground on for
|
||||
less than half an hour before I realised that it was hopeless.
|
||||
|
||||
<item>When Oracle say that you need the Java Runtime Environment
|
||||
version 1.1.6, that's what they mean. Don't think 'newer versions will
|
||||
be less buggy' as the installer probably won't work.
|
||||
I was trying to use the bare minimum of hardware, and that's generally
|
||||
a bad idea. If you can't afford the hardware you certainly won't be
|
||||
able to afford the licences!
|
||||
|
||||
Summary: download Blackdown's JRE 1.1.6v5 as the documentation tells
|
||||
you. You'll end up doing that anyway.
|
||||
Things to look for on a production server are many disks, possibly
|
||||
RAIDed, and fast CPU's. Database access is relatively easy to break
|
||||
down into smaller parallel phases so having a number of processors
|
||||
really does help.
|
||||
|
||||
</itemize>
|
||||
|
||||
Oracle seem to have done most of their development on RedHat
|
||||
Linux. For a fuss-free installation, do the same. I've heard horror
|
||||
stories about trying to get it installed on other distributions.
|
||||
|
||||
I used a fairly vanilla RH6 setup and had very few problems. I
|
||||
downloaded and installed the JRE version 1.1.6v5, added all the
|
||||
patches up to August 1999 and upgraded the kernel to 2.2.13, but that
|
||||
was in order to support my network card. I have no reason to suspect
|
||||
that Oracle won't work with the RedHat supplied 2.2.5 kernel.
|
||||
|
||||
Note, the Oracle installer seems to be hard-coded to expect the JRE
|
||||
executable to be at <tt>/usr/local/jre/bin/jre</tt>. While this
|
||||
doesn't mean that you have to install it there (see below), it does
|
||||
mean that you can't get away with using the JDK. This is an important
|
||||
point so I'll repeat it: you must use the JRE, the Oracle installer
|
||||
won't work with the JDK!
|
||||
|
||||
I performed the following steps to get a working copy of the JRE:
|
||||
|
||||
<enum>
|
||||
<item>Download the Java Runtime Environment from the <url
|
||||
name="Blackdown website" url="http://www.blackdown.org">
|
||||
|
||||
<item>Move to where you want to install the JRE:
|
||||
|
||||
<verb>cd /usr/local</verb>
|
||||
|
||||
<item>Uncompress the archive:
|
||||
|
||||
<verb>bzip2 -d -c jre-1.1.6-v5-glibc-x86.tar.bz2 | tar xvf -</verb>
|
||||
|
||||
<item>Create a symbolic link between where Oracle thinks it is and
|
||||
where it actually is: <verb>ln -s jre116_v5 jre</verb>
|
||||
|
||||
</enum>
|
||||
|
||||
As for the hardware, once you get above a certain 'base' level Oracle
|
||||
should work on almost any hardware you get get Linux running on. My
|
||||
system, for reference, is an Intel Celeron 466Mhz with 128Mb memory,
|
||||
an 8Gb hard-disk and a DM9102 network card. This is not a machine for
|
||||
heavy database applications, but is perfectly sufficient for a small
|
||||
test or development system.
|
||||
On the other hand, any machine that can run Linux and that has enough
|
||||
memory should be in with a chance. My other machine, the one I used
|
||||
for the rest of this document, is fine as a development machine. It is
|
||||
a Celeron 466Mhz with 128Mb of memory, an 8Gb hard disk, an Intel
|
||||
graphics card and a DM9102 network card.
|
||||
|
||||
<sect1>Linux setup
|
||||
|
||||
<sect2>Choice of distribution
|
||||
<p>
|
||||
Oracle seem to have done most of their development on RedHat Linux
|
||||
6.0. For a fuss-free installation, do the same. I've heard horror
|
||||
stories about trying to get it installed on other distributions.
|
||||
|
||||
However, anything <it/like/ RedHat should also do the trick. A recent
|
||||
version of Mandrake or SuSE should be fine (SuSE, in fact, are fairly
|
||||
active in supporting Oracle), and newer versions of RH pose no
|
||||
problems either.
|
||||
|
||||
<sect2>Distribution Setup
|
||||
<p>
|
||||
As mentioned in the previous section, Oracle do their development
|
||||
using RedHat 6.0, so for a hassle-free installation this is what you
|
||||
should probably use.
|
||||
|
||||
But what options do you make and which of the vast number of packages
|
||||
need to be installed to make Oracle work?
|
||||
Now that you've decided on which RedHat-like distribution you're going
|
||||
to use, you'll need to work out which options to set and which of the
|
||||
vast number of packages need to be installed to make Oracle work.
|
||||
|
||||
Firstly you need two to three times the amount of memory you have for
|
||||
your swap space. (You'll need around 200Mb of memory, real or virtual,
|
||||
|
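Review bot: a few small things in the reorganised Prerequisites text: "fast CPU's" should be "fast CPUs", "32Mb of Ram" should be "RAM", "Believe Oracle not my gut" needs a comma after Oracle, and "almost any hardware you get get Linux running on" doubles "get". Since the JRE material moves out of this section into its own subsection later, the remaining "Hardware" text no longer mentions software at all, which is fine, but the opening sentence "I think that the most important part of the prerequisites is not to underestimate them" now leads straight into RAM advice; a short lead-in saying the software side is covered under Linux setup would help the reader follow the new order.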
@ -224,8 +184,8 @@ Linux swap partitions can be larger than 128Mb.
|
|||
|
||||
The arrangements of your other partitions can also be important. Make
|
||||
sure that the Oracle software is on a different partition to your
|
||||
operating system, and make sure that the Oracle data-files are on yet
|
||||
another partition. The idea here is to make sure that your data-files
|
||||
operating system, and make sure that the Oracle datafiles are on yet
|
||||
another partition. The idea here is to make sure that your datafiles
|
||||
do not get fragmented. (In a live environment, you're likely to have a
|
||||
number of disk with Oracle spread across them. There are a number of
|
||||
good books that you consult for more information on this.)
|
||||
|
@ -266,6 +226,39 @@ You can make any other user a DBA by putting them in the DBA group. If
|
|||
you have several DBA's this is probably a good idea for auditing
|
||||
purposes.
|
||||
|
||||
<sect2>Installing the right Java Virtual Machine
|
||||
<p>
|
||||
If you check the official documentation, you'll find that Oracle
|
||||
recommend the Blackdown Java Runtime Environment version 1.1.6v5.
|
||||
That's what they mean. Don't think 'newer versions will be less buggy'
|
||||
as the installer probably won't work. And don't think, 'I'll be
|
||||
developing software so I'll just get the JDK,' as that won't work
|
||||
either.
|
||||
|
||||
There is one caveat to using this version of the JRE: the Oracle
|
||||
installer seems to be hard-coded to expect the JRE executable to be at
|
||||
<tt>/usr/local/jre/bin/jre</tt>. While this is inconvenient, it does
|
||||
not mean that you have to install it there.
|
||||
|
||||
I performed the following steps to get a working copy of the JRE:
|
||||
|
||||
<enum>
|
||||
<item>Download the Java Runtime Environment from the <url
|
||||
name="Blackdown website" url="http://www.blackdown.org">
|
||||
|
||||
<item>Move to where you want to install the JRE:
|
||||
|
||||
<verb>cd /usr/local</verb>
|
||||
|
||||
<item>Uncompress the archive:
|
||||
|
||||
<verb>bzip2 -d -c jre-1.1.6-v5-glibc-x86.tar.bz2 | tar xvf -</verb>
|
||||
|
||||
<item>Create a symbolic link between where Oracle thinks it is and
|
||||
where it actually is: <verb>ln -s jre116_v5 jre</verb>
|
||||
|
||||
</enum>
|
||||
|
||||
<sect1>Starting off questions and answers
|
||||
|
||||
<sect2>Do I really need 128Mb RAM?
|
||||
|
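Review bot: the new JVM steps download a tarball from Blackdown and unpack it into /usr/local as root with `bzip2 -d -c jre-1.1.6-v5-glibc-x86.tar.bz2 | tar xvf -` and no integrity check; add a step to compare the archive against the checksum or signature published on the download page before extracting, since the Oracle installer will then run everything through that JRE. Also "several DBA's" should be "DBAs", and the heading says Java Virtual Machine while the body is about the JRE package; either term is fine, but use one.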
@ -284,12 +277,13 @@ sense. I've heard reports of the installer using 150Mb of memory and
|
|||
I've seen it well over 120Mb myself. If you have 64Mb or less of
|
||||
memory, make sure you have lots of swap space and patience.
|
||||
|
||||
An alternative that <it/should/ work is as follows (although I've not
|
||||
had chance to test it): install Oracle on another, bigger machine and
|
||||
copy across the <tt/$ORACLE_HOME/ directory. If you have all the same
|
||||
users and groups I can't see why if wouldn't work.
|
||||
An alternative if you absolutely can't add more memory: install Oracle
|
||||
on another, bigger machine and copy across the <tt/$ORACLE_HOME/
|
||||
directory. You'll need to make sure that you have all the same users
|
||||
and groups (preferably with the same numeric codes) and take special
|
||||
care with SUID executables like <tt>$ORACLE_HOME/bin/oracle/</tt>.
|
||||
|
||||
<sect2>Does it work with RedHat 6.1?
|
||||
<sect2>Does it work with RedHat 6.1 or above?
|
||||
<p>
|
||||
I'm still running 6.0 myself, so all I can say is that a number of
|
||||
people have claimed success with this configuration.
|
||||
|
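Review bot: `$ORACLE_HOME/bin/oracle/` carries a trailing slash but names a file, not a directory. More importantly, "take special care with SUID executables" deserves a how: a plain cp of $ORACLE_HOME does not preserve ownership, and a setuid bit on a binary whose owner has changed is either useless or a privilege problem, so tell readers to copy as root with something that keeps owner and mode (tar, or cp -p) and to verify the owner and mode of the oracle binary on the target afterwards, not just that the users and groups exist.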
@ -317,6 +311,19 @@ the time didn't -- but unless there's a pressing need it's certainly
|
|||
safest to stay well clear. I switched back to the stable series as
|
||||
soon as the driver was included.
|
||||
|
||||
<sect2>Where do I get Oracle from?
|
||||
<p>
|
||||
Firstly, if you're brave, have a very fast Internet connection or
|
||||
inexhaustible patience (and unmetered access) you can download it from
|
||||
<url name="Oracle Technet" url="http://technet.oracle.com/">. Beware:
|
||||
it's nearly 200Mb, and 8.1.6 is even bigger.
|
||||
|
||||
A better option is to get the CD. Oracle sometimes offer to send you a
|
||||
free development CD when you join Technet. It's certainly worth
|
||||
spending some time looking round their web site for
|
||||
that. Alternatively, you can buy them from the Oracle Store for around
|
||||
$40. It includes lots of other software too and comes on 15 discs.
|
||||
|
||||
<sect>The installer
|
||||
<sect1>How?
|
||||
<p>
|
||||
|
@ -336,8 +343,11 @@ questions. Generally they're not too difficult but let's see what I
|
|||
entered and why.
|
||||
|
||||
<enum>
|
||||
<item>Run the installation program (<tt/runInstaller/) as user
|
||||
'oracle'.
|
||||
<item>Many people make the mistake of following Oracle's documentation
|
||||
and, therefore, fail at the first hurdle. Don't execute
|
||||
<tt/runInstaller/ as it almost always fails. Instead move to
|
||||
<tt>install/linux</tt> on the CD and run <tt/runIns.sh/ while logged
|
||||
in as 'oracle'.
|
||||
|
||||
<item>It should show a title screen. Click 'Next.'
|
||||
|
||||
|
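Review bot: "Don't execute runInstaller as it almost always fails" replaces Oracle's documented entry point without saying what the failure looks like; one sentence on the symptom would let readers recognise when `runIns.sh` is the right workaround rather than applying it blindly. Keeping "while logged in as 'oracle'" explicit is right; the installer should not run as root.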
@ -380,14 +390,11 @@ good reason to should you change it. Click 'Next' when you're done.
|
|||
asked it to. This will probably take quite a while and will use far
|
||||
more memory than is reasonable.
|
||||
|
||||
<item>It should ask you if you want to create a database. I recommend
|
||||
you select 'No' here unless you have lots of memory or patience. The
|
||||
reason for this is that it seems to fire up another Java Virtual
|
||||
Machine and X Windows. Unfortunately two JVM's plus the Oracle
|
||||
back-end don't really fit into 128Mb. If you want to persevere jump to
|
||||
the next section and come back here when you're done. (People have
|
||||
commented that it doesn't actually work if you try to build a database
|
||||
at this point.)
|
||||
<item>It should ask you if you want to create a database. Select
|
||||
'no'. There are two reasons for this: it often doesn't work and, even
|
||||
when it does, it's very slow (it seems to fire up another JVM, leaving
|
||||
X, the Oracle back-end and <it/two/ virtual machines in memory; not
|
||||
good with 128Mb of memory).
|
||||
|
||||
<item>The installer should now ask you about the network protocols
|
||||
that you want Oracle to support. The boxes all came up blank for me. I
|
||||
|
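Review bot: the rewritten step tells readers to select 'no' for database creation but drops the old text's pointer to where creating one is covered ("jump to the next section and come back here when you're done"); without it a first-time reader finishes the installer with software and no database, so restore a cross-reference to the Creating a database chapter.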
@ -409,7 +416,7 @@ described here is a cumulative patch, i.e., it includes all the files
required to move from version 8.1.5.0.0 to 8.1.5.0.2.

The file you need is on <url name="the Oracle web site"
url="http://technet.oracle.com/support/tech/linux/files/linux_815patches.gz">
url="http://technet.oracle.com/software/products/oracle8i/software_index.htm">
and is relatively easy to install.

<enum>

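Review bot: the new url points at the general oracle8i software index rather than at the patch file itself, but the sentence still says "The file you need is on the Oracle web site" without naming it. Since the next hunk extracts linux815patches.tgz, name that file here so the reader knows what to look for on the index page.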
@ -424,7 +431,7 @@ directory called "patches" somewhere convenient (mine is in
cd /tmp/orapatch</verb>

<item>Uncompress the file:
<verb>tar zvxf $ORACLE_HOME/patches/linux815patches.gz</verb>
<verb>tar zvxf $ORACLE_HOME/patches/linux815patches.tgz</verb>

<item>Run the shell script that's now in the current directory:
<verb>./linux_815patches.sh</verb>

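Review bot: the archive is now spelled linux815patches.tgz while the script it unpacks is ./linux_815patches.sh (with an underscore) and the old download URL was linux_815patches.gz; please confirm both spellings against the actual download, because the inconsistency reads like a typo and the tar command fails silently for the reader if the name is wrong. Separately, the hunk context extracts into /tmp/orapatch; because /tmp is world-writable, unpacking under $ORACLE_HOME/patches (which the text already uses for the archive) avoids another local user pre-creating that directory name.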
@ -580,6 +587,11 @@ The solution is not pretty. Since you can't extract an individual file
from the CD you need to install the whole thing again, this time
adding Oracle Programmer before the patch.

<sect2>Oracle thinks I don't have enough disk space
<p>
There's something wrong with the installation program. Assuming you
<it/do/ have enough space it will install okay.

<sect>Creating a database
<sect1>Overview
<p>

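Review bot: "There's something wrong with the installation program" gives the reader nothing to match against; state the actual message the installer shows and the release it was seen with, so the entry is searchable and can be removed once the installer is fixed.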
@ -691,6 +703,11 @@ system/<password></tt>). Then type:

The question-mark is an alias for the <tt/$ORACLE_HOME/ directory.

<item>This is an optional step used to define the default editor for
SQL*Plus (it defaults to <tt/ed/ so you do!). Open
<tt>$ORACLE_HOME/sqlplus/admin/glogin.sql</tt> in your favourite
editor and add <tt>define_editor=<editor name></tt> to the end.

</enum>

And that's it. You should now have an operational database that you

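Review bot: the SQL*Plus setting is the substitution variable _editor, set with "define _editor=vi" (a space after define, underscore on the variable name); "define_editor=<editor name>" as written is not a valid SQL*Plus command and the editor will stay at ed. If the source literally contains "<editor name>" rather than an entity, linuxdoc will also try to parse it as a tag, so write it as &lt;editor name&gt;.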
@ -747,6 +764,11 @@ easiest option is to unset it. If you really want to use it, make sure
that you have it exactly right. Make sure you don't transpose any '1's
(one's) for 'l's (the twelfth letter of the alphabet)!

<sect2>Can datafiles only be 1Gb in size?
<p>
'dbassist' won't let you create a datafile bigger than 1Gb. I believe
this to be a bug as Linux has no problem with files up to 2Gb.

<sect>Configuration
<sect1>Overview
<p>

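Review bot: the 2Gb figure is itself a platform limit (the 32-bit file offset of the Linux kernels and libc of the time), not a general "Linux has no problem" bound; qualify the sentence with the kernel and platform the 1Gb behaviour was checked on, and keep it marked as observed rather than a confirmed bug unless an Oracle reference exists.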
@ -881,8 +903,9 @@ significantly more expensive than free but is not bad value.
name="Quest Software">. I've not really used it but it's been highly
recommended by all who have.

<item><url url="http://www.kkitts.com/orac-dba/" name="Orac">. A nice,
configurable DBA-tool.
<item><url url="http://www.kkitts.com/orac-dba/" name="Orac">. Another
that I've not used much, but has been described as a nice,
configurable DBA-tool by a number of people.

</itemize>


@ -912,14 +935,14 @@ Associates, ISBN 1-56592-268-9.
url="http://www.amazon.com/exec/obidos/ASIN/1565923359/zx81orguk00"
name="PL/SQL Programming,"></#if>
<#unless output=html>"PL/SQL Programming,"</#unless>
"PL/SQL Programming," Steven Feuerstein, O'Reilly and
Steven Feuerstein, O'Reilly and
Associates, ISBN 1-56592-335-9.

<item><#if output=html><url
url="http://www.amazon.com/exec/obidos/ASIN/1565923758/zx81orguk00"
name="PL/SQL Built-in Packages,"></#if>
<#unless output=html>"PL/SQL Built-in Packages,"</#unless>
"PL/SQL Built-in Packages," Steven Feuerstein, O'Reilly and
Steven Feuerstein, O'Reilly and
Associates, ISBN 1-56592-375-8.

</itemize>

@ -40,7 +40,7 @@ Covers PostgreSQL Version 6.5.3
<author>Al Dev (Alavoor Vasudevan)
<htmlurl url="mailto:alavoor@yahoo.com"
name="alavoor@yahoo.com">
<date>v23.0, 02 Jun 2000
<date>v26.0, 24 June 2000
<abstract>
This document is a "practical guide" to very quickly setup a SQL Database
engine and

@ -248,23 +248,34 @@ millions of galaxies, each galaxy has millions of stars, some stars
system have many planets, each planet in turn is made up
billions of atoms.<it>(In the history of this world, <bf>only one universe was
created by a man</bf> in ancient India eons ago, but no other case had been
reported in the modern history. Creating a universe is a much more advanced
reported in the modern history. Nations around the world are trying to create
a universe).</it> Creating a universe is a much more advanced
technology and is more advanced than the atomic bomb which was dropped on
Hiroshima and Nagasaki causing
<bf>horrible destruction</bf>). Modern nuclear weapons are so tiny and powerful
that if such a single nuclear bomb is dropped then it can completely
vaporise the planet earth! But there are also weapons which will completely <bf>NULLIFY
and NEUTRALISE</bf> all the nuclear weapons in the world!! Total variety
of weapons are infinity!</it>. Software like MS Windows 95 is created simply by "C"
<bf>horrible destruction</bf>.
Modern nuclear weapons are so tiny and powerful
that if such a single nuclear bomb is dropped in pacific ocean then it
can completely vaporise the planet earth!
The total variety of weapons are infinity!! Nuclear weapons and other
more <bf>powerful divine weapons</bf> were used
in the battle field in ancient India! Nobody believed Albert
Eienstein (a scientist of 1900's) when he said nuclear weapons can
be made which can vaporise big cities. And today nobody believes
that man can create a universe.

Software like MS Windows 95 is created simply by "C"
and assembler language programs which simply uses 1 and 0 and <it><bf>universes like
ours are created simply by dashing TWO dissimilar but proper of combination of
tiny atomic particles of other dimensions.</bf></it>
<it>(Something interesting happened <bf>just before</bf> dashing of tiny particles)</it>
A human body is created by dashing two dissimilar but
proper combination of tiny cells!! Humans inherited the properties of this universe.
proper combination of tiny cells!!
<it>(Something interesting happened <bf>just before</bf> dashing of tiny cells)</it>
Humans inherited the properties of this universe.
The universe you are
currently living in was NOT there - all the atoms inside the universe was not there
and not even TIME was existing!! Baby universe was born during big bang and started
expanding and kept growing. Even today the universe is still expanding!!
expanding and kept growing. Even today our universe is still expanding!!
A person from another universe by name <bf>'Brahma'</bf> created
this universe you are currently living in.
It is indeed possible for man to create a new universe.

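Review bot: this passage (creating universes, Brahma, divine weapons in ancient India) has nothing to do with PostgreSQL and makes the HOWTO harder to take seriously; suggest dropping it or moving it to a personal page. If it stays, "Eienstein" should be "Einstein" and "dropped in pacific ocean" should read "dropped in the Pacific Ocean".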
@ -273,7 +284,8 @@ is <bf>INFINITY</bf> and similarly total number of operating systems that
can be created is also <bf>infinity</bf>!! Infinite number
universes and infinite
variety of multi-dimensional atoms collapse down
into few <it>primary-dimensional-universe</it>.
into few <it>primary-dimensional-universe</it>. Very advanced mathematical
equations support this theory.

The laws of science and statistics favour the open-source
code system like PostgreSQL and Linux.

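Review bot: "Very advanced mathematical equations support this theory" is asserted without any reference; either cite the equations or drop the sentence, since as written it is only an appeal to unnamed authority.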
@ -345,7 +357,10 @@ where 'c' is the speed of light and 'm' is the mass.
where n = number of persons working on the project.
</code>
From the above equation it is clear that increasing the 'n' will greatly improve
the quality of product.
the quality of product. Greater the 'n' then greater will be the power (in KiloWatts).
You can wonder how much total
energy (in KiloJoules) and total power (in KiloWatts)
the global internet can focus on a system like Linux and PostgreSQL!

It is very clear that internet can network a vast number of people, which implies
internet has a lot of energy and time which can produce much higher quality

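Review bot: "greater will be the power (in KiloWatts)" cannot follow from the equation above it, which has no time term, so no power figure can be derived from it; the unit names are also "kilowatts" and "kilojoules". Either drop the unit claims or define the time over which the energy is spent.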
@ -467,11 +482,30 @@ The white paper on PostgreSQL is at
MySQL is another open-source SQL server, but it does not support
transactions. It is suitable for very small databases and does not
support advanced SQL functionalities. Whereas PostgreSQL is a enterprise strength database
supporting transactions and almost all SQL constructs. In near future
development of MySQL will be dropped and all MySQL users will be
migrated to PostgreSQL since MySQL is duplicate product working towards ANSI SQL.
Also MySQL is a 'quasi-commercial' product unlike PostgreSQL which is open-source
and there is no license fee.
supporting transactions and almost all SQL constructs.
PostgreSQL is much more advanced than commercial databases like Oracle, Sybase
and Informix. PostgreSQL supports very advanced locking mechanisms and many more
advanced features which are not available in commercial database systems!!

In near future development of MySQL will be dropped,
since MySQL is duplicate product working towards ANSI SQL.
And all the MySQL users will be migrated to PostgreSQL.
Also MySQL is a 'quasi-commercial' product unlike
PostgreSQL which is open-source and there is no license fee.
There is no need for another SQL database system as PostgreSQL is already
here in this world!!

Duplicate products like MySQL confuse the user base and causes division of
resources. For a <bf>"NEAR PERFECT"</bf> system there must be <bf>only one</bf>
system and everybody in the world must work on it!!
Duplicate products cause more harm than good and hence division of
resources must be strongly discouraged. This already happened in case of
commercial database systems like Oracle, Sybase, Informix and MS SQL server
which caused splintering of user base and often they are incompatible.

<bf>WARNING: </bf> It is possible to create infinite number of database systems
for a given specification like ANSI SQL!!

MySQL is at <url url="http://www.tcx.se">
<!--
*******************************************

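Review bot: the new paragraphs state predictions ("development of MySQL will be dropped", "all the MySQL users will be migrated to PostgreSQL") and rankings ("much more advanced than commercial databases like Oracle, Sybase and Informix") as fact with no source; mark them as the author's opinion or cite something. The "does not support transactions" sentence at the top should name the MySQL version it describes, since that is exactly the kind of statement that goes stale. Grammar in the same hunk: "a enterprise strength database" should be "an enterprise-strength database".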
@ -558,7 +592,7 @@ PostgreSQL source code is also available at all the mirror sites of sunsite unc

<chapt>PostgreSQL Quick-Installation Instructions
-->
<sect>PostgreSQL Quick-Installation Instructions
<sect>PostgreSQL Quick-Installation Instructions <label id="Quick-Installation">
<p>
This chapter will help you to install and run the database very quickly in less than 5 minutes.


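Review bot: with <chapt> commented out and the heading demoted to <sect>, the unchanged context line "This chapter will help you to install..." should now say "This section"; the same wording check applies to every other chapt-to-sect change in this patch, including "Refer also to ... chapter" in the Quick Start Guide hunk.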
@ -918,6 +952,321 @@ The patch files are located in



<chapt> Quick Start Guide
-->
<sect> Quick Start Guide
<p>
Refer also to <ref id="Quick-Installation" name="Quick Installation"> chapter.
<!--

*******************************************
************ End of Section ***************
*******************************************

-->
<sect1> Creating, Dropping, Renaming Database
<p>
You can use the user friendly GUI called 'pgaccess' to create and drop databases,
or you can use the command line 'psql' utility.
<code>
If you are logged in as root, switch user to 'postgres' :
# xhost + (To give display access for pgaccess)
# su - postgres
bash$ man createdb
bash$ createdb mydatabase
bash$ man psql
bash$ psql mydatabase
..... in psql press up/down arrow keys for history line editing or \s

bash$ export DISPLAY=<hostname>:0.0
bash$ man pgaccess
bash$ pgaccess mydatabase
</code>
Now you can start <bf>rapidly BANGING away</bf> SQL commands at psql or pgaccess !!

To drop the database do :
<code>
bash$ man dropdb
bash$ dropdb <dbname>
</code>
It is also possible to destroy a database from within an SQL session by using:
<code>
> drop database <dbname>
</code>
To rename a database see <ref id="backup_restore" name="Backup and Restore">
<!--

*******************************************
************ End of Section ***************
*******************************************

-->
<sect1> Creating, Dropping users
<p>
To create new users, login as unix user 'postgres'.
You can use user friendly GUI tool called 'pgacess' to create, drop users.
<code>
bash$ man pgaccess
bash$ pgaccess <database_name>
</code>
and click on "Users" tab and then click Object|New or Object|Delete

You can also use command line scripts.
Use the shell script called 'createuser' which invokes psql
<code>
bash$ man createuser
bash$ createuser <username>
bash$ createuser -h host -p port -i userid <username>
</code>

To drop a postgres user, use shell script 'destroyuser' -
<code>
bash$ man destroyuser
bash$ destroyuser
</code>
<!--

*******************************************
************ End of Section ***************
*******************************************

-->
<sect1> Creating, Dropping Groups
<p>
Currently, there is no easy interface to set up user groups. You have
to explicitly insert/update the <bf>pg_group</bf> table. For example:
<code>
bash$ su - postgres
bash$ psql <database_name>
..... in psql press up/down arrow keys for history line editing or \s

psql=> insert into pg_group (groname, grosysid, grolist)
psql=> values ('posthackers', '1234', '{5443, 8261}' );
INSERT 58224
psql=> grant insert on foo to group posthackers;
CHANGE
psql=>
</code>
The fields in <bf>pg_group</bf> are:
<bf>groname</bf> The group name. This name should be purely alphanumeric; do not
include underscores or other punctuation.

<bf>grosysid</bf> The group id. This is an int4, and should be unique for each group.

<bf>grolist</bf> The list of <bf>pg_user</bf> IDs that belong in the group. This is
an int4[].

To drop the group:
<code>
bash$ su - postgres
bash$ psql <database_name>
..... in psql press up/down arrow keys for history line editing or \s

psql=> delete from pg_group where groname = 'posthackers';
</code>
<!--

*******************************************
************ End of Section ***************
*******************************************

-->
<sect1> Create, Edit, Drop a table
<p>
You can use user friendly GUI tool 'pgaccess' or command line tool 'psql'
to create, edit or drop a table in a database.
<code>
bash$ man pgaccess
bash$ pgaccess <database_name>
</code>
Click on Table | New | Design buttons.
<code>
bash$ man psql
bash$ psql <database_name>
..... in psql press up/down arrow keys for history line editing or \s
</code>
At psql prompt, give standard SQL statements like 'create table', 'alter table'
or 'drop table' to manipulate the tables.
<!--

*******************************************
************ End of Section ***************
*******************************************

-->
<sect1> Create, Edit, Drop records in a table
<p>
You can use user friendly GUI tool 'pgaccess' or command line tool 'psql'
to create, edit or drop records in a database table.
<code>
bash$ man pgaccess
bash$ pgaccess <database_name>
</code>
Click on Table | < pick a table > | Open buttons.
<code>
bash$ man psql
bash$ psql <database_name>
..... in psql press up/down arrow keys for history line editing or \s

</code>
At psql prompt, give standard SQL statements like 'insert into table_name', 'update table_name'
or 'delete from table_name' to manipulate the tables.
<!--

*******************************************
************ End of Section ***************
*******************************************

-->
<sect1> Switch active Database
<p>
You can use user friendly GUI tool 'pgaccess' or command line tool 'psql'
to switch active database.
<code>
bash$ man pgaccess
bash$ pgaccess <database_name>
</code>
Click on Database | Open buttons.
<code>
bash$ man psql
bash$ psql <database_name>
..... in psql press up/down arrow keys for history line editing or \s

psql=> connect <database_name> <user>
</code>
<!--

*******************************************
************ End of Section ***************
*******************************************

-->
<sect1> Backup and Restore database <label id="backup_restore">
<p>
PostgreSQL provides two utilities to back up your system: <bf>pg_dump</bf>
to backup individual databases, and <bf>pg_dumpall</bf> to back up all the
databases in just one step.
<code>
bash$ su - postgres
bash$ man pd_dump
bash$ pd_dump <database_name> > database_name.pgdump
</code>
and can be restored using:
<code>
bash$ cat database_name.pgdump | psql <database_name>
</code>
This technique can be used to move databases to new locations, and to rename
existing databases.

<bf>WARNING:</bf> Every database should be backed up on a regular basis. Since
PostgreSQL manages its own files in the file sysetem, it is not advisable to rely
on system backups of your file system for your database backups; there is
no guarantee that the files will be in a usable, consistent
state after restoration.

<bf>BACKUP LARGE DATABASES:</bf> Since Postgres allows tables larger than the
maximum file size on your system, it can be problematic to dump the table to
a file, because the resulting file likely will be larger than the maximum
size allowed by your system. As <bf>pg_dump</bf> writes to <bf>stdout</bf>,
you can just use standard unix tools to work around this possible problem:

Use compressed dumps:
<code>
bash$ pg_dump <database_name> | gzip > filename.dump.gz
</code>
reload with:
<code>
bash$ createdb <database_name>
bash$ gunzip -c filename.dump.gz | psql <database_name>
</code>
or
<code>
bash$ cat filename.dump.gz | gunzip | psql <database_name>
</code>

Use split:
<code>
bash$ pg_dump <database_name> | split -b 1m - filename.dump.
</code>
Note: There is a dot (.) after filename.dump in the above command!! You can
reload with:
<code>
bash$ man createdb
bash$ createdb <database_name>
bash$ cat filename.dump.* | pgsql <database_name>
</code>
Of course, the name of the file (filename) and the content of the <bf>pg_dump</bf>
output need not match the name of the database. Also, the restored database
can have an arbitrary new name, so this mechanism is also suitable for
renaming databases.

To dump all the databases in PostgreSQL use <bf>pg_dumpall</bf>
<code>
bash$ man pg_dumpall
bash$ pg_dumpall -o > db.out
To reload:
bash$ psql -e template1 < db.out
</code>
<!--



*******************************************
************ End of Section ***************
*******************************************

-->
<sect1> Security of database
<p>
See the chapter on <ref id="security" name="PostgreSQL Security">.
<!--


*******************************************
************ End of Section ***************
*******************************************

-->
<sect1> Online help
<p>
It is very important that you should know how to use online help facilities of PostgreSQL,
since it will save you lot of time and provides very quick access to information.

See the online man pages on various commands like createdb, createuser, etc..
<code>
bash$ man createdb
</code>

See also online help of psql, by typing \h at psql prompt
<code>
bash$ psql mydatabase
psql> \h

Tip: In psql press up/down arrow keys for history line editing or \s
</code>
<!--


*******************************************
************ End of Section ***************
*******************************************

-->
<sect1> PostgreSQL Documentation
<p>
More questions, read the fine manuals of PostgreSQL which are very
extensive.
PostgreSQL documentation is distributed with package. See the
'User's Guide', 'Programmer's Guide', 'Administrator's Guide' and
other manuals.
<!--
*******************************************
************ End of Section ***************
*******************************************




<chapt>PostgreSQL Supports Extremely Large Databases greater than 200 Gig
-->
<sect>PostgreSQL Supports Extremely Large Databases greater than 200 Gig

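Review bot: "xhost +" in the Creating, Dropping, Renaming Database section disables X server access control for every host that can reach the display, not just for pgaccess; use "xhost +localhost" (or the specific client host) and mention running "xhost -" afterwards, or run pgaccess over ssh with X forwarding, which the later "Secure TCP/IP Connection via SSH" section already introduces. Command typos in the same hunk will stop readers who copy them: "pd_dump" should be "pg_dump" (twice in Backup and Restore), "pgsql" should be "psql" in the split reload, "pgacess" should be "pgaccess", and psql's connect command is "\connect <database_name> <user>" with a leading backslash. Prose: "file sysetem" in the backup warning should be "file system".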
@ -984,6 +1333,312 @@ If a functionality, syntax or feature exists in the regression test package
then it is supported, and all others which are NOT listed in the
package MAY not be supported by PostgreSQL!! You may need to verify those and
add it to regression test package.
<!--

*******************************************
************ End of Section ***************
*******************************************



<chapt> Security of Database <label id="security">
-->
<sect> Security of Database <label id="security">
<p>
Database security is addressed at several levels:
<itemize>
<item> Database file protection. All files stored within the database are
protected from reading by any account other than the <it>postgres</it>
superuser account
<item> Connections from a client to the database server are, by default,
allowed only via a local UNIX socket, not via TCP/IP sockets. The back-end
must be started with the -i option to allow nonlocal clients to connect.
<item> Client connections can be restricted by IP address and/or username
via the <bf>pg_hba.conf</bf> file in <bf>$PG_DATA</bf>.
<item> Client connections may be authenticated via other external packages.
<item> Each user in Postgres is assigned a username and (optionally) a password.
By default, users do not have write access to databases they did not create.
<item> Users may be assigned to groups, and table access may be restricted based
on group priveleges.
</itemize>
<!--


*******************************************
************ End of Section ***************
*******************************************

-->
<sect1> User Authentication
<p>
Authentication is the process by which the backend server and postmaster
ensure that the user requesting access to data is in fact who he/she
claims to be. All users who invoke Postgres are checked against the contents
of the <bf>pg_user</bf> class to ensure that they are authorized to do so. However,
verification of the user's actual identity is performed in a variety
of ways:
<itemize>
<item> <bf>From the user shell:</bf> A backend server started from a user shell
notes the user's (effective) user-id before performing a
<bf>setuid</bf> to the user-id of user <bf>postgres</bf>. The effective user-id is used as
the basis for access control checks. No other authentication is conducted.
<item> <bf>From the network:</bf> If the Postgres system is built as distributed, access to the
Internet TCP port of the postmaster process is available to anyone. The DBA
configures the <bf>pg_hba.conf</bf> file in the <bf>$PGDATA</bf> directory to specify what
authentication system is to be used according to the host making the connection
and which database it is connecting to.
See <bf>pg_hba.conf(5)</bf> (man 5 pg_hba.conf)
for a description
of the authentication systems available. Of course, host-based authentication
is not fool-proof in Unix, either. It is possible for determined intruders
to also masquerade the origination host. Those security issues are beyond
the scope of Postgres.
</itemize>
<!--


*******************************************
************ End of Section ***************
*******************************************

-->
<sect1> Host-Based Access Control
<p>
Host-based access control is the name for the basic controls PostgreSQL
exercises on what clients are
allowed to access a database and how the users on those clients must
authenticate themselves.
Each database system contains a file named <bf>pg_hba.conf</bf>, in its
<bf>$PGDATA</bf> directory, which controls who
can connect to each database.
Every client accessing a database must be covered by one of the
entries in <bf>pg_hba.conf</bf>. Otherwise all
attempted connections from that client will be rejected with a
<bf>"User authentication failed"</bf> error message.

See online man page of <bf>pg_hba.conf(5)</bf> (man 5 pg_hba.conf).

The general format of the <bf>pg_hba.conf</bf> file is of a set of records, one
per line. Blank lines and lines
beginning with a hash character ("#") are ignored. A record is made up of
a number of fields which
are
separated by spaces and/or tabs.

Connections from clients can be made using Unix domain sockets or Internet
domain sockets (ie.
TCP/IP). Connections made using Unix domain sockets are controlled using
records of the following
format:
<code>
local database authentication method
</code>
where

<bf>database</bf> specifies the database that this record applies to. The value
<bf>all</bf> specifies that it applies to
all databases.

<bf>authentication method</bf> specifies the method a user must use to authenticate
themselves when
connecting to that database using Unix domain sockets. The different
methods are described
below.

Connections made using Internet domain sockets are controlled using
records of the following format.

<code>
host database TCP/IP-address TCP/IP-mask authentication method
</code>

The <bf>TCP/IP</bf> address is <it>logically and'ed</it> to both the specified TCP/IP mask
and the TCP/IP address of the
connecting client. If the two resulting values are equal then the record
is used for this connection. If a
connection matches more than one record then the earliest one in the
file is used. Both the TCP/IP
address and the TCP/IP mask are specified in dotted decimal notation.
If a connection fails to match any record then the reject authentication
method is applied (see <ref id="auth_method" name="Authentication Methods">).
<!--


*******************************************
************ End of Section ***************
*******************************************

-->
<sect1> Authentication Methods <label id="auth_method">
<p>
The following authentication methods are supported for both Unix and TCP/IP domain sockets:
<itemize>
<item> <bf>trust</bf>
The connection is allowed unconditionally.
<item> <bf>reject</bf>
The connection is rejected unconditionally.
<item> <bf>crypt</bf>
The client is asked for a password for the user. This is sent encrypted (using crypt(3)) and compared
against the password held in the pg_shadow table. If the passwords match, the connection is allowed.
<item> <bf>password</bf>
The client is asked for a password for the user. This is sent in clear and compared against the
password held in the <bf>pg_shadow</bf> table. If the passwords match, the connection is allowed. An
optional password file may be specified after the password keyword which is used to match the
supplied password rather than the <bf>pg_shadow</bf> table. See <bf>pg_passwd</bf>.
</itemize>

The following authentication methods are supported for TCP/IP domain sockets only:
<itemize>
<item> <bf>krb4</bf>
Kerberos V4 is used to authenticate the user.
<item> <bf>krb5</bf>
Kerberos V5 is used to authenticate the user.
<item> <bf>ident</bf>
The ident server on the client is used to authenticate the user (RFC 1413). An optional map name
may be specified after the <bf>ident</bf> keyword which allows ident user names to be mapped onto Postgres
user names. Maps are held in the file <bf>$PGDATA/pg_ident.conf</bf>.
</itemize>

Here are some examples:
<code>
# Trust any connection via Unix domain sockets.
local trust
# Trust any connection via TCP/IP from this machine.
host all 127.0.0.1 255.255.255.255 trust
# We don't like this machine.
host all 192.168.0.10 255.255.255.0 reject
# This machine can't encrypt so we ask for passwords in clear.
host all 192.168.0.3 255.255.255.0 password
# The rest of this group of machines should provide encrypted passwords.
host all 192.168.0.0 255.255.255.0 crypt
</code>
<!--


*******************************************
************ End of Section ***************
*******************************************

-->
<sect1> Access Control
<p>
Postgres provides mechanisms to allow users to limit the access to their data that is provided to other
users.
<itemize>
<item> <bf>Database superusers</bf>
Database super-users (i.e., users who have <bf>pg_user.usesuper</bf> set) silently bypass all of the access
controls described below with two exceptions: manual system catalog updates are not permitted if the
user does not have <bf>pg_user.usecatupd</bf> set, and destruction of system catalogs (or modification of their
schemas) is never allowed.
<item> <bf>Access Privilege</bf>
The use of access privilege to limit reading, writing and setting of rules on
classes is covered in SQL <bf>grant/revoke(l)</bf>.
<item> <bf>Class removal and schema modification</bf>
Commands that destroy or modify the structure of an existing class, such as alter, drop table, and
drop index, only operate for the owner of the class. As
mentioned above, these operations are never
permitted on system catalogs.
</itemize>
<!--


*******************************************
************ End of Section ***************
*******************************************

-->
<sect1> Secure TCP/IP Connection via SSH
<p>
You can use <bf>ssh</bf> to encrypt the network connection between clients and a Postgres server. Done properly,
this should lead to an adequately secure network connection.

The documentation for <bf>ssh</bf> provides most of the information to get started. Please refer to
<url url="http://www.heimhardt.de/htdocs/ssh.html"> for better insight.
A step-by-step explanation can be done in just two steps.

<bf>Running a secure tunnel via ssh: </bf>
A step-by-step explanation can be done in just two steps.
<itemize>
<item> Establish a tunnel to the back-end machine, like this:
<code>
ssh -L 3333:wit.mcs.anl.gov:5432 postgres@wit.mcs.anl.gov
</code>
<item> The first number in the <bf>-L</bf> argument, <bf>3333</bf>, is the port number of your end of the tunnel. The
second number, <bf>5432</bf>, is the remote end of the tunnel -- the port number your backend is using.
The name or the address in between the port numbers belongs to the server machine, as does the
last argument to <bf>ssh</bf> that also includes the optional user name. Without the user name, <bf>ssh</bf> will try
the name you are currently logged on as on the client machine. You can use any user name the
server machine will accept, not necessarily those related to postgres.
<item> Now that you have a running <bf>ssh</bf> session, you can connect a postgres client to your local host at the
|
||||
port number you specified in the previous step. If it's <bf>psql</bf>, you will need another shell because the
|
||||
shell session you used in step 1 is now occupied with <bf>ssh</bf>.
|
||||
<code>
|
||||
psql -h localhost -p 3333 -d mpw
|
||||
</code>
|
||||
<item> Note that you have to specify the <bf>-h</bf> argument to cause your client to use the TCP socket instead
|
||||
of the Unix socket. You can omit the port argument if you chose <bf>5432</bf> as your end of the tunnel.
|
||||
</itemize>
|
||||
<!--
|
||||
|
||||
|
||||
*******************************************
|
||||
************ End of Section ***************
|
||||
*******************************************
|
||||
|
||||
-->
|
||||
<sect1> Kerberos Authentication
|
||||
<p>
|
||||
Kerberos is an industry-standard secure authentication system suitable for distributed computing over a
|
||||
public network.
|
||||
|
||||
<bf>Availability: </bf>
|
||||
The Kerberos authentication system is not distributed with Postgres. Versions of Kerberos are typically
|
||||
available as optional software from operating system vendors. In addition, a source code distribution may
|
||||
be obtained through MIT Project Athena.
|
||||
|
||||
<code>
|
||||
Note: You may wish to obtain the MIT version even if your vendor provides a version, since
|
||||
some vendor ports have been deliberately crippled or rendered non-interoperable with the MIT
|
||||
version.
|
||||
</code>
|
||||
|
||||
Inquiries regarding your Kerberos should be directed to your vendor or MIT Project Athena. Note that
|
||||
FAQLs (Frequently-Asked Questions Lists) are periodically posted to the Kerberos mailing list (send mail
|
||||
to subscribe), and USENET news group.
|
||||
|
||||
<bf>Installation: </bf>
|
||||
Installation of Kerberos itself is covered in detail in the Kerberos Installation Notes . Make sure that the
|
||||
server key file (the <bf>srvtab</bf> or <bf>keytab</bf>) is somehow readable by the Postgres account.
|
||||
Postgres and its clients can be compiled to use either Version 4 or Version 5 of the MIT Kerberos
|
||||
protocols by setting the KRBVERS variable in the file <bf>src/Makefile.global</bf> to the appropriate value. You
|
||||
can also change the location where Postgres expects to find the associated libraries, header files
|
||||
and its
|
||||
own server key file.
|
||||
After compilation is complete, Postgres must be registered as a Kerberos service. See the Kerberos
|
||||
Operations Notes and related manual pages for more details on registering services.
|
||||
|
||||
<bf>Operation: </bf>
|
||||
After initial installation, Postgres should operate in all ways as a normal Kerberos service. For details on
|
||||
the use of authentication, see the <it>PostgreSQL User's Guide</it> reference sections for <bf>postmaster</bf> and <bf>psql</bf>.
|
||||
|
||||
In the Kerberos Version 5 hooks, the following assumptions are made about user and service naming(also, see Table below):
|
||||
<itemize>
|
||||
<item> User principal names (anames) are assumed to contain the actual Unix/Postgres user name in the
|
||||
first component.
|
||||
<item> The Postgres service is assumed to be have two components, the service name and a hostname,
|
||||
canonicalized as in Version 4 (i.e., with all domain suffixes removed).
|
||||
</itemize>
|
||||
|
||||
<code>
|
||||
Table: Kerberos Parameter Examples
|
||||
------------------------------------------------------
|
||||
Parameter Example
|
||||
------------------------------------------------------
|
||||
user frew@S2K.ORG
|
||||
user aoki/HOST=miyu.S2K.Berkeley.EDU@S2K.ORG
|
||||
host postgres_dbms/ucbvax@S2K.ORG
|
||||
------------------------------------------------------
|
||||
</code>
|
||||
<!--
|
||||
*******************************************
|
||||
************ End of Section ***************
|
||||
|
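Review bot: the pg_hba.conf example in the `<code>` block uses a mask of 255.255.255.0 on the single-host `reject` entry (`host all 192.168.0.10 255.255.255.0 reject`), which matches every address in 192.168.0.0/24 rather than one machine, and because the file is evaluated first match wins, the `password` and `crypt` entries that follow it would never apply; use `255.255.255.255` for the two single-host entries (192.168.0.10 and 192.168.0.3) so only the named machines match. The `password` entry's own comment says the password crosses the network in clear; since the SSH tunnel section in the same hunk is the documented mitigation, a cross-reference from that example to the SSH section would help. In the SSH section the sentence "A step-by-step explanation can be done in just two steps." appears twice, before and after the "Running a secure tunnel via ssh:" heading, and the itemize that follows has four items; keep one copy and drop the item count.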
@ -997,16 +1652,22 @@ add it to regression test package.
|
|||
<sect>GUI FrontEnd Tool for PostgreSQL (Graphical User Interface)
|
||||
<p>
|
||||
Web browser will be the most popular GUI front-end in the future.
|
||||
A major portion of code should be written in Web server scripting (and compiling)
|
||||
language <ref id="PHP" name="PHP+Zend compiler">, HTML, DHTML
|
||||
and with little bit of JavaScript and Java-Applets on web-client side.
|
||||
It is recommended that you migrate all of your "legacy" Windows 95/NT
|
||||
applications to PHP + HTML + DHTML and Zend compiler. <bf>PHP</bf> is extremely
|
||||
applications to Web-based application.
|
||||
|
||||
You should use Web-Application Servers like <ref id="Enhydra"> (Java based)
|
||||
or <ref id="Zope"> (Python based).
|
||||
|
||||
Best web-scripting (and compiling) language
|
||||
is <ref id="PHP" name="PHP+Zend compiler">
|
||||
<bf>PHP</bf> is extremely
|
||||
powerful as it combines the power of Perl, Java, C++, Javascript into one
|
||||
single language and it runs on all OSes - unixes and Windows NT/95.
|
||||
|
||||
The best tools in the order of preference are -
|
||||
<itemize>
|
||||
<item> Enhydra at <ref id="Enhydra"> plus Borland Java JBuilder for Linux <url url="http://www.inprise.com">
|
||||
<item> Zope at <ref id="Zope">
|
||||
<item> PHP script and Zend compiler at <ref id="PHP" name="PHP+Zend compiler">
|
||||
<item> X-Designer supports C++, Java and MFC <url url="http://www.ist.co.uk/xd">
|
||||
<item> Qt for Windows95 and Unix at <url url="http://www.troll.no"> and <url url="ftp://ftp.troll.no">
|
||||
|
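Review bot: two variants of the migration sentence appear in this hunk, one ending "to PHP + HTML + DHTML and Zend compiler. <bf>PHP</bf> is extremely" and one ending "to Web-based application."; whichever survives should read "to Web-based applications", and the "<bf>PHP</bf> is extremely powerful ..." sentence should appear only once (it is re-added a few lines later after the Enhydra/Zope paragraph). The `<ref id="Enhydra">` and `<ref id="Zope">` references carry no `name` attribute, unlike `<ref id="PHP" name="PHP+Zend compiler">` in the same hunk; give them link text so the rendered output shows something at those points.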
@ -1019,6 +1680,9 @@ The best tools in the order of preference are -
|
|||
|
||||
Language choices in the order of preference are -
|
||||
<enum>
|
||||
<item> Java but its programs run very slow and has license
|
||||
fees. C++ is <bf>5 times faster</bf> than Java!!
|
||||
<item> Python (Powerful object oriented scripting language).
|
||||
<item> PHP Web server scripting, HTML, DHTML with Javascrpt client scripting and Java-Applets.
|
||||
<item> Perl scripting language using Perl-Qt or Perl-Tk <ref id="Perl Database Interface">
|
||||
<item> Omnipresent and Omnipotent language C++ (GNU g++):
|
||||
|
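Review bot: "Javascrpt" in the PHP item should be "Javascript", and in the Java item "has license fees" should be "have license fees" (the subject is "programs"). The figure "C++ is <bf>5 times faster</bf> than Java!!" is given without a workload or source; cite a benchmark or present it as the author's own measurement.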
@ -1027,8 +1691,6 @@ Language choices in the order of preference are -
|
|||
<item> GNU C++ and QtEZ or QT
|
||||
<item> GNU C++ with Lesstiff or Motif.
|
||||
</itemize>
|
||||
<item> Java but its programs run very slow and has license
|
||||
fees. C++ is <bf>20 times faster</bf> than Java!!
|
||||
</enum>
|
||||
|
||||
There are other tools available -
|
||||
|
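Review bot: the Java item re-added at the end of the enum now says C++ is "<bf>20 times faster</bf>" while the copy in the previous hunk says "5 times"; the two should agree, and the factor needs a source either way. "Lesstiff" on the "GNU C++ with Lesstiff or Motif." item should be "LessTif".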
@ -1759,6 +2421,41 @@ it at
|
|||
<htmlurl url="mailto:de@ucolick.org"
|
||||
name="de@ucolick.org">
|
||||
</itemize>
|
||||
<!--
|
||||
*******************************************
|
||||
************ End of Section ***************
|
||||
*******************************************
|
||||
|
||||
|
||||
|
||||
|
||||
<chapt>CPUs for PostgreSQL
|
||||
-->
|
||||
<sect>CPUs for PostgreSQL
|
||||
<p>
|
||||
The following CPUs (both 64-bit and 32-bit) are available for PostgreSQL. All these
|
||||
CPUs run Linux.
|
||||
<itemize>
|
||||
<item> GNU/GPL Freedom 64-bit F-CPU <url url="http://f-cpu.tux.org">
|
||||
<item> Russian E2k 64-bit CPU (The world's fastest CPU as of June, 2000 ???!!!)
|
||||
website : <url url="http://www.elbrus.ru/roadmap/e2k.html">
|
||||
Elbrus is now partnered (alliance) with Sun Microsystems of USA
|
||||
<item> Korean CPU from Samsung 64-bit CPU original from DEC Alpha
|
||||
<url url="http://www.samsungsemi.com">
|
||||
Alpha-64bit CPU is at <url url="http://www.alpha-processor.com">
|
||||
Now there is collaboration between Samsumg, Compaq of USA on Alpha CPU
|
||||
<item> Intel IA 64 <url url="http://developer.intel.com/design/ia-64">
|
||||
<item> Transmeta crusoe CPU and in near future Transmeta's 64-bit CPU
|
||||
<item> Sun Ultra-sparc 64-bit CPU
|
||||
<item> Silicon Graphics MIPS Architecture CPUs <url url="http://www.sgi.com/processors">
|
||||
<item> IBM Power PC (motorola) <url url="http://www.motorola.com/SPS/PowerPC/index.html">
|
||||
<item> Seimens Pyramid CPU from Pyramid Technologies
|
||||
<item> Intel X86 series 32-bit CPUs Pentiums, Celeron etc..
|
||||
<item> AMDs X86 series 32-bit CPUs K-6, Athlon etc..
|
||||
<item> National's Cyrix X86 series 32-bit CPUs Cyrix etc..
|
||||
<item> European Space Agency's ESA-32bit and ESA-64bit CPUs
|
||||
<item> Other CPUs from other countries ?? Let me know...
|
||||
</itemize>
|
||||
<!--
|
||||
*******************************************
|
||||
************ End of Section ***************
|
||||
|
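Review bot: spelling in the CPU list: "Seimens" should be "Siemens", "Samsumg" should be "Samsung", "crusoe" is "Crusoe" and "Ultra-sparc" is "UltraSPARC". The parenthetical "(The world's fastest CPU as of June, 2000 ???!!!)" on the E2k item is speculation with no reference and should be sourced or removed. The `<chapt>CPUs for PostgreSQL` line inside the `<!-- -->` comment duplicates the live `<sect>CPUs for PostgreSQL` heading and can go.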
@ -1813,6 +2510,15 @@ only intel box, 13" monochrome monitor (very low cost monitor). Local vendors
|
|||
sell just the hardware <bf>without</bf> any Microsoft Windows/DOS.
|
||||
You do not need a color monitor for the database server, as you can do
|
||||
remote administration from color PC workstation.
|
||||
|
||||
You can buy bare-bone computer hardware from online stores. You can get good
|
||||
rates in "Online Auctions"
|
||||
<itemize>
|
||||
<item>Online store and auction hall <url url="http://www.egghead.com">
|
||||
<item>Online store <url url="http://www.buy.com">
|
||||
<item>Bidding store <url url="http://www.ubid.com">
|
||||
</itemize>
|
||||
|
||||
Get RedHat (or some other distribution of) Linux cdrom from below -
|
||||
<itemize>
|
||||
<item>Linux System Labs Web site: <url url="http://www.lsl.com/"> 7 (U.S. dollars)
|
||||
|
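Review bot: "remote administration from color PC workstation" should be "from a color PC workstation", and the sentence "You can get good rates in "Online Auctions"" is missing its terminating period before the itemize.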
@ -1851,14 +2557,20 @@ BEA Weblogic.
|
|||
|
||||
|
||||
-->
|
||||
<sect1> Enhydra
|
||||
<sect1> Lutris Corp "Enhydra" <label id="Enhydra">
|
||||
<p>
|
||||
Enhydra is a immensely popular Web-Application-Server created by 'Lutris Corporation'.
|
||||
Enhydra supports PostgreSQL database.
|
||||
Enhydra is a immensely popular Java/XML Web-Application-Server created by 'Lutris Corporation'. It is the world's best Java/XML Web-Application server.
|
||||
It supports EJB, Servlets, JSP, JNDI, JDBC, JTA, CORBA, XMLC/Rocks, DODS
|
||||
and internationalization.
|
||||
It is written in 100% pure Java and is available from
|
||||
<url url="http://www.enhydra.org">. Enhydra is a open-sourcecode project but is
|
||||
<url url="http://www.enhydra.org">. Enhydra is a open source code project but is
|
||||
commercially sold and supported by Lutris Corp. Visit
|
||||
<url url="http://www.lutris.com">
|
||||
|
||||
You would use Borland Corp's JBuilder along with Enhydra. JBuilder is at
|
||||
<url url="http://www.inprise.com">
|
||||
|
||||
See also Enterprise Java HOWTO at
|
||||
<url url="http://www.linuxdoc.org/HOWTO/Enterprise-Java-for-Linux-HOWTO.html">
|
||||
<!--
|
||||
|
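Review bot: the rewritten Enhydra paragraph drops the only PostgreSQL-specific statement in the section ("Enhydra supports PostgreSQL database."); keep that sentence, since it is the reason the product is listed in this HOWTO. "It is the world's best Java/XML Web-Application server." is an unsupported superlative and should be cut or attributed. Grammar in the same hunk: "a immensely popular" should be "an immensely popular", and "a open source code project" should be "an open-source project".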
@ -1870,7 +2582,7 @@ See also Enterprise Java HOWTO at
|
|||
|
||||
|
||||
-->
|
||||
<sect1> Zope
|
||||
<sect1> Zope <label id="Zope">
|
||||
<p>
|
||||
Python is becoming immensely popular "pure" object-oriented scripting language.
|
||||
Zope is a Web-Application server and provides interfaces to PostgreSQL.
|
||||
|
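Review bot: "Python is becoming immensely popular "pure" object-oriented scripting language." needs an article: "an immensely popular". The `<label id="Zope">` added to the sect1 line does match the `<ref id="Zope">` introduced earlier in this commit.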
@ -2426,9 +3138,9 @@ with full source code you will probably like PHP.
|
|||
*******************************************
|
||||
************ End of Section ***************
|
||||
*******************************************
|
||||
|
||||
-->
|
||||
<sect1>
|
||||
Major Features
|
||||
<sect1> Major Features
|
||||
<p>
|
||||
<itemize>
|
||||
<item>Standard CGI, FastCGI and Apache module support -
|
||||
|
@ -2742,6 +3454,25 @@ this option if you like.
|
|||
************ End of Section ***************
|
||||
*******************************************
|
||||
|
||||
-->
|
||||
<sect1> PHPGem package
|
||||
<p>
|
||||
PHPGem is a PHP-script which accelerates the creation of PHP-scripts
|
||||
for working with tables. It works with different SQL-servers such as
|
||||
PostgreSQL, MySQL, mSQL, ODBC, and Adabas. You input a description of
|
||||
and parameters for your tables' fields (field name, on/off searching
|
||||
in the field, etc.), and PHPGem outputs another PHP-script which will
|
||||
work with the tables (view/add/edit/delete/duplicate entries and
|
||||
search). PHPGem works with multi-level nested tables. PHPGem allows
|
||||
you to specify a level of access for each table and for each field for
|
||||
each user. PHPGem also support images.
|
||||
|
||||
PHPGem is at <url url="http://sptl.org/phpgem">
|
||||
<!--
|
||||
*******************************************
|
||||
************ End of Section ***************
|
||||
*******************************************
|
||||
|
||||
|
||||
|
||||
|
||||
|
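Review bot: "PHPGem also support images." should be "supports". The sentence about "a level of access for each table and for each field for each user" does not say where that level is enforced; since PHPGem emits a PHP script that serves the tables to the browser, the text should state whether the access level is checked in the generated server-side script or only reflected in the generated forms, as that decides whether it is an access control or a display setting.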
@ -4932,7 +5663,29 @@ Compiling the source you will get the following commands like
|
|||
<item>sgml2latex databasehowto.sgml (to generate latex file)
|
||||
</itemize>
|
||||
|
||||
This document is located at -
|
||||
LaTeX documents may be converted into PDF files simply by
|
||||
producing a Postscript output using <bf>sgml2ps</bf> ( or dvips) and running the
|
||||
output through the Acrobat <bf>distill</bf> (<url url="http://www.adobe.com">) command as follows:
|
||||
<code>
|
||||
bash$ man sgml2latex
|
||||
bash$ sgml2latex filename.sgml
|
||||
bash$ man dvips
|
||||
bash$ dvips -o filename.ps filename.dvi
|
||||
bash$ distill filename.ps
|
||||
bash$ man ghostscript
|
||||
bash$ man ps2pdf
|
||||
bash$ ps2pdf input.ps output.pdf
|
||||
bash$ acroread output.pdf &
|
||||
</code>
|
||||
Or you can use Ghostscript command <bf>ps2pdf</bf>.
|
||||
ps2pdf is a work-alike for nearly all the functionality of
|
||||
Adobe's Acrobat Distiller product: it
|
||||
converts PostScript files to Portable Document Format (PDF) files.
|
||||
<bf>ps2pdf</bf> is implemented as a very small command script (batch file) that invokes Ghostscript, selecting a special "output device"
|
||||
called <bf>pdfwrite</bf>. In order to use ps2pdf, the pdfwrite device must be included in the makefile when Ghostscript was compiled;
|
||||
see the documentation on building Ghostscript for details.
|
||||
|
||||
This howto document is located at -
|
||||
<itemize>
|
||||
<item> <url url="http://sunsite.unc.edu/LDP/HOWTO/PostgreSQL-HOWTO.html">
|
||||
</itemize>
|
||||
|
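Review bot: the `<code>` block mixes two conversion paths and two file names: `distill filename.ps` is followed by `ps2pdf input.ps output.pdf`, so a reader running the sequence as written invokes ps2pdf on a file that was never produced; use one name throughout (`ps2pdf filename.ps filename.pdf`, then `acroread filename.pdf &`) and either split the block into a Distiller sequence and a Ghostscript sequence or drop the `man` lines, which are not steps. The prose after the block ("Or you can use Ghostscript command <bf>ps2pdf</bf>.") then agrees with the code. The dangling line "This document is located at -" near the top of the hunk has no list after it; the later "This howto document is located at -" with its itemize should be the only copy.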
@ -4997,11 +5750,13 @@ You can read the latex, LyX output using LyX a X-Windows front end to latex.
|
|||
|
||||
|
||||
|
||||
<chapt change> Copyright Notice
|
||||
<chapt change> Copyright and License
|
||||
-->
|
||||
<sect> Copyright Notice
|
||||
<sect> Copyright and License
|
||||
<p>
|
||||
Copyright policy is GNU/GPL as per LDP (Linux Documentation project).
|
||||
Copyright Al Dev (Alavoor Vasudevan) 1997-2000.
|
||||
|
||||
License policy is GNU/GPL as per LDP (Linux Documentation project).
|
||||
LDP is a GNU/GPL project.
|
||||
Additional restrictions are - you must retain the author's name, email address
|
||||
and this copyright notice on all the copies. If you make any changes
|
||||
|
@ -7704,6 +8459,18 @@ The following are the sites suggested by John Hoffman:
|
|||
*******************************************
|
||||
************ End of Section ***************
|
||||
*******************************************
|
||||
-->
|
||||
<sect1> On-line SQL tutorials
|
||||
<p>
|
||||
Visit the following sites for on-line SQL tutorials
|
||||
<itemize>
|
||||
<item> SQL beginner course <url url="http://sqlcourse.com">
|
||||
<item> SQL advanced course <url url="http://sqlcourse2.com">
|
||||
</itemize>
|
||||
<!--
|
||||
*******************************************
|
||||
************ End of Section ***************
|
||||
*******************************************
|
||||
|
||||
|
||||
|
||||
|