Tải bản đầy đủ - 0trang
10 Enabling File and Printer Sharing, and Multimedia in Nxclient
TCAM—Ternary Content Addressable Memory
Unlike normal RAM in a computer where data is stored in many addresses and
the RAM can only be queried for the contents at a given address, Content
Addressable Memory (CAM) works in the other direction. CAM is provided
with content, then searches its memory in order to return a list of addresses
where the content was found. With RAM, a search requires software to repeatedly read from a memory address, compare the contents of memory to the
content being searched for, then move on to the next address, repeating until the
area of RAM to be searched is exhausted. With CAM, content can be provided,
and the list of addresses containing that content is returned in one operation,
which provides a phenomenal speedup for searching the contents of memory.
Ternary Content Addressable Memory takes this a step further. With normal
CAM, the stored data is only in the form of bits—a word at an address may be
10011101, but TCAM may contain a third state of “don’t care” or “X” in memory—so a word at an address could be 10011X01, which would match the
search for 10011101 and 10011001. CAM and TCAM are often used in switches
and routers to store MAC lookup tables and routing tables, respectively. A
router may have a network address in memory, and when a packet arrives to be
routed, its destination IP address can be searched for in TCAM, which will
instantly return the address of a routing table entry for its destination address,
stored with only the network part of the destination network as 1 or 0, and host
part as X. CAM and TCAM are far more complex, expensive, and power-hungry
memory-wise than normal RAM, but are necessary for applications like routing
where a search through a routing table must be done thousands or millions of
times per second.
TCP—Transmission Control Protocol
One of the central protocols essential to the function of the Internet, TCP allows
applications to create connections that, once established, the applications can
stream data across. TCP stacks in an operating system do the hard work of splitting the stream of data into segments with a sequence number, and sending
them out over an IP-based network. At the remote end, the TCP stack acknowledges packets that have been received (so that missing packets can be resent)
and reassembles received packets in the correct order to provide an in-order data
stream to the remote application.
TLS/SSL—Transport Layer Security/Secure Sockets Layer
TTL—Time To Live
A TTL is a limit on how long a piece of information can exist before it should be
discarded. One example is a DNS record. When first looked up by a caching
DNS server, a domain’s DNS records will be cached and the TTL will be
recorded in seconds. Before the number of seconds has passed, any subsequent
DNS lookups of that record will come from the cache. Once the TTL has passed,
the cached record expires, and should be looked up again from an authoritative
source. The time may also be a number of transmissions or hops on a network,
for example performing a traceroute depends on a TTL being reduced by 1 on
every hop. When a traceroute runs, a series of packets are sent towards a destination with increasing TTL values. With each hop, the TTL is reduced—when it
reaches 0, the packet is considered expired, and an ICMP Time Exceeded packet
is returned to the sender. The traceroute utility is able to record the origin of
each ICMP packet returned as each successive longer TTL allows the packet to
reach further through a network, then display the list of hosts a packet passes
through to reach the destination.
UART—Universal Asynchronous Receiver/Transmitter
A UART is a device that performs a conversion between data in parallel form,
such as bytes in memory, and a serial stream for transmission over a serial connection. Universal refers to the ability of the Asynchronous Receiver/Transmitter to operate at a number of different bit rates, depending on the need at the
A method whereby multiple logical LAN segments are created on top of an existing
physical LAN. An existing LAN segment may consist of 10 computers physically
connected as a LAN. Along comes the concept of a VLAN, and it defines three of
those computers as belonging to VLAN1, with the remaining seven on VLAN2. To
software running on the machines in VLAN1, the entire LAN consists of just
three computers, and the other seven (although physically connected as if they
were part of the same LAN) are not seen. This logical subnetting reduces traffic
on the network by providing smaller (and more numerous) broadcast domains,
and subnets can be created without needing to rewire or relocate hardware physically. VLANs are implemented through the use of IEEE 802.1Q, which allows
the tagging of Ethernet frames with information that identifies which VLAN they
Appendix B: Glossary of Networking Terms
VNC—Virtual Network Computing
VNC is a remote display system where a user can view or control the desktop
environment of a remote computer that may be across the room, or on the other
side of the world over the Internet. When controlling, communication goes both
ways—keyboard and mouse events are sent from the viewer (the client) to the
remote machine, and the remote (the server) provides updates of the screen display back to the client. VNC works on a framebuffer level, and does not require
higher-level protocols to display windows, text, animation and so on—all screen
updates are purely image based. A user may connect to a server, use its desktop
for a time, then disconnect and move to another location. Upon reconnecting to
the server, the user will see the exact desktop, down to the mouse pointer being
in the same place.
There are many VNC implementations; you can control two PCs from a single
keyboard and mouse, attach to an existing session, and mix-and-match operating systems.
VoIP—Voice over IP
Using packet-switched networks to transmit voice traffic instead of the traditional
circuit-switched networks. Packet-switching allows the physical circuits to carry
far more traffic.
VPN—Virtual Private Network
In its broadest sense, a network tunneled through another network. In the term’s
usage in this book, it is a tunnel used to connect trusted remote users (such as
those on laptops working from home), or other remote networks (such as a
branch office) into a LAN, so that the remote users may have full network access
as if their computer were connected directly to the LAN. The connection is tunneled over the Internet, and the two endpoints authenticate to one another and
encrypt communications. Think of it as a long, private Ethernet cable that
extends over the Internet to your users in the field.
WAN—Wide Area Network
A Wide Area Network is a network that spans a large geographic area relative to
a LAN. It will likely contain a paid network connection by a telecommunications provider, and cross legal (including national) boundaries. A school campus
may consider its entire on-campus network to be a LAN (even if that supplies
hundreds of buildings on the one site), and the connection to other campuses in
different cities to be part of the WAN. On a different scale, a community wireless network may consider home computer networks of one or two machines to
each be LANs, and the wireless network that connects them all across one part
of a city to be their WAN. The Internet can be considered the largest of all
WAP—Wireless Access Point
The device that connects a wired LAN to a wireless network, and acts to move
data between wireless devices and the wired LAN, or directly to the Internet.
The WAP contains the antenna that transmits/receives wireless signals to/from
any wireless-connected devices such as laptops, and is the device that implements the encryption required for good wireless security.
WEP—Wired Equivalent Privacy (or Wireless Encryption Protocol)
An encryption scheme used to secure wireless networks, part of the 802.11 standard. WEP is particularly weak protection, and vulnerable to an attacker within
minutes using freely available tools such as AirSnort and WEPCrack. If your
hardware only supports WEP, upgrade to something supporting WPA/WPA2.
As of August 2003, Wi-Fi certification is not possible without WPA support.
Wi-Fi refers to standards (the 802.11 family) that define wireless networking
most commonly used on LANs. While IEEE formally defines the 802.11 standards, testing and certification of products following the standard is performed
by the Wi-Fi Alliance, an industry group formed to push the adoption of standard wireless networking. Only products tested by the Wi-Fi Alliance may carry
the Wi-Fi trademark. Wi-Fi certification is a moving target that involves not just
the wireless connection itself, but relevant technologies such as encryption, QoS,
and power saving. As new wireless developments are ratified, the requirements
for Wi-Fi certification change, too. One example is security; WPA2 certification
is compulsory in order to obtain Wi-Fi certification as of 2006.
A Name Service Switch (NSS) module that allows a Linux (and Unix/Unix-alike)
system to join a Windows domain and obtain login information from the
domain, instead of from the Linux system’s local user database. Essentially, this
means Windows domain users (NT or Active Directory) can appear and operate
as Linux users on the Linux machine, and gain access to Windows domain services. Winbind is part of the Samba suite.
WINS—Windows Internet Name Service
WINS is Microsoft’s name resolution service for NetBIOS computer names. A
WINS server allows computers to register their NetBIOS names and IP addresses
dynamically upon joining a network. A computer queries the WINS server by
providing the NetBIOS name of a machine it is interested in, and the WINS
server returns that machine’s IP address. WINS is essentially to NetBIOS names
as DNS is to domain names. Under Linux, Samba is perfectly capable of acting
as a WINS server.
Appendix B: Glossary of Networking Terms
WPA/WPA2—Wi-Fi Protected Access
Encryption schemes used to secure wireless networks. There are two flavors of
WPA: WPA and WPA2. WPA is an upgrade of WEP; both use RC4 stream
encryption. It was designed to be a transitional protocol between WEP and
WPA2. WPA is stronger than WEP, but not as strong as WPA2. WPA2 uses a
new strong encryption protocol called Counter Mode with CBC-MAC Protocol
(CCMP), which is based on Advanced Encryption Standard (AES).
Linux Kernel Building
This is a quick guide to building a custom 2.6 kernel, patching the kernel, and adding loadable kernel modules. You’ll find detailed recipes in Linux Cookbook
(O’Reilly) in Chapter 10, “Patching, Customizing, and Upgrading Kernels,” and
Chapter 12, “Managing the Bootloader and Multi-Booting,” which tells how to
customize your GRUB or LILO boot menus for different kernels.
Why would you want to build a custom kernel? To add features or remove unnecessary features. On routers and firewalls, it adds a bit of security to use kernels that
have had all the unnecessary features removed, and you can reduce the size considerably to fit on devices with limited storage.
Building a Custom Kernel
Many distributions have their own distribution-specific tools for building kernels.
You don’t need these for building vanilla kernels from kernel.org. But, it’s a different
story when you’re using distribution-specific kernel sources. Red Hat and Fedora
package theirs as source RPMs, so you can’t just build the kernel, but must also
build an RPM. Fear not, for this appendix reveals how. Red Hat/Fedora kernels are
heavily patched, to the point that a vanilla kernel may not even work, so you need to
know the Red Hat Way of customizing kernels.
Debian, on the other hand, does very little modification to Linux kernels. They
remove any bits that don’t meet their policies, and that’s all. So, vanilla kernels work
fine on Debian systems.
You’ll need a build environment, kernel source code for your distribution, and at
least 2 GB of free disk space. You can build a kernel on any system, then copy it to
other systems. If you like to modify kernels a lot, you might set up an old PC as a
dedicated kernel-building station. Then, you’ll only have to maintain source trees
and utilities on a single box.
Most documentation tells you to unpack kernel sources into /usr/src/linux. Don’t do
this. As the kernel README says:
Do NOT use the /usr/src/linux area! This area has a (usually incomplete) set of kernel
headers that are used by the library header files. They should match the library, and
not get messed up by whatever the kernel-du-jour happens to be.
You may store binaries and source trees anywhere, and execute almost every step as
an unprivileged user. Only the final steps require superuser privileges.
You may install as many kernels as you like, selecting the one you want to use at
You need a build environment and some helpful utilities. You should have the lshw
and lspci commands installed in case you need to look up hardware information.
Run the update-pciids command first to bring them up-to-date. Run cat /proc/
cpuinfo to display your CPU specs.
Next, on Fedora, install these packages to get a basic build environment:
# yum groupinstall 'Development Tools'
# yum install qt-devel
On Debian, install these packages:
# aptitude install build-essential libqt3-mt-dev qt3-dev-tools
Building a Vanilla Kernel
Obtaining a kernel that has not been altered by distribution vendors is easy—go to
http://kernel.org/, the mothership of the Linux kernel. Download and unpack it into a
folder in your own home directory; for example ~/kernel:
[carla@windbag:~/kernel]$ wget http://kernel.org/pub/linux/kernel/v2.6/linux-188.8.131.52
[carla@windbag:~/kernel]$ tar zxvf linux-184.108.40.206
This is about a 40 MB download that will unpack to about 240 MB.
Change to the top-level directory of your new source tree. All of the following commands will be run from here:
$ cd linux-220.127.116.11
Read the Documentation/Changes file to make sure you have the correct gcc version
and other necessary utilities. Read the README for installation tips and other useful information.
Edit the new kernel makefile (~/kernel/linux-18.104.22.168/Makefile) to give a custom
value to EXTRAVERSION, such as EXTRAVERSION =-test. Or, in the kernel configuration,
enter your custom value in General Setup ➝ Local version ➝ append to kernel
Building a Custom Kernel |
Let’s see what options the make command has:
$ make help
Even though this is a brand-new source tree, run a cleanup first:
$ make mrproper
At this point, you may copy your own custom config file to this directory, or just let
make take care of it for you. If you don’t provide one, it will use your /boot/config-*
file. You can change everything anyway, so it doesn’t matter all that much.
Now, run these commands:
mkinitrd -o /boot/initrd-linux-22.214.171.124
cp linux-126.96.36.199/arch/i386/boot/bzImage /boot/vmlinuz-linux-188.8.131.52
cp linux-184.108.40.206/System.map /boot/System.map-linux-220.127.116.11
Save a copy of your new config file in a directory outside of the build tree. Add the
new kernel to your GRUB bootloader menu:
new test kernel
/boot/vmlinuz-18.104.22.168 root=UUID=b099f554-db0b-45d4-843e-0d6a1c43ba44 ro
Where does the UUID come from? From running the blkid command:
/dev/sda1: UUID="b099f554-db0b-45d4-843e-0d6a1c43ba44" SEC_TYPE="ext2" TYPE="ext3"
/dev/hda1: UUID="1a5408ad-7d1d-4e24-b9db-d132d76e9e8e" SEC_TYPE="ext2" TYPE="ext3"
Remember that GRUB counts from zero, so hd0,0 means /dev/hda1, or the first partition of the first block device. In this era of mixed PATA and SATA drives, this
depends on the BIOS order of your hard drives, so you may need to dig around in
your BIOS settings to see which drive the BIOS recognizes as the first, second, and so
Reboot to your new kernel and enjoy. If it doesn’t work, simply reboot to your old
kernel, and try again.
You should use UUIDs to identify your block devices because /dev names are no
longer static, but at the mercy of udev. You need to create an initrd image because
the /dev directory is not populated until after boot, so there is no way to build the
boot device into the kernel anymore.
Appendix C: Linux Kernel Building Reference
make xconfig is time-consuming, but very important. If you leave out anything important, some things won’t work, or it might not boot at all. Every configuration item
has a Help entry. The kernel source tree has reams of help in the Documentation/
You have three options for each configuration item: leave it out, build it into the
kernel, or build it as a loadable module. These things should be built-in to the kernel:
• Module support and kmod, for automatic module loading
• a.out binaries, ELF binaries, and MISC binaries
• VGA text console
• All filesystems you’ll be using, such as ext2/3, ReiserFS, JFS, XFS, loopback,
VFAT, NTFS, UDF, etc.
Any hardware support related to boot devices should be built into the kernel:
• IDE, ATA, and ATAPI block devices
• SCSI support (note that the 2.6 kernel does not need IDE-SCSI, so if you have no
SCSI devices, you can omit this)
• USB support
• Any on-board controllers
• ACPI power management
These are fine to have as loadable modules:
• NIC drivers
• USB drivers
• Sound card drivers
• PCI hotplug
• Video drivers
It doesn’t matter if you prefer a large statically built kernel, or a lean kernel with lots
of loadable modules. Don’t obsess over building the leanest possible kernel because
it doesn’t matter—performance is the same either way. Just be sure to enable loadable module support so that you can add additional modules as needed; this is a lot
quicker and easier than rebuilding a kernel. Your best chance of improving performance is to select support for your particular CPU, rather than generic i386.
Building a Custom Kernel |
Adding New Loadable Kernel Modules
Change to the directory that contains the build tree, like ~/kernel/linux-22.214.171.124.
Then, you’ll need a good up-to-date config file. Copy it to the top level of your build
tree, then run:
$ make oldconfig
This takes your existing configuration, and lets you add new features. As you go
through the configuration, find the driver you need, and select it as a module. For
example, the tulip module is a common driver for many Ethernet cards. Then, run
Load the module with modprobe:
# modprobe tulip
If you remembered to enable kmod in the kernel configuration, the kernel will try to
find and load all necessary modules at boot. If it doesn’t, add them to /etc/modules
(Debian) or /etc/modules.conf (most other Linux distributions).
Vendor-supplied modules come with their own installation instructions. For example, Nvidia provides a script that does everything for you. Others have different
methods, so it all depends on the vendor.
Patching a Kernel
If you wish to apply patches to your new kernel, this must be done before building it.
The patch must be in the next-highest directory upstream from your build tree; for
$ ls ~/kernel
Now, change to the top level of your build tree, then unpack and apply the patch:
$ cd linux-126.96.36.199
$ bzip2 -dc ../patch-188.8.131.52.bz2 | patch -s -p1
Or, you can do a test-drive first with the --dry-run option:
$ bzip2 -dc ../patch-184.108.40.206.bz2 | patch -s -p1 --dry-run
Now, configure and build your kernel, and away you go.
Your kernel build tree includes a script to handle applying patches for you, in scripts/
patch-kernel. This is a great little script when you have several patches to apply
Appendix C: Linux Kernel Building Reference
because it automatically applies them in the correct order. Have all of your patches
in the correct directory; then, from your top-level source directory, run this command:
Patches must be applied in order, and you must have all of them. For example, to use
patch-220.127.116.11-pre3.bz2, you also need the first two in the series, unless you downloaded a kernel that already includes the first set of patches.
Customizing Fedora Kernels
Fedora patches kernels heavily; a vanilla kernel from kernel.org may or may not
work. So, let’s do this the 100 percent Fedora way.
Fedora supplies only source RPMs, so you’ll have to customize your kernel and then
package it into an RPM. Download your kernel SRPM from your favorite Fedora
mirror, such as:
$ wget http://mirrors.kernel.org/fedora/core/development/source/SRPMS/kernel-18.104.22.16894.fc7.src.rpm
Then, make sure you have all the build tools you need:
# yum install rpmdevtools
Now, set up a build tree in your home directory, and make sure to do this as yourself and not as the root user:
This creates an rpmbuildtree directory populated with BUILD, RPMS, SOURCES,
SPECS, and SRPMS directories.
Now, install the source RPM. This will unpack files into your new rpmbuildtree
$ rpm -ivh 2.6.21-1.3194.fc7.src.rpm
Ignore any warnings about “group kojibuilder does not exist.”
Next, run the %prep stage of the RPM rebuild. Make the --target option match your
$ rpmbuild -bp --target=i686 ~/rpmbuild/SPECS/kernel-2.6.spec
The kernel tarball has been extracted, and all the Fedora patches applied. Change to
the source directory of your new build tree:
$ cd ~/rpmbuild/BUILD/kernel-2.6.21/linux-2.6.21-1.3194.i686/
$ make mrproper
Now, let’s get started with configuring the new kernel:
$ make xconfig
Building a Custom Kernel |