Figure 16-1 Typical VNC client and server configuration. The output is important. The first line after setting the password indi- cates that Xvnc has created a new display, :1 on the host coondog.example .com. You will need this information when you connect from the client sys- tem. vncserver asks for a password only the first time you start it. You can change the password later using the command vncpasswd or by removing the file $HOME/.vnc/passwd. The next two lines tell you that a startup script, /home/bubba/.vnc /xstartup, has been created and that the script has been executed, that is, the applications it specifies are running on the Xvnc display. This means that when you connect to the VNC server, the client will have those applications already running. This also means that if you want to customize the desktop provided by the server, you can edit the xstartup file. Finally, vncserver tells you where to find the log file it creates, which will simplify troubleshoot- ing the VNC server problems if you encounter any. When vncserver com- pletes, a simple, unadorned VNC desktop is ready to accept connections. Configuring Your Firewall for VNC Well, your VNC server is almost ready to accept connections. VNC listens on port 5500 plus the X display number for incoming VNC client sessions. On a properly secured system, these ports are blocked at the firewall. You have to punch a hole in the firewall for that port so that VNC clients can get through to the server. This configuration step requires root access because you need to use the Security Level Configuration tool to modify your system’s firewall setup (you are running a firewall, right?). 1. To start the Security Level Configuration tool, select Red Hat ➪ System Settings ➪ Security Level or type system-config-securitylevel at a command prompt. Figure 16-2 shows the Security Level Configura- tion tool’s main screen. INTERNET Corporate Firewall Home Firewall V NC Server VNC Clien t 384 Chapter 16 22_599496 ch16.qxd 8/30/05 6:40 PM Page 384 Figure 16-2 The Security Level Configuration tool. The firewall configuration shown in Figure 16-2 is tight: no external access of any sort is permitted on this machine. You’re about to change this. In the Other ports: (1029:tcp) text box, type 5901:tcp. By default, VNC uses ports numbered 5900 plus the display number. In this exam- ple, the display number is :1, so the port number is 5901. If you were using display number :21, the port number would be 5912. The :tcp portion of the port number tells the firewall to open port 5901 for TCP connections because the remote framebuffer protocol uses TCP, not UDP. 2. After you have entered the appropriate port number (see Figure 16-3), click OK to save your change and close the Security Level Configura- tion tool. Click Yes when the tool warns you that you are about to over- write your existing firewall configuration. VNC clients can now access the VNC server, so the server configuration is complete. Creating a VNC Server 385 22_599496 ch16.qxd 8/30/05 6:40 PM Page 385 Figure 16-3 Opening TCP port 5901 with the Security Level Configuration tool. Customizing the VNC Server Sure, the server configuration is complete, but the default desktop (jump ahead to Figure 16-5) is ugly, unless you like the twm window manager and the plain gray background. Remember that xstartup file, /home/bubba/ .vnc/xstartup? You can edit that to change the default desktop. Listing 16-1 shows the default xstartup file: #!/bin/sh # Uncomment the following two lines for normal desktop: # unset SESSION_MANAGER # exec /etc/X11/xinit/xinitrc [ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup [ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources xsetroot -solid grey vncconfig -iconic & xterm -geometry 80x24+10+10 -ls -title “$VNCDESKTOP Desktop” & twm & Listing 16-1 The default xstartup file. 386 Chapter 16 22_599496 ch16.qxd 8/30/05 6:40 PM Page 386 As you learned in Chapter 9, X Window System startup files configure your X environment and start certain X programs each time you log in. In this case, xstartup does the following: 1. Executes the file /etc/vnc/xstartup if it exists and is executable. 2. Loads any X resources stored in the file .Xresources if it exists and is readable. 3. Invokes xsetroot to set the background color to solid gray. 4. Starts the vncconfig program minimized. 5. Starts an 80x24 xterm with a specific title. 6. Starts twm, the Tab Window Manager. If you want your usual desktop, the one you get when you are sitting in front of the system, do what the instructions suggest and uncomment the fol- lowing two lines: # unset SESSION_MANAGER # exec /etc/X11/xinit/xinitrc You should also comment out the last four lines. The modified file should resemble Listing 16-2. #!/bin/sh # Uncomment the following two lines for normal desktop: unset SESSION_MANAGER exec /etc/X11/xinit/xinitrc [ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup [ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources #xsetroot -solid grey #vncconfig -iconic & #xterm -geometry 80x24+10+10 -ls -title “$VNCDESKTOP Desktop” & #twm & Listing 16-2 xstartup modified to display your standard desktop. The modified xstartup file starts your usual desktop because it invokes the system xinitrc file, which starts the standard X initialization process. You might want to stick with the default VNC server configuration, though. Running X over a network connection is always going to be slower than run- ning it directly unless you have a very fat pipe and no network congestion. The default VNC configuration runs the twm window manager, which is consider- ably faster than X desktop environments like KDE and GNOME. twm is also Creating a VNC Server 387 22_599496 ch16.qxd 8/30/05 6:40 PM Page 387 faster than many modern window managers too. The point is that the less eye candy transmitted over the wire, the faster your VNC setup will be. Yes, twm might make your eyes bleed, and it definitely lacks features that many have come to expect from your window manager. However, if you are working remotely, you might not need the application integration and the eye candy as much as you need a responsive “desktop.” You can also customize twm by edit- ing (or creating) a twmrc file, which might make it a little easier on your eyes. Testing the VNC Testing your VNC setup is simple. First, make sure that it works locally by starting a VNC client on the same system as the VNC server. If the VNC server you started in the section “Setting Up a VNC Server” isn’t running, restart it: $ vncserver New ‘luther.kurtwerks.com:1 (kwall)’ desktop is luther.kurtwerks.com:1 Starting applications specified in /home/kwall/.vnc/xstartup Log file is /home/kwall/.vnc/luther.kurtwerks.com:1.log Next, in a terminal window, start the VNC client, or viewer, by executing the command vncviewer :n, replacing n with the display number vncserver reported when it started (1, in the example). You will see the password prompt shown in Figure 16-4. $ vncviewer :1 VNC Viewer Free Edition 4.1.1 for X - built Apr 27 2005 02:25:46 Copyright (C) 2002-2005 RealVNC Ltd. See http://www.realvnc.com for information on VNC. Sat May 21 01:01:32 2005 CConn: connected to host localhost port 5901 CConnection: Server supports RFB protocol version 3.8 CConnection: Using RFB protocol version 3.8 Figure 16-4 The VNC authentication dialog box. 388 Chapter 16 22_599496 ch16.qxd 8/30/05 6:40 PM Page 388 Type the password you provided when you configured the VNC server and press Enter. Assuming that you are using the default VNC server configura- tion (the one that uses twm), the resulting screen should resemble Figure 16-5. Figure 16-5 doesn’t look terribly impressive, but the purpose of this exercise is to satisfy yourself that the server is working. You should be able to start applications, surf the Web (assuming that the server is connected to the Inter- net), and use the remote computer just as if you were sitting in front of it. Fig- ure 16-6, for example, shows the Fedora Project Web site in a Mozilla browser session started from the VNC client. Figure 16-5 Viewing the default VNC desktop in a VNC client. Figure 16-6 Using Mozilla in the VNC client. Creating a VNC Server 389 22_599496 ch16.qxd 8/30/05 6:40 PM Page 389 You can also start the VNC client by selecting Red Hat ➪ Accessories ➪ VNC Viewer. If you use the menu, you will have to specify the VNC server to which to connect, as shown in Figure 16-7. The server specification shown in Figure 16-7 included the display number. If you don’t include this value, you won’t get a connection. You can use either the IP address, as shown in the figure, or the hostname. In fact, if you use the hostname, you can use the FQDN or the alias, if one is defined in /etc/hosts. After establishing that the server is working, close the client session by pressing F8 while the viewer has the focus and selecting Exit Viewer from the pop-up menu. (See Figure 16-8.) Now, test the configuration from a remote machine. Figure 16-9 shows a VNC client session running on Microsoft Windows XP. The client software is the RealVNC for Windows, which is the same product as used on Fedora Core and RHEL systems. Figure 16-7 Specifying the target VNC server. Figure 16-8 The VNC viewer pop-up menu. 390 Chapter 16 22_599496 ch16.qxd 8/30/05 6:40 PM Page 390 Figure 16-9 Using a Linux VNC server from Microsoft Windows. To get the full effect of VNC, especially when you use the viewer from a Windows system, consider Figure 16-10, which shows a VNC session to the server configured in the first section of this chapter. In this case, the server was started using the modified xstartup in Listing 16-2, which displays the stan- dard system desktop (KDE, in this case) rather than the faster, nimbler, and uglier twm. To reiterate the point made earlier, running X across a network, especially the Internet, is going to be a slower affair than running it directly. On a LAN such as a home network (the environment in which the Figures 16-9 and 16-10 were taken), the performance hit will be minimal, and you might not notice or mind the difference. Across the Internet, you will find it intolerably slow run- ning something like KDE, GNOME, or the more, shall we say, feature-rich window managers. Whether you use KDE with all the trimmings or some- thing leaner like twm, you will definitely appreciate being able to access your desktop system from a remote location. Creating a VNC Server 391 22_599496 ch16.qxd 8/30/05 6:40 PM Page 391 Figure 16-10 Running KDE on Microsoft Windows via VNC. When you are done running the VNC server, you can kill the running process by passing the -kill option to vncserver: $ vncserver -kill :1 Killing Xvnc process ID 30790 Replace :1 with the display number on which the VNC server was running. Summary Providing road warriors and telecommuters access to LAN-based services is an increasingly important requirement that system administrators are asked to meet. VNC is one way to meet that requirement. With minimal configuration on the server side and no configuration on the client side, you can provide remote access to one or more Linux systems using VNC. As always, poking a hole in your firewall to permit external access poses a security risk, so you have to weigh that risk against the advantages and decide whether VNC is the way you want to go. As you saw in this chapter, the advantages of remote access to your desktop system are hard to dispute. 392 Chapter 16 22_599496 ch16.qxd 8/30/05 6:40 PM Page 392 393 Any system administrator can testify that requests for new or enhanced ser- vices pop up constantly. Sometimes they arrive in a trickle; other times a fire hose delivers them. One commonly requested service is a time server, a service that provides the authoritative clock against which all other systems on the LAN sync their clocks. Perhaps the boss wants people to be able to share infor- mation on the company intranet and asks you to create a way to post Web doc- uments to the intranet Web server. This chapter describes setting up two nonessential LAN-based services that select groups of intranet users (or you) might find useful. These services fall into the nonessential category because they provide functionality that is nice to have but without your LAN is still amply serviceable. The nonessential services described in this chapter include an NTP-based time server and a caching proxy server. Naturally, these two topics hardly exhaust the possible list of conveniences users (and managers) can and do request. Some of the topics that might seem appropriate for this chapter are cov- ered elsewhere in the book. For example, Chapter 16 describes how to set up a VNC server to give remote users access to their desktops. Building a Web server for your company intranet is no different from building a Web server that faces the Internet, a topic covered in Chapter 23. Likewise, Chapter 24 shows you how to configure some of the Web-based services users typically want, such as mail- ing lists, Web-based email, site search functionality, and RSS feeds. Providing Additional Network Services IN THIS CHAPTER ■■ Configuring a Time Server ■■ Providing a Caching Proxy Server CHAPTER 17 23_599496 ch17.qxd 8/30/05 6:41 PM Page 393 [...]... Synchronization” at Mills’ Web site, eecis.udel.edu/~mills/exec.html For more information about NTP, the authoritative Web site is ntp.org NTP consists of a daemon (ntpd ), a small set of utility programs (ntpq, ntpdc, ntpdate, ntptrace, tickadj, ntptime, ntiptime, ntp-kegen, and ntpdsim ), and the all-important configuration file, /etc/ntp.conf The NTP daemon is dual-purpose It acts as a server, listening for time... entries, beginning with the restrict directive, are, not surprisingly, restrictions on the listed IP addresses or hostnames The first entry uses the keyword default, which means an IP address and mask of 0.0.0.0 The option flags, nomodify, notrap, and noquery, prevent the listed IP address from modifying, logging, or querying the NTP service on the server The second rule, restrict 127.0.0. 1, permits... backbone providers The theory is that if one backbone or a segment of one provider’s backbone fails (because the fiber-optic cable is cut by a backhoe, say ), access to that time server will be impaired NTP is engineered to select an alternative server, but if all your servers use that same severed backbone, you’re hosed So, for example, if your primary network access uses UUNet, good geographic dispersal... The most common time server solution, especially for small(ish) networks and organizations, is strictly software-based The simplest approach is to use the date program to set your system clock to the time broadcast by another system The kid-tested, mom-approved, and syadmin-preferred method, though, is to use the Network Time Protocol, or NTP NTP is an open standard that defines how Internet time servers... client systems to coordinate their system clocks with the NFS server’s clock, the problem went away and has not returned Eventually, we set up a time server for the entire LAN and configured all systems to synchronize to that time server Selecting a Time Server Solution If you’ve decided (or have been told) that you need a time server, your options fall into three categories: hardware, software, or both... select the server to use as a reference clock, start the NTP daemon, ntpd, and you’re done The GUI-addicted can use the Date/Time Properties tool Either start it from the menu (Red Hat ➪ System Settings ➪ Date & Time) or type system- config-date at a command prompt Either way, you should see the screen shown in Figure 17-1 If NTP is already running on your system, the Date & Time tab will be disabled (grayed... preferred practice is to set up a time server inside your firewall (you do have firewall, right? ), synchronize it with an external reference clock, and then synchronize your LAN clients with your internal time server If you have a large network, that is, one with more than 100 NTP clients, it might be prudent to invest in a dedicated hardware clock and use that as your time server Such a measure would reduce... network, system, and CPU resources better used for other purposes In still other cases, you might simply lack the personnel or time to manage any more services Whatever the case, you must be able and willing to say no to such requests, if only to preserve your sanity Configuring a Time Server For this chapter’s purposes, a time server is a daemon that runs on one machine and to which other systems... clocks that use, say, Sprint, MCI, or AT&T As a practical matter, you can use the traceroute command to examine the network paths packets follow to reach a given time server and then compare those paths, confirming that there are as few routing points in common between each time server as possible It is a tedious undertaking, but if your network and the services it provides rely on accurate, consistent... proxy server, set httpd_accel_uses_ host_header to on The default value, off, means that clients have to configure their Web clients to use a proxy server, which can be quite inconvenient for users and a pain for administrators to manage, especially across a LAN that is geographically dispersed or if some users are, shall we say, technically challenged The final value to configure is httpd_access, which . (ntpq, ntpdc, ntpdate, ntptrace, tickadj, ntptime, ntiptime, ntp-kegen, and ntpdsim ), and the all-important configuration file, /etc/ntp.conf. The NTP daemon is dual-purpose. It acts as a server, listening. that a startup script, /home/bubba/.vnc /xstartup, has been created and that the script has been executed, that is, the applications it specifies are running on the Xvnc display. This means that when. The option flags, nomodify, notrap, and noquery, prevent the listed IP address from modifying, logging, or querying the NTP service on the server. The second rule, restrict 127.0.0. 1, permits all