Foreword: Today, with the rapid development of handheld, wireless and embedded devices, the corresponding hardware and software design has undergone great changes.
Many devices use 32-bit microprocessors from Intel, MIPS or Motorola together with large LCD graphics displays. Because the desktop model of operation has been so successful over the past ten years, many embedded developers have started to use desktop-like operating systems, and one of the better solutions is Linux. Linux on an embedded system offers all the functions and features of Linux on a desktop computer, and because the source code is open it can be modified extensively to meet a user's specific requirements.

Microwindows overview

Microwindows is a well-known open-source embedded GUI package whose aim is to bring a modern graphical windowing environment to Linux running on small devices and platforms. As an alternative to X Window, Microwindows provides similar functionality while using far less RAM and file storage (100K-600K). Its architecture lets designers easily add a variety of display devices, mice, touch screens and keyboards. Linux kernels from 2.2 onwards allow user programs to access graphics-card memory as a frame buffer, so a program can draw by writing to the memory-mapped display area without device-specific control operations, and a developer can write graphics programs without understanding the underlying graphics hardware or having used X Window. This is why Microwindows is now widely used in embedded systems. Microwindows is very portable: it is written almost entirely in C, with only some critical code in assembly for speed. It supports 16- and 32-bit Intel CPUs as well as ARM and MIPS R4000 chips, and has been ported to a number of handhelds. Its graphics engine is designed to run on any system that provides readpixel, writepixel, drawhorzline, drawvertline and setpalette; on top of these low-level functions the upper layers implement bitmap, cursor, font and color support.
Microwindows supports the new Linux kernel frame buffer architecture, providing 1, 2, 4, 8, 16, 24 and 32 bits per pixel, with support for both color and grayscale displays. Color displays can run in two modes: true color (15, 16 or 32 bits per pixel) and palette (1, 2, 4 or 8 bits per pixel). In color mode all colors are given in RGB format and the system converts them to the closest displayable color; in monochrome mode they are converted to different gray levels. Microwindows supports overlapping windows and child windows, full clipping of a window's client area, proportional and fixed-width fonts, and tools for processing font and bitmap files. Its drawing functions are optimized so that moving a window responds well; drawing into memory and then moving the result to the screen makes drawing very smooth, which is especially useful for animation, polygon rendering, arbitrary-region filling and clipping. Although Microwindows fully supports Linux, its portable internal structure is based on a relatively simple screen device interface and is available on many different RTOSes and on bare metal. The prominent advantage is that graphics programs a user designs need not be rewritten to be shared by different projects, and can even run on different targets under different RTOSes. Microwindows can simulate the target platform's graphics on the host platform, so a Linux application for Microwindows can be written, tested and run on the desktop without cross-compiling, and then run directly on the target. When the target application runs on the host desktop, what appears in X Window is provided by the Microwindows X Window screen driver rather than by the frame buffer driver.
This driver accurately simulates the pixel depth and colors of the target platform's display, so even if the desktop is 24-bit color it can preview how a target application will look on a 2bpp grayscale display. Microwindows uses a layered design. At the bottom are the screen, mouse/touch-screen and keyboard drivers that provide access to the physical devices. In the middle is a portable graphics engine supporting line drawing, area filling, clipping and color models. At the top are the APIs that accommodate different application environments.

Two APIs: Win32 and Nano-X

Microwindows offers two popular graphics programming interfaces: the Microsoft Windows Win32/WinCE graphics display interface (GDI) and an Xlib-like interface. The former suits Windows CE and Win32 applications; the latter, called Nano-X, suits Linux X toolkits built on top of it. This lets the large number of Windows programmers develop graphics applications, and likewise lets Linux graphics programmers develop with an X-style interface.

Nano-X programming

This article uses the Nano-X API to design an application and discusses the underlying issues of Nano-X program design. Nano-X allows applications to use a client/server network protocol or a local UNIX domain socket. Several applications on the embedded device, or running on a remote host, can therefore connect to the Microwindows display server, which makes Nano-X operate much like the X Window system. At the lowest level, and for most window creation, deletion and basic drawing functions, the Nano-X API is very similar to X's Xlib library. In addition, because Microwindows is designed to be very small, the package has many options that can be configured in its resource configuration file. The following procedure builds a Nano-X server.

(1) Initialize Microwindows. The resource package can be downloaded from http://microwindows.org.
It is first compiled for the host and then for the embedded target platform to build a Nano-X server. Most settings are options in the configuration file: extract the resource package, go into the microwin/src directory and edit the configuration file. Some of the most important ARCH options are:

ARCH = LINUX-NATIVE
ARCH = LINUX-arm
ARCH = LINUX-MIPS
ARCH = LINUX-POWERPC

Setting ARCH to LINUX-NATIVE tells the build to generate programs for the host Linux system it is currently running on; the other ARCH options cross-compile for a RISC target platform. Microwindows uses the Arch.rules file to determine the specific settings for each option. The following settings provide image support in the Nano-X server:

HAVE_BMP_SUPPORT = Y
HAVE_GIF_SUPPORT = Y
HAVE_JPEG_SUPPORT = Y

When the JPEG option is set, the location of the external jpeg decompression library must be given, for example LIBJPEG = /usr/lib/libjpeg.a. Most systems provide this library; it can also be downloaded from the Microwindows web site. Another important item is whether to provide support for variable-size fonts; by default drivers/genfont.c provides fixed-size bitmap fonts. If you want to display larger fonts, for example when running an embedded browser, you can add TrueType or Adobe Type 1 fonts. Once the option is set, you specify the font file and pixel size to display, and Microwindows generates the appropriate font size from the external font file. The latest version also supports external Chinese fonts; all fonts are available in 8-bit ASCII, Unicode-16 or UTF-8, where UTF-8 is a byte-stream encoding of Unicode. The font support options are:

HAVE_FREETYPE_SUPPORT = Y
HAVE_T1LIB_SUPPORT = Y
HAVE_HZK_SUPPORT = Y

FreeType and T1lib are the external libraries for TrueType and Adobe Type 1 font support. They must be compiled in advance and their location specified in the configuration file.
All the library functions are available for download from the Microwindows web site.

(2) Configure the output display device. Because Microwindows can run on a frame buffer system and under X Window, each display driver needs different settings. If you are already running a Linux desktop, it is best to start by building the system with the X screen driver, and then generate a frame buffer build for the embedded device. The following options configure the X screen driver:

X11 = Y
SCREEN_WIDTH = 640
SCREEN_HEIGHT = 480
SCREEN_PIXTYPE = MWPF_TRUECOLOR0888

With these options Microwindows builds a 640 x 480 virtual window on the X desktop, using 8 bits per channel (red, green and blue each represented by 8 bits). By changing the settings you can simulate the target embedded device on your own desktop; for example, to simulate a 16-bit-per-pixel display, set SCREEN_PIXTYPE = MWPF_TRUECOLOR565. The MWPF constants are explained in detail in the src/include/mwtypes.h header file. Setting up the frame buffer display is more complex because you must make sure the Linux kernel supports the frame buffer. The settings are:

X11 = N
FRAMEBUFFER = Y
FBVGA = Y
VTSWITCH = Y
PORTRAIT_MODE = N

The FBVGA option brings in screen driver support for the 16-color VGA graphics mode, but this option is not useful for embedded systems. The VTSWITCH option allows Microwindows, while running on the frame buffer console, to switch to another virtual console when the ALT key is held down; some embedded systems require this option to be turned off. The PORTRAIT_MODE option uses the L/R keys to rotate the display to the left or right, much like Compaq's iPAQ PDA.

(3) Linux kernel frame buffer support. If you see "Nano-X server: Can't open /dev/fb0" when running, the frame buffer could not be opened, or the system kernel does not include the frame buffer driver.
The simplest check is whether you saw the penguin icon when the system started; if you did not, confirm that the following options are in the /usr/src/linux/.config file:

CONFIG_FB = y
CONFIG_FB_VGA16 = y
CONFIG_FBCON_VGA = y
CONFIG_FBCON_CFB4 = y
CONFIG_FBCON_CFB8 = y

If the system supports a graphics card other than standard old VGA, the CONFIG_FB_VGA16 option can be replaced with that card's option. Before rebuilding the kernel, back up the old kernel and add the backup's location to the lilo.conf file. Enabling the frame buffer is a standard step on most embedded systems. The last important configuration item for Microwindows is specifying the mouse or touch screen input driver. Currently Microwindows receives mouse input through the GPM tool or directly from the serial port. The directive GPMMOUSE = Y selects GPM support; the gpm tool must then be running, for example 'gpm -R -t ps2' (for a PS/2 mouse). The directive SERMOUSE = Y selects the serial port; the MOUSE_PORT and MOUSE_TYPE environment variables are also set in src/drivers/mou_ser.c.

(4) Build a complete demo system. Once the options in the configuration file are set, they stay unchanged unless the user changes parameters. The src directory also contains sample configuration files for many different platforms. To build the Nano-X server and run the demo, first enter the microwin/src directory, then type "make". All programs are generated in the microwin/src/bin directory, and the client link libraries are placed in the microwin/src/lib directory. To run the demo, first run the Nano-X server (bin/nano-X), and then run the application:

bin/nano-X & sleep 1; bin/world

The world program is a demo that plots a map of the world.
Friday, May 20, 2011
Tip: Setting up a local update source for Fedora 8
After installing Fedora Core 8, the first thing to do is update with yum.
Adding a yum update source: the update sources the system comes with are so slow that an update never finishes. Here is the method. First install the httpd package:

# yum install httpd
# chkconfig httpd on
# service httpd start   (or: # /etc/init.d/httpd start)

Then install the createrepo kit:

# yum install createrepo

Then create the Fedora 8 base package directory and the updates package directory:

# mkdir -p /var/www/html/yum/base/8/i386
# mkdir -p /var/www/html/yum/updates/8/i386

If you have the CD, copy all the RPM packages to the /var/www/html/yum/base/8/i386 directory:

# cd /misc/cd/Packages; cp -v * /var/www/html/yum/base/8/i386
# cd

Or find a mirror at http://mirrors.fedoraproject.org/mirrorlists/publiclist/fedora/8 and download with rsync, for example:

rsync -avrt rsync://ftp-stud.hs-esslingen.de/fedora/linux/releases/8/everything/i386/os/packages/ /var/www/html/yum/base/8/i386

Note that the source path must end with a '/' character. Next run the createrepo command:

# createrepo /var/www/html/yum/base/8/i386

This command creates a repodata folder under /var/www/html/yum/base/8/i386 containing the following files:

# ls -l /var/www/html/yum/base/8/i386/repodata/
total 9268
-rw-r--r-- 1 root root 2227275 2008-01-12 21:11 filelists.xml.gz
-rw-r--r-- 1 root root 6487453 2008-01-12 21:11 other.xml.gz
-rw-r--r-- 1 root root  747714 2008-01-12 21:11 primary.xml.gz
-rw-r--r-- 1 root root     951 2008-01-12 21:11 repomd.xml

Then enter the /var/www/html/yum/updates/8/i386 directory and use rsync there to download the latest rpm packages:

rsync -avrt rsync://ftp-stud.hs-esslingen.de/fedora/linux/updates/8/i386/ --exclude=debug/ /var/www/html/yum/updates/8/i386

Then set up a crontab entry to download the latest packages automatically:

23 4 */2 * * /usr/bin/rsync -avrt rsync://ftp-stud.hs-esslingen.de/fedora/linux/updates/8/i386/ --exclude=debug/ /var/www/html/yum/updates/8/i386

Finally, go to the /etc/yum.repos.d/ directory and create a repo file with the following contents (gpgcheck=0 turns off GPG signature verification for packages from these local repositories):

[base-local]
name=Fedora $releasever - $basearch
failovermethod=priority
baseurl=http://192.168.0.100/yum/base/$releasever/$basearch/
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=0

[updates-local]
name=Fedora $releasever - $basearch - Updates
failovermethod=priority
baseurl=http://192.168.0.100/yum/updates/$releasever/$basearch/
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f$releasever&arch=$basearch
enabled=1
gpgcheck=0
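The repo file above disables signature checking and serves packages over plain http from the mirror host. As an added example (not part of the original post), the following script parses .repo files with Python's configparser and reports, for every enabled repository, whether gpgcheck is off, whether a gpgkey is missing, and whether the baseurl or mirrorlist is plain http; the sample .repo content embedded below is constructed to mirror the post's configuration plus one signed, disabled stock entry.

```python
"""Audit yum .repo definitions for weak settings (added example)."""
import configparser

# Constructed sample: the two local repos from the post plus a stock
# Fedora entry that is signed but disabled.
SAMPLE_REPO = """
[base-local]
name=Fedora $releasever - $basearch
failovermethod=priority
baseurl=http://192.168.0.100/yum/base/$releasever/$basearch/
enabled=1
gpgcheck=0

[updates-local]
name=Fedora $releasever - $basearch - Updates
failovermethod=priority
baseurl=http://192.168.0.100/yum/updates/$releasever/$basearch/
enabled=1
gpgcheck=0

[fedora]
name=Fedora $releasever - $basearch
mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
"""


def parse_repo_file(text):
    """Parse .repo (INI) content into {section: {key: value}}.

    interpolation=None keeps yum's $releasever / $basearch literals intact.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def audit_repos(text):
    """Return (section, finding) tuples for every enabled repository."""
    findings = []
    for section, opts in parse_repo_file(text).items():
        if opts.get("enabled", "1").strip() != "1":
            continue  # disabled repositories are never consulted by yum
        # yum's own default for a missing gpgcheck is 0, so treat absence as off
        if opts.get("gpgcheck", "0").strip() != "1":
            findings.append((section, "gpgcheck disabled: package signatures are not verified"))
        elif "gpgkey" not in opts:
            findings.append((section, "gpgcheck enabled but no gpgkey configured"))
        for key in ("baseurl", "mirrorlist"):
            if opts.get(key, "").strip().startswith("http://"):
                findings.append((section, f"{key} uses plain http (no transport integrity)"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_repos(SAMPLE_REPO):
        print(f"[{section}] {finding}")
```

Run it against the real directory by reading each file in /etc/yum.repos.d/ and passing its text to audit_repos(); a local mirror that is only reachable on a trusted LAN still benefits from keeping gpgcheck=1 with the distribution's key, since the signature covers the package content regardless of where it was downloaded from.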
Debian Linux ADSL dial-up and the use of dynamic domain names

I. ADSL dial-up. ADSL generally uses the PPPoE protocol, and the Debian software for it is rp-pppoe:

apt-get install pppoe pppoeconf

Just install the software, then run pppoeconf. It automatically detects the network adapter connected to the ADSL line; enter the corresponding parameters, such as user name and password, and you can then use pon to connect to the Internet. The generated profile is /etc/ppp/peers/dsl-provider.

II. Dynamic domain name. First apply for a dynamic domain name at http://www.3322.org/, then get their client from http://www.3322.org/dyndnspage/client.html. Unzip it; I extracted it to /usr/local/bin/ez-ipupdate. Shell scripts in the /etc/ppp/ip-up.d directory are executed automatically by ppp when the link comes up, so putting the dynamic domain name update there makes it update automatically. You can also place firewall rules and NAT rules in the same file. I created a file named 02nat in that directory (note that you must make it executable: chmod 755 02nat):

#!/bin/bash
IPTABLES="/sbin/iptables"
# load the appropriate module
modprobe iptable_nat
# clear all rules
${IPTABLES} -t filter -F INPUT
${IPTABLES} -t filter -F OUTPUT
${IPTABLES} -t filter -F FORWARD
${IPTABLES} -t filter -X
${IPTABLES} -t nat -F PREROUTING
${IPTABLES} -t nat -F OUTPUT
${IPTABLES} -t nat -F POSTROUTING
${IPTABLES} -t nat -X
${IPTABLES} -t mangle -F PREROUTING
${IPTABLES} -t mangle -F OUTPUT
${IPTABLES} -t mangle -X
# NAT rule
${IPTABLES} -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# enable packet forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# dynamic domain name update
/usr/local/bin/ez-ipupdate -h xxx.3322.org -i ppp0 -S qdns -u username:password

Here xxx.3322.org is the domain name you applied for, username is your user name and password is your password.

Tips for hardening a Linux server
We all know that network security is a very important issue, and the server is the key to network security.
Linux is considered a safer Internet server: as an open-source operating system, whenever a security vulnerability is found in Linux, volunteers from all over the Internet are eager to fix it. However, administrators often fail to get timely and correct information, which gives hackers an opportunity to exploit. Still, relative to vulnerabilities in the system itself, more security problems are caused by incorrect configuration, and these can be prevented with appropriate configuration. The more services run on a server, the more opportunities for inappropriate configuration, and the greater the possibility of a security problem. This article therefore explains some knowledge for enhancing the security of Linux/Unix server systems.

System security log files

The operating system's internal log files are important clues for detecting whether there has been a network intrusion. If your system is directly connected to the Internet and you find that many people are making Telnet/FTP login attempts on it, you can run

# more /var/log/secure | grep refused

to check the attacks on the system and take appropriate measures, such as replacing Telnet/rlogin with SSH.

Startup and login security

1. BIOS security. Set a BIOS password and change the boot order so the system does not boot from the floppy disk.

2. User passwords. The user password is the starting point of basic Linux security. Many people use passwords that are too simple, which is equivalent to opening the door to an intruder. In theory, given enough time and resources, there is no password that cannot be cracked; but a properly chosen password is hard to break. Good user passwords are strings that only the user can easily remember and understand, and they are never written down anywhere.

3. Default accounts. Disable all default accounts created by the operating system itself that are not needed; this should be done when the system is first installed. Linux provides many default accounts, and the more accounts there are, the more vulnerable the system is to attack. Use the following command to delete an account:

# userdel username

or use the following command to delete a group:

# groupdel username

4. Password files. Use the chattr command to add the immutable attribute to the following files, which prevents unauthorized users from gaining access permissions:

# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow

5. Prohibit Ctrl+Alt+Delete from rebooting the machine. Edit the /etc/inittab file and comment out the line

ca::ctrlaltdel:/sbin/shutdown -t3 -r now

Then reset the permissions of all files in the /etc/rc.d/init.d/ directory by running:

# chmod -R 700 /etc/rc.d/init.d/*

so that only root can read, write or execute all the script files.

6. Restrict the su command. If you do not want anybody to be able to su to root, edit the /etc/pam.d/su file and add the following two lines:

auth sufficient /lib/security/pam_rootok.so debug
auth required /lib/security/pam_wheel.so group=isd

Now only members of the isd group can use su to become root. Afterwards, if you want the user admin to be able to su to root, you can run the following command:

# usermod -G10 admin

7. Delete login information. By default, the login prompt includes the name and version of the Linux distribution, the kernel version and the server host name. For a machine with higher security requirements this reveals too much information. Edit /etc/rc.d/rc.local and comment out the following lines that output system information:

# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot
# echo "" > /etc/issue
# echo "" >> /etc/issue
# echo "Kernel $(uname -r) on $(uname -m)" >> /etc/issue
# cp -f /etc/issue /etc/issue.net
# echo >> /etc/issue

Then do the following:

# rm -f /etc/issue
# rm -f /etc/issue.net
# touch /etc/issue
# touch /etc/issue.net

Using Linux firewall masquerading against hacker attacks
Firewalls can be divided into several different security levels.
On Linux there are many different firewall packages to choose from, ranging from low to high security; the most complex can provide almost impenetrable protection. But the Linux kernel itself has a simple built-in mechanism called "masquerading" which, apart from the most dedicated hacker attacks, can withstand most attacks. When we dial up to the Internet, our computer is assigned an IP address that lets information from others return to our computer. A hacker uses your IP address to access the information on your computer. Linux's "IP masquerading" method hides your IP so that others on the network cannot see it. Several groups of IP addresses are reserved specifically for local networks, and the Internet backbone routers do not recognize them. For example, the author's computer's IP is 192.168.1.127, but if you enter this address into your browser you will, believe it or not, receive nothing, because the Internet backbone does not know the 192.168.X.X address group. Countless computers on other intranets use the same IP, and because you cannot reach them, of course they cannot be penetrated or cracked. So solving security on the Internet seems to be a simple matter: as long as your computer uses an IP address that no one else can reach, nothing can happen. Wrong! When you browse the Internet, a server also has to send data to you, otherwise you would see nothing on your screen, but the server can only send information to legitimate IP addresses on the Internet backbone. "IP masquerading" is used to resolve this dilemma. When a Linux computer is set up to use "IP masquerading", it acts as a bridge between the internal and external networks and automatically translates IP addresses from inside to outside and from outside to inside; this operation is usually called network address translation. In fact, "IP masquerading" is more complicated than that.
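To make the translation concrete, here is an added example (not part of the original article) that simulates the masquerading table: outbound packets from an internal host are rewritten to the masquerading host's external address with a freshly allocated source port, the reply is matched on that port and rewritten back, and a packet from outside that matches no table entry is dropped, which is why the internal addresses are unreachable from the Internet. The addresses 192.168.1.25 and 207.176.253.15 are the ones the article uses for its cable-modem setup; the remote addresses (taken from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges) and all port numbers are constructed.

```python
"""Simulate the IP masquerading (source NAT) table (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class Masquerader:
    """Minimal source-NAT table keyed by the external port handed out per flow."""

    def __init__(self, external_ip, first_port=61000):
        self.external_ip = external_ip
        self.next_port = first_port   # constructed starting port for allocated flows
        self.by_ext_port = {}         # ext_port -> (int_ip, int_port, remote_ip, remote_port)
        self.by_flow = {}             # (int_ip, int_port, remote_ip, remote_port) -> ext_port

    def outbound(self, pkt):
        """Rewrite an internal-to-Internet packet; returns what the Internet sees."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.by_flow.get(flow)
        if ext_port is None:                       # new flow: allocate an external port
            ext_port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = ext_port
            self.by_ext_port[ext_port] = flow
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Rewrite a reply back to the internal host, or return None (drop)
        when no internal host opened a flow that this packet answers."""
        if pkt.dst_ip != self.external_ip:
            return None
        flow = self.by_ext_port.get(pkt.dst_port)
        if flow is None or flow[2:] != (pkt.src_ip, pkt.src_port):
            return None                            # unsolicited or spoofed: dropped
        int_ip, int_port = flow[:2]
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.payload)


def demo():
    """Walk the article's scenario; returns (packet on the wire, delivered reply, probe result)."""
    nat = Masquerader("207.176.253.15")
    request = Packet("192.168.1.25", 1025, "198.51.100.7", 80, "GET / HTTP/1.0")
    on_wire = nat.outbound(request)            # source becomes 207.176.253.15:61000
    reply = Packet("198.51.100.7", 80, on_wire.src_ip, on_wire.src_port, "HTTP/1.0 200 OK")
    delivered = nat.inbound(reply)             # destination restored to 192.168.1.25:1025
    probe = Packet("203.0.113.9", 4444, "207.176.253.15", 1025, "unsolicited")
    dropped = nat.inbound(probe)               # no table entry for this port: None
    return on_wire, delivered, dropped


if __name__ == "__main__":
    for packet in demo():
        print(packet)
```

The same flow key is reused for repeated packets of one connection, and a second internal host opening the same remote service gets a different external port, which is how several local computers share one address without their replies being confused.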
Basically, the "IP masquerading" server sits between two networks. If you use an analog dial-up modem to access data on the Internet, that is one network; your internal network usually corresponds to an Ethernet card, and that is the second network. If you use a DSL modem or cable modem, the system has a second Ethernet card instead of an analog modem. Linux manages the IP addresses of each of these networks, so if you have a Windows computer (IP 192.168.1.25) on the second network (Ethernet eth1) accessing the Internet through the cable modem (Ethernet eth0, 207.176.253.15), Linux "IP masquerading" intercepts all the TCP/IP packets from your browser, takes out the original local address (192.168.1.25) and replaces it with the real address (207.176.253.15). Then, when the server returns information to 207.176.253.15, Linux automatically intercepts the returned packets and sends them back to the correct local address (192.168.1.25). Linux can manage several local computers and handle every packet without confusion. The author has an old 486 computer running Slackware Linux that handles the packets of four computers sent to the cable modem at the same time without reducing speed. In the version 2 kernels, "IP masquerading" is managed by the IP firewall administration module (IPFWADM, ipfwadm). Later version 2 kernels provide the faster and more complex IPCHAINS, while continuing to provide an ipfwadm wrapper to maintain backward compatibility.

Saturday, May 7, 2011
Embedded systems and system-level programmable chips
6. Programmable chips for embedded systems. Embedded system hardware has requirements of varying degrees on size, weight, power consumption, cost and reliability, and some indicators have special requirements.
For example, mobile devices such as mobile phones are particularly sensitive to power consumption, information appliances are sensitive to cost, and military equipment has extremely high reliability requirements. Different application areas therefore have different focuses, and the right hardware platform must be chosen with serious consideration. ICs have entered the sub-micron and even nanometer era of very large scale integration; building embedded system hardware on system-level programmable chips can achieve the desired result in size, weight, power consumption, cost and reliability, and will be the best option. Designing a specific chip is therefore one of the core technologies of embedded system design. Chips for embedded systems can be divided into general-purpose and application-specific chips, discussed as follows.

6.1 General-purpose chips

General-purpose chips are mainly standard cell ICs, FPGAs and gate arrays. A comparison:

6.1.1 Standard cell IC (i.e. semi-custom ASIC)

· Advantages: optimal area utilization; the best performance.
· Disadvantages: requires establishing a solid design foundation and investing development resources. Design is difficult and requires powerful design tools, which must be continuously upgraded with the technology. In deep sub-micron (DSM) designs with rule lengths below 0.25 μm, designers typically spend a lot of effort resolving DSM effects such as electromigration and the antenna effect; these problems arise mainly from the very small physical structures, and tools used in the back-end design process have been developed to address them. The designers' professional knowledge is subject to higher requirements, and tools provided by specialized design companies are needed. The more expertise the developers have with the tools, the more likely they are to obtain an optimal design (smallest area at best performance).
· Two challenges, applying the design to existing tools and the tools themselves, naturally make shortening design time a determining factor in project scheduling.
· Standard cell ICs carry non-recurring engineering (NRE) costs, mainly for mask etching; for sub-micron mask design rule lengths the NRE cost is typically up to thousands of dollars, so breaking even requires enough chip sales.

6.1.2 FPGA (field-programmable gate array)

· Advantages: compared with standard cell ICs and gate arrays, the FPGA has the advantage of programmability and no mask cost; a finished chip can be modified through programming, reducing hardware risk.
· Disadvantages (as technology advances, some of these are gradually being overcome): in mass production the FPGA's cost advantage weakens. FPGA programmability requires a larger silicon area and therefore higher power consumption. To accommodate the increased number of external pins, packages are more expensive. Even in small-batch production, a mask-programmable ASIC can sometimes be cheaper.

6.1.3 Gate array

· Advantages: for a complete chip of gate structures, such as a "sea of gates" structure, the design engineer only needs to implement the ASIC gate-level routing through the metal layers. Gate array technology can achieve system frequencies exceeding what current FPGA technology provides. Gate array development is relatively easy, since most of it can be completed automatically, and it costs much less than a standard cell IC because only the metal layers need to be added, greatly reducing the design steps.
· Disadvantages: compared with a standard cell IC, the gate array's main drawback is that area utilization and performance are relatively low.

In summary, the standard cell IC (semi-custom ASIC) offers optimal area utilization and the best performance, at the cost of establishing a solid design foundation and investing development resources.

Anatomy of Linux flash file systems
Flash memory challenges. In addition to the restrictions mentioned previously, managing flash devices faces many other challenges.
The three most important are garbage collection, bad block management and wear leveling.

Garbage collection. Garbage collection is the process of reclaiming invalid blocks (blocks containing invalid data). Reclamation consists of moving any valid data to a new block, then erasing the invalid block so that it becomes available again. If the file system is low on available space, this process often runs in the background (or as needed).

Bad block management. Flash devices develop bad blocks after long use, and some blocks are unusable even from the factory. A bad block is indicated when a flash operation (such as an erase) fails or a write is found to be invalid (detected through an invalid error correction code, ECC). Once identified, bad blocks are marked in a bad block table inside the flash. The specific action depends on the device, but it can be done with a group of independently reserved blocks (managed separately from ordinary blocks). Handling bad blocks, whether at the factory or during use, is called bad block management. In some cases it is implemented in hardware by an internal microcontroller and is transparent to the file system above.

Wear leveling. As mentioned previously, flash devices wear out: a block can sustain only a limited number of erase operations before it becomes a bad block (and must therefore be marked by bad block management). Wear leveling algorithms maximize the life of the flash. There are two forms: dynamic wear leveling and static wear leveling. Dynamic wear leveling addresses the limit on the number of erase cycles per block: instead of using available blocks at random, the algorithm uses them evenly so that each block receives the same amount of use. Static wear leveling addresses a more interesting problem.
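As an added example (not from the original article), the following simulation shows what dynamic and static wear leveling each buy. A tiny flash device is modelled as 16 erase blocks that each survive a fixed number of erases; a logical page lives in one block, and rewriting it means erasing the old copy and placing the page in a free block. The same random workload (a few "cold" pages written once, then a stream of writes to a few "hot" pages) runs under three allocation policies: no leveling, dynamic leveling (pick the least-erased free block), and static leveling (dynamic leveling plus periodic relocation of the data sitting in the least-erased occupied block, so blocks holding cold data rejoin the rotation). Device size, endurance, workload and relocation interval are constructed values.

```python
"""Simulate block erase counts under three flash allocation policies (added example)."""
import random

BLOCKS = 16
ERASE_LIMIT = 100          # constructed endurance: erases a block survives
RELOCATE_EVERY = 50        # constructed interval between static-leveling moves


class WornOut(Exception):
    """Raised when a block is erased beyond ERASE_LIMIT."""


class Flash:
    def __init__(self, policy):
        self.policy = policy            # "none", "dynamic" or "static"
        self.erases = [0] * BLOCKS
        self.owner = [None] * BLOCKS    # block -> logical page held, or None if free
        self.where = {}                 # logical page -> block
        self.writes = 0

    def _erase(self, block):
        self.erases[block] += 1
        self.owner[block] = None
        if self.erases[block] > ERASE_LIMIT:
            raise WornOut(block)

    def _free_block(self):
        free = [b for b in range(BLOCKS) if self.owner[b] is None]
        if self.policy == "none":
            return free[0]                                   # always the lowest free block
        return min(free, key=lambda b: self.erases[b])       # dynamic wear leveling

    def _relocate_coldest(self):
        """Static wear leveling step: move the page in the least-erased occupied
        block into the most-erased free block, then erase the cold block so the
        dynamic policy can start using it."""
        occupied = [b for b in range(BLOCKS) if self.owner[b] is not None]
        free = [b for b in range(BLOCKS) if self.owner[b] is None]
        cold = min(occupied, key=lambda b: self.erases[b])
        dest = max(free, key=lambda b: self.erases[b])
        if self.erases[dest] <= self.erases[cold]:
            return                                           # nothing to gain from moving
        page = self.owner[cold]
        self.owner[dest] = page
        self.where[page] = dest
        self._erase(cold)

    def write(self, page):
        self.writes += 1
        if page in self.where:
            self._erase(self.where[page])    # old copy is now invalid: reclaim its block
        block = self._free_block()
        self.owner[block] = page
        self.where[page] = block
        if self.policy == "static" and self.writes % RELOCATE_EVERY == 0:
            self._relocate_coldest()


def writes_until_worn(policy, cold_pages=8, hot_pages=4, seed=1):
    """Run the constructed workload until the first block wears out; return the write count."""
    rng = random.Random(seed)            # identical hot-page sequence for every policy
    dev = Flash(policy)
    for page in range(cold_pages):
        dev.write(page)                  # written once and never rewritten
    try:
        while True:
            dev.write(cold_pages + rng.randrange(hot_pages))
    except WornOut:
        return dev.writes


if __name__ == "__main__":
    for policy in ("none", "dynamic", "static"):
        print(f"{policy:8s} writes before the first block wears out: {writes_until_worn(policy)}")
```

Without leveling each hot page keeps rewriting its own block, so the device dies after roughly ERASE_LIMIT writes per hot page; dynamic leveling spreads the erases over every block that is ever free, but the eight blocks holding cold data never take part; static leveling periodically evicts that cold data, so all sixteen blocks share the wear and the device lasts roughly twice as long again.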
Besides the maximum number of erase cycles, some flash devices also have a maximum number of read cycles between two erase cycles. This means that if data stays in a block for too long and is read many times, the data gradually degrades until it is lost. Static wear leveling solves this problem by periodically moving data to a new block.

The new deb source package formats
This article is tumashu's reading notes on man dpkg-source, covering some of the new deb source package formats; maybe someone is interested.
I. Benefits of the new format

· Supports the bzip2, lzma (estimated to be the 7z format) and gzip compression formats.
· Supports multiple upstream tarballs.
· Supports including binary files. The old format stores the changes to the package source in a diff file (diff.gz), but a diff file is a text file, so to add a binary file (for example a png icon) you had to uuencode it into a text file, which was troublesome. This is no longer needed because the debian directory is stripped and the upstream tarball is repackaged (when the deb source package is unpacked, the debian directory is automatically replaced by the contents of .debian.tar.{gz,bz2,lzma}).
· Changes that are not Debian-specific are no longer saved in a single .diff.gz file but in multiple patch files under debian/patches/. This approach is compatible with quilt but does not require quilt, because dpkg-source handles everything: it extracts the patch files while unpacking and updates the patch series while building binary packages. The NMU workflow is now really: unpack, hack, rebuild (for all 3.0 (quilt) packages).

II. New format types

Format: 1.0
Format: 2.0
Format: 3.0 (native)
Format: 3.0 (quilt)
Format: 3.0 (git)
Format: 3.0 (bzr)

III. Format: 1.0. This is the original format: a .dsc file, a .orig.tar.gz file and a .diff.gz file.

IV. Format: 2.0. This format is not recommended for wide use; it is a transitional form.

V. Format: 3.0 (native). This format is an extension of Format: 1.0 that supports a variety of compression methods {gz, bz2, lzma}.

VI. Format: 3.0 (quilt). This format may be used in the next version of Debian. It is an extension of Format: 2.0, and because its patches are handled in a quilt-compatible way it is named accordingly. The source package consists of: a .orig.tar.{gz,bz2,lzma} compressed package containing the upstream source code; a .debian.tar.{gz,bz2,lzma} compressed package containing all the Debian-based changes; and zero or more .orig-

FreeBSD 5.4 + pf + squid reverse proxy battle notes
(The last two rules are unreliable in real use; we should first block everything and then gradually open our own services.) With that, the pf settings are basically complete. Now for the squid part.

1. Install squid:
  ./configure --enable-useragent-log --enable-referer-log \
    --enable-default-err-language=Simplify_Chinese \
    --enable-err-languages="Simplify_Chinese English" \
    --disable-internal-dns --enable-pf-transparent
  # make
  # make install
  # mkdir /home/cache        (create the cache directory)

2. Add the user and group squid runs as (mine are both called squid) and give them the cache directory and the configuration file:
  # chown squid:squid /home/cache /usr/local/squid/etc/squid.conf
Squid was built with --disable-internal-dns, so it uses the system resolver; add the internal name resolution to /etc/hosts, for example:
  192.168.2.2 www.aaa.com
  192.168.2.3 mail.aaa.com

3. Configure squid.conf (this is my file):
  visible_hostname cache.example.com
  cache_dir ufs /home/cache 1024 16 256
  cache_mem 100 MB
  cache_effective_user squid
  cache_effective_group squid
  http_port 80
  httpd_accel_host virtual
  httpd_accel_single_host off
  httpd_accel_port 80
  httpd_accel_uses_host_header on
  httpd_accel_with_proxy on
  # accelerate my domain only
  acl acceleratedHostA dstdomain .example1.com
  # acl acceleratedHostB dstdomain .example2.com
  # acl acceleratedHostC dstdomain .example3.com
  # accelerate http protocol on port 80
  acl acceleratedProtocol protocol HTTP
  acl acceleratedPort port 80
  # access arc
  acl all src 0.0.0.0/0.0.0.0
  # Allow requests when they are to the accelerated machine AND to the
  # right port with right protocol
  http_access allow acceleratedProtocol acceleratedPort acceleratedHostA
  # http_access allow acceleratedProtocol acceleratedPort acceleratedHostB
  # http_access allow acceleratedProtocol acceleratedPort acceleratedHostC
  # logging
  emulate_httpd_log on
  cache_store_log none
  # manager
  acl manager proto cache_object
  http_access allow manager all
  cachemgr_passwd pass all
That completes the squid.conf file. (Note that "http_access allow manager all" lets every client reach the cache manager interface, and "cachemgr_passwd pass all" guards it with nothing but a shared password; on a proxy listening on port 80 for the whole Internet, the manager should be limited to localhost, for example with an acl localhost src 127.0.0.1 and a deny rule for everyone else.)

4. Directory permissions: chown -R squid:squid /home/cache. The log file is created by default at /usr/local/squid/var/access.log.

5. Create the cache directories, then start squid:
  /usr/local/squid/sbin/squid -z
  /usr/local/squid/sbin/squid

The intention of this setup is to serve Web through the squid reverse proxy and the other services (currently only ftp) through pf. For that we need to add the following pf rule:
  rdr on $lan_if proto tcp from $lan_if to any port 80 -> $lan_if port 80
($lan_if is my gateway's network interface.) Access to port 80 is forwarded to the gateway listening on port 80, i.e. squid, while the pf rules themselves only allow the ftp service. (A question about access from the outside: does a similar rule need to be added?) So far, the FreeBSD 5.4 + pf + squid reverse proxy is basically complete.
Linux system in-depth security hardening (1)
Linux, thanks to its stability and publicly available source code, is used more and more on the Internet as a Web server and database server; along with that, Linux system security has received increasing attention, and for many people hardening Linux systems has become urgent.
So, where should we start in order to harden a Linux system against all kinds of emergencies and hacker attacks?

1. Installation and upgrades. Use the latest Linux distribution. Unplug the network cable before installing and stay disconnected during the installation; use a custom installation with a minimal set of packages. Generally a server has no need for X Window. Set a password on the lilo or grub boot loader to stop malicious users who have physical access. Because the rescue mode of the Linux install CD can bypass that restriction, also set a BIOS password or lock the server chassis. Put /var, /home, /usr, /root and so on on separate physical partitions, so that junk data and logs cannot fill up the disk and cause a denial of service. Give the root account a strong password. Immediately upgrade the system software with up2date or apt; sometimes a kernel upgrade is necessary, because kernel problems also give attackers an opening. apt is Debian GNU/Linux's powerful package management tool and can also be used on other Linux versions.

2. Accounts. Edit /etc/login.defs to change the password policy. Delete unnecessary system accounts and groups; if you do not run anonymous FTP, you can delete the ftp account too. The command to delete an account is:
  [root@ayazero /]# userdel -r username
Not allowing root to log in at all is the most secure, but impractical for local maintenance; still, restrict remote root access: administrators log in remotely with an ordinary account and then su to root, and we can add the users allowed to su to the wheel group to improve security.
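The account checks from these notes, and the securetty restriction that follows, as an added example that is not part of the original article: shell functions that read the files they audit from their arguments, so they can be run against copies of /etc/passwd, /etc/shadow and /etc/securetty (or against the constructed sample files in the test) without root. The UID ceiling of 1000 for system accounts and the sample account names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: account and login checks
# from the hardening notes, written as functions that take the file to
# audit as an argument so they run against copies or constructed samples
# without root.  The system-account UID ceiling (1000) is an assumption.

# extra_uid0_accounts PASSWD: accounts with UID 0 other than root.
# A second UID-0 account is a classic backdoor.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# empty_password_accounts SHADOW: accounts whose password field is empty,
# i.e. that can log in with no password at all.  Locked entries ("!", "*")
# are fine and are not reported.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# service_accounts_with_shell PASSWD MAXUID: system accounts (UID below
# MAXUID, excluding root) that still have a real login shell.  The notes
# say to delete accounts such as ftp; an interactive shell on them is
# what matters most.
service_accounts_with_shell() {
    awk -F: -v max="$2" \
        '$3 != 0 && $3 < max && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# remote_root_ttys SECURETTY: entries that let root log in on something
# other than the physical console.  Pseudo-terminals (pts/N, ttypN) mean
# root logins over the network are permitted.
remote_root_ttys() {
    grep -E '^(pts/|ttyp)' "$1" || true
}
```

Run each function against the live files as root (for example `empty_password_accounts /etc/shadow`); any output at all is a finding.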
At the top of /etc/pam.d/su add the two lines that enforce this (the su notes later on this page show the pam_wheel.so line). Edit /etc/securetty and comment out every entry that allows root to log in on anything other than the console, and forbid the use of all console programs. Log in with ssh, which is encrypted; if administrators only log in from fixed terminals, restrict the legitimate ssh clients to those, to prevent sniffing and man-in-the-middle attacks. At the same time, set the command history size to zero to hide what you have done.

3. Services. Adopt the principle of least service: comment out every unneeded service. In /etc/inetd.conf put a "#" in front of unneeded services; newer versions no longer use inetd but xinetd. Stop services from starting automatically: in /etc/rc.d/rc3.d change the first letter of the unneeded services from "S" to "K" and leave the rest unchanged. For something simple you can use the two files /etc/hosts.allow and /etc/hosts.deny, but an iptables firewall is recommended, so I will not go into the details. (To be continued)
Monday, April 25, 2011
Embedded systems and system-level programmable data sheet
7 Embedded system design issues

7.1 System design. Embedded system applications are very broad, the complexity of applications varies greatly and requirements are individual. However, the key issues that the overall design of an embedded system must consider can still be summarized as follows:
· in-depth analysis of the system and a thorough understanding of the application requirements;
· forming the overall scheme, selecting or building a development platform, and completing the mapping of algorithms onto architectures;
· forming the hardware/software co-design scheme;
· embedded processor selection;
· real-time operating system (RTOS) selection;
· selection or development of development tools (compilers, emulators and so on);
· data path design;
· design for testability;
· design for reusability;
· building the simulation and verification environment;
· planning of the target nodes.

7.2 Embedded processors. The embedded processor is the application- and user-oriented core of the embedded system. Because of their application- and industry-oriented nature, for different applications and different semiconductor processes there are more than 1000 embedded processor variants, which can be divided into:
· embedded microprocessors: ARM, MIPS, PowerPC, 68000, 386EX;
· embedded microcontrollers: 8051, MC68HC05, MC68HC11, 68300, Am186, TMS320C2x;
· embedded DSP processors: TMS320 series, DSP56000 series;
· embedded SoC (system on chip): OMAP, M-Core.

7.3 Embedded processor development. As embedded applications expand to disk drives, mobile phones, PDAs, network switches, printers and so on, it is becoming increasingly difficult to define "embedded" itself. What is certain is that many embedded applications have ever-changing requirements for performance, cost, power consumption and other indicators; to adapt to the different requirements, processors are also developing rapidly. The following takes the widely used ARM processors of the UK company ARM as an example for analysis.

Evolution of the ARM microarchitecture: over the past ten years ARM processors have developed from the simple ARM7TDMI core to the latest ARM11EJ-S core. The main progress:
· from a simple three-stage to an eight-stage pipeline; compared clock for clock, the performance difference is not significant;
· ARM11 is the highest-performance series of the ARM family. ARM7 usually runs below 200 MHz; in a 0.13 micron process ARM11 runs at 500 to 700 MHz, giving ARM processors much more powerful performance;
· more pipeline stages together with improvements in structure and design. The ARM1026EJ-S core has a return stack, which reduces the pipeline flushes on subroutine return and improves system performance; ARM11 adds combined static and dynamic branch prediction;
· ARM11 supports single-instruction multiple-data (SIMD) instructions.

7.4 Real-time operating systems (RTOS). Software is one of the cores of an embedded system. Embedded systems often have real-time requirements, and real-time operating systems are simple and compact, so embedded systems often use an embedded real-time operating system. But not every embedded RTOS supports every embedded processor, so the embedded processor and the embedded RTOS must be selected together. Common embedded real-time operating systems:
· VxWorks;
· OS-9;
· pSOS;
· QNX;
· VRTX;
· Linux-based real-time operating systems;
· Windows-based real-time operating systems;
· domestically developed real-time operating systems.

Linux operations command log
In a Linux terminal, to make it convenient to check for possible mistakes in our operations, and to get around the limited scrollback of the screen, we can record a log of the session.
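Two details of the tee approach described below that are worth seeing in working code, as an added example that is not part of the original post: a plain "make 2>&1 | tee make.log" returns tee's exit status rather than make's, so a failed build logged that way looks successful to a script or a cron job, and the control characters that "col -b" strips from screen and script logs can also be stripped without col. The command and file names in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: record a command's combined
# output with tee, as in "make 2>&1 | tee make.log", while keeping the
# command's own exit status.  The plain pipeline returns tee's status (almost
# always 0), so a failed build logged this way looks successful to a script
# or a cron job; run_logged avoids that portably, without bash's PIPESTATUS.
# strip_controls does what "col -b" does for screen/script logs (drop escape
# sequences and carriage returns) without needing col.

# run_logged LOGFILE CMD [ARGS...]: append a timestamped header and all
# output of CMD to LOGFILE (also shown on the terminal); return CMD's status.
run_logged() {
    log=$1; shift
    status_file=$(mktemp)
    printf '=== %s: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$log"
    # Record CMD's status on the left side of the pipe, where it is still
    # known; the "if" keeps a failing CMD from aborting under "set -e".
    { if "$@" 2>&1; then echo 0 > "$status_file"; else echo $? > "$status_file"; fi; } \
        | tee -a "$log"
    rc=$(cat "$status_file"); rm -f "$status_file"
    return "$rc"
}

# naive_logged LOGFILE CMD [ARGS...]: the pattern from the post, kept for
# comparison; its exit status is tee's, not CMD's.
naive_logged() {
    log=$1; shift
    "$@" 2>&1 | tee -a "$log"
}

# strip_controls FILE: print FILE without ANSI escape sequences and CRs.
strip_controls() {
    esc=$(printf '\033')
    sed "s/${esc}\[[0-9;?]*[A-Za-z]//g" "$1" | tr -d '\r'
}
```

Usage: `run_logged build.log make 2>/dev/null || echo "build failed"`; with naive_logged the "build failed" branch would never run.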
The common tools are screen, script and tee.

1. screen (screen manager with VT100/ANSI terminal emulation)
  > screen -L
  > ... here we do our work ...
  > exit
Afterwards there is a file with a name like screenlog.0:
  > more screenlog.0
so you can see what you have just done and find possible problems.

2. script (make typescript of terminal session)
  > script
  > ... our operations ...
  > exit
This generates a file named typescript:
  > more typescript

3. tee (read from standard input and write to standard output and files)
This command reads from the terminal's input and writes to the terminal and to a file at the same time. It is useful for recording commands such as make that produce a large amount of output: the output goes to the terminal and to the file, so you get a log of these commands easily.
  > make 2>&1 | tee make.log
Of course, we can also just redirect to a file:
  > make > make.log 2>&1
PS: 2>&1 sends the error output into the log as well. If you want to filter out the control characters, try the col command like this:
  $ cat screenlog.0 | col -b > screenlog
or
  $ cat typescript | col -b > scriptlog

CreateProcessW: implementing full control of process creation
【Preface】 While writing this document I ran into many problems. My thanks to bkbll, SobeIt and a1rsupply for their guidance and to TCH for his hard work; without them this document would not exist. There may be errors in this article; they are my own mistakes. Comments are welcome at http://www.itaq.org or by e-mail: zf35@citiz.net.

【Overview】 Controlling process creation on a server is significant: by monitoring process creation we can let permitted programs run normally while programs that are not permitted fail to start, which protects the server from unknown trojans, viruses and worms.

To achieve this we must hook the Windows APIs involved in creating a process. According to "Inside Windows NT" and the "Native API Reference", confirmed by tracing with SoftICE, the sequence of calls Windows makes to create a process is:
  CreateProcessA -> CreateProcessW -> CreateProcessInternalW -> ... -> ZwCreateProcess
This document hooks CreateProcessW; any of the other APIs in the chain could be used as well, and with small changes the demonstration code applies to any Ring3 function. There are many ways to hook an API; this article overwrites the function's entry point. For more detail see SobeIt's write-up on API hooking methods.

【Copy-on-write】 In my first test I rewrote the entry code of CreateProcessW in SoftICE, pressed F5 to return to Windows, and everything worked. But when I wrote a program to modify the CreateProcessW entry code, the modification only took effect in that one process; the other processes in the system were not affected at all. Tracing in SoftICE showed that this process's CreateProcessW virtual address had been mapped to a new physical address, different from the one the other processes use. If you have read WebCrazy's article on the copy-on-write mechanism, it is not hard to see that this is copy-on-write at work.

For system DLLs, each DLL is mapped at the same virtual address in every process, and those virtual addresses point to the same physical memory, which keeps the system's resource consumption lowest. When a process tries to overwrite data in that physical memory, the system, so as not to affect other processes, automatically allocates new physical memory, copies the original data into it, performs the write, and remaps the writing process's virtual address to the new physical memory, while the other processes stay mapped to the original. This is the copy-on-write technique. How does the system decide when copy-on-write applies? Through the page table entry (PTE) of the virtual address: when the copy-on-write flag in the PTE is set, any write to that virtual address triggers a copy-on-write.

【Three viable approaches】 To achieve a global hook we must not be held back by the copy-on-write mechanism. I thought of three ways to reach the goal.
1. Use a driver to modify the page table entry (PTE) attributes so that the virtual address of CreateProcessW loses its copy-on-write property; then modifying the CreateProcessW entry code in our own process takes effect for every process in the system, giving a global hook.
2. Use the physical memory object Windows itself provides (\\phymem) for direct physical memory reads and writes. First locate our own process's EPROCESS (KTEB) (see my earlier article on obtaining any process's EPROCESS from Ring3); from the EPROCESS get the process's page directory, read the page directory from physical memory through \\phymem, then simulate the operating system's virtual-to-physical address translation to obtain the physical address of CreateProcessW, and overwrite CreateProcessW there through \\phymem, bypassing copy-on-write.
3. The most conventional means: first enumerate all processes in the system, then use VirtualQueryEx, VirtualProtectEx, VirtualAllocEx and related functions to change page attributes and allocate new space in each process; finally write our code into every process's address space with WriteProcessMemory, overwrite the entry of CreateProcessW with a jmp ******** to our code, and so change the function's flow of execution.

Of the three, method 1 is only an idea; I have not tried it (anyone who implements it, please mail me a copy of the code :P). Method 2 I have implemented completely, but it is not discussed in this document, which would otherwise become very long; I will describe its implementation in a separate document. Method 3 is the focus of this article and is described in detail below.

Querying the base address and attributes of CreateProcessW: here we use VirtualQueryEx, whose prototype is:
  SIZE_T VirtualQueryEx(HANDLE hProcess, LPCVOID lpAddress, PMEMORY_BASIC_INFORMATION lpBuffer, SIZE_T dwLength);
Parameters: hProcess is a handle to the process whose memory information we want; lpAddress points to the memory region to query; lpBuffer points to a MEMORY_BASIC_INFORMATION structure; dwLength is the size of lpBuffer. After the call, the information is stored in the structure lpBuffer points to. As for the page attributes, the page containing CreateProcessW can have one of the following protections:
  PAGE_EXECUTE
  PAGE_EXECUTE_READ
  PAGE_EXECUTE_READWRITE
  PAGE_EXECUTE_WRITECOPY
  PAGE_NOACCESS
  PAGE_READONLY
  PAGE_READWRITE
  PAGE_WRITECOPY
We change the page attributes with VirtualProtectEx:
  BOOL VirtualProtectEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);
Parameters: hProcess is the process handle; lpAddress points to the memory region to modify; dwSize is the size of the region; flNewProtect is the new page protection; lpflOldProtect points to a DWORD that receives the old protection. From the code further on we can see that, in order to overwrite the function's entry code, we must give the page the PAGE_EXECUTE_READWRITE attribute.

Allocating free space in the process: modifying the function entry code alone is not enough. We must write some code that takes over the work of CreateProcessW, and since each process's address space is isolated, for a global hook we must give every process a piece of space in which to store our code. That is what VirtualAllocEx is for:
  LPVOID VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);
Parameters: hProcess is the process handle; lpAddress is the desired address of the region; dwSize is the size of the region; flAllocationType is the allocation type; flProtect is the protection of the new memory.

We use WriteProcessMemory to write code and data into the remote process:
  BOOL WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten);
Parameters: hProcess is the process handle; lpBaseAddress points to the address to write to; lpBuffer points to the data to write; nSize is the size of lpBuffer; lpNumberOfBytesWritten receives the number of bytes actually written.

About the magic in my compiler: when I used WriteProcessMemory to write my own function JmpToAddress into the remote process's address space, whatever JmpToAddress contained, the bytes written were just the few bytes E9 ** ** ** **, which confused me greatly: judging by the machine code, this is a relative jump instruction.
Where does it come from? To understand this I used the VC debugger: entering JmpToAddress in the watch window showed JmpToAddress at virtual address 0x00410XXX, and opening the memory window at that address showed the code of JmpToAddress itself, which was strange; so where did the mysterious E9 ** ** ** ** come from? I asked a1rsupply, who told me that the Debug build of VC generates a jump table: the magician was the compiler. To write code into the remote process correctly we must compute the function's real address. The following piece of code does so (the original loaded the dword at the thunk and shifted it right by 8, which keeps only three bytes of the displacement; reading the dword that follows the E9 opcode gets all four):
  __asm {
      pushad
      lea eax, JmpToAddress           ; address of the jump thunk: E9 rel32
      mov ecx, dword ptr [eax + 1]    ; the 32-bit displacement after E9
      add eax, ecx
      add eax, 5                      ; target = thunk + 5 + rel32
      mov JmpAfterCalc, eax
      popad
  }

Solving the positioning problem: while writing the code I ran into another big question, how to locate addresses. I wrote the JmpToAddress() function as follows:
  void __declspec(naked) JmpToAddress(void)
  {
      __asm jmp [HookedAddr]
  }
In the local process this code has no problem, but once it is written into the remote process, problems appear. Look at its assembly: jmp [00401Cxx]. The virtual address in the brackets is where this process stores HookedAddr, but in the remote process that address holds something else, so jumping through it produces unexpected results. To get the correct behaviour we write the value of HookedAddr into the remote process with WriteProcessMemory and then reference it with a relative address:
  void __declspec(naked) JmpAddress(void)
  {
      __asm call flag
  flag:
      __asm pop eax            ; eax = virtual address of this instruction
      __asm add eax, 0x0e      ; fixed distance to the slot holding HookedAddr
      __asm mov ebx, [eax]
      __asm jmp ebx
  }
pop eax leaves in eax the virtual address of that very instruction; adding a fixed offset makes [eax] the slot whose contents were written through WriteProcessMemory.

Firefox upgrade: system administrator security considerations
Mozilla's Firefox is widely recognized not only as an excellent browser but also as one with a high safety factor.

Many institutions that have used Internet Explorer or ActiveX technology are preparing to switch to Firefox for its security and ease of use. A high safety factor does not mean that Firefox blocks all viruses or has no security vulnerabilities. In the most recent versions, Mozilla has released a series of updates to close Firefox security holes; the latest version, 1.0.6, fixes a series of code vulnerabilities. The question, however, is whether an organization's network administrator needs to track every Firefox version update and keep pace with it. In general two situations can be distinguished. One is the personal case: the desktop user is responsible for keeping their own system updated; we call this user a power user. The other is where software is installed under the control of system administrators and the end user only has permission to run programs, not to install or remove them; we call this user Joe User.

1. Power users. By default Firefox checks once a day for a new version of the core program or of extensions; when it finds an update it can install, a green arrow appears next to the throbber, the icon in the upper right corner of the browser that animates during downloads. If the user clicks the green arrow, Firefox downloads the latest version and, before installing it, prompts the user to close the browser. In short, power users upgrade and install on their own as needed; for an experienced user these operations are no bother. On the other hand, if your environment requires that users not install programs on their systems, this convenience and freedom become a liability.

2. Joe Users. Firefox is written as a cross-platform application, so on Windows it does not upgrade automatically through a central authentication system, nor does it automatically pick up new configurations in the enterprise. This has always been considered Firefox's biggest flaw. At the same time, Firefox users cannot change system settings, because many Firefox settings are not kept in the registry but only as text files. FrontMotion's recent MSI package of Mozilla Firefox is considered the most comprehensive solution to this problem, and it has been installed by a large number of users; MSIs (Microsoft Installer packages) can be pushed out with a set of directives so that the package installs on every computer in the unit. MSIs have many advantages: their distribution model is convenient for administrators, and the installer can detect a running Firefox process during an upgrade and prompt the user to close it. More conveniently, FrontMotion also runs a Firefox community that helps administrators configure Firefox through Active Directory settings; if you are just starting to deploy Firefox in your organization and want to rely on existing systems rather than a dedicated solution, you can get help there. In addition, Bob Templeton's FFDeploy script package is a good choice; it is easy to configure because it uses VBS scripts, which programmers can easily modify to configure a Firefox image. This is a relatively simple way, since it avoids the complexity of deploying Firefox in a managed environment.

Linux: some security recommendations for the su command
First let us look at the explanation of su in its man page: "su - run a shell with substitute user and group IDs". That is, su starts a shell as another user; if no user name is given, the shell runs as root.

su is a binary executable file located at /bin/su. The following queries the file's type and path from the command line:

Example 1:
  islab$ which su
  /bin/su
Example 2:
  islab$ file /bin/su
  /bin/su: setuid ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, stripped
Example 3:
  islab$ ll /bin/su
  -rwsr-xr-x 1 root root 24060 Jan 10 2007 /bin/su

From examples 2 and 3 we can see that su is a setuid program (the setuid bit is set with chmod u+s, and ls shows it as the s in the owner's execute position). A setuid program runs with the privileges of its owner rather than of the caller, so when you run su your privileges are raised to those of the owner, i.e. root. From example 2 we also see that the file type is "ELF 32-bit LSB shared object" (with the setuid bit set), which means the program uses the libc function library, requires the ELF interpreter, and complies with the LSB specification.

Question 1: can a normal user copy the su command from another machine?
Answer: they can copy the su binary from another machine, but it will not have the correct permission settings (chown root and chmod u+s and so on), so the copied su will not work as su.

Question 2: how do we prevent normal users from executing the su command?
Answer:
1) Set up a special group so that only its members can execute su, and add the permitted users to it:
  islab# groupadd wheel
  islab# usermod -G wheel zhaoke
  islab# chown root:wheel /bin/su
  islab# chmod 4750 /bin/su
(With newer shadow-utils use usermod -a -G wheel; a plain -G replaces the user's other supplementary groups.)
2) Let only the root user execute su:
  islab# chmod 4700 /bin/su
3) Use the PAM library so that only members of the wheel group can execute su. The following example adds the account zhaoke to the wheel group:
  islab# groupadd wheel
  islab# usermod -G wheel zhaoke
  islab# ll /lib/security/pam_wheel.so
  -rwxr-xr-x 1 root root 5692 Feb 22 2007 /lib/security/pam_wheel.so
  islab# vi /etc/pam.d/su
and adds the following line:
  auth required /lib/security/pam_wheel.so use_uid
then saves and exits the su PAM configuration file.
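The properties discussed in the answers above, checked in working code, as an added example that is not part of the original article: shell functions that verify a su binary is root-owned and setuid (a copy made by an ordinary user is neither), that a chmod 4750-style restriction really keeps everyone outside the group from executing it, and that a PAM file carries an active pam_wheel line. Every function takes the file to inspect as an argument, so the checks run against test files without root; the file names in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: checks for the su properties
# discussed above.  A su binary copied from another machine by an ordinary
# user fails is_setuid_root (wrong owner, setuid bit dropped);
# others_cannot_execute verifies a chmod 4750-style group restriction; and
# pam_wheel_enforced looks for an active pam_wheel line in a PAM file.
# Every function takes the file to inspect as an argument.

# perm_string FILE: permission string from ls, e.g. "-rwsr-xr-x".
perm_string() { ls -ld "$1" | cut -c1-10; }

# owner_of FILE: owner name from ls (portable across stat variants).
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

# has_setuid_bit FILE: true if the setuid bit is set (the "s" in the
# owner's execute position).
has_setuid_bit() { [ -u "$1" ]; }

# is_setuid_root FILE: true only for a root-owned setuid file, which is
# what a working su must be.
is_setuid_root() { has_setuid_bit "$1" && [ "$(owner_of "$1")" = root ]; }

# others_cannot_execute FILE: true if "others" (everyone outside the owner
# and the file's group) have no execute permission, as with 4750 or 4700.
others_cannot_execute() {
    case "$(perm_string "$1")" in
        *x|*t) return 1 ;;
        *) return 0 ;;
    esac
}

# pam_wheel_enforced PAMFILE: true if an uncommented auth line requires
# pam_wheel.so, written with or without the old full path /lib/security/.
pam_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+([^[:space:]]*/)?pam_wheel\.so' "$1"
}

# audit_su FILE: print one line per finding, or "ok"; status 1 on findings.
audit_su() {
    found=0
    is_setuid_root "$1" || { echo "$1: not a root-owned setuid binary"; found=1; }
    others_cannot_execute "$1" || { echo "$1: executable by everyone (consider chmod 4750 and a wheel group)"; found=1; }
    if [ "$found" -eq 0 ]; then echo ok; fi
    return "$found"
}
```

On a live system run `audit_su /bin/su` and `pam_wheel_enforced /etc/pam.d/su && echo enforced`; the first reports the 4755 default as executable by everyone, which is exactly the state answers 1) and 2) change.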
Question 3: even if a normal user cannot execute the su command, is it still possible to obtain the root password by brute force?
Answer: a normal user can mount a brute-force attack on the root account through a shell or through ssh. We can consider security tools such as pam_abl to protect ssh; pam_abl can temporarily block an account after a set number of failed logins within a set time. Of course, a normal user can also elevate privileges through program vulnerabilities such as buffer overflows.
Friday, April 15, 2011
Embedded Linux in industrial control applications
4.2 Software design. The embedded operating system is the core of the whole embedded system.

As mentioned earlier, the memory and storage capacity of the embedded system is limited, so Linux must be trimmed down for it. The main techniques involved in the trimming are the following.

(1) Streamlining the kernel. The standard Linux kernel is oriented to the PC and integrates many features that a PC needs but an embedded system does not. Because the functional blocks are independent and can be added or removed, we can compile a kernel that contains only the function modules the embedded system needs and drop the rest; after recompilation the kernel shrinks significantly.

(2) Shielding the virtual memory system. Analysis shows that virtual memory is the main reason Linux's real-time behaviour is weak. In industrial control certain tasks must meet real-time requirements, so the kernel's virtual memory management mechanism is shielded to improve Linux's real-time performance. Changing a kernel mechanism generally does not require writing code on a large scale; conditional compilation can be used. At the same time, the Linux scheduler allocates time fairly among application processes; this algorithm cannot guarantee the system's real-time requirements and has to be changed. There are two ways: through POSIX, or through low-level programming. The author uses the special handling of Linux real-time named pipes (RT-FIFOs) to sequence the real-time tasks. Real-time FIFOs, like real-time tasks, are never paged out, which greatly reduces the non-deterministic delay caused by page faults.

(3) Writing device drivers. The device drivers determine the kernel's basic functionality; a driver written for a specific device can follow the rules for writing Linux drivers. A device driver should have the following functions:
• initialization and release of the device;
• two functions that deliver data from the kernel to the hardware and read data back from the hardware;
• reading the data an application passes to the device file and returning the data the application requests;
• detecting and handling device errors.

(4) Developing a Flash-based JFFS2 file system. Applications and critical data are typically stored as files in a Flash file system. JFFS2 is a log-structured file system, which means it is essentially a long list of nodes, each containing information about part of a file. JFFS2 was designed specifically for embedded devices built on flash chips, so its whole design provides Flash management that other file systems cannot match. Specifically:
● JFFS2 performs Flash erase, write and read operations at sector level better than the Ext2 file system.
● JFFS2 provides better crash and power-failure protection than Ext2fs. To change a small amount of data, the Ext2 file system copies the entire sector into memory (DRAM), merges the new data in memory and writes the whole sector back. JFFS2 only ever changes what is needed (it does not rewrite the entire sector), and it is crash and power-failure safe.

Once the steps above are implemented, a mini Linux operating system is constructed. Its structure includes process management, memory management, file management and so on; it supports multiple tasks in parallel and has a complete TCP/IP protocol stack, and Linux has built-in support for Ethernet controllers, so the system can be connected to Ethernet for remote configuration and monitoring. To port the trimmed kernel to the target board, first compile the kernel into code for the target processor. Because the boot code differs between hardware systems, some kernel code may have to be rewritten. This involves writing the Linux boot code and modifying the architecture-dependent parts, mainly boot, memory management and interrupt handling. The company uses an M-Systems DOC2000 (DiskOnChip) as the system boot device, and the boot code can be placed in the DOC. When the system is powered on, the boot code performs basic hardware initialization, then loads the kernel image into memory and runs it; finally the debugged kernel and applications are programmed into Flash memory. Once this trimmed Linux has been successfully ported to the target platform, the development system can be started and specific applications developed on it, such as a data acquisition module, a data processing module, and a communication and data dissemination module.

5 Conclusion. Today Internet applications are moving toward the embedded device as the centre, so connecting industrial control systems to the Internet is an inevitable trend. This paper builds an embedded Linux kernel on a 32-bit system based on the embedded StrongARM SA1110 microprocessor, constructs TCP/IP and the basic network communication protocols, and, with the embedded operating system's support for the underlying hardware and network protocols, modifies the Linux kernel and its virtual memory mechanism to meet the real-time requirements of industrial control, ensuring that control tasks complete in real time and reliably. It can be foreseen that this scheme has good prospects in the field of industrial control, with a short development cycle, stable and reliable performance and good adaptability.

Linux + NT OS Loader mini-HOWTO, translated edition
Contents
1. Summary
2. How does the NT OS Loader work?
3. How to install Windows NT and Linux on the same system
   3.1 Install Windows NT
   3.2 Partitioning
   3.3 Install Linux
   3.4 LILO
4. Bootpart
5. The Linux part of the work
6. The Windows NT part of the work
7. Do it again
8. Troubleshooting
9. Other
   9.1 References
   9.2 Thanks
   9.3 Feedback
   9.4 Translator's addition: starting FreeBSD from the NT Loader

1. Summary
This document describes how to start Linux using the Windows NT boot loader. The procedure has been tested with Windows NT 4.0 Workstation and Linux 2.0.

2. How does the NT OS Loader work?
The NT OS Loader expects the boot sector of each other operating system to be stored in a file that it can read. It then starts the selected operating system, that is, a different version of Windows NT or any other operating system.

3. How to install Windows NT and Linux on the same system
3.1 Install Windows NT
Install Windows NT first. If you want to use NTFS for your Windows NT partition, remember that current versions of Linux cannot access NTFS partitions; an alpha version of a driver that can read NTFS partitions can be found at http://www.informatik.hu-berlin.de/~loewis/ntfs. You can create an additional FAT partition for exchanging data, or use DOS-formatted floppy disks.

3.2 Partitioning
Another mini-HOWTO recommends not using NT's "Disk Administrator" to create the Linux swap and root partitions, because it leaves some space unused; I also recommend using Linux fdisk.

3.3 Install Linux
Boot from the Linux boot floppy and create the swap and root partitions with fdisk. fdisk reports NTFS partitions as HPFS partitions; this is normal. Boot from the floppy again and install Linux according to your preferences. When the installer finds the HPFS partition during installation and offers to mount it, ignore it.

3.4 LILO
When you get to the LILO part of the installation, specify your Linux root partition as the boot device, not your hard disk's master boot record (MBR) and not a floppy; the MBR now belongs to Windows NT.
This means that the root and boot entries in your /etc/lilo.conf have the same value. If you have one IDE hard disk and your Linux partition is the second partition, the boot entry in /etc/lilo.conf looks like:

    boot=/dev/hda2

If you have two drives and Linux is on the first partition of the second disk, it looks like:

    boot=/dev/hdb1

Run lilo for the kernel that matches your system. If you are not sure, boot from the floppy to check the kernel. If you can no longer start Windows NT, you are in trouble; I hope you have made an up-to-date emergency repair disk.

4. Bootpart
Bootpart, an NT program written by G. Vollant, can do the two steps described in the following sections for you: http://ourworld.compuserve.com/homepages/gvollant/bootpart.htm. If you want to know what it does, sections 5 and 6 describe the steps.

5. The Linux part of the work
You must start Linux from the floppy until the NT side has been set up. Now copy the boot sector of your Linux root partition into a file. If /dev/hda2 is your Linux partition, the dd command is:

    # dd if=/dev/hda2 of=/bootsect.lnx bs=512 count=1

If your bootsect.lnx is larger than 512 bytes, something went wrong. Now copy bootsect.lnx to a DOS-formatted floppy; this is how you get the file onto the NTFS partition. Either

    # mcopy /bootsect.lnx a:

or

    # mount -t msdos /dev/fd0 /mnt
    # cp /bootsect.lnx /mnt
    # umount /mnt

6. The Windows NT part of the work
Copy the file from the floppy to C:\BOOTSECT.LNX. I will not tell you how. (Translator's note: copy a:\bootsect.lnx c:\ should do it.) Just as Linux has lilo.conf, Windows NT has C:\boot.ini.
Before editing it, remove its system and read-only attributes with:

    C:\> attrib -s -r c:\boot.ini

Now edit boot.ini with an editor such as Notepad so that it looks like this:

    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Workstation Version 4.0"
    multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Workstation Version 4.0 [VGA mode]"
    C:\BOOTSECT.LNX="Linux"

In this case only the last line is new. After saving the file, restore its attributes:

    C:\> attrib +s +r c:\boot.ini

Shut down Windows NT and restart; you should see something like:

    OS Loader V4.00
    Please select the operating system to start:
        Windows NT Workstation Version 4.0
        Windows NT Workstation Version 4.0 [VGA mode]
        Linux
    Use ↑ and ↓ to move the highlight to your choice.
    Press Enter to choose.

Select Linux and you will see LILO loading zImage....

7. Do it again
Every time the boot sector of your Linux partition changes, a new copy of bootsect.lnx must be transferred to C:\BOOTSECT.LNX. One example is when you install a new kernel with lilo, so this arrangement is not well suited to testing kernels.

8. Troubleshooting
If things do not work as expected, use a floppy to check whether you can boot at all. If /dev/hdb1 is your Linux partition, your /etc/lilo.conf should contain:

    root=/dev/hdb1
    boot=/dev/fd0

Insert a floppy and run lilo. Now try booting from the floppy. If you cannot boot /dev/hdb1 under Linux, the NT OS Loader will not be able to start it either. If you see a stream of 010101..., your root disk cannot be accessed; check that all your disks are detected by the BIOS.
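The two checks a practitioner wants in steps 5 and 6 above, as an added example that is not part of the original HOWTO: confirm that the dd output really is one 512-byte boot sector (the HOWTO's "if bootsect.lnx is larger than 512 bytes, something went wrong"), and add the Linux entry to boot.ini without duplicating it when the step is repeated (section 7). The boot.ini text and the 512-byte sector below are constructed sample data; the ARC-path syntax of the Windows entries and the 0x55AA signature at the end of a PC boot sector are standard.

```python
# Added example (not part of the original HOWTO): validate the dd-extracted
# boot sector and add the Linux entry to boot.ini idempotently.
import re

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # standard PC boot-sector marker at offset 510

# NTLDR entry keys: an ARC path (Windows) or a boot-sector file (other OS).
ARC_PATH = re.compile(r"^(multi|scsi|signature)\(\w+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\[^=]*$")
BOOTSECT_FILE = re.compile(r"^[A-Za-z]:\\[^=]+$")


def check_boot_sector(data: bytes) -> list:
    """Return the problems found in a boot-sector image (empty list means OK)."""
    problems = []
    if len(data) != SECTOR_SIZE:
        problems.append(f"expected {SECTOR_SIZE} bytes, got {len(data)} (wrong bs= or count= in dd?)")
    if data[-2:] != BOOT_SIGNATURE:
        problems.append("missing 0x55AA signature (wrong partition, or not a boot sector)")
    return problems


def add_boot_entry(boot_ini: str, target: str, label: str) -> str:
    """Return boot.ini with target="label" under [operating systems].

    Re-running with the same target is a no-op, so the step is safe to repeat
    whenever bootsect.lnx is re-copied (HOWTO section 7)."""
    if not (ARC_PATH.match(target) or BOOTSECT_FILE.match(target)):
        raise ValueError(f"not an ARC path or boot-sector file: {target!r}")
    newline = "\r\n" if "\r\n" in boot_ini else "\n"
    lines = boot_ini.splitlines()
    heads = [i for i, l in enumerate(lines) if l.strip().lower() == "[operating systems]"]
    if not heads:
        raise ValueError("no [operating systems] section")
    start = heads[0]
    # The section ends at the next [header] or at end of file.
    end = next((i for i in range(start + 1, len(lines)) if lines[i].startswith("[")), len(lines))
    existing = {l.split("=", 1)[0].strip() for l in lines[start + 1:end] if "=" in l}
    if target in existing:
        return boot_ini
    lines.insert(end, f'{target}="{label}"')
    return newline.join(lines) + newline


# Constructed sample data (modelled on the HOWTO's listing, not a real file).
SAMPLE_BOOT_INI = (
    "[boot loader]\r\n"
    "timeout=30\r\n"
    "default=multi(0)disk(0)rdisk(0)partition(1)\\WINNT\r\n"
    "[operating systems]\r\n"
    'multi(0)disk(0)rdisk(0)partition(1)\\WINNT="Windows NT Workstation Version 4.0"\r\n'
    'multi(0)disk(0)rdisk(0)partition(1)\\WINNT="Windows NT Workstation Version 4.0 [VGA mode]"\r\n'
)
# Stand-in for `dd if=/dev/hda2 of=/bootsect.lnx bs=512 count=1`: jump, filler, signature.
SAMPLE_BOOTSECT = b"\xeb\x3c" + b"\x90" * 508 + BOOT_SIGNATURE

if __name__ == "__main__":
    print(check_boot_sector(SAMPLE_BOOTSECT))
    print(check_boot_sector(SAMPLE_BOOTSECT + b"\x00"))
    print(add_boot_entry(SAMPLE_BOOT_INI, r"C:\BOOTSECT.LNX", "Linux"))
```

The signature check catches the common mistake of pointing dd at the whole disk or at the wrong partition; the size check catches a forgotten count=1. Running add_boot_entry twice leaves boot.ini unchanged, which is what you want for the repeat-after-every-kernel-install routine of section 7.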
If you can boot your Linux partition from the floppy, you can instead extract the boot sector for the NT OS Loader from the floppy with:

    # dd if=/dev/fd0 of=/bootsect.lnx bs=512 count=1

You can keep this floppy as a rescue disk for when something goes wrong with your Windows NT setup.

9. Other
9.1 References
The Linux + Windows NT mini-HOWTO
The FAQ for FreeBSD 2.X
9.2 Thanks
Thanks to Xiaoming Yi for pointing out that this procedure also works with Linux on a disk other than the first, and to Frank Dennler for the floppy trick.
9.3 Feedback
Comments are very welcome.
9.4 Translator's addition: starting FreeBSD from the NT Loader
Because the translator's PC has FreeBSD 2.2 installed in addition to Windows NT 4.0 and Linux, I followed the steps above to see whether the NT Loader could start FreeBSD as well. My FreeBSD is installed on /dev/sda2, which FreeBSD calls /dev/sd0s2. Following the procedure above, I first saved the boot sector of /dev/sda2 into a file:

    # dd if=/dev/sda2 of=/bootsect.bsd bs=512 count=1

copied it to C:\ and added C:\BOOTSECT.BSD="FreeBSD" to boot.ini. This method, however, failed to boot FreeBSD! Just as I was about to give up, it occurred to me that LILO itself can start FreeBSD. So I tried the following experiment: after booting Linux, change /etc/lilo.conf to

    boot=/dev/fd0
    install=/boot/boot.b
    vga=normal
    other=/dev/sda2
      label=FreeBSD
      table=/dev/sda
      loader=/boot/os2_d.b

insert a formatted floppy and run lilo -v. Then copy the floppy's boot sector into a file:

    # dd if=/dev/fd0 of=/bootsect.bsd bs=512 count=1

and copy it to C:\. Remove the floppy and reboot; choosing FreeBSD in the NT Loader menu, you see:

    LILO loading FreeBSD
    >> FreeBSD BOOT @ 0x10000: 639/65536k of memory
    Usage: [[[0:][fd](0,a)]/kernel][-abcCdrsv]
    Use 1:sd(0,a)/kernel to boot sd0 if it is BIOS drive 1
    Use ? for file list or press Enter for defaults
    Boot:

The most common and most effective security settings for CentOS 4.4 Linux
1. Users of CentOS or Red Hat Enterprise Linux 4 should first enable SELinux by editing /etc/selinux/config and setting SELINUX=enforcing.
This keeps the system from being taken down by abnormal behaviour. Some people think SELinux should be switched off; I strongly recommend against it. Of course, if you are only playing with CentOS rather than running a real server, it does not matter.

2. Enable the iptables firewall. It has many benefits for system security. Set up your firewall rules.

3. Run setup and turn off the services you do not need. Keep in mind: one service less is one risk less.

4. Disable the Control-Alt-Delete keyboard shutdown command. In /etc/inittab, comment out this line (with #):

    ca::ctrlaltdel:/sbin/shutdown -t3 -r now

so that it reads:

    # ca::ctrlaltdel:/sbin/shutdown -t3 -r now

To make the change take effect, enter:

    # /sbin/init q

5. Set the permissions of the script files in /etc/rc.d/init.d so that only root can read or execute them, which also stops anyone else from reading or running the startup scripts:

    # chmod -R 700 /etc/rc.d/init.d/*

This means only root is allowed to read, write and execute the script files.

6. Modify the /etc/host.conf file. /etc/host.conf specifies how addresses are resolved. Edit it (vi /etc/host.conf) and add the following lines:

    # Lookup names via DNS first then fall back to /etc/hosts.
    order bind,hosts
    # We have machines with multiple IP addresses.
    multi on
    # Check for IP address spoofing.
    nospoof on

The first setting resolves through DNS first and then falls back to the hosts file. The second allows a host in /etc/hosts to have more than one IP address (for example, a machine with several Ethernet cards). The third tells the resolver to reject spoofing attempts against this machine.

7. Make the /etc/services file immutable, so that services cannot be deleted from or added to it without authorisation:

    # chattr +i /etc/services

8. Stop your system from responding to any external or internal ping request. Since nobody can ping your machine and get a reply, it becomes harder to find; note, though, that this only hides the host from a naive ping sweep, and a port scan will still find it, so treat it as a minor nuisance to attackers rather than real protection.
Add the following line to /etc/rc.d/rc.local so that it runs automatically at every boot:

    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

9. Setting resource limits for all users on your system helps prevent DoS (denial of service) attacks, for example by limiting the maximum number of processes and the amount of memory. To restrict all users, edit /etc/security/limits.conf (vi /etc/security/limits.conf). In the listing below, every session of every user is limited to 10 MB of resident memory and to 4 simultaneous logins; the third line disables core dumps for everyone; the fourth removes all limits for the user bin; ftp is allowed 10 concurrent sessions (especially useful for an anonymous FTP account); members of the managers group are limited to 40 processes; developers have a 64 MB memlock limit; and members of wwwusers cannot create files larger than 50 MB.

Listing 3. Setting quotas and limits

    *            hard    rss         10000
    *            hard    maxlogins   4
    *            hard    core        0
    bin          -
    ftp          hard    maxlogins   10
    @managers    hard    nproc       40
    @developers  hard    memlock     64000
    @wwwusers    hard    fsize       50000

To activate these limits, add the following line at the bottom of /etc/pam.d/login:

    session required /lib/security/pam_limits.so

Using ssh for secure connections
MindTerm, VNC, socat and more. The ability to work remotely has always been one of the advantages of Linux that system programmers and administrators like, but setting up remote access is not a simple matter.
Choosing the appropriate remote service
Every month, Server Clinic has to describe how to get the most out of the hardware in the server room. This often involves using Linux in ways that are not as well known as they deserve to be: Linux for Fortran programs, Linux as the platform for applications of older design, and so on. A second recurring topic is the subject of this column: security. Your servers should be physically isolated, you should disable all unnecessary network access, and you should reach the servers only through SSH or something better. In particular, use Telnet, ftp, rsh, rlogin and related services as little as possible; they are simply too dangerous. Suppose you have done all these things. Now you are away, perhaps at a product show, consulting with a new customer, or at a requirements meeting that was already in your travel budget, and you need to bring up some material back at the company. What should you do? First, try to resist. Programmers and administrators could do this work during normal working hours in their quiet workplaces, but they tend to force themselves into doing it on the road, under pressure. Don't make yourself a victim of this behaviour! Connecting for a legitimate business purpose is not a breach, however. Once you have settled these organisational questions, the answer is "ssh". Even if, in principle, you rely more on a virtual private network (VPN) than on ssh, I still think it is prudent to have ssh access set up for emergencies when the regular method cannot be used. VPNs still have their difficulties and depend on particular hardware configurations. If you are "calling home" from a client's network (mostly ordinary desktop machines), your choices are extremely limited. The good news is that, within these limits, ssh usually meets your needs.
Even when you are away from work at a public access point (an "Internet cafe", say), you may lack the resources to get ssh working. You may not be able to rely on your own equipment: carrying anything larger than a handheld around is itself a security risk, and, worse, many places do not allow you to plug in outside hardware. Typically you have to use the hardware you are given. Downloading PuTTY, an ssh client or MindTerm is generally quick, though, and that is what I prefer to do. Anyone with a working network stack can connect to the host in your server room, and is probably allowed to download with a web browser. Be careful about using clients that are already installed: it is far too easy for someone to replace the client with a modified one that captures keystrokes (or worse). Another approach, embedding the MindTerm client as an applet in a web page, looks very attractive, but my experience is that it is of limited use. Most places disable Java, or provide only an old Java runtime engine (JRE) in the browser, or reduce the applet's convenience in other ways. If I want MindTerm, I simply download and install the client and a compatible JRE. Applets are usually a good technique for end-user applications, and also for read-only configuration, but I find this usage rare. So, to work efficiently, it is not worth the time to solve whatever applet problems your environment may have. I have always found it easier to find a megabyte of free storage and install an ssh client. Every time you sit down at a new machine, install a fresh ssh client and start it. This may still not be enough: some local firewalls close most ports, or at least many of them, including the standard ssh port 22. Here is another way to be prepared.
On at least one of my hosts I run sshd (the ssh daemon) on a port usually assigned to a common Internet service (ftp, http, smtp or pop3). Even the most stringent firewalls open ports 8080, 21, 25 and 110. If your machine is set up to "catch" such traffic, you can get through most firewalls. Does this sound like "breaking in"? I do not condone abuse of networks. Employees of other companies often invite me to use their network even though they know that changing their firewall in a sensible way (temporarily opening port 22, say) is not feasible in their company. I have come to accept that having such "tricks" ready is part of current professional practice, but I make sure I use them only to finish the job responsibly. Of course, once the ssh channel is open, I have almost all the capabilities I would have sitting at a console in the server room. If I need a graphical display I can tunnel X or VNC through the channel; everything else I do from the command line. So my working session starts like this: I download an ssh client, install and launch it quickly, and authenticate with a password over the encrypted connection to the sshd I left running in the server room. Note that I am still vulnerable to a tampered host: a thoroughly modified desktop machine, or an attentive onlooker, can get at my keystrokes before they reach the encryption library and record them. The solution to that is a one-time password (OTP) system. So far OTP has seemed to me more trouble than it is worth, though your own cost-benefit assessment may differ at least slightly. In any case, getting back to the daily workplace is a good time to change the password.

Use standard parts
I want Server Clinic to show working code every month. For this article it is hard to add any code: the configuration I recommend is very simple, and the standard reference materials describe it fully.
For example, to serve ssh on a second port, add the line

    Port 8080

to the existing /etc/ssh/sshd_config (sshd accepts more than one Port line) and restart sshd. Another method is to use a "web proxy" or "port forwarder" such as netcat or socat that refers back to the standard SSH port on the local host (localhost); this approach is useful for testing and tuning, for logging, or for extra security. A proxy in this context is a small "translator" that simply lets network traffic pass through. If I have an sshd server on port 22 and want another sshd on port 110, one way to do it is to install a network proxy: it acts as a server on port 110 towards the outside world and as a client to port 22 to handle those packets. The basic sshd does all the real work; the proxy merely moves traffic from one port to another (possibly on another host). The value of this column lies not in esoteric code but in conveying a clear concept to aim at when enabling your remote services. I have tried many methods. Take advantage of that experience, in particular to understand what not to do, at least when you are first setting up the server room: disable Telnet, don't leave unused services running, don't worry about applets (in particular, don't worry about applet signing), and don't feel guilty about remote login. On the other hand, do use standard components. I have tried many clever ideas for adjusting the ssh protocol or the firewall to block "black hat" hackers (translator's note: those who specialise in using network intrusion skills to break networks). Compared with the small security gain they offer, they are much harder to maintain, so there is little net gain.
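The "proxy" described above, as an added example that is not from the column: a small TCP port forwarder in Python standing in for netcat or socat. It listens on a firewall-friendly port and relays each connection to the real sshd on localhost:22, so the sshd still does all authentication and encryption and the relay only moves bytes, which is exactly why it adds no security of its own beyond obscurity. The stand-in sshd, the ports and the banner strings in the demo are constructed for this example.

```python
# Added example (not from the column): a minimal TCP port forwarder standing in
# for `socat`/`netcat`. It accepts on a firewall-friendly port and relays each
# connection to sshd on localhost:22; sshd still does all authentication and
# encryption, the relay only moves bytes. Ports and banners below are constructed.
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(client: socket.socket, target: tuple) -> None:
    """Connect to target and splice it with client in both directions."""
    try:
        upstream = socket.create_connection(target, timeout=10)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_forwarder(listen_port: int, target=("127.0.0.1", 22), bind_addr="0.0.0.0") -> tuple:
    """Listen in a background thread; one relay thread per connection (like socat's `fork`).

    Returns (listening_socket, bound_port); bound_port matters when listen_port is 0."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, listen_port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket was closed
            threading.Thread(target=relay, args=(conn, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def _read_line(sock: socket.socket) -> bytes:
    """Read up to and including the first newline (SSH banners are line-based)."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def start_stand_in_sshd() -> int:
    """Constructed stand-in for sshd: send a version banner, echo one line, close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"SSH-2.0-StandIn_0.1\r\n")
            conn.sendall(_read_line(conn))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> tuple:
    """Talk to the stand-in through the forwarder; return (banner, echoed line)."""
    backend_port = start_stand_in_sshd()
    fwd, fwd_port = start_forwarder(0, target=("127.0.0.1", backend_port), bind_addr="127.0.0.1")
    try:
        with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as c:
            banner = _read_line(c)
            c.sendall(b"SSH-2.0-Client\r\n")
            echoed = _read_line(c)
    finally:
        fwd.close()
    return banner, echoed


if __name__ == "__main__":
    print(demo())
```

In production you would call start_forwarder(110) or start_forwarder(8080) with the default target of localhost:22; the equivalent one-liner is socat TCP-LISTEN:110,fork,reuseaddr TCP:127.0.0.1:22. Because the relay is transparent, sshd's logs will show every connection as coming from 127.0.0.1, so if you need the real client address for auditing, prefer the extra Port line in sshd_config over the proxy.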
Unless I have a clearly budgeted security project with clear long-term goals, it is better to spend time using ssh than trying to improve it. Following the steps above, you will have a server room whose security is better than that of a stock Linux server installation, and you will be able to do almost all of your remote administration over a secure connection from anywhere in the world. For your own security plan, this is a good starting point.

Friday, April 8, 2011
Linux system account management and auditing
1. Login account management
In Linux, login accounts are tracked by two facilities, utmp and wtmp.
wtmp also records system reboots and changes of system state (run level). All utmp and wtmp data are kept in the files /var/run/utmp and /var/log/wtmp. Both files are owned by root with mode 644, and their contents are binary records rather than text (they are not encrypted); the utmpdump tool converts the binary records to ASCII so that administrators can analyse user logins, reboots and run-level changes.

Commands related to login account management:
last lists each user's login and logout times, together with reboots and run-level changes. By default, last reads /var/log/wtmp and displays every connection and run-level change. Because last can print more than anyone can read, a typical usage is last -5, which shows the latest 5 records from /var/log/wtmp.
who reports who is currently logged in: the terminal device each user is using, the user's address or host name, the X display in use (if X is running), whether the user accepts messages and talk requests from other users, and so on.
ac reports statistics on user connect time; the useful options are -d and -p. -d prints the total connect time per day, -p prints each user's connect time. These statistics help in understanding and detecting intrusion-related user activity.
lastlog reads /var/log/lastlog and reports each user's last login; it is also used to check a Linux system for unusual login records.

2. System account auditing
Linux can record every command executed by every user in a log file (process accounting), but this feature is not enabled by default.
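Added example, not from the article: a decoder for the binary utmp/wtmp record format described in section 1, which rebuilds login sessions the way last does and applies two cheap consistency checks for the kind of editing the article warns about below (wtmp is append-only, so timestamps should never run backwards, and a logout needs a matching login). The struct layout is glibc's x86_64 struct utmp (384 bytes per record); on other architectures the layout differs, so check struct.calcsize against the file size first. The records are constructed sample data, not taken from a real system.

```python
# Added example (not from the article): decode binary utmp/wtmp records,
# rebuild sessions the way `last` does, and run two sanity checks for edited
# files. Layout is glibc's x86_64 struct utmp (384 bytes); data is constructed.
import struct
from datetime import datetime, timezone

# type, pad, pid, line[32], id[4], user[32], host[256], exit{term,exit},
# session, tv{sec,usec}, addr_v6[4], unused[20]  -> 384 bytes
UTMP_FMT = "<h2xi32s4s32s256shhi2i4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)

EMPTY, RUN_LVL, BOOT_TIME, NEW_TIME, OLD_TIME = 0, 1, 2, 3, 4
INIT_PROCESS, LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 5, 6, 7, 8


def _cstr(b: bytes) -> str:
    return b.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data: bytes) -> list:
    """Return one dict per record, in file order (what `utmpdump` prints as text)."""
    if len(data) % UTMP_SIZE:
        raise ValueError(f"{len(data)} bytes is not a multiple of {UTMP_SIZE}: truncated or wrong layout")
    recs = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "line": _cstr(f[2]), "id": _cstr(f[3]),
                     "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]})
    return recs


def sessions(records: list) -> list:
    """(user, line, host, login, logout_or_None): a USER_PROCESS is closed by the
    next DEAD_PROCESS on the same line; a BOOT_TIME closes everything still open."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == USER_PROCESS:
            open_by_line[r["line"]] = r
        elif r["type"] == DEAD_PROCESS and r["line"] in open_by_line:
            s = open_by_line.pop(r["line"])
            out.append((s["user"], s["line"], s["host"], s["time"], r["time"]))
        elif r["type"] == BOOT_TIME:
            out += [(s["user"], s["line"], s["host"], s["time"], r["time"]) for s in open_by_line.values()]
            open_by_line.clear()
    out += [(s["user"], s["line"], s["host"], s["time"], None) for s in open_by_line.values()]
    return out


def anomalies(records: list) -> list:
    """wtmp is append-only: times must not go backwards (except across an
    OLD_TIME/NEW_TIME clock change) and a DEAD_PROCESS needs an earlier entry on its line."""
    issues, prev_time, prev_type, lines = [], None, None, set()
    for i, r in enumerate(records):
        if prev_time is not None and r["time"] < prev_time and prev_type not in (OLD_TIME, NEW_TIME):
            issues.append(f"record {i}: time goes backwards ({prev_time} -> {r['time']})")
        if r["type"] in (INIT_PROCESS, LOGIN_PROCESS, USER_PROCESS):
            lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS and r["line"] not in lines:
            issues.append(f"record {i}: logout on {r['line']} with no earlier entry")
        prev_time, prev_type = r["time"], r["type"]
    return issues


def format_session(s: tuple) -> str:
    """Render one session roughly like a line of `last` output."""
    user, line, host, t_in, t_out = s
    stamp = lambda t: datetime.fromtimestamp(t, timezone.utc).strftime("%a %b %d %H:%M")
    if t_out is None:
        tail = "still logged in"
    else:
        tail = f"- {stamp(t_out)[-5:]}  ({(t_out - t_in) // 3600:02d}:{(t_out - t_in) % 3600 // 60:02d})"
    return f"{user:<8} {line:<12} {host:<16} {stamp(t_in)} {tail}"


def make_record(t: int, pid: int, line: str, uid: str, user: str, host: str, sec: int) -> bytes:
    """Pack one record (used only to build the constructed sample below)."""
    return struct.pack(UTMP_FMT, t, pid, line.encode(), uid.encode(), user.encode(),
                       host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0, b"")


T0 = 1_300_000_000  # constructed epoch base for the sample
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "~~", "reboot", "2.6.x", T0),
    make_record(USER_PROCESS, 2345, "pts/0", "ts/0", "alice", "192.168.1.5", T0 + 60),
    make_record(USER_PROCESS, 2400, "pts/1", "ts/1", "bob", "10.0.0.9", T0 + 120),
    make_record(DEAD_PROCESS, 2345, "pts/0", "ts/0", "", "", T0 + 3660),
])

if __name__ == "__main__":
    recs = parse_utmp(SAMPLE_WTMP)
    for s in sessions(recs):
        print(format_session(s))
    print(anomalies(recs) or "no anomalies")
```

To run it against a real file, read /var/log/wtmp into bytes and pass it to parse_utmp. The anomaly checks are deliberately cheap and only catch clumsy editing; an attacker who rewrites the file consistently will pass them, which is why the article's advice to corroborate wtmp with process accounting and other sources still stands.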
To enable it:

    # touch /var/log/pacct
    # accton /var/log/pacct

You can substitute your own file for /var/log/pacct, but the path and file name must be correct.

sa, like ac, is a statistics command. It summarises the processes run by each user or each command and reports the system resources consumed. To a large extent sa is an accounting command; it is useful for identifying a particular user, and especially for spotting commands that are suspicious for a particular user. Because the volume of data is large, a script or program is usually needed to filter the information.
lastcomm, like sa, reports on each command executed, printing each command together with the time it was run; in this respect lastcomm gives more security-relevant detail than sa. If the system has been compromised, do not trust the records in lastlog, utmp and wtmp, but do not ignore them either: the information may have been modified, and the reporting binaries may have been replaced to deceive you. In general, once some suspicious activity has been identified, process accounting can be used effectively: lastcomm can isolate a user's activity or the commands executed at a specific time.

3. Managing audit files with logrotate
/var/run/utmp, /var/log/wtmp and /var/log/pacct are dynamic data files. wtmp and pacct grow by appending records, and on a busy network they become large. Linux provides a program called logrotate that lets administrators manage these files. logrotate reads the files in the /etc/logrotate.d directory; the administrator controls its operation through the script files in that directory. A typical script file (here for /var/log/wtmp):

    /var/log/wtmp {
        rotate 5
        weekly
        errors root@server1
        mail root@server1
        copytruncate
        compress
        size 100k
    }

The script file has the following meaning:
● rotate 5: keep the current file plus 5 old backup copies.
● weekly: rotate the files once a week, normally on the first day of the week.
● errors: e-mail address to which error reports are sent.
● mail: e-mail address to which rotated logs are mailed.
● copytruncate: let the process keep writing; the backup is made as a copy and the active log file is then truncated to zero length.
● compress: compress old log files with gzip.
● size 100k: rotate the file once it exceeds 100k.

An introduction to LILO
Author: answer
Linux can be booted in many ways. The loader LILO (Linux Loader) is a flexible boot loader, and compared with other popular boot loaders its boot modes are more artful. Understanding it in depth helps us handle multiple operating systems, network booting, large hard disks and memory, and many other tricky problems with ease.
I. The LILO boot mechanism
As is well known, the computer's BIOS initially has control. After initialising some hardware (memory, keyboard, etc.) it attempts to load the hard disk's master boot record (MBR) or the floppy disk's boot sector. The MBR can work in two ways: either it finds the active partition and loads that partition's boot sector, and the boot sector then loads the basic components of the operating system on the partition; or it loads boot information directly from a specified partition and hands control to it. Boot loaders such as LILO, the OS/2 boot loader and PartitionMagic can be configured in this way. The floppy boot sector corresponds to the active partition's boot sector on a hard disk and is normally used to load an operating system from the floppy. Thus, as long as LILO is installed in the MBR, in the active partition or on a boot floppy, it can take over control of the computer and complete the rest of the boot process. LILO has a table of address codes built into its boot sector, through which its boot program locates the Linux kernel file; these addresses can follow cylinder/head/sector (CHS) addressing or linear block (LBA) addressing, so LILO works well even on some SCSI controllers. After LILO has found its map file it displays the boot prompt:

    LILO boot:

At this point you can choose to boot a different operating system or a different kernel configuration. Pressing Tab lists the available options; type one, or press Enter to select the default. If you boot Linux, you can also pass arguments directly to the kernel. Compared with other systems' boot loaders, LILO is more flexible and offers more ways to boot:
● When installed in the hard disk's MBR, in the active partition or on a boot floppy as a stand-in for the bootstrap, LILO can boot Linux or another operating system from any partition of any hard disk; apart from the boot sector it needs no hidden files and no specific partition, and its configuration files can be in any partition, even in a subdirectory of a DOS partition unrelated to Linux.
● It can boot several different kernel configurations, or even several different kernels.
● It can boot several Linux distributions on the same machine.
● It can boot Linux from the network.

LILO's flexibility makes its configuration rather complex. When several systems coexist, it is recommended to install the other operating systems first and Linux last, so that setting up LILO to boot the other systems is relatively simple.

II. Several important LILO boot parameters
LILO has many boot parameters; only the more important ones are introduced here.
1. boot= specifies the name of the device containing the boot sector (e.g. /dev/hda). If omitted, the boot sector is read from the current root partition.
2. root= tells the kernel which device to use as the root file system at startup; its value is the root device name compiled into the kernel, device_name. Available device names are:
(1) /dev/hdaN to /dev/hddN: ST-506 compatible hard disks a to d, partition N
(2) /dev/sdaN to /dev/sdeN: SCSI compatible hard disks a to e, partition N
(3) /dev/xdaN to /dev/xdbN: XT compatible hard disks a to b, partition N
(4) /dev/fdN: floppy disk A (N=0) or B (N=1)
(5) /dev/nfs: a flag meaning the root file system is obtained over the network
3. nfsroot= if the root file system is to be provided over NFS to boot a diskless workstation, this parameter tells the kernel which computer, directory and NFS options hold the root file system. The format is:

    nfsroot=[<server_ip>:]<root_dir>[,<nfs_options>]

4. nfsaddrs= sets the various network interface addresses needed for network communication. Without this parameter, the kernel tries to discover them with the Reverse Address Resolution Protocol (RARP) or the Boot Protocol (BOOTP). The format is:

    nfsaddrs=<client-IP>:<server-IP>:<gateway-IP>:<subnet-mask>:<client-name>:<network-device-name>:<auto>

5. image= specifies the Linux kernel file.
6. delay= sets the time to wait before booting the first image.
7. disk= defines non-standard parameters for a particular hard disk.
8. append= passes an optional parameter line to the kernel; its typical use is to specify the parameters of a hard disk the system does not fully recognise automatically, e.g. append="hd=64,32,202".
9. label= gives each image a name to select at boot time.
10. read-only mounts the root file system read-only at first, so that the file system consistency check (fsck) can run.
11. install= installs the specified file as the new boot sector; the default is /boot/boot.b.
12. loader= specifies the chain loader to use; the default is /boot/chain.b. If booting from somewhere other than the first hard disk or a floppy, this option must be given.
13. table= names the device containing the partition table. If omitted, the boot loader cannot pass partition information to the operating system being booted. Whenever the partition table this parameter points to is modified, /sbin/lilo must be run again.
14. init= names the program the kernel runs at initialisation, normally a process such as init, getty, rc or sh; since Linux kernel 1.3.43 the kernel executes the command line given by init=, defaulting to /sbin/init. If there is a problem during boot, set init=/bin/sh to go straight to a shell.
15. ramdisk_start= because the kernel cannot be placed inside a compressed in-memory file system image, when the kernel image and a compressed in-memory image are placed together on a floppy, ramdisk_start=<offset> lets the kernel find the image before it starts executing.
16. mem= has two uses: telling Linux how much memory there is, e.g. mem=96M; and mem=nopentium, which tells the kernel not to use 4 MB page tables.
17. vga= sets the display mode, e.g. 80×50 or 132×44.

III. Typical LILO configurations
Normally the Linux installer itself completes the LILO installation and configuration. To handle booting multiple systems better, or if your system does not complete this configuration automatically, you can edit /etc/lilo.conf by hand to boot under different conditions.
1. When the system can complete the configuration automatically. In this case there is only one suggestion: install LILO in the Linux partition's root, not in the troublesome MBR. Assuming DOS/Windows is installed on hda1 and Linux on hda2, /etc/lilo.conf reads:

    boot=/dev/hda2        # where to install the boot sector
    compact
    delay=50              # wait 5 seconds (the unit is 1/10 s)
    root=current          # root is the current partition
    image=/boot/vmlinuz   # the Linux kernel file
      label=linux         # use "linux" as its name
    other=/dev/hda1       # partition where the other operating system is
      table=/dev/hda      # hard disk containing the partition table
      label=dos           # use "dos" as its name

2.
When the system cannot complete the configuration automatically. This happens in two cases: (1) the BIOS cannot see the Linux root partition directly; (2) the BIOS can only read and write the first 504 MB of a standard IDE hard disk. In this case you must follow a basic principle: create a small Linux partition that the BIOS can access, containing the kernel file, the map file and the chain loader, while the root can be a separate partition. The remaining configuration details are explained through the following examples.

Example 1: the first hard disk is on an IDE interface, the second is SCSI, and the root file system is on the SCSI disk. Solution: create a small Linux partition (/dev/hda2) on the IDE disk containing the basic files and mount it at /u2. The main configuration file /etc/lilo.conf then reads:

    boot=/dev/hda                  # install LILO in the MBR of the first IDE disk
    install=/u2/etc/lilo/boot.b    # install the boot record from this boot.b
    map=/u2/etc/lilo/map           # map file built by lilo; tells the loader where the kernel blocks are
    compact
    timeout=50
    image=/u2/vmlinuz              # the kernel file must be copied under /u2
      label=linux
      root=/dev/sda1               # tell the kernel the root file system is on the SCSI disk
      read-only
    other=/dev/hda1
      loader=/u2/etc/lilo/chain.b  # the chain loader to use
      label=dos

Example 2: a standard IDE hard disk with both Linux and DOS/Windows installed. On the large-disk problem, most people only know about the 1024-cylinder limit, but a standard IDE hard disk is in fact limited to 504 MB. The BIOS INT 13h call encodes CHS in a three-byte tuple: 10 bits for the cylinder number, 8 bits for the head number and 6 bits for the sector number. The possible number of cylinders is 0-1023,
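Added example, not from the article: the arithmetic behind the 1024-cylinder and 504 MB limits this section is explaining, with the LBA-to-CHS conversion a CHS-mode boot sector such as LILO's has to perform before it can ask INT 13h for a kernel block. The INT 13h field widths are those given above; the 16-head limit of the ATA register interface and the 512-byte sector are standard facts; the geometries and sector numbers passed in below are constructed sample values.

```python
# Added example (not from the article): the arithmetic behind LILO's
# 1024-cylinder and 504 MB limits. Field widths are BIOS INT 13h (10/8/6 bits),
# the 16-head limit is the ATA register interface; geometries are constructed.
SECTOR_BYTES = 512
BIOS_MAX = {"cylinders": 1 << 10, "heads": 1 << 8, "sectors": (1 << 6) - 1}  # 1024 / 256 / 63
ATA_MAX = {"cylinders": 1 << 16, "heads": 16, "sectors": 255}


def capacity_bytes(cylinders: int, heads: int, spt: int) -> int:
    """Bytes addressable with a given CHS geometry."""
    return cylinders * heads * spt * SECTOR_BYTES


def bios_ide_limit_bytes() -> int:
    """Without translation, each field is capped by the smaller of the two limits."""
    return capacity_bytes(*(min(BIOS_MAX[k], ATA_MAX[k]) for k in ("cylinders", "heads", "sectors")))


def lba_to_chs(lba: int, heads: int, spt: int) -> tuple:
    """Linear sector number -> (cylinder, head, sector); sectors count from 1."""
    cylinder, rem = divmod(lba, heads * spt)
    head, sector = divmod(rem, spt)
    return cylinder, head, sector + 1


def chs_to_lba(cylinder: int, head: int, sector: int, heads: int, spt: int) -> int:
    """Inverse of lba_to_chs for the same geometry."""
    return (cylinder * heads + head) * spt + (sector - 1)


def reachable_by_int13(lba: int, heads: int, spt: int) -> bool:
    """True if a CHS boot loader (LILO without `linear`/`lba32`) can read this sector."""
    if heads > BIOS_MAX["heads"] or spt > BIOS_MAX["sectors"]:
        raise ValueError("geometry itself exceeds what INT 13h can encode")
    cylinder, _, _ = lba_to_chs(lba, heads, spt)
    return cylinder < BIOS_MAX["cylinders"]


if __name__ == "__main__":
    print(bios_ide_limit_bytes() // 2**20, "MiB with 16 heads x 63 sectors")     # 504
    print(capacity_bytes(1024, 255, 63) // 2**20, "MiB with BIOS translation")  # 8032
    kernel_lba = 1_100_000  # constructed position of a kernel block on a 16x63 geometry
    print(lba_to_chs(kernel_lba, 16, 63), reachable_by_int13(kernel_lba, 16, 63))
```

The 504 MB figure is 1024 cylinders times the 16 heads ATA allows times 63 sectors of 512 bytes. A translating BIOS presents the same disk as 255 heads, which pushes the CHS ceiling to about 7.8 GB, which is the next limit the article alludes to; any kernel block whose translated cylinder number is 1024 or more is unreachable through INT 13h in CHS mode, which is exactly the case the small /u2 boot partition in Example 1 is designed to avoid.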