Linux Home Server
History
Now that I've talked about some of the more recent enhancements to davenjudy.org, it's time to flesh out a little of the background and history for my little corner of the Internet. Sometime in the mid-1990s I realized that networking was something good to know about and the IT department where I worked at the time had a box full of old NICs that they were replacing in order to standardize on a single manufacturer and model. The folks said go ahead and take a few so I grabbed several 10mbs coax cards and then bought enough coax to string together my own little network. I was pretty content with being able to just do things like printer and connection sharing at this point. BTW, the "server" ran OS/2.
About the time OS/2 was losing traction in the marketplace I tried Linux (Red Hat Linux 5.0) and then gradually started migrating to Linux. I'm an old Unix hacker so having something that acted a lot like what I experienced with HP-UX and Solaris was fantastic. About the time the 2.6 Linux kernel was being developed I got a new job and wanted to learn about symmetric multi-processing (SMP) so I put together my current workstation (Tyan Tiger MPX with dual AMD 1900+ CPUs) and started building development kernels starting around 2.5.20. This also meant my old workstation could be dedicated to being a server.
It wasn't until I put together the current incarnation of my home server that I really got into having a true file server. My wife's old Windows 2000 installation seemed to just go from one problem to another so I set her up for dual boot to Linux and W2k and she has usually been happy with what she can do with Linux ever since. Having her files out on the server made this especially easy since she could always get to the files in the same place regardless of whether she was running Linux or W2K. It also made life a lot easier when she helped me out with a book I recently wrote since that way she could easily grab the book files as I finished writing them.
The server

CPU: AMD 1700+
RAM: 768MB
Motherboard: Abit KG7-RAID
Storage:
2X WDC WD600BB-00DKA0 (60GB)
2X ST34311A (4.75 GB)
1X Maxtor 6Y200P0 (200GB)
1X Maxtor 6Y160P0 (160GB)
Operating System:
CentOS 4.X (X = 5 as this is being written)
The two WD600BB drives and the two Seagate ST34311A drives are set up as mirrored pairs using Linux software RAID. These drives hold all of the standard system directories (/, /bin, /sbin, /usr, /var, /tmp, /home, etc.). I tested the setup when I built the server by removing the IDE ribbon cable from each drive in turn and then checking that the system would still boot with that drive missing. I had originally intended to do this using the on-board RAID controller of the motherboard, but someone decided that the system should halt and wait for user intervention if a drive from a RAID pair was missing. This was unacceptable since I needed a system that could "come up" unattended in such a situation. I later found out that the minimal so-called RAID solutions such as the one included on my motherboard are really not worth bothering with.
The two "standalone" Maxtor drives are mounted through /etc/init.d/rc.local instead of /etc/fstab and are used for file sharing. I took this approach since these files aren't critical. This RAID setup is probably overkill for most home users but this server also is my mail server so I really need it to be functional all of the time. One thing to remember though is that once you've set up a home server, any functionality you consolidate on the server will be unavailable when the server is down. I've had to replace one hard disk so far.
It should be noted that this is by no means a powerful system. Yet it is more than sufficient to handle all of our needs. Also, in addition to the above "internal" tasks, this system also handles a number of "external" tasks such as web server, e-mail server, firewall, etc. The bottom line is that a fairly minimal set of hardware running Linux is still sufficient to act as a home server.
Server functions
The following is more of a "what you can do" than a "how to." I'm more than happy to answer questions or provide more detail for any of the server functions documented below.
Samba - Besides my wife still booting her system to W2K, we also have visitors from time to time who don't run Linux. Due to work requirements for a previous job I had configured Samba as a primary domain controller (PDC). This is, again, somewhat overkill but it does provide an extra measure of security. I will probably not maintain this going forward since our use of Windows is dropping off now that Judy usually is running Linux.
CUPS - CUPS is the Common Unix Printing System. It provides printer sharing among the various Linux boxes on the network. One persistent problem is that the MIME configuration files are overwritten at each update of the CUPS system. Unfortunately, these files contain configuration information that is neither brought forward nor preserved. In particular, there is a line that is commented out that needs to be uncommented in order for raw (Windows) printing to work. Hopefully, this will eventually get fixed.
NFS - Network File System is the original LAN file sharing method. On the surface it is much easier to configure than Samba. On the other hand, it requires either the use of NIS or that user IDs and group IDs be coordinated among the systems that access shared drives. Just doing this manually isn't too bad for a small network and a small, stable number of users. Consider NIS if either of these conditions don't apply.
NTP - Network Time Protocol is a great way to keep the clocks on your various systems accurate and showing the same time. You just need something like:
# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service. Do not permit those systems to modify the
# configuration of this service. Also, do not use those
# systems as peers for synchronization.
restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap
in /etc/ntp.conf on the server and make sure the firewall is open on the server for your LAN traffic.
DHCP - Dynamic Host Configuration Protocol handles the setting of IP addresses for systems within an intranet. If you're running a combo firewall/router, this is probably taken care of there. I don't find that low-end, consumer firewall/routers provide the level of control I would like to have, so I use iptables on the server for firewall and routing. I'll have a separate article on firewalls and routing at some point in the future.
DNS - Domain Name Service (named or bind) allows you to address the systems on your network by name instead of by numeric IP address. DNS can work with DHCP to dynamically add entries for the systems on your LAN. The trick is to allow updates only from your LAN. Assuming you're running your LAN on 192.168.0.0/16, the entries in /etc/named.conf look like:
acl "trusted" {
    localhost;
    192.168.0.0/16;
    my.public.ip.address;
};

// Known fake source addresses shouldn't be replied to.
acl "bogon" {
    0.0.0.0/8;       // Null address
    1.0.0.0/8;       // IANA reserved, popular fakes
    2.0.0.0/8;
    192.0.2.0/24;    // Test address
    224.0.0.0/3;     // Multicast addresses
    // Enterprise networks may or may not be bogus.
    10.0.0.0/8;
    172.16.0.0/12;
};

options {
    directory "/var/named";
    auth-nxdomain no;
    interface-interval 1;    // Check for new/disabled NICs. Default: 1 hour.
    query-source address * port 53;
    allow-query { trusted; };
    allow-transfer { trusted; };
    blackhole { bogon; };
};

...

zone "168.192.in-addr.arpa" IN {
    type master;
    file "192.168";
    allow-query { trusted; };
    allow-update { trusted; };
};
This way DHCP will update the zone file for your LAN. Windows boxes use the hostname they're given. For Linux boxes you'll need something like:
DHCP_HOSTNAME=bend
in /etc/sysconfig/network-scripts/ifcfg-eth0.
Unfortunately, there seems to be a recurring permissions problem whenever an update to the DNS software gets released by the upstream distribution and then trickles down through CentOS updates. I run the DNS process in a "chroot jail". I'm not going to explain chroot jails here, but it means anyone hacking the DNS software can at best corrupt my name server but not the rest of my system, since the chroot means the file system they see looks like it only includes the directories below the chroot location (e.g., /var/named/chroot/).
After my update from CentOS 5 to CentOS 5.1 I started seeing lots of named log entries that look like:
dumping master file: tmp-XXXX2IlKiI: open: permission denied: 1 Time(s)
dumping master file: tmp-XXXX2kqDEJ: open: permission denied: 1 Time(s)
dumping master file: tmp-XXXX3GykU9: open: permission denied: 1 Time(s)
dumping master file: tmp-XXXX3L7gPU: open: permission denied: 1 Time(s)
dumping master file: tmp-XXXX3cmRCb: open: permission denied: 1 Time(s)
dumping master file: tmp-XXXX41Wvoc: open: permission denied: 1 Time(s)
I knew I fixed this at least once before so I Googled the error message. The first answer to come up indicated the problem was with the directory permissions under the chroot location. Sure enough, I found:
[root@fraud chroot]# ls -la var
total 40
drwxr-x--- 5 root named 4096 Mar 13 2003 .
drwxr-x--- 7 root named 4096 Nov 17 02:42 ..
drwxr-x--- 4 root named 4096 Aug 25 2004 named
drwxrwx--- 3 root named 4096 Mar 13 2003 run
drwxrwx--- 2 named named 4096 Mar 13 2003 tmp
Note that the named directory is owned by root and is only writable by root. Since the named process runs as user named, it can't write to this directory. The quick fix was to chmod the directory to be group writable, which solved the problem.
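As an added example (not from the original post), a small shell script that spots the "dumping master file ... permission denied" symptom in a named log and checks whether the named user can actually create files in a zone directory, so the chroot permissions can be verified after every update rather than rediscovered from the logs. It assumes logwatch-style lines like the ones above, GNU stat for the live check, and the post's chroot path /var/named/chroot/var/named.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumptions: log lines in the logwatch format shown above; GNU `stat -c`
# for the live directory check; the named daemon runs as user "named".

# Count "dumping master file ... permission denied" lines in a log file.
# named writes dynamically updated zones to a temp file in the zone's
# directory first, so this message means that directory is not writable.
count_dump_denials() {
    grep -c 'dumping master file: .*permission denied' "$1" || true
}

# Pure permission check so it can be tested without root or a real chroot.
# Args: dir_owner dir_group mode(octal, e.g. 750) user "user's groups"
# Returns 0 if the write bit is set for the class that applies to the user
# (owner, group, other), 1 otherwise. Ignores POSIX ACLs and SELinux.
user_can_write() {
    owner=$1; group=$2; mode=$(( 0$3 )); user=$4; groups=$5
    if [ "$user" = "$owner" ]; then
        bit=$(( mode & 0200 ))
    elif echo " $groups " | grep -q " $group "; then
        bit=$(( mode & 0020 ))
    else
        bit=$(( mode & 0002 ))
    fi
    [ "$bit" -ne 0 ]
}

# Live check of one directory (GNU stat). Prints a verdict and returns
# like user_can_write. Example: check_named_dir /var/named/chroot/var/named
check_named_dir() {
    dir=$1
    set -- $(stat -c '%U %G %a' "$dir")    # owner group mode
    if user_can_write "$1" "$2" "$3" named "$(id -Gn named 2>/dev/null)"; then
        echo "ok: named can write to $dir ($1:$2 $3)"
    else
        echo "PROBLEM: named cannot write to $dir ($1:$2 $3); chmod g+w $dir"
        return 1
    fi
}
```

Run check_named_dir against each directory that holds a zone with allow-update after a CentOS update of bind; the post's ls output (root:named, 750) is exactly the case it flags.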
Backup - One of the local "dot coms" had a yard sale to sell off excess equipment when they turned into a "dot bomb." They actually managed to survive so I'll be nice and not name them. I ended up picking up a 6 x 12 GB (native) tape changer for $125. Figuring the list price on the changer was around $1500, I think I got a good deal. 12 GB may not sound like much but it seems to be more than adequate for the amount of data we're likely to generate on any given day. I run both a backup system and RAID because RAID doesn't protect against inadvertently deleting the wrong file(s). The tape changer says SUN on the outside but /proc/scsi/scsi says:
Host: scsi0 Channel: 00 Id: 04 Lun: 00
Vendor: HP Model: C1557A Rev: U709
Type: Sequential-Access ANSI SCSI revision: 02
Host: scsi0 Channel: 00 Id: 04 Lun: 01
Vendor: HP Model: C1557A Rev: U709
Type: Medium Changer ANSI SCSI revision: 02
I run amanda to back up my network, mainly because it was all that was really available way back when I first started running a server and doing backups (right after my OS/2 days). It's a little painful to configure, but it just works once it's configured.
It's a really good idea to have some sort of scheme for doing backups, even if all you do is tell everyone to make sure they save anything important to a known location on the server and then burn a CD or DVD of the data from time to time. How frequently is a question of how much data you are willing to potentially lose.
IMAP/POP - One advantage to running your own IMAP/POP server is you can always get to the mail you've already received. I run my own domain including mail so this is sort of a given for me. I use a server called dovecot since I found cyrus impossible to configure correctly. dovecot was surprisingly easy to configure. If you don't want to or aren't allowed to run your own mail server you can use a program like fetchmail to make it look like you are. The idea is to use fetchmail to pull your mail down from your ISP and then stick it into your IMAP/POP server for local delivery.
SMTP - Simple Mail Transfer Protocol is the real name for running a mail server. I use sendmail since I had a chance to learn quite a bit about it while working at a company called Exactis.com. They were an e-mail service that tried to extend the opt-in, junk mail business model to e-mail. It worked for a while until they dot bombed and spam became so prevalent that even legitimate commercial e-mail went the way of the dodo bird. I run one extension to sendmail: dSPAM (a server side spam filter).